In the annals of bad human ideas, HTTP Public Key Pinning, more commonly known as HPKP, ranks right up there with spray-on hair and two-in-one toilet/bidets. Without straying too far into the proverbial weeds, we’re going to lay out in this blog post why you definitely shouldn’t be pinning your keys.
And to be clear — just in case you don’t read past this sentence — don’t pin your keys. Simply put, HPKP is a terrible idea, and it’s more likely to break your website than lead to any meaningful improvement in security! Even Google agrees.