Expect-CT

The Expect-CT header is used to enforce Certificate Transparency (CT) compliance for a specific domain. CT is a security mechanism that allows monitoring and auditing of SSL/TLS certificates issued by Certificate Authorities (CAs). By using the Expect-CT header, a website can instruct user agents (such as web browsers) to ensure that the site’s certificate is CT-compliant. This helps prevent man-in-the-middle attacks and the use of misissued certificates.

How the Expect-CT Header Works

The Expect-CT header can be set by a server in its HTTP response. When a user agent receives this header, it checks the site’s certificate against CT logs to ensure that it is compliant. If the certificate is not CT-compliant, the user agent may display a warning or block access to the site, depending on the browser’s implementation.

The Expect-CT header has three primary directives:

  1. enforce: When set, the user agent will enforce CT compliance and may block access to non-compliant sites.
  2. max-age: Specifies the number of seconds the user agent should remember the Expect-CT policy. After this time has elapsed, the user agent will no longer enforce the policy.
  3. report-uri: An optional directive giving a URL to which the user agent sends reports about non-compliant certificates it encounters.

Example: Expect-CT Header in a Server Response

In this example, a server includes the Expect-CT header in its HTTP response. The header enforces CT compliance, sets a max-age of 86400 seconds (24 hours), and provides a report-uri for non-compliant certificate reporting.

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expect-CT: enforce, max-age=86400, report-uri="https://example.com/report"

Upon receiving this response, the user agent will enforce CT compliance for the next 24 hours when accessing the site. If it encounters a non-compliant certificate, it may block access and report the issue to the specified report-uri.
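As an added example (not part of the original page), the following Python parses and validates an Expect-CT response value using the three directives described above, rejecting headers a user agent would have to discard (no max-age, a non-numeric max-age, a valued enforce, or a repeated directive) and tolerating unknown directives; the sample header is the one from the server response above.

```python
import re

# Split on commas that are not inside a quoted value such as a report-uri.
_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
# One directive: a name, optionally "=" and a quoted or bare value.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s",;]*)))?\s*$')


def parse_expect_ct(value: str) -> dict:
    """Parse one Expect-CT value into {'enforce', 'max_age', 'report_uri'}.

    Raises ValueError where a user agent would have to discard the header:
    missing or non-numeric max-age, a valued enforce, or a repeated directive.
    Directives this parser does not know are ignored, not rejected.
    """
    seen = set()
    enforce, max_age, report_uri = False, None, None
    for raw in _SPLIT.split(value):
        if not raw.strip():
            continue  # tolerate a trailing comma or empty element
        m = _DIRECTIVE.match(raw)
        if not m:
            raise ValueError(f"malformed directive: {raw!r}")
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "enforce":
            if val is not None:
                raise ValueError("enforce takes no value")
            enforce = True
        elif name == "max-age":
            if val is None or not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(val)
        elif name == "report-uri":
            if not val:
                raise ValueError("report-uri needs a URL")
            report_uri = val
    if max_age is None:
        raise ValueError("max-age is required")
    return {"enforce": enforce, "max_age": max_age, "report_uri": report_uri}


# Constructed sample: the response header from the example above.
SAMPLE_HEADER = 'Expect-CT: enforce, max-age=86400, report-uri="https://example.com/report"'
if __name__ == "__main__":
    _, _, field_value = SAMPLE_HEADER.partition(":")
    print(parse_expect_ct(field_value))
```

A value without enforce parses successfully but yields enforce=False, which is the report-only case the directive list above implies.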

Example: Expect-CT Header in a User Agent Request

While the Expect-CT header is typically set by the server in its response, it can also be included in a user agent’s request. This is done to signal to the server that the user agent supports and prefers CT compliance enforcement.

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Expect-CT: max-age=86400

In this example, the user agent sends an Expect-CT header with a max-age of 86400 seconds. The server can respond with an appropriate Expect-CT header, instructing the user agent to enforce CT compliance.

Summary

The Expect-CT header is an essential security feature that enforces Certificate Transparency compliance for a domain. By using this header, websites can protect their users from man-in-the-middle attacks and misissued SSL/TLS certificates. User agents that receive this header will check the site’s certificate against CT logs and may block access or display warnings for non-compliant sites. The Expect-CT header can be set by a server in its HTTP response or included in a user agent’s request to indicate support for CT compliance enforcement.