
HTTP Public Key Pinning

Explore the concept of HTTP Public Key Pinning (HPKP), how it helps prevent man-in-the-middle attacks by specifying trusted SSL certificates, and understand the risks that have led to its deprecation in major browsers. This lesson emphasizes HPKP's practical implications and prepares learners for alternative security headers.


Why HTTP Public Key Pinning?

HTTP Public Key Pinning (HPKP) is a mechanism that lets us advertise which public keys, and therefore which SSL certificates, a browser should expect when it connects to our servers. It is a trust-on-first-use header, just like HSTS: once the client has connected to our server, it stores the certificate's pin details and applies them to subsequent interactions.

If at any point the client detects that the server is presenting a different certificate, it will politely refuse to connect, which makes man-in-the-middle (MITM) attacks very hard to pull off.
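The trust-on-first-use behaviour just described, modelled as an added example that is not code from this lesson: a small client-side pin store that records a Public-Key-Pins policy on first contact only when the policy is valid for the presented chain (at least one pin matches the chain and at least one backup pin does not), refuses later connections whose chain matches no stored pin, and honours max-age expiry. The SPKI byte strings are constructed stand-ins for DER SubjectPublicKeyInfo blobs; a real pin hashes the certificate's actual SPKI.

```python
import base64
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
SPKI_LEAF = b"constructed-spki-of-the-serving-certificate"
SPKI_BACKUP = b"constructed-spki-of-an-offline-backup-key"

def spki_pin(spki_der: bytes) -> str:
    """A pin-sha256 value is base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str) -> dict:
    """Parse a Public-Key-Pins header value into its pin set and max-age."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
    max_age = re.search(r"max-age=(\d+)", header, re.IGNORECASE)
    if not pins or max_age is None:
        raise ValueError("Public-Key-Pins needs pin-sha256 and max-age")
    return {"pins": pins, "max_age": int(max_age.group(1))}

class PinStore:
    """Minimal model of a browser's trust-on-first-use pin cache."""
    def __init__(self):
        self.hosts = {}  # host -> (pins, expiry timestamp)

    def note(self, host, header, chain_spkis, now):
        """First contact: record the policy only if it is valid for this chain."""
        pol = parse_pkp(header)
        chain_pins = {spki_pin(s) for s in chain_spkis}
        if not pol["pins"] & chain_pins:  # no pin matches the chain: ignore header
            return False
        if not pol["pins"] - chain_pins:  # no backup pin outside the chain: ignore
            return False
        if pol["max_age"] == 0:  # max-age=0 tells the client to forget the host
            self.hosts.pop(host, None)
            return True
        self.hosts[host] = (pol["pins"], now + pol["max_age"])
        return True

    def check(self, host, chain_spkis, now):
        """Later contact: True only if the chain matches a stored, unexpired pin."""
        entry = self.hosts.get(host)
        if entry is None:
            return True  # never pinned: nothing to enforce
        pins, expiry = entry
        if now >= expiry:  # expired policy: forget it and connect normally
            del self.hosts[host]
            return True
        return bool(pins & {spki_pin(s) for s in chain_spkis})
```

A connection that fails `check` is the case where a browser refuses to connect; note that a mis-issued backup pin or a lost backup key leaves the site unreachable until max-age elapses, which is the operational risk that led to HPKP's deprecation.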

This is what an HPKP policy ...