Expect-CT: Why This HTTP Security Header Is Deprecated!

Important Notice: The Expect-CT header is now deprecated and no longer recommended for use in modern web applications.

As a web security specialist with more than two decades of experience advising Fortune 500 companies, I've seen the rise and fall of various HTTP security headers. Expect-CT is one such header that was once useful for enforcing Certificate Transparency (CT), but is now considered deprecated.

What Is the Expect-CT Header?

Expect-CT is a response header designed to instruct browsers to enforce and/or report Certificate Transparency compliance for TLS certificates. Certificate Transparency helps ensure that misissued or fraudulent certificates do not go undetected.

Only Chromium-based browsers ever supported strict enforcement of the Expect-CT header, and Chromium has deprecated this functionality since version 107.

How Expect-CT Works

The header value is a comma-separated list of directives:

  • max-age: Duration (in seconds) for which the browser should cache and enforce the policy.
  • enforce: Optional directive that makes the browser actively block connections that fail the CT check.
  • report-uri: Optional URL where the browser sends failure reports for diagnosing CT compliance issues.

Server Implementation (Legacy Support Only)

Apache (mod_headers):

<IfModule mod_headers.c>
    Header set Expect-CT "max-age=86400, enforce, report-uri=\"https://example.com/report\""
</IfModule>

Nginx:

add_header Expect-CT "max-age=86400, enforce, report-uri=\"https://example.com/report\"";

IIS (web.config; the inner quotes around the report URI must be written as &quot; or the XML attribute is malformed):

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Expect-CT"
             value="max-age=86400, enforce, report-uri=&quot;https://example.com/report&quot;" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Modern Alternatives

Instead of using the deprecated Expect-CT header, consider implementing:

  • HTTP Strict Transport Security (HSTS)
  • Robust TLS configurations
  • Modern certificate issuance practices with embedded SCTs
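As an added example (not part of the original article), the following Python script parses the Expect-CT directive syntax described above and audits a set of response headers: it flags the deprecated header, reports malformed directives, and checks that HSTS, the recommended alternative, is present. The sample header values are constructed; the header names and directives are the real ones.

```python
from dataclasses import dataclass, field

@dataclass
class ExpectCT:
    max_age: int
    enforce: bool = False
    report_uri: str = ""
    problems: list = field(default_factory=list)   # validation findings

def parse_expect_ct(value: str) -> ExpectCT:
    """Parse an Expect-CT value: comma-separated directives, names case-insensitive."""
    max_age, enforce, report_uri, problems = None, False, "", []
    for raw in value.split(","):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        # report-uri is normally sent as a quoted-string; strip the quotes
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                max_age = int(arg)
            else:
                problems.append(f"max-age must be a non-negative integer, got {arg!r}")
        elif name == "enforce":
            enforce = True
        elif name == "report-uri":
            if not arg.startswith("https://"):
                problems.append("report-uri should be an https:// URL")
            report_uri = arg
        else:
            problems.append(f"unknown directive {name!r}")
    if max_age is None:            # the only mandatory directive
        problems.append("max-age is required")
        max_age = 0
    return ExpectCT(max_age, enforce, report_uri, problems)

def audit_headers(headers: dict) -> list:
    """Flag a deprecated Expect-CT header and check that HSTS is present instead."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    if "expect-ct" in lower:
        ct = parse_expect_ct(lower["expect-ct"])
        findings.append("Expect-CT present: deprecated (Chromium dropped it in 107); remove it")
        findings.extend("Expect-CT: " + p for p in ct.problems)
    if "strict-transport-security" not in lower:
        findings.append("Strict-Transport-Security missing: add HSTS")
    return findings

# Constructed sample response headers, as a legacy server from this article would send them
SAMPLE = {"Expect-CT": 'max-age=86400, enforce, report-uri="https://example.com/report"'}
```

Running audit_headers(SAMPLE) yields two findings: the deprecated header is present and HSTS is missing.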