Update rules section
This commit is contained in:
parent
77f8ee4024
commit
4be2bc9343
1 changed files with 23 additions and 19 deletions
42
README.md
42
README.md
|
|
@ -9,26 +9,30 @@ Deep TLS / certificate analysis is intentionally **delegated to
|
|||
[checker-tls](https://git.happydns.org/checker-tls)** - this checker only
|
||||
relies on TLS for transport.
|
||||
|
||||
## What it checks
|
||||
## Rules
|
||||
|
||||
| Rule | What it verifies |
|
||||
| --------------------------------- | --------------------------------------------------------------------------------- |
|
||||
| `http.tcp_reachable` | Port 80 accepts connections on every A/AAAA address. |
|
||||
| `https.tcp_reachable` | Port 443 accepts connections on every A/AAAA address. |
|
||||
| `http.https_redirect` | Plain HTTP redirects to HTTPS (warning if not). |
|
||||
| `http.hsts` | `Strict-Transport-Security` is present with a sufficient `max-age`. |
|
||||
| `http.csp` | `Content-Security-Policy` is set; flags `'unsafe-inline'` / `'unsafe-eval'`. |
|
||||
| `http.x_frame_options` | `X-Frame-Options` or CSP `frame-ancestors` provides clickjacking protection. |
|
||||
| `http.x_content_type_options` | `X-Content-Type-Options: nosniff` is set. |
|
||||
| `http.x_xss_protection` | Reports the legacy `X-XSS-Protection` header (recommendation: disable). |
|
||||
| `http.referrer_policy` | `Referrer-Policy` is set to a privacy-preserving value (W3C Referrer Policy). |
|
||||
| `http.permissions_policy` | `Permissions-Policy` is set (W3C Permissions Policy, replaces Feature-Policy). |
|
||||
| `http.coop` | `Cross-Origin-Opener-Policy` isolates the document from cross-origin windows. |
|
||||
| `http.coep` | `Cross-Origin-Embedder-Policy` requires CORP/CORS opt-in for embedded resources. |
|
||||
| `http.corp` | `Cross-Origin-Resource-Policy` restricts cross-origin embedding of responses. |
|
||||
| `http.cookie_flags` | Every Set-Cookie has `Secure`, `HttpOnly`, and a `SameSite` attribute. |
|
||||
| `http.sri` | Cross-origin `<script>`/`<link>` tags carry `integrity=` (Subresource Integrity). |
|
||||
| `http.security_txt` | `/.well-known/security.txt` is published (RFC 9116). |
|
||||
| Code | Description | Severity |
|
||||
|-------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------|
|
||||
| `http.tcp_reachable` | Verifies that every probed IP accepts an HTTP connection on the standard port. | CRITICAL |
|
||||
| `https.tcp_reachable` | Verifies that every probed IP accepts an HTTPS connection on the standard port. | CRITICAL |
|
||||
| `http.https_redirect` | Plain HTTP responses must redirect to an HTTPS URL on the same host. | WARNING |
|
||||
| `http.redirect_chain` | Inspects the redirect chain (RFC 9110 §15.4) for loops, excessive length, and scheme downgrades. | WARNING |
|
||||
| `http.redirect_permanence` | HTTP→HTTPS upgrade should use 301 or 308 (permanent) rather than 302/307 (temporary). | WARNING |
|
||||
| `http.hsts` | Verifies the presence and quality of the Strict-Transport-Security header on HTTPS responses. | WARNING |
|
||||
| `http.csp` | Verifies the presence and quality of the Content-Security-Policy header on HTTPS responses. | WARNING |
|
||||
| `http.x_frame_options` | Verifies that responses set X-Frame-Options or a CSP frame-ancestors directive. | WARNING |
|
||||
| `http.x_content_type_options` | Verifies that responses set X-Content-Type-Options: nosniff. | WARNING |
|
||||
| `http.x_xss_protection` | Reports the value of the legacy X-XSS-Protection header (disabled is preferred; CSP is the proper replacement). | INFO |
|
||||
| `http.referrer_policy` | Verifies that responses set a Referrer-Policy header with a privacy-preserving value. | WARNING |
|
||||
| `http.permissions_policy` | Verifies that the Permissions-Policy header restricts powerful APIs (camera, microphone, geolocation, …). | WARNING |
|
||||
| `http.coop` | Verifies the Cross-Origin-Opener-Policy (COOP) header for cross-origin process isolation. | WARNING |
|
||||
| `http.coep` | Verifies the Cross-Origin-Embedder-Policy (COEP) header, required (with COOP) to enable cross-origin isolation. | WARNING |
|
||||
| `http.corp` | Verifies the Cross-Origin-Resource-Policy (CORP) header restricts cross-origin/cross-site embedding of responses. | WARNING |
|
||||
| `http.cookie_flags` | Verifies that cookies set over HTTPS use the Secure, HttpOnly and SameSite attributes. | WARNING |
|
||||
| `http.cookie_prefixes` | Verifies cookies using the __Secure- / __Host- name prefixes meet the RFC 6265bis constraints. | WARNING |
|
||||
| `http.cookie_size` | Flags cookies whose Set-Cookie line exceeds the 4096-byte minimum browsers must support (RFC 6265 §6.1). | WARNING |
|
||||
| `http.sri` | Reports cross-origin script and stylesheet tags that are missing Subresource Integrity (integrity=) attributes. | WARNING |
|
||||
| `http.security_txt` | Reports whether /.well-known/security.txt (RFC 9116) is published. | WARNING |
|
||||
|
||||
## Options
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue