Expect-CT is [DEPRECATED]

The Expect-CT security header was created to enforce the use of Certificate Transparency. Certificate Transparency (CT) requires every publicly trusted TLS certificate to be recorded in public, append-only logs, so that unauthorized issuance of a certificate for your domain can be detected by anyone watching the logs. When a CA issues a certificate it submits it to one or more CT logs, and each log returns a “Signed Certificate Timestamp” (SCT), a signed promise that the certificate will be included in that log. The SCTs reach the browser embedded in the certificate itself, in a TLS extension, or in a stapled OCSP response. If your site sends the Expect-CT header it tells browsers to require valid SCTs from trusted logs for your site’s certificate and to refuse the connection, or report it, when they are missing. The browser verifies the SCT signatures it is handed; it does not query the public logs during the connection.

Expect-CT Options

The Expect-CT header has the following options:

  • max-age -> The number of seconds the browser should cache the Expect-CT policy for the site. This directive is required; a header without it is ignored.
  • report-uri -> The URL to which the browser sends a report when a CT check fails. On its own this gives a report-only mode; combined with the enforce option it lets you detect rogue certificate issuance (or a broken SCT delivery on your own server) while still blocking the connection.
  • enforce -> Instructs the browser to refuse to connect to the site when its certificate is not accompanied by valid SCTs from trusted CT logs.
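As an added example (not code from this article or from Really Simple SSL), the block below parses an Expect-CT header value into the policy a browser would have applied, covering the three directives above and the cases that matter when auditing headers: a missing max-age (header ignored), a repeated directive (header ignored), report-uri without enforce (report-only mode), and a report-uri that is not https. The header syntax being parsed is `Expect-CT: max-age=86400, enforce, report-uri="https://ct.example.com/report"`; the hostnames and the sample header values in the block are constructed for the example. Treating a repeated directive as fatal and warning on an http report endpoint are this example's own choices, not rules quoted from the article.

```python
"""Parse Expect-CT header values into the policy a browser would apply.

Added example; not code from the original article or from Really Simple SSL.
Directive semantics follow the three options described in the article: max-age
(seconds, required), enforce (flag) and report-uri (quoted URL). Rejecting a
repeated directive and warning on a non-https report-uri are this example's
own choices.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

KNOWN_DIRECTIVES = ("max-age", "enforce", "report-uri")


@dataclass
class ExpectCTPolicy:
    max_age: int
    enforce: bool
    report_uri: Optional[str]
    warnings: List[str] = field(default_factory=list)

    @property
    def mode(self) -> str:
        """'enforce', 'report-only' (report-uri without enforce) or 'noop'."""
        if self.enforce:
            return "enforce"
        return "report-only" if self.report_uri else "noop"


def _split_directives(value: str) -> List[str]:
    """Split on commas that are outside quoted strings (a report-uri may contain one)."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_expect_ct(value: str) -> Optional[ExpectCTPolicy]:
    """Return the policy for a header value, or None if a browser would ignore it
    (missing or malformed max-age, or a directive given more than once)."""
    seen: Dict[str, str] = {}
    for directive in _split_directives(value):
        name, _, raw = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                      # repeated directive: whole header ignored
        seen[name] = raw.strip()

    max_age_raw = seen.get("max-age", "").strip('"')
    if not re.fullmatch(r"[0-9]+", max_age_raw):
        return None                          # max-age is required and must be an integer
    max_age = int(max_age_raw)

    warnings: List[str] = []
    enforce = "enforce" in seen
    if enforce and seen["enforce"]:
        warnings.append("enforce takes no value; value ignored")

    report_uri = None
    if "report-uri" in seen:
        raw = seen["report-uri"]
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        else:
            warnings.append("report-uri should be a quoted string")
        url = urlparse(raw)
        if url.scheme not in ("http", "https") or not url.netloc:
            warnings.append(f"report-uri is not a usable URL: {raw!r}")
        elif url.scheme != "https":
            warnings.append("report-uri is not https; reports could be read or altered in transit")
        report_uri = raw

    warnings.extend(f"unknown directive ignored: {n}" for n in seen if n not in KNOWN_DIRECTIVES)
    if max_age == 0:
        warnings.append("max-age=0 clears any cached Expect-CT policy for the host")
    if enforce and not report_uri:
        warnings.append("enforce without report-uri: CT failures will block silently")
    return ExpectCTPolicy(max_age, enforce, report_uri, warnings)


# Constructed sample header values, as might be collected from several hosts in an audit.
SAMPLES = {
    "good":        'max-age=86400, enforce, report-uri="https://ct.example.com/report"',
    "report-only": 'max-age=604800, report-uri="https://ct.example.com/report"',
    "bare":        "max-age=3600",
    "no-max-age":  'enforce, report-uri="https://ct.example.com/report"',
    "duplicate":   "max-age=30, enforce, max-age=60",
    "semicolons":  "max-age=86400; enforce",   # common copy-paste mistake: not comma-separated
    "http-report": 'max-age=30, enforce, report-uri="http://ct.example.com/report"',
}


def audit(samples: Dict[str, str]) -> Dict[str, str]:
    """Map each sample name to the mode a browser would apply, or 'ignored'."""
    result = {}
    for name, value in samples.items():
        policy = parse_expect_ct(value)
        result[name] = policy.mode if policy else "ignored"
    return result


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        policy = parse_expect_ct(value)
        if policy is None:
            print(f"{name:12s} ignored    {value}")
            continue
        print(f"{name:12s} {policy.mode:10s} max-age={policy.max_age}")
        for w in policy.warnings:
            print(f"{'':12s}   warning: {w}")
```

Running the block prints one line per sample; the "semicolons" case is worth noting because a header written with `;` separators (HSTS-style) parses as a single malformed max-age directive and is silently ignored, which is exactly the kind of misconfiguration a report-uri would never have surfaced.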

Expect-CT Deprecation

Because all publicly trusted certificates issued after May 2018 have been required to carry SCTs, and the browsers that enforce CT do so on their own without needing this header, Expect-CT stopped adding any protection once the last certificates issued before May 2018 expired, which the article dates to July 2021. You could still use the header with the report-uri option to get alerts about rogue certificates issued for your domain, but browsers have since removed support for Expect-CT entirely, so a deployment today yields neither enforcement nor reports. For detecting rogue issuance, monitor the CT logs for your domain directly rather than relying on this header.

Expect-CT References:

https://owasp.org/www-project-secure-headers/#expect-ct
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
https://scotthelme.co.uk/a-new-security-header-expect-ct
NOTE: Really Simple SSL Pro removed the option for setting this header in version 5.4 (May 2022)

Peter Tak

Security Specialist
Really Simple Plugins
