checker: flag the deprecated Expect-CT header

checker/rules_security_headers_test.go

@@ -279,6 +279,23 @@ func TestXXSSProtectionRule(t *testing.T) {
 	}
 }
 
+func TestExpectCTRule(t *testing.T) {
+	// Absent → OK, since Expect-CT is deprecated.
+	states := runRule(t, ruleByName(t, "http.expect_ct"), &HTTPData{Probes: []HTTPProbe{httpsProbe("a:443")}}, nil)
+	mustStatus(t, states, sdk.StatusOK)
+	if !hasCode(states, "http.expect_ct.absent") {
+		t.Errorf("missing absent code: %+v", states)
+	}
+	// Present → Warn deprecated.
+	p := httpsProbe("a:443")
+	p.Headers["expect-ct"] = "max-age=86400, enforce"
+	states = runRule(t, ruleByName(t, "http.expect_ct"), &HTTPData{Probes: []HTTPProbe{p}}, nil)
+	mustStatus(t, states, sdk.StatusWarn)
+	if !hasCode(states, "http.expect_ct.deprecated") {
+		t.Errorf("missing deprecated code: %+v", states)
+	}
+}
+
 func TestSecurityHeaders_NoHTTPS(t *testing.T) {
 	// Each header rule must emit Unknown when there are no successful HTTPS probes.
 	rules := []sdk.CheckRule{
@@ -287,6 +304,7 @@ func TestSecurityHeaders_NoHTTPS(t *testing.T) {
 		ruleByName(t, "http.x_frame_options"),
 		ruleByName(t, "http.x_content_type_options"),
 		ruleByName(t, "http.x_xss_protection"),
+		ruleByName(t, "http.expect_ct"),
 	}
 	data := &HTTPData{Probes: []HTTPProbe{httpProbe("a:80")}}
 	for _, r := range rules {