HSTS (HTTP Strict Transport Security) and HPKP (HTTP Public Key Pinning) are web security mechanisms that let servers protect against cookie hijacking, protocol downgrades and fraudulent certificates.

These are set up on the server and regular web users don't ever have to know they exist, but Firefox does record some details on any compliant sites you've visited.

Developers can use Pin Patrol to browse the technical details, including the protected domains, the "score" (the number of days the domain has been visited), the date last visited, the expiration date and more.

Everyone else could use this as a hidden browsing history, independent of the regular history controls.

That is, if someone tries to hide what they've done on Firefox just by deleting the normal "Browsing and Download History", the HSTS and HPKP data will still be available for viewing. It won't cover every website visited, or even most, but could still be useful.

To clear the HSTS and HPKP list as well, click Tools > Options > Privacy > Clear your recent history and make sure you check "Site Preferences".

(Please note, if you're testing Pin Patrol, the HSTS and HPKP list won't include sites visited in the current session. You must close and reopen Firefox, then click the Pin Patrol button to see any new URLs.)
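
The fields described above (domain, score, last visit, expiration) can also be read without the add-on. This is an added example, not Pin Patrol's own code: it assumes the tab-separated text layout Firefox used for its `SiteSecurityServiceState.txt` profile file, and the sample lines are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample (not real browsing data). Assumed layout per line:
# host:TYPE <tab> score <tab> last-visit day number <tab> expiry_ms,state,subdomains[,pins]
SAMPLE = (
    "example.com:HSTS\t12\t17532\t1546300800000,1,1\n"
    "pinned.example.org:HPKP\t3\t17500\t1530000000000,1,0,CONSTRUCTEDPIN=\n"
    "\n"
    "damaged line with no tab-separated fields\n"
)


def parse_site_security_state(text):
    """Return one dict per well-formed entry; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue
        key, score, last_day, value = fields
        host, sep, kind = key.rpartition(":")
        parts = value.split(",")
        if not sep or kind not in ("HSTS", "HPKP") or len(parts) < 3:
            continue
        try:
            entries.append({
                "host": host,
                "type": kind,
                "score": int(score),  # number of days the site was visited
                "last_visit": (EPOCH + timedelta(days=int(last_day))).date(),
                "expires": EPOCH + timedelta(milliseconds=int(parts[0])),
                "include_subdomains": parts[2] == "1",
            })
        except (ValueError, OverflowError):
            continue  # non-numeric or out-of-range field
    return entries


def recent_first(entries):
    """Order entries so the most recently visited host comes first."""
    return sorted(entries, key=lambda e: e["last_visit"], reverse=True)


if __name__ == "__main__":
    for e in recent_first(parse_site_security_state(SAMPLE)):
        print(e["last_visit"], e["type"], e["host"], "score", e["score"],
              "expires", e["expires"].date())
```

Run against a copy of the file taken after Firefox has been closed, since entries from the current session are not yet listed.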


Pin Patrol will normally only be interesting to a few web developers and security specialists, but its hidden browsing history could help you understand what someone else has been doing in the browser.