From 94c4becb34a64cd22649076fcf9320d002ca9eb3 Mon Sep 17 00:00:00 2001
From: Alireza Ahmadi <alireza7@gmail.com>
Date: Sun, 1 Feb 2026 10:51:38 +0100
Subject: [PATCH] Add pinnedPeerCertSha256 support to TLS settings

Introduces the pinnedPeerCertSha256 field to TlsStreamSettings in the JS model and adds a corresponding input in the TLS settings form. This allows users to specify SHA256 fingerprints for peer certificate pinning, enhancing security configuration options.

Co-authored-by: MHSanaei <ho3ein.sanaei@gmail.com>
---
 web/assets/js/model/inbound.js      | 4 ++++
 web/html/xui/form/tls_settings.html | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/web/assets/js/model/inbound.js b/web/assets/js/model/inbound.js
index 4ddd5758..ad87458c 100644
--- a/web/assets/js/model/inbound.js
+++ b/web/assets/js/model/inbound.js
@@ -596,6 +596,7 @@ class TlsStreamSettings extends XrayCommonClass {
         maxVersion = TLS_VERSION_OPTION.TLS13,
         cipherSuites = '',
         rejectUnknownSni = false,
+        pinnedPeerCertSha256 = [],
         disableSystemRoot = false,
         enableSessionResumption = false,
         certificates = [new TlsStreamSettings.Cert()],
@@ -610,6 +611,7 @@ class TlsStreamSettings extends XrayCommonClass {
         this.maxVersion = maxVersion;
         this.cipherSuites = cipherSuites;
         this.rejectUnknownSni = rejectUnknownSni;
+        this.pinnedPeerCertSha256 = pinnedPeerCertSha256;
         this.disableSystemRoot = disableSystemRoot;
         this.enableSessionResumption = enableSessionResumption;
         this.certs = certificates;
@@ -643,6 +645,7 @@ class TlsStreamSettings extends XrayCommonClass {
             json.maxVersion,
             json.cipherSuites,
             json.rejectUnknownSni,
+            json.pinnedPeerCertSha256 || [],
             json.disableSystemRoot,
             json.enableSessionResumption,
             certs,
@@ -660,6 +663,7 @@ class TlsStreamSettings extends XrayCommonClass {
             maxVersion: this.maxVersion,
             cipherSuites: this.cipherSuites,
             rejectUnknownSni: this.rejectUnknownSni,
+            pinnedPeerCertSha256: this.pinnedPeerCertSha256.length > 0 ? this.pinnedPeerCertSha256 : undefined,
             disableSystemRoot: this.disableSystemRoot,
             enableSessionResumption: this.enableSessionResumption,
             certificates: TlsStreamSettings.toJsonArray(this.certs),
diff --git a/web/html/xui/form/tls_settings.html b/web/html/xui/form/tls_settings.html
index 2aa2d642..58696ee5 100644
--- a/web/html/xui/form/tls_settings.html
+++ b/web/html/xui/form/tls_settings.html
@@ -58,6 +58,12 @@
         <a-form-item label="Session Resumption">
         <a-switch v-model="inbound.stream.tls.enableSessionResumption"></a-switch>
         </a-form-item>
+        <a-form-item label="Pinned Peer Cert">
+        <a-select mode="tags" v-model="inbound.stream.tls.pinnedPeerCertSha256"
+            :dropdown-class-name="themeSwitcher.currentTheme"
+            placeholder="Enter SHA256 fingerprints (base64)">
+        </a-select>
+        </a-form-item>
         <a-divider :style="{ margin: '0' }"></a-divider>
         <template v-for="cert,index in inbound.stream.tls.certs">
             <a-form-item label='{{ i18n "certificate" }}'>