// This file is part of the happyDomain (R) project. // Copyright (c) 2020-2026 happyDomain // Authors: Pierre-Olivier Mercier, et al. package checker import ( "context" "fmt" "strings" sdk "git.happydns.org/checker-sdk-go/checker" ) func init() { RegisterRule(&hstsRule{}) RegisterRule(&cspRule{}) RegisterRule(&xFrameOptionsRule{}) RegisterRule(&xXSSProtectionRule{}) } // hstsRule checks the Strict-Transport-Security header on HTTPS responses. type hstsRule struct{} func (r *hstsRule) Name() string { return "http.hsts" } func (r *hstsRule) Description() string { return "Verifies the presence and quality of the Strict-Transport-Security header on HTTPS responses." } func (r *hstsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts sdk.CheckerOptions) []sdk.CheckState { data, errSt := loadHTTPData(ctx, obs) if errSt != nil { return []sdk.CheckState{*errSt} } require := sdk.GetBoolOption(opts, OptionRequireHSTS, true) minDays := sdk.GetIntOption(opts, OptionMinHSTSMaxAgeDays, DefaultMinHSTSMaxAge) minSeconds := int64(minDays) * 86400 return EvalPerHTTPS(data, "http.hsts", func(p HTTPProbe) sdk.CheckState { h := ParseHSTS(p.Headers["strict-transport-security"]) if h == nil { status := sdk.StatusWarn if !require { status = sdk.StatusInfo } return sdk.CheckState{ Status: status, Code: "http.hsts.missing", Subject: p.Address, Message: "Strict-Transport-Security header is missing.", Meta: map[string]any{"fix": "Send `Strict-Transport-Security: max-age=15552000; includeSubDomains` from HTTPS responses."}, } } if h.MaxAge < minSeconds { return sdk.CheckState{ Status: sdk.StatusWarn, Code: "http.hsts.short_max_age", Subject: p.Address, Message: fmt.Sprintf("HSTS max-age=%d is below the recommended %d seconds (%d days).", h.MaxAge, minSeconds, minDays), } } return sdk.CheckState{ Status: sdk.StatusOK, Code: "http.hsts.ok", Subject: p.Address, Message: fmt.Sprintf("HSTS present (max-age=%d, includeSubDomains=%v, preload=%v).", h.MaxAge, h.IncludeSub, