TWA 0222
"Expect-CT missing 'report-uri' directive"
The Expect-CT header is sent from the web server to the web browser as part of the HTTP response. It instructs the browser to verify the HTTPS certificate against the public CT (Certificate Transparency) logs. Currently (August 2020) only some modern web browsers (e.g. Chrome 64, Edge) support this check.
Expect-CT is a field in the header of the HTTP response. Its value is a string with an internal structure: a comma-separated list of one or more directives.
The report-uri=_URI_ directive signals the browser to send certificate errors to the given URI.
The 'report-uri' directive should always be combined with the 'enforce' directive.
Prepare your own report-uri endpoint for Expect-CT or use a service provider.
Include the report-uri=_URI_ directive, with the URI of your endpoint, in the Expect-CT field in the web server configuration.
For nginx: include the line add_header Expect-CT 'enforce, max-age=86400, report-uri="https://mydomain.com/report"';
in the server section of the configuration file.
For Apache: include the line Header set Expect-CT 'enforce, max-age=86400, report-uri="https://mydomain.com/report"'
in the configuration file.
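To verify that a deployed header actually carries the recommended policy (enforce, max-age and report-uri together), the following added example parses the Expect-CT directive list and reports what is missing. It is not part of the TWA project; the header values it checks are constructed samples, and the https-only rule for report-uri is an assumption of the check, not something the page states.

```python
"""Check an Expect-CT response header for the TWA 0222 finding.

Parses the directive list (enforce, max-age=<seconds>, report-uri="<uri>")
and returns the parts of the recommended policy that are missing.
"""
import re
from urllib.parse import urlparse

# One directive: name, optional = value (quoted or bare token), then ',' or end.
_DIRECTIVE_RE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^,"\s]*)))?\s*(?:,|$)'
)


def parse_expect_ct(value):
    """Return {directive_name: value_or_None}; directive names are case-insensitive."""
    directives, pos = {}, 0
    while pos < len(value):
        m = _DIRECTIVE_RE.match(value, pos)
        if not m:
            raise ValueError(f"malformed Expect-CT header at offset {pos}: {value[pos:]!r}")
        name = m.group(1).lower()
        # group(2) is the content of a quoted value, group(3) a bare token
        val = m.group(2) if m.group(2) is not None else m.group(3)
        directives[name] = val
        pos = m.end()
    return directives


def check_expect_ct(header_value):
    """Return a list of findings; an empty list means the policy is complete."""
    try:
        d = parse_expect_ct(header_value)
    except ValueError as e:
        return [str(e)]
    findings = []
    if "enforce" not in d:
        findings.append("missing 'enforce' directive")
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("missing or non-numeric 'max-age' directive")
    uri = d.get("report-uri")
    if not uri:
        findings.append("missing 'report-uri' directive (TWA 0222)")
    else:
        # Assumption of this check: reports should go to an absolute https URL
        parsed = urlparse(uri)
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append("report-uri should be an absolute https URL")
    return findings
```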