In the security test report, I have a recommendation to add the Expect-CT header to the HTTP response from the web application; additionally, the developers set this to:
Expect-CT: max-age=0, report-uri=
I am not sure if it is a good idea to add this header. According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT:
“The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.”
So because certificates are expected to support SCTs by default I do not think that this header makes any sense.
When it comes to configuration, according to https://scotthelme.co.uk/a-new-security-header-expect-ct/
max-age=0, report-uri= means:
“This policy is deployed in report-only mode and if the browser doesn’t receive CT information that it’s happy with, referred to as not being ‘CT Qualified’, rather than terminate the connection it will simply send a report to the specified report-uri value.”
Because I don’t have a URI here, the report will not be sent, so there is no additional security at all.
On the other hand, I see that some popular websites like LinkedIn still use this header; the example from LinkedIn:
Expect-CT: max-age=86400, report-uri="https://www.linkedin.com/platform-telemetry/ct"
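To make the comparison between the two header values concrete, here is a small checker, added as an example and not taken from the question or from either cited page, that parses an Expect-CT value into its directives (max-age, enforce and report-uri, as defined in RFC 9163) and states what the resulting policy actually does. The two header values it is run on are the ones quoted above; the verdict strings are this example's own wording.

```python
"""Parse an Expect-CT header value and assess whether the policy has any effect.

Added example: the verdict wording and the ExpectCT/assess names are this
example's own; the directive names follow RFC 9163 (max-age, enforce, report-uri).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ExpectCT:
    max_age: Optional[int] = None      # seconds the browser caches the policy
    enforce: bool = False              # terminate connections that are not CT-qualified
    report_uri: Optional[str] = None   # where CT failures are reported, if anywhere
    problems: List[str] = field(default_factory=list)  # syntax issues found while parsing


def parse_expect_ct(value: str) -> ExpectCT:
    """Split a header value on commas and interpret each directive."""
    policy = ExpectCT()
    for raw in value.split(","):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')     # report-uri is normally a quoted string
        if name == "max-age":
            try:
                policy.max_age = int(val)
            except ValueError:
                policy.problems.append(f"max-age is not an integer: {val!r}")
        elif name == "enforce":
            policy.enforce = True
        elif name == "report-uri":
            if val:
                policy.report_uri = val
            else:
                policy.problems.append("report-uri is present but empty")
        else:
            policy.problems.append(f"unknown directive {name!r}")
    return policy


def assess(policy: ExpectCT) -> str:
    """Describe what a parsed policy achieves, from the browser's point of view."""
    if policy.max_age is None:
        return "invalid: max-age is required"
    if policy.enforce and policy.report_uri:
        mode = "enforce and report"
    elif policy.enforce:
        mode = "enforce"
    elif policy.report_uri:
        mode = "report-only"
    else:
        # Neither enforcement nor a report destination: the browser has nothing to do.
        return "no effect: neither enforce nor a usable report-uri"
    if policy.max_age == 0:
        # max-age=0 clears any cached policy; the directives apply to this response only.
        return f"{mode}, not cached (max-age=0)"
    return f"{mode}, cached for {policy.max_age} seconds"


# The two header values from the question above.
DEV_HEADER = "max-age=0, report-uri="
LINKEDIN_HEADER = 'max-age=86400, report-uri="https://www.linkedin.com/platform-telemetry/ct"'

if __name__ == "__main__":
    for label, header in (("developers", DEV_HEADER), ("LinkedIn", LINKEDIN_HEADER)):
        policy = parse_expect_ct(header)
        print(f"{label}: {assess(policy)}; problems={policy.problems}")
```

Running it shows the difference the question is about: the developers' value yields "no effect" (and a note that report-uri is empty), while the LinkedIn value is a report-only policy cached for 86400 seconds. The parser is also a convenient place to catch typos such as a misspelled directive name, which a browser would silently ignore.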