Remove Expect-CT middleware

See [#378](#378).

CHANGELOG.md

@@ -5,6 +5,7 @@
 ### Removed
 
 - **Breaking:** Drop support for Node 14 and 15. Node 16+ is now required
+- **Breaking:** `Expect-CT` is no longer part of Helmet. If you still need it, you can use the [`expect-ct` package](https://www.npmjs.com/package/expect-ct). See [#378](https://github.com/helmetjs/helmet/issues/378)
 
 ## 6.1.4 - 2023-04-10
 

README.md

@@ -109,17 +109,17 @@ app.use(helmet.xssFilter());
 <details>
 <summary><code>helmet(options)</code></summary>
 
-Helmet is the top-level middleware for this module, including all 15 others.
+Helmet is the top-level middleware for this module, including all 14 others.
 
 ```js
-// Includes all 15 middlewares
+// Includes all 14 middlewares
 app.use(helmet());
 ```
 
 If you want to disable one, pass options to `helmet`. For example, to disable `frameguard`:
 
 ```js
-// Includes 14 out of 15 middlewares, skipping `helmet.frameguard`
+// Includes 13 out of 14 middlewares, skipping `helmet.frameguard`
 app.use(
   helmet({
     frameguard: false,
@@ -130,7 +130,7 @@ app.use(
 Most of the middlewares have options, which are documented in more detail below. For example, to pass `{ action: "deny" }` to `frameguard`:
 
 ```js
-// Includes all 15 middlewares, setting an option for `helmet.frameguard`
+// Includes all 14 middlewares, setting an option for `helmet.frameguard`
 app.use(
   helmet({
     frameguard: {
@@ -357,49 +357,6 @@ You can install this module separately as `cross-origin-resource-policy`.
 
 </details>
 
-<details>
-<summary><code>helmet.expectCt(options)</code></summary>
-
-Default:
-
-```http
-Expect-CT: max-age=0
-```
-
-`helmet.expectCt` sets the `Expect-CT` header which helps mitigate misissued SSL certificates. See [MDN's article on Certificate Transparency](https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency) and the [`Expect-CT` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT) for more.
-
-`Expect-CT` is no longer useful for new browsers in 2022. Therefore, `helmet.expectCt` is deprecated and will be removed in the next major version of Helmet. However, it can still be used in this version of Helmet.
-
-`options.maxAge` is the number of seconds to expect Certificate Transparency. It defaults to `0`.
-
-`options.enforce` is a boolean. If `true`, the user agent (usually a browser) should refuse future connections that violate its Certificate Transparency policy. Defaults to `false`.
-
-`options.reportUri` is a string. If set, complying user agents will report Certificate Transparency failures to this URL. Unset by default.
-
-Examples:
-
-```js
-// Sets "Expect-CT: max-age=86400"
-app.use(
-  helmet.expectCt({
-    maxAge: 86400,
-  })
-);
-
-// Sets "Expect-CT: max-age=86400, enforce, report-uri="https://example.com/report"
-app.use(
-  helmet.expectCt({
-    maxAge: 86400,
-    enforce: true,
-    reportUri: "https://example.com/report",
-  })
-);
-```
-
-You can install this module separately as `expect-ct`.
-
-</details>
-
 <details>
 <summary><code>helmet.referrerPolicy(options)</code></summary>
 

index.ts

@@ -11,7 +11,6 @@ import crossOriginOpenerPolicy, {
 import crossOriginResourcePolicy, {
   CrossOriginResourcePolicyOptions,
 } from "./middlewares/cross-origin-resource-policy/index.js";
-import expectCt, { ExpectCtOptions } from "./middlewares/expect-ct/index.js";
 import originAgentCluster from "./middlewares/origin-agent-cluster/index.js";
 import referrerPolicy, {
   ReferrerPolicyOptions,
@@ -39,7 +38,6 @@ export interface HelmetOptions {
   crossOriginOpenerPolicy?: CrossOriginOpenerPolicyOptions | boolean;
   crossOriginResourcePolicy?: CrossOriginResourcePolicyOptions | boolean;
   dnsPrefetchControl?: XDnsPrefetchControlOptions | boolean;
-  expectCt?: ExpectCtOptions | boolean;
   frameguard?: XFrameOptionsOptions | boolean;
   hidePoweredBy?: boolean;
   hsts?: StrictTransportSecurityOptions | boolean;
@@ -69,7 +67,6 @@ interface Helmet {
   crossOriginOpenerPolicy: typeof crossOriginOpenerPolicy;
   crossOriginResourcePolicy: typeof crossOriginResourcePolicy;
   dnsPrefetchControl: typeof xDnsPrefetchControl;
-  expectCt: typeof expectCt;
   frameguard: typeof xFrameOptions;
   hidePoweredBy: typeof xPoweredBy;
   hsts: typeof strictTransportSecurity;
@@ -143,11 +140,6 @@ function getMiddlewareFunctionsFromOptions(
     result.push(xDnsPrefetchControl(...xDnsPrefetchControlArgs));
   }
 
-  const expectCtArgs = options.expectCt && getArgs(options.expectCt);
-  if (expectCtArgs) {
-    result.push(expectCt(...expectCtArgs));
-  }
-
   const xFrameOptionsArgs = getArgs(options.frameguard);
   if (xFrameOptionsArgs) {
     result.push(xFrameOptions(...xFrameOptionsArgs));
@@ -257,7 +249,6 @@ const helmet: Helmet = Object.assign(
     crossOriginOpenerPolicy,
     crossOriginResourcePolicy,
     dnsPrefetchControl: xDnsPrefetchControl,
-    expectCt,
     frameguard: xFrameOptions,
     hidePoweredBy: xPoweredBy,
     hsts: strictTransportSecurity,
@@ -277,7 +268,6 @@ export {
   crossOriginEmbedderPolicy,
   crossOriginOpenerPolicy,
   crossOriginResourcePolicy,
-  expectCt,
   originAgentCluster,
   referrerPolicy,
   strictTransportSecurity as hsts,