Back to Learning Center
SaaS Security

A Guide to Certificate Pinning: What It Is & When to Use It

8 min read
Updated June 2026

Certificate pinning is an advanced security mechanism that tells a client to associate a specific public key with a particular web server. Its goal is to prevent man-in-the-middle (MITM) attacks where an attacker uses a fraudulent (but still valid) SSL certificate from a compromised Certificate Authority (CA). While powerful, it's a technique fraught with risk and has largely been deprecated on the public web in favor of safer alternatives.

How Does Certificate Pinning Work?

Normally, when a browser connects to an HTTPS site, it checks if the site's certificate is signed by a trusted CA. As long as the signature is valid, the connection is trusted. The problem is that there are hundreds of trusted CAs, and if any one of them is compromised, an attacker could issue a valid certificate for any domain.

Certificate pinning hardcodes—or "pins"—the expected public key (or its hash) for a domain within the client application (e.g., a mobile app) or via a browser header. When the client connects:

  1. It receives the server's certificate as usual.
  2. It extracts the public key from the certificate.
  3. It compares this public key to the pinned public key(s) it has stored.
  4. If there is a match, the connection proceeds. If not, the connection is immediately terminated, even if the certificate is otherwise valid according to the device's trust store.

The Dangers of Pinning: The "Foot-Gun" Problem

Certificate pinning is extremely brittle. If your pinned certificate expires or is compromised and you need to issue a new one with a different key, your application will refuse to connect to your own server. This can effectively brick your application for all users until they update it, a scenario known as a "hostage situation."

HTTP Public Key Pinning (HPKP): The Deprecated Standard

For a time, browsers supported certificate pinning via the Public-Key-Pins HTTP header. HPKP allowed a website to tell the browser to pin the public keys of its certificate chain.

Example of an HPKP Header (Do Not Use!)

Public-Key-Pins: 
  pin-sha256="base64-encoded-hash-of-public-key"; 
  pin-sha256="base64-encoded-hash-of-backup-key"; 
  max-age=5184000; includeSubDomains

Due to its complexity and the high risk of self-inflicted denial-of-service, Google Chrome removed support for HPKP in 2018, and other browsers followed. You should not use HPKP today.

Modern Alternatives to Pinning

The security goals of HPKP are now better served by newer, safer technologies that provide transparency and accountability without the risk of bricking your site.

Certificate Transparency (CT)

This is the primary replacement for pinning. All trusted CAs are required to submit every certificate they issue to public, auditable logs. This means you can monitor these logs to see if any certificates have been issued for your domain without your knowledge. Browsers like Chrome now require certificates to be present in CT logs to be considered valid.

How it helps: Provides public accountability and allows for rapid detection of mis-issued certificates.

The `Expect-CT` Header

This header instructs browsers to check that any certificate for your site appears in public Certificate Transparency logs. It acts as an enforcement mechanism for CT.

Expect-CT: max-age=86400, enforce, report-uri="https://your-report-uri.com/expect-ct"
  • enforce: Tells the browser to reject connections that don't comply with the CT policy.
  • report-uri: Specifies where browsers should send reports about compliance failures.

When is Pinning Still Appropriate?

While HPKP is dead for the web, certificate pinning is still a viable and recommended practice for mobile and native applications. In this controlled environment, you have a direct update path (the app store) if you need to change a pinned key. This makes the "hostage" scenario less likely.

For a mobile app connecting to your API, pinning the API's server certificate provides a strong defense against MITM attacks on public Wi-Fi or in corporate environments with SSL inspection.

Best Practice for Mobile Pinning:

  • Pin against the public key of an intermediate certificate or the leaf certificate. Do not pin the root CA.
  • Always include a backup pin from a different CA in case your primary CA is compromised or you need to switch providers.
  • Implement a mechanism to remotely update the pins in your app without requiring a full app store update, if possible.

Focus on Transparency and Monitoring

For web applications, the modern approach is to rely on Certificate Transparency. CertNotify leverages CT logs to provide real-time alerts when a new certificate is issued for your domain, giving you immediate visibility into potential threats without the risks of pinning.

Learn More About Certificate Transparency →