Public-Key-Pins Header is Set
Impact: Informational
Description
The HTTP Public-Key-Pins (HPKP) response header was used to associate a specific cryptographic public key with a given web server, so that a client that had already seen the pin would reject a forged certificate and the MITM attack it enables. However, HPKP has been removed from modern browsers and is no longer supported; it also carried a real operational risk, since pinning the wrong key could lock legitimate clients out of the site for the pin's max-age. Use Certificate Transparency and the Expect-CT header instead (Mozilla).
Recommendation
Remove the Public-Key-Pins header (and Public-Key-Pins-Report-Only, if present) and rely on Certificate Transparency, optionally signalled with the Expect-CT header. Note that Expect-CT has itself since been deprecated and removed from Chrome; Chrome and Safari enforce Certificate Transparency for publicly trusted certificates by default, so no response header is required to obtain that enforcement.
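As an added example, not part of this page or of any scanner's own code, the following Python check inspects a response's headers for Public-Key-Pins and Public-Key-Pins-Report-Only (flagging them for removal) and for Expect-CT, and validates each pin-sha256 value the way RFC 7469 defines it: base64 of the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo. The sample header sets are constructed inline (the pins are derived from made-up byte strings, not real certificates), and the function names are the example's own.

```python
"""Audit HTTP response headers for legacy HPKP and its suggested replacement.

Added example: the header names are the real HTTP headers, everything else
(function names, sample values, finding text) is this example's own.
"""
import base64
import binascii
import hashlib
from typing import Dict, List, Tuple


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_directives(value: str, sep: str) -> List[Tuple[str, str]]:
    """Split 'a=1; b="x"; c' into (name, value) pairs, keeping order.

    A list rather than a dict because pin-sha256 legitimately repeats.
    HPKP separates directives with ';', Expect-CT with ','.
    """
    pairs = []
    for part in value.split(sep):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        pairs.append((name.strip().lower(), val.strip().strip('"')))
    return pairs


def valid_pin(pin: str) -> bool:
    """A pin-sha256 value must decode to exactly 32 bytes of SHA-256 digest."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in ("public-key-pins", "public-key-pins-report-only"):
        if name not in h:
            continue
        directives = parse_directives(h[name], ";")
        pins = [v for k, v in directives if k == "pin-sha256"]
        bad = [p for p in pins if not valid_pin(p)]
        findings.append(
            f"{name}: header set ({len(pins)} pin(s)); HPKP is unsupported "
            "by current browsers, remove it"
        )
        if bad:
            findings.append(f"{name}: {len(bad)} malformed pin-sha256 value(s)")
        if len(pins) < 2:
            # RFC 7469 requires a backup pin so a key rotation cannot brick the site.
            findings.append(f"{name}: fewer than two pins, RFC 7469 requires a backup pin")
    if "expect-ct" in h:
        ct = dict(parse_directives(h["expect-ct"], ","))
        mode = "enforce" if "enforce" in ct else "report-only"
        findings.append(f"expect-ct: present, max-age={ct.get('max-age', '0')}, mode={mode}")
    else:
        findings.append("expect-ct: absent")
    return findings


# Constructed sample responses (not captured from any real site).
PIN_A = spki_pin(b"constructed SPKI DER #1")
PIN_B = spki_pin(b"constructed SPKI DER #2 (backup key)")

SAMPLE_LEGACY = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": (
        f'pin-sha256="{PIN_A}"; pin-sha256="{PIN_B}"; max-age=5184000; '
        'includeSubDomains; report-uri="https://example.com/hpkp-report"'
    ),
}
SAMPLE_BROKEN = {
    "Public-Key-Pins-Report-Only": 'pin-sha256="not-a-pin"; max-age=0',
    "Expect-CT": 'max-age=86400, enforce, report-uri="https://example.com/ct"',
}
SAMPLE_CLEAN = {
    "Expect-CT": 'max-age=86400, enforce, report-uri="https://example.com/ct"',
}

if __name__ == "__main__":
    for label, sample in (("legacy", SAMPLE_LEGACY), ("broken", SAMPLE_BROKEN), ("clean", SAMPLE_CLEAN)):
        print(f"== {label}")
        for finding in audit_headers(sample):
            print("  -", finding)
```

To run this against a live host, feed it the header dictionary from whatever client you use (for example `requests.get(url).headers`); the pin validation only checks encoding and length, it does not verify that a pin matches the certificate actually served.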
References
- Mozilla: Public-Key-Pins
- Mozilla: Certificate Transparency
- Mozilla: Expect-CT
- Wikipedia: Man-in-the-middle attack
Last updated on February 15, 2021