checker: flag the deprecated Expect-CT header

checker/rules_security_headers.go

@@ -69,6 +69,27 @@ func init() {
 			}}
 		},
 	}))
+
+	RegisterRule(HeaderRule(HeaderRuleSpec{
+		Code:        "http.expect_ct",
+		Description: "Reports the presence of the deprecated Expect-CT header (Certificate Transparency enforcement is now mandatory in mainstream clients; Mozilla recommends removing it).",
+		Header:      "Expect-CT",
+		Inspect: func(_ string, _ HTTPProbe, _ sdk.CheckerOptions) []HeaderResult {
+			return []HeaderResult{{
+				Status:  sdk.StatusWarn,
+				Suffix:  "deprecated",
+				Message: "Expect-CT is deprecated. Certificate Transparency is now enforced by mainstream clients, so the header serves no purpose; Mozilla recommends removing it.",
+				Meta:    map[string]any{"fix": "Remove the `Expect-CT` header from your responses."},
+			}}
+		},
+		OnMissing: func(_ HTTPProbe, _ sdk.CheckerOptions) []HeaderResult {
+			return []HeaderResult{{
+				Status:  sdk.StatusOK,
+				Suffix:  "absent",
+				Message: "Expect-CT is not set, which is correct (the header is deprecated).",
+			}}
+		},
+	}))
 }
 
 // HSTS ----------------------------------------------------------------