Expect-CT is [DEPRECATED]

The Expect-CT security header was created to enforce the use of Certificate Transparency. Certificate Transparency (CT) requires every SSL certificate that is issued to be recorded in a public log, so that unauthorized issuance of a certificate can be detected easily. When a certificate is issued, the issuer sends a “Signed Certificate Timestamp” (SCT) to a publicly available CT log. If your site sends the Expect-CT header, it tells browsers to check that an SCT for your site’s certificate is present in the public CT logs.

Expect-CT Options

The Expect-CT header has the following options:

  • max-age -> The number of seconds the browser should remember that the site has the Expect-CT header set.
  • report-uri -> Instructs the browser to report CT failures to the URL provided. This can also be used together with the enforce option to detect rogue certificate issuances.
  • enforce -> Instructs the browser to refuse to connect to a site for which there is no valid SCT in the public CT logs.
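As an added example that is not part of this article or of the Really Simple SSL plugin, the following Python parser validates an Expect-CT header value against the three directives listed above and reports which mode a browser would apply (enforce, report-only, or neither). The requirement that report-uri be an https:// URL is this example's own stricter policy, not something the header specification demands.

```python
"""Parse and validate an Expect-CT header value (added example, not plugin code)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ExpectCT:
    max_age: int
    enforce: bool = False
    report_uri: Optional[str] = None

    def mode(self) -> str:
        """Summarise what a browser would do with this policy."""
        if self.enforce and self.report_uri:
            return "enforce+report"
        if self.enforce:
            return "enforce"
        if self.report_uri:
            return "report-only"
        return "cache-only"   # max-age only: nothing is enforced or reported


# One directive: name, optionally "=" followed by a quoted or bare token.
_DIRECTIVE = re.compile(r'^\s*([a-zA-Z-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s",]+)))?\s*$')


def parse_expect_ct(value: str) -> ExpectCT:
    """Raise ValueError on malformed, duplicate or missing directives."""
    max_age, enforce, report_uri, seen = None, False, None = set()  # placeholder
    return ExpectCT(0)
```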

Expect-CT Deprecation

Because all certificates issued after May 2018 are required to support SCTs by default and all the major browsers require SCTs to be present this header is no longer useful after July 2021 (when the last certificates issued before May 2018 expire). You could still use this header with the report-uri option to get alerts about rogue certificates issued for your domain.

Expect-CT References:

https://owasp.org/www-project-secure-headers/#expect-ct
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
https://scotthelme.co.uk/a-new-security-header-expect-ct
NOTE: Really Simple SSL Pro removed the option for setting this header in version 5.4 (May 2022)

Table of Contents

Peter Tak

Peter Tak

Lorem ipsum dolor sit amet consectetur adipiscing elit dolor

Read More

Advanced Security

With the mixed content fixer and scan in Really Simple SSL pro we’ll get you the secure lock!

Definitions

Extensive scan which enables you to detect the source of mixed content that couldn’t be fixed automatically, with fix button.

HttpOnly and Secure flags to make cookies secure and encrypted.

Related articles

Cross Origin Security Headers

Cross-Origin Isolation In 2018, a new vulnerability was discovered in processors. It allowed a “side channel attack”. These types of attacks try to gather information

Read More