Public-Key-Pins Header is Set

Severity:
Informational

Description

The HTTP Public-Key-Pins response header (HPKP) was used to bind a web server to a specific cryptographic public key, so that a browser would reject a certificate chain that did not contain one of the pinned keys and thereby mitigate man-in-the-middle (MITM) attacks using forged certificates. However, the header has been deprecated and is no longer supported by modern browsers, so setting it provides no protection and only adds maintenance risk.

Recommendation

Consider removing the Public-Key-Pins header and instead using the Expect-CT header together with Certificate Transparency to enhance security against MITM attacks.
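The check this finding corresponds to, as an added example (not SmartScanner's own code): it parses a raw HTTP response, reports any Public-Key-Pins or Public-Key-Pins-Report-Only header (case-insensitively, as header names are), and extracts its pin-sha256, max-age and includeSubDomains directives so the report shows what the deprecated header was trying to enforce. The sample responses and pin values are constructed placeholders.

```python
import re

# Constructed sample responses (no real host); the pin values are placeholders.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    'public-key-pins: pin-sha256="PLACEHOLDER_PIN_1="; '
    'pin-sha256="PLACEHOLDER_PIN_2="; max-age=5184000; includeSubDomains\r\n'
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n<html>...</html>"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)

# Lower-cased name -> canonical name of the deprecated pinning headers.
DEPRECATED_PIN_HEADERS = {
    "public-key-pins": "Public-Key-Pins",
    "public-key-pins-report-only": "Public-Key-Pins-Report-Only",
}

def parse_headers(raw_response):
    """Return (status_line, [(lower_name, value), ...]) from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]        # drop the body, if any
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:                            # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def parse_pin_directives(value):
    """Extract the HPKP directives a report should show for the finding."""
    pins = re.findall(r'pin-sha256="([^"]*)"', value)
    age = re.search(r"max-age=(\d+)", value)
    return {
        "pins": pins,
        "max_age": int(age.group(1)) if age else None,
        "include_subdomains": "includesubdomains" in value.lower(),
    }

def check_public_key_pins(raw_response):
    """One finding per deprecated pinning header present; empty list if none."""
    _, headers = parse_headers(raw_response)
    findings = []
    for name, value in headers:
        if name in DEPRECATED_PIN_HEADERS:
            info = parse_pin_directives(value)
            info["header"] = DEPRECATED_PIN_HEADERS[name]
            findings.append(info)
    return findings
```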

Tags:
HTTP Headers
SSL/TLS
Certificate Transparency
Man-in-the-middle Attack
Application Misconfiguration
Last updated on May 13, 2024