Public Key Pinning

Declare that a website's HTTPS certificate should only be treated as valid if the public key is contained in a specified list to prevent MITM attacks that use valid CA-issued certificates.

Spec	https://tools.ietf.org/html/rfc7469
Status	Other

IE	Edge	Firefox	Chrome	Safari	Opera
			73
		65	72
		64	71	TP
11	18	63	70	12	56
10	17	62	69	11.1	55
9	16	61	68	11	54
8	15	60	67	10.1	53
Show all
7	14	59	66	10	52
6	13	58	65	9.1	51
5.5	12	57	64	9	50
		56	63	8	49
		55	62	7.1	48
		54	61	7	47
		53	60	6.1	46
		52	59	6	45
		51	58	5.1	44
		50	57	5	43
		49	56	4	42
		48	55	3.2	41
		47	54	3.1	40
		46	53		39
		45	52		38
		44	51		37
		43	50		36
		42	49		35
		41	48		34
		40	47		33
		39	46		32
		38	45		31
		37	44		30
		36	43		29
		35	42		28
		34	41		27
		33	40		26
		32	39		25
		31	38		24
		30	37		23
		29	36		22
		28	35		21
		27	34		20
		26	33		19
		25	32		18
		24	31		17
		23	30		16
		22	29		15
		21	28		12.1
		20	27		12
		19	26		11.6
		18	25		11.5
		17	24		11.1
		16	23		11
		15	22		10.6
		14	21		10.5
		13	20		10.0-10.1
		12	19		9.5-9.6
		11	18		9
		10	17
		9	16
		8	15
		7	14
		6	13
		5	12
		4	11
		3.6	10
		3.5	9
		3	8
		2	7
			6
			5
			4

iOS Safari	Opera Mini	Android Browser	Blackberry Browser	Opera Mobile	Android Chrome	Android Firefox	IE Mobile	Android UC Browser	Samsung Internet	QQ Browser	Baidu Browser
12	all	67	10	46	70	63	11	11.8	7.2	1.2	7.12
11.3-11.4		4.4.3-4.4.4	7	12.1			10		6.2
11.0-11.2		4.4		12					5
10.3		4.2-4.3		11.5					4
Show all
10.0-10.2		4.1		11.1
9.3		4		11
9.0-9.2		3		10
8.1-8.4		2.3
8		2.2
7.0-7.1		2.1
6.0-6.1
5.0-5.1
4.2-4.3
4.0-4.1
3.2

Notes

The HTTP header syntax is 'Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][; report-uri="reportURI"]'.

Will be deprecated and removed from Chrome as of Chrome 69.

Resources

• MDN Web Docs - Public Key Pinning