What is Expect-CT HTTP header?

What is Expect-CT HTTP header?

Bad guys are always looking for ways to exploit websites and steal some personal data, and even more, but luckily out there exists a pretty handy tool known as Expect-CT. This is an HTTP header used to boost the security of the website you’re browsing, helping you to have a safer online experience. The name “Expect-CT” comes from “Expect Certificate Transparency”.

So, what does Expect-CT do exactly? When your browser connects to a site, this security header ensures that the certificates, which are like the website’s digital identification tags, are not counterfeit. Basically, Expect-C will double-check every virtual handshake between your browser and the site you’re browsing, confirming that you’re interacting with the real one.

In this article we will take a deep look into the Expect-CT header and we will make clear how it actively contributes to creating a more secure online experience for users.

What is the Expect-CT HTTP header?

Expect-CT is a web security protocol designed to enhance the integrity of digital certificates used by websites. This is extremely important in Internet security, because certificates act as identification cards for websites, which helps your browser to trust them.

The main function of Expect-CT is to enforce transparency in the deployment of these certificates. When your browser connects to a website, the header dictates that the presented certificates are not only valid but also have been publicly logged in recognized certificate transparency logs. These logs serve as a public record, verifying that the certificates have gone through the proper validation processes.

Thanks to this level of transparency, Expect-CT helps to mitigate the risk of potential security threats, becoming a great security measure against malicious third parties that attempt to use counterfeit certificates to impersonate legitimate websites.

Regarding it, Mozilla says that “The Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements.”

The function of Expect-CT

Expect-CT works by requiring websites to declare their certificate transparency expectations through an HTTP header. This helps ensure that certificates are properly logged in public CT logs, minimizing the risk of unauthorized or malicious certificate issuance.

Expect-CT has a few specific standards, let’s take a look at them.

Enforcement through HTTP header:

As we have already explained, Expect-CT is implemented through an HTTP header that web servers send in their responses. This header includes information about the expected transparency behavior regarding certificates for the given domain.

Directive and reporting:

The header contains a directive specifying the Certificate Transparency (CT) policy that is expected. This policy tells if the website requires that all issued certificates are logged in public CT logs.

Websites can also include a “report-uri” parameter in the header, where it’s possible to specify a URI if the browser requires to send reports, in case it encounters certificate-related issues. This is very helpful for the monitoring and analysis of potential fake certificate incidents.

Preloading:

Websites can choose to enhance their security by being “preloaded” into web browsers. This means they are included in a list of websites that require CT enforcement by default, regardless of the presence of the Expect-CT header. This is known as the HTTP Strict Transport Security (HSTS) preload list.

Certificate Transparency logs:

Certificate Transparency logs are public logs that record certificate information. When a certificate is issued, it is expected to be added to these logs by the CA. Browsers, when encountering this header, verify that the presented certificate is indeed logged in the CT logs.

Handling violations:

If a browser encounters a certificate that violates the CT policy, it can take corrective actions. This may include preventing the connection or issuing a report to a specified URI.

Expect-CT deprecation

Is it deprecated? Well, it is, but at the same time, it isn’t. The main concern with Expect-CT is its initial design for Chromium-based browsers. While these browsers still provide support, a significant shift occurred with Chromium version 107: Certificate Transparency (CT) is now automatically enforced, which renders the mentioned header useless. Due to this, many consider it deprecated.

If you choose to implement it on your website, you can do so. As previously mentioned, some major browsers continue to support it. It’s important to note that deploying it alongside browsers that enforce CT by default will simply result in redundancy.

Webtechsurvey reports that 0,22% of websites still use it.

Expect-CT browser support

As we have already mentioned, Expect-CT is a header that only works under Chromium-based browsers, so major browsers like Safari and Firefox do not support it. Others like Chrome, Edge and Opera still support it, though.

Google Chrome added support for it starting with version 64 in early September 2017, and was the first major browser to include it. A couple of weeks later Opera started to support it too. Finally, Microsoft Edge included support for the header in 2020, a lot later than the other two. The rest of major browsers like Apple Safari and Mozilla Firefox are not compatible with this feature.

