{"id":139,"date":"2023-11-30T17:53:26","date_gmt":"2023-11-30T17:53:26","guid":{"rendered":"https:\/\/protocolguard.com\/resources\/?p=139"},"modified":"2024-11-28T12:52:24","modified_gmt":"2024-11-28T12:52:24","slug":"http-public-key-pinning","status":"publish","type":"post","link":"https:\/\/protocolguard.com\/resources\/http-public-key-pinning\/","title":{"rendered":"HTTP Public Key Pinning"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div>\n<p>We are in the era of the Internet, and prioritizing the protection of connections between devices and websites is extremely important. In this context enters HTTP Public Key Pinning (HPKP), which is a great tool for enhancing security.<\/p>\n\n\n\n<p>You can think of HPKP as a mechanism that establishes &#8220;pins&#8221; or &#8220;trust keys&#8221; between your browser and a web server. These pins serve as digital stamps, and their job is to ensure the authenticity and security of communication between the server and browser. This feature plays a key role in stopping cyber threats like identity theft by introducing an extra layer of validation.<\/p>\n\n\n\n<p>In this article, we will take a look at the inner workings of HTTP Public Key Pinning (HPKP), we will see how important it is for web security, and how developers can implement it to keep the integrity of information online.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#what-is-http-public-key-pinning\">What is HTTP Public Key Pinning?<\/a><ul><li><a href=\"#the-role-of-http-public-key-pinning\">The role of HTTP Public Key Pinning<\/a><\/li><li><a href=\"#the-inner-workings-of-http-public-key-pinning\">The inner workings of HTTP Public Key Pinning<\/a><\/li><li><a href=\"#why-is-http-public-key-pinning-obsolete\">Why is HTTP Public Key Pinning obsolete?<\/a><\/li><li><a href=\"#the-dangers-of-http-public-key-pinning\">The dangers of HTTP Public Key Pinning<\/a><\/li><\/ul><\/li><li><a href=\"#how-to-configure-http-public-key-pinning\">How to configure HTTP Public Key Pinning<\/a><ul><li><a href=\"#setting-up-http-public-key-pinning-in-apache\">Setting up HTTP Public Key Pinning in Apache<\/a><\/li><li><a href=\"#enabling-http-public-key-pinning-in-nginx\">Enabling HTTP Public Key Pinning in Nginx<\/a><\/li><li><a href=\"#configuring-http-public-key-pinning-on-iis\">Configuring HTTP Public Key Pinning on IIS<\/a><\/li><\/ul><\/li><li><a href=\"#testing-http-public-key-pinning\">Testing HTTP Public Key Pinning<\/a><\/li><li><a href=\"#http-public-key-pinning-faq\">HTTP Public Key Pinning FAQ<\/a><ul><li><a href=\"#is-http-public-key-pinning-mandatory\">Is HTTP Public Key Pinning mandatory?<\/a><\/li><li><a href=\"#is-http-public-key-pinning-obsolete\">Is HTTP Public Key Pinning obsolete?<\/a><\/li><li><a href=\"#http-public-key-pinning-alternatives\">HTTP Public Key Pinning alternatives<\/a><\/li><\/ul><\/li><li><a href=\"#summary\">Summary<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-http-public-key-pinning\">What is HTTP Public Key Pinning?<\/h2>\n\n\n\n<p>HTTP Public Key Pinning (HPKP) works as a security feature in web browsers, guarding users against potential man-in-the-middle attacks exploiting fraudulent SSL\/TLS certificates.<\/p>\n\n\n\n<p>Its function involves website operators specifying a designated set of public keys associated with their domain, indicating the approved certificate authorities authorized to issue valid certificates for that domain. The act of pinning these keys enables browsers to identify and stop the use of unauthorized certificates, thereby increasing the overall security of the HTTPS connection.<\/p>\n\n\n\n<p>However, as a result of potential <a href=\"https:\/\/protocolguard.com\/resources\/top-http-misconfigurations\/\">HTTP misconfigurations<\/a> leading to site disruptions, modern browsers have deprecated it. We advise web developers and admins to explore alternative security strategies for protecting their websites.<\/p>\n\n\n\n<p><a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/HPKP\" target=\"_blank\" rel=\"noopener\">Mozilla<\/a> says that &#8220;HTTP Public Key Pinning (HPKP) is an obsolete security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.&#8221;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-role-of-http-public-key-pinning\">The role of HTTP Public Key Pinning<\/h3>\n\n\n\n<p>As previously mentioned, HTTP Public Key Pinning serves as a security mechanism designed to protect HTTPS connections by stopping intermediary attacks. Instead of relying only on the SSL\/TLS certificate chain for server authentication, HPKP enables a website to explicitly set the public keys required to establish a secure connection.<\/p>\n\n\n\n<p>Upon encountering an HTTP Public Key Pinning header in the server&#8217;s response, a browser stores the fingerprints of authorized public keys for a designated period. This implies that even if an attacker manages to obtain a fraudulent certificate, they cannot establish a secure connection without the corresponding authorized public key.