I am trying to implement the "Public-Key-Pinning" on my IIS server but even when I enter a wrong hash, the page is still accessible without any kind of error (tested on google chrome)
The header is as follow
Public-Key-Pins: max-age=90; pin-sha256="[Hash]"
I know that it meanignless to have a "max-age" value of 90, but I am only testing the header behavior.
I used the https://report-uri.io/home/pkp_hash to generate my hash and used the Root Certification Authority
Here how I tried to make my website unaccessible for those with an invalid pin
- Configure the header with a "Max-age" of 90 seconds
- Navigate to the web site in google chrome
- Modify the pin-sha256 of the header to put one invalid (replacing one letter)
- Closing Google chrome
- Navigate back to my web site
I though I would have the "invalid pin error" (I did it under 90 seconds) but nothing happen
What am I doing wrong?