Summary

Expect-CT header is sent over HTTP response which should have been sent over HTTPS only. Browser will ignore any Expect-CT header received in an HTTP response.

Impact

Browser will ignore the Expect-CT header and the users will not be able to take advantage of it. This renders the Expect-CT implementation useless. Not having Expect-CT will make use of misissued certificates easier for attackers.

Classifications
OWASP PC-C10
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

Select Category

OR

Search Vulnerability

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO