# checker-http

HTTP/HTTPS server checker plugin for [happyDomain](https://happydomain.org).

Probes the `abstract.Server` it is attached to over HTTP (port 80) and HTTPS (port 443) and evaluates a battery of independent rules on the response. Deep TLS / certificate analysis is intentionally **delegated to [checker-tls](https://git.happydns.org/checker-tls)**; this checker only relies on TLS for transport.

## Rules

| Code | Description | Severity |
|------|-------------|----------|
| `http.tcp_reachable` | Verifies that every probed IP accepts an HTTP connection on the standard port. | CRITICAL |
| `https.tcp_reachable` | Verifies that every probed IP accepts an HTTPS connection on the standard port. | CRITICAL |
| `http.https_redirect` | Plain HTTP responses must redirect to an HTTPS URL on the same host. | WARNING |
| `http.redirect_chain` | Inspects the redirect chain (RFC 9110 §15.4) for loops, excessive length, and scheme downgrades. | WARNING |
| `http.redirect_permanence` | The HTTP→HTTPS upgrade should use 301 or 308 (permanent) rather than 302/307 (temporary). | WARNING |
| `http.hsts` | Verifies the presence and quality of the Strict-Transport-Security header on HTTPS responses. | WARNING |
| `http.csp` | Verifies the presence and quality of the Content-Security-Policy header on HTTPS responses. | WARNING |
| `http.x_frame_options` | Verifies that responses set X-Frame-Options or a CSP frame-ancestors directive. | WARNING |
| `http.x_content_type_options` | Verifies that responses set X-Content-Type-Options: nosniff. | WARNING |
| `http.x_xss_protection` | Reports the value of the legacy X-XSS-Protection header (disabled is preferred; CSP is the proper replacement). | INFO |
| `http.referrer_policy` | Verifies that responses set a Referrer-Policy header with a privacy-preserving value. | WARNING |
| `http.permissions_policy` | Verifies that the Permissions-Policy header restricts powerful APIs (camera, microphone, geolocation, …). | WARNING |
| `http.coop` | Verifies the Cross-Origin-Opener-Policy (COOP) header for cross-origin process isolation. | WARNING |
| `http.coep` | Verifies the Cross-Origin-Embedder-Policy (COEP) header, required (with COOP) to enable cross-origin isolation. | WARNING |
| `http.corp` | Verifies that the Cross-Origin-Resource-Policy (CORP) header restricts cross-origin/cross-site embedding of responses. | WARNING |
| `http.cookie_flags` | Verifies that cookies set over HTTPS use the Secure, HttpOnly and SameSite attributes. | WARNING |
| `http.cookie_prefixes` | Verifies that cookies using the `__Secure-` / `__Host-` name prefixes meet the RFC 6265bis constraints. | WARNING |
| `http.cookie_size` | Flags cookies whose Set-Cookie line exceeds the 4096-byte minimum browsers must support (RFC 6265 §6.1). | WARNING |
| `http.sri` | Reports cross-origin script and stylesheet tags that are missing Subresource Integrity (integrity=) attributes. | WARNING |
| `http.security_txt` | Reports whether /.well-known/security.txt (RFC 9116) is published. | WARNING |

## Options

User-configurable:

- `probeTimeoutMs`: per-request timeout (default: 10000)
- `maxRedirects`: redirect hops to follow (default: 5)
- `userAgent`: User-Agent header to send (default: `happyDomain-checker-http/1.0`)
- `requireHTTPS`: flag plain HTTP that does not redirect (default: true)
- `requireHSTS`: require Strict-Transport-Security on HTTPS (default: true)
- `minHSTSMaxAgeDays`: minimum acceptable HSTS max-age in days (default: 180)
- `requireCSP`: require Content-Security-Policy on HTTPS (default: false)

## Deployment

The `/collect` endpoint has no built-in authentication and will issue HTTP requests to whatever IP addresses the target `abstract.Server` advertises (including those discovered via the system resolver for additional A/AAAA records). Because those addresses are user-controlled, a domain pointing at `127.0.0.1`, an RFC 1918 range, or a cloud metadata endpoint (`169.254.169.254`) will cause the checker to fetch internal resources and return their headers, cookies, and HTML body in the observation payload: a classic SSRF surface.

The checker is meant to run on a trusted network, reachable only by the happyDomain instance that drives it, and from a network position that cannot reach internal services or metadata endpoints. Restrict access via a reverse proxy with authentication, a network ACL, or by binding the listener to a private interface; do not expose it directly to the public internet, and prefer running it from an egress-restricted network segment.

## Build

```sh
make          # standalone binary: ./checker-http
make plugin   # Go plugin .so: ./checker-http.so
make docker   # Docker image: happydomain/checker-http
```

## License

AGPL-3.0 (see [LICENSE](LICENSE) and [NOTICE](NOTICE)).
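The Deployment section above warns that user-controlled addresses turn the checker into an SSRF surface. As an added example (not code from checker-http or happyDomain), this Go helper shows the kind of egress filter a deployment can put in front of the probe, complementing the network-level restrictions: `IsProbeAllowed` and `blockedNets` are hypothetical names, and the blocked ranges are a constructed list.

```go
package main

import (
	"fmt"
	"net"
)

// Constructed list of ranges a checker must never probe: loopback, RFC 1918,
// link-local (covers the cloud metadata endpoint 169.254.169.254), and IPv6 counterparts.
var blockedNets = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err) // static list: a parse error is a programming bug
		}
		nets = append(nets, n)
	}
	return nets
}

// IsProbeAllowed reports whether addr is a public unicast address the checker may contact.
func IsProbeAllowed(addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil || ip.IsUnspecified() || ip.IsMulticast() {
		return false // unparseable input is rejected, not passed through
	}
	// Normalise IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.5) so the IPv4 ranges match it.
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample of what the resolver might return for a checked domain.
	for _, a := range []string{"203.0.113.10", "127.0.0.1", "169.254.169.254", "::ffff:10.0.0.5"} {
		fmt.Printf("%-18s probe=%v\n", a, IsProbeAllowed(a))
	}
}
```

Rejected addresses should still be recorded in the observation so the operator can see why a target was skipped.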