I am trying to implement "Public-Key-Pinning" on my IIS server, but even when I enter a wrong hash, the page is still accessible without any kind of error (tested on Google Chrome).

The header is as follows:

Public-Key-Pins:
max-age=90;
pin-sha256="[Hash]"

I know that it is meaningless to have a "max-age" value of 90, but I am only testing the header behavior.

I used https://report-uri.io/home/pkp_hash to generate my hash and used the Root Certification Authority.

Here is how I tried to make my website inaccessible for those with an invalid pin:

  1. Configure the header with a "max-age" of 90 seconds
  2. Navigate to the web site in Google Chrome
  3. Modify the pin-sha256 of the header to put in an invalid one (replacing one letter)
  4. Close Google Chrome
  5. Navigate back to my web site

I thought I would get the "invalid pin error" (I did it under 90 seconds), but nothing happened.

What am I doing wrong?
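The following is an added example, not code from the question or from IIS, that computes `pin-sha256` values the way RFC 7469 defines them (base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo) and then checks a `Public-Key-Pins` field value against the conditions under which a browser will silently ignore it: RFC 7469 requires at least one pin that matches a key in the served chain and at least one backup pin that does not, plus a `max-age` directive. The SPKI byte strings are constructed placeholders, not real keys; with real certificates you would pass the DER SubjectPublicKeyInfo of each chain certificate in `chain_spkis`.

```python
import base64
import binascii
import hashlib
import re
from typing import Dict, List, Sequence


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pkp_header(pins: Sequence[str], max_age: int, include_subdomains: bool = False) -> str:
    """Assemble a Public-Key-Pins field value from pin strings and a max-age."""
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


# directive = token [ "=" ( token / quoted-string ) ]
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s]*)))?\s*')


def parse_pkp_header(value: str) -> Dict[str, object]:
    """Split a Public-Key-Pins field value into its directives.

    Unknown directives are ignored, as RFC 7469 requires of user agents.
    """
    result: Dict[str, object] = {"pins": [], "max_age": None,
                                 "include_subdomains": False, "report_uri": None}
    for raw in value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE.fullmatch(raw)
        if not m:
            raise ValueError(f"unparsable directive: {raw!r}")
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256":
            if val is None:
                raise ValueError("pin-sha256 without a value")
            result["pins"].append(val)
        elif name == "max-age":
            if val is None:
                raise ValueError("max-age without a value")
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "report-uri":
            result["report_uri"] = val
    return result


def check_pkp(header: str, chain_spkis: Sequence[bytes]) -> List[str]:
    """Return the reasons a user agent would ignore this header.

    An empty list means the header satisfies the RFC 7469 rules and would
    be noted (the host becomes a Pinned Host); a single-pin header, correct
    or corrupted, is never noted, which is why a wrong pin causes no error.
    """
    problems: List[str] = []
    try:
        d = parse_pkp_header(header)
    except ValueError as exc:
        return [str(exc)]
    pins = set(d["pins"])
    chain_pins = {pin_sha256(s) for s in chain_spkis}
    for p in pins:
        try:
            if len(base64.b64decode(p, validate=True)) != 32:
                problems.append(f"pin is not a 32-byte SHA-256 digest: {p}")
        except (binascii.Error, ValueError):
            problems.append(f"pin is not valid base64: {p}")
    if d["max_age"] is None:
        problems.append("max-age directive is required")
    if len(pins) < 2:
        problems.append("fewer than two pins: RFC 7469 requires a backup pin")
    if not pins & chain_pins:
        problems.append("no pin matches any SubjectPublicKeyInfo in the served chain")
    if pins and pins <= chain_pins:
        problems.append("no backup pin: every pin matches a key in the served chain")
    return problems


# Constructed placeholder SPKI bytes (not real DER); the hashing is the same.
LEAF_SPKI = b"constructed-leaf-spki-der"
ROOT_SPKI = b"constructed-root-spki-der"
BACKUP_SPKI = b"constructed-offline-backup-spki-der"
SERVED_CHAIN = [LEAF_SPKI, ROOT_SPKI]


def corrupt_pin(pin: str) -> str:
    """Replace the first base64 character, as in the question's test step 3."""
    return ("A" if pin[0] != "A" else "B") + pin[1:]


if __name__ == "__main__":
    good = build_pkp_header([pin_sha256(LEAF_SPKI), pin_sha256(BACKUP_SPKI)], 90)
    single = build_pkp_header([pin_sha256(ROOT_SPKI)], 90)
    broken = build_pkp_header([corrupt_pin(pin_sha256(ROOT_SPKI))], 90)
    for label, h in [("two pins + backup", good), ("single pin", single), ("single corrupted pin", broken)]:
        print(f"{label}: {check_pkp(h, SERVED_CHAIN) or 'would be enforced'}")
```

Running the block shows that only the header with a matching pin and a backup pin passes every check; the single-pin header from the question is rejected for lacking a backup pin whether its hash is correct or not, so the browser never records the pin and a later mismatch produces no error. The same check is a useful pre-deployment gate for any HPKP rollout, since a header that is enforced with a wrong backup pin can lock users out for the whole `max-age`.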
