Certificate pinning
Cloudflare does not support HTTP public key pinning (HPKP)1 for Universal, Advanced, or Custom Hostname certificates.
This is because Cloudflare regularly changes the edge certificates provisioned for your domain and - if you had HPKP enabled - your domain would go offline. Additionally, industry experts ↗ discourage using HPKP.
For a better solution to the problem that HPKP is trying to solve - preventing certificate misissuance - use Certificate Transparency Monitoring. Also consider Cloudflare's blog post on modern alternatives to certificate pinning practices ↗.
To avoid downtime when pinning your certificates, use custom certificates and select user-defined bundle method. This way you can control which CA, intermediate, and certificate will be used after renewal.
- 
Key pinning allows a host to instruct a browser to only accept certain public keys when communicating with it for a given period of time. ↩ 
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark