checker: flag the deprecated Expect-CT header

2026-06-18 10:55:16 +09:00 · 2026-06-18 10:55:16 +09:00 · 329df14ec6
commit 329df14ec6
parent a652692ba4
3 changed files with 40 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -23,6 +23,7 @@ relies on TLS for transport.
 | `http.x_frame_options`        | Verifies that responses set X-Frame-Options or a CSP frame-ancestors directive.                                   | WARNING             |
 | `http.x_content_type_options` | Verifies that responses set X-Content-Type-Options: nosniff.                                                      | WARNING             |
 | `http.x_xss_protection`       | Reports the legacy X-XSS-Protection header; warns on filtering mode (can introduce XSS), absent/`0` are fine, CSP is the real defense. | WARNING             |
+| `http.expect_ct`              | Flags the deprecated Expect-CT header (Certificate Transparency is now enforced by mainstream clients; Mozilla recommends removing it). | WARNING             |
 | `http.referrer_policy`        | Verifies that responses set a Referrer-Policy header with a privacy-preserving value.                             | WARNING             |
 | `http.permissions_policy`     | Verifies that the Permissions-Policy header restricts powerful APIs (camera, microphone, geolocation, …).         | WARNING             |
 | `http.coop`                   | Verifies the Cross-Origin-Opener-Policy (COOP) header for cross-origin process isolation.                         | WARNING             |