Expect-CT Header via HTTP [deprecated]
Summary
The Expect-CT header was sent in an HTTP response, but it should be sent over HTTPS only. Browsers ignore any Expect-CT header received in an HTTP response.
Impact
The browser will ignore the Expect-CT header, so users will not be able to take advantage of it. This renders the Expect-CT implementation useless. Without Expect-CT, it is easier for attackers to use misissued certificates.
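A check for this condition over captured responses, added here as an example and not the scanner's own detection code. The function names and the sample captures are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_expect_ct(value):
    """Split an Expect-CT value into directives (max-age, enforce, report-uri).
    Simplification: assumes the quoted report-uri contains no comma."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            # Valueless directives such as "enforce" are stored as True.
            directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives

def check_response(url, raw_response):
    """Return a finding dict if Expect-CT arrives over plain HTTP, else None."""
    head = raw_response.split("\r\n\r\n", 1)[0]   # headers only, never the body
    values = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "expect-ct":  # header names are case-insensitive
            values.append(value.strip())
    if not values or urlsplit(url).scheme.lower() != "http":
        return None
    return {"url": url,
            "issue": "Expect-CT sent over HTTP (ignored by browsers)",
            "directives": parse_expect_ct(", ".join(values))}

# Constructed sample captures (not real traffic).
SAMPLES = [
    ("http://app.example.test/",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
     "expect-ct: max-age=86400, enforce, report-uri=\"https://r.example.test/ct\"\r\n\r\n<html>"),
    ("https://app.example.test/",
     "HTTP/1.1 200 OK\r\nExpect-CT: max-age=86400, enforce\r\n\r\n"),
    ("http://app.example.test/plain",
     "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nExpect-CT: max-age=1"),
]

def scan(samples):
    """Run the check over (url, raw_response) pairs and keep only the findings."""
    return [f for f in (check_response(u, r) for u, r in samples) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Only the first capture is reported: the second is served over HTTPS, and the third carries the string in the body rather than in a header.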
Classifications