Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FEATURE: Expect-CT Header #16

Closed
lewisgoddard opened this issue Nov 30, 2017 · 1 comment
Closed

FEATURE: Expect-CT Header #16

lewisgoddard opened this issue Nov 30, 2017 · 1 comment
Assignees
@lewisgoddard
Labels
💹 Status: Fix Released ⚠️ Priority: Medium

Comments

@lewisgoddard
Copy link
Member

lewisgoddard commented Nov 30, 2017
edited
Loading

As Google is abandoning HPKP in favour of the Expect-CT header, we should implement that instead.

This makes things much easier, as it works like CSP but for Certificate Transparency. No more hashing certificates and updating a file.

Expect-CT: max-age=0, report-uri="https://scotthelme.report-uri.io/r/default/ct/reportOnly"
Expect-CT: enforce,max-age=30,report-uri="https://scotthelme.report-uri.io/r/default/ct/enforce"
@lewisgoddard lewisgoddard mentioned this issue Nov 30, 2017
Closed
5 tasks
@lewisgoddard
Copy link
Member Author

lewisgoddard commented Nov 30, 2017
edited
Loading

This should probably be added to nginx-config/directive/bubbly_security-headers.conf

It would be good if this and CSP looked similar:

  1. Off by default.
  2. Report only, common domains for CSP.
  3. On, with warnings.

@lewisgoddard lewisgoddard self-assigned this Dec 16, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lewisgoddard lewisgoddard

Labels
💹 Status: Fix Released ⚠️ Priority: Medium
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@lewisgoddard