Security header Expect CT

The Expect-CT header will soon be enforced by Google, and as such all certificates issued will have to be logged or they will not be trusted.

The Expect-CT header allows sites to report or enforce certificate transparency requirements; in a nutshell, this will prevent the use of mis-issued certificates for websites.

When a site enables Expect-CT, it is asking the browser to check that any certificate presented for the site appears in public logs.

Scott Helme has a very nice blog post about it, so I won't go into too much detail; the aim of this blog is to show how to create the Expect-CT header in a module and link that to your web.config file.

The first thing we need to do is create a new class library in our project and then create a new class, adding the following code.

CT Header Code

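using System;
using System.Web;

public class ExpectCtHeader : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += App_BeginRequest;
    }

    private void App_BeginRequest(object sender, EventArgs e)
    {
        // Only send Expect-CT on HTTPS responses
        if (HttpContext.Current.Request.IsSecureConnection)
        {
            string baseUrl = ""; // URL of your report collection endpoint
            // The report-uri value must be a complete quoted string
            string headerValue = $"max-age=0, report-uri=\"{baseUrl}\"";
            HttpContext.Current.Response.AddHeader("Expect-CT", headerValue);
        }
    }

    public void Dispose()
    {
        // Needed for IHttpModule
    }
}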

Logging Error

I have a free account on and as such, if the browser is not happy with the CT information it received, instead of terminating the connection it will simply log the message.

In the code above I have max-age set to 0. Once you are happy everything works OK, you can raise that to 30 seconds, 60 seconds, etc. and replace reportOnly with enforce.

Adding the module to your web.config file is easy: make sure you have a reference to the class library you created, then add the following code to the system.webServer section of your web.config file.

<add name="ExpectCtHeader" type="Web.RequiresHttps.ExpectCtHeader, Web.RequiresHttps" />

If all went well and you view your headers in Chrome Dev Tools, you should see your CT-Header.
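To check the value you see in Dev Tools, the following added example (not code from the original post) parses an Expect-CT header value and reports whether it is still in the max-age=0 test phase, report-only, or enforcing; it rejects values with an unterminated report-uri quote. The function name `parse_expect_ct` and the `report.example` URLs are assumptions made for illustration.

```python
import re

# One directive: a name, optionally "=" plus a token or quoted string,
# terminated by "," or the end of the value.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^",\s]+))?\s*(?:,|$)'
)


def parse_expect_ct(value):
    """Parse an Expect-CT header value into mode, max_age and report_uri.

    Raises ValueError on bad syntax, duplicate directives, or a missing
    or non-numeric max-age.
    """
    value = value.strip()
    directives, pos = {}, 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if m is None:
            raise ValueError(f"malformed directive at offset {pos}")
        name, raw = m.group(1).lower(), m.group(2)
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        if raw is not None and raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # drop quotes, unescape
        directives[name] = raw
        pos = m.end()

    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age is required and must be an integer")

    if int(max_age) == 0:
        mode = "not-cached"      # browser does not remember the policy
    elif "enforce" in directives:
        mode = "enforce"         # non-compliant connections are refused
    else:
        mode = "report-only"     # violations are only reported
    return {"mode": mode, "max_age": int(max_age),
            "report_uri": directives.get("report-uri")}


if __name__ == "__main__":
    # Constructed sample values; report.example is a placeholder host.
    print(parse_expect_ct('max-age=0, report-uri="https://report.example/ct"'))
    print(parse_expect_ct('max-age=60, enforce, report-uri="https://report.example/ct"'))
```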