The Expect-CT header is used to enforce Certificate Transparency (CT) compliance for a specific domain. CT is a security mechanism that allows monitoring and auditing of SSL/TLS certificates issued by Certificate Authorities (CAs). By using the Expect-CT header, a website can instruct user agents (such as web browsers) to ensure that the site’s certificate is CT-compliant. This helps prevent man-in-the-middle attacks and the use of misissued certificates.
How the Expect-CT Header Works
The Expect-CT header can be set by a server in its HTTP response. When a user agent receives this header, it checks the site’s certificate against CT logs to ensure that it is compliant. If the certificate is not CT-compliant, the user agent may display a warning or block access to the site, depending on the browser’s implementation.
The Expect-CT header has three primary directives:
enforce: When set, the user agent will enforce CT compliance and may block access to non-compliant sites.
max-age: Specifies the number of seconds the user agent should remember the Expect-CT policy. After this time has elapsed, the user agent will no longer enforce the policy.
report-uri: An optional directive that provides a URL to which the user agent reports non-compliant certificates.
Example: Expect-CT Header in a Server Response
In this example, a server includes the Expect-CT header in its HTTP response. The header enforces CT compliance, sets a max-age of 86400 seconds (24 hours), and provides a report-uri for non-compliant certificate reporting.
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expect-CT: enforce, max-age=86400, report-uri="https://example.com/report"
Upon receiving this response, the user agent will enforce CT compliance for the next 24 hours when accessing the site. If it encounters a non-compliant certificate, it may block access and report the issue to the specified report-uri.
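As an added example (not code from the original page), the following Python parser applies the directive rules described above to a received Expect-CT value and returns None for any header a user agent must ignore; the ExpectCT class and parse_expect_ct function are names chosen for this example.

```python
# directive = token [ "=" ( token / quoted-string ) ], per the RFC 9163 ABNF
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

_DIRECTIVE = re.compile(
    r'^\s*([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s",;]+)))?\s*$')

@dataclass
class ExpectCT:
    enforce: bool              # True: the UA may block; False: report-only
    max_age: int               # seconds the UA caches the policy
    report_uri: Optional[str]  # where non-compliant certificates are reported

def _split_directives(value):
    """Split on commas outside quoted strings (a report-uri may contain commas)."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return [p for p in parts if p.strip()]

def parse_expect_ct(value: str) -> Optional[ExpectCT]:
    """Return the policy, or None when a UA must ignore the header: unparsable or
    duplicate directive, missing/non-numeric max-age, a value given to enforce,
    or a report-uri that is not a quoted absolute URI. Unknown directives are ignored."""
    seen = {}
    for raw in _split_directives(value):
        m = _DIRECTIVE.match(raw)
        if not m or m.group(1).lower() in seen:
            return None
        seen[m.group(1).lower()] = (m.group(2), m.group(3))  # (quoted-string, token)
    q, t = seen.get('max-age', (None, None))
    max_age = q if q is not None else t
    if max_age is None or not re.fullmatch(r'[0-9]+', max_age):
        return None
    if seen.get('enforce', (None, None)) != (None, None):
        return None
    report_uri, token = seen.get('report-uri', (None, None))
    if token is not None or (report_uri is not None and not urlparse(report_uri).scheme):
        return None
    return ExpectCT('enforce' in seen, int(max_age), report_uri)
```

RFC 9163 publishes Expect-CT as an experimental header and current browsers no longer act on it, so treat a parsed policy as a legacy signal rather than an active protection.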
Example: Expect-CT Header in a User Agent Request
While the Expect-CT header is typically set by the server in its response, it can also be included in a user agent’s request. This is done to signal to the server that the user agent supports and prefers CT compliance enforcement.
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Expect-CT: max-age=86400
In this example, the user agent sends an Expect-CT header with a max-age of 86400 seconds. The server can respond with an appropriate Expect-CT header, instructing the user agent to enforce CT compliance.
The Expect-CT header is an essential security feature that enforces Certificate Transparency compliance for a domain. By using this header, websites can protect their users from man-in-the-middle attacks and misissued SSL/TLS certificates. User agents that receive this header will check the site’s certificate against CT logs and may block access or display warnings for non-compliant sites. The Expect-CT header can be set by a server in its HTTP response or included in a user agent’s request to indicate support for CT compliance enforcement.