Expect-CT Header Middleware

Common errors

• TypeError: expectCt is not a function

  cause Incorrect import: Attempting to destructure a default export, or mixing CommonJS `require` syntax with ESM `import` for a default export.
  fix For CommonJS: `const expectCt = require('expect-ct');`. For ESM: `import expectCt from 'expect-ct';` (without curly braces).

• ERR_CERTIFICATE_TRANSPARENCY_REQUIRED

  cause While Expect-CT is deprecated, if it were still enforced by a browser (e.g., an older Chrome version), this error indicates that your site's SSL/TLS certificate is not satisfying Certificate Transparency requirements.
  fix Contact your Certificate Authority (CA) to ensure your certificates include Signed Certificate Timestamps (SCTs) and are properly logged in CT logs. This is a fundamental requirement for modern certificates, irrespective of the Expect-CT header.

Warnings

• deprecated The Expect-CT HTTP header itself is deprecated and largely obsolete. Most major browsers (like Chrome since version 107 in October 2022) have removed support or no longer process this header, as Certificate Transparency is now a default, built-in security measure.
  Fix: Consider removing the `expect-ct` middleware entirely from new projects. For existing projects, its removal will likely have no adverse security impact on modern browsers.
• breaking The `expect-ct` middleware is no longer included by default in Helmet.js version 5 and later. If you upgraded Helmet and rely on Expect-CT, you will need to install and configure this standalone package explicitly, although it is not recommended due to header deprecation.
  Fix: To achieve similar (though now largely ineffective) functionality with Helmet v5+, explicitly install `expect-ct` (`npm install expect-ct`) and use `app.use(expectCt(options))` alongside Helmet.
• gotcha The Expect-CT header only functions over HTTPS connections. Browsers will ignore the header if sent over plain HTTP.
  Fix: Ensure your application is served exclusively over HTTPS for any Expect-CT policy to be considered by the browser. However, given the header's deprecation, investing in this is generally not recommended.
• gotcha Only Chromium-based browsers (e.g., Google Chrome, Microsoft Edge) ever implemented support for the Expect-CT header. Other browsers like Firefox and Safari never adopted it.
  Fix: Be aware that any 'protection' offered by this header was limited to a subset of browsers. This further reduces its utility for broad web security.

Install

• npm install expect-ct npm
• yarn add expect-ct yarn
• pnpm add expect-ct pnpm

Imports

• expectCt
  wrong:

  import { expectCt } from 'expect-ct';

  correct:

  import expectCt from 'expect-ct';

  The package exports a default function. Though TypeScript types are shipped, the primary usage is with CommonJS `require`.
• expectCt

  const expectCt = require('expect-ct');

  CommonJS `require` is the most common way to import this middleware, as shown in the package's documentation.

Quickstart

Demonstrates how to integrate `expect-ct` middleware into an Express application to set the Expect-CT header, including options for `maxAge`, `enforce`, and `reportUri`.

import express from 'express';
import expectCt from 'expect-ct';

const app = express();
const port = process.env.PORT ?? 3000;

// Sets Expect-CT: max-age=123
app.use(expectCt({ maxAge: 123 }));

// Optionally, enforce and report
app.use(
  expectCt({
    enforce: true,
    maxAge: 30,
    reportUri: 'https://example.com/report' // Replace with your actual reporting endpoint
  })
);

app.get('/', (req, res) => {
  res.send('Hello, Expect-CT!');
});

app.listen(port, () => {
  console.log(`Server listening on port ${port}`);
  console.warn('The Expect-CT header is largely deprecated and may not provide significant security benefits in modern browsers.');
});