I want to enable Expect-CT on my website. From searching around, I created this code on my own.
<IfModule mod_headers.c>
Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"
</IfModule>
I want to ask if this is right or not, and what is the report URI? Can it be any random link or something else? For example, if my website is testwebsite.com, then should the report URI be testwebsite.com/report? And how can I check reports?
This is a good question; while the general syntax form is explained in the link provided in comments, it doesn't explain how to correctly apply this header in the .htaccess or httpd.conf Apache files.
Through trial and error I found this works:
<IfModule mod_headers.c>
Header set Expect-CT enforce,max-age=2592000,report-uri="https://foo.example/report"
</IfModule>
Note that there should not be any white space in the "data" part.
Also note that the output detected by such things as redbot.org does not show exactly the same thing.
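Added example (not part of the question or answer above): a Python check of an Expect-CT value as the server sends it on the wire, following the directive grammar of RFC 9163 (max-age required, enforce valueless, report-uri a quoted absolute URI). The function name check_expect_ct, the sample list and the restriction of report-uri to http/https schemes are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# One directive: name, optional "=" value (token or quoted-string), then "," or end.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^\s,"]+))?\s*(?:,|$)')

def check_expect_ct(value):
    """Parse one Expect-CT header value; return (policy, problems)."""
    policy, problems, pos = {}, [], 0
    value = value.strip()
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if not m:
            problems.append("malformed directive near %r" % value[pos:pos + 25])
            return policy, problems
        name, raw = m.group(1).lower(), m.group(2)  # names are case-insensitive
        if name in policy:
            problems.append("directive %r appears more than once" % name)
        policy[name] = raw
        pos = m.end()
    age = policy.get("max-age")
    if age is None or not (age.isascii() and age.isdigit()):
        problems.append("max-age is required and must be a whole number of seconds")
    if policy.get("enforce") is not None:
        problems.append("enforce takes no value")
    if "report-uri" in policy:
        raw = policy["report-uri"] or ""
        if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
            problems.append("report-uri value must be a quoted string")
        uri = raw.strip('"')
        parts = urlsplit(uri)
        # Assumption of this example: only http/https report endpoints are accepted.
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append("report-uri must be an absolute URI, e.g. https://host/path")
        policy["report-uri"] = uri
    return policy, problems

# Header values as sent on the wire (constructed from the values on this page).
SAMPLES = [
    'enforce,max-age=2592000,report-uri="https://foo.example/report"',
    'max-age=86400, enforce, report-uri="https://foo.example/report"',
    'max-age=86400, report-uri="testwebsite.com/report"',  # no scheme: rejected
    'enforce',                                             # max-age missing
]

if __name__ == "__main__":
    for sample in SAMPLES:
        policy, problems = check_expect_ct(sample)
        print(sample, "->", problems or "ok")
```

Feed it the value copied from a response-header dump of your own site rather than the line from .htaccess, since the check applies to what the client receives.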