# Certificate Pinning

You can enable certificate pinning for a TLS-Client instance. You need to provide a map of pins by host when you create the client. See the example code below

```
pins := map[string][]string{
   "bstn.com": {
      "NQvy9sFS99nBqk/nZCUF44hFhshrkvxqYtfrZq3i+Ww=",
      "4a6cPehI7OG6cuDZka5NDZ7FR8a60d3auda+sKfg4Ng=",
      "x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=",
   },
}

options := []tls_client.HttpClientOption{
   tls_client.WithCertificatePinning(pins, tls_client.DefaultBadPinHandler),
}

client, err := tls_client.NewHttpClient(tls_client.NewNoopLogger(), options...)
```

This example code shows how to enabled certificate pinning for bstn.com. Next to it you can supply a BadPinHandler function as second argument for the WithCertificatePinning option.

The default BadPinHandler looks like this. This function will be executed when a bad pin is detected:

```
var DefaultBadPinHandler = func(req *http.Request) {
   fmt.Println("this is the default bad pin handler")
}
```

#### Shared Library & Standalone API

When using the shared library you can supply certificate pinning settings via the `"certificatePinningHosts"` field. This should look similar to this:

```
"certificatePinningHosts": {
        "bstn.com": [
            "NQvy9sFS99nBqk/nZCUF44hFhshrkvxqYtfrZq3i+Ww=",
            "4a6cPehI7OG6cuDZka5NDZ7FR8a60d3auda+sKfg4Ng=",
            "x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=",
        ],
    },
```

#### Wildcards

You can define wildcards for subdomains for example like this

```
pins := map[string][]string{
   "*.bstn.com": {
      "NQvy9sFS99nBqk/nZCUF44hFhshrkvxqYtfrZq3i+Ww=",
      "4a6cPehI7OG6cuDZka5NDZ7FR8a60d3auda+sKfg4Ng=",
      "x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=",
   },
}

options := []tls_client.HttpClientOption{
   tls_client.WithCertificatePinning(pins, tls_client.DefaultBadPinHandler),
}

client, err := tls_client.NewHttpClient(tls_client.NewNoopLogger(), options...)
```

#### How to generate pins?

You can easilly generate pins with this helpful tool: <https://github.com/tam7t/hpkp> \
Just install the tool and run the following command against the site you want to generate pins for:

```
hpkp-pins -server=bstn.com:443
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://bogdanfinn.gitbook.io/open-source-oasis/readme/certificate-pinning.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.