Validate certificate pinning configurations and verify public key hash pins. Part of the DevTools Surf developer suite.
Use Cases
Validate that an app's bundled SPKI hashes match the server's current certificate chain.
Check whether backup pins are present and hash to valid SPKI values.
Verify pinning configuration before deploying a new TLS certificate to prevent lockouts.
Tips
Pin to the Subject Public Key Info (SPKI) hash, not the certificate itself — SPKI pins survive certificate renewal as long as the key pair is reused.
Always include at least one backup pin for a different key so a compromised key does not permanently lock users out.
Test pinning in report-only mode first using the Public-Key-Pins-Report-Only header before enforcing.
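The two checks from the use cases and tips above (pins match the current chain, and a backup pin for a different key is present), written as an added Python example using only the standard library; it is not the DevTools Surf tool's own code, and the SPKI byte strings are constructed stand-ins, not real keys.

```python
import base64
import hashlib

# Pin format from RFC 7469: "sha256/" + base64(SHA-256 over the DER-encoded SPKI).
PIN_PREFIX = "sha256/"


def spki_pin(spki_der: bytes) -> str:
    """Return the pin string for a DER-encoded SubjectPublicKeyInfo."""
    return PIN_PREFIX + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_is_well_formed(pin: str) -> bool:
    """A usable pin carries the sha256/ prefix and decodes to exactly 32 bytes."""
    if not pin.startswith(PIN_PREFIX):
        return False
    try:
        return len(base64.b64decode(pin[len(PIN_PREFIX):], validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def validate_pin_set(configured_pins, chain_spkis):
    """Check a pin configuration against the SPKIs of the server's current chain.

    Returns a list of problems; an empty list means the set is safe to deploy.
    Rule 1: at least one configured pin must match an SPKI in the chain.
    Rule 2: at least one well-formed pin must NOT match any chain SPKI, i.e. a
            backup pin for a key held in reserve, so rotation cannot lock users out.
    """
    problems = [f"malformed pin: {p!r}" for p in configured_pins if not pin_is_well_formed(p)]
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    matched = [p for p in configured_pins if p in chain_pins]
    backups = [p for p in configured_pins if pin_is_well_formed(p) and p not in chain_pins]
    if not matched:
        problems.append("no configured pin matches the current chain: clients would reject it")
    if not backups:
        problems.append("no backup pin: rotating to a new key would lock pinned clients out")
    return problems


# Constructed sample input (not real keys): stand-ins for DER-encoded SPKI blobs.
LEAF_SPKI = b"\x30\x59\x30\x13" + b"leaf-key-bytes" * 4
INTERMEDIATE_SPKI = b"\x30\x82\x01\x22" + b"intermediate-key" * 8
BACKUP_SPKI = b"\x30\x59\x30\x13" + b"reserve-key-bytes" * 4

GOOD_CONFIG = [spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)]
NO_BACKUP_CONFIG = [spki_pin(LEAF_SPKI)]  # leaf only: a key rotation would strand clients

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("no-backup", NO_BACKUP_CONFIG)):
        print(name, validate_pin_set(cfg, [LEAF_SPKI, INTERMEDIATE_SPKI]) or "OK")
```

Feed real SPKI DER (for example the output of `openssl x509 -pubkey -noout | openssl pkey -pubin -outform der`) into `spki_pin` to compare against an app's bundled pins.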
Fun Facts
HTTP Public Key Pinning (HPKP) was deprecated by Chrome in 2018 after several high-profile site lockouts caused by misconfiguration — including a GitHub incident that affected users for months.
Google's Certificate Transparency (CT) logs, launched in 2013, largely replaced HPKP as the industry's preferred mechanism for detecting rogue certificates.
Mobile app certificate pinning was mandated by Apple in its App Transport Security requirements starting with iOS 9 (2015), though custom exceptions can be declared in the app bundle.
FAQ
What is SPKI pinning vs. certificate pinning?
Certificate pinning compares the full certificate; SPKI pinning hashes only the public key portion. SPKI pinning persists across renewals if the key is reused, making it less operationally fragile.
Is HPKP still used?
Rarely. Most browsers dropped HPKP support after 2018 due to misconfiguration risks. Mobile apps still implement certificate/SPKI pinning directly in application code.