Security header: Expect-CT

Chrome is about to require that every newly issued, publicly trusted certificate be logged in public Certificate Transparency (CT) logs, or it will not be trusted; that check is enforced by the browser on its own. The Expect-CT header lets a site opt into the check early and ask the browser to report (or enforce) failures for that site. Note that Chrome has since deprecated and removed Expect-CT (the CT requirement itself remains in force), so treat the header as a reporting aid rather than a long-term control.

The Expect-CT header allows sites to report on or enforce Certificate Transparency requirements. In a nutshell, a certificate that has not been publicly logged is reported or, in enforce mode, rejected, which makes a misissued certificate for the site detectable and, once enforced, unusable.

When a site enables Expect-CT, it is asking the browser to check that any certificate served for that site carries proof of logging in public CT logs (Signed Certificate Timestamps, SCTs).

Scott Helme has a very detailed blog post about it, so I won't go into too much detail here; the aim of this post is to show how to create the Expect-CT header in an HTTP module and wire that module up in your web.config file.

The first thing we need to do is create a new class library in our project and then create a new class adding the following code.

CT Header Code

using System;
using System.Web;

namespace Web.RequiresHttps
{
    public class ExpectCtHeader : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            app.BeginRequest += App_BeginRequest;
        }

        private void App_BeginRequest(object sender, EventArgs e)
        {
            // Expect-CT only applies to HTTPS responses; browsers ignore it over plain HTTP.
            if (HttpContext.Current.Request.IsSecureConnection)
            {
                string baseUrl = "https://xxxxxxxx.report-uri.com/r/d/ct/reportOnly";
                // report-uri takes a quoted string, so the closing quote is required.
                string headerValue = $"max-age=0, report-uri=\"{baseUrl}\"";
                HttpContext.Current.Response.AppendHeader("Expect-CT", headerValue);
            }
        }

        public void Dispose()
        {
            // Nothing to release; required by IHttpModule.
        }
    }
}

I have a free account on https://report-uri.com/, and because the header above carries no enforce directive, if the browser is not happy with the CT information it received it will send a report to that endpoint instead of terminating the connection.

In the code above max-age is set to 0, so the browser does not cache the policy at all. Once you are happy everything works, raise max-age in steps (30 seconds, 60 seconds and so on, then much longer), add the enforce directive to the header value and change the report endpoint path from reportOnly to enforce. Raising max-age gradually matters because, once enforce is set, a certificate that fails the CT check will be rejected for as long as the browser remembers the policy.

Adding the module to your web.config file is straightforward: make sure the web project references the class library you created, then add the following to the modules element of the system.webServer section of your web.config file.

Web.Config

<system.webServer>
  <modules>
    <add name="ExpectCtHeader" type="Web.RequiresHttps.ExpectCtHeader, Web.RequiresHttps" />
  </modules>
</system.webServer>

If all went well and you view the response headers in Chrome Dev Tools, you should see your Expect-CT header.
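The following is an added example, not code from the original post: a configurable variant of the module that reads max-age, the enforce flag and the report URI from appSettings in web.config, so the rollout described above (max-age=0 report-only, then a longer max-age with enforce and the enforce endpoint) is a configuration change rather than a recompile. The header value is built by a public static method so it can be unit-tested without the ASP.NET pipeline, and a report URI that is not an absolute https:// URL is rejected, since a plain-HTTP endpoint would leak CT failure reports in the clear. The appSettings key names and the class name ExpectCtHeaderModule are assumptions for this example; the project needs a reference to System.Configuration.

```csharp
// Added example (not from the original post): configurable Expect-CT module.
using System;
using System.Configuration;
using System.Web;

namespace Web.RequiresHttps
{
    public class ExpectCtHeaderModule : IHttpModule
    {
        // Hypothetical appSettings keys, e.g. in web.config:
        //   <add key="ExpectCt.MaxAge" value="0" />
        //   <add key="ExpectCt.Enforce" value="false" />
        //   <add key="ExpectCt.ReportUri" value="https://xxxxxxxx.report-uri.com/r/d/ct/reportOnly" />
        private const string MaxAgeKey = "ExpectCt.MaxAge";
        private const string EnforceKey = "ExpectCt.Enforce";
        private const string ReportUriKey = "ExpectCt.ReportUri";

        public void Init(HttpApplication app)
        {
            app.BeginRequest += OnBeginRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            var context = ((HttpApplication)sender).Context;

            // Expect-CT only applies to HTTPS responses; browsers ignore it over plain HTTP.
            if (!context.Request.IsSecureConnection)
            {
                return;
            }

            int maxAge;
            if (!int.TryParse(ConfigurationManager.AppSettings[MaxAgeKey], out maxAge) || maxAge < 0)
            {
                maxAge = 0; // safe default: the browser caches nothing
            }

            bool enforce;
            bool.TryParse(ConfigurationManager.AppSettings[EnforceKey], out enforce); // false if absent

            string reportUri = ConfigurationManager.AppSettings[ReportUriKey];

            context.Response.AppendHeader("Expect-CT", BuildHeaderValue(maxAge, enforce, reportUri));
        }

        // Builds the header value. Public and static so it can be unit-tested in isolation.
        public static string BuildHeaderValue(int maxAge, bool enforce, string reportUri)
        {
            if (maxAge < 0)
            {
                throw new ArgumentOutOfRangeException("maxAge", "max-age must be non-negative");
            }

            string value = "max-age=" + maxAge;

            if (enforce)
            {
                value += ", enforce";
            }

            if (!string.IsNullOrEmpty(reportUri))
            {
                Uri parsed;
                // Reject a malformed URI (it would yield an invalid header) and a non-HTTPS
                // endpoint (CT failure reports would travel unencrypted).
                if (!Uri.TryCreate(reportUri, UriKind.Absolute, out parsed) || parsed.Scheme != Uri.UriSchemeHttps)
                {
                    throw new ArgumentException("report-uri must be an absolute https:// URL", "reportUri");
                }

                // report-uri is a quoted string; AbsoluteUri gives a normalised, escaped form.
                value += ", report-uri=\"" + parsed.AbsoluteUri + "\"";
            }

            return value;
        }

        public void Dispose()
        {
            // Nothing to release; required by IHttpModule.
        }
    }
}
```

Register it with the same kind of web.config entry as above, changing the type to `Web.RequiresHttps.ExpectCtHeaderModule, Web.RequiresHttps`. With the hypothetical defaults shown in the comments, BuildHeaderValue(0, false, "https://xxxxxxxx.report-uri.com/r/d/ct/reportOnly") produces `max-age=0, report-uri="https://xxxxxxxx.report-uri.com/r/d/ct/reportOnly"`; switching the settings to a max-age of 86400, enforce true and the /r/d/ct/enforce endpoint produces `max-age=86400, enforce, report-uri="https://xxxxxxxx.report-uri.com/r/d/ct/enforce"`, which is the enforce stage of the rollout.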
