Expect-CT

HTTP header that enforces Certificate Transparency requirements to detect misissued SSL/TLS certificates.

What is Expect-CT?

Expect-CT is an HTTP response header that lets a website opt in to Certificate Transparency (CT) checking by browsers that support the header. It instructs the browser to verify that the SSL/TLS certificate presented for the site is accompanied by proof that the certificate has been logged in public Certificate Transparency logs, which helps detect misissued or fraudulent certificates.

Certificate Transparency is an open framework that monitors and audits SSL/TLS certificates, making it easier to detect certificates that have been mistakenly issued or maliciously acquired.

Header Syntax

The Expect-CT header uses the following syntax:

Expect-CT: max-age=<seconds>[, report-uri="<uri>"][, enforce]

Where:

  • max-age (required): Number of seconds the browser should remember the policy for this host; each new response with the header refreshes the timer
  • report-uri (optional): URL to which the browser sends a report when the CT policy is violated; a report is sent in both report-only and enforce mode
  • enforce (optional): If present, the browser refuses connections whose certificates fail its CT policy. Without it the header is report-only: violations are reported but the connection proceeds. Because the policy is cached like HSTS, a site that sends enforce with a long max-age and later deploys a certificate without valid SCTs locks out every browser that cached the policy until max-age expires
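
The directive grammar above is easy to get subtly wrong (quoted report-uri, case-insensitive names, a mandatory max-age). The following parser is an added example, not code from the original page, showing how a user agent would turn the header value into a policy; it treats a repeated directive as a malformed header, which is this example's own choice. The URLs in the comments are placeholders.

```javascript
// Parser for the Expect-CT header value:
//   max-age=<seconds>[, report-uri="<uri>"][, enforce]
// Returns { maxAge, enforce, reportUri } or null when a user agent would
// have to ignore the header. Added example, not from the original page.

// Split on commas that are not inside a quoted-string, so a report-uri
// such as "https://example.com/r?a=1,b=2" survives intact.
function splitDirectives(value) {
  const parts = [];
  let cur = '';
  let inQuotes = false;
  for (const ch of value) {
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === ',' && !inQuotes) {
      parts.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  parts.push(cur);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

function parseExpectCt(value) {
  if (typeof value !== 'string') return null;
  const policy = { maxAge: null, enforce: false, reportUri: null };
  const seen = new Set();

  for (const directive of splitDirectives(value)) {
    const eq = directive.indexOf('=');
    // Directive names are case-insensitive tokens.
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const rawValue = eq === -1 ? null : directive.slice(eq + 1).trim();

    // Each directive may appear at most once; this example treats a
    // repeat as a malformed header and ignores the whole header.
    if (seen.has(name)) return null;
    seen.add(name);

    if (name === 'max-age') {
      // Tolerate a quoted form ("86400"), but the value must be a
      // non-negative integer number of seconds.
      const v = rawValue === null ? '' : rawValue.replace(/^"(.*)"$/, '$1');
      if (!/^\d+$/.test(v)) return null;
      policy.maxAge = Number(v);
    } else if (name === 'enforce') {
      // A bare flag: no value allowed.
      if (rawValue !== null) return null;
      policy.enforce = true;
    } else if (name === 'report-uri') {
      // Must be a quoted-string holding an absolute http(s) URI.
      const m = rawValue === null ? null : rawValue.match(/^"([^"]*)"$/);
      if (!m) return null;
      try {
        const url = new URL(m[1]);
        if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
        policy.reportUri = url.href;
      } catch (e) {
        return null;
      }
    }
    // Unknown directives are ignored for forward compatibility.
  }

  // max-age is the one mandatory directive.
  if (policy.maxAge === null) return null;
  return policy;
}
```

A header with `enforce` but no `max-age`, or with an unquoted report-uri, yields null and would simply be ignored by the browser, which is the failure mode that leaves a site believing it is protected when it is not.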

How Certificate Transparency Works

Certificate Transparency works through three main components:

  1. Certificate Logs: Append-only, publicly auditable logs to which CAs (and anyone else) submit certificates. In return the log issues a Signed Certificate Timestamp (SCT), a signed promise to include the certificate within the log's maximum merge delay
  2. Monitors: Services that watch the logs for certificates of interest, for example any certificate issued for a domain you own that you did not request
  3. Auditors: Services that verify the logs are consistent and append-only, and that certificates covered by SCTs were actually included

A browser never queries the logs during a TLS handshake. When Expect-CT applies (or the browser's built-in CT policy does), it checks that the certificate is accompanied by SCTs, delivered embedded in the certificate itself, in a TLS extension, or in a stapled OCSP response, that were issued by logs on the browser's trusted-log list. Each SCT signature is verified against that log's public key before it is counted, and browser policies typically demand SCTs from more than one log, not merely "at least one".

Security Benefits

Detects misissued certificates:

  • Identifies certificates issued without the domain owner's authorization, because every CT-compliant certificate is visible in public logs
  • Undermines man-in-the-middle attacks that rely on fraudulent certificates: a logged certificate can be spotted by monitors, and an unlogged one is rejected by CT-enforcing clients
  • Provides early warning of certificate authority compromises or policy violations

Enhances trust in SSL/TLS ecosystem:

  • Increases transparency in certificate issuance process
  • Makes it harder for attackers to use fraudulent certificates undetected
  • Encourages better practices among certificate authorities

Provides reporting mechanism:

  • Allows website owners to receive reports of potential issues
  • Helps identify configuration problems or attacks

Best Practices

  1. Start with reporting mode before enforcing:
    Expect-CT: max-age=86400, report-uri="https://example.com/report-ct"
    
  2. Gradually increase max-age as you gain confidence in your CT compliance
  3. Monitor reports to identify potential issues, such as a certificate deployed on one server or CDN edge without SCTs
  4. Combine with other transport-security headers, such as Strict-Transport-Security, for comprehensive protection
  5. Transition to enforcement mode once you're confident in your setup, remembering that an enforced policy with a long max-age locks out browsers that cached it if a non-compliant certificate is later deployed:
    Expect-CT: max-age=31536000, enforce, report-uri="https://example.com/report-ct"
    

Example Implementations

HTTP Response Header (Reporting Mode):

Expect-CT: max-age=86400, report-uri="https://example.com/ct-report-endpoint"

HTTP Response Header (Enforcement Mode):

Expect-CT: max-age=31536000, enforce, report-uri="https://example.com/ct-report-endpoint"

Web Server Configuration Examples:

Apache (.htaccess, requires mod_headers; "always" applies the header to error responses as well):

Header always set Expect-CT "max-age=86400, report-uri=\"https://example.com/ct-report-endpoint\""

Nginx (the "always" flag makes add_header apply to responses other than 2xx and 3xx):

add_header Expect-CT "max-age=86400, report-uri=\"https://example.com/ct-report-endpoint\"" always;

Express.js (Node.js):

app.use((req, res, next) => {
  res.setHeader('Expect-CT', 'max-age=86400, report-uri="https://example.com/ct-report-endpoint"');
  next();
});
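
The rollout steps under Best Practices and the Express snippet above have two missing pieces in practice: building the header value for the current stage without typos, and actually receiving the reports that report-uri points at. The following is an added example, not code from the original page or from Express. The stage names, the https-only rule for report-uri and the `req.secure` check are this example's own choices; the report field names follow the Expect-CT draft's JSON report format and the `application/expect-ct-report+json` media type, and the sample report is constructed.

```javascript
// Server side of an Expect-CT rollout: header builder, middleware, and a
// validator for reports POSTed to report-uri. Added example, not from the
// original page. Stage names and the https-only rule are this example's
// choices; report field names follow the Expect-CT draft report format.

const STAGES = {
  // Stage 1: report only, short max-age so a mistake expires quickly.
  'report-only': { maxAge: 86400, enforce: false },
  // Stage 2: enforce with a long max-age, once reports have been clean.
  enforce: { maxAge: 31536000, enforce: true },
};

function buildExpectCt(stage, reportUri) {
  const s = STAGES[stage];
  if (!s) throw new Error(`unknown Expect-CT stage: ${stage}`);
  // Reports carry certificate chains and hostnames; insist on https.
  const u = new URL(reportUri);
  if (u.protocol !== 'https:') throw new Error('report-uri must be https');
  const parts = [`max-age=${s.maxAge}`];
  if (s.enforce) parts.push('enforce');
  parts.push(`report-uri="${u.href}"`);
  return parts.join(', ');
}

// Express-style middleware. The header only has meaning over TLS, so it
// is set only when req.secure (an Express property) is true.
function expectCtMiddleware(stage, reportUri) {
  const value = buildExpectCt(stage, reportUri);
  return function (req, res, next) {
    if (req.secure) res.setHeader('Expect-CT', value);
    next();
  };
}

// Validate a report body. Minimal check, not a full schema: the wrapper
// key and hostname must be present. Returns a normalized record or null.
function parseCtReport(contentType, body) {
  if (!/^application\/expect-ct-report\+json\b/i.test(contentType || '')) return null;
  let doc;
  try { doc = JSON.parse(body); } catch (e) { return null; }
  const r = doc && doc['expect-ct-report'];
  if (!r || typeof r.hostname !== 'string') return null;
  return {
    hostname: r.hostname,
    port: Number.isInteger(r.port) ? r.port : 443,
    failureMode: r['failure-mode'] === 'enforce' ? 'enforce' : 'report-only',
    sctCount: Array.isArray(r.scts) ? r.scts.length : 0,
    reportedAt: r['date-time'] || null,
  };
}

// Constructed report, as a user agent in report-only mode might send it.
const SAMPLE_REPORT = JSON.stringify({
  'expect-ct-report': {
    'date-time': '2024-01-15T12:00:00Z',
    hostname: 'example.com',
    port: 443,
    'effective-expiration-date': '2024-01-16T12:00:00Z',
    'failure-mode': 'report-only',
    scts: [],
    'served-certificate-chain': [],
    'validated-certificate-chain': [],
  },
});
```

Wire it up with `app.use(expectCtMiddleware('report-only', 'https://example.com/ct-report-endpoint'))`, and feed the raw POST body and Content-Type of requests to the report endpoint into `parseCtReport`; a report whose `sctCount` is zero in report-only mode is the signal to fix the certificate deployment before moving to the enforce stage.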

Common Use Cases

  1. Financial institutions: Protect against fraudulent certificates that could enable phishing
  2. E-commerce platforms: Ensure secure transactions by detecting certificate issues
  3. Government websites: Maintain trust in official communications
  4. Healthcare providers: Protect sensitive patient data from interception
  5. Social media and other login-heavy platforms: A fraudulent certificate would let an attacker intercept session cookies and credentials in transit; CT makes such a certificate detectable or unusable

Browser Support and Current Status

Important Note: The Expect-CT header is deprecated. Browsers now apply Certificate Transparency requirements to publicly trusted certificates on their own, so there is nothing left for the header to opt a site into.

Current browser behavior:

  • Chrome: Has enforced its CT policy for publicly trusted certificates since 2018 without needing the header; support for Expect-CT was removed in Chrome 107 (2022)
  • Firefox: Never implemented Expect-CT; CT checking is governed by the browser's own policy, not by a site header
  • Safari: Never implemented Expect-CT; enforces Apple's CT policy natively
  • Edge: Chromium-based, so it matches Chrome (enforces CT natively and ignores Expect-CT)

Recommendation: Do not rely on Expect-CT in new deployments; sending it is harmless but has no effect in current browsers. The operational work that remains is to make sure your certificates carry valid SCTs (CAs issuing publicly trusted certificates do this as a matter of course) and to monitor CT logs for unexpected certificates on your domains. Understanding Certificate Transparency therefore remains important for web security.

Certificate Transparency Logs

Browsers do not query logs during a connection; each browser ships a list of logs whose SCTs it accepts. Logs that have appeared in those lists include:

  • Google's Aviator (frozen since 2016; it no longer accepts new certificates)
  • DigiCert's Log Server
  • Cloudflare's Nimbus
  • Let's Encrypt's Oak
  • Sectigo's Sabre

Log lists change over time as logs are added, sharded by certificate expiry year, or retired, so a certificate's SCTs must come from logs the client currently trusts; the browser vendors publish their current lists.