Certificate pinning is a security method that ties an app or browser to one specific SSL certificate or public key for a given server. It stops attackers from using a fake or fraudulently issued certificate to impersonate that server.
The app stores an expected certificate or public key ahead of time, known as a pin. When the app connects to the server, it compares the certificate presented during the handshake to the stored pin. If the certificate does not match, the connection is refused, even if the certificate looks valid and trusted by the device. This blocks attacks where a rogue certificate authority issues a fraudulent certificate for a domain.
Match the strength of this control to what is actually at risk in the workflow.
USER-country-de-session-task01The credential string is the only configuration needed -- "country-de" sets the exit, "session-task01" keeps it consistent, and certificate pinning is handled by the gateway rather than your application code.
Test the setup with a leak-test tool or packet capture to confirm this protection is actually working, not just configured.
Pair this with sane session handling and header hygiene -- no single control covers a full workflow on its own.
Apply the strongest version of this control to logins, payments, and personal data -- it is overkill for public information.
Do not let two workflows that need to stay separate for privacy or account reasons share the same session or IP.
A banking app refuses to load if it detects a certificate that does not match its pinned value, even during a coffee shop MITM attempt.
Certificate pinning adds a strong layer of defense against interception on untrusted networks. Proxy users should know that some pinned apps may block proxy or MITM-style inspection tools entirely.
Pinned apps expect an exact certificate match, so any proxy that intercepts and re-signs traffic will fail the check. This is intentional and protects the app from tampering.
No. HSTS forces HTTPS, while certificate pinning verifies the exact certificate or key used. The two features solve different but related problems.
Ready to put this into practice? Security Documentation
Start a free trial and test with real targets -- no credit card, no sales call.