{"id":17430,"library":"expect-ct","title":"Expect-CT Header Middleware","description":"The `expect-ct` package provides Express middleware for setting the deprecated Expect-CT HTTP response header. This header was designed to enforce Certificate Transparency (CT) requirements by instructing browsers to expect valid Signed Certificate Timestamps (SCTs) for a website's TLS certificates. However, the Expect-CT header itself has been deprecated by major browsers (e.g., Chrome removed support in version 107 in October 2022) as Certificate Transparency is now a baseline requirement enforced by default across all publicly trusted certificates. As such, this middleware, currently at version 1.0.0 (though `1.0.1` is on npm, published 3 years ago), offers minimal practical security benefit for modern web applications. The Helmet.js project, which originally included this functionality, removed `expect-ct` from its default middlewares in Helmet v5 due to its obsolescence.","status":"deprecated","version":"1.0.0","language":"javascript","source_language":"en","source_url":"git://github.com/helmetjs/helmet","tags":["javascript","express","security","expect-ct","typescript"],"install":[{"cmd":"npm install expect-ct","lang":"bash","label":"npm"},{"cmd":"yarn add expect-ct","lang":"bash","label":"yarn"},{"cmd":"pnpm add expect-ct","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"This is an Express middleware, requiring Express for application integration.","package":"express","optional":false}],"imports":[{"note":"The package exports a default function. Though TypeScript types are shipped, the primary usage is with CommonJS `require`.","wrong":"import { expectCt } from 'expect-ct';","symbol":"expectCt","correct":"import expectCt from 'expect-ct';"},{"note":"CommonJS `require` is the most common way to import this middleware, as shown in the package's documentation.","symbol":"expectCt","correct":"const expectCt = require('expect-ct');"}],"quickstart":{"code":"import express from 'express';\nimport expectCt from 'expect-ct';\n\nconst app = express();\nconst port = process.env.PORT ?? 3000;\n\n// Sets Expect-CT: max-age=123\napp.use(expectCt({ maxAge: 123 }));\n\n// Optionally, enforce and report\napp.use(\n  expectCt({\n    enforce: true,\n    maxAge: 30,\n    reportUri: 'https://example.com/report' // Replace with your actual reporting endpoint\n  })\n);\n\napp.get('/', (req, res) => {\n  res.send('Hello, Expect-CT!');\n});\n\napp.listen(port, () => {\n  console.log(`Server listening on port ${port}`);\n  console.warn('The Expect-CT header is largely deprecated and may not provide significant security benefits in modern browsers.');\n});\n","lang":"typescript","description":"Demonstrates how to integrate `expect-ct` middleware into an Express application to set the Expect-CT header, including options for `maxAge`, `enforce`, and `reportUri`."},"warnings":[{"fix":"Consider removing the `expect-ct` middleware entirely from new projects. For existing projects, its removal will likely have no adverse security impact on modern browsers.","message":"The Expect-CT HTTP header itself is deprecated and largely obsolete. Most major browsers (like Chrome since version 107 in October 2022) have removed support or no longer process this header, as Certificate Transparency is now a default, built-in security measure.","severity":"deprecated","affected_versions":">=1.0.0"},{"fix":"To achieve similar (though now largely ineffective) functionality with Helmet v5+, explicitly install `expect-ct` (`npm install expect-ct`) and use `app.use(expectCt(options))` alongside Helmet.","message":"The `expect-ct` middleware is no longer included by default in Helmet.js version 5 and later. If you upgraded Helmet and rely on Expect-CT, you will need to install and configure this standalone package explicitly, although it is not recommended due to header deprecation.","severity":"breaking","affected_versions":">=1.0.0 (when used with Helmet v5+)"},{"fix":"Ensure your application is served exclusively over HTTPS for any Expect-CT policy to be considered by the browser. However, given the header's deprecation, investing in this is generally not recommended.","message":"The Expect-CT header only functions over HTTPS connections. Browsers will ignore the header if sent over plain HTTP.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Be aware that any 'protection' offered by this header was limited to a subset of browsers. This further reduces its utility for broad web security.","message":"Only Chromium-based browsers (e.g., Google Chrome, Microsoft Edge) ever implemented support for the Expect-CT header. Other browsers like Firefox and Safari never adopted it.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"For CommonJS: `const expectCt = require('expect-ct');`. For ESM: `import expectCt from 'expect-ct';` (without curly braces).","cause":"Incorrect import: Attempting to destructure a default export, or mixing CommonJS `require` syntax with ESM `import` for a default export.","error":"TypeError: expectCt is not a function"},{"fix":"Contact your Certificate Authority (CA) to ensure your certificates include Signed Certificate Timestamps (SCTs) and are properly logged in CT logs. This is a fundamental requirement for modern certificates, irrespective of the Expect-CT header.","cause":"While Expect-CT is deprecated, if it were still enforced by a browser (e.g., an older Chrome version), this error indicates that your site's SSL/TLS certificate is not satisfying Certificate Transparency requirements.","error":"ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"}],"ecosystem":"npm","meta_description":null}