
Security Headers – Expect-CT

The Expect-CT header is a security header used to enforce Certificate Transparency (CT) on a website. Certificate Transparency is a mechanism designed to enhance the security of the SSL/TLS certificate issuance process by providing a publicly auditable log of all issued certificates.

The Expect-CT header instructs the browser to enforce that a valid Signed Certificate Timestamp (SCT) is present in the certificate chain, indicating that the certificate has been logged in a Certificate Transparency log.

Purpose of Expect-CT

The primary purpose of the Expect-CT header is to help prevent the issuance of fraudulent SSL/TLS certificates and detect any unauthorized certificates in the wild. By requiring that certificates are logged in Certificate Transparency logs, website operators can ensure that the certificates for their domains are publicly verifiable and have not been issued without proper authorization.

How Expect-CT Works

The Expect-CT header value is made up of directives that specify the behavior the browser should follow. The directives are:

enforce – Instructs the browser to enforce the Certificate Transparency policy, meaning that the browser should reject any connection to the website that does not present a valid SCT.
max-age – Specifies the maximum amount of time (in seconds) that the browser should enforce the Certificate Transparency policy.
report-uri – Specifies a URI to which the browser should report violations of the Certificate Transparency policy.

Expect-CT: enforce, max-age=86400, report-uri="https://example.com/report"

This example sets the Expect-CT header to enforce Certificate Transparency, with a maximum age of 86400 seconds (24 hours) for the policy. It also provides a report URI to which the browser sends reports about any policy violations.

Configure Expect-CT via Web Servers

More detailed instructions on how to configure security headers are available here. The snippets below assume you already know where headers are configured for your web server type:

Apache

<IfModule mod_headers.c>
    # report-uri must be sent as a quoted string, so escape the inner quotes
    Header always set Expect-CT "enforce, max-age=86400, report-uri=\"https://example.com/report\""
</IfModule>

NGINX

# report-uri must be sent as a quoted string, so escape the inner quotes
add_header Expect-CT "enforce, max-age=86400, report-uri=\"https://example.com/report\"";
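As an added example (not part of the original article), a small Python checker that parses an Expect-CT value the way a receiving browser would and flags policy problems: a missing max-age, a report-uri that was not sent as a quoted string (what a browser receives if the inner quotes are dropped when the header is set in a web server config), a non-https report endpoint, and duplicate or unknown directives. The directive grammar and the rule that max-age is required follow the Expect-CT specification; the problem messages and the ExpectCT dataclass are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One directive: a name, optionally "=" and a token or a quoted-string.
# A report-uri contains ':' and '/', which are not token characters, so a
# conforming sender must wrap it in double quotes.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^,\s]+))?\s*')

@dataclass
class ExpectCT:
    enforce: bool = False
    max_age: Optional[int] = None
    report_uri: Optional[str] = None
    problems: List[str] = field(default_factory=list)

def parse_expect_ct(value: str) -> ExpectCT:
    """Parse a header value; policy problems are collected, not raised."""
    policy, seen, pos = ExpectCT(), set(), 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if not m or (m.end() < len(value) and value[m.end()] != ","):
            policy.problems.append(f"syntax error at offset {pos}")
            break
        name, raw, pos = m.group(1).lower(), m.group(2), m.end() + 1  # skip ','
        if name in seen:
            policy.problems.append(f"duplicate directive {name}")
        seen.add(name)
        if name == "enforce":  # boolean flag, must not carry a value
            if raw is not None:
                policy.problems.append("enforce takes no value")
            policy.enforce = True
        elif name == "max-age":  # required by the spec; seconds, non-negative
            if raw is None or not raw.strip('"').isdigit():
                policy.problems.append("max-age must be a non-negative integer")
            else:
                policy.max_age = int(raw.strip('"'))
        elif name == "report-uri":  # must be a quoted-string, ideally https
            if raw is None or not raw.startswith('"'):
                policy.problems.append("report-uri must be a quoted-string")
            else:
                policy.report_uri = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape
                if not policy.report_uri.startswith("https://"):
                    policy.problems.append("report-uri should use https")
        else:
            policy.problems.append(f"unknown directive {name} ignored")
    if policy.max_age is None and not any("max-age" in p for p in policy.problems):
        policy.problems.append("max-age is required")
    return policy
```

Run it against the exact string your server emits (for example from `curl -sI https://your-host`); an empty `problems` list means the value matches the page's example.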
Updated on December 13, 2023