The HTTP Expect-CT header is a mechanism that allows a site to opt-in for enforcing and reporting on Certificate Transparency requirements. This helps to prevent the use of mis-issued certificates for that site.
The Expect-CT response header is sent by a server to request that the client verify that the server's certificate appears in the public Certificate Transparency logs.
The Expect-CT header is only honoured in a secure context; clients ignore it on a plain HTTP connection.
The Certificate Transparency requirements can be satisfied in any of three ways:
- The X.509v3 certificate extension, which allows the embedding of timestamps
- A signed_certificate_timestamp TLS extension transmitted during the handshake
- OCSP stapling using a TLS status_request, accompanied by a SignedCertificateTimestampList
There are three directives:
- max-age: the number of seconds for which the client shall treat the host of the received message as a known Expect-CT host. The timer starts when the message is received.
- report-uri: optional. The client uses it as the URL to which Expect-CT failures are reported.
- enforce: optional. Directs the client to enforce the policy by refusing connections that violate it.

!!! important "Note"
    The max-age directive is the only mandatory directive.
When both the report-uri and enforce directives are included, the configuration is known as enforce-and-report: the client both refuses connections that violate the policy and reports the violations, improving integrity overall.
In this example, the server sets max-age to eight hours (28800 seconds) in an enforce-and-report configuration:
Expect-CT: max-age=28800, enforce, report-uri=https://example.ai/rpct
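To show how a client (or a configuration audit) interprets such a value, here is an added parser for the Expect-CT header, written for this article and not taken from any browser or server code. It enforces the rules above (max-age mandatory and numeric, enforce and report-uri optional) and classifies the resulting mode; the requirement that report-uri be an absolute https URL is an added check, and unknown directives are ignored rather than rejected, as the header draft specifies.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class ExpectCT:
    max_age: int            # seconds the host stays a known Expect-CT host
    enforce: bool           # refuse connections that violate the policy
    report_uri: Optional[str]  # where failures are reported, if anywhere

    @property
    def mode(self) -> str:
        """Classify the policy using the article's terminology."""
        if self.enforce and self.report_uri:
            return "enforce-and-report"
        if self.enforce:
            return "enforce-only"
        if self.report_uri:
            return "report-only"
        return "max-age-only"


def parse_expect_ct(value: str) -> ExpectCT:
    """Parse an Expect-CT value such as 'max-age=28800, enforce, report-uri=...'.

    Raises ValueError for a header a client would have to discard: max-age
    missing or not a non-negative integer, or (added check) a report-uri that
    is not an absolute https URL.
    """
    max_age: Optional[int] = None
    enforce = False
    report_uri: Optional[str] = None
    for raw in value.split(","):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')      # quoted-string form is allowed
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            max_age = int(arg)
        elif name == "enforce":
            enforce = True
        elif name == "report-uri":
            parsed = urlparse(arg)
            if parsed.scheme != "https" or not parsed.netloc:
                raise ValueError(f"report-uri must be an absolute https URL, got {arg!r}")
            report_uri = arg
        # unrecognised directives are ignored, per the Expect-CT draft
    if max_age is None:
        raise ValueError("max-age is mandatory")
    return ExpectCT(max_age, enforce, report_uri)
```

Running it on the article's header yields max_age 28800 (eight hours), enforce True and mode "enforce-and-report".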
Servers use the Expect-CT header to opt in to Certificate Transparency enforcement. For the strongest protection, set it in a strict enforce-and-report configuration.