Public Key Pinning

- OTHER

Declares that a website's HTTPS certificate should be treated as valid only if its public key is contained in a specified list, to prevent MITM attacks that use valid CA-issued certificates.

IE

  1. 5.5 - 10: Not supported
  2. 11: Not supported

Edge

  1. 12 - 79: Not supported
  2. 80: Not supported

Firefox

  1. 2 - 34: Not supported
  2. 35 - 71: Supported
  3. 72: Not supported
  4. 73 - 74: Not supported

Chrome

  1. 4 - 37: Not supported
  2. 38 - 71: Supported
  3. 72 - 79: Not supported
  4. 80: Not supported
  5. 81 - 83: Not supported

Safari

  1. 3.1 - 12.1: Not supported
  2. 13: Not supported
  3. TP: Not supported

Opera

  1. 9 - 19: Not supported
  2. 20 - 22: Support unknown
  3. 23: Partial support
  4. 24: Support unknown
  5. 25 - 65: Supported
  6. 66: Not supported

iOS Safari

  1. 3.2 - 13.1: Not supported
  2. 13.2: Not supported
  3. 13.3: Not supported

Opera Mini

  1. all: Not supported

Android Browser

  1. 2.1 - 4.4.4: Not supported
  2. 76: Not supported

Blackberry Browser

  1. 7: Not supported
  2. 10: Not supported

Opera Mobile

  1. 10 - 12.1: Not supported
  2. 46: Not supported

Chrome for Android

  1. 79: Not supported

Firefox for Android

  1. 68: Supported

IE Mobile

  1. 10: Not supported
  2. 11: Not supported

UC Browser for Android

  1. 12.12: Supported

Samsung Internet

  1. 4 - 9.2: Supported
  2. 10.1: Supported

QQ Browser

  1. 1.2: Not supported

Baidu Browser

  1. 7.12: Supported

KaiOS Browser

  1. 2.5: Supported

The HTTP header syntax is 'Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][; report-uri="reportURI"]'.

Support in Chrome was deprecated and removed.
