Expect-CT

Security Glossary - Security Headers

Definition: Expect-CT was a security header that instructed browsers to verify Certificate Transparency compliance for the site's SSL certificate. It could enforce CT (blocking non-compliant certificates) or report violations. Since Chrome now requires CT for all certificates by default, Expect-CT has been deprecated and removed from Chrome 107+.

Why Expect-CT Is Important

Expect-CT was useful during the transition period when Certificate Transparency was not universally required. It allowed early adopters to enforce CT on their domains before browsers mandated it globally. With Chrome and other browsers now requiring CT for all new certificates, the header is no longer needed.

If your server still sends Expect-CT, it is harmless but unnecessary. Modern browsers ignore it. You can safely remove it to reduce header size. The underlying protection - requiring CT compliance - is now built into browser certificate validation.

The report-uri feature of Expect-CT allowed site operators to receive notifications about CT compliance failures. This reporting capability is still useful but is now better served by Certificate Transparency monitoring services that watch CT logs directly.

How to Check

A security audit may still check for Expect-CT. If present, it can be safely removed since all browsers now enforce CT by default. Focus on monitoring CT logs (via crt.sh or similar services) for unauthorized certificate issuance.
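The check described above, as an added example that is not part of the original glossary page: it parses an Expect-CT header value using the directive grammar from RFC 9163 (max-age, enforce, report-uri), reports the header as deprecated with the concrete reason, and flags malformed directives so the audit output explains exactly what the server is still sending. The response headers in SAMPLE_RESPONSE_HEADERS are constructed for the demo; fetch_headers() is a plain HEAD request you can point at a real host.

```python
"""Audit an HTTP response for a leftover Expect-CT header (added example)."""
import http.client
import re
from typing import Dict, Optional

# RFC 9163 grammar: comma-separated directives. max-age=<delta-seconds> is
# required; enforce is a bare token; report-uri takes a quoted URI.
_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^,;"]*))?\s*')

# Constructed sample response headers for the demo (not from a real host).
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Expect-CT": 'max-age=86400, enforce, report-uri="https://example.com/ct-report"',
}


def parse_expect_ct(value: str) -> Dict[str, Optional[str]]:
    """Map each directive name to its value (None for bare tokens such as enforce).

    Quotes around report-uri are stripped; unknown directives are kept so the
    caller sees exactly what the server emits. Raises ValueError on garbage.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed Expect-CT directive: {part!r}")
        name, val = m.group(1).lower(), m.group(2)
        if val is not None:
            val = val.strip()
            if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
        directives[name] = val
    return directives


def audit_expect_ct(headers: Dict[str, str]) -> Dict[str, object]:
    """Return audit findings for a response header map (names matched case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("expect-ct")
    if value is None:
        return {"present": False, "finding": "ok", "recommendation": None}

    d = parse_expect_ct(value)
    max_age = d.get("max-age") or ""
    report_uri = d.get("report-uri") or ""
    syntax_issues = []
    if not max_age.isdigit():
        syntax_issues.append("max-age missing or not a non-negative integer")
    if "report-uri" in d and not report_uri.startswith("https://"):
        syntax_issues.append("report-uri is not an https URL")

    return {
        "present": True,
        "enforce": "enforce" in d,
        "max_age": int(max_age) if max_age.isdigit() else None,
        "report_uri": d.get("report-uri"),
        "syntax_issues": syntax_issues,
        # The header is ignored by Chrome 107+ and never implemented elsewhere;
        # CT enforcement now lives in browser certificate validation.
        "finding": "deprecated",
        "recommendation": "Remove Expect-CT; browsers enforce Certificate Transparency by default.",
    }


def fetch_headers(host: str, path: str = "/", timeout: float = 10.0) -> Dict[str, str]:
    """HEAD request over TLS; returns the response headers of a live host."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    print(audit_expect_ct(SAMPLE_RESPONSE_HEADERS))
    # Live check: print(audit_expect_ct(fetch_headers("example.com")))
```

Run the live check against your own hosts; a "deprecated" finding with no syntax issues simply means the directive is well-formed but obsolete, which is the normal case for a site that added it during the transition period.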


Common Questions About Expect-CT

Should I add Expect-CT to my site?
No. Expect-CT has been deprecated since Chrome 107 (October 2022) because Certificate Transparency is now required for all certificates by default. Adding it provides no benefit and the header is ignored by modern browsers.
What replaces Expect-CT?
Nothing directly replaces it because its functionality (requiring CT compliance) is now the default behavior in all browsers. For monitoring certificate issuance, use CT log monitoring services like crt.sh or Certspotter.
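The CT log monitoring recommended above, as an added example that is not part of the original glossary page: it consumes records in the JSON shape returned by crt.sh's search endpoint (https://crt.sh/?q=%25.<domain>&output=json), deduplicates the precertificate and final-certificate entries that share a serial number, and reports every unexpired certificate whose issuer is not one of the CAs you actually use. SAMPLE_CRTSH_RECORDS, ALLOWED_ISSUERS and DEMO_AS_OF are constructed for the demo; fetch_crtsh() is the only network call.

```python
"""Flag unexpected certificate issuance from crt.sh-shaped CT log records (added example)."""
import json
import urllib.request
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed records in crt.sh's JSON output shape. Real output has more
# fields (id, entry_timestamp, issuer_ca_id); only the ones used are shown.
SAMPLE_CRTSH_RECORDS: List[Dict] = [
    {"serial_number": "03a1b2", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-12-01T00:00:00", "not_after": "2025-03-01T00:00:00"},
    # crt.sh lists the precertificate and the final certificate separately;
    # both carry the same serial, so they must be counted once.
    {"serial_number": "03a1b2", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-12-01T00:00:00", "not_after": "2025-03-01T00:00:00"},
    # Expired cert from a CA the organisation no longer uses: not a finding.
    {"serial_number": "0b77c1", "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "api.example.com", "name_value": "api.example.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2024-01-01T00:00:00"},
    # Unexpired wildcard issued by a CA not on the allowlist: this is the finding.
    {"serial_number": "0c0ffee", "issuer_name": "C=XX, O=Constructed Demo CA, CN=Demo Issuing CA 1",
     "common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_before": "2025-01-10T00:00:00", "not_after": "2026-01-10T00:00:00"},
]

# Substrings of issuer_name for the CAs this organisation actually uses (constructed).
ALLOWED_ISSUERS = ["O=Let's Encrypt", "O=DigiCert Inc"]

# Fixed reference time so the demo is deterministic (constructed).
DEMO_AS_OF = datetime(2025, 1, 15)


def fetch_crtsh(domain: str, timeout: float = 30.0) -> List[Dict]:
    """Query crt.sh for every logged certificate covering <domain> and *.<domain>."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-monitor-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def find_unexpected_issuance(records: Iterable[Dict], allowed_issuers: Iterable[str],
                             as_of: datetime) -> List[Dict]:
    """Return unexpired certificates (at as_of) whose issuer matches none of allowed_issuers.

    Entries sharing a serial number (precert + final cert) are reported once.
    """
    allowed = [a.lower() for a in allowed_issuers]
    seen = set()
    findings = []
    for rec in records:
        serial = rec.get("serial_number")
        if serial in seen:
            continue
        seen.add(serial)
        if datetime.fromisoformat(rec["not_after"]) < as_of:
            continue  # expired: no longer usable for interception
        issuer = rec.get("issuer_name", "")
        if any(a in issuer.lower() for a in allowed):
            continue
        findings.append({
            "serial_number": serial,
            "issuer_name": issuer,
            "names": rec.get("name_value", "").split("\n"),
            "wildcard": any(n.startswith("*.") for n in rec.get("name_value", "").split("\n")),
            "not_after": rec["not_after"],
        })
    return findings


def run_demo() -> List[Dict]:
    """Run the check over the constructed records with the constructed allowlist."""
    return find_unexpected_issuance(SAMPLE_CRTSH_RECORDS, ALLOWED_ISSUERS, DEMO_AS_OF)


if __name__ == "__main__":
    for f in run_demo():
        print(f"UNEXPECTED ISSUER serial={f['serial_number']} issuer={f['issuer_name']} names={f['names']}")
    # Live: find_unexpected_issuance(fetch_crtsh("example.com"), ALLOWED_ISSUERS, datetime.utcnow())
```

Schedule the live query and alert on any non-empty result; an issuer outside your allowlist for a name you control is exactly the mis-issuance Expect-CT reporting used to surface, and it is now visible directly in the public logs.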
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.