Expect-CT in Report Only Mode

ISO27001-A.14.1.2

,

Expect-CT in Report Only Mode

Severity:

Information

Summary

Invicti identified that Expect-CT is in report only mode. The optional enforce directive controls whether the browser should drop the connection when the policy is violated.

Impact

When Expect-CT policy is deployed in report only mode and the user agent does not receive a valid Certificate Transparency Log, rather than dropping the connection it will simply send a report to the specified endpoint which is set with report-uri directive.

Remediation

Use enforce flag in definition of Expect-CT.

Expect-CT: enforce, max-age=7776000, report-uri="https://ABSOLUTE_REPORT_URL"

Required Skills for Successful Exploitation

Actions To Take

Classifications

ISO27001-A.14.1.2

,

Vulnerability Index

You can search and find all vulnerabilities

Select Category

Select Vulnerability

Related Vulnerabilities

Out-of-date Version (Sortable)

Out-of-date Version (Restlet Framework)

Out-of-date Version (jsTree)

Out-of-date Version (W3 Total Cache)

Out-of-date (Varnish)

Featured resources

Strengthening enterprise application security: Invicti acquires Kondukto

Read this article

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Read this article

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Read this article

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Read this article

Strengthening enterprise application security: Invicti acquires Kondukto

Read this article

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Read this article

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Read this article

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Read this article

View all resources

Build your resistance to threats. And save hundreds of hours each month.