Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Stop setting Expect-CT by default
See original GitHub issueWe may want to remove support for the Expect-CT header in Helmet 5.
From MDN:
The
Expect-CTwill likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.
The OWASP Secure Headers Project says something similar.
First, we should make sure that it’s okay to remove Expect-CT. Will removing it cause any harm? If so, we should abandon this work and continue to maintain it.
If we can remove it, we should:
- Remove the
Expect-CTmiddleware (git rm -r middlewares/expect-ct) - Remove the middleware-specific tests (
git rm test/expect-ct.test.ts) - Remove the top-level tests (see
test/index.ts) - Remove it from the top-level middleware (see
index.ts) - Remove it from the published allowlist (see
.npmignore) - Update the changelog and documentation
After this is done, git grep -i expect-ct and git grep -i expectct should only return results in the changelog. And this change should be made against the v5.x branch, not main.
But again, we shouldn’t do any of this if Expect-CT shouldn’t be removed.
Issue Analytics
- State:
- Created 2 years ago
- Comments:8 (8 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I’m planning the next major version of Helmet, version 5. I’m trying to decide what to do with
Expect-CTin that version. I see three options:Expect-CTheader by default and allow users to set it.Expect-CTheader by default and allow users to explicitly enable it.Expect-CTfrom the codebase.There still seems to be some benefit to the header and I want to minimize disruption, so I think I’m going to go with the first option (keeping things as is). We can re-evaluate this in Helmet version 6.
If anyone disagrees with that plan, let me know!
I agree 100%. However, I want to make sure it’s okay to delete. Based on my very quick research, it seems like the above links haven’t been updated to say something like, “this is now deprecated”.
I’m away from reliable internet this week, so if someone could find definitive sources that claim we can drop this header, I’d appreciate it! Once we’ve decided we can remove it, we’ll start logging deprecation warnings and so on.