HTTP Public Key Pinning

- OTHER

Declare, via an HTTP header, that a website's HTTPS certificate should only be treated as valid if its public key is contained in a specified list. This is intended to prevent MITM attacks that use valid CA-issued certificates.

Chrome

  1. 4 - 37: Not supported
  2. 38 - 71: Supported
  3. 72 - 122: Not supported
  4. 123: Not supported
  5. 124 - 126: Not supported

Edge

  1. 12 - 122: Not supported
  2. 123: Not supported

Safari

  1. 3.1 - 17.3: Not supported
  2. 17.4: Not supported
  3. TP: Not supported

Firefox

  1. 2 - 34: Not supported
  2. 35 - 71: Supported
  3. 72 - 123: Not supported
  4. 124: Not supported
  5. 125 - 127: Not supported

Opera

  1. 9 - 19: Not supported
  2. 20 - 22: Support unknown
  3. 23: Partial support
  4. 24: Support unknown
  5. 25 - 65: Supported
  6. 66 - 107: Not supported
  7. 108: Not supported

IE

  1. 5.5 - 10: Not supported
  2. 11: Not supported

Chrome for Android

  1. 122: Not supported

Safari on iOS

  1. 3.2 - 17.3: Not supported
  2. 17.4: Not supported

Samsung Internet

  1. 4 - 10.1: Supported
  2. 11.1 - 22: Not supported
  3. 23: Not supported

Opera Mini

  1. all: Not supported

Opera Mobile

  1. 10 - 12.1: Not supported
  2. 80: Not supported

UC Browser for Android

  1. 15.5: Not supported

Android Browser

  1. 2.1 - 4.4.4: Not supported
  2. 122: Not supported

Firefox for Android

  1. 123: Not supported

QQ Browser

  1. 14.9: Not supported

Baidu Browser

  1. 13.52: Not supported

KaiOS Browser

  1. 2.5: Supported
  2. 3: Not supported

All browsers have removed support. The header was too complicated to use and, when implemented incorrectly, could completely block a website for long periods of time.

Certificate Transparency is widely used and tries to provide the same security by very different means.

Resources:

- MDN Web Docs - Public Key Pinning
- Scott Helme article on the issues of HPKP