Summary #

The Expect-CT header was found in a response served over plain HTTP. Expect-CT must be delivered over HTTPS: browsers ignore any Expect-CT header received in an HTTP response, so the header has no effect there.

Impact #

Because browsers ignore an Expect-CT header received over HTTP, users gain no protection from it, and the Expect-CT deployment is effectively useless. Without a working Expect-CT policy, it is easier for an attacker to exploit a misissued certificate for the site, since the browser is not told to require Certificate Transparency for it.
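The check below is an added example written for this page, not part of the original report or of any scanner's code. It takes a response's URL and headers (constructed sample responses are embedded, so nothing is fetched) and flags exactly the condition described above: an Expect-CT header on an http:// response, which browsers discard. It also goes slightly beyond the page by parsing the header's directives and flagging an https:// response whose policy is missing, has a zero max-age, or lacks enforce. The header name and directive syntax (max-age, enforce, report-uri) are the ones defined for Expect-CT; the function names and sample hostnames are assumptions made for the example.

```python
"""Audit Expect-CT headers on a set of HTTP responses (added example).

The responses are constructed samples; no network requests are made.
"""
from urllib.parse import urlparse


def parse_expect_ct(value):
    """Parse an Expect-CT header value into a dict of directives.

    'max-age=86400, enforce, report-uri="https://r.example/ct"' becomes
    {'max-age': '86400', 'enforce': True, 'report-uri': 'https://r.example/ct'}.
    Directive names are case-insensitive; quoted values have their quotes removed.
    """
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def check_expect_ct(url, headers):
    """Return a list of finding strings for one response.

    headers: dict of response header names to values (looked up case-insensitively).
    Findings raised:
      - Expect-CT present on an http:// response (browsers ignore it; the page's issue)
      - Expect-CT missing on an https:// response
      - max-age missing or zero on https:// (a zero max-age disables the policy)
      - enforce directive absent (policy is report-only)
    """
    scheme = urlparse(url).scheme.lower()
    lookup = {name.lower(): val for name, val in headers.items()}
    value = lookup.get("expect-ct")
    findings = []

    if scheme == "http":
        # The header is only meaningful over TLS; over plain HTTP it is discarded.
        if value is not None:
            findings.append("Expect-CT sent over HTTP; browsers ignore it")
        return findings

    if value is None:
        findings.append("Expect-CT missing on HTTPS response")
        return findings

    directives = parse_expect_ct(value)
    max_age = directives.get("max-age")
    if max_age is None or not str(max_age).isdigit() or int(max_age) == 0:
        findings.append("Expect-CT max-age missing or zero")
    if "enforce" not in directives:
        findings.append("Expect-CT is report-only (no enforce directive)")
    return findings


# Constructed sample responses (hostnames and values are made up for the example).
SAMPLE_RESPONSES = {
    "http://www.example.test/": {"Expect-CT": "max-age=86400, enforce"},
    "https://www.example.test/": {"Expect-CT": "max-age=86400, enforce"},
    "https://api.example.test/": {},
    "https://old.example.test/": {"expect-ct": "max-age=0"},
}


def audit(responses):
    """Run check_expect_ct over every sample and return {url: [findings]}
    containing only the URLs that produced at least one finding."""
    report = {}
    for url, headers in responses.items():
        findings = check_expect_ct(url, headers)
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_RESPONSES).items():
        for finding in findings:
            print(f"{url}: {finding}")
```

The http:// entry reproduces the finding described on this page. In practice the remediation is to send Expect-CT only from the HTTPS server block (and to redirect HTTP to HTTPS), since a header on the HTTP side is wasted. Note also that Expect-CT is now deprecated: Chromium removed support in Chrome 107 and enforces Certificate Transparency by default, so the header mainly matters for older clients.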

Classifications #
CWE-16; ISO27001-A.14.1.2; WASC-15; OWASP PC-C10