From 4be2bc93436c8b0fe6ab816511a5902e4c5ba0fd Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier <nemunaire@nemunai.re>
Date: Thu, 30 Apr 2026 08:57:39 +0700
Subject: [PATCH] Update rules section

---
 README.md | 42 +++++++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index 79ac2ad..ca92a97 100644
--- a/README.md
+++ b/README.md
@@ -9,26 +9,30 @@ Deep TLS / certificate analysis is intentionally **delegated to
 [checker-tls](https://git.happydns.org/checker-tls)** - this checker only
 relies on TLS for transport.
 
-## What it checks
+## Rules
 
-| Rule                              | What it verifies                                                                  |
-| --------------------------------- | --------------------------------------------------------------------------------- |
-| `http.tcp_reachable`              | Port 80 accepts connections on every A/AAAA address.                              |
-| `https.tcp_reachable`             | Port 443 accepts connections on every A/AAAA address.                             |
-| `http.https_redirect`             | Plain HTTP redirects to HTTPS (warning if not).                                   |
-| `http.hsts`                       | `Strict-Transport-Security` is present with a sufficient `max-age`.               |
-| `http.csp`                        | `Content-Security-Policy` is set; flags `'unsafe-inline'` / `'unsafe-eval'`.      |
-| `http.x_frame_options`            | `X-Frame-Options` or CSP `frame-ancestors` provides clickjacking protection.      |
-| `http.x_content_type_options`     | `X-Content-Type-Options: nosniff` is set.                                         |
-| `http.x_xss_protection`           | Reports the legacy `X-XSS-Protection` header (recommendation: disable).           |
-| `http.referrer_policy`            | `Referrer-Policy` is set to a privacy-preserving value (W3C Referrer Policy).     |
-| `http.permissions_policy`         | `Permissions-Policy` is set (W3C Permissions Policy, replaces Feature-Policy).    |
-| `http.coop`                       | `Cross-Origin-Opener-Policy` isolates the document from cross-origin windows.     |
-| `http.coep`                       | `Cross-Origin-Embedder-Policy` requires CORP/CORS opt-in for embedded resources.  |
-| `http.corp`                       | `Cross-Origin-Resource-Policy` restricts cross-origin embedding of responses.     |
-| `http.cookie_flags`               | Every Set-Cookie has `Secure`, `HttpOnly`, and a `SameSite` attribute.            |
-| `http.sri`                        | Cross-origin `<script>`/`<link>` tags carry `integrity=` (Subresource Integrity). |
-| `http.security_txt`               | `/.well-known/security.txt` is published (RFC 9116).                              |
+| Code                          | Description                                                                                                       | Severity            |
+|-------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------|
+| `http.tcp_reachable`          | Verifies that every probed IP accepts an HTTP connection on the standard port.                                    | CRITICAL            |
+| `https.tcp_reachable`         | Verifies that every probed IP accepts an HTTPS connection on the standard port.                                   | CRITICAL            |
+| `http.https_redirect`         | Plain HTTP responses must redirect to an HTTPS URL on the same host.                                              | WARNING             |
+| `http.redirect_chain`         | Inspects the redirect chain (RFC 9110 §15.4) for loops, excessive length, and scheme downgrades.                  | WARNING             |
+| `http.redirect_permanence`    | HTTP→HTTPS upgrade should use 301 or 308 (permanent) rather than 302/307 (temporary).                             | WARNING             |
+| `http.hsts`                   | Verifies the presence and quality of the Strict-Transport-Security header on HTTPS responses.                     | WARNING             |
+| `http.csp`                    | Verifies the presence and quality of the Content-Security-Policy header on HTTPS responses.                       | WARNING             |
+| `http.x_frame_options`        | Verifies that responses set X-Frame-Options or a CSP frame-ancestors directive.                                   | WARNING             |
+| `http.x_content_type_options` | Verifies that responses set X-Content-Type-Options: nosniff.                                                      | WARNING             |
+| `http.x_xss_protection`       | Reports the value of the legacy X-XSS-Protection header (disabled is preferred; CSP is the proper replacement).   | INFO                |
+| `http.referrer_policy`        | Verifies that responses set a Referrer-Policy header with a privacy-preserving value.                             | WARNING             |
+| `http.permissions_policy`     | Verifies that the Permissions-Policy header restricts powerful APIs (camera, microphone, geolocation, …).         | WARNING             |
+| `http.coop`                   | Verifies the Cross-Origin-Opener-Policy (COOP) header for cross-origin process isolation.                         | WARNING             |
+| `http.coep`                   | Verifies the Cross-Origin-Embedder-Policy (COEP) header, required (with COOP) to enable cross-origin isolation.   | WARNING             |
+| `http.corp`                   | Verifies the Cross-Origin-Resource-Policy (CORP) header restricts cross-origin/cross-site embedding of responses. | WARNING             |
+| `http.cookie_flags`           | Verifies that cookies set over HTTPS use the Secure, HttpOnly and SameSite attributes.                            | WARNING             |
+| `http.cookie_prefixes`        | Verifies cookies using the __Secure- / __Host- name prefixes meet the RFC 6265bis constraints.                    | WARNING             |
+| `http.cookie_size`            | Flags cookies whose Set-Cookie line exceeds the 4096-byte minimum browsers must support (RFC 6265 §6.1).          | WARNING             |
+| `http.sri`                    | Reports cross-origin script and stylesheet tags that are missing Subresource Integrity (integrity=) attributes.   | WARNING             |
+| `http.security_txt`           | Reports whether /.well-known/security.txt (RFC 9116) is published.                                                | WARNING             |
 
 ## Options