Public-Key-Pins

HTTP response header

The HTTP Public-Key-Pins response header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them is used by the server, the browser will not accept the response as legitimate and will not display it.

Header usage statistics

Public-Key-Pins response header information and usage statistics.

Websites using header Public-Key-Pins | 3,747
Percentage of websites that use Public-Key-Pins header | <0.1%
Total discovered header values | 1,217
Header uses directives | Yes
Header values are unique or random | No
Most popular in the country | United States of America

Public-Key-Pins Directives (4 total)

  • includesubdomains
  • max-age
  • pin-sha256
  • report-uri

Public-Key-Pins Directives

Public-Key-Pins directive value information and usage statistics.

Directive | Share | Websites count | Unique Values
pin-sha256 | 25.81% | 967 | 125
includesubdomains | 23.41% | 877 | 24
max-age | 7.85% | 294 | 29
report-uri | 0.32% | 12 | 8

Distribution by websites popularity

Public-Key-Pins detection in the top websites by popularity

Top 10k sites | 18 websites
Top 100k sites | 59 websites
Top 1m sites | 617 websites

Websites utilizing Public-Key-Pins

List of websites that use Public-Key-Pins header

Domain | Country | Rank
addons.mozilla.org | United States of America | 113
www.fcc.gov | United States of America | 744
torproject.org | Germany | 768
www.barnesandnoble.com | United States of America | 976
my.pcloud.com | Luxembourg | 1,365
validator.w3.org | United States of America | 1,413

Geographical Distribution

Header usage distribution by websites across the globe.

Common header values

List of top common Public-Key-Pins header values

Header value | Value prevalence
pin-sha256="X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=" max-age=15552000; includeSubDomains | 22.26%
pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains | 7.87%
pin-sha256=''X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=''; pin-sha256=''MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec=''; pin-sha256=''isi41AizREkLvvft0IRW4u3XMFR2Yg7bvrF7padyCJg=''; includeSubdomains; max-age=2592000 | 4.16%
pin-sha256=""; pin-sha256=""; max-age=31536000 | 2.32%
pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains | 2.14%
pin-sha256="<Subject Public Key Information (SPKI)>"; max-age=2592000; includeSubDomains | 1.79%
pin-sha256="S1CQF4bfrfu+0NZpDAVgczOJu73tqMTakCcdDM6il1E="; pin-sha256="7V0k+NyeVRIXOmD+zCJpX6nsXdAFjX0MsIACD/NeTQg="; max-age=2592000; includeSubDomains | 1.44%
pin-sha256=''base64+primary==''; pin-sha256=''base64+backup==''; max-age=5184000; includeSubDomains | 1.23%
pin-sha256="jDNPIoQdviZhELycQEXvXmBzJFLLM13xUlT8Jamgc0U="; pin-sha256="KVhT/NkSwnjmxDOvcy6MKwG9ak5RAgxEOV0QQBT94Bo="; pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="https:/ | 1.01%
pin-sha256="base64+info1="; max-age=31536000 | 0.56%
pin-sha256="++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI="; pin-sha256="JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg="; max-age=2592000; includeSubDomains | 0.51%
pin-sha256=”SPKI_digest#1“; pin-sha256=”SPKI_digest#2“; max-age=31536000 | 0.45%
pin-sha256="3CDX8ZTd/68QP6/Z2m+cB3voajCzmPxjfc+17eTvCYM="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000; includeSubDomains | 0.45%
max-age=999999;pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=";pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4=";pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";includeS | 0.40%
pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains | 0.37%
pin-sha256="bWdUrxNN9K0g0JJ2ncPZJwsJ5YS8nJpbZrcUE1W/Mh8="; pin-sha256="UEem6LeyvLX19I+/b5FoJzW66nu47Yx3h3/DaR1y2nE="; max-age=0 | 0.37%
pin-sha256=\"\"; pin-sha256=\"\"; max-age=31536000 | 0.35%
pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; max-age=5184000; includeSubDomains | 0.35%
pin-sha256="aR6DUqN8qK4HQGhBpcDLVnkRAvOHH1behpQUU1Xl7fE="; max-age=2592000; includeSubDomains | 0.32%
max-age=0; includeSubDomains | 0.29%