removed expect-ct it's deprecated

README.md

@@ -246,7 +246,7 @@ Install it as follows.
 1. Go to Extender, Extensions, and click on Add Extension. Select python and load the burpecheaders.py file.
     ![Load the burpsecheaders.py file](./pics/burp1.png)
 2. Once BurpSuite loads the plugin successfully, visit a website and observe that the plugin reports issues under the scanner tab.
-    ![Scanner shows issues of the plugin](./pics/burp2.png)  
+    ![Scanner shows issues of the plugin](./pics/burp2.png)
 
 Observe that the plugin highlights the offending header/directives/keywords in the response headers.
 ![BurpSuite highlights the insecure headers](./pics/burp3.png)
@@ -405,7 +405,7 @@ The HTTP Strict Transport Security (HSTS) header ensures that all communication
 
 The header has the following directives:
 
-- **max-age**: specifies the number of seconds the browser regards the host as a known HSTS Host.  
+- **max-age**: specifies the number of seconds the browser regards the host as a known HSTS Host.
 - **includeSubdomains**: this optional directive indicates that the HSTS Policy applies to this HSTS Host as well as any subdomains of
    the host's domain name.
 - **preload**: the `preload` directive indicates that the domain can be preloaded in the browser as a known HSTS host.
@@ -681,7 +681,7 @@ The tool also identifies the following syntactical errors (`SyntaxChecker`) for
     ```
 - **Missing Directive** (`MissingDirectiveChecker`): using a header without a required directive is an issue. The tool will thus mark the following as an error as max-age is missing.
     ```http
-    Expect-CT: enforce
+    Strict-Transport-Security: includeSubDomains
     ```
 - **Empty Directives** (`EmptyDirectiveChecker`): using a directive without a required value is an issue. The tool will thus mark the following as an error.
     ```http

securityheaders/checkers/__init__.py

@@ -34,7 +34,6 @@
 from .xpoweredby import *
 from .xxssprotection import *
 from .other import *
-from .expectct import *
 from .xpcdp import *
 from .setcookie import *
 

securityheaders/models/__init__.py

@@ -27,14 +27,15 @@
 from .xwebkitcsp import *
 from .xcsp import *
 from .xdownloadoptions import *
-from .expectct import *
 from .xaspnetversion import *
 from .xaspnetmvcversion import *
 from .hpkp import *
 from .xpcdp import *
 from .setcookie import *
 
-__all__ = ['annotations','csp','cors','clearsitedata','hsts','xcontenttypeoptions','xframeoptions','xxssprotection','featurepolicy','referrerpolicy','server','xpoweredby', 'expectct','xcsp','xwebkitcsp','xpcdp','xaspnetversion','xaspnetmvcversion','hpkp','xdownloadoptions']
+__all__ = ['annotations', 'csp', 'cors', 'clearsitedata', 'hsts', 'xcontenttypeoptions', 'xframeoptions',
+           'xxssprotection', 'featurepolicy', 'referrerpolicy', 'server', 'xpoweredby', 'xcsp', 'xwebkitcsp', 'xpcdp',
+           'xaspnetversion', 'xaspnetmvcversion', 'hpkp', 'xdownloadoptions']
 clazzes = list(Util.inheritors(Header))
 clazzes.extend(Util.inheritors(Directive))
 clazzes.extend(Util.inheritors(Keyword))

securityheaders/securityheader.py

@@ -9,7 +9,7 @@
 import ssl
 import random
 from functools import partial
-from anytree import ContStyle, RenderTree     
+from anytree import ContStyle, RenderTree
 
 try:
     from multiprocessing import Pool, freeze_support
@@ -44,14 +44,14 @@ def _unpickle_method(func_name, obj, cls):
             break
     return func.__get__(obj, cls)
 
-try: 
+try:
     import copy_reg
 except ModuleNotFoundError:
     import copyreg as copy_reg
 
 import types
 copy_reg.pickle(types.MethodType, _pickle_method, _unpickle_method)
-                                  
+
 
 class SecurityHeaders(object):
     def __init__(self):
@@ -75,7 +75,7 @@ def get_options(self):
 
     def get_all_checker_names(self):
         return CheckerFactory().getnames()
-    
+
     def get_all_header_names(self):
         return sorted(ModelFactory().getheadernames())
 
@@ -137,7 +137,7 @@ def check_headers_with_map(self, headermap, options=None):
             options['checks'] = []
         if not 'unwanted' in options.keys():
             options['unwanted'] = []
-        checks = CheckerFactory().getactualcheckers(options['checks'])     
+        checks = CheckerFactory().getactualcheckers(options['checks'])
         unwanted = CheckerFactory().getactualcheckers(options['unwanted'])
         options['checks'] = [e for e in checks if e not in unwanted]
         options['unwanted'] = None
@@ -149,7 +149,7 @@ def check_headers_with_map(self, headermap, options=None):
                     for check in options[checker].keys():
                         if leaf not in options.keys():
                             options[leaf]=dict()
-                        options[leaf][check] = options[checker][check]      
+                        options[leaf][check] = options[checker][check]
         return HeaderEvaluator().evaluate(headermap,options)
 
     def check_headers_parallel(self, urls, options=None, callback=None):
@@ -164,7 +164,7 @@ def check_headers_parallel(self, urls, options=None, callback=None):
                 result = pool.apply_async(self.check_headers, args=(url, options.get('redirects'), options), callback=callback)
                 results.append(result)
             pool.close()
-            pool.join() 
+            pool.join()
             return results
         else:
             raise Exception('no parallelism supported')
@@ -175,7 +175,7 @@ def check_headers(self, url, follow_redirects = 3, options=None):
 
         Args:
             url (str): Target URL in format: scheme://hostname/path/to/file
-            follow_redirects (Optional[str]): How deep we follow the redirects, 
+            follow_redirects (Optional[str]): How deep we follow the redirects,
             value 0 disables redirects.
         """
         if not options:
@@ -193,7 +193,7 @@ def check_headers(self, url, follow_redirects = 3, options=None):
            else:
                url = 'https://' + url.strip()
 
-        parsed = urlparse(url) 
+        parsed = urlparse(url)
         hostname = parsed.netloc
         if not hostname:
             return []
@@ -222,7 +222,7 @@ def check_headers(self, url, follow_redirects = 3, options=None):
             else:
                 """ Unknown protocol scheme """
                 return {}
-     
+
             conn.request('GET', path, None, headers)
             res = conn.getresponse()
             headers = res.getheaders()
@@ -231,14 +231,14 @@ def check_headers(self, url, follow_redirects = 3, options=None):
             if (res.status >= 300 and res.status < 400  and follow_redirects > 0):
                 for header in headers:
                     if (header[0] == 'location'):
-                        return self.check_headers((urlid, header[1]), follow_redirects - 1, options) 
-                
+                        return self.check_headers((urlid, header[1]), follow_redirects - 1, options)
+
             """ Loop through headers and evaluate the risk """
             result = self.check_headers_with_map(headers, options)
             for finding in result:
                 finding.url = url
                 finding.urlid = urlid
-            
+
             return result
         except Exception as e:
             return [Finding(None, FindingType.ERROR, str(e), FindingSeverity.ERROR, None, None,url , urlid)]