Expect-CT
The HTTP Expect-CT response header allowed a site to opt in to Certificate Transparency enforcement and reporting, helping detect misissued TLS certificates.
Legacy
Certificate Transparency is now a baseline requirement for all publicly trusted certificates. Browsers enforce Certificate Transparency by default, making Expect-CT unnecessary. Chrome removed support for this header. New deployments do not need Expect-CT. Existing deployments may keep sending the header as a defense-in-depth measure for older clients.
Usage
Certificate Transparency (CT) is a system of public, append-only logs recording every TLS certificate issued by a certificate authority. When a browser connects to a site over HTTPS, the browser verifies that the certificate appears in these logs, making misissued or fraudulently obtained certificates detectable.
The Expect-CT header was introduced before Certificate Transparency became a universal browser requirement. The header gave site operators a way to opt in to CT enforcement, request violation reports, or both. The header is only processed over secure connections; browsers ignore it entirely on responses delivered over plain HTTP.
Three directives control the behavior: max-age, enforce, and report-uri.
Directives
max-age
The max-age directive is required. The value specifies the number of seconds the browser remembers the host as a known Expect-CT host. During this window, the browser applies the CT policy on every connection to the host.
enforce
The enforce directive is optional. When present, the browser refuses connections to the host if the certificate does not meet Certificate Transparency requirements, rather than allowing the connection and only reporting.
report-uri
The report-uri directive is optional. The value provides a URL where the browser sends a JSON report when a CT violation is detected. The report includes details about the certificate chain and the failure reason.
Example
An enforce-and-report configuration setting an eight-hour retention window and directing violation reports to a reporting endpoint:
Expect-CT: max-age=28800, enforce, report-uri="https://example.re/ct-report"
A report-only configuration collecting data before switching to enforcement:
Expect-CT: max-age=86400, report-uri="https://example.re/ct-report"
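As an added example, not code from the original page, a small Python parser that applies the directive rules above to the two example headers, plus a helper that maps a parsed policy onto the outcome a browser reaches for a connection. The `decide` helper and its `ct_compliant` flag are assumptions for illustration; the duplicate-directive rejection is also an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class ExpectCTPolicy:
    max_age: int                 # seconds the host is remembered as an Expect-CT host
    enforce: bool                # refuse non-compliant connections instead of only reporting
    report_uri: Optional[str]    # where violation reports go, if requested

def parse_expect_ct(value: str, over_tls: bool = True) -> Optional[ExpectCTPolicy]:
    """Parse an Expect-CT header value; return None when the header must be ignored."""
    if not over_tls:
        return None  # the header is only processed over secure connections
    max_age, enforce, report_uri, seen = None, False, None, set()
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        name, val = name.strip().lower(), val.strip()
        if name in seen:
            return None  # duplicated directive: reject the whole header (assumption)
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None  # max-age needs a non-negative integer value
            max_age = int(val)
        elif name == "enforce":
            if sep:
                return None  # enforce is a bare flag and takes no value
            enforce = True
        elif name == "report-uri":
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]  # the URL is written as a quoted string
            if not val:
                return None
            report_uri = val
        # unknown directives are ignored
    if max_age is None:
        return None  # max-age is required
    return ExpectCTPolicy(max_age, enforce, report_uri)

def decide(policy: ExpectCTPolicy, ct_compliant: bool) -> Tuple[str, Optional[str]]:
    """Outcome for one connection: (connection action, report destination or None)."""
    if ct_compliant:
        return ("allow", None)
    if policy.enforce:
        return ("refuse", policy.report_uri)
    return ("allow", policy.report_uri)  # report-only: connection proceeds, violation reported
```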
Takeaway
The Expect-CT header was an opt-in mechanism for Certificate Transparency enforcement before browsers made CT a default requirement. Modern browsers enforce Certificate Transparency natively, and the header is no longer needed for new deployments.