i4connected Knowledgebase 5.6

Expect-CT header

Abstract

This article describes the Expect-CT header and explains how to configure it for your i4connected installation.

The Expect-CT header lets a web site report and/or enforce Certificate Transparency requirements, so that the use of misissued certificates for that site does not go unnoticed.

The Expect-CT header is configured in the Web.config file located in the i4connected API folder, as follows:

  • "Expect-CT" value="max-age=7776000, enforce, report-uri= ;"

    [Figure: The Expect-CT header]

    • The max-age parameter specifies the number of seconds, counted from receipt of the header, during which the recipient should regard the host that sent it as a known Expect-CT host.

      Even though this parameter should be set to a sufficiently long value, if the value is greater than the recipient can represent, or if any of its subsequent calculations overflows, the cache will consider this value to be either 2,147,483,648 (2^31) or the greatest positive integer it can represent.

    • The enforce parameter should be added only once any problems encountered while introducing and configuring Certificate Transparency have been resolved.

    • The report-uri parameter must provide the URL of the report endpoint, which should therefore differ from the application URL. The report endpoint must be able to process the reports that browsers send, so that indications of invalid certificates can be investigated.

    Note

    When both the enforce directive and the report-uri directive are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported.
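The following Python script is an added example and is not part of the i4connected product or its Web.config; it checks an Expect-CT value like the one above before it is deployed. It parses the directives, classifies the configuration as report-only, enforce-only or enforce-and-report, applies the 2^31 clamp described for max-age, flags an empty report-uri or one that points back at the application itself, and renders the `<add>` element for the customHeaders section of Web.config. The application URL and report URL it uses are constructed placeholders.

```python
"""Expect-CT header value checker.

Added example, not i4connected code. Parses a value such as
    max-age=7776000, enforce, report-uri=https://...
and reports the configuration mistakes discussed in the article.
The URLs below (example.invalid) are constructed placeholders.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# A user agent that cannot represent a larger max-age may clamp it to 2^31.
MAX_AGE_CAP = 2 ** 31


def parse_expect_ct(value: str) -> Dict[str, Optional[str]]:
    """Split the header value into directives (names are case-insensitive).
    Valueless directives such as `enforce` map to None; a trailing ';' is tolerated."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip().rstrip(";").strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def effective_max_age(raw: Optional[str]) -> Optional[int]:
    """Return the max-age the user agent will use, or None if it is invalid."""
    if raw is None or not raw.isdigit():
        return None
    return min(int(raw), MAX_AGE_CAP)


def classify(directives: Dict[str, Optional[str]]) -> str:
    """Name the mode exactly as the article does for the combined case."""
    enforce = "enforce" in directives
    report = bool(directives.get("report-uri"))
    if enforce and report:
        return "enforce-and-report"
    if enforce:
        return "enforce-only"
    if report:
        return "report-only"
    return "no-op"


def check_expect_ct(value: str, app_url: str) -> dict:
    """Validate a header value against the rules given in the article."""
    d = parse_expect_ct(value)
    findings: List[str] = []

    raw_max_age = d.get("max-age")
    max_age = effective_max_age(raw_max_age)
    if max_age is None:
        findings.append("max-age missing or not a non-negative integer")
    elif max_age == 0:
        findings.append("max-age=0 tells the user agent to forget this host's Expect-CT policy")
    elif int(raw_max_age) > MAX_AGE_CAP:
        findings.append(f"max-age exceeds 2^31; user agents may clamp it to {MAX_AGE_CAP}")

    report_uri = d.get("report-uri")
    if not report_uri:
        findings.append("report-uri is empty: Certificate Transparency violations will not be reported")
    else:
        r, a = urlsplit(report_uri), urlsplit(app_url)
        if r.scheme != "https" or not r.netloc:
            findings.append("report-uri must be an absolute https URL")
        elif (r.scheme, r.netloc) == (a.scheme, a.netloc):
            findings.append("report-uri points at the application origin itself; use a separate report endpoint")

    return {"directives": d, "mode": classify(d), "max_age": max_age, "findings": findings}


def web_config_add_element(value: str) -> str:
    """Render the <add> element placed under
    system.webServer/httpProtocol/customHeaders in Web.config."""
    el = ET.Element("add", {"name": "Expect-CT", "value": value})
    return ET.tostring(el, encoding="unicode")


if __name__ == "__main__":
    app = "https://i4connected.example.invalid"          # placeholder application URL
    report = "https://ct-reports.example.invalid/expect-ct"  # placeholder report endpoint
    for header in ("max-age=7776000, enforce, report-uri= ;",   # value as shown in the article
                   f"max-age=7776000, enforce, report-uri={report}"):
        result = check_expect_ct(header, app)
        print(result["mode"], result["findings"])
        print(web_config_add_element(header))
```

Run the script as-is to see the article's sample value flagged for its empty report-uri (enforce-only) and the completed value accepted as enforce-and-report; the rendered `<add>` line is what belongs in the customHeaders section.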