Expect-CT Is Deprecated — What to Use Instead in 2026
Updated April 2026
Reading this? Verify your fix in real-time. Scan your headers → HeadersFixer
Expect-CT appears in a lot of security header guides written between 2018 and 2021. Those guides are outdated. Chrome, the only major browser that ever enforced the header, removed support in Chrome 107 (October 2022), and no current browser acts on it, so it is now dead weight in your response headers.
Quick check — remove it if you have it
```bash
# Check whether you are sending Expect-CT (-s: no progress output, -I: HEAD request).
curl -sI https://yoursite.com/ | grep -i '^expect-ct:'
# Some servers answer HEAD and GET differently; this variant checks a GET:
curl -s -D - -o /dev/null https://yoursite.com/ | grep -i '^expect-ct:'
# If either prints a line, remove the header from your config. It does nothing.
```
Remove by stack
Nginx — remove from nginx.conf
```nginx
# Delete this line if you have it (check included files too, e.g. conf.d/ and sites-enabled/):
add_header Expect-CT "max-age=86400, enforce, report-uri=https://yoursite.com/ct-report";
# Then validate the config and reload: nginx -t && nginx -s reload
```
Helmet (Express): current versions no longer set it
```bash
# Helmet's expectCt middleware was deprecated and later removed, so current
# releases of helmet() do not send Expect-CT. If your version still does, upgrade:
npm install helmet@latest
# Then delete any explicit expectCt option or helmet.expectCt() call from your app;
# after the upgrade it no longer exists.
```
Vercel / Netlify headers files — delete the line
```text
# vercel.json: delete the whole object from the "headers" array:
#   { "key": "Expect-CT", "value": "..." }
# Netlify _headers file: delete the line under the path it applies to:
#   Expect-CT: ...
```
What CT looks like today (no header needed)
Certificate Transparency now works like this:
- You obtain a TLS certificate from a publicly trusted CA (Let's Encrypt, DigiCert, etc.)
- The CA submits a precertificate to several public CT logs and embeds the Signed Certificate Timestamps (SCTs) the logs return in the issued certificate, so the certificate carries its own proof of logging (SCTs can also be delivered in a TLS extension or stapled OCSP response, but embedding is what CAs do by default)
- Chrome, Safari and Firefox (since Firefox 135) check those SCTs against log lists shipped with the browser; your response headers play no part in the decision
- A publicly trusted certificate without enough valid SCTs is rejected regardless of what headers you send (Chrome reports NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED); certificates chaining to a privately installed enterprise root are exempt from CT policy
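Since the proof of logging lives in the certificate rather than in a header, the useful check is to look at the embedded SCTs themselves. The following is an added example (not HeadersFixer code): it decodes the SignedCertificateTimestampList format from RFC 6962 section 3.3, which is what the `1.3.6.1.4.1.11129.2.4.2` extension carries. The function names, the OID-scan used to locate the extension in DER, and the sample SCT bytes are all constructed for this example; the sample signatures are placeholders, not real log signatures.

```python
"""Inspect the SCTs embedded in a certificate (RFC 6962, section 3.3).

Added example, not HeadersFixer code. parse_sct_list() decodes the TLS-encoded
SignedCertificateTimestampList carried in the 1.3.6.1.4.1.11129.2.4.2 extension.
fetch_embedded_sct_list() is the live path: it fetches the peer certificate with the
standard library and locates the extension by scanning the DER for its OID, which is
a simplification of this example rather than a full ASN.1 parser.
"""
import datetime as dt
import socket
import ssl
import struct
import sys
from typing import Dict, List

# DER encoding of OBJECT IDENTIFIER 1.3.6.1.4.1.11129.2.4.2 (embedded SCT list).
SCT_LIST_OID_DER = bytes.fromhex("060a2b06010401d679020402")


def parse_sct_list(blob: bytes) -> List[Dict[str, object]]:
    """Decode a SignedCertificateTimestampList into one dict per SCT.

    Layout: uint16 list length, then repeated (uint16 length, SerializedSCT).
    SerializedSCT v1: version(1) log_id(32) timestamp(8, ms since epoch)
    extensions(uint16 len + bytes) hash_alg(1) sig_alg(1) signature(uint16 len + bytes).
    """
    (total,) = struct.unpack(">H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("SCT list length does not match payload")
    scts: List[Dict[str, object]] = []
    pos = 2
    while pos < len(blob):
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        sct = blob[pos + 2:pos + 2 + n]
        if len(sct) != n:
            raise ValueError("truncated SCT entry")
        pos += 2 + n
        if sct[0] != 0:
            raise ValueError(f"unsupported SCT version {sct[0]}")
        (ts_ms,) = struct.unpack(">Q", sct[33:41])
        (ext_len,) = struct.unpack(">H", sct[41:43])
        sig_at = 43 + ext_len                      # hash_alg, sig_alg, then signature
        (sig_len,) = struct.unpack(">H", sct[sig_at + 2:sig_at + 4])
        if len(sct) != sig_at + 4 + sig_len:
            raise ValueError("SCT signature length does not match entry")
        scts.append({
            "log_id": sct[1:33].hex(),
            "timestamp": dt.datetime.fromtimestamp(ts_ms / 1000, tz=dt.timezone.utc),
            "hash_alg": sct[sig_at],
            "sig_alg": sct[sig_at + 1],
            "signature_len": sig_len,
        })
    return scts


def _der_length(buf: bytes, pos: int):
    """Decode the DER length at buf[pos]; return (length, offset of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def extract_sct_list(der_cert: bytes) -> bytes:
    """Return the SCT list inside a DER certificate, located by scanning for the OID.

    extnValue is an OCTET STRING wrapping a second OCTET STRING that holds the
    TLS-encoded list. The scan is an assumption of this example; a production tool
    should walk the ASN.1 structure (for instance with the cryptography package).
    """
    idx = der_cert.find(SCT_LIST_OID_DER)
    if idx < 0:
        raise LookupError("no embedded SCT list extension in certificate")
    pos = idx + len(SCT_LIST_OID_DER)
    if der_cert[pos] == 0x01:                      # optional 'critical' BOOLEAN (01 01 xx)
        pos += 3
    length = 0
    for _ in range(2):                             # outer extnValue, then inner OCTET STRING
        if der_cert[pos] != 0x04:
            raise ValueError("expected OCTET STRING in extension value")
        length, pos = _der_length(der_cert, pos + 1)
    return der_cert[pos:pos + length]


def fetch_embedded_sct_list(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate from a live host and return its embedded SCT list."""
    ctx = ssl.create_default_context()             # verifies the chain and hostname
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return extract_sct_list(der)


def _make_sct(log_byte: int, ts_ms: int, signature: bytes) -> bytes:
    """Build one v1 SerializedSCT with empty extensions (constructed data, not a real log signature)."""
    body = bytes([0]) + bytes([log_byte]) * 32 + struct.pack(">Q", ts_ms) + struct.pack(">H", 0)
    body += bytes([4, 3]) + struct.pack(">H", len(signature)) + signature  # sha256=4, ecdsa=3
    return struct.pack(">H", len(body)) + body


# Constructed sample: two SCTs from two (fake) logs, then the same list wrapped the
# way it sits in a certificate. All lengths are < 0x80, so short-form DER lengths apply.
_ENTRIES = _make_sct(0xAA, 1_700_000_000_000, bytes(8)) + _make_sct(0xBB, 1_700_000_123_000, bytes(8))
SAMPLE_SCT_LIST = struct.pack(">H", len(_ENTRIES)) + _ENTRIES
_INNER = b"\x04" + bytes([len(SAMPLE_SCT_LIST)]) + SAMPLE_SCT_LIST
SAMPLE_EXTENSION_DER = SCT_LIST_OID_DER + b"\x04" + bytes([len(_INNER)]) + _INNER

if __name__ == "__main__":
    blob = fetch_embedded_sct_list(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SCT_LIST
    for sct in parse_sct_list(blob):
        print(sct["log_id"][:16], sct["timestamp"].isoformat())
```

Run it with a hostname to list the log IDs and timestamps of a real certificate's SCTs, or with no arguments to walk the constructed sample. Browser policy is about how many SCTs come from distinct logs on the browser's trusted-log list, not merely that some are present; at the time of writing Chrome requires at least two for short-lived certificates and more for longer validity periods, so compare the log IDs against the current log list rather than just counting entries.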
What you should have instead of Expect-CT
```http
# These are the headers that actually matter for HTTPS security in 2026:

# HSTS: tells browsers to always use HTTPS. Only add "preload" once the site meets
# the hstspreload.org requirements (max-age of at least one year, includeSubDomains)
# and you intend to submit it; a preload entry is hard to undo.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

# CSP: controls which resources may load
Content-Security-Policy: default-src 'self'; ...

# ...plus the rest of your security headers checklist.
# Expect-CT is not on any of them, and that is correct.
```
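To turn the curl check earlier on this page and the list above into one repeatable audit, here is an added example (not HeadersFixer code) that parses a response, flags a lingering Expect-CT, and grades HSTS and CSP. The function names and the sample response are constructed for this example; the live fetch uses only the standard library.

```python
"""Audit an HTTP response for the headers this page discusses.

Added example, not HeadersFixer code. audit_headers() works on a captured
response so it runs offline; live_headers() fetches one over TLS with the
standard library when you pass a hostname on the command line.
"""
import http.client
import re
import sys
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the hstspreload.org minimum for max-age


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw response into a lowercase-keyed dict.

    Header names are case-insensitive (RFC 9110), so keys are lowercased.
    Repeated headers are kept in order; the status line and body are ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.splitlines():
        if line.startswith(("HTTP/", " ", "\t")) or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS value, or None if it is absent."""
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_headers(raw: str) -> Dict[str, str]:
    """Return a verdict per check: Expect-CT present, HSTS strength, CSP present."""
    headers = parse_headers(raw)
    verdicts: Dict[str, str] = {}
    # Expect-CT: no current browser acts on it, so its only correct state is absent.
    verdicts["expect-ct"] = "remove" if "expect-ct" in headers else "ok (absent)"
    hsts = headers.get("strict-transport-security")
    if not hsts:
        verdicts["hsts"] = "missing"
    else:
        # RFC 6797: if several HSTS headers are sent, only the first is processed.
        age = hsts_max_age(hsts[0])
        verdicts["hsts"] = "ok" if age is not None and age >= ONE_YEAR else f"weak (max-age={age})"
    verdicts["csp"] = "ok" if "content-security-policy" in headers else "missing"
    return verdicts


def live_headers(host: str, path: str = "/") -> str:
    """Fetch the response headers of a live site with a HEAD request over TLS.

    The default HTTPSConnection context verifies the server certificate. Some
    servers answer HEAD and GET with different headers; switch the method to GET
    if the results look incomplete. Not exercised by the offline sample.
    """
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path, headers={"User-Agent": "header-audit/0.1"})
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    lines += [f"{name}: {value}" for name, value in resp.getheaders()]
    conn.close()
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample response (not captured from any real site): still sends
# Expect-CT and a one-day HSTS max-age, and has no CSP.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    'Expect-CT: max-age=86400, enforce, report-uri="https://yoursite.com/ct-report"\r\n'
    "Strict-Transport-Security: max-age=86400\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    raw = live_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for check, verdict in audit_headers(raw).items():
        print(f"{check:10} {verdict}")
```

Against the constructed sample the audit reports Expect-CT as "remove", HSTS as weak because a one-day max-age is far below the one-year floor, and CSP as missing. The HSTS check deliberately reads only the first header value, which is what browsers do when a misconfigured server sends it twice.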
If you see Expect-CT in a security scanner report or a "recommended headers" list, that list is outdated. The header is specified in RFC 9163 (December 2021), which was published as an Experimental RFC rather than a standard, and Chrome removed support in version 107 less than a year later. Any tool still recommending it has not been updated.