Generate HTTP Public Key Pinning headers from a certificate. Part of the DevTools Surf developer suite.
Use Cases
Generating pin headers for legacy systems still using HPKP
Learning about public key pinning concepts for security audits
Creating HPKP report-only headers for certificate monitoring
Studying deprecated security headers for compliance documentation
Tips
Extract the public key pin from your server certificate
Generate backup pins from your CA's intermediate certificate
Include a report-uri to monitor pinning violations in production
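The three tips above describe one procedure: take the SubjectPublicKeyInfo (SPKI) out of a certificate, hash it, and assemble the pins into a header. The Python below is an added example written for this page, not the DevTools Surf tool's own code. It walks the DER structure of a certificate with a minimal, stdlib-only parser (enough to reach the SPKI field, nothing more), computes the pin as base64(SHA-256(DER SPKI)) as RFC 7469 defines it, and builds both the enforcing and the Report-Only header. The certificate it parses is constructed inline from placeholder values so the example runs offline; it is not a real certificate and its key bytes are meaningless.

```python
import base64
import hashlib


def der_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER tag-length-value element (short and long length forms)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + payload


def der_value(tlv: bytes) -> bytes:
    """Strip tag and length from one DER element and return its value bytes."""
    length = tlv[1]
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        return tlv[2 + (length & 0x7F):]
    return tlv[2:]


def der_children(buf: bytes) -> list:
    """Split the value of a constructed element into child elements (full TLVs)."""
    children, pos = [], 0
    while pos < len(buf):
        start = pos
        pos += 1                            # tag byte
        length = buf[pos]
        pos += 1
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        pos += length
        children.append(buf[start:pos])
    return children


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    The pin is taken over this whole element, header bytes included.
    """
    tbs = der_children(der_value(cert_der))[0]
    fields = der_children(der_value(tbs))
    if fields[0][0] == 0xA0:                # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    return fields[5]                        # serial, sigAlg, issuer, validity, subject, SPKI


def pin_sha256(spki_der: bytes) -> str:
    """HPKP pin value: base64 of SHA-256 over the DER-encoded SPKI (RFC 7469)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def header_is_acceptable(pins, max_age, report_only) -> bool:
    """Enforcing headers need a backup pin (>= 2 pins) and a max-age; browsers
    ignore max-age on Report-Only, so only the enforcing form is checked here."""
    if report_only:
        return len(pins) >= 1
    return len(pins) >= 2 and max_age is not None


def hpkp_header(pins, max_age=None, include_subdomains=False,
                report_uri=None, report_only=False) -> str:
    """Assemble a Public-Key-Pins or Public-Key-Pins-Report-Only header line."""
    if not header_is_acceptable(pins, max_age, report_only):
        raise ValueError("enforcing HPKP needs at least two pins and a max-age")
    directives = ['pin-sha256="%s"' % p for p in pins]
    if not report_only:
        directives.append("max-age=%d" % max_age)
    if include_subdomains:
        directives.append("includeSubDomains")
    if report_uri:
        directives.append('report-uri="%s"' % report_uri)
    name = "Public-Key-Pins-Report-Only" if report_only else "Public-Key-Pins"
    return "%s: %s" % (name, "; ".join(directives))


def build_sample_cert():
    """Constructed, structurally valid but meaningless certificate for the parser
    to consume (placeholder names, dates, key and signature). Returns (cert, spki)."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A8648CE3D0201"))      # ecPublicKey
                        + der_tlv(0x06, bytes.fromhex("2A8648CE3D030107")))  # prime256v1
    key = der_tlv(0x03, b"\x00\x04" + b"\x11" * 64)    # placeholder point, not a real key
    spki = der_tlv(0x30, alg + key)
    name = der_tlv(0x30, b"")                          # empty Name placeholder
    validity = der_tlv(0x30, der_tlv(0x17, b"") + der_tlv(0x17, b""))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # [0] version v3
                        + der_tlv(0x02, b"\x01")                # serialNumber
                        + alg + name + validity + name + spki)
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))    # empty signature
    return cert, spki


if __name__ == "__main__":
    cert, _ = build_sample_cert()
    live = pin_sha256(extract_spki(cert))
    backup = pin_sha256(b"placeholder intermediate SPKI")   # would be the CA's SPKI
    print(hpkp_header([live, backup], max_age=5184000, include_subdomains=True,
                      report_uri="https://example.com/hpkp-report"))
    print(hpkp_header([live], report_only=True, report_uri="https://example.com/hpkp-report"))
```

The backup pin in the demo is hashed over a placeholder string only to show the header shape; in practice it is the SPKI of the CA's intermediate (tip two), extracted with the same function. To cross-check a pin computed this way against a real certificate, the usual openssl pipeline is `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`, which must produce the identical string.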
Fun Facts
HPKP (RFC 7469) was published in April 2015 but deprecated by Chrome in 2018 due to the risk of site operators accidentally bricking their own sites.
Google was the first major site to deploy public key pinning in 2011, using a proprietary mechanism before HPKP was standardized.
Certificate Transparency (CT) logs, proposed by Google in 2013, largely replaced HPKP as a more practical approach to preventing mis-issued certificates.
FAQ
Is HPKP still recommended?
No — HPKP (HTTP Public Key Pinning) was deprecated by Chrome in 2018 due to self-DoS risks. Certificate Transparency and Expect-CT replaced it.
Why does the tool exist?
Legacy systems and research. Some environments still use HPKP; the tool helps migrate or audit existing configurations.
What should I use instead?
Expect-CT or CAA DNS records. For mobile apps, cert pinning in the app code (more controlled than browser HPKP).
Can I test my pin?
The tool generates the header but doesn't verify against live traffic. Use openssl or curl --pinned-pubkey for runtime validation.