Stop setting Expect-CT by default

See [#310][310].

[310]: #310

CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - **Breaking:** Where possible, increase TypeScript strictness around some strings. Only affects TypeScript users. See [#369](https://github.com/helmetjs/helmet/issues/369)
 - **Breaking:** `helmet.contentSecurityPolicy` no longer sets `block-all-mixed-content` directive by default
+- **Breaking:** `helmet.expectCt` is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See [#310](https://github.com/helmetjs/helmet/issues/310)
 - `helmet.frameguard` no longer offers a specific error when trying to use `ALLOW-FROM`; it just says that it is unsupported. Only the error message has changed
 
 ### Removed

README.md

@@ -37,7 +37,6 @@ Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' http
 Cross-Origin-Embedder-Policy: require-corp
 Cross-Origin-Opener-Policy: same-origin
 Cross-Origin-Resource-Policy: same-origin
-Expect-CT: max-age=0
 Origin-Agent-Cluster: ?1
 Referrer-Policy: no-referrer
 Strict-Transport-Security: max-age=15552000; includeSubDomains
@@ -373,6 +372,8 @@ Expect-CT: max-age=0
 
 `helmet.expectCt` sets the `Expect-CT` header which helps mitigate misissued SSL certificates. See [MDN's article on Certificate Transparency](https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency) and the [`Expect-CT` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT) for more.
 
+`Expect-CT` is no longer useful for new browsers in 2022. Therefore, `helmet.expectCt` is deprecated and will be removed in the next major version of Helmet. However, it can still be used in this version of Helmet.
+
 `options.maxAge` is the number of seconds to expect Certificate Transparency. It defaults to `0`.
 
 `options.enforce` is a boolean. If `true`, the user agent (usually a browser) should refuse future connections that violate its Certificate Transparency policy. Defaults to `false`.

index.ts

@@ -147,7 +147,7 @@ function getMiddlewareFunctionsFromOptions(
     result.push(xDnsPrefetchControl(...xDnsPrefetchControlArgs));
   }
 
-  const expectCtArgs = getArgs(options.expectCt);
+  const expectCtArgs = options.expectCt && getArgs(options.expectCt);
   if (expectCtArgs) {
     result.push(expectCt(...expectCtArgs));
   }

test/index.test.ts

@@ -24,7 +24,7 @@ import xXssProtection from "../middlewares/x-xss-protection";
 describe("helmet", () => {
   const topLevel = helmet.default;
 
-  it("includes all middleware with their default options", async () => {
+  it("includes all middleware, except Expect-CT, with their default options", async () => {
     // NOTE: This test relies on the CSP object being ordered a certain way,
     // which could change (and be non-breaking). If that becomes a problem,
     // we should update this test to be more robust.
@@ -34,7 +34,8 @@ describe("helmet", () => {
       "cross-origin-embedder-policy": "require-corp",
       "cross-origin-opener-policy": "same-origin",
       "cross-origin-resource-policy": "same-origin",
-      "expect-ct": "max-age=0",
+      // In Helmet 7, we can remove this Expect-CT assertion.
+      "expect-ct": null,
       "origin-agent-cluster": "?1",
       "referrer-policy": "no-referrer",
       "strict-transport-security": "max-age=15552000; includeSubDomains",
@@ -61,6 +62,16 @@ describe("helmet", () => {
     });
   });
 
+  // In Helmet 7, this test should be removed.
+  it("allows Expect-CT to be enabled", async () => {
+    await check(topLevel({ expectCt: true }), {
+      "expect-ct": "max-age=0",
+    });
+    await check(topLevel({ expectCt: { maxAge: 123 } }), {
+      "expect-ct": "max-age=123",
+    });
+  });
+
   it("works with all default middlewares disabled", async () => {
     await check(
       topLevel({