The HTTP Public-Key-Pins-Report-Only response header tells the browser to check the server's certificate chain against the public-key pins it carries and, if the pin validation fails, to send a report to the report-uri given in the header.
Unlike Public-Key-Pins, it still lets the browser connect to the server and shows no error message on the screen when the pinning is violated.
You should read the HTTP Public-Key-Pins article before reading this one.
Header type: Response header
Forbidden header name: no
Public-Key-Pins-Report-Only: pin-sha256="pin-value"; max-age=expire-time; includeSubDomains; report-uri="uri"
pin-sha256="pin-value"
This directive carries the base64-encoded SHA-256 hash of a public key (its Subject Public Key Info); it can be repeated to pin several public keys. The hash algorithm is part of the directive name, so hashing algorithms other than SHA-256 could be added in the future.
max-age=expire-time
This directive is not used in the Public-Key-Pins-Report-Only header: user agents ignore it, and the report-only policy is not cached.
includeSubDomains
This optional directive specifies that the site's pinning rules also apply to its sub-domains.
report-uri="uri"
This optional directive gives the URL to which the browser sends reports of pin validation failures.
Public-Key-Pins-Report-Only: pin-sha256="cUPcTAZWKaASuYWhhneY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elS5P4hhyBNf6lHkmjAHKhpGPWE="; includeSubDomains; report-uri="https://www.geeksforgeeks.org/hpkp-report"
In this example, the first pin, pin-sha256="cUPcTAZWKaASuYWhhneY3oBAkE3h2+soZS7sWs=", is the hash of the server's public key used in production.
The second pin, pin-sha256="M8HztCzM3elS5P4hhyBNf6lHkmjAHKhpGPWE=", is the backup key.
The includeSubDomains directive states that the pins apply to all sub-domains as well.
Finally, report-uri="https://www.geeksforgeeks.org/hpkp-report" says where pin validation failures are to be reported.
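The following Python script is an added example, not code from the original article or from any browser: it shows how a pin-sha256 value is derived (base64 of the SHA-256 digest of the certificate's Subject Public Key Info, which is why a real pin is 44 base64 characters), parses a Public-Key-Pins-Report-Only value into its directives, drops max-age the way a user agent does for the report-only header, applies includeSubDomains when matching the host, and builds the violation report that would be posted to the report-uri. The SPKI byte strings, the host names and the report URL are constructed stand-ins, not real keys or a real server.

```python
import base64
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

# --- constructed inputs (stand-ins, not real keys or a real server) --------
# Real SPKI DER bytes come from the leaf or CA certificate; these only stand
# in for them so the hashing and matching can run offline.
PROD_SPKI = b"\x30\x59\x30\x13\x06\x07constructed-production-spki"
BACKUP_SPKI = b"\x30\x59\x30\x13\x06\x07constructed-backup-spki"
ROGUE_SPKI = b"\x30\x59\x30\x13\x06\x07constructed-unexpected-spki"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for an SPKI: base64(SHA-256(SPKI DER)), RFC 7469 s2.4."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def is_well_formed_pin(pin: str) -> bool:
    """A sha256 pin must decode to exactly 32 bytes (44 base64 characters)."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


PROD_PIN = spki_pin(PROD_SPKI)
BACKUP_PIN = spki_pin(BACKUP_SPKI)
# Constructed header value; the report URL is a placeholder.
EXAMPLE_HEADER = (
    f'pin-sha256="{PROD_PIN}"; pin-sha256="{BACKUP_PIN}"; '
    "max-age=5184000; includeSubDomains; "
    'report-uri="https://example.test/hpkp-report"'
)


def parse_pkp_ro(value: str) -> dict:
    """Parse a Public-Key-Pins-Report-Only value into a policy dict.

    max-age is deliberately not kept: user agents ignore it in the
    Report-Only header and never cache the report-only policy.
    """
    policy = {"pins": [], "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        val = raw.strip().strip('"')
        if name == "pin-sha256":
            if not is_well_formed_pin(val):
                raise ValueError(f"malformed pin-sha256 value: {val!r}")
            policy["pins"].append(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = val
        # max-age and unknown directives are ignored
    return policy


def policy_applies(policy: dict, noted_hostname: str, hostname: str) -> bool:
    """Does a policy noted for noted_hostname cover a connection to hostname?"""
    if hostname == noted_hostname:
        return True
    return policy["include_subdomains"] and hostname.endswith("." + noted_hostname)


def evaluate(policy: dict, noted_hostname: str, hostname: str, port: int,
             chain_spkis: List[bytes]) -> Optional[dict]:
    """Return None when any SPKI in the served chain matches a known pin,
    otherwise a violation report in the RFC 7469 section 3 JSON shape.
    The served-/validated-certificate-chain PEM fields are left out here.
    """
    if not policy_applies(policy, noted_hostname, hostname):
        return None
    if any(spki_pin(s) in policy["pins"] for s in chain_spkis):
        return None
    return {
        "date-time": datetime.now(timezone.utc).isoformat(),
        "hostname": hostname,
        "port": port,
        "include-subdomains": policy["include_subdomains"],
        "noted-hostname": noted_hostname,
        "known-pins": [f'pin-sha256="{p}"' for p in policy["pins"]],
    }


if __name__ == "__main__":
    policy = parse_pkp_ro(EXAMPLE_HEADER)
    ok = evaluate(policy, "example.test", "www.example.test", 443, [PROD_SPKI])
    bad = evaluate(policy, "example.test", "www.example.test", 443, [ROGUE_SPKI])
    print("production chain:", "no report" if ok is None else "report")
    print("unexpected chain report:", json.dumps(bad, indent=2))
```

Because the chain is checked for any matching SPKI, a chain signed by the backup key passes without a report, which is the point of listing a backup pin; a chain that matches neither pin produces the report, and in report-only mode that report is all that happens, the connection itself goes ahead.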
Supported Browsers:
- Google Chrome
- Internet Explorer
- Microsoft Edge