Initial commit

2026-04-27 01:31:20 +07:00 · 2026-04-27 01:31:20 +07:00 · 542ebdea34
commit 542ebdea34
40 changed files with 4592 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,67 @@
+# checker-http
+
+HTTP/HTTPS server checker plugin for [happyDomain](https://happydomain.org).
+
+Probes the `abstract.Server` it is attached to over HTTP (port 80) and HTTPS
+(port 443) and evaluates a battery of independent rules on the response.
+
+Deep TLS / certificate analysis is intentionally **delegated to
+[checker-tls](https://git.happydns.org/checker-tls)** - this checker only
+relies on TLS for transport.
+
+## What it checks
+
+| Rule                              | What it verifies                                                                  |
+| --------------------------------- | --------------------------------------------------------------------------------- |
+| `http.tcp_reachable`              | Port 80 accepts connections on every A/AAAA address.                              |
+| `https.tcp_reachable`             | Port 443 accepts connections on every A/AAAA address.                             |
+| `http.https_redirect`             | Plain HTTP redirects to HTTPS (warning if not).                                   |
+| `http.hsts`                       | `Strict-Transport-Security` is present with a sufficient `max-age`.               |
+| `http.csp`                        | `Content-Security-Policy` is set; flags `'unsafe-inline'` / `'unsafe-eval'`.      |
+| `http.x_frame_options`            | `X-Frame-Options` or CSP `frame-ancestors` provides clickjacking protection.      |
+| `http.x_content_type_options`     | `X-Content-Type-Options: nosniff` is set.                                         |
+| `http.x_xss_protection`           | Reports the legacy `X-XSS-Protection` header (recommendation: disable).           |
+| `http.cookie_flags`               | Every Set-Cookie has `Secure`, `HttpOnly`, and a `SameSite` attribute.            |
+| `http.sri`                        | Cross-origin `<script>`/`<link>` tags carry `integrity=` (Subresource Integrity). |
+
+## Options
+
+User-configurable:
+
+- `probeTimeoutMs`: per-request timeout (default: 10000)
+- `maxRedirects`: redirect hops to follow (default: 5)
+- `userAgent`: User-Agent header to send (default: `happyDomain-checker-http/1.0`)
+- `requireHTTPS`: flag plain HTTP that does not redirect (default: true)
+- `requireHSTS`: require Strict-Transport-Security on HTTPS (default: true)
+- `minHSTSMaxAgeDays`: minimum acceptable HSTS max-age in days (default: 180)
+- `requireCSP`: require Content-Security-Policy on HTTPS (default: false)
+
+## Deployment
+
+The `/collect` endpoint has no built-in authentication and will issue HTTP
+requests to whatever IP addresses the target `abstract.Server` advertises
+(including those discovered via the system resolver for additional A/AAAA
+records). Because those addresses are user-controlled, a domain pointing at
+`127.0.0.1`, an RFC1918 range, or a cloud metadata endpoint
+(`169.254.169.254`) will cause the checker to fetch internal resources and
+return their headers, cookies, and HTML body in the observation payload,
+a classic SSRF surface.
+
+It is meant to run on a trusted network, reachable only by the happyDomain
+instance that drives it, and from a network position that cannot reach
+internal services or metadata endpoints. Restrict access via a reverse
+proxy with authentication, a network ACL, or by binding the listener to a
+private interface; do not expose it directly to the public internet, and
+prefer running it from an egress-restricted network segment.
+
+## Build
+
+```sh
+make            # standalone binary: ./checker-http
+make plugin     # Go plugin .so: ./checker-http.so
+make docker     # Docker image: happydomain/checker-http
+```
+
+## License
+
+AGPL-3.0 (see [LICENSE](LICENSE) and [NOTICE](NOTICE)).