Public-Key-Pins Header is Set

Description

The HTTP Public-Key-Pins response header was used to associate a specific cryptographic public key with a web server to mitigate the risk of MITM attacks with forged certificates. However, it has been deprecated and is no longer supported by modern browsers.

Recommendation

Consider removing the Public-Key-Pins header and instead use the Expect-CT header along with Certificate Transparency to enhance security against MITM attacks.

References

• Mozilla: Public-Key-Pins
• Mozilla: Certificate Transparency
• Mozilla: Expect-CT
• Wikipedia: Man-in-the-middle attack
• CWE-16
• OWASP 2021-A5

Related Issues

• Strict-Transport-Security Header is Missing - Vulnerability
• X-XSS-Protection Header is Set - Vulnerability
• Content-Security-Policy Header is Missing - Vulnerability
• Cookie without Secure Flag - Vulnerability

Tags:

HTTP Headers

SSL/TLS

Certificate Transparency

Man-in-the-middle Attack

Application Misconfiguration