Expect CT
The Expect-CT response header allows websites to opt in to reporting or enforcing Certificate Transparency. Certificate Transparency (CT) requires certificates to be recorded in public, append-only logs, so that a misissued certificate for a site cannot be used without leaving a trace that the site owner can detect.
Expect-CT was only ever implemented by Google Chrome and other Chromium-based browsers; Firefox and Safari never supported it. Chromium removed the header starting from version 107 because Chrome now enforces CT by default for all publicly trusted certificates, so the header has no effect in current browsers and should be treated as obsolete. See the Chrome Platform Status update for more details.
Certificate Transparency requirements can be fulfilled through any of the following methods:
- An X.509v3 certificate extension that embeds the signed certificate timestamps (SCTs) issued by individual CT logs. Most publicly trusted CA-issued TLS certificates in use today carry embedded SCTs, so the site operator needs to do nothing further.
- A TLS extension of type signed_certificate_timestamp, sent by the server during the handshake.
- OCSP stapling (the status_request TLS extension), where the stapled OCSP response carries a SignedCertificateTimestampList.
Syntax
Expect-CT: report-uri="<uri>", enforce, max-age=<age>
Directives
The max-age directive is required. It specifies the number of seconds, counted from receipt of the Expect-CT header, during which the user agent should consider the host a known Expect-CT host. If the user agent's cache receives a value greater than it can represent, or if any of its subsequent calculations overflows, it treats the value as either 2,147,483,648 (2^31) seconds or the largest positive integer it can store.
The optional report-uri directive gives the URI to which the user agent should report Expect-CT failures. Without enforce, the policy is report-only: the connection proceeds and a report is sent. When report-uri is combined with enforce, the setup is known as an "enforce-and-report" configuration: the user agent both refuses the connection and reports the violation.
The optional enforce directive signals that the user agent should actively enforce the Certificate Transparency policy, refusing future connections to the host whose certificates do not satisfy CT, rather than merely reporting them. Without report-uri, violations are blocked silently.
Example
The following header enforces Certificate Transparency for 24 hours (86400 seconds) and reports violations to foo.example.com:
Expect-CT: max-age=86400, enforce, report-uri="https://foo.example.com/report"
Browsers do not remember an Expect-CT policy unless the site has already demonstrated that it can serve a certificate meeting the Certificate Transparency requirements; a policy received over a non-compliant connection is ignored, so a misconfigured site cannot lock itself out. Each browser maintains its own list of trusted CT logs and decides which of them count towards compliance for a given certificate.
Chrome builds are designed to stop enforcing the Expect-CT policy approximately 10 weeks after the build date, since a stale build can no longer be trusted to hold a current view of the CT log list.
How to Modify Header using Requestly
Requestly is a Chrome extension that lets you modify HTTP headers, including the Expect-CT response header, without changing anything on the server. This is useful for testing and debugging how a site behaves under a Certificate Transparency policy during development. Steps to modify the Expect-CT header:
- Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
- Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
- Add a new header modification:
- Under “Action”, select “Add” or “Override”.
- In the “Header Name” field, enter Expect-CT.
- In the “Header Value” field, enter your desired policy value (e.g., max-age=86400, enforce).
- Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-website.com/*).
- Save the rule.
Once the rule is saved, Requestly injects the Expect-CT header into the responses for all matching URLs, so you can observe how the browser treats report-only and enforce configurations before committing to a server-side change. Two caveats apply: the header is only interpreted by Chromium builds older than version 107, since current Chrome ignores it and enforces CT regardless; and a header injected by a local extension affects only your own browser, so it tells you nothing about what your users will see until the header is actually served by the site.