Our products
Our tools
Docs
Use cases
Common use cases
HTTP headers

Expect-CT Header

Table of Content

The Expect-CT HTTP response header is a reliable and robust security measure used by websites to ensure successful enforcement of Certificate Transparency (CT) requirements. It primarily prevents the use of mis-issued or fraudulent certificates by requiring browser/client-side validation, thus enhancing the website's security regarding secure connections and ensuring transparency in the operations.

Syntax

Expect-CT: max-age=<duration>, enforce, report-uri="<uri>"

Directives

  • max-age=<duration>: This directive specifies the time period in seconds during which the browser should regard the host as a Certificate Transparency-compliant. After this period expires, browsers are not obliged to enforce CT compliance.
  • enforce: If this directive is present, the browser will prevent users from accessing the site if it fails the CT validation.
  • report-uri=<uri>: The URI where the browser will send reports if the CT validation fails.

Examples

A very minimal usage scenario could be:

Expect-CT: max-age=0

In cases where the enforcement is required, along with reports to be sent to a specific URI, the syntax would be:

Expect-CT: max-age=86400, enforce, report-uri="https://www.example.net/ct-report"

Browser Compatibility

Browser Compatibility
Chrome Supported
Firefox Not Supported
Safari Not Supported
Opera Supported
Edge Supported

How to modify Expect-CT header

modHeader is a versatile Chrome extension that can be used to modify HTTP request and response headers. To modify the Expect-CT header using modHeader, follow the steps below:

  1. Install the modHeader extension from the Chrome Web Store.
  2. Click on the extension icon visible in the toolbar, and it will open the extension settings.
  3. The "Response headers" section is where you need to focus. Click on 'Add' and fill in the "Header name" and "Header value" fields. For instance, "Header name" should be Expect-CT and "Header value" can be max-age=86400, enforce.
  4. After setting the values, close the settings. The modifications will be applied immediately to all the subsequent HTTP responses.

Using modHeader can be useful in testing and development scenarios where developers need to check the functionality of the website under different CT requirements. It also aids in verifying the correct implementation of security headers.