
Enable HPKP for internal CA

  • No replies
  • 2 have this problem
  • 4 views

I know that: Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning)

However, there are settings that seem to override that and force user-defined CAs to be checked against HPKP:

The pinning level is enforced by a pref, security.cert_pinning.enforcement_level

   0. Pinning disabled
   1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
   2. Strict. Pinning is always enforced.
   3. Enforce test mode.

(https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning)

Tried to set it to "3", but that still does not allow certs issued by an internal CA to be protected using HPKP: "Public-Key-Pins: The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored."

Is there a way to force FF to protect internal certs too?

Thanks
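The question actually involves two separate steps, and it helps to see them side by side: first the browser decides whether to *store* ("note") a received Public-Key-Pins header at all, and only later does it *validate* a stored pin set against a connection's chain under the enforcement level. The error message quoted above comes from the first step, which is why raising `security.cert_pinning.enforcement_level` (a validation-time setting) does not change the outcome. The following is an added Python example modelling both steps as RFC 7469 and the page describe them; it is not Firefox's code. The "SPKI" byte strings are constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs so the example runs offline, and treating level 3 like level 2 for header-based pins is an assumption (the page only names it "enforce test mode").

```python
import base64
import hashlib

# HPKP pins are base64(SHA-256(DER SubjectPublicKeyInfo)). These are constructed
# byte strings standing in for real DER SPKI blobs so the example runs offline.
SPKI_LEAF = b"constructed-spki-leaf"
SPKI_INTERMEDIATE = b"constructed-spki-intermediate"
SPKI_ROOT = b"constructed-spki-internal-root"
SPKI_BACKUP = b"constructed-spki-backup"  # offline backup key, never in the chain

# Values of security.cert_pinning.enforcement_level as listed on the page.
PINNING_DISABLED, ALLOW_USER_MITM, STRICT, ENFORCE_TEST_MODE = 0, 1, 2, 3


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for a (DER) SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header into pins, max-age and includeSubDomains.

    Raises ValueError for a pin that is not a 32-byte digest or a missing max-age.
    Unknown directives are ignored, as RFC 7469 requires.
    """
    pins, max_age, include_subdomains = [], None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            if len(base64.b64decode(arg, validate=True)) != 32:
                raise ValueError("pin-sha256 must be a base64 SHA-256 digest")
            pins.append(arg)
        elif name == "max-age":
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def note_pins(header: dict, chain_pins: list, anchor_is_builtin: bool) -> tuple:
    """Step 1: decide whether a received header is stored ("noted").

    Mirrors the checks discussed on the page and in RFC 7469 s.2.5: the validated
    chain must end in a built-in root, at least one pin must match the chain, and
    at least one pin must be a backup (not in the chain). Returns (noted, reason).
    """
    if not anchor_is_builtin:
        return False, "chain does not end at a built-in root: header ignored"
    if not any(p in chain_pins for p in header["pins"]):
        return False, "no pin matches the validated chain: header ignored"
    if not any(p not in chain_pins for p in header["pins"]):
        return False, "no backup pin present: header ignored"
    return True, "pins noted"


def validate_pins(noted_pins: list, chain_pins: list,
                  anchor_is_builtin: bool, enforcement_level: int) -> bool:
    """Step 2: is a connection allowed under a stored pin set?

    Level 0 never enforces; level 1 skips enforcement when the trust anchor is a
    user-added CA; levels 2 and 3 always enforce (level 3 treated like 2 here is
    an assumption: the page only calls it "enforce test mode").
    """
    if enforcement_level == PINNING_DISABLED:
        return True
    if enforcement_level == ALLOW_USER_MITM and not anchor_is_builtin:
        return True
    return any(p in noted_pins for p in chain_pins)


# The situation from the question: an internal CA and a well-formed header.
INTERNAL_CHAIN = [spki_pin(SPKI_LEAF), spki_pin(SPKI_INTERMEDIATE), spki_pin(SPKI_ROOT)]
EXAMPLE_HEADER = (f'pin-sha256="{spki_pin(SPKI_LEAF)}"; '
                  f'pin-sha256="{spki_pin(SPKI_BACKUP)}"; max-age=5184000; includeSubDomains')


if __name__ == "__main__":
    header = parse_pkp_header(EXAMPLE_HEADER)
    for level in (ALLOW_USER_MITM, STRICT):
        noted, reason = note_pins(header, INTERNAL_CHAIN, anchor_is_builtin=False)
        print(f"level {level}: noted={noted} ({reason})")
```

Running it shows that the header is rejected at the noting step for every enforcement level, because that check looks only at whether the chain ends at a built-in root. The enforcement level matters only once pins already exist in the store, which is exactly the gap the question runs into.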

Edited by gwint on