paragonie/hpkp-builder

Easily integrate HTTP Public-Key-Pinning headers into your application.

HTTP Public-Key-Pinning Builder

, _(*1)

This library aims to make it easy to build HTTP Public-Key-Pinning headers in your PHP projects. HPKP Builder was was created by Paragon Initiative Enterprises as part of our effort to encourage better application security practices., _(*2)

Check out our other open source projects too., _(*3)

PHP Version requirements

• PHP 7.0 or newer

Build a Public-Key-Pinning header from a JSON configuration file

<?php

use \ParagonIE\HPKPBuilder\HPKPBuilder;

$hpkp = HPKPBuilder::fromFile('/path/to/source.json');
$hpkp->sendHPKPHeader();

Example JSON configuration

{
    "hashes": [
        {
            "algo": "sha256",
            "hash": "hwGEkxDWJ2oHtKv6lsvylKvhotXAAZQR1e0nq0eb2Vw="
        },
        {
            "algo": "sha256",
            "hash": "0jum0Eiu4Eg6vjn3zTmyd/RobfN6e4EagFQcz6E5ZKI="
        }
    ],
    "include-subdomains": false,
    "max-age": 5184000,
    "report-only": false,
    "report-uri": null
}

Build a Public-Key-Pinning Header

<?php

use \ParagonIE\HPKPBuilder\HPKPBuilder;

$hpkp = (new HPKPBuilder)
    ->addHash('hwGEkxDWJ2oHtKv6lsvylKvhotXAAZQR1e0nq0eb2Vw=')
    ->addHash('0jum0Eiu4Eg6vjn3zTmyd/RobfN6e4EagFQcz6E5ZKI=')
    ->addHash('JDR7yv7lvdKaM26fnKriSPiyryeYw9qi5sO8Ot7SNUQ=')
    ->includeSubdomains(true)
    ->reportOnly(true)
    ->reportUri('https://report-uri.io')
    ->sendHPKPHeader();