GaProgMan / OwaspHeaders.Core

Inject OWASP recommended HTTP Headers for increased security in a single line
https://www.nuget.org/packages/OwaspHeaders.Core/
MIT License
282 stars, 35 forks

Expect-CT is deprecated, consider removing or disabling by default #72

Closed jamie-taylor-rjj closed 1 year ago

jamie-taylor-rjj commented 1 year ago

10k ft View

The following comes directly from the OWASP Secure Headers Project (as of May 11th, 2023):

Deprecated.

⚠️ Warning: This header will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.

source: https://owasp.org/www-project-secure-headers/#expect-ct

The MDN page for Expect-CT goes into this further:

Note: The Expect-CT is mostly obsolete since June 2021. Since May 2018, all new TLS certificates are expected to support SCTs by default. Certificates issued before March 2018 were allowed to have a lifetime of 39 months, so they had expired in June 2021. Chromium plans to deprecate Expect-CT header and to eventually remove it.

Rather than remove it, perhaps set its default value to disabled.
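The two points in the comment above (the header is obsolete, and the safer change is to ship it disabled by default) as an added example that is not OwaspHeaders.Core code: a hypothetical policy object whose Expect-CT emission is off unless explicitly enabled, plus an audit that flags the header on responses that still send it. The names `SecurityHeaderPolicy`, `build_headers`, `parse_expect_ct` and `audit_headers`, and the sample header map, are assumptions constructed for this example; the Expect-CT directive syntax (`max-age`, `enforce`, `report-uri`) is the header's documented grammar.

```python
"""Added example (not from OwaspHeaders.Core): default-disabled Expect-CT
emission and an audit that reports the deprecated header on a response."""
from dataclasses import dataclass
from typing import Dict, List, Optional


# Hypothetical policy; field names are assumptions, not the library's API.
@dataclass
class SecurityHeaderPolicy:
    hsts_max_age: int = 31536000
    emit_expect_ct: bool = False          # disabled by default, as the issue proposes
    expect_ct_max_age: int = 86400
    expect_ct_enforce: bool = False
    expect_ct_report_uri: Optional[str] = None


def build_headers(policy: SecurityHeaderPolicy) -> Dict[str, str]:
    """Build the response headers for a policy; Expect-CT only when opted in."""
    headers = {
        "Strict-Transport-Security": f"max-age={policy.hsts_max_age}; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    }
    if policy.emit_expect_ct:
        directives = [f"max-age={policy.expect_ct_max_age}"]
        if policy.expect_ct_enforce:
            directives.append("enforce")
        if policy.expect_ct_report_uri:
            directives.append(f'report-uri="{policy.expect_ct_report_uri}"')
        headers["Expect-CT"] = ", ".join(directives)
    return headers


def parse_expect_ct(value: str) -> Dict[str, Optional[str]]:
    """Parse an Expect-CT value into {directive: argument-or-None}.

    Grammar: comma-separated directives, e.g.
    max-age=86400, enforce, report-uri="https://host/ct"
    """
    parsed: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        parsed[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return parsed


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map (names matched case-insensitively)."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}
    if "expect-ct" in lower:
        d = parse_expect_ct(lower["expect-ct"])
        mode = "enforce" if "enforce" in d else "report-only"
        findings.append(
            f"Expect-CT present ({mode}, max-age={d.get('max-age')}): "
            "obsolete since June 2021 per MDN/OWASP, remove or disable it"
        )
    if "strict-transport-security" not in lower:
        findings.append("Strict-Transport-Security missing")
    return findings


# Constructed sample: a response that still sends an enforcing Expect-CT header.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Expect-CT": 'max-age=86400, enforce, report-uri="https://example.invalid/ct"',
}

if __name__ == "__main__":
    print("default policy emits:", sorted(build_headers(SecurityHeaderPolicy())))
    for finding in audit_headers(SAMPLE_RESPONSE_HEADERS):
        print("finding:", finding)
```

With the default policy the header is simply never written, so the change is invisible to existing callers unless they set `emit_expect_ct=True`; the audit side is what a reviewer would run against a deployed site to confirm the header is gone.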

jamie-taylor-rjj commented 1 year ago

This was closed in #78