happyDomain/checker-http
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initial commit

Browse source
This commit is contained in:
nemunaire 2026-04-27 01:31:20 +07:00
commit 542ebdea34
40 changed files with 4592 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

231
checker/rules_security_headers.go Normal file
View file

@ -0,0 +1,231 @@
// This file is part of the happyDomain (R) project.
// Copyright (c) 2020-2026 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
package checker
import (
"context"
"fmt"
"strings"
sdk "git.happydns.org/checker-sdk-go/checker"
)
func init() {
RegisterRule(&hstsRule{})
RegisterRule(&cspRule{})
RegisterRule(&xFrameOptionsRule{})
RegisterRule(&xXSSProtectionRule{})
}
// hstsRule checks the Strict-Transport-Security header on HTTPS responses.
type hstsRule struct{}
func (r *hstsRule) Name() string { return "http.hsts" }
func (r *hstsRule) Description() string {
return "Verifies the presence and quality of the Strict-Transport-Security header on HTTPS responses."
}
func (r *hstsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts sdk.CheckerOptions) []sdk.CheckState {
data, errSt := loadHTTPData(ctx, obs)
if errSt != nil {
return []sdk.CheckState{*errSt}
}
require := sdk.GetBoolOption(opts, OptionRequireHSTS, true)
minDays := sdk.GetIntOption(opts, OptionMinHSTSMaxAgeDays, DefaultMinHSTSMaxAge)
minSeconds := int64(minDays) * 86400
return EvalPerHTTPS(data, "http.hsts", func(p HTTPProbe) sdk.CheckState {
h := ParseHSTS(p.Headers["strict-transport-security"])
if h == nil {
status := sdk.StatusWarn
if !require {
status = sdk.StatusInfo
}
return sdk.CheckState{
Status: status,
Code: "http.hsts.missing",
Subject: p.Address,
Message: "Strict-Transport-Security header is missing.",
Meta: map[string]any{"fix": "Send `Strict-Transport-Security: max-age=15552000; includeSubDomains` from HTTPS responses."},
}
}
if h.MaxAge < minSeconds {
return sdk.CheckState{
Status: sdk.StatusWarn,
Code: "http.hsts.short_max_age",
Subject: p.Address,
Message: fmt.Sprintf("HSTS max-age=%d is below the recommended %d seconds (%d days).", h.MaxAge, minSeconds, minDays),
}
}
return sdk.CheckState{
Status: sdk.StatusOK,
Code: "http.hsts.ok",
Subject: p.Address,
Message: fmt.Sprintf("HSTS present (max-age=%d, includeSubDomains=%v, preload=%v).", h.MaxAge, h.IncludeSub, h.Preload),
}
})
}
// cspRule checks for the presence of a Content-Security-Policy header.
type cspRule struct{}
func (r *cspRule) Name() string { return "http.csp" }
func (r *cspRule) Description() string {
return "Verifies the presence of a Content-Security-Policy header on HTTPS responses."
}
func (r *cspRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts sdk.CheckerOptions) []sdk.CheckState {
data, errSt := loadHTTPData(ctx, obs)
if errSt != nil {
return []sdk.CheckState{*errSt}
}
require := sdk.GetBoolOption(opts, OptionRequireCSP, false)
return EvalPerHTTPS(data, "http.csp", func(p HTTPProbe) sdk.CheckState {
csp := ParseCSP(p.Headers["content-security-policy"])
if csp == nil {
status := sdk.StatusInfo
if require {
status = sdk.StatusWarn
}
return sdk.CheckState{
Status: status,
Code: "http.csp.missing",
Subject: p.Address,
Message: "Content-Security-Policy header is missing.",
Meta: map[string]any{"fix": "Define a CSP appropriate for your application (e.g. default-src 'self')."},
}
}
if csp.HasUnsafe() {
return sdk.CheckState{
Status: sdk.StatusWarn,
Code: "http.csp.unsafe",
Subject: p.Address,
Message: "Content-Security-Policy uses 'unsafe-inline' or 'unsafe-eval'.",
}
}
return sdk.CheckState{
Status: sdk.StatusOK,
Code: "http.csp.ok",
Subject: p.Address,
Message: "Content-Security-Policy is set.",
}
})
}
// xFrameOptionsRule checks X-Frame-Options (or frame-ancestors in CSP as
// an acceptable substitute).
type xFrameOptionsRule struct{}
func (r *xFrameOptionsRule) Name() string { return "http.x_frame_options" }
func (r *xFrameOptionsRule) Description() string {
return "Verifies that responses set X-Frame-Options or a CSP frame-ancestors directive."
}
func (r *xFrameOptionsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
data, errSt := loadHTTPData(ctx, obs)
if errSt != nil {
return []sdk.CheckState{*errSt}
}
return EvalPerHTTPS(data, "http.x_frame_options", func(p HTTPProbe) sdk.CheckState {
xfo := strings.ToUpper(strings.TrimSpace(p.Headers["x-frame-options"]))
hasFrameAncestors := ParseCSP(p.Headers["content-security-policy"]).HasDirective("frame-ancestors")
switch {
case xfo == "DENY" || xfo == "SAMEORIGIN" || hasFrameAncestors:
return sdk.CheckState{
Status: sdk.StatusOK,
Code: "http.x_frame_options.ok",
Subject: p.Address,
Message: "Clickjacking protection is in place.",
}
case xfo != "":
return sdk.CheckState{
Status: sdk.StatusWarn,
Code: "http.x_frame_options.invalid",
Subject: p.Address,
Message: "X-Frame-Options has an unrecognised value: " + xfo,
}
default:
return sdk.CheckState{
Status: sdk.StatusWarn,
Code: "http.x_frame_options.missing",
Subject: p.Address,
Message: "Neither X-Frame-Options nor CSP frame-ancestors is set.",
Meta: map[string]any{"fix": "Send `X-Frame-Options: DENY` (or SAMEORIGIN) or use CSP frame-ancestors."},
}
}
})
}
func init() {
// Showcase: a rule expressed entirely as a HeaderRuleSpec. Compare
// with the hand-rolled rules above — the boilerplate vanishes once
// the only logic is "is this header present and well-formed?".
RegisterRule(HeaderRule(HeaderRuleSpec{
Code: "http.x_content_type_options",
Description: "Verifies that responses set X-Content-Type-Options: nosniff.",
Header: "X-Content-Type-Options",
Required: true,
FixHint: "Add `X-Content-Type-Options: nosniff` to all responses.",
Validate: func(v string) (sdk.Status, string) {
if strings.EqualFold(v, "nosniff") {
return sdk.StatusOK, "X-Content-Type-Options: nosniff is set."
}
return sdk.StatusWarn, "X-Content-Type-Options has an unexpected value: " + strings.ToLower(v)
},
}))
}
// xXSSProtectionRule checks the legacy X-XSS-Protection header. Modern
// browsers ignore it, but if present we want it to be sane.
type xXSSProtectionRule struct{}
func (r *xXSSProtectionRule) Name() string { return "http.x_xss_protection" }
func (r *xXSSProtectionRule) Description() string {
return "Reports the value of the legacy X-XSS-Protection header (disabled is preferred on modern browsers; CSP is the proper replacement)."
}
func (r *xXSSProtectionRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState {
data, errSt := loadHTTPData(ctx, obs)
if errSt != nil {
return []sdk.CheckState{*errSt}
}
return EvalPerHTTPS(data, "http.x_xss_protection", func(p HTTPProbe) sdk.CheckState {
v := strings.TrimSpace(p.Headers["x-xss-protection"])
switch {
case v == "":
return sdk.CheckState{
Status: sdk.StatusInfo,
Code: "http.x_xss_protection.absent",
Subject: p.Address,
Message: "X-XSS-Protection is not set; CSP is the recommended replacement.",
}
case strings.HasPrefix(v, "0"):
return sdk.CheckState{
Status: sdk.StatusOK,
Code: "http.x_xss_protection.disabled",
Subject: p.Address,
Message: "X-XSS-Protection is explicitly disabled (recommended).",
}
case strings.Contains(strings.ToLower(v), "mode=block"):
return sdk.CheckState{
Status: sdk.StatusInfo,
Code: "http.x_xss_protection.enabled",
Subject: p.Address,
Message: "X-XSS-Protection is set to the historically recommended `1; mode=block`. Modern browsers ignore this header; CSP is the proper replacement.",
}
default:
return sdk.CheckState{
Status: sdk.StatusInfo,
Code: "http.x_xss_protection.enabled",
Subject: p.Address,
Message: "X-XSS-Protection is enabled. Modern browsers ignore this header; CSP is the proper replacement.",
}
}
})
}