Expect-CT Header via HTTP

CWE-16

,

ISO27001-A.14.1.2

,

WASC-15

,

Expect-CT Header via HTTP

Severity:

Information

Summary

Expect-CT header is sent over HTTP response which should have been sent over HTTPS only. Browser will ignore any Expect-CT header received in an HTTP response.

Impact

Browser will ignore the Expect-CT header and the users will not be able to take advantage of it. This renders the Expect-CT implementation useless. Not having Expect-CT will make use of misissued certificates easier for attackers.

Remediation

Required Skills for Successful Exploitation

Actions To Take

Classifications

,

ISO27001-A.14.1.2

,

,

Vulnerability Index

You can search and find all vulnerabilities

Select Category

Select Vulnerability

Related Vulnerabilities

Misconfigured Access-Control-Allow-Origin Header

Out-of-date Version (Payara)

Out-of-date Version (ScrollReveal)

Out-of-date Version (Lighttpd)

Out-of-date Version (Chamilo)

Featured resources

Strengthening enterprise application security: Invicti acquires Kondukto

Read this article

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Read this article

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Read this article

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Read this article

Strengthening enterprise application security: Invicti acquires Kondukto

Read this article

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Read this article

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Read this article

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Read this article

View all resources

Build your resistance to threats. And save hundreds of hours each month.