Stop setting Expect-CT by default #310
Comments
Maybe it is time to deprecate it first, set a timeline for removal, and display a warning for everyone who is using it and point them here to give feedback? Hopefully at least some users would see the warning. Or since it is a major version bump, just break people's CI to get them here.
I agree 100%. However, I want to make sure it's okay to delete. Based on my very quick research, it seems like the above links haven't been updated to say something like, "this is now deprecated". I'm away from reliable internet this week, so if someone could find definitive sources that claim we can drop this header, I'd appreciate it! Once we've decided we can remove it, we'll start logging deprecation warnings and so on.
To be honest I don't think even a "definitive" deprecation means much in terms of HTTP headers. After all, HTML5 was a reimagining of the HTML standard which picked back up plenty of what had been deprecated by HTML4. The only way to be sure about whether it's okay to delete seems to be collecting usage data, but telemetry is kind of frowned upon. Might as well just keep it for posterity if there is no issue with it?
The difference, I think, is that Expect-CT tells browsers to expect certificate transparency. If modern browsers expect it by default, then the header is a waste (though not harmful). According to MDN, it looks like Chrome and Safari require it but Firefox does not, so the header would still be useful for Firefox. But that info may be out of date.
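The comment above turns on what the header actually tells a browser and whether anything still emits it. As an added example (not Helmet's code and not part of this thread), the following Node script audits a captured set of response headers for Expect-CT, parses its max-age / enforce / report-uri directives, and flags each occurrence so the layer still setting it (an older Helmet, a proxy, a CDN rule) can be tracked down. The header sets are constructed samples, and `auditHeaders`, `parseExpectCt` and `splitDirectives` are hypothetical helper names.

```javascript
// Added example: audit captured HTTP response headers for the deprecated
// Expect-CT header. Not Helmet's code; helper names are hypothetical.

// Split a header value on commas, but not on commas inside quoted strings
// (a report-uri may legitimately contain one).
function splitDirectives(value) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (const ch of value) {
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === ',' && !inQuotes) {
      parts.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter((p) => p !== '');
}

// Parse the Expect-CT directive syntax: max-age=<seconds>, enforce, report-uri="<uri>".
// Directive names are case-insensitive; an unparseable max-age is reported as null.
function parseExpectCt(value) {
  const result = { maxAge: null, enforce: false, reportUri: null, unknown: [] };
  for (const directive of splitDirectives(value)) {
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);
    }
    if (name === 'max-age') {
      const seconds = val === null || val === '' ? NaN : Number(val);
      result.maxAge = Number.isInteger(seconds) && seconds >= 0 ? seconds : null;
    } else if (name === 'enforce') {
      result.enforce = true;
    } else if (name === 'report-uri') {
      result.reportUri = val;
    } else {
      result.unknown.push(name);
    }
  }
  return result;
}

// Walk a headers object (name -> value, the shape Node's res.getHeaders() returns)
// and produce one finding per Expect-CT header seen. Names are matched
// case-insensitively, as HTTP header names are.
function auditHeaders(headers) {
  const findings = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'expect-ct') continue;
    const parsed = parseExpectCt(String(value));
    findings.push({
      header: name,
      parsed,
      // "enforce" is the mode in which a browser could refuse the connection,
      // so it is worth separating from a report-only or max-age=0 setting.
      severity: parsed.enforce ? 'review' : 'info',
      message: 'Expect-CT is deprecated and no longer set by Helmet 7; remove it where it is emitted',
    });
  }
  return findings;
}

// Constructed samples (not captured from a real server).
const legacyHeaders = {
  'Content-Type': 'text/html; charset=utf-8',
  'Expect-CT': 'max-age=86400, enforce, report-uri="https://example.test/ct-report"',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
};
const cleanHeaders = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
};

console.log(JSON.stringify(auditHeaders(legacyHeaders), null, 2));
console.log(JSON.stringify(auditHeaders(cleanHeaders), null, 2)); // prints []
```

Feed it the header object from an Express response (`res.getHeaders()`) or a dump of a curl `-I` run; an empty result for every route confirms nothing in the stack still emits the header after the Helmet upgrade.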
I'm planning the next major version of Helmet, version 5. I'm trying to decide what to do with
There still seems to be some benefit to the header and I want to minimize disruption, so I think I'm going to go with the first option (keeping things as is). We can re-evaluate this in Helmet version 6. If anyone disagrees with that plan, let me know!
My plan is:
remove `expect-ct` - helmetjs/helmet#310
remove `block-all-mixed-content` - helmetjs/helmet@3874c6b
This is deprecated as of helmet v7 (helmetjs/helmet#310)
The `Expect-CT` header is now deprecated (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT) and helmet dropped support for it as of helmet v7 (helmetjs/helmet#310)
This commit:
- Updates the version of helmet to match a recent dependabot PR (See #1716)
- Removes the Certificate Transparency option from the config (which is now deprecated and not supported by helmet. See below.)
- Refactors the helmet configuration to use an object rather than a function. I've done this because the function felt verbose.

Expect-CT deprecated: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
Helmet 7 removes support: helmetjs/helmet#310
We may want to remove support for the `Expect-CT` header in Helmet 5.

From MDN:

The OWASP Secure Headers Project says something similar.

First, we should make sure that it's okay to remove `Expect-CT`. Will removing it cause any harm? If so, we should abandon this work and continue to maintain it.

If we can remove it, we should:

- Remove the `Expect-CT` middleware (`git rm -r middlewares/expect-ct`)
- Remove its test (`git rm test/expect-ct.test.ts`)
- Remove references from `test/index.ts`
- Remove references from `index.ts`
- Remove references from `.npmignore`

After this is done, `git grep -i expect-ct` and `git grep -i expectct` should only return results in the changelog. And this change should be made against the `v5.x` branch, not `main`.

But again, we shouldn't do any of this if `Expect-CT` shouldn't be removed.
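The issue's closing check (`git grep -i expect-ct` and `git grep -i expectct` returning only changelog hits) is easy to turn into a script that a release branch can run before merge. The following POSIX shell script is an added example, not Helmet's own tooling: it builds a small constructed fixture tree and then reports any file whose contents or name still reference the header outside `CHANGELOG.md`. It uses plain `grep -r` and `find` rather than `git grep` so that it also runs on a directory that is not a git checkout (an assumption, and the one deviation from the issue's command); `check_expect_ct_refs` and `make_fixture` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not Helmet's own tooling: verify that a tree has no leftover
# Expect-CT references outside the changelog, mirroring the issue's
# `git grep -i expect-ct` / `git grep -i expectct` check with plain grep/find.

# Print any leftover references under $1 and return 1 if there are any.
# Content matches are case-insensitive; CHANGELOG.md is the only allowed hit.
# File or directory names containing the header name are reported as well,
# since `git rm -r middlewares/expect-ct` should have removed them.
check_expect_ct_refs() {
  dir="$1"
  leftovers=$(grep -r -i -l -e 'expect-ct' -e 'expectct' "$dir" 2>/dev/null \
    | grep -v 'CHANGELOG\.md$' || true)
  stray_files=$(find "$dir" \( -iname '*expect-ct*' -o -iname '*expectct*' \) -print)
  if [ -n "$leftovers" ] || [ -n "$stray_files" ]; then
    printf 'Leftover Expect-CT references in %s:\n' "$dir"
    [ -n "$leftovers" ] && printf '  content: %s\n' $leftovers
    [ -n "$stray_files" ] && printf '  name:    %s\n' $stray_files
    return 1
  fi
  printf 'No Expect-CT references outside CHANGELOG.md in %s\n' "$dir"
  return 0
}

# Constructed fixture (not Helmet's real layout). $1 is "clean" or "dirty";
# prints the temporary directory it created so the caller can check and remove it.
make_fixture() {
  root=$(mktemp -d)
  printf '## 7.0.0\n- Removed `expect-ct` middleware (#310)\n' > "$root/CHANGELOG.md"
  if [ "$1" = "dirty" ]; then
    mkdir -p "$root/middlewares/expect-ct"
    printf 'export default function expectCt() {}\n' > "$root/middlewares/expect-ct/index.ts"
    printf 'import expectCt from "./middlewares/expect-ct";\n' > "$root/index.ts"
  else
    printf 'export default function helmet() {}\n' > "$root/index.ts"
  fi
  printf '%s\n' "$root"
}

# Demo run: the clean tree passes, the dirty tree is reported.
demo_clean=$(make_fixture clean)
demo_dirty=$(make_fixture dirty)
check_expect_ct_refs "$demo_clean"
check_expect_ct_refs "$demo_dirty" || echo "dirty fixture correctly rejected"
rm -rf "$demo_clean" "$demo_dirty"
```

Run it as `check_expect_ct_refs .` from the repository root once the removal commits are in place; a non-zero exit is the signal that an import, a test or the middleware directory itself survived.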