eustasy / Bubbly

BASH: Better SSL in Nginx in 10 minutes. Configuration files and setup scripts for Certbot.
MIT License

FEATURE: Expect-CT Header #16

Closed lewisgoddard closed 6 years ago

lewisgoddard commented 6 years ago

As Google is abandoning HPKP in favour of the Expect-CT header, we should implement that instead.

This makes things much easier, as it works like CSP but for Certificate Transparency. No more hashing certificates and updating a file.

```
Expect-CT: max-age=0, report-uri="https://scotthelme.report-uri.io/r/default/ct/reportOnly"
Expect-CT: enforce,max-age=30,report-uri="https://scotthelme.report-uri.io/r/default/ct/enforce"
```

lewisgoddard commented 6 years ago

This should probably be added to nginx-config/directive/bubbly_security-headers.conf

It would be good if this and CSP looked similar:

  1. Off by default.
  2. Report only, common domains for CSP.
  3. On, with warnings.
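The header values from the first comment and the off / report-only / enforce stages from the second, as an added Python example that is not part of the Bubbly repository: a strict parser for Expect-CT values plus a generator for the nginx `add_header` line (the `add_header ... always;` form and the `https://example.invalid/ct` report endpoint are assumptions, not the project's config).

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class ExpectCT:
    enforce: bool
    max_age: int
    report_uri: Optional[str]

    @property
    def mode(self) -> str:
        return "enforce" if self.enforce else "report-only"

def parse_expect_ct(value: str) -> ExpectCT:
    """Parse an Expect-CT value, rejecting malformed directives."""
    enforce, max_age, report_uri = False, None, None
    for raw in value.split(","):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip()
        if name == "enforce":
            if arg:
                raise ValueError("enforce takes no value")
            enforce = True
        elif name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                raise ValueError(f"max-age must be a non-negative integer: {arg!r}")
            max_age = int(arg)
        elif name == "report-uri":
            report_uri = arg.strip('"')
            if not report_uri.startswith("https://"):
                raise ValueError("report-uri must be an https URL")
        else:
            raise ValueError(f"unknown Expect-CT directive: {name!r}")
    if max_age is None:
        raise ValueError("max-age is required")
    return ExpectCT(enforce, max_age, report_uri)

def nginx_directive(stage: str, report_uri: str, max_age: int = 30) -> str:
    """add_header line for a rollout stage ('' when off). The nginx form is an
    assumption about how bubbly_security-headers.conf would carry the header."""
    values = {"off": None,
              "report-only": f'max-age=0, report-uri="{report_uri}"',
              "enforce": f'enforce, max-age={max_age}, report-uri="{report_uri}"'}
    if stage not in values:
        raise ValueError(f"unknown stage: {stage!r}")
    if values[stage] is None:
        return ""
    parse_expect_ct(values[stage])  # round-trip check: what we emit must parse
    return f"add_header Expect-CT '{values[stage]}' always;"
```

Only `enforce` makes browsers refuse a connection; a header with `max-age=0` and no `enforce` still reports, which is why the parser treats it as report-only rather than off. Browsers have since retired Expect-CT (Chrome removed support in 2022), so the parser is mainly useful for auditing configs that still send it.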