Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.
Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements. Certificate Transparency (CT) aims to prevent the use of misissued certificates for that site from going unnoticed.
Only Google Chrome and other Chromium-based browsers implemented
Expect-CT, and Chromium has deprecated the header from version 107, because Chromium now enforces CT by default. See the Chrome Platform Status update.
CT requirements can be satisfied via any one of the following mechanisms:
- X.509v3 certificate extension to allow embedding of signed certificate timestamps issued by individual logs. Most TLS certificates issued by publicly-trusted CAs and used online contain embedded CT.
- A TLS extension of type
signed_certificate_timestampsent during the handshake
- Supporting OCSP stapling (that is, the
status_requestTLS extension) and providing a
Note: When a site enables the
Expect-CT header, they are requesting that the browser check that any certificate for that site appears in public CT logs.
Note: Browsers ignore the
Expect-CT header over HTTP; the header only has effect on HTTPS connections.
Expect-CT is mostly obsolete since June 2021. Since May 2018, all new TLS certificates are expected to support SCTs by default. Certificates issued before March 2018 were allowed to have a lifetime of 39 months, so they had expired in June 2021. Chromium plans to deprecate
Expect-CT header and to eventually remove it.
|Header type||Response header|
|Forbidden header name||yes|