Quiz Entry - updated: 2026.06.26
HPKP (HTTP Public Key Pinning) is now deprecated. What was it, and why was it pulled?
HPKP let a server pin specific public-key fingerprints — the browser would refuse to trust any other key for that domain for max-age time.
In theory: rock-solid defense against rogue CAs issuing fake certs for your domain.
In practice: a self-destruct button.
Why it was deprecated (by Chrome in 2018, then everyone):
- Foot-gun risk: pin the wrong key, or lose the pinned private key, or forget to rotate — and every visitor's browser locks them out of your site for the pin's lifetime. Several big sites bricked themselves.
- Hostile-pinning attack: an attacker who briefly compromises a server could set a long pin to keys they control, effectively holding the domain ransom.
- Replaced by Expect-CT (now also deprecated) and Certificate Transparency logs — CAs are now required to publish issued certs publicly, so rogue issuance gets detected without the brittle pinning mechanism.
Tip: Modern equivalent for high-value targets is CAA records (Certification Authority Authorization in DNS) — restrict which CAs may issue certificates for your domain. Much safer than HPKP, no client-side state.