Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.
Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements. Certificate Transparency (CT) aims to prevent the use of misissued certificates for that site from going unnoticed.
Only Google Chrome and other Chromium-based browsers implemented
Expect-CT, and Chromium has deprecated the header from version 107, because Chromium now enforces CT by default. See the Chrome Platform Status update.
CT requirements can be satisfied via any one of the following mechanisms:
- X.509v3 certificate extension to allow embedding of signed certificate timestamps issued by individual logs. Most TLS certificates issued by publicly-trusted CAs and used online contain embedded CT.
- A TLS extension of type
signed_certificate_timestampsent during the handshake
- Supporting OCSP stapling (that is, the
status_requestTLS extension) and providing a
Note: When a site enables the
Expect-CT header, they are requesting that the browser check that any certificate for that site appears in public CT logs.
Note: Browsers ignore the
Expect-CT header over HTTP; the header only has effect on HTTPS connections.
Expect-CT is mostly obsolete since June 2021. Since May 2018, all new TLS certificates are expected to support SCTs by default. Certificates issued before March 2018 were allowed to have a lifetime of 39 months, so they had expired in June 2021. Chromium plans to deprecate
Expect-CT header and to eventually remove it.
Expect-CT: report-uri="<uri>", enforce, max-age=<age>
The number of seconds after reception of the
Expect-CTheader field during which the user agent should regard the host of the received message as a known
If a cache receives a value greater than it can represent, or if any of its subsequent calculations overflows, the cache will consider this value to be either 2,147,483,648 (2^31) or the greatest positive integer it can represent.
The URI where the user agent should report
When present with the
enforcedirective, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported.
Signals to the user agent that compliance with the Certificate Transparency policy should be enforced (rather than only reporting compliance) and that the user agent should refuse future connections that violate its Certificate Transparency policy.
When both the
enforcedirective and the
report-uridirective are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported.
The following example specifies enforcement of Certificate Transparency for 24 hours and reports violations to
Expect-CT: max-age=86400, enforce, report-uri="https://foo.example.com/report"
Root CAs manually added to the trust store override and suppress
Browsers will not remember an
Expect-CT policy, unless the site has 'proven' it can serve a certificate satisfying the certificate transparency requirements. Browsers implement their own trust model regarding which CT logs are considered trusted for the certificate to have been logged to.
Builds of Chrome are designed to stop enforcing the
Expect-CT policy 10 weeks after the installation's build date.
|Expect-CT Extension for HTTP |
BCD tables only load in the browser