Summary

Expect-CT header is sent over HTTP response which should have been sent over HTTPS only. Browser will ignore any Expect-CT header received in an HTTP response.

Impact

Browser will ignore the Expect-CT header and the users will not be able to take advantage of it. This renders the Expect-CT implementation useless. Not having Expect-CT will make use of misissued certificates easier for attackers.

Severity

Information

Classification

CWE-16 ISO27001-A.14.1.2 WASC-15