Expect-CT directives

The Expect-CT header includes a few directives that provide instructions on how the browser should handle certificate-related issues. Here are the key directives:

“enforce” directive:

The enforce directive makes the browser enforce the Certificate Transparency policy for the specified host. This means that the browser will only connect to the website if the presented SSL/TLS certificate has been properly logged in public Certificate Transparency logs.

enforce

“max-age” directive:

The max-age directive defines the time (in seconds) for which the browser should remember the Certificate Transparency policy. During this period, the browser will continue to enforce the policy without checking the header again.

max-age=31536000

“report-uri” directive:

The report-uri directive lets us specify a URI where the browser should send reports if it encounters certificate-related issues, such as a certificate that violates the Certificate Transparency policy.

report-uri="https://domain.com/report"

“report-to” directive:

Similar to report-uri, the report-to directive (based on Reporting API) defines a reporting group that specifies where the browser should send the reports.

report-to="group-name"

Expect-CT examples

Now let’s see a few examples of how this header can be configured with different directives:

Enforcing CT with a specific max-age: this example enforces Certificate Transparency and sets a max-age of 30 days (in seconds). Browsers will enforce the CT policy for this domain for the specified duration.

Expect-CT: enforce, max-age=2592000

Enforcing CT with reporting: this one enforces Certificate Transparency and includes a report-uri where browsers should send reports if they encounter certificate-related issues.

Expect-CT: enforce, report-uri="https://example.com/report"

Enforcing CT with the reporting API: in this example, Certificate Transparency is enforced and it uses the report-to directive, specifying a reporting group for more advanced reporting using the Reporting API.

Expect-CT: enforce, report-to="group name"

Non-enforcing directive: this example doesn’t enforce Certificate Transparency but includes a report-uri for monitoring purposes. Browsers will not reject connections based on CT compliance.

Expect-CT: report-uri="https://domain.com/report"

Enforcing CT with a short max-age for testing: during testing, a short max-age can be useful. This example enforces CT and sets a max-age of 10 minutes.

Expect-CT: enforce, max-age=600

How to configure Expect-CT

Enabling this feature in your server is pretty easy. Let’s see how to do this in popular web servers like Apache and Nginx.

Enabling Expect-CT in Apache

Open your Apache configuration file (for example httpd.conf or your site’s virtual host file), you can use a text editor like nano or vim.

Add the following line to your VirtualHost block to enable it:

Header always set Expect-CT "enforce, max-age=31536000, report-uri=https://example.com/report"

Remember to customize the parameters based on your specific requirements, the parameters above are just an example.

Save the configuration file and restart Apache to apply the changes.

systemctl restart apache2

Setting up Expect-CT in Nginx

Open your Nginx configuration file (for example nginx.conf or your domain’s .conf file).
Add the following line in your server block to enable it:

add_header Expect-CT "enforce, max-age=31536000, report-uri=https://example.com/report";

Don’t forget to customize the parameters based on your specific requirements, the parameters we have used are just an example.

Expect-CT set in Nginx

Save the configuration file, test your Nginx config and restart it:

nginx -t
systemctl restart nginx

How to configure Expect-CT on IIS

Let’s see how to add the Expect-CT header on the IIS webserver.

  1. Open the IIS Manager and select the website where you want to enable the Expect-CT header.
  2. Now access HTTP Response Headers and add a new header with the following:
    • Name: Expect-CT
    • Value: enforce, max-age=31536000, report-uri=https://example.com/report
  3. Remember to customize the parameters based on your requirements.
  4. Now save the changes and restart the IIS site.

Testing Expect-CT

It’s very easy to test your site, just follow the steps below:

  1. Access our web security scanner.
  2. Input your domain in the scan box.
  3. Tick the two boxes below (‘Clear cache’ and ‘Follow redirects’).
  4. Click the Scan button.
  5. Now scroll down to the ‘HTTP Security Headers’ section and check the ‘Expect-CT’ results: a ‘Passed’ in green is good. However, if you get a ‘Failed’ in red, you must update your current settings.
Expect-CT test results

Expect-CT FAQ

Before closing our article, let’s answer some common questions related to this header.

What are the benefits of using Expect-CT?

It helps prevent various certificate-related attacks, such as certificate misissuance and man-in-the-middle attacks. Also, by enforcing CT, website owners can ensure that only certificates issued through transparent and trustworthy processes are accepted by browsers.

What should I consider when setting up Expect-CT?

  • Choose an appropriate CT policy that balances security and compatibility with your website’s requirements.
  • Configure the reporting to receive violation reports generated by browsers when they encounter certificates that violate the Expect-CT policy. These reports can provide valuable information about potential security issues.
  • Also, test the Expect-CT setup to ensure compatibility with all browsers and devices used by your website visitors.

Summary

Expect-CT is an HTTP header used to boost online security. Its full name, Expect Certificate Transparency, hints at its job: making your online experience safer. When your browser connects to a site, this security tool checks if the site’s certificate is genuine.

It works by making sure that certificates presented by websites are not only valid but also publicly logged in special certificate logs. This transparency helps prevent potential security threats, stopping bad guys from using fake certificates to pose as real websites.

Scroll to Top