Ulrich Berntien edited this page Aug 19, 2020 · 1 revision

TWA-0223

Message

"Expect-CT missing 'max-age' directive"

Explanation

The Expect-CT header is sent from the web server to the web browser in the HTTP response. It tells the browser to check the HTTPS certificate against the public CT (Certificate Transparency) logs. Currently (August 2020), only some modern web browsers (e.g. Chrome 64, Edge) support this check.

Expect-CT is a field in the header of the HTTP response. Its value is a string with internal structure: a list of one or more directives.

The max-age=_SECONDS_ directive signals the browser to apply the Certificate Transparency check to connections to this host for the next SECONDS seconds.

Remediation

Include the max-age=_SECONDS_ directive in the Expect-CT field in the web server configuration. E.g. use 86400 seconds = 24 hours.

For nginx: include the line add_header Expect-CT 'enforce, max-age=86400, report-uri="https://mydomain.com/report"'; in the server section of the configuration file.

For apache: include the line Header set Expect-CT 'enforce, max-age=86400, report-uri="https://mydomain.com/report"' in the configuration file.

Remark

If the max-age directive is missing, the enforce and report-uri directives have no effect.
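The following is an added example, not the scanner's own check: a small parser for the Expect-CT field value and a checker that reports the TWA-0223 condition (missing max-age) and, following the remark above, flags enforce and report-uri as ineffective when max-age is absent. It assumes the directive syntax used in the remediation lines: comma-separated directives, each a bare name (enforce) or name=value, with report-uri values optionally double-quoted. The header values are constructed for the example.

```python
"""Check an Expect-CT response header value for the TWA-0223 condition."""
import re

# Constructed example header values (not taken from any real site).
SAMPLE_HEADERS = {
    "good": 'enforce, max-age=86400, report-uri="https://mydomain.com/report"',
    "missing_max_age": 'enforce, report-uri="https://mydomain.com/report"',
    "bad_value": "max-age=abc, enforce",
}

# One directive: a name, optionally followed by '=' and either a
# double-quoted string or an unquoted token. Quoted values are consumed
# whole, so a comma inside a report-uri does not split the directive.
DIRECTIVE_RE = re.compile(r'([A-Za-z0-9_-]+)\s*(?:=\s*("[^"]*"|[^,\s]*))?')


def parse_expect_ct(value: str) -> dict:
    """Return {directive-name: value-or-None} for an Expect-CT field value.

    Directive names are lower-cased; a bare directive such as 'enforce'
    maps to None; surrounding double quotes are stripped from values.
    """
    directives = {}
    for match in DIRECTIVE_RE.finditer(value):
        name = match.group(1).lower()
        raw = match.group(2)
        directives[name] = None if raw is None else raw.strip('"')
    return directives


def check_expect_ct(value: str) -> list:
    """Return a list of findings for the header value (empty list = passes)."""
    directives = parse_expect_ct(value)
    findings = []
    if "max-age" not in directives:
        findings.append("TWA-0223: Expect-CT missing 'max-age' directive")
        # Without max-age, enforce and report-uri have no effect (see Remark).
        for name in ("enforce", "report-uri"):
            if name in directives:
                findings.append(f"'{name}' directive is ineffective without max-age")
    elif not (directives["max-age"] or "").isdigit():
        findings.append(
            f"max-age value {directives['max-age']!r} is not a non-negative integer"
        )
    return findings


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label}: Expect-CT: {header}")
        for finding in check_expect_ct(header) or ["OK"]:
            print(f"  {finding}")
```

Run the file directly to see the three sample headers evaluated; in practice the value passed to check_expect_ct would be the Expect-CT field taken from an HTTPS response.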

See
