Public-Key-Pins Header is Set
Impact: Informational
Description
The HTTP Public-Key-Pins (HPKP) response header let a site tell the browser which public keys (as SHA-256 hashes of the certificate's SubjectPublicKeyInfo) had to appear in its certificate chain on later visits, so that a certificate issued for the site by a compromised or coerced CA would be rejected and a MITM attack with a forged certificate would fail. The mechanism has been deprecated and removed from all major browsers, which now ignore the header. A stale or mistaken pin could lock users out of the site for the whole max-age period with no recovery path, which is the main reason it was abandoned. The header is therefore harmless but has no security effect, hence this informational finding.
Recommendation
Remove the Public-Key-Pins header (and Public-Key-Pins-Report-Only, if present) from the server configuration. Do not replace it with Expect-CT: that header has also been deprecated and removed from Chrome, because Chrome and Safari now require Certificate Transparency for every publicly trusted certificate without any opt-in from the site. To keep MITM resistance, make sure Strict-Transport-Security is set with a long max-age so the browser refuses plaintext and downgraded connections, and obtain certificates from a publicly trusted CA, which logs them to CT so that browsers accept them.
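The check below is an added example for the Description and Recommendation above; it is not code from the original finding page. It parses a constructed HTTP/1.1 response (the example.com report URI and the SPKI placeholder bytes are assumptions, not taken from any real server), breaks a Public-Key-Pins value into its directives, reports Public-Key-Pins and Expect-CT as deprecated headers that browsers ignore, and flags a missing Strict-Transport-Security header. The spki_pin helper shows how a pin-sha256 value was derived: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).

```python
"""Audit a raw HTTP response for deprecated key-pinning headers.

Added example, not code from the original finding page. The response,
the report URI and the SPKI placeholder bytes are constructed.
"""
import base64
import hashlib
import re
from typing import Dict, List


def spki_pin(spki_der: bytes) -> str:
    """Return the pin-sha256 value for a DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed placeholders standing in for real DER SPKI blobs; only the
# hashing step matters here, the bytes are never parsed as ASN.1.
PRIMARY_PIN = spki_pin(b"constructed-primary-spki")
BACKUP_PIN = spki_pin(b"constructed-backup-spki")

# Constructed sample response; not captured from any real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    f'Public-Key-Pins: pin-sha256="{PRIMARY_PIN}"; pin-sha256="{BACKUP_PIN}"; '
    'max-age=5184000; includeSubDomains; report-uri="https://example.com/hpkp-report"\r\n'
    "Expect-CT: max-age=86400, enforce\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values (repeated headers are kept)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _is_valid_pin(pin: str) -> bool:
    """A pin-sha256 must be base64 of exactly 32 bytes (one SHA-256 digest)."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False


def parse_pkp(value: str) -> dict:
    """Break a Public-Key-Pins value into its directives."""
    pins = re.findall(r'pin-sha256="([^"]*)"', value)
    max_age = re.search(r"max-age=(\d+)", value)
    report = re.search(r'report-uri="([^"]*)"', value)
    return {
        "pins": pins,
        "valid_pins": bool(pins) and all(_is_valid_pin(p) for p in pins),
        "max_age": int(max_age.group(1)) if max_age else None,
        "include_subdomains": re.search(r"\bincludeSubDomains\b", value, re.I) is not None,
        "report_uri": report.group(1) if report else None,
    }


def audit(raw: str) -> List[dict]:
    """Return findings for the deprecated headers and for a missing HSTS header."""
    headers = parse_headers(raw)
    findings: List[dict] = []
    for name in ("public-key-pins", "public-key-pins-report-only"):
        for value in headers.get(name, []):
            findings.append({
                "header": name,
                "status": "deprecated",
                "detail": parse_pkp(value),
                "advice": "Remove it; current browsers ignore HPKP.",
            })
    for value in headers.get("expect-ct", []):
        findings.append({
            "header": "expect-ct",
            "status": "deprecated",
            "detail": value,
            "advice": "Remove it; CT is enforced by default, no opt-in header is needed.",
        })
    if "strict-transport-security" not in headers:
        findings.append({
            "header": "strict-transport-security",
            "status": "missing",
            "detail": None,
            "advice": "Add HSTS so the browser refuses plaintext and downgraded connections.",
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(f'{finding["header"]}: {finding["status"]} -> {finding["advice"]}')
```

Run it as a script to see the three findings for the sample; pass it the header block of a real response (everything up to the blank line) to audit a live server. A response that carries only a well-formed Strict-Transport-Security header yields no findings.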
References
- CWE-16
- Mozilla: Certificate Transparency
- Mozilla: Expect-CT
- Mozilla: Public-Key-Pins
- OWASP 2021-A5
- Wikipedia: Man-in-the-middle attack
Last updated on May 13, 2024