Remove HTTP-Based Public Key Pinning - Chrome Platform Status

Remove HTTP-Based Public Key Pinning (deprecated)

We expect to remove support for HPKP in Chrome 69. HTTP-Based Public Key Pinning (HPKP) was intended to allow websites to send an HTTP header that pins one or more of the public keys present in the site's certificate chain. It has very low adoption, and although it provides security against certificate misissuance, it also creates risks of denial of service and hostile pinning. See https://groups.google.com/a/chromium.org/d/msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ for more details.

Specification

Established standard

Status in Chromium

Blink components: Security

Deprecated (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: No public signals
Edge: No public signals
Safari: No public signals
Web Developers: Mixed signals

Owners

palmer@chromium.org
estark@chromium.org
rsleevi@chromium.org

Last updated on 2018-04-12