Adding Expect-CT header to HTTP response

In the security test report, I have a recommendation to add the Expect-CT header to the HTTP response from the web application; additionally, the developers set it to:

Expect-CT: max-age=0, report-uri=

I am not sure if it is a good idea to add this header. According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT:

“The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.”

So because certificates are expected to support SCTs by default I do not think that this header makes any sense.

When it comes to configuration, according to https://scotthelme.co.uk/a-new-security-header-expect-ct/, max-age=0, report-uri= means:

“This policy is deployed in report-only mode and if the browser doesn’t receive CT information that it’s happy with, referred to as not being ‘CT Qualified’, rather than terminate the connection it will simply send a report to the specified report-uri value.”

Because I don't have a URI here, the report will not be sent, so there is no additional security at all.

On the other hand, I see that some popular websites like LinkedIn still use this header; the example from LinkedIn:

Expect-CT: max-age=86400, report-uri="https://www.linkedin.com/platform-telemetry/ct"
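To see what each of the two values above actually asks a browser to do, here is a small parser and classifier for the Expect-CT grammar (max-age=<seconds>, optional enforce, optional report-uri="<url>"). This is an added example, not code from the original post, from MDN or from LinkedIn; the two header values it is run on are the ones quoted above. Note that Expect-CT has since been deprecated and removed from Chromium, the only browser family that implemented it, so the practical relevance today is limited to understanding what scanners still flag.

```python
"""Parse an Expect-CT value and report what the browser would actually do with it.

Added example (not from the page or from any project): the header grammar is
max-age=<secs> [, enforce] [, report-uri="<url>"], directives in any order.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ExpectCT:
    max_age: int
    enforce: bool
    report_uri: Optional[str]

    @property
    def mode(self) -> str:
        """What the policy asks of a browser that implements Expect-CT."""
        if self.enforce:
            return "enforce"            # refuse connections that are not CT-qualified
        if self.report_uri:
            return "report-only"        # only POST a report to report-uri
        return "no-op"                  # nothing to enforce and nowhere to report

    @property
    def cached(self) -> bool:
        """max-age=0 tells the browser to forget any stored policy for the host."""
        return self.max_age > 0


def parse_expect_ct(value: str) -> ExpectCT:
    max_age, enforce, report_uri = 0, False, None
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            max_age = int(val)
        elif name == "enforce":
            enforce = True
        elif name == "report-uri":
            report_uri = val or None    # 'report-uri=' with no value: nowhere to send reports
        else:
            raise ValueError(f"unknown Expect-CT directive {name!r}")
    return ExpectCT(max_age, enforce, report_uri)


def describe(value: str) -> str:
    """One-line summary such as 'report-only, cached for 86400s'."""
    p = parse_expect_ct(value)
    return f"{p.mode}, {'cached for %ds' % p.max_age if p.cached else 'not cached'}"


if __name__ == "__main__":
    # The two values quoted in the question above.
    for v in ("max-age=0, report-uri=",
              'max-age=86400, report-uri="https://www.linkedin.com/platform-telemetry/ct"'):
        print(f"{v!r:80} -> {describe(v)}")
```

Run as a script, the developers' value classifies as "no-op, not cached" (no enforce, empty report-uri, and max-age=0 clears any stored policy), while the LinkedIn value is "report-only, cached for 86400s".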

error (Undefined index) and (Cannot modify header information – headers already)

Error:

Notice: Undefined index: link_type in /home/golchind/public_html/wp-content/themes/golchindl/functions.php on line 40

Notice: Trying to get property of non-object in /home/golchind/public_html/wp-content/themes/golchindl/functions.php on line 58

Warning: Cannot modify header information – headers already sent by (output started at /home/golchind/public_html/wp-content/themes/golchindl/functions.php:40) in /home/golchind/public_html/wp-admin/admin-header.php on line 9

Help:

line 40

$type = $_POST['link_type'];

line 58

update_post_meta($post->ID, "_oscar_data", json_encode(array("episodes" => $episodes, "links" => $links, "type" => $type), JSON_UNESCAPED_UNICODE));

<?php
function oscar_meta_box_js() {
    wp_enqueue_style( 'oscar_box_style', get_bloginfo('template_url') . "/css/admin_meta_box.css" );
    wp_enqueue_script( 'oscar_box', get_bloginfo('template_url') . '/js/meta_boxes.js', array('jquery'), '1.0', true );
}
add_action( 'admin_enqueue_scripts', 'oscar_meta_box_js' );

function oscar_meta_save() {
    global $post, $meta_args, $meta_dls;
    // Line 40 of the notice: read unconditionally, so it is undefined on any save_post
    // that does not come from this meta box's form; the notice printed here is the
    // output that later triggers "headers already sent".
    $type = $_POST['link_type'];
    $episodes = array();
    $links = array();
    if ($type == "serial") {
        for ($i = 0; $i < count($_POST['ep_name']); $i++) {
            $episodes[] = array(
                "name"        => $_POST['ep_name'][$i],
                "quality"     => $_POST['ep_quality'][$i],
                "medium_size" => $_POST['ep_med'][$i],
            );
        }
        for ($i = 0; $i < count($_POST['link']); $i++) {
            $links[] = array(
                "name"       => $_POST['name'][$i],
                "link"       => $_POST['link'][$i],
                "subtitle"   => $_POST['subtitle'][$i],
                "screenshot" => $_POST['screenshot'][$i],
                "episode"    => $_POST['episode'][$i],
            );
        }
    } else if ($type == "movie") {
        for ($i = 0; $i < count($_POST['movie_title']); $i++) {
            $episodes[] = array("name" => $_POST['movie_title'][$i]);
        }
        for ($i = 0; $i < count($_POST['mlink']); $i++) {
            $links[] = array(
                "name"       => $_POST['mname'][$i],
                "link"       => $_POST['mlink'][$i],
                "subtitle"   => $_POST['msubtitle'][$i],
                "screenshot" => $_POST['mscreenshot'][$i],
                "episode"    => $_POST['mtitle'][$i],
            );
        }
    }
    // Line 58 of the notice: $post is not an object in that save context.
    // The values come straight from $_POST with no nonce, capability or
    // sanitisation check and are stored as-is.
    update_post_meta(
        $post->ID,
        "_oscar_data",
        json_encode(array("episodes" => $episodes, "links" => $links, "type" => $type), JSON_UNESCAPED_UNICODE)
    );
}

function oscar_download() {
    global $post;
    ?>
<script>
var $ = jQuery;
$(function () {
    // The stored JSON is echoed into a single-quoted JS string without escaping,
    // so a quote or "</script>" in the saved data breaks out of this string.
    var data = '<?= get_post_meta($post->ID, "_oscar_data", true); ?>';
    if (data != "") {
        data = JSON.parse(data);
        var type = data['type'];
        data['episodes'].forEach(function (e) {
            if (type == "serial")
                add_ep(e['name'], e['quality'], e['medium_size']);
            else
                add_title(e['name']);
        });
        data['links'].forEach(function (e) {
            if (type == "serial")
                add_link(e['name'], e['link'], e['subtitle'], e['screenshot'], e['episode']);
            else
                add_mlink(e['name'], e['link'], e['subtitle'], e['screenshot'], e['episode']);
        });
        if (data['type']) {
            $("#link_type").val(data['type']);
        }
    }
    normalize_links();
    normalize_mlinks();
});
</script>
<?php if ('series' == get_post_type()) { ?>
<div id="serial" class="content">
    <div class="side_inp_keeper">
        <input id="title_serial" type="text" placeholder="Season title">
        <input id="quality_serial" type="text" placeholder="Quality">
        <input id="med_serial" type="text" placeholder="Average size per episode">
        <button id="add_ep" class="button">Add</button>
    </div>
    <div id="episodes">
    </div>
    <hr>
    <div class="links" style="display:none;">
        <div class="side_inp_keeper">
            <select id="ep"></select>
            <input type="text" id="name" placeholder="Link title">
            <input type="text" id="link" placeholder="Download link">
            <input type="text" id="subtitle" placeholder="Subtitle">
            <input type="text" id="screenshot" placeholder="Quality sample">
            <button id="add_link" class="button">Add</button>
        </div>
        <div id="links">
        </div>
    </div>
</div>
<?php } else if ('movies' == get_post_type()) { ?>
<div id="movie" class="content">
    <div class="side_inp_keeper">
        <input type="text" name="movie_title" id="movie_title" placeholder="Title (example: original language)"><button id="add_link_title" class="button">Add</button>
    </div>
    <div id="titles">
    </div>
    <hr>
    <div class="mlinks">
        <div class="side_inp_keeper">
            <select id="titl"></select>
            <input type="text" id="mname" placeholder="Link title">
            <input type="text" id="mlink" placeholder="Download link">
            <input type="text" id="msubtitle" placeholder="Subtitle">
            <input type="text" id="mscreenshot" placeholder="Quality sample">
            <button id="add_mlink" class="button">Add</button>
        </div>
        <div id="mlinks">
        </div>
    </div>
</div>
<?php } ?>
<input type="hidden" name="link_type" id="link_type" value="serial">
    <?php
}

function oscar_meta_boxes() {
    add_meta_box( 'oscar_download', "Download box", 'oscar_download', array('movies', 'series'), 'normal', 'high' );
}
add_action( "save_post", "oscar_meta_save" );
add_action( 'add_meta_boxes', 'oscar_meta_boxes' );

Does the DICOM file header get lost when transferred over the network?

I am currently investigating the PEDICOM vulnerability CVE-2019-11687, where I am trying to reassemble the P-DATA DICOM fragments from a PCAP. Since the vulnerability takes advantage of writing bytes into the header, I want to investigate this. When sniffing the network and trying to capture and reassemble the file: when it is sent over the network using the DICOM protocol, does it lose its header, and is the only information sent the different data elements?
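The following added example (not from the question and not from any DICOM toolkit) reassembles P-DATA-TF fragments the way a PCAP parser would and contrasts the result with an on-disk file. The relevant fact: a DICOM association transfers only the command set and the data set, carried as PDV fragments inside P-DATA-TF PDUs (PS3.8 section 9.3.5). The 128-byte preamble, the "DICM" marker and the (0002,xxxx) file meta group belong to the PS3.10 file format and are written by the receiving application when it stores the object, so they are not on the wire; the preamble that CVE-2019-11687 abuses exists only in the stored file. The PDU split, the data set and the detection check at the end are constructed for the demonstration.

```python
"""Reassemble DICOM P-DATA-TF fragments and compare the result with a Part 10 file.

Added example, not from the page or from any DICOM toolkit. The PDU and PDV layouts
follow DICOM PS3.8 section 9.3.5; the data set and the PDU split below are constructed.
"""
import struct
from typing import Dict, List, Tuple

P_DATA_TF = 0x04


def element(group: int, elem: int, vr: bytes, value: bytes) -> bytes:
    """One Explicit VR Little Endian element with a 2-byte length (UI/PN/...), padded to even length."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value


def pdata_pdu(pdvs: List[Tuple[int, int, bytes]]) -> bytes:
    """Build a P-DATA-TF PDU from (presentation-context-id, control-flags, fragment) triples.
    flags bit 0: 1 = command set, 0 = data set; bit 1: 1 = last fragment of the message."""
    body = b"".join(struct.pack(">IBB", 2 + len(frag), ctx, flags) + frag for ctx, flags, frag in pdvs)
    return struct.pack(">BBI", P_DATA_TF, 0, len(body)) + body


def reassemble(stream: bytes) -> List[Tuple[int, str, bytes]]:
    """Walk a byte stream of PDUs and return each complete (ctx_id, 'command'|'data', message)."""
    pending: Dict[Tuple[int, str], bytearray] = {}
    done, pos = [], 0
    while pos + 6 <= len(stream):
        pdu_type, _, length = struct.unpack_from(">BBI", stream, pos)
        body, pos = stream[pos + 6:pos + 6 + length], pos + 6 + length
        if pdu_type != P_DATA_TF:
            continue                      # associate/release PDUs carry no data set
        off = 0
        while off + 6 <= len(body):
            item_len, ctx, flags = struct.unpack_from(">IBB", body, off)
            frag = body[off + 6:off + 4 + item_len]   # item_len counts ctx + flags + fragment
            off += 4 + item_len
            kind = "command" if flags & 0x01 else "data"
            pending.setdefault((ctx, kind), bytearray()).extend(frag)
            if flags & 0x02:              # last fragment: the message is complete
                done.append((ctx, kind, bytes(pending.pop((ctx, kind)))))
    return done


def is_part10_file(blob: bytes) -> bool:
    """PS3.10 file: 128-byte preamble, then 'DICM', then the (0002,xxxx) file meta group."""
    return len(blob) >= 132 and blob[128:132] == b"DICM"


def preamble_is_pe(blob: bytes) -> bool:
    """CVE-2019-11687 ('PE/DICOM'): a PE header fits in the free-form 128-byte preamble."""
    return is_part10_file(blob) and blob[:2] == b"MZ"


def wrap_part10(dataset: bytes, preamble: bytes = b"\x00" * 128) -> bytes:
    """What a storage SCP writes to disk. A real writer also emits the (0002,xxxx) file meta
    group between 'DICM' and the data set; it is omitted here to keep the example short."""
    assert len(preamble) == 128
    return preamble + b"DICM" + dataset


# Constructed C-STORE: one command fragment and a data set split across two PDUs.
DATASET = (element(0x0008, 0x0016, b"UI", b"1.2.840.10008.5.1.4.1.1.2")   # SOP Class UID (CT Image)
           + element(0x0010, 0x0010, b"PN", b"DOE^JOHN"))                 # Patient's Name
COMMAND = struct.pack("<HHIH", 0x0000, 0x0100, 2, 0x0001)                 # (0000,0100) C-STORE-RQ, implicit VR
WIRE = (pdata_pdu([(1, 0x03, COMMAND)])
        + pdata_pdu([(1, 0x00, DATASET[:20])])
        + pdata_pdu([(1, 0x02, DATASET[20:])]))

if __name__ == "__main__":
    for ctx, kind, msg in reassemble(WIRE):
        print(f"ctx {ctx} {kind:7} {len(msg):3} bytes, starts {msg[:4].hex()}  part10={is_part10_file(msg)}")
    stored = wrap_part10(DATASET, b"MZ" + b"\x00" * 126)      # constructed malicious preamble
    print("stored file: part10 =", is_part10_file(stored), " PE preamble =", preamble_is_pe(stored))
```

The reassembled data message begins directly with the first element tag (0008,0016), never with a preamble; applying is_part10_file to it is therefore always false, and a detection for the PE/DICOM polyglot has to run on the file the SCP writes (or on the preamble a client uploads via a file-based channel), not on the association traffic. When reading a real capture, the fragments for one message can also be spread over several TCP segments, so the PDU stream must be reassembled from the TCP payload in order before this parser is applied.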

Prevent Cross-site WebSocket hijacking with a custom header and no CORS

Suppose I am vulnerable to Cross-site WebSocket hijacking: my WebSocket handshake (GET to example.com/wss) does not require a random (CSRF) token.

I have defined no CORS settings, so no custom headers can be added to cross-site requests.

Would it theoretically be enough to add a static custom request header that is required for the WebSocket handshake, to prevent Cross-site WebSocket hijacking?
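Two facts frame the question: the browser WebSocket API cannot set request headers at all (the constructor takes only a URL and optional subprotocols, and there is no CORS preflight), so a mandatory static custom header would block the legitimate browser client just as much as an attacker's page; and the browser always sends an Origin header on the handshake that page script cannot alter, which is the check servers use against Cross-site WebSocket hijacking. The following added example (not from the question, not from any WebSocket library) shows that server-side check on a constructed handshake, together with the RFC 6455 Sec-WebSocket-Accept computation that a 101 response needs. It assumes the application is served from https://example.com; the cookie value and the attacker origin are made up.

```python
"""Origin check for a WebSocket handshake, plus the RFC 6455 accept-key computation.

Added example, not code from the page. Assumes the application is served from
https://example.com; every other value here is constructed for the demonstration.
"""
import base64
import hashlib
from typing import Mapping, Set, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"      # fixed constant, RFC 6455 section 1.3
ALLOWED_ORIGINS: Set[str] = {"https://example.com"}  # assumption: the app's own origin


def accept_key(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def evaluate_handshake(headers: Mapping[str, str], allowed: Set[str] = ALLOWED_ORIGINS) -> Tuple[int, str]:
    """Return (status, detail): 101 with the accept header value, or 4xx with the reason."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in h.get("connection", "").lower():
        return 400, "not a WebSocket upgrade"
    key = h.get("sec-websocket-key")
    if not key:
        return 400, "missing Sec-WebSocket-Key"
    # The browser sets Origin on every WebSocket handshake and page script cannot change
    # or remove it, so it is the one header a cross-site attacker does not control.
    # A non-browser client can send any Origin, so this is CSWSH protection, not authentication:
    # the session cookie (or a token) is still what authenticates the user.
    origin = h.get("origin")
    if origin is None:
        return 403, "no Origin header: not a browser, authenticate with a token instead"
    if origin.lower().rstrip("/") not in allowed:
        return 403, f"origin {origin} not allowed"
    return 101, "Sec-WebSocket-Accept: " + accept_key(key)


# Constructed handshakes: the legitimate page, and an attacker page riding the victim's cookie.
SAME_ORIGIN = {
    "Host": "example.com", "Upgrade": "websocket", "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==", "Sec-WebSocket-Version": "13",
    "Origin": "https://example.com", "Cookie": "session=abc123",
}
CROSS_SITE = dict(SAME_ORIGIN, Origin="https://attacker.example")

if __name__ == "__main__":
    for label, hdrs in (("same-origin", SAME_ORIGIN), ("cross-site", CROSS_SITE)):
        print(f"{label:12} -> {evaluate_handshake(hdrs)}")
```

The Sec-WebSocket-Key above is the example from RFC 6455, so the 101 branch produces the accept value printed in that RFC. The cross-site request carries the same cookie and the same key but a different Origin, and is refused before any frame is exchanged; adding a random token in the URL or first message on top of the Origin check covers clients that send no Origin at all.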

How to manually add expire header for google fonts css files?

I am trying to speed up my website shoeamaze, but when I look at it on GTmetrix it says the following:

There are 6 static components without a far-future expiration date.

https://fonts.googleapis.com/css?family=Raleway%3A100%2C200%2C300%2C400%2C500%2C600%2C700%2C800%2C900&ver=5.4.1
https://fonts.googleapis.com/css?family=Droid+Serif%3A400%2C700&ver=5.4.1
https://fonts.googleapis.com/css?family=Muli%3A400%2C500%2C600%2C900%7CRubik%3A500%2C700&subset=latin%2Clatin-ext

Can the Host Header be used to hide the existence of a service?

Imagine a web server running on 93.184.216.34, usually reachable via the public DNS entry example.com. Web servers usually allow distinguishing multiple "virtual" servers based on the Host header received in the HTTP request.

Now imagine the same web server offered a different service when requested via cx6wdffpuik997eljf6d878i6f3np4207ne30vyjsvhpra69, which is not a public DNS entry but is instead resolved via a local DNS server or a modified hosts file.

Would this effectively hide the existence of the hidden service? Is this done in practice?


Note: I am aware that this alone should not be used to secure the service. Authentication via client-certificates would be done in addition.

How to determine start and end bytes of LUKS header?

How can I determine the exact start byte and exact end byte of a LUKS header on a block storage device?

I use Linux Unified Key Setup (LUKS) for Full Disk Encryption (FDE), so all of the data on my drive is encrypted using a strong master key that's not derived from my passphrase, and I'm working on a script that will securely wipe the drive in a panic/emergency shutdown situation (i.e. someone is physically stealing your laptop).

Let's say I have a 1000T drive and time is too short (~30 seconds) in my emergency scenario to actually fill the drive with random bytes. Instead, I'd just like to overwrite the header, because all of the data on the drive is worthless if the master key and/or salts stored in the LUKS header's keyslots area are lost, even if the passphrase were recovered via rubber-hose cryptanalysis.

How can I safely determine the start byte and end byte of the LUKS header so I know what to overwrite?

Note: The solution provided must be valid for both LUKS1 (released in 2014) and LUKS2 (released in 2018).

Edit: I know I can just overwrite the first 10 MiB and be sure to get the entire LUKS header, but I'd also like the ability to restore the header in the future in case the emergency shutdown was accidental (triggered by a false positive). So knowing the exact start and end bytes of the LUKS header is critical to avoid the risk of data corruption when restoring the LUKS header.
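The header start is byte 0 of the device (unless a detached header is used), and the end that matters for both wiping and restoring is the offset at which the encrypted payload begins, because the keyslot key material sits between the fixed header and the payload. For LUKS1 that offset is the payload-offset field (in 512-byte sectors) of the 592-byte phdr; for LUKS2 it is the segment offset recorded in the JSON area that follows the 4096-byte binary header, with a second copy of header and JSON immediately after the first. The added example below (not cryptsetup's code, not from the question) reads both formats from a raw byte image and reports those ranges; the two sample headers are constructed in-line with default-like values. Two caveats for the emergency script: on flash storage an overwrite does not guarantee the old copy is physically gone, so pair it with a real backup kept off the device (cryptsetup luksHeaderBackup / luksHeaderRestore produce and consume exactly this region), and cryptsetup luksErase already implements the "destroy all keyslots" step if a shell is available at that moment.

```python
"""Find the LUKS1/LUKS2 header region, i.e. everything from the magic up to the encrypted payload.

Added example, not cryptsetup's code. Field offsets follow the LUKS1 on-disk spec and
cryptsetup's luks2_hdr_disk; the two sample headers are constructed in-line.
"""
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"
LUKS1_KEY_ENABLED = 0x00AC71F3
SECTOR = 512


def luks_header_region(blob: bytes) -> dict:
    """Byte ranges of the header structures and the offset where encrypted data begins.

    Overwriting [0, data_offset) destroys the master-key material (and, for LUKS2, both
    JSON copies); the same region is what a header backup has to cover for a later restore.
    """
    if blob[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0 (detached header, or not LUKS)")
    version = struct.unpack_from(">H", blob, 6)[0]
    if version == 1:
        # phdr is 592 bytes: payload-offset (sectors) at byte 104, 8 keyslots x 48 bytes from byte 208.
        payload_sectors = struct.unpack_from(">I", blob, 104)[0]
        slots = []
        for i in range(8):
            active, _iters, _salt, km_sector, _stripes = struct.unpack_from(">II32sII", blob, 208 + 48 * i)
            if active == LUKS1_KEY_ENABLED:
                slots.append({"slot": i, "key_material_offset": km_sector * SECTOR})
        return {"version": 1, "primary_header": (0, 592), "keyslots": slots,
                "data_offset": payload_sectors * SECTOR}
    if version == 2:
        # 4096-byte binary header, then the NUL-padded JSON area, together hdr_size bytes;
        # a second copy of both follows immediately, then the keyslots area.
        hdr_size = struct.unpack_from(">Q", blob, 8)[0]
        if blob[hdr_size:hdr_size + 6] != LUKS2_SECONDARY_MAGIC:
            raise ValueError(f"secondary LUKS2 header missing at offset {hdr_size}")
        meta = json.loads(blob[4096:hdr_size].rstrip(b"\x00").decode("utf-8"))
        slots = [{"slot": int(k), "area": (int(v["area"]["offset"]),
                                           int(v["area"]["offset"]) + int(v["area"]["size"]))}
                 for k, v in meta["keyslots"].items()]
        return {"version": 2, "primary_header": (0, hdr_size), "secondary_header": (hdr_size, 2 * hdr_size),
                "keyslots": slots,
                "data_offset": min(int(s["offset"]) for s in meta["segments"].values())}
    raise ValueError(f"unsupported LUKS version {version}")


def make_luks1_sample() -> bytes:
    """Constructed LUKS1 header: aes-xts-plain64, 256-bit key, payload at sector 4096 (2 MiB)."""
    hdr = bytearray(592)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H32s32s32sII", hdr, 6, 1, b"aes", b"xts-plain64", b"sha256", 4096, 32)
    struct.pack_into(">II32sII", hdr, 208, LUKS1_KEY_ENABLED, 100000, b"\x11" * 32, 8, 4000)
    for i in range(1, 8):
        struct.pack_into(">I", hdr, 208 + 48 * i, 0x0000DEAD)       # LUKS_KEY_DISABLED
    return bytes(hdr)


def make_luks2_sample() -> bytes:
    """Constructed LUKS2 header pair: 16 KiB each, keyslot 0 at 32 KiB, data segment at 16 MiB."""
    hdr_size = 16384
    meta = {"keyslots": {"0": {"type": "luks2", "area": {"type": "raw", "offset": "32768", "size": "258048"}}},
            "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic"}},
            "config": {"json_size": str(hdr_size - 4096), "keyslots_size": "16744448"}}
    js = json.dumps(meta).encode("utf-8")

    def one(magic: bytes) -> bytes:
        b = bytearray(hdr_size)
        b[0:6] = magic
        struct.pack_into(">HQ", b, 6, 2, hdr_size)
        b[4096:4096 + len(js)] = js
        return bytes(b)

    return one(LUKS_MAGIC) + one(LUKS2_SECONDARY_MAGIC)


if __name__ == "__main__":
    for sample in (make_luks1_sample(), make_luks2_sample()):
        r = luks_header_region(sample)
        print(f"LUKS{r['version']}: wipe/backup bytes [0, {r['data_offset']}), keyslots {r['keyslots']}")
```

On a real device, read the first few MiB of /dev/sdX (the function only touches the header bytes it parses) and use data_offset as the byte count for both the emergency overwrite and the backup copy; for LUKS1 the enabled keyslots' key material lies inside that range at the offsets reported, for LUKS2 the reported keyslot areas do.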