Below you will find pages that utilize the taxonomy term “HPKP”
August 27, 2017
Do not waste your time with HPKP
This is my last post related to HTTP Public Key Pinning (HPKP). This is a post in response to Scott Helme’s latest post about him giving up on HPKP and how my blog is a perfect example of his concerns. In the past I’ve written three articles about the HPKP header: “Testing HPKP headers”, “Adding HPKP headers”, and “HPKP.. Public Key Pinning?”. The point of each of these articles is pretty well summed up in its title.
April 22, 2016
Testing HPKP Headers
Over the last two weeks, I’ve been posting a lot about HTTP Public Key Pinning. This will be my last post about it, and I want to focus on testing HPKP. If you don’t know what HPKP is, read the first post. To learn how to add those headers, read the second post. I’ve had to spend a lot of time trying to figure out how to properly test these headers. In theory, this is how it should work.
April 15, 2016
Adding a HPKP Header
Before we try to add a HPKP header, let’s review from last week. I made a post about what HTTP public key pinning is. It’s a fingerprint that browsers use to compare certificates and can warn the user if the certificate is from a different source, even if it’s trusted or from the same server. If that doesn’t make sense, check out the link to the previous post. Public-Key-Pins: A Public-Key-Pins header looks like this: