Expect-CT

A newer header, still in experimental status, instructs the browser to validate its connection with web servers against Certificate Transparency (CT). CT is a project started by Google that aims to fix some of the flaws in the SSL/TLS certificate system. (Browsers have since dropped support for Expect-CT, because CT checking became mandatory for publicly trusted certificates, so treat the header as historical.)

The Expect-CT header accepts the following three directives.

Value        Description
max-age      In seconds, for how long the browser should cache the policy.
enforce      An optional directive to enforce the policy (without it, the browser only reports).
report-uri   The browser sends a report to the specified URL when valid certificate transparency information is not received.

Apache

Let's assume you want to enforce the policy, receive reports, and have the browser cache it for 12 hours (43200 seconds). Add the following to your Apache configuration.

Header set Expect-CT 'enforce, max-age=43200, report-uri="https://somedomain.com/report"'

After reloading Apache, the Expect-CT header appears in the server's responses, which you can confirm with curl -I or in the browser's developer tools.

Nginx

What if you only want reports (no enforcement), with the policy cached for 1 hour (3600 seconds)?

# 1 hour = 3600 seconds; add_header only applies to 2xx/3xx responses unless "always" is appended
add_header Expect-CT 'max-age=3600, report-uri="https://mydomain.com/report"';

Reload nginx and the header appears in the responses, just as with Apache above.
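Because a max-age typo (60 instead of 3600) silently shortens the policy, it is worth checking the header value before deploying it. The following parser and checker is an added example, not code from the original post or from Apache/nginx; it follows the Expect-CT directive grammar of RFC 9163, and the function names and messages are my own.

```python
# Added example (not from the original post): parse and sanity-check an
# Expect-CT header value before deploying it. Grammar follows RFC 9163.
import re
from typing import Dict, Any

# Split on commas that are not inside a quoted report-uri value.
_SPLIT_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
_MAX_AGE_RE = re.compile(r"^\d+$")


def parse_expect_ct(value: str) -> Dict[str, Any]:
    """Return max_age, enforce, report_uri and a list of problems found."""
    result: Dict[str, Any] = {"max_age": None, "enforce": False,
                              "report_uri": None, "problems": []}
    seen = set()
    for raw in _SPLIT_RE.split(value):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip()  # names are case-insensitive
        if name in seen:
            result["problems"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if _MAX_AGE_RE.match(val):
                result["max_age"] = int(val)
            else:
                result["problems"].append(f"max-age must be a non-negative integer, got {val!r}")
        elif name == "enforce":
            if val:
                result["problems"].append("enforce takes no value")
            result["enforce"] = True
        elif name == "report-uri":
            if len(val) >= 2 and val[0] == val[-1] == '"':
                result["report_uri"] = val[1:-1]
            else:
                result["problems"].append("report-uri must be a quoted string")
        else:  # browsers ignore unknown directives; flag them as likely typos
            result["problems"].append(f"unknown directive: {name}")
    if result["max_age"] is None:
        result["problems"].append("max-age is required")
    return result


def check_cache_hours(value: str, expected_hours: float) -> bool:
    """True when the value parses cleanly and max-age matches the intended lifetime."""
    parsed = parse_expect_ct(value)
    return not parsed["problems"] and parsed["max_age"] == int(expected_hours * 3600)
```

Run check_cache_hours against the exact string you put in the Apache or nginx directive; a False result means either a malformed directive or a lifetime that does not match what you intended.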