Web Security-HTTP headers · April 14, 2020


Expect-CT, where CT stands for Certificate Transparency, is a newer security header that replaces HPKP (HTTP Public Key Pinning) and lets websites opt in to the Certificate Transparency enforcement framework. That is a lot in one sentence, so let's break it down:

HPKP: This security header was introduced to bind a website to specific public keys (certificates) at the browser level, to prevent MITM attacks. It worked on TOFU (Trust on First Use): the first time the browser visits a website it stores the certificate, and it expects the website to present the same one on the next visit.

Why HPKP was deprecated: As it turns out, along with the benefits there are serious problems with the HPKP header:
1.) Misconfiguring this header can make your website inaccessible and lock users out for a very long time.
2.) If an attacker is able to obtain a certificate for your domain, they can take your site hostage (hostile pinning).

These two reasons were strong enough to discourage browsers from adopting this HTTP header.

JWorks has a very good article on this; read it to learn more:

Certificate Transparency is an open framework in which the use of SSL certificates is monitored publicly across the internet, so that misuse can be detected. When a new certificate is issued for a domain it is added to a CT log and an SCT (signed certificate timestamp) is created, which attests that the certificate has been publicly logged.

So what does Expect-CT do? This security header lets websites monitor the use of their certificates. The browser checks the certificate presented by the web server against the public CT logs, and the certificate must be present in at least one of them. If the browser cannot find the certificate in the public CT logs, it reports this to the report URI given in the header.

Syntax: Expect-CT: report-uri="<uri>", enforce, max-age=<seconds>

Expect-CT has the following directives:
max-age: the number of seconds after receiving the header during which the browser should regard the host as a known Expect-CT host.
report-uri: the URI to which Expect-CT failures are reported.
enforce: instructs the browser to refuse future connections that violate the CT policy, instead of only reporting them.
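To make the directive semantics concrete, here is an added Python example (not from the original post) that parses an Expect-CT header value and flags settings a site operator should revisit, such as a report-only policy or a missing report-uri; the sample header values and the example.com URLs are constructed.

```python
"""Parse and evaluate Expect-CT header values. Added example, not the post's code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One directive: name, optional "=value" (quoted or bare), then a comma or end of value.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^,\s"]*)))?\s*(?:,|$)')

@dataclass
class ExpectCT:
    max_age: int            # seconds the browser remembers the host as Expect-CT
    enforce: bool           # True: violating connections are refused, not just reported
    report_uri: Optional[str]

def parse_expect_ct(value: str) -> ExpectCT:
    """Parse an Expect-CT header value; raise ValueError on malformed input."""
    seen: Dict[str, Optional[str]] = {}
    pos = 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if not m:
            raise ValueError(f"malformed directive near: {value[pos:]!r}")
        pos = m.end()
        name = m.group(1).lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    if "enforce" in seen and seen["enforce"] is not None:
        raise ValueError("enforce takes no value")
    return ExpectCT(int(max_age), "enforce" in seen, seen.get("report-uri") or None)

def assess(value: str) -> List[str]:
    """Findings an operator would act on; an empty list means the header is sound."""
    ct = parse_expect_ct(value)
    findings = []
    if ct.max_age == 0:
        findings.append("max-age=0 clears the policy; the browser forgets the host")
    if not ct.enforce:
        findings.append("report-only: CT violations are reported but connections still succeed")
    if ct.report_uri is None:
        findings.append("no report-uri: failures are never seen by the operator")
    elif not ct.report_uri.startswith("https://"):
        findings.append("report-uri is not https: reports could be intercepted in transit")
    return findings
```

Feed `assess()` the value of the `Expect-CT` response header from your own site (for example `'max-age=86400, enforce, report-uri="https://example.com/ct"'`, a constructed value) and act on any findings it returns.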

Useful links:
More about CT framework: https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency