Public-Key-Pins

HTTP response header

The HTTP Public-Key-Pins response header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them is used by the server, the browser will not accept the response as legitimate and will not display it.

Header usage statistics

Public-Key-Pins response header information and usage statistics.

Websites using header Public-Key-Pins: 16,702
Percentage of websites that use Public-Key-Pins header: <0.1%
Total discovered header values: 3,154
Header uses directives: Yes
Header values are unique or random: No
Most popular in the country: US

Public-Key-Pins directives (4 total)

  • includesubdomains
  • max-age
  • pin-sha256
  • report-uri

Public-Key-Pins Directives

Public-Key-Pins directives value information and usage statistics

Directive | Share | Websites count | Unique Values
pin-sha256 | 98.74% | 16,491 | 173
max-age | 86.73% | 14,486 | 33
includesubdomains | 74.82% | 12,496 | 32
report-uri | 6.78% | 1,133 | 25

Distribution by websites popularity

Public-Key-Pins detection in the top websites by popularity

Top 10k sites: 12 websites
Top 100k sites: 97 websites
Top 1m sites: 712 websites


Geographical Distribution

Header usage distribution by websites across the globe (map not reproduced).

Common header values

List of top common Public-Key-Pins header values

Header value | Value prevalence
pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains | 13.09%
pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=" max-age=15552000; includeSubDomains | 11.65%
pin-sha256="<Subject Public Key Information (SPKI)>"; max-age=2592000; includeSubDomains | 5.53%
pin-sha256='X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg='; pin-sha256='MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec='; pin-sha256='isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg='; includeSubdomains; max-age=2592000 | 4.99%
pin-sha256=""; pin-sha256=""; max-age=31536000 | 2.30%
pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains | 2.15%
pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains | 1.89%
pin-sha256='base64+primary=='; pin-sha256='base64+backup=='; max-age=5184000; includeSubDomains | 1.66%
pin-sha256="base64+info1="; max-age=31536000 | 1.11%
pin-sha256="pin1"; pin-sha256="pin2"; max-age=2592000 | 0.83%
pin-sha256="S1CQF4bfrfu+0NZpDAVgczOJu73tqMTakCcdDM6il1E="; pin-sha256="7V0k+NyeVRIXOmD+zCJpX6nsXdAFjX0MsIACD/NeTQg="; max-age=2592000; includeSubDomains | 0.80%
pin-sha256="Slt48iBVTjuRQJTjbzopminRrHSGtndY0/sj0lFf9Qk="; pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; max-age=60; includeSubDomains | 0.67%
pin-sha256="aR6DUqN8qK4HQGhBpcDLVnkRAvOHH1behpQUU1Xl7fE="; max-age=2592000; includeSubDomains | 0.63%
pin-sha256=”SPKI_digest#1“; pin-sha256=”SPKI_digest#2“; max-age=31536000 | 0.56%
pin-sha256=base64+primary==; pin-sha256=base64+backup==; max-age=5184000; includeSubDomains | 0.56%
pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="; pin-sha256="diGVwiVYbubAI3RW4hB9xU8e/CH2GnkuvVFZE8zmgzI="; max-age=5184000; includeSubDomains | 0.56%
pin-sha256=\"\"; pin-sha256=\"\"; max-age=31536000 | 0.53%
pin-sha256="nQPXamGeO1QhgyL4G/h0MO2/GmWgDTPYayL81ZL37Qg="; max-age=5184000; includeSubDomains | 0.52%
max-age=2592000;pin-sha256="GRAH5Ex+kB4cCQi5gMU82urf+6kEgbVtzfCSkw55AGk=";pin-sha256="Dh46PQn5HIpXCusEb8G7YJsLzBSGAzNjgvsxeShjlv8=" | 0.51%
pin-sha256="jDNPIoQdviZhELycQEXvXmBzJFLLM13xUlT8Jamgc0U="; pin-sha256="KVhT/NkSwnjmxDOvcy6MKwG9ak5RAgxEOV0QQBT94Bo="; pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="https:/ | 0.44%