Product
HTTP Interceptor

A Power HTTP Interceptor to Intercept, Record, Debug & Modify HTTP Requests

API Client

A lightweight and secure API Client for faster API Development & Testing

API Mocking

Build frontend faster without waiting for backend.

Solutions
Frontend Web/Mobile Developers

Requestly improves front-end workflows with local JS testing, mocking, and SessionBook debugging.

For QA engineers

QA engineers love Requestly for its features and ease of use, allowing easy edge case testing.

Support Engineer

Support engineers value Requestly for debugging, demoing, and overriding GTM and Adobe scripts.

Backend Developers

Requestly helps in improving back-end development workflows, by enabling testing.

Pricing
Resources
Pricing
Blog
Case Studies
Status
Github
Release Note
Student Programme
🎉 Requestly joins BrowserStack to build the future of application testing. Read more

HTTP Headers

Expect CT

HTTP Header

The Expect-CT response header allows websites to opt in to reporting or enforcing Certificate Transparency. Certificate Transparency (CT) helps prevent the use of misissued certificates for a site from going unnoticed.

Currently, only Google Chrome and other Chromium-based browsers support the Expect-CT header. Chromium deprecated the header starting from version 107 because Chrome now enforces CT by default.
See the Chrome Platform Status update for more details.

Certificate Transparency requirements can be fulfilled through any of the following methods:

  • X.509v3 certificate extension that allows embedding of signed certificate timestamps issued by individual logs. Most publicly-trusted CA-issued TLS certificates used online include embedded CT.

  • A TLS extension of type signed_certificate_timestamp sent during the handshake process.

  • Supporting OCSP stapling (also called the status_request TLS extension) and providing a SignedCertificateTimestampList.

Syntax

Expect-CT: report-uri=<uri>,
enforce,
max-age=<age>

Directives

The `max-age` directive specifies the duration in seconds during which the user agent should consider the host as a known Certificate Transparency host after receiving the Expect-CT header. If the cache encounters a value exceeding its representable range or encounters an overflow during calculations, it defaults to either 2,147,483,648 (231) seconds or the maximum positive integer it can store.

If the report-uri directive is included, it indicates the URI where the user agent should report failures related to Expect-CT. When used alongside the enforce directive, this setup is known as an “enforce-and-report” configuration, instructing the user agent to both enforce compliance and report violations.

The optional enforce directive signals that the user agent should actively enforce the Certificate Transparency policy, refusing to establish future connections if violations are detected. When both enforce and report-uri directives are specified, the policy is enforced, and violations are reported, making it an enforced and monitored policy.

Example

The following example demonstrates the enforcement of Certificate Transparency for 24 hours and reports violations to foo.example.com.

Expect-CT: max-age=86400, enforce, report-uri=”https://foo.example.com/report”

Browsers do not remember an Expect-CT policy unless the website has demonstrated that it can serve a certificate that meets the certificate transparency requirements. Each browser implements its own trust model to determine which CT logs are considered trusted for the certificates that are logged.

Chrome builds are designed to stop enforcing the Expect-CT policy approximately 10 weeks after the installation’s build date.

How to Modify Header using Requestly

Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the Expect-CT header. This is useful for testing and debugging how your website handles Certificate Transparency policies during development. Steps to Modify the Expect-CT Header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter Expect-CT.
    • In the “Header Value” field, enter your desired policy value (e.g., max-age=86400, enforce).
  4. Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-website.com/*).
  5. Save the rule.

Once set up, Requestly will inject the Expect-CT header into all matching requests, allowing you to test and verify how your site responds to different Certificate Transparency policies.

Modifying the Expect-CT header can help you test how browsers enforce certificate transparency to improve security. It’s useful for developers who want to ensure their site’s HTTPS certificates are properly monitored and compliant.