Last post Feb 01, 2019 02:14 AM by Ackerly Xu
Jan 31, 2019 06:05 PM|Selvakumar Ramachandran
I am implementing HPKP as per the security team's request. I added this element under the header tag in the config file and deployed the application to the server, but after deploying the application it stopped working.
<add name="Public-Key-Pins" value="pin-sha256=@@@@@@@@@@@; max-age=5184000; includeSubDomains"/>
pin-sha256=@@@@@@@@@@@ - the actual key was replaced by @; the original key was provided by the security team.
Feb 01, 2019 02:14 AM|Ackerly Xu
Hi Selvakumar Ramachandran,
HPKP is used to prevent MITM in client and server communication through https.
Does your website use https?
If your pin-sha256 is wrong, the client (browser) will look for a wrong public key of a certificate in the certificate chain, then the client should present a warning to the user.
You could refer to MDN for the right format of the Public-Key-Pins header; it is at the bottom of the page.
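As an added check (not code from either poster), the Python below validates the shape of a Public-Key-Pins value the way a browser would before trusting it, and computes a pin-sha256 from a DER-encoded SubjectPublicKeyInfo; the names `spki_pin` and `validate_hpkp` and the sample SPKI bytes are constructed for this example.

```python
import base64
import binascii
import hashlib

# Hypothetical helpers added for this thread (not from the original posts).
# They check a Public-Key-Pins value against the shape RFC 7469 expects:
# each pin-sha256 is base64 of the 32-byte SHA-256 digest of the SPKI,
# at least two pins are present (one must be a backup), and max-age exists.


def spki_pin(spki_der: bytes) -> str:
    """Return the pin-sha256 value for a DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def validate_hpkp(value: str) -> list:
    """Return a list of problems found in the header value; empty means well-formed."""
    problems = []
    pins = []
    max_age = None
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # pins are normally quoted; accept both forms
        if name == "pin-sha256":
            try:
                digest = base64.b64decode(val, validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"pin-sha256 is not valid base64: {val!r}")
                continue
            if len(digest) != 32:
                problems.append(f"pin-sha256 decodes to {len(digest)} bytes, expected 32")
            pins.append(val)
        elif name == "max-age":
            if not val.isdigit():
                problems.append(f"max-age must be a non-negative integer, got {val!r}")
            else:
                max_age = int(val)
        elif name in ("includesubdomains", "report-uri"):
            pass  # optional directives, nothing to check here
        else:
            problems.append(f"unknown directive {name!r}")
    if max_age is None:
        problems.append("max-age directive is missing")
    if len(pins) < 2:
        problems.append("fewer than two pins: RFC 7469 requires a backup pin")
    return problems
```

Run against the placeholder value from the question, the placeholder pin is rejected as invalid base64 and the header is flagged for having only one pin; two pins computed from real SPKI DER bytes plus a max-age pass cleanly.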