
Certificate Pinning

Tags: security · CWE-295 · OWASP A7:2021 · Level: Advanced
DEBT score: d7/e7/b7/t7
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The detection_hints list burpsuite and mitmproxy as tools, but these require active interception testing — there is no automated static analysis that flags missing or misconfigured pinning. The absence of pinning is silent in normal operation; you only discover it when deliberately probing with a proxy tool or during a security review.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7). The quick_fix notes that pinning requires bundling public key hashes, maintaining backup pins, and a rotation plan. The common_mistakes list reveals that a correct implementation touches mobile app code (pin logic, fallback pins), server-side override/rotation mechanisms, CI/CD pipelines for debug vs. release builds, and operational runbooks for key rotation — this spans multiple systems and teams, not a single-file fix.

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (b7). Once pinning is adopted, every certificate rotation becomes a coordinated event across mobile app releases and server infrastructure. The common_mistakes confirm this: missing backup pins turn a routine rotation into an outage, and hardcoded pins without a server-side override mechanism create permanent operational risk. The applies_to scope (web/api with mobile clients) means this choice shapes ongoing deployment and release processes throughout the product lifecycle.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field explicitly states that developers believe pinning makes an app immune to interception, when in reality it is bypassed via Frida hooking, patched APKs, or pin expiry without fallback. Additionally, the common_mistakes show multiple non-obvious failure modes: pinning leaf certs that rotate frequently, omitting backup pins, hardcoding without override — all of which contradict what a competent developer would intuitively do when first implementing pinning.


Also Known As

SSL pinning, TLS pinning, public key pinning

TL;DR

Hardcoding expected TLS certificate or public-key fingerprints in a client to prevent MITM even when a rogue CA issues a valid cert.

Explanation

Certificate pinning supplements the CA trust model by associating a host with its specific certificate or SPKI (SubjectPublicKeyInfo) hash. Even if an attacker obtains a fraudulent certificate from a trusted CA, a pinning client rejects it because the key does not match the pin. In PHP CLI/service contexts, cURL supports pinning via CURLOPT_PINNEDPUBLICKEY. Trade-off: pins must be updated before the pinned certificate or key is retired; a missed rotation causes an outage, and a key compromise forces an emergency pin update. HPKP (the HTTP header equivalent) was deprecated because a wrong or hostile pin could lock users out of a site. Combine pinning with Certificate Transparency monitoring as a complementary server-side control.

Common Misconception

Certificate pinning makes a mobile app immune to interception. Pinning prevents casual MITM but is bypassed via Frida hooking, patched APKs, or when pins expire without a fallback in place.

Why It Matters

Even if an attacker installs a trusted CA or gets a fraudulent certificate, pinning ensures the client only trusts a specific key — blocking MITM in compromised CA scenarios.

Common Mistakes

  • Pinning the leaf certificate rather than the intermediate or root CA — leaf certs rotate frequently.
  • Not including backup pins, making a key rotation an outage.
  • Hardcoding pins in code without a server-side override mechanism for emergency updates.
  • Disabling pinning in debug/test builds, which attackers can exploit by triggering debug mode.

Code Examples

✗ Vulnerable
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // turns off certificate validation entirely: any certificate, including an interceptor's, is accepted

✓ Fixed
curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, 'sha256//AbCdEfGhIjKlMnOpQrStUvWxYz=='); // SPKI SHA-256 pin (placeholder value); CURLOPT_SSL_VERIFYPEER is left at its default of true so CA validation still runs
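An added, fuller example (not code from this glossary entry or its author) showing the Explanation's cURL pinning together with the backup pin from Common Mistakes: it derives "sha256//..." SPKI pins from PEM certificates and pins a request to both the current key and the next one. PHP 8 with ext-curl and ext-openssl is assumed; the certificate paths and URL are placeholders.

```php
<?php
// Added example: derive SPKI pins from PEM certificates and make a cURL request
// pinned to a primary AND a backup key, so the next rotation is not an outage.
// Assumes PHP 8, ext-curl, ext-openssl; file paths and URL are placeholders.

/** SPKI SHA-256 pin in the "sha256//<base64>" format CURLOPT_PINNEDPUBLICKEY expects. */
function spkiPinFromPem(string $pem): string
{
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        throw new RuntimeException('unreadable certificate: ' . openssl_error_string());
    }
    $details = openssl_pkey_get_details(openssl_pkey_get_public($cert));
    // $details['key'] is the SubjectPublicKeyInfo as PEM; strip the armour to get DER
    $der = base64_decode(preg_replace('/-----[^-]+-----|\s/', '', $details['key']), true);
    return 'sha256//' . base64_encode(hash('sha256', $der, true));
}

/** GET $url, accepting only a server key that matches one of $pins. */
function pinnedGet(string $url, array $pins): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // keep CA validation on; pinning is additive
        CURLOPT_SSL_VERIFYHOST => 2,
        // cURL accepts several pins separated by ';'; a match on any one succeeds,
        // which is what lets the backup pin absorb a key rotation.
        CURLOPT_PINNEDPUBLICKEY => implode(';', $pins),
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);           // includes the pin-mismatch message
        curl_close($ch);
        // Fail closed: never retry with pinning or VERIFYPEER disabled.
        throw new RuntimeException("request to $url failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Primary pin = key deployed now; backup pin = key already generated for the
// next rotation, which can be pinned before it is live on the server.
$pins = [
    spkiPinFromPem(file_get_contents('/etc/app/pins/current.pem')),
    spkiPinFromPem(file_get_contents('/etc/app/pins/next.pem')),
];
echo pinnedGet('https://api.example.com/v1/health', $pins);
```

Note that cURL compares the pin only against the server's own (leaf) certificate key, so the intermediate-CA pin suggested under Common Mistakes cannot be expressed with CURLOPT_PINNEDPUBLICKEY; for a cURL client, the backup pin is what keeps a leaf rotation from becoming an outage.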

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL: Tools & Severity
🟠 Severity: High · ⚙ Fix effort: High
⚡ Quick Fix
Pin certificates in mobile apps by bundling the public key hash, but maintain a backup pin and a rotation plan, because a pinned certificate expiring becomes an outage.
📦 Applies To
any web api
🔗 Prerequisites
(none listed)
🔍 Detection Hints
PHP API with mobile clients sending sensitive data without certificate pinning; CURLOPT_SSL_VERIFYPEER set to false as a workaround.
Auto-detectable: ✗ No · Tools: burpsuite, mitmproxy
⚠ Related Problems
(none listed)
🤖 AI Agent
Confidence: Medium · False positives: Medium · ✗ Manual fix · Fix effort: High · Context: File · Tests: Update
CWE-295