README.md in secure_headers-2.0.2 vs README.md in secure_headers-2.1.0
- old
+ new
@@ -6,10 +6,11 @@
- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. [X-Frame-Options draft](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options-02)
- X-XSS-Protection - [Cross site scripting heuristic filter for IE/Chrome](http://msdn.microsoft.com/en-us/library/dd565647\(v=vs.85\).aspx)
- X-Content-Type-Options - [Prevent content type sniffing](http://msdn.microsoft.com/en-us/library/ie/gg622941\(v=vs.85\).aspx)
- X-Download-Options - [Prevent file downloads opening](http://msdn.microsoft.com/en-us/library/ie/jj542450(v=vs.85).aspx)
- X-Permitted-Cross-Domain-Policies - [Restrict Adobe Flash Player's access to data](https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html)
+- Public Key Pinning - Pin certificate fingerprints in the browser to prevent man-in-the-middle attacks due to compromised Certificate Authorites. [Public Key Pinnning Specification](https://tools.ietf.org/html/draft-ietf-websec-key-pinning-21)
## Usage
- `ensure_security_headers` in a controller will set security-related headers automatically based on the configuration below.
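Review bot: The new Public Key Pinning bullet has two spelling errors, "Authorites" should be "Authorities" and "Pinnning" should be "Pinning"; since this is the first line a reader sees about HPKP, fix both before merging. It would also help to state in the same sentence that the header is sent in report-only mode unless `enforce` is set, which the later configuration example relies on but the feature list does not mention.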
@@ -19,10 +20,11 @@
The following methods are going to be called, unless they are provided in a `skip_before_filter` block.
* `:set_csp_header`
* `:set_hsts_header`
+* `:set_hpkp_header`
* `:set_x_frame_options_header`
* `:set_x_xss_protection_header`
* `:set_x_content_type_options_header`
* `:set_x_download_options_header`
* `:set_x_permitted_cross_domain_policies_header`
@@ -49,19 +51,28 @@
:default_src => "https: self",
:frame_src => "https: http:.twimg.com http://itunes.apple.com",
:img_src => "https:",
:report_uri => '//example.com/uri-directive'
}
+ config.hpkp = {
+ :max_age => 60.days.to_i,
+ :include_subdomains => true,
+ :report_uri => '//example.com/uri-directive',
+ :pins => [
+ {:sha256 => 'abc'},
+ {:sha256 => '123'}
+ ]
+ }
end
-# and then simply include this in application_controller.rb
+# and then include this in application_controller.rb
class ApplicationController < ActionController::Base
ensure_security_headers
end
```
-Or simply add it to application controller
+Or do the config as a parameter to `ensure_security_headers`
```ruby
ensure_security_headers(
:hsts => {:include_subdomains => true, :max_age => 20.years.to_i},
:x_frame_options => 'DENY',
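Review bot: The sample pins `{:sha256 => 'abc'}` and `{:sha256 => '123'}` in the new `config.hpkp` block are not recognizable as SHA-256 digests and are inconsistent with the 64-character values used in the Public Key Pins section later in this README; either use the same sample format there or make the placeholder nature explicit (for example `'<base64 SPKI hash>'`), so nobody copies these into a real deployment. The example also omits `enforce`, which the later section says defaults to `false` (report-only); a one-line comment noting that this configuration only reports would prevent the common surprise that no pinning is actually enforced.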
@@ -296,10 +307,30 @@
<%= hashed_javascript_tag(raise_error_on_unrecognized_hash = true) do %>
console.log("will raise an exception if not in script_hashes.yml!")
<% end %>
```
+### Public Key Pins
+
+Be aware that pinning error reporting is governed by the same rules as everything else. If you have a pinning failure that tries to report back to the same origin, by definition this will not work.
+
+```
+config.hpkp = {
+ max_age: 60.days.to_i, # max_age is a required parameter
+ include_subdomains: true, # whether or not to apply pins to subdomains
+ # Per the spec, SHA256 hashes are the only currently supported format.
+ pins: [
+ {sha256: 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c'},
+ {sha256: '73a2c64f9545172c1195efb6616ca5f7afd1df6f245407cafb90de3998a1c97f'}
+ ],
+ enforce: true, # defaults to false (report-only mode)
+ report_uri: '//example.com/uri-directive',
+ app_name: 'example',
+ tag_report_uri: true
+}
+```
+
### Using with Sinatra
Here's an example using SecureHeaders for Sinatra applications:
```ruby
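Review bot: The code fence opening the Public Key Pins example has no language tag while every other fence in this README uses ```ruby; add the tag so it highlights consistently. Within the block, `app_name` and `tag_report_uri` are the only keys without an explanatory comment, so a reader cannot tell what `tag_report_uri: true` appends to the report URI or where `app_name` ends up; document both the way `max_age` and `enforce` are documented. Finally, the sample `sha256` values are 64-character hex strings, whereas the `pin-sha256` directive carries base64-encoded SPKI digests (44 characters), so either switch the samples to base64 form or label them as placeholders.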
@@ -319,9 +350,10 @@
:default_src => "https: inline eval",
:report_uri => '//example.com/uri-directive',
:img_src => "https: data:",
:frame_src => "https: http:.twimg.com http://itunes.apple.com"
}
+ config.hpkp = false
end
class Donkey < Sinatra::Application
include SecureHeaders
set :root, APP_ROOT
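Review bot: `config.hpkp = false` is the first place in the README where a header is disabled by assigning `false`, and nothing in the visible text explains that convention; add a short comment on this line (for example, that assigning `false` suppresses the Public-Key-Pins header entirely) so Sinatra users understand why the example turns it off and how to do the same for other headers.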