lua-http
Support Expect-CT header
- Draft Spec
- https://scotthelme.co.uk/a-new-security-header-expect-ct/
- Chrome feature available since Chrome 61
Client side support
- [x] Support for Expect-CT header in lpeg_patterns (Tracking issue: https://github.com/daurnimator/lpeg_patterns/issues/11)
- [ ] Track known expect-ct hosts
- [ ] Support report-uri
- This requires a JSON library
- May want to turn off by default for privacy?
- > UAs SHOULD limit the rate at which they send reports. For example, it is unnecessary to send the same report to the same "report-uri" more than once.
- [ ] Come up with a CT Policy
- Google's
- Need to include default log providers? See https://www.certificate-transparency.org/known-logs
Server side support
- Probably need https://github.com/wahern/luaossl/issues/105
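
A sketch of the client-side bookkeeping the checklist above calls for (tracking known Expect-CT hosts and not sending the same report to the same report-uri twice), as an added example in plain Lua. It is not lua-http or lpeg_patterns code: every name in it (`Store`, `note`, `lookup`, `should_report`, `ct_ok`, the `"no-scts"` failure key) is hypothetical, and it assumes the caller has already decided whether the connection met its CT policy.

```lua
-- Added example: in-memory store of known Expect-CT hosts (hypothetical names).
local Store = {}
Store.__index = Store

-- Simplified parser for illustration only; assumes no commas inside quoted
-- values. Real parsing belongs to the lpeg_patterns work tracked above.
local function parse_expect_ct(value)
	local d = {}
	for item in value:gmatch("[^,]+") do
		local name, val = item:match("^%s*([%w%-]+)%s*=?%s*(.-)%s*$")
		if name then d[name:lower()] = (val:gsub('^"(.*)"$', "%1")) end
	end
	local raw = d["max-age"]
	if not raw or not raw:match("^%d+$") then return nil end -- max-age is required
	return {max_age = tonumber(raw), enforce = d["enforce"] ~= nil, report_uri = d["report-uri"]}
end

-- Assumption: only headers seen on a connection that met the client's CT
-- policy (ct_ok) may change stored state. max-age=0 forgets the host.
function Store:note(host, value, ct_ok, now)
	local p = parse_expect_ct(value)
	if not p or not ct_ok then return false end
	if p.max_age == 0 then
		self.hosts[host] = nil
	else
		self.hosts[host] = {expires = now + p.max_age, enforce = p.enforce, report_uri = p.report_uri}
	end
	return true
end

-- Returns the live entry for host, dropping it once max-age has elapsed.
function Store:lookup(host, now)
	local e = self.hosts[host]
	if e and e.expires <= now then self.hosts[host], e = nil, nil end
	return e
end

-- True the first time a given report is due for a report-uri, false for repeats.
function Store:should_report(report_uri, host, failure)
	local key = report_uri .. "\0" .. host .. "\0" .. failure
	if self.sent[key] then return false end
	self.sent[key] = true
	return true
end

-- Constructed sample header and timestamps.
local s = setmetatable({hosts = {}, sent = {}}, Store)
assert(s:note("example.com", 'max-age=86400, enforce, report-uri="https://example.com/ct"', true, 1000))
assert(s:lookup("example.com", 2000).enforce)
assert(s:should_report("https://example.com/ct", "example.com", "no-scts"))
assert(not s:should_report("https://example.com/ct", "example.com", "no-scts"))
assert(s:lookup("example.com", 1000 + 86400) == nil) -- expired
```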