Table of Content
The Expect-CT HTTP response header is a reliable and robust security measure used by websites to ensure successful enforcement of Certificate Transparency (CT) requirements. It primarily prevents the use of mis-issued or fraudulent certificates by requiring browser/client-side validation, thus enhancing the website's security regarding secure connections and ensuring transparency in the operations.
Expect-CT: max-age=<duration>, enforce, report-uri="<uri>"
max-age=<duration>: This directive specifies the time period in seconds during which the browser should regard the host as a Certificate Transparency-compliant. After this period expires, browsers are not obliged to enforce CT compliance.
enforce: If this directive is present, the browser will prevent users from accessing the site if it fails the CT validation.
report-uri=<uri>: The URI where the browser will send reports if the CT validation fails.
A very minimal usage scenario could be:
In cases where the enforcement is required, along with reports to be sent to a specific URI, the syntax would be:
Expect-CT: max-age=86400, enforce, report-uri="https://www.example.net/ct-report"
How to modify Expect-CT header
modHeader is a versatile Chrome extension that can be used to modify HTTP request and response headers. To modify the
Expect-CT header using modHeader, follow the steps below:
- Install the modHeader extension from the Chrome Web Store.
- Click on the extension icon visible in the toolbar, and it will open the extension settings.
- The "Response headers" section is where you need to focus. Click on 'Add' and fill in the "Header name" and "Header value" fields. For instance, "Header name" should be
Expect-CTand "Header value" can be
- After setting the values, close the settings. The modifications will be applied immediately to all the subsequent HTTP responses.
Using modHeader can be useful in testing and development scenarios where developers need to check the functionality of the website under different CT requirements. It also aids in verifying the correct implementation of security headers.