The HTTP Public-Key-Pins-Report-Only response header instructs the browser to send a report to the report-uri given in the header whenever a pin validation failure occurs.
Unlike Public-Key-Pins, however, it still lets the browser connect to the server and shows no error message on the screen when the pinning is violated.
You should read the HTTP Public-Key-Pins article before reading this one.
Header type: Response header
Forbidden header name: no
Public-Key-Pins-Report-Only: pin-sha256="pin-value"; max-age=expire-time; includeSubDomains; report-uri="uri"
- pin-sha256="pin-value"
This directive carries a pin, the Base64-encoded SHA-256 hash of a public key; it can be repeated to specify multiple pins for different public keys. Hashing algorithms other than SHA-256 may be supported in the future.
- max-age=expire-time
This directive is not used by the Public-Key-Pins-Report-Only header: user agents ignore it, because the header is never cached.
- includeSubDomains
This directive specifies that the site's pinning rules also apply to its subdomains. This parameter is optional.
- report-uri="uri"
This directive specifies the URI to which reports of pin validation failures are sent. This parameter is also optional.
Public-Key-Pins-Report-Only: pin-sha256="cUPcTAZWKaASuYWhhneY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elS5P4hhyBNf6lHkmjAHKhpGPWE="; includeSubDomains; report-uri="https://www.geeksforgeeks.org/hpkp-report"
In this example, the first pin, pin-sha256="cUPcTAZWKaASuYWhhneY3oBAkE3h2+soZS7sWs=", is the hash of the server's public key used in production.
The second pin, pin-sha256="M8HztCzM3elS5P4hhyBNf6lHkmjAHKhpGPWE=", is the backup key.
The includeSubDomains directive states that the pins are also valid for all subdomains.
Finally, report-uri="https://www.geeksforgeeks.org/hpkp-report" specifies where pin validation failures are reported.
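The following added example (not from the original article) models what a browser does with this header: it parses the directives, computes pin-sha256 values, and, on a mismatch, builds the report that would go to report-uri while still allowing the connection. The SPKI byte strings and the example.invalid hostnames are constructed placeholders, and the report carries only a subset of the RFC 7469 report fields.

```python
import base64
import hashlib
from datetime import datetime, timezone

def parse_hpkp_report_only(header_value):
    """Split a Public-Key-Pins-Report-Only value into its directives. max-age is
    dropped on purpose: user agents ignore it because this header is never cached."""
    policy = {"pins": [], "includeSubDomains": False, "report-uri": None}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "report-uri":
            policy["report-uri"] = value
    return policy

def spki_pin(spki_der):
    """pin-sha256 value: Base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def evaluate_report_only(header_value, hostname, chain_spki_ders, port=443):
    """Mimic a user agent: return None if any certificate in the validated chain
    matches a pin, otherwise the violation report destined for report-uri.
    The TLS connection proceeds in both cases; that is what "report-only" means."""
    policy = parse_hpkp_report_only(header_value)
    served = [spki_pin(der) for der in chain_spki_ders]
    if any(pin in policy["pins"] for pin in served):
        return None
    return {
        "report-uri": policy["report-uri"],
        "date-time": datetime.now(timezone.utc).isoformat(),
        "hostname": hostname,
        "port": port,
        "include-subdomains": policy["includeSubDomains"],
        "known-pins": [f'pin-sha256="{p}"' for p in policy["pins"]],
        "served-certificate-chain-pins": served,
    }

# Constructed sample: stand-in SPKI bytes, not real keys.
PROD_SPKI = b"constructed-production-spki"
BACKUP_SPKI = b"constructed-backup-spki"
HEADER = (f'pin-sha256="{spki_pin(PROD_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
          'max-age=5184000; includeSubDomains; report-uri="https://example.invalid/hpkp-report"')

if __name__ == "__main__":
    print(evaluate_report_only(HEADER, "www.example.invalid", [PROD_SPKI]))  # None: pinned key seen
    print(evaluate_report_only(HEADER, "www.example.invalid", [b"constructed-unexpected-spki"]))
```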
Supported browsers:
- Google Chrome
- Internet Explorer
- Microsoft Edge