Summary #

Invicti identified that the Expect-CT header is deployed in report-only mode: the optional enforce directive, which instructs the browser to refuse the connection when the Certificate Transparency policy is violated, is absent.

Impact #

When the Expect-CT policy is deployed in report-only mode and the user agent does not receive valid Signed Certificate Timestamps (SCTs) for the site's certificate, it does not drop the connection. It completes the TLS handshake as usual and only sends a violation report to the endpoint named in the report-uri directive. A certificate that was issued without being logged to Certificate Transparency is therefore still accepted, and the problem is only noticed after the fact, and only if someone monitors the reports.

Remediation #

Add the enforce directive to the Expect-CT header, keeping max-age and report-uri so that violations are still reported as well as blocked:

Expect-CT: enforce, max-age=7776000, report-uri="https://ABSOLUTE_REPORT_URL"

Deploy in report-only mode first and confirm that no reports arrive for any certificate the host serves (including certificates presented by a CDN or other edge that terminates TLS for the domain). Once enforce is set, a browser that has received the header refuses connections to the host for max-age seconds (7776000 seconds is 90 days) whenever a certificate without valid SCTs is presented, so a single unlogged certificate locks out users for that period. The header is only honored when received over an error-free HTTPS connection; report-uri must be an absolute URL. Note that Expect-CT has since been deprecated and was removed from Chrome in version 107; Chrome requires Certificate Transparency for all publicly trusted certificates issued after 30 April 2018 regardless of the header, so current browsers gain no additional protection from it.
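The following is an added example, not Invicti's scanner code, showing how the report-only and enforced forms of the header differ when parsed according to the Expect-CT directive grammar (case-insensitive directive names, a valueless enforce, an integer max-age, a quoted absolute report-uri, duplicates invalidating the header). The sample header values and the ct-reports.example.com report endpoint are constructed for illustration; the assessment function mirrors the check described above and flags a header with no enforce directive as report-only.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample header values (not taken from a real host): the
# report-only form the scanner flags, and the enforced form recommended above.
REPORT_ONLY_HEADER = 'max-age=7776000, report-uri="https://ct-reports.example.com/report"'
ENFORCED_HEADER = 'enforce, max-age=7776000, report-uri="https://ct-reports.example.com/report"'


@dataclass
class ExpectCTPolicy:
    enforce: bool
    max_age: Optional[int]
    report_uri: Optional[str]


# Split on commas that are not inside a double-quoted report-uri value,
# so a comma in the report URL's query string does not break parsing.
_DIRECTIVE_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_expect_ct(value: str) -> ExpectCTPolicy:
    """Parse an Expect-CT header value into its three directives.

    Directive names are case-insensitive. 'enforce' takes no value,
    'max-age' takes a non-negative integer (seconds) and 'report-uri'
    takes a quoted absolute URI. Unknown directives are ignored; a
    directive that appears twice makes the whole header invalid.
    """
    seen = set()
    enforce = False
    max_age = None
    report_uri = None
    for directive in _DIRECTIVE_SPLIT.split(value):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "enforce":
            if raw:
                raise ValueError("enforce takes no value")
            enforce = True
        elif name == "max-age":
            if not raw.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {raw!r}")
            max_age = int(raw)
        elif name == "report-uri":
            # Strip the surrounding double quotes if present.
            report_uri = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    return ExpectCTPolicy(enforce, max_age, report_uri)


def assess_expect_ct(value: str) -> list:
    """Return findings for an Expect-CT header value; an empty list means enforced and well-formed."""
    findings = []
    try:
        policy = parse_expect_ct(value)
    except ValueError as exc:
        return [f"malformed header, browsers will ignore it: {exc}"]
    if policy.max_age is None:
        findings.append("max-age is missing: the header is invalid and ignored")
    elif policy.max_age == 0:
        findings.append("max-age=0: clears any cached policy instead of setting one")
    if not policy.enforce:
        findings.append("enforce is missing: report-only mode, connections without valid SCTs are still allowed")
    if policy.report_uri is None and not policy.enforce:
        findings.append("no report-uri and no enforce: violations are neither blocked nor reported")
    if policy.report_uri is not None and not policy.report_uri.startswith("https://"):
        findings.append("report-uri is not an absolute https:// URL")
    return findings


if __name__ == "__main__":
    for label, header in (("report-only", REPORT_ONLY_HEADER), ("enforced", ENFORCED_HEADER)):
        print(f"{label}: Expect-CT: {header}")
        for finding in assess_expect_ct(header) or ["OK"]:
            print(f"  - {finding}")
```

Run against a live host by passing the value of the Expect-CT response header (for example from curl -sI) to assess_expect_ct; an empty result means the header is enforced and well-formed, while the REPORT_ONLY_HEADER sample reproduces the finding this page describes.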
Classifications #
ISO27001-A.14.1.2; OWASP PC-C9