HTTP Public Key Pinning (HPKP) is very powerful if configured correctly. It can protect against the most sophisticated targeted attacks, the kind that seriously threaten the security of the Internet for all of us. But with great security comes great responsibility. If HPKP is deployed into a production environment without being thoroughly designed and tested, the website may become inaccessible to every client that has previously visited it, for as long as the pinned policy remains cached. The fear of deploying an HPKP policy incorrectly could scare those responsible for security into not using the mechanism at all. So is it worth it? Should you use HPKP?
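The lockout risk described above comes from shipping a `Public-Key-Pins` header whose pins do not match the served chain, or that has no backup pin to fall back on after a key loss. The following pre-deployment check is an added example written for this article, not code from the original post or from any HPKP tool: it parses the header value, applies the RFC 7469 rules (at least two pins, at least one matching the chain, at least one backup pin outside the chain, a `max-age`) and flags a `max-age` longer than an assumed rollout limit. The function names, the 60-day limit and the sample pins are assumptions; the pins are SHA-256 digests of labelled placeholder bytes, not real SPKI hashes.

```python
import base64
import binascii
import hashlib

# Constructed sample pins: SHA-256 of labelled placeholder bytes, NOT real SPKI hashes.
def _fake_pin(label: str) -> str:
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()

LEAF_PIN = _fake_pin("constructed-leaf-spki")
INTERMEDIATE_PIN = _fake_pin("constructed-intermediate-spki")
BACKUP_PIN = _fake_pin("constructed-backup-key-spki")

# SPKI pins of the chain the server actually presents (constructed for this example).
CHAIN_PINS = {LEAF_PIN, INTERMEDIATE_PIN}

# Assumed rollout limit: start with a short max-age and grow it only after the policy
# has been verified in the field (the RFC sets no maximum; 60 days is this example's choice).
DEFAULT_MAX_AGE_LIMIT = 60 * 60 * 24 * 60


def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins header value into its pins, max-age and flags."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(value)
        elif name == "max-age":
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "report-uri":
            policy["report_uri"] = value
    return policy


def check_hpkp(header: str, chain_pins: set, max_age_limit: int = DEFAULT_MAX_AGE_LIMIT) -> list:
    """Return a list of problems with the policy; an empty list means it is safe to deploy."""
    problems = []
    policy = parse_hpkp(header)
    pins = policy["pins"]

    # Every pin must decode to a 32-byte SHA-256 digest.
    for pin in pins:
        try:
            if len(base64.b64decode(pin, validate=True)) != 32:
                problems.append(f"pin is not a 32-byte SHA-256 digest: {pin}")
        except (binascii.Error, ValueError):
            problems.append(f"pin is not valid base64: {pin}")

    # RFC 7469: a browser only honours a policy with at least two pins, one of which
    # matches the served chain and one of which does not (the backup pin).
    if len(pins) < 2:
        problems.append("fewer than two pins; a backup pin is required")
    if not any(pin in chain_pins for pin in pins):
        problems.append("no pin matches the served chain; browsers will ignore the policy")
    if not any(pin not in chain_pins for pin in pins):
        problems.append("no backup pin outside the served chain; losing the key would lock out visitors")

    if policy["max_age"] is None:
        problems.append("max-age is missing")
    elif policy["max_age"] > max_age_limit:
        problems.append(f"max-age {policy['max_age']}s exceeds the rollout limit of {max_age_limit}s")
    return problems


if __name__ == "__main__":
    candidate = f'pin-sha256="{LEAF_PIN}"; pin-sha256="{BACKUP_PIN}"; max-age=2592000; includeSubDomains'
    for problem in check_hpkp(candidate, CHAIN_PINS) or ["policy passes all checks"]:
        print(problem)
```

Run this against the exact header value the server will send and the SPKI hashes of the chain it actually presents; a clean result says only that the policy is well-formed and recoverable, so the first production rollout should still use `Public-Key-Pins-Report-Only` and a short `max-age` before committing clients to it.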