Expected Certificate Transparency
Written by Ulises Gascón
Apr 08, 2020, 1 min read
The attack
A certificate misissued by a compromised or careless CA is trusted by the browser like any other, so an interception using it is invisible to the user and to the site owner. Certificate Transparency (CT) makes every issuance public by requiring certificates to be logged, and Expect-CT lets a site demand proof of that logging. As the Chrome Platform Status entry puts it:
Expect-CT is an HTTP header that allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs. (Chrome Platform Status)
The header
The Expect-CT HTTP header tells browsers to expect Certificate Transparency: the certificate must be accompanied by Signed Certificate Timestamps (SCTs) from public CT logs, either embedded in the certificate, in a stapled OCSP response, or in the TLS handshake. Only Chrome ever implemented it. Because Chrome has required CT for every publicly trusted certificate issued since May 2018, the header became redundant and Chrome removed support in version 107; later Helmet releases (6.x) dropped the expectCt middleware as well. Treat what follows as legacy configuration.
The code
const express = require('express')
const helmet = require('helmet')

const app = express()

// Default Helmet bundle; Expect-CT is configured explicitly below
app.use(helmet())

// Sets Expect-CT: max-age=123
// Report-only mode: Chrome checks CT but does not block on failure
app.use(helmet.expectCt({ maxAge: 123 }))

// Sets Expect-CT: enforce; max-age=123
// Enforce mode: Chrome refuses a certificate that fails the CT check,
// and remembers the policy for max-age seconds
app.use(helmet.expectCt({
  enforce: true,
  maxAge: 123
}))
You can also define a report URI. Chrome POSTs a JSON report there whenever a certificate for the site fails the CT check, so the usual rollout is report-only first (no enforce) to see which certificates would be rejected, then enforce once the reports are clean. Browsers that do not implement Expect-CT ignore the header entirely, so it does not affect users on other browsers. Check compatibility
// Sets Expect-CT: enforce; max-age=30; report-uri="https://example.com/report"
// Reports contain certificate chains and hostnames, so serve the endpoint over TLS
app.use(helmet.expectCt({
  enforce: true,
  maxAge: 30,
  reportUri: 'https://example.com/report'
}))
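To show what sits behind those three lines, here is an added example (it is not from the original post and not Helmet's own code) that builds the Expect-CT header value by hand and handles the violation reports Chrome sends to the report-uri. The report layout assumed here (a JSON object under the key expect-ct-report with hostname, port, date-time, scts and failure-mode fields, posted with Content-Type application/expect-ct-report+json) follows the Expect-CT Internet-Draft; the function names, the 64 KiB size limit and the sample report at the bottom are this example's own constructions.

```javascript
// Added example (not from the original post and not Helmet's code): build the
// Expect-CT header value and parse the report Chrome POSTs to report-uri.
// Report field names follow the Expect-CT Internet-Draft; the sample report
// is constructed, not a real capture.

// Build the header value with the same directives helmet.expectCt() emits.
function buildExpectCt({ maxAge, enforce = false, reportUri } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new TypeError('maxAge must be a non-negative integer number of seconds');
  }
  const directives = [];
  if (enforce) directives.push('enforce');
  directives.push(`max-age=${maxAge}`);
  if (reportUri !== undefined) {
    // The URI is emitted inside double quotes, so a quote or whitespace in a
    // misconfigured value could smuggle extra directives into the header.
    if (!/^https?:\/\/[^\s"]+$/.test(reportUri)) {
      throw new TypeError('reportUri must be an absolute http(s) URL without quotes or spaces');
    }
    directives.push(`report-uri="${reportUri}"`);
  }
  return directives.join('; ');
}

// Upper bound on a report body (assumed limit); the endpoint is public and
// unauthenticated, so every byte of it is untrusted input.
const MAX_REPORT_BYTES = 64 * 1024;

// Parse one report body into a compact summary, or null if it is not a
// well-formed Expect-CT report.
function parseExpectCtReport(body) {
  if (typeof body !== 'string' || Buffer.byteLength(body) > MAX_REPORT_BYTES) return null;
  let json;
  try {
    json = JSON.parse(body);
  } catch {
    return null;
  }
  const report = json && json['expect-ct-report'];
  if (!report || typeof report !== 'object' || Array.isArray(report)) return null;
  if (typeof report.hostname !== 'string' || report.hostname.length === 0) return null;

  const scts = Array.isArray(report.scts) ? report.scts : [];
  const invalidScts = scts.filter((s) => !s || s.status !== 'valid');
  return {
    hostname: report.hostname,
    port: Number.isInteger(report.port) ? report.port : 443,
    dateTime: typeof report['date-time'] === 'string' ? report['date-time'] : null,
    // "enforce" means Chrome actually blocked the connection; anything else
    // came from a report-only policy.
    failureMode: report['failure-mode'] === 'enforce' ? 'enforce' : 'report-only',
    sctCount: scts.length,
    invalidSctCount: invalidScts.length,
    servedChainLength: Array.isArray(report['served-certificate-chain'])
      ? report['served-certificate-chain'].length : 0,
  };
}

// Decide the response for a POST to the report endpoint: reject anything that
// is not an Expect-CT report media type, then anything that does not parse.
function handleReportRequest(contentType, body) {
  if (typeof contentType !== 'string' ||
      !contentType.toLowerCase().startsWith('application/expect-ct-report+json')) {
    return { status: 415, summary: null };
  }
  const summary = parseExpectCtReport(body);
  if (summary === null) return { status: 400, summary: null };
  return { status: 204, summary };
}

// Constructed sample report; certificate chain entries are placeholders.
const SAMPLE_REPORT = JSON.stringify({
  'expect-ct-report': {
    'date-time': '2020-04-08T10:15:00Z',
    hostname: 'example.com',
    port: 443,
    'effective-expiration-date': '2020-04-08T10:15:30Z',
    'served-certificate-chain': ['placeholder-leaf-pem', 'placeholder-issuer-pem'],
    'validated-certificate-chain': ['placeholder-leaf-pem', 'placeholder-issuer-pem'],
    scts: [{ version: 1, status: 'invalid', source: 'embedded', serialized_sct: 'AAAA' }],
    'failure-mode': 'enforce',
  },
});

console.log(buildExpectCt({ enforce: true, maxAge: 30, reportUri: 'https://example.com/report' }));
console.log(handleReportRequest('application/expect-ct-report+json', SAMPLE_REPORT));
```

The summary is what you would log or count per hostname: a burst of reports with failureMode "enforce" and invalidSctCount above zero means real users were blocked, while the same reports under a report-only policy tell you which certificate deployment to fix before turning on enforce.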
Refs:
- Helmet | Expect-CT
- MDN | Certificate Transparency
- MDN | Expect-CT
- Scott Helme | A new security header: Expect-CT
- Scott Helme | Certificate Transparency, an introduction