<\/p>\n\n\n\n<p>Despite the additional security layer provided by HPKP, its implementation requires careful consideration, as errors may result in users being unable to access the site if key changes occur.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-inner-workings-of-http-public-key-pinning\">The inner workings of HTTP Public Key Pinning<\/h3>\n\n\n\n<p>The functionality of HPKP involves enabling a web server to outline a set of public key hashes within the HTTP Strict-Transport-Security (HSTS) header. These hashes play an important role as browsers use them to confirm that the certificate presented by the server during the connection matches with the pre-established public key.<\/p>\n\n\n\n<p>The main objective of HPKP is to reduce the vulnerabilities linked to man-in-the-middle attacks, wherein a bad guy might use a fraudulent SSL\/TLS certificate. Keep in mind that improper handling of public keys under HPKP can lead to accessibility challenges. As we have already mentioned, due to potential drawbacks, HPKP has been deprecated, and instead, adopting more contemporary mechanisms like Certificate Transparency is now recommended.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"why-is-http-public-key-pinning-obsolete\">Why is HTTP Public Key Pinning obsolete?<\/h3>\n\n\n\n<p>HTTP Public Key Pinning was initially developed to increase the security of web connections, which was achieved by enabling web servers to communicate to browsers the specific public keys of SSL\/TLS certificates to anticipate for a designated period. However, with time, HPKP has <a href=\"https:\/\/caniuse.com\/publickeypinning\" target=\"_blank\" rel=\"noopener\">become outdated and discouraged<\/a> for various reasons.<\/p>\n\n\n\n<p>Initially, its implementation was intricate and prone to errors, leading to issues where legitimate websites were erroneously blocked due to <a href=\"https:\/\/protocolguard.com\/resources\/security-misconfigurations\/\" data-type=\"link\" data-id=\"https:\/\/protocolguard.com\/resources\/security-misconfigurations\/\">security misconfigurations<\/a>. Additionally, the rigid nature of fixed key policies introduced further security risks, as an unintentional alteration in keys could result in users being locked out of the site.<\/p>\n\n\n\n<p>To make things worse for HPKP, the widespread acceptance of security infrastructure based on the Certificate Authority (CA) standard has lessened the necessity for it. Modern browsers rely on CAs to validate certificate authenticity, making key pinning redundant in most instances.<\/p>\n\n\n\n<p>HTTP Public Key Pinning posed notable security risks, as inadequate implementation could expose vulnerabilities to potential attacks. Given the mix of complexity, risks, and the evolving landscape of security practices, HTTP Public Key Pinning has been labeled as obsolete. Thus, developers and system administrators have preferred more contemporary and secure approaches.<\/p>\n\n\n\n<p><a href=\"https:\/\/scotthelme.co.uk\/hpkp-is-no-more\/\" target=\"_blank\" rel=\"noopener\">Data provided by Security Researcher Scott Helme<\/a> tells that, at its peak, this feature was used by 3500 of the top 1 million websites.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"the-dangers-of-http-public-key-pinning\">The dangers of HTTP Public Key Pinning<\/h3>\n\n\n\n<p>Quite high, actually. The risks associated with HPKP stem from its lack of adaptability and the possibility of misconfigurations. If the keys of a website are altered for any reason, users might face difficulties accessing the site until the expiration of the pinning policy. This has the potential to lead to disruptions in service, particularly if errors occur in key management.<\/p>\n\n\n\n<p>Additionally, should a site owner erroneously pin an inaccurate or compromised public key, it may result in a denial of service for users who have that key pinned. Recovering from such situations can prove to be challenging.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-to-configure-http-public-key-pinning\">How to configure HTTP Public Key Pinning<\/h2>\n\n\n\n<p>If, despite the risks, you still want to set HPKP in your web server, we will tell you how to do so, but please keep in mind that HPKP is obsolete and won\u2019t work in modern browsers.<\/p>\n\n\n\n<p>First off, run the following to create your public key:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">openssl rsa -in your_public_key.pem -pubout -outform der | openssl dgst -sha256 -binary | base64<\/pre>\n\n\n\n<p>And this one for your backup key:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">openssl rsa -in your_backup_key.pem -pubout -outform der | openssl dgst -sha256 -binary | base64<\/pre>\n\n\n\n<p>You will need both in a minute.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"setting-up-http-public-key-pinning-in-apache\">Setting up HTTP Public Key Pinning in Apache<\/h3>\n\n\n\n<p>Open the Apache configuration file, like httpd.conf or your site-specific file.