The HTTP Expect-CT header is a response header that lets a site opt in to reporting and/or enforcement of Certificate Transparency (CT) requirements, so that a certificate misissued for the site is detected instead of going unnoticed. The site chooses whether the browser only reports CT failures or also refuses the connection.
Expect-CT: max-age=<age>, enforce, report-uri="<uri>"
Note: Enforce and report-uri are optional directives.
Directives: The HTTP Expect-CT header accepts the three directives shown above, described below:
- max-age=<age>: Required. The number of seconds, counted from the time the Expect-CT header is received, for which the user agent should regard the host that sent it as a known Expect-CT host.
- enforce: Optional. When present, the user agent must refuse future connections to the host that do not comply with its Certificate Transparency (CT) policy, in addition to reporting them. When absent, the header is in report-only mode and non-compliant connections are still allowed.
- report-uri="<uri>": Optional. The URL to which the user agent sends a report when an Expect-CT failure occurs.
- In this example, Certificate Transparency is enforced for 12 hours (43200 seconds) and failures are reported to geeksforgeeks.org.
Expect-CT: max-age=43200, enforce, report-uri="https://geeksforgeeks.org/report"
- In this example, Certificate Transparency is enforced for one hour (3600 seconds), with no reporting endpoint.
Expect-CT: max-age=3600, enforce
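A small parser and audit helper for Expect-CT header values, added here as an example and not part of the original article. It applies the directive grammar above to the page's two example headers plus two constructed ones, and flags the things a reviewer checks for: report-only mode, a missing or non-HTTPS report-uri, and a malformed directive. Assumed for the example are the function names and the constructed sample values; the audit messages are the author's wording. Note that browsers have since dropped Expect-CT (Chrome removed it in version 107) because CT is now required for all publicly trusted certificates, so this header is mainly encountered in legacy configurations.

```python
"""Parse and audit HTTP Expect-CT response header values (added example)."""
import re

# Directive grammar (from the header syntax above):
#   Expect-CT: max-age=<age>, enforce, report-uri="<uri>"
_MAX_AGE_RE = re.compile(r'^max-age\s*=\s*"?(\d+)"?$', re.IGNORECASE)
_REPORT_URI_RE = re.compile(r'^report-uri\s*=\s*"([^"]+)"$', re.IGNORECASE)

# Constructed sample header values (the first two are the page's own examples).
SAMPLE_HEADERS = {
    "enforced_with_report": 'max-age=43200, enforce, report-uri="https://geeksforgeeks.org/report"',
    "enforced_no_report": "max-age=3600, enforce",
    "report_only": 'max-age=86400, report-uri="https://geeksforgeeks.org/report"',
    "malformed": "enforce, report-uri=https://geeksforgeeks.org/report",
}


def parse_expect_ct(value: str) -> dict:
    """Split a header value into its directives.

    Returns {"max_age": int, "enforce": bool, "report_uri": str|None,
             "unknown": [...]}.  Raises ValueError on a malformed or
    missing required directive.
    """
    parsed = {"max_age": None, "enforce": False, "report_uri": None, "unknown": []}
    for raw in value.split(","):
        directive = raw.strip()
        if not directive:
            continue
        name = directive.split("=", 1)[0].strip().lower()
        if name == "max-age":
            m = _MAX_AGE_RE.match(directive)
            if not m:
                raise ValueError(f"bad max-age directive: {directive!r}")
            parsed["max_age"] = int(m.group(1))
        elif name == "enforce":
            if directive.lower() != "enforce":  # enforce takes no value
                raise ValueError(f"bad enforce directive: {directive!r}")
            parsed["enforce"] = True
        elif name == "report-uri":
            m = _REPORT_URI_RE.match(directive)
            if not m:  # the URI must be a quoted string
                raise ValueError(f"bad report-uri directive: {directive!r}")
            parsed["report_uri"] = m.group(1)
        else:
            parsed["unknown"].append(directive)
    if parsed["max_age"] is None:
        raise ValueError("max-age is required")
    return parsed


def audit_expect_ct(value: str) -> list:
    """Return the findings a reviewer would flag for one header value."""
    try:
        p = parse_expect_ct(value)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if not p["enforce"]:
        findings.append("report-only: CT violations are reported but the connection still succeeds")
    if p["report_uri"] is None:
        findings.append("no report-uri: violations are never reported anywhere")
    elif not p["report_uri"].lower().startswith("https://"):
        findings.append("report-uri is not https: reports could be read or altered in transit")
    if p["max_age"] == 0:
        findings.append("max-age=0: the policy is cleared and the host stops being an Expect-CT host")
    for d in p["unknown"]:
        findings.append(f"unknown directive ignored by browsers: {d}")
    return findings


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label}: {audit_expect_ct(header) or ['ok']}")
```

Run the file directly to see the findings for each sample; only the enforced header with an HTTPS report-uri comes back clean.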
- Google Chrome: To see Expect-CT in action, open Inspect Element -> Network and look for Expect-CT among the response headers, as shown below (Expect-CT is highlighted).
Supported browsers: The browsers that are compatible with the HTTP Expect-CT header are listed below: