Expect-CT


What is Expect-CT?

The Expect-CT header allows you to determine if your site is ready for Certificate Transparency (CT) and enforce CT if you are.

You can read more about CT on the project site, but in short it is a requirement that every issued certificate be recorded in a public, auditable log, so that no certificate can exist in secret. Websites prove that their certificates have been logged by presenting Signed Certificate Timestamps (SCTs) to the browser. The Expect-CT header lets you know whether you are fulfilling this obligation.


Getting Started

Deploying Expect-CT is safe and easy, and it can give you vital information about your site. Simply set the following HTTP response header on your website.


Expect-CT: max-age=604800, report-uri="https://{subdomain}.report-uri.com/r/d/ct/enforce"


To deploy this header, replace {subdomain} in the example with your own subdomain, which you can find on the Setup page, and then set the header on your website. Here are some examples of how to do that depending on your platform or language of choice:


PHP
// Call before any output is sent, otherwise PHP cannot add response headers
header('Expect-CT: max-age=604800, report-uri="https://{subdomain}.report-uri.com/r/d/ct/enforce"');


Nginx
add_header "Expect-CT" "max-age=604800, report-uri=\"https://{subdomain}.report-uri.com/r/d/ct/enforce\"";


Apache
Header set Expect-CT "max-age=604800, report-uri=\"https://{subdomain}.report-uri.com/r/d/ct/enforce\""


IIS

Open IIS Manager and navigate to the level you want to manage. In Features View, double-click HTTP Response Headers. On the HTTP Response Headers page, in the Actions pane, click Add. In the Add Custom HTTP Response Header dialog box, enter the following name and value, then click OK.

Name: Expect-CT

Value: max-age=604800, report-uri="https://{subdomain}.report-uri.com/r/d/ct/enforce"
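Whichever platform sets the header, it is worth checking the value that actually reaches the browser before relying on it. The header shown above contains no enforce directive, so browsers will only send reports to the report-uri and will not block connections; adding enforce switches the browser to blocking mode. The Python script below is an added example (not Report URI's own code, nor part of the original page) that parses an Expect-CT value into its directives, reports whether it is in report-only or enforce mode, and flags common deployment mistakes such as a missing max-age or a report-uri that still contains the {subdomain} placeholder. The sample header values at the bottom are constructed for illustration.

```python
"""Parse and sanity-check Expect-CT header values (added example, not Report URI code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ExpectCT:
    max_age: int
    enforce: bool
    report_uri: Optional[str]
    problems: List[str] = field(default_factory=list)

    @property
    def mode(self) -> str:
        # Without the enforce directive a browser only reports CT failures.
        return "enforce" if self.enforce else "report-only"


def _split_directives(value: str) -> List[str]:
    """Split on commas that are outside quoted strings (a report-uri may contain commas)."""
    parts, buf, in_quote = [], [], False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_expect_ct(value: str) -> ExpectCT:
    """Parse an Expect-CT header value, collecting problems instead of raising."""
    max_age: Optional[int] = None
    enforce = False
    report_uri: Optional[str] = None
    problems: List[str] = []
    seen = set()

    for part in _split_directives(value):
        name, _, raw = part.partition("=")
        name, raw = name.strip().lower(), raw.strip()
        if name in seen:
            problems.append("duplicate directive: " + name)
            continue
        seen.add(name)

        if name == "max-age":
            if raw.isdigit():
                max_age = int(raw)
            else:
                problems.append("max-age must be a non-negative integer, got %r" % raw)
        elif name == "enforce":
            if raw:
                problems.append("enforce takes no value")
            enforce = True
        elif name == "report-uri":
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                report_uri = raw[1:-1]
            else:
                problems.append("report-uri must be a quoted string")
                report_uri = raw
            if not report_uri.lower().startswith("https://"):
                problems.append("report-uri should use https")
            if "{subdomain}" in report_uri:
                problems.append("report-uri still contains the {subdomain} placeholder")
        else:
            problems.append("unknown directive ignored: " + name)

    if max_age is None:
        problems.append("max-age directive is required")
        max_age = 0
    return ExpectCT(max_age, enforce, report_uri, problems)


# Constructed sample values; "example" stands in for a real Report URI subdomain.
SAMPLES = {
    "report-only": 'max-age=604800, report-uri="https://example.report-uri.com/r/d/ct/enforce"',
    "enforcing": 'max-age=86400, enforce, report-uri="https://example.report-uri.com/r/d/ct/enforce"',
    "placeholder": 'max-age=604800, report-uri="https://{subdomain}.report-uri.com/r/d/ct/enforce"',
    "no-max-age": "enforce",
}


def check_samples() -> dict:
    """Return {label: (mode, problems)} for every sample header value."""
    return {label: (r.mode, r.problems) for label, r in
            ((k, parse_expect_ct(v)) for k, v in SAMPLES.items())}


if __name__ == "__main__":
    for label, (mode, problems) in check_samples().items():
        print("%-12s mode=%-11s problems=%s" % (label, mode, problems or "none"))
```

Run it against the header your server actually returns (for example the value shown by curl -sI) rather than the one in your configuration file, since a typo in a quoted value or a missing semicolon in the server config is exactly what this check is meant to catch.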


Further Reading

https://www.certificate-transparency.org/

https://scotthelme.co.uk/certificate-transparency-an-introduction/

https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02

https://scotthelme.co.uk/a-new-security-header-expect-ct/