Public-Key-Pins


Public-Key-Pins is a response header that associates a set of public keys with the web server: it carries Base64-encoded SHA-256 hashes of SubjectPublicKeyInfo (SPKI) structures, at least one of which must appear in the server's certificate chain on later connections. This reduces the risk of man-in-the-middle (MITM) attacks carried out with fraudulently issued certificates. If none of the pinned hashes matches a key in the chain the server presents, the browser treats the connection as invalid and does not show the response to the user. Note that, as the compatibility table below records, HPKP has been removed from Chrome (version 72) and is disabled by default in Firefox from version 72, and a misconfigured pin set can keep users locked out of a site until max-age expires.

For more information, see the HTTP Public Key Pinning article.

Header type Response header
Forbidden header name no

Syntax

Public-Key-Pins: pin-sha256="<pin-value>"; 
                 max-age=<expire-time>; 
                 includeSubDomains; 
                 report-uri="<uri>"

Directives

pin-sha256="<pin-value>"
The quoted string is the Base64-encoded SHA-256 hash of the DER-encoded SubjectPublicKeyInfo (SPKI) of a public key. Pins for several different public keys can be given, each in its own pin-sha256 directive. Some browsers may support hash algorithms other than SHA-256 in the future.
max-age=<expire-time>
The time, in seconds, for which the browser should remember that this site is only to be accessed using one of the pinned keys.
includeSubDomains Optional
If this optional parameter is specified, the rule also applies to all of the site's subdomains.
report-uri="<uri>" Optional
If this optional parameter is specified, pin validation failures are reported to the given URL.
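How a pin-sha256 value is derived, as an added example that is not MDN's code: the value is Base64(SHA-256(DER SubjectPublicKeyInfo)), where the hashed bytes are the complete SPKI structure (tag and length included) taken from the certificate. The code below walks the certificate's DER structure with a minimal stdlib-only reader; the demo certificate it builds is a constructed, unsigned placeholder with the right shape, not a real certificate, and the SPKI inside it is a dummy BIT STRING rather than a real RSA key.

```python
# Added example (not MDN's code): derive a Public-Key-Pins pin-sha256 value from
# a DER-encoded X.509 certificate using only the standard library.
import base64
import hashlib


def der_read_tlv(buf: bytes, pos: int):
    """Read one DER TLV starting at buf[pos].

    Returns (tag, value_start, value_end); the element ends at value_end.
    Only single-byte tags are handled, which is all X.509 uses.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_encode(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (definite short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer,
                                  validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = der_read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, pos, _ = der_read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    if cert_der[pos] == 0xA0:                # optional EXPLICIT [0] version
        _, _, pos = der_read_tlv(cert_der, pos)
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read_tlv(cert_der, pos)
    tag, _, end = der_read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]                 # keep tag and length: the whole SPKI structure is hashed


def pin_sha256(spki_der: bytes) -> str:
    """Base64(SHA-256(DER SubjectPublicKeyInfo)), the pin-sha256 value."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_from_certificate(cert_der: bytes) -> str:
    return pin_sha256(extract_spki(cert_der))


# --- constructed demo input (not a real key or certificate) ---------------------
RSA_OID = bytes.fromhex("2a864886f70d010101")            # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")     # 1.2.840.113549.1.1.11 sha256WithRSAEncryption

# SPKI with the rsaEncryption algorithm identifier and a dummy 270-byte BIT STRING
# standing in for the RSAPublicKey; long enough to exercise long-form DER lengths,
# as a real RSA-2048 key does.
DEMO_SPKI = der_encode(
    0x30,
    der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
    + der_encode(0x03, b"\x00" + b"\x01" * 270),
)


def build_demo_certificate(spki_der: bytes) -> bytes:
    """Certificate-shaped DER with placeholder fields around the given SPKI (constructed, unsigned)."""
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))              # v3
    serial = der_encode(0x02, b"\x01")
    sig_alg = der_encode(0x30, der_encode(0x06, SHA256_RSA_OID) + der_encode(0x05, b""))
    name = der_encode(0x30, b"")                                       # empty issuer / subject
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"250101000000Z"))
    tbs = der_encode(0x30, version + serial + sig_alg + name + validity + name + spki_der)
    signature = der_encode(0x03, b"\x00" + b"\x00" * 256)             # placeholder signature
    return der_encode(0x30, tbs + sig_alg + signature)


DEMO_CERT = build_demo_certificate(DEMO_SPKI)

if __name__ == "__main__":
    print('pin-sha256="%s"' % pin_from_certificate(DEMO_CERT))
```

Against a real PEM certificate the same value is produced by the usual OpenSSL pipeline: `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. Compute the backup pin the same way from the public half of a key pair that is kept offline and is not in any served certificate.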

Examples

If it is set up incorrectly, HPKP can make a site inaccessible to users for a long time. It is therefore important to also pin a backup key or a CA key that is not in the currently served chain; RFC 7469 in fact requires such a backup pin, and a browser will not store pins from a header that lacks one.

Public-Key-Pins: 
  pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; 
  pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; 
  max-age=5184000; includeSubDomains; 
  report-uri="https://www.example.org/hpkp-report"

In this example, pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=" pins the server's current public key. The second pin, pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=", pins the server's backup public key, a key that is not in the served chain and can be rolled to if the current key must be replaced. max-age=5184000 tells the client (the browser) to store the pins for two months, the duration suggested in the IETF RFC. includeSubDomains makes the pins apply to all subdomains as well, and report-uri="https://www.example.org/hpkp-report" sets the address to which pin validation failures are reported.
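The noting and validation rules the example above relies on, as an added example that is not MDN's code: the code below builds a header from pin values, parses a header value (including the one from the example) into its directives, decides whether a browser would store the pins (max-age present, at least one pin matches the served chain, at least one backup pin does not), and then performs pin validation on later connections. The SPKI inputs are constructed byte strings standing in for DER SubjectPublicKeyInfo structures, not real keys, and the attacker chain is likewise constructed.

```python
# Added example (not MDN's code): build, parse and evaluate a Public-Key-Pins
# header following RFC 7469. SPKI inputs below are constructed byte strings
# standing in for DER SubjectPublicKeyInfo structures, not real keys.
import base64
import hashlib


def pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 value: Base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_header(pins, max_age, include_subdomains=False, report_uri=None) -> str:
    """Serialize a Public-Key-Pins header value."""
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    if report_uri:
        parts.append('report-uri="%s"' % report_uri)
    return "; ".join(parts)


def parse_header(value: str) -> dict:
    """Parse a header value into its directives; unknown directives are ignored."""
    parsed = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")   # first '=' only: a report URI may contain '='
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "pin-sha256":
            parsed["pins"].append(raw)
        elif name == "max-age":
            parsed["max_age"] = int(raw)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "report-uri":
            parsed["report_uri"] = raw
    return parsed


def can_note_pins(parsed: dict, chain_spkis) -> tuple:
    """Decide whether a UA would note (store) these pins after a validated TLS handshake.

    RFC 7469 section 2.5: max-age must be present, at least one pin must match an
    SPKI in the validated chain, and at least one Backup Pin must match none.
    Returns (ok, reason).
    """
    chain_pins = {pin_sha256(s) for s in chain_spkis}
    if parsed["max_age"] is None:
        return False, "max-age directive missing"
    if not any(p in chain_pins for p in parsed["pins"]):
        return False, "no pin matches the served certificate chain"
    if all(p in chain_pins for p in parsed["pins"]):
        return False, "no Backup Pin: every pin is in the served chain"
    return True, "pins noted for max-age=%d seconds" % parsed["max_age"]


def pin_validation(known_pins, chain_spkis) -> bool:
    """Later connection: succeeds iff some SPKI in the chain matches a noted pin."""
    chain_pins = {pin_sha256(s) for s in chain_spkis}
    return bool(chain_pins.intersection(known_pins))


# Constructed stand-ins for DER SPKI structures (not real keys).
SERVER_SPKI = b"constructed-spki-current-leaf-key"
BACKUP_SPKI = b"constructed-spki-offline-backup-key"
ATTACKER_SPKI = b"constructed-spki-mitm-key"
INTERMEDIATE_SPKI = b"constructed-spki-intermediate-ca-key"

# The header value from the example above.
PAGE_EXAMPLE_HEADER = (
    'pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; '
    'pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; '
    'max-age=5184000; includeSubDomains; '
    'report-uri="https://www.example.org/hpkp-report"'
)

GOOD_HEADER = build_header([pin_sha256(SERVER_SPKI), pin_sha256(BACKUP_SPKI)],
                           5184000, True, "https://www.example.org/hpkp-report")
NO_BACKUP_HEADER = build_header([pin_sha256(SERVER_SPKI)], 5184000)


def demo() -> dict:
    """Run the scenarios and return the decisions so they can be checked."""
    served_chain = [SERVER_SPKI, INTERMEDIATE_SPKI]
    noted = parse_header(GOOD_HEADER)
    return {
        "noted": can_note_pins(noted, served_chain)[0],
        "no_backup_noted": can_note_pins(parse_header(NO_BACKUP_HEADER), served_chain)[0],
        "current_key_ok": pin_validation(noted["pins"], served_chain),
        "rotated_to_backup_ok": pin_validation(noted["pins"], [BACKUP_SPKI, INTERMEDIATE_SPKI]),
        "mitm_rejected": not pin_validation(noted["pins"], [ATTACKER_SPKI, b"constructed-spki-rogue-ca"]),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(scenario, decision)
```

The "no_backup_noted" scenario is the misconfiguration the paragraph above warns about from the other side: a header with only the current key is silently ignored, so the site gets no protection, while a header that pins the current key but whose backup key was lost locks users out for the full max-age once the current key has to be replaced.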

Specifications

Specification                                   Title
RFC 7469, section 2.1: Public-Key-Pins          Public Key Pinning Extension for HTTP

Browser compatibility

Public-Key-Pins
  Chrome: supported from an unknown version until removed in 72; no support from 72
  Edge: no support (under consideration for a future release)
  Firefox: supported from 35 to 72; from 72 the feature is behind the security.cert_pinning.hpkp.enabled preference, which must be set to true in about:config
  Internet Explorer: no support
  Opera: full support
  Safari: no support
  Android webview: full support
  Chrome for Android: supported from an unknown version until removed in 72; no support from 72
  Firefox for Android: full support from 35
  Opera for Android: full support
  Safari on iOS: no support
  Samsung Internet: full support

report-uri
  Chrome: supported from 46 until removed in 72; no support from 72
  Edge: no support
  Firefox: no support (see bug 1091176)
  Internet Explorer: no support
  Opera: full support from 33
  Safari: no support
  Android webview: full support
  Chrome for Android: supported from an unknown version until removed in 72; no support from 72
  Firefox for Android: no support
  Opera for Android: full support from 33
  Safari on iOS: no support
  Samsung Internet: full support


See also