Expected Certificate Transparency

Written by Ulises Gascón

Apr 08, 20201 min read

The attack

Expect-CT is an HTTP header that allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs. by Chrome platform

The header

The Expect-CT HTTP header tells browsers to expect Certificate Transparency.

The code

const helmet = require('helmet')


// Sets Expect-CT: max-age=123
app.use(helmet.expectCt({ maxAge: 123 }))

// Sets Expect-CT: enforce; max-age=123
  enforce: true,
  maxAge: 123

You can define a report url. This will help you to analyze the impact on your users with old browsers. Check compatibility

// Sets Expect-CT: enforce; max-age=30; report-uri="http://example.com/report"
  enforce: true,
  maxAge: 30,
  reportUri: 'http://example.com/report'