LOGBOOK

HELP

Quiz Entry - updated: 2026.06.26

HPKP (HTTP Public Key Pinning) is now deprecated. What was it, and why was it pulled?

HPKP let a server pin specific public-key fingerprints — the browser would refuse to trust any other key for that domain for max-age time.

In theory: rock-solid defense against rogue CAs issuing fake certs for your domain.

In practice: a self-destruct button.

Why it was deprecated (by Chrome in 2018, then everyone):

  • Foot-gun risk: pin the wrong key, or lose the pinned private key, or forget to rotate — and every visitor's browser locks them out of your site for the pin's lifetime. Several big sites bricked themselves.
  • Hostile-pinning attack: an attacker who briefly compromises a server could set a long pin to keys they control, effectively holding the domain ransom.
  • Replaced by Expect-CT (now also deprecated) and Certificate Transparency logs — CAs are now required to publish issued certs publicly, so rogue issuance gets detected without the brittle pinning mechanism.

Tip: Modern equivalent for high-value targets is CAA records (Certification Authority Authorization in DNS) — restrict which CAs may issue certificates for your domain. Much safer than HPKP, no client-side state.

From Quiz: ISF / Web Application Security Basics | Updated: Jun 26, 2026