<\/p>\n\n\n\n<p>Add the following line:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Header always set Public-Key-Pins \"pin-sha256=\\\"base64+primary==\\\"; pin-sha256=\\\"base64+backup==\\\"; max-age=expireTime [; includeSubDomains][; report-uri=\\\"reportURI\\\"]\"<\/pre>\n\n\n\n<p>Replace <strong>base64+primary==<\/strong> and <strong>base64+backup==<\/strong> with the SHA-256 hash values of the primary and backup public keys, respectively.<\/p>\n\n\n\n<p>Optionally, include parameters like &#8220;includeSubDomains&#8221; or specify a report-uri for policy violation reports.<\/p>\n\n\n\n<p>Restart Apache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart apache2<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enabling-http-public-key-pinning-in-nginx\">Enabling HTTP Public Key Pinning in Nginx<\/h3>\n\n\n\n<p>Open the Nginx configuration file, such as nginx.conf or your site-specific file.<\/p>\n\n\n\n<p>Add the following line in the server section, replacing hash values using the ones you created a minute ago.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">add_header Public-Key-Pins 'pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=expireTime [; includeSubDomains] [; report-uri=\"reportURI\"]';<\/pre>\n\n\n\n<p>You can optionally use the includeSubDomains parameter or define a report-uri.<\/p>\n\n\n\n<p>Save the file and test your Nginx config before restarting the service:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nginx -t\n\nsystemctl restart nginx<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-http-public-key-pinning-on-iis\">Configuring HTTP Public Key Pinning on IIS<\/h3>\n\n\n\n<p>Start by running the Command Prompt or PowerShell and proceed to extract the public key from your SSL\/TLS certificate:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl x509 -in your_certificate.crt -pubkey -noout &gt; public_key.pem<\/code><\/pre>\n\n\n\n<p>Now generate the SHA-256 hash of the public key:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl dgst -sha256 -binary public_key.pem | openssl enc -base64<\/code><\/pre>\n\n\n\n<p>Repeat the process for your backup certificate\u2019s public key.<\/p>\n\n\n\n<p>Now start the IIS Manager and select the desired site. Access HTTP Response Headers and click on Add.<\/p>\n\n\n\n<p>Enter the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name: Public-Key-Pins<\/li>\n\n\n\n<li>Value:\n<ul class=\"wp-block-list\">\n<li>pin-sha256=&#8221;Base64PrimaryHash&#8221;;<\/li>\n\n\n\n<li>pin-sha256=&#8221;Base64BackupHash&#8221;;<\/li>\n\n\n\n<li>max-age=5184000; includeSubDomains<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Don&#8217;t forget to replace Base64PrimaryHash and Base64BackupHash with your actual public key hashes.<\/p>\n\n\n\n<p>Save the new settings.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"testing-http-public-key-pinning\">Testing HTTP Public Key Pinning<\/h2>\n\n\n\n<p>Testing your current HTTP Public Key Pinning settings is pretty easy, just follow the steps below:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Access our <a href=\"https:\/\/protocolguard.com\/\">web security scanner<\/a>.<\/li>\n\n\n\n<li>Input your domain in the scan box.<\/li>\n\n\n\n<li>Tick the two boxes below (\u2018Clear cache\u2019 and \u2018Follow redirects\u2019).<\/li>\n\n\n\n<li>Click the Scan button.<\/li>\n\n\n\n<li>Now scroll down to the \u2018HTTP Security Headers\u2019 section and check the \u2018HTTP Public Key Pinning\u2019 results: a \u2018Passed\u2019 in green is good. However, if you get a \u2018Failed\u2019 in red, you must update your current settings.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1246\" height=\"373\" src=\"https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning-test-results.webp\" alt=\"HTTP Public Key Pinning test results\" class=\"wp-image-477\" title=\"HTTP Public Key Pinning test results\" srcset=\"https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning-test-results.webp 1246w, https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning-test-results-300x90.webp 300w, https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning-test-results-1024x307.webp 1024w, https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning-test-results-768x230.webp 768w\" sizes=\"auto, (max-width: 1246px) 100vw, 1246px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"http-public-key-pinning-faq\">HTTP Public Key Pinning FAQ<\/h2>\n\n\n\n<p>Let\u2019s see a couple of the most common questions and concerns related to HPKP.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"is-http-public-key-pinning-mandatory\">Is HTTP Public Key Pinning mandatory?<\/h3>\n\n\n\n<p>No, HPKP is not mandatory for any website. While it can provide an additional layer of security, it also introduces complexities and potential risks if misconfigured. An improperly implemented HPKP can lead to site outages if the pinned keys are changed without proper planning.<\/p>\n\n\n\n<p>Due to these considerations, HPKP usage has declined, and its use is discouraged in favor of more modern security mechanisms like Certificate Transparency (CT) and HTTPS best practices.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"is-http-public-key-pinning-obsolete\">Is HTTP Public Key Pinning obsolete?<\/h3>\n\n\n\n<p>Yes. HTTP Public Key Pinning (HPKP) is now obsolete. Initially created to boost security by protecting against malicious man-in-the-middle attacks, HPKP required browsers to enforce specific certificates. However, its implementation encountered issues, potentially causing sites to become inaccessible due to errors.<\/p>\n\n\n\n<p>Also, the widespread adoption of Let&#8217;s Encrypt, offering free certificates with regular updates, decreased the necessity for HPKP. As technology progressed, vulnerabilities were uncovered, and HPKP was found to be susceptible to abuse. In the end, developers and browsers ceased support, deeming HPKP obsolete.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"http-public-key-pinning-alternatives\">HTTP Public Key Pinning alternatives<\/h3>\n\n\n\n<p>As previously mentioned, HTTP Public Key Pinning is a security measure allowing websites to specify which SSL\/TLS certificates are valid for their domain. However, due to implementation challenges and potential risks, HPKP was deprecated and removed in 2018.<\/p>\n\n\n\n<p>Safer options have emerged, like <a href=\"https:\/\/protocolguard.com\/resources\/what-is-expect-ct\/\">Expect-CT<\/a> and Certificate Transparency (CT). Expect-CT lets websites request browsers to validate a certificate&#8217;s existence in a transparency log. Meanwhile, Certificate Transparency (CT), a standard ensuring public disclosure of all issued certificates, offers transparency and detects malicious issuances. These alternatives enhance security without the associated risks of HPKP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"summary\">Summary<\/h2>\n\n\n\n<p>Today we have learned that HTTP Public Key Pinning operates as a security rule in web browsers, shielding us against potential man-in-the-middle attacks exploiting fraudulent SSL\/TLS certificates. To use HPKP, website owners designate a set of public keys associated with their domain, specifying approved certificate authorities. This pinning process allows browsers to identify and prevent the usage of unauthorized certificates, which boosts the overall security of HTTPS connections.<\/p>\n\n\n\n<p>Due to its complex implementation and potential drawbacks, HPKP is considered obsolete. Issues such as misconfigurations leading to site disruptions and the evolving security landscape have led developers to adopt more contemporary mechanisms like Certificate Transparency.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We are in the era of the Internet, and prioritizing the protection of connections between devices and websites is extremely important. In this context enters HTTP Public Key Pinning (HPKP), which is a great tool for enhancing security. You can think of HPKP as a mechanism that establishes &#8220;pins&#8221; or &#8220;trust keys&#8221; between your browser [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":591,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-139","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-http-security"],"uagb_featured_image_src":{"full":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning.webp",1200,628,false],"thumbnail":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning-150x150.webp",150,150,true],"medium":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning-300x157.webp",300,157,true],"medium_large":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning-768x402.webp",768,402,true],"large":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning-1024x536.webp",1024,536,true],"1536x1536":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning.webp",1200,628,false],"2048x2048":["https:\/\/protocolguard.com\/resources\/wp-content\/uploads\/2023\/11\/HTTP-Public-Key-Pinning.webp",1200,628,false]},"uagb_author_info":{"display_name":"ProtocolGuard Research Team","author_link":"https:\/\/protocolguard.com\/resources\/author\/researchadmin\/"},"uagb_comment_info":0,"uagb_excerpt":"We are in the era of the Internet, and prioritizing the protection of connections between devices and websites is extremely important. In this context enters HTTP Public Key Pinning (HPKP), which is a great tool for enhancing security. You can think of HPKP as a mechanism that establishes &#8220;pins&#8221; or &#8220;trust keys&#8221; between your browser&hellip;","_links":{"self":[{"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/posts\/139","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/comments?post=139"}],"version-history":[{"count":2,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/posts\/139\/revisions"}],"predecessor-version":[{"id":806,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/posts\/139\/revisions\/806"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/media\/591"}],"wp:attachment":[{"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/media?parent=139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/categories?post=139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/protocolguard.com\/resources\/wp-json\/wp\/v2\/tags?post=139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}