Public-Key-Pins test
This page allows online testing of browser (or web firewall, if an SSL-decrypting firewall is used) support for the Public Key Pinning Extension for HTTP (HPKP) and HTTP Strict Transport Security (HSTS).
About Public key pinning and HPKP
The "Public key pinning" and "Public Key Pinning Extension for HTTP (HPKP)" sections of the Public-Key-Pins calculator page briefly describe these technologies, how they work and how they make HTTPS/SSL/TLS connections more secure.
Deprecation
HPKP has been removed in Chrome 72 and Firefox 72.
In Firefox 72 - 77 it was possible to re-enable HPKP by manually setting the security.cert_pinning.hpkp.enabled about:config setting to true.
In Firefox 78 HPKP has been completely removed (security.cert_pinning.hpkp.enabled has no effect on Firefox 78 and later).
Browser compatibility test
Automatic test results for browser visiting this page:
Feature | Support |
---|---|
Public Key Pinning Extension for HTTP (HPKP) | |
HTTP Strict Transport Security (HSTS) |
More precise manual testing
- The Public Key Pinning Extension for HTTP test page will open only upon failure; upon success the browser will show a non-bypassable error (stating that verification of the certificate hash has failed). This test works by opening a page on a subdomain whose certificate public key is not pinned via the Public-Key-Pins HTTP header sent by this page.
- The HTTP Strict Transport Security (HSTS) test page will open a page showing whether browser-side redirection from HTTP to HTTPS has happened. This test works by using two different HTML files (a success message available via HTTPS and a failure message available via HTTP) and linking to the failure message.
- The HTTP Strict Transport Security (HSTS) No User Recourse test page will show a non-bypassable browser error (about an invalid certificate) upon success or will display a regular/bypassable browser error upon failure. This test works by opening a page on a subdomain whose certificate is considered invalid (with a mismatched name) but has a correctly pinned public key (it is actually the certificate of this site).
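The decision a supporting browser makes in the HPKP and No User Recourse tests above, as an added Python example (not code from this site). The header values, max-age figures and SPKI byte strings are constructed, and the site's Public-Key-Pins header is assumed to carry includeSubDomains.

```python
import base64
import hashlib

def pin_sha256(spki_der):
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_policy(header):
    """Parse a Public-Key-Pins or Strict-Transport-Security header value."""
    pins, max_age, subs = set(), None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            subs = True
    return pins, max_age, subs

def covers(noted_host, include_subdomains, host):
    """A noted host covers itself, and subdomains only with includeSubDomains."""
    return host == noted_host or (include_subdomains and host.endswith("." + noted_host))

def decide(host, chain_spkis, cert_valid, noted_host, pkp_header, hsts_header):
    """Return 'ok', 'bypassable-error' or 'hard-fail' for a connection to host."""
    pins, _, pkp_subs = parse_policy(pkp_header)
    _, hsts_age, hsts_subs = parse_policy(hsts_header)
    hsts = bool(hsts_age) and covers(noted_host, hsts_subs, host)
    if not cert_valid:
        # RFC 6797 section 12.1: no click-through for a known HSTS host.
        return "hard-fail" if hsts else "bypassable-error"
    if pins and covers(noted_host, pkp_subs, host):
        # RFC 7469: at least one key in the validated chain must match a pin.
        if not pins & {pin_sha256(s) for s in chain_spkis}:
            return "hard-fail"
    return "ok"

# Constructed sample data: placeholder byte strings stand in for DER SPKIs.
SITE, BACKUP, OTHER = b"constructed-site", b"constructed-backup", b"constructed-other"
PKP = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
    pin_sha256(SITE), pin_sha256(BACKUP))
HSTS = "max-age=31536000; includeSubDomains"
ROOT = "projects.dm.id.lv"

if __name__ == "__main__":
    print(decide("pkptest." + ROOT, [OTHER], True, ROOT, PKP, HSTS))   # HPKP test
    print(decide("hststest." + ROOT, [SITE], False, ROOT, PKP, HSTS))  # No User Recourse test
```

Passing an empty string as `hsts_header` models a browser without HSTS support; the name-mismatch case then degrades to a bypassable error, which is the failure outcome the No User Recourse test describes.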
Direct test links
These links can be used to detect browser bugs in Public Key Pinning Extension for HTTP and HTTP Strict Transport Security (HSTS) implementations under specific conditions (e.g. when the address is typed after re-opening the browser, added to favorites, set as the homepage, opened by restoring a session, etc.). These addresses can be used only after visiting https://projects.dm.id.lv/. Upon success both of these addresses will show non-bypassable browser errors.
- https://pkptest.projects.dm.id.lv/ is the direct address of the Public Key Pinning Extension for HTTP test page. It will open a page only upon failure, or it will show a non-bypassable browser error (stating that verification of the certificate hash has failed) upon success.
- http://hststest.projects.dm.id.lv/ (please note "http://" without "s") is the direct address of the HTTP Strict Transport Security (HSTS) (including No User Recourse) test page. It will open a page (or a bypassable error/warning) only upon failure, or it will show a non-bypassable browser error (about an invalid certificate) upon success. This address tests both HSTS and HSTS No User Recourse, so a bypassable error/warning means that only No User Recourse is not supported.
Test results for some well known browsers
This table shows test results for some popular web browsers (two results marked with * are not test results, but data taken from documentation):
Browser | Platform | HPKP supported | HSTS supported | HSTS No User Recourse |
---|---|---|---|---|
Firefox 78.0.1 with security.cert_pinning.hpkp.enabled enabled * | Windows/Linux/MacOS/Android/iOS | No | Yes | Yes |
Firefox 78.0.1 with security.cert_pinning.hpkp.enabled enabled | Windows 8.1 | No | Yes | Yes |
Firefox 75.0 with security.cert_pinning.hpkp.enabled enabled | Windows 8.1 | Yes | Yes | Yes |
Chrome 72.0 * | Windows/Linux/MacOS/Android/iOS | No | Yes | Yes |
Firefox 72.0 * | Windows/Linux/MacOS/Android/iOS | No | Yes | Yes |
Chrome 35.0.1916.153 m | Windows 7 | Yes | Yes | Yes |
Firefox 35.0 | Windows 7 | Yes | Yes | Yes |
Firefox 34.0 | Windows 7 | No | Yes | Yes |
Opera 23.0.1522.60 | Windows 7 | Partially (bypassable error) | Yes | No |
Internet Explorer 11.0.38 (11.0.9600.18538) | Windows 8.1 | No | Yes | Yes |
Internet Explorer 11.0.38 (11.0.9600.18537) | Windows 7 | No | Yes | Yes |
Internet Explorer 11.0.8 (11.0.9600.16663) | Windows 8.1 | No | No | No |
Chrome 35.0.1916.153 | MacOS 10.9 | Yes | Yes | Yes |
Firefox 35.0 | MacOS 10.10.1 | Yes | Yes | Yes |
Firefox 33.0.3 | MacOS 10.10.1 | No | Yes | Yes |
Safari 7.0.3 (9537.75.14) | MacOS 10.9 | No | Yes | Yes |
Chrome 35.0.1916.153 | Linux (Debian 7.5) | Yes | Yes | Yes |
Firefox 35.0 | Linux (Debian 7.8) | Yes | Yes | Yes |
Firefox 34.0 | Linux (Debian 7.8) | No | Yes | Yes |
Iceweasel 31.4.0 | Linux (Debian 7.8) | No | Yes | Yes |
Opera 12.16 (build 1860) | Linux (Debian 7.5) | No | Yes | Yes |
Chrome 38.0.2125.114 | Android (CM11) | Yes | Yes | Yes |
Chrome 37.0.2062.117 | Android (CM11) | No | Yes | Yes |
Firefox 35.0 | Android (CM11) | Yes | Yes | Yes |
Firefox 34.0 | Android (CM11) | No | Yes | Yes |
Opera Classic 12.10.ADR-1309251116 | Android (CM11) | No | Yes | Yes |
Android 4.4.4 built-in browser | Android (CM11 M12) | No | Yes | No |
Chrome 39.0.2171.50 | iPhone 5 (iOS 7.1.2) | Yes | Yes | Yes |
Chrome 35.0.1916.41 | iPhone 5 (iOS 7.1.1) | No | Yes | Yes |
iOS 8.1.1 Safari | iPhone 5 (iOS 8.1.1 (12B435)) | No | Yes | Yes |
iOS 7.1.1 Safari | iPhone 5 (iOS 7.1.1 (11D201)) | No | Yes | Yes |
Atomic Web 7.0.1 | iPhone 5 (iOS 7.1.1) | No | Yes | Yes |
Related browser security tests
Here are links to some third-party browser SSL/TLS tests. They can be used to test other security features of a web browser.
- https://www.ssllabs.com/ssltest/viewMyClient.html - online browser test which analyzes various SSL/TLS (and related) features.
- https://badssl.com/ - various online SSL/TLS browser tests.
- https://www.grc.com/revocation.htm - online browser test which checks for acceptance of revoked certificates.