A new header still in experimental status is to instruct the browser to validate the connection with web servers for certificate transparency (CT). This project by Google aims to fix some of the flaws in the SSL/TLS certificate system.
The following three variables are available for the Expect-CT header.
|max-age||In seconds, for how long the browser should cache the policy.|
|enforce||An optional directive to enforce the policy.|
|report-uri||Browser to send a report to the specified URL when valid certificate transparency not received.|
Let’s assume you want to enforce this policy, report, and cache for 12 hours then you got to add the following.
Header set Expect-CT 'enforce, max-age=43200, report-uri="https://somedomain.com/report"'
And, here is the result.
What if you want to report and cache for 1 hour?
add_header Expect-CT 'max-age=60, report-uri="https://mydomain.com/report"';
The output would be.