Remove expect-ct and report-to headers

Is it possible to remove the expect-ct and report-to headers? I tried using a worker like this.

addEventListener('fetch', function(event) {
  const { request } = event
  const response = handleRequest(request)
  event.respondWith(response)
})

/**
 * Receives an HTTP request and replies with a response.
 * @param {Request} request
 * @returns {Promise<Response>}
 */
async function handleRequest(request) {
  const response = await fetch(request)

  // response.headers is immutable, so copy it into a fresh Headers object
  // (the Headers constructor accepts an existing Headers instance).
  const headers = new Headers(response.headers)

  // Header names are case-insensitive; delete() matches regardless of case.
  headers.delete('Expect-CT')
  headers.delete('Report-To')

  // Build a new Response around the same body with the filtered headers.
  // Assigning to response.headers does not work: the property is read-only,
  // so the assignment is silently ignored (or throws in strict mode).
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: headers,
  })
}

I also tried using an nginx config, but nothing seems to work.

Just curious, but why would you want those headers removed?

The report-to header can be removed by emailing Cloudflare support.

My guess is that Expect-CT can be removed with the same mechanism. I’m not sure why you would want them removed. They are used to identify issues which may go undetected otherwise.

It’s all about integrity. I live in Sweden, and this is the information I have received about the issue with sending information to third parties.

The Content Security Policy (CSP) directive report-uri, or report-to in combination with a Report-To header, instructs the user’s browser to send a violation report to specified URI(s) if the CSP is violated. Each report is a JSON object containing information about the violation, including, among other things, the URL of the document where it occurred and referrer information. While reporting is useful for developers to find and fix bugs, it can also be used for tracking purposes.

The Expect-CT header can be used to enforce Certificate Transparency requirements, and/or optionally send reports of Certificate Transparency violations to a specified URI.

The NEL (Network Error Logging) header instructs the user’s browser to send reports about network errors (e.g. DNS resolution error, TCP or TLS connection failure, 4xx or 5xx HTTP responses) to a specified URI. It can also be configured to send reports about successful network requests. See [1], [2] for privacy considerations.

(I am not a lawyer)
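As an added example that is not part of the original thread (and not Cloudflare's code): a small JavaScript audit that parses the three headers described in the post above (Report-To, Expect-CT and NEL), lists every endpoint a browser would be told to send reports to, and returns a copy of the headers with those three removed. It works on a plain name-to-value object so it runs in Node without the Fetch API; the header values and the `reports.example` URLs are constructed sample data, not real Cloudflare values.

```javascript
// Parse a Report-To value. The header carries one JSON object per group and
// several groups may be joined with commas, so wrap the whole value in [] and
// parse it as a JSON array to cover both shapes at once.
function parseReportTo(value) {
  const groups = JSON.parse('[' + value + ']')
  return groups.map(g => ({
    group: g.group || 'default',        // spec default group name
    maxAge: g.max_age,
    endpoints: (g.endpoints || []).map(e => e.url),
  }))
}

// Parse an Expect-CT value: comma-separated directives, where report-uri
// carries a quoted URL and enforce has no value.
function parseExpectCt(value) {
  const result = { maxAge: null, enforce: false, reportUri: null }
  for (const part of value.split(',')) {
    const [rawName, ...rest] = part.trim().split('=')
    const name = rawName.trim().toLowerCase()
    // Re-join so a '=' inside the URL (query string) is not lost, then unquote.
    const val = rest.join('=').trim().replace(/^"|"$/g, '')
    if (name === 'max-age') result.maxAge = Number(val)
    else if (name === 'enforce') result.enforce = true
    else if (name === 'report-uri') result.reportUri = val
  }
  return result
}

// Parse an NEL value (a single JSON object). NEL has no URL of its own; it
// names a Report-To group, and the reports go to that group's endpoints.
// Defaults follow the NEL spec: success_fraction 0, failure_fraction 1.
function parseNel(value) {
  const nel = JSON.parse(value)
  return {
    reportTo: nel.report_to,
    maxAge: nel.max_age,
    successFraction: nel.success_fraction === undefined ? 0 : nel.success_fraction,
    failureFraction: nel.failure_fraction === undefined ? 1 : nel.failure_fraction,
  }
}

// Audit a header map: returns the sorted list of report endpoints the
// browser would learn from these headers, plus a copy of the headers with
// the reporting headers stripped. Name matching is case-insensitive.
function auditReportingHeaders(headers) {
  const REPORTING = ['expect-ct', 'report-to', 'nel']
  const endpoints = new Set()
  const kept = {}
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase()
    if (lower === 'report-to') {
      for (const g of parseReportTo(value)) g.endpoints.forEach(u => endpoints.add(u))
    } else if (lower === 'expect-ct') {
      const ct = parseExpectCt(value)
      if (ct.reportUri) endpoints.add(ct.reportUri)
    } else if (lower === 'nel') {
      parseNel(value) // validated only; its reports flow through Report-To
    }
    if (!REPORTING.includes(lower)) kept[name] = value
  }
  return { endpoints: [...endpoints].sort(), headers: kept }
}

// Constructed sample response headers (hypothetical values, not captured
// from any real site).
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html',
  'Report-To': '{"endpoints":[{"url":"https://reports.example/nel"}],"group":"nel-group","max_age":604800}',
  'NEL': '{"success_fraction":0,"report_to":"nel-group","max_age":604800}',
  'Expect-CT': 'max-age=604800, report-uri="https://reports.example/ct"',
}

// Usage: list where reports would go, and what a stripped response would carry.
const audit = auditReportingHeaders(SAMPLE_HEADERS)
console.log('report endpoints:', audit.endpoints)
console.log('remaining headers:', Object.keys(audit.headers))
```

Running the audit before and after a change is the quickest way to confirm whether a Worker or proxy actually removed the headers the browser sees; the stripped map is what a `new Response(...)` should be built from, and the endpoint list is what to show an auditor asking which third parties receive reports.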

I would say it’s more down to trust. You are sending the information to the same third party who is serving the website (i.e. Cloudflare). So the level of trust is the same, but your judgement is what’s important. If you don’t trust their integrity…

While I have no knowledge of Cloudflare’s plans, Expect-CT will probably disappear in the next two months, as the browsers will by that point enforce CT on all certificates that are valid after May 2021. If you don’t want the NEL data to be sent, an email to support will have it removed.

The issue for me is that this is a recommendation from a security audit. In Sweden, which is my home country, we are pretty tough on keeping our users safe. So it’s not about me being afraid of being sued, it’s more about doing the right thing for my users.

I can’t find the support email address. Can you point me in the right direction?

supportATcloudflareDOTcom

Hehe, thanks :man_facepalming:

Which might align with today’s Blog post.
