The Expect-CT header allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, it is requesting that Chrome check that any certificate for that site appears in public CT logs.
Expect-CT: report-uri="<uri>", enforce, max-age=<age>
max-age
Specifies the number of seconds after reception of the Expect-CT header field during which the user agent should regard the host from which the message was received as a known Expect-CT host.
If a cache receives a value greater than it can represent, or if any of its subsequent calculations overflows, the cache will consider the value to be either 2147483648 (2^31) or the greatest positive integer it can conveniently represent.
report-uri
Specifies the URI to which the user agent should report Expect-CT failures.
When both the enforce directive and the report-uri directive are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance with the Certificate Transparency policy should be enforced and that violations should be reported.
enforce
Signals to the user agent that compliance with the Certificate Transparency policy should be enforced (rather than only reporting compliance) and that the user agent should refuse future connections that violate its Certificate Transparency policy.
The following example specifies enforcement of Certificate Transparency for 24 hours and reports violations to foo.example.
Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"
Specification: Expect-CT Extension for HTTP (Internet Draft)
© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.