Skip to main content

HTTP Header: Expect-CT

The attack

Expect-CT is an HTTP header that allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs. by Chrome platform

The header

The Expect-CT HTTP header tells browsers to expect Certificate Transparency.

The code

const helmet = require('helmet')

app.use(helmet())

// Sets Expect-CT: max-age=123
app.use(helmet.expectCt({ maxAge: 123 }))

// Sets Expect-CT: enforce; max-age=123
app.use(
helmet.expectCt({
enforce: true,
maxAge: 123
})
)

You can define a report url. This will help you to analyze the impact on your users with old browsers. Check compatibility

// Sets Expect-CT: enforce; max-age=30; report-uri="http://example.com/report"
app.use(
helmet.expectCt({
enforce: true,
maxAge: 30,
reportUri: 'http://example.com/report'
})
)

Refs: