Expect-CT
The HTTP Expect-CT header is a mechanism that allows a site to opt-in for enforcing and reporting on Certificate Transparency requirements. This helps to prevent the use of mis-issued certificates for that site.
Usage
The HTTP Expect-CT response header is sent by a server to request that the client verify that the server's certificate appears in public Certificate Transparency logs.
Note
The Expect-CT header is only honoured in a secure context; clients ignore it when it arrives over a plain HTTP connection.
The Certificate Transparency requirements can be satisfied in any of three ways:
- An X.509v3 certificate extension that embeds signed certificate timestamps (SCTs) in the certificate itself
- A signed_certificate_timestamp TLS extension transmitted during the handshake
- OCSP stapling using a TLS status_request, accompanied by a SignedCertificateTimestampList
There are three directives: max-age, report-uri, and enforce.
Note
The HTTP Expect-CT header was primarily supported by Google Chrome, is deprecated, and should be avoided except for backward compatibility.
max-age
The max-age directive gives the number of seconds, counted from the moment the message is received, during which the client treats the host as a known Expect-CT host.
Note
The max-age directive is the only mandatory directive.
report-uri="<uri>"
The report-uri directive is optional. It gives the client a URI to which Expect-CT failures are reported.
enforce
The enforce directive is optional. It directs the client to enforce the policy by refusing connections that violate it.
Enforce-and-Report
When both the report-uri and enforce directives are present, the result is known as an enforce-and-report configuration: the client refuses violating connections and also reports each violation to the given URI, so the server operator learns about mis-issued certificates that clients have already blocked.
Example
In this example, the server sets the age to eight hours (28800 seconds) in an enforce-and-report configuration. The report-uri value is quoted, as the directive syntax above requires:
Expect-CT: max-age=28800, enforce, report-uri="https://example.re/rpct"
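The following is an added example, not code from the original page: a small parser and validator for an Expect-CT header value that models the three directives described above. It checks that max-age is present and is a non-negative integer number of seconds, that enforce carries no value, and that report-uri is a quoted absolute URI, and it classifies the resulting policy (the "enforce-and-report" name comes from the page; "enforce-only", "report-only" and "max-age-only" are labels chosen for this example). Two choices are this example's own rather than anything the page states: unrecognised directives are rejected rather than ignored, and report-uri must use https.

```python
"""Parse and validate an Expect-CT response header value (added example)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class ExpectCT:
    max_age: int                      # seconds the client treats the host as known
    enforce: bool = False             # refuse connections that violate the policy
    report_uri: Optional[str] = None  # where failures are reported, if anywhere

    @property
    def mode(self) -> str:
        """Classify the policy; 'enforce-and-report' is the page's term,
        the other three labels are this example's own."""
        if self.enforce and self.report_uri:
            return "enforce-and-report"
        if self.enforce:
            return "enforce-only"
        if self.report_uri:
            return "report-only"
        return "max-age-only"


def parse_expect_ct(value: str) -> ExpectCT:
    """Parse a header value; raise ValueError on anything malformed.

    Design choices made here (assumptions, not from the page): unknown
    directives are an error instead of being ignored, and report-uri must
    be an absolute https URI.
    """
    max_age = None
    enforce = False
    report_uri = None
    seen = set()
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        name = name.strip().lower()   # directive names are case-insensitive
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            val = val.strip()
            if not sep or not val.isdigit():
                raise ValueError("max-age must be a non-negative integer (seconds)")
            max_age = int(val)
        elif name == "enforce":
            if sep:
                raise ValueError("enforce is a flag and takes no value")
            enforce = True
        elif name == "report-uri":
            val = val.strip()
            if len(val) < 2 or val[0] != '"' or val[-1] != '"':
                raise ValueError('report-uri must be a quoted URI, e.g. report-uri="https://..."')
            uri = val[1:-1]
            parts = urlsplit(uri)
            if parts.scheme != "https" or not parts.netloc:
                raise ValueError("report-uri must be an absolute https URI (this validator's choice)")
            report_uri = uri
        else:
            raise ValueError(f"unknown directive: {name}")
    if max_age is None:
        raise ValueError("max-age is mandatory")
    return ExpectCT(max_age=max_age, enforce=enforce, report_uri=report_uri)


if __name__ == "__main__":
    # Constructed input: the page's own eight-hour enforce-and-report example.
    policy = parse_expect_ct('max-age=28800, enforce, report-uri="https://example.re/rpct"')
    print(policy, policy.mode)
```

Running the module parses the page's example and prints the policy with its mode. Feeding it an unquoted report-uri, or a value with no max-age, raises ValueError with a message naming the offending directive.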
Takeaway
The Expect-CT header is an opt-in mechanism by which a server asks clients to verify Certificate Transparency for its certificate. For the strongest protection it is set up in an enforce-and-report configuration, so that violating connections are both refused and reported.