Configuring Public-Key-Pins

There are four configuration options, as well as a list of certs to pin and/or a list of pin values. Note that you must supply two pins to generate a valid header, i.e. two certs, a cert and a pin value, or two pin values.

  • max-age is a TimeSpan (see TimeSpan.Parse)
  • includeSubdomains adds includeSubDomains in the header, defaults to false
  • httpsOnly ensures that the Public-Key-Pins header is set over secure connections only, defaults to true.
  • reportUri specifies an absolute URI to where the browser can report HPKP violations. The scheme must be HTTP or HTTPS.
  • certificates specifies a list of certificates (by thumbprints) that should be pinned.
  • pins specifies a list of pinning values for certificates that should be pinned.

The following examples assume that we supply the pinning values:

  • n3dNcH43TClpDuyYl55EwbTTAuj4T7IloK4GNaH1bnE=
  • d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=

Configuration | Resulting header
max-age="00:00:00" | Public-Key-Pins: max-age=0
max-age="12:00:00" | Public-Key-Pins: max-age=43200;pin-sha256="n3dNcH43TClpDuyYl55EwbTTAuj4T7IloK4GNaH1bnE=";pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="
(configuration not shown in source) | Public-Key-Pins: max-age=31536000;includeSubdomains;pin-sha256="n3dNcH43TClpDuyYl55EwbTTAuj4T7IloK4GNaH1bnE=";pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM="
(configuration not shown in source) | Public-Key-Pins: max-age=31536000;includeSubdomains;pin-sha256="n3dNcH43TClpDuyYl55EwbTTAuj4T7IloK4GNaH1bnE=";pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";report-uri=""
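The following is an added, stand-alone model of the header rules described above (TimeSpan max-age converted to seconds, the two-pin minimum, includeSubdomains, report-uri, and what a pin-sha256 value actually is). It is illustration code written for this page, not NWebsec's implementation; the two pin values are the ones listed above, and the SPKI bytes passed to pin_from_spki_der are a constructed placeholder, not a real public key.

```python
import base64
import binascii
import hashlib
from typing import Optional, Sequence

# The two pin values used in the examples above (taken from the page).
PIN_VALUES = (
    "n3dNcH43TClpDuyYl55EwbTTAuj4T7IloK4GNaH1bnE=",
    "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=",
)


def parse_timespan(value: str) -> int:
    """Convert a .NET TimeSpan string ("hh:mm:ss" or "d.hh:mm:ss") to whole seconds.

    Only the forms used in the examples are handled; TimeSpan.Parse accepts more.
    """
    days = 0
    if "." in value:
        day_part, value = value.split(".", 1)
        days = int(day_part)
    parts = value.split(":")
    if len(parts) != 3:
        raise ValueError(f"unsupported TimeSpan format: {value!r}")
    hours, minutes, seconds = (int(p) for p in parts)
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def pin_from_spki_der(spki_der: bytes) -> str:
    """Derive a pin-sha256 value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).

    The caller supplies the SPKI bytes; in the usage below they are a constructed
    placeholder, not a real key.
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def validate_pin(pin: str) -> str:
    """Reject values that cannot be a pin-sha256: must be base64 of exactly 32 bytes."""
    try:
        raw = base64.b64decode(pin, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"pin is not valid base64: {pin!r}") from exc
    if len(raw) != 32:
        raise ValueError(f"pin decodes to {len(raw)} bytes, expected 32: {pin!r}")
    return pin


def build_hpkp_header(
    max_age: str,
    pins: Sequence[str] = (),
    include_subdomains: bool = False,
    report_uri: Optional[str] = None,
) -> str:
    """Build the Public-Key-Pins header value following the rules in the table above."""
    seconds = parse_timespan(max_age)
    if seconds == 0:
        # max-age=0 tells the browser to drop stored pins, so no pin-sha256 is emitted.
        return "max-age=0"
    if len(pins) < 2:
        raise ValueError("at least two pins are required to generate a valid header")
    if report_uri and not report_uri.lower().startswith(("http://", "https://")):
        raise ValueError("report-uri must be an absolute HTTP or HTTPS URI")
    directives = [f"max-age={seconds}"]
    if include_subdomains:
        directives.append("includeSubdomains")
    directives.extend(f'pin-sha256="{validate_pin(p)}"' for p in pins)
    if report_uri is not None:
        directives.append(f'report-uri="{report_uri}"')
    return ";".join(directives)


if __name__ == "__main__":
    print("Public-Key-Pins: " + build_hpkp_header("12:00:00", PIN_VALUES))
    print("Public-Key-Pins: " + build_hpkp_header("365.00:00:00", PIN_VALUES, include_subdomains=True))
    # Constructed placeholder bytes, only to show the shape of a derived pin.
    print(pin_from_spki_der(b"constructed-placeholder-not-a-real-spki"))
```

The 12-hour and 365-day calls reproduce the second and third rows of the table exactly; the one-pin case raises instead of emitting a header that browsers would ignore, which is the failure mode the note about two pins is warning about.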

In web.config:

<!-- max-age values are TimeSpan strings; at least two pins (thumbprints and/or pin values) are needed -->
<public-Key-Pins max-age="30" includeSubdomains="true">
    <add thumbprint="FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF"/>
    <add pin="Base64 pin"/>
</public-Key-Pins>
<public-Key-Pins-Report-Only max-age="00:00:10" report-uri="">
    <add thumbprint="00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" />
    <add thumbprint="01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01" />
</public-Key-Pins-Report-Only>

NWebsec.Owin (ASP.NET 4): Register the middleware in the OWIN startup class:

using NWebsec.Owin;
using Owin;

public void Configuration(IAppBuilder app)
{
    app.UseHpkp(options => options
        .MaxAge(seconds: 20)
        .PinCertificate("FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF")
        .PinCertificate("00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00")); // second pin: a valid header needs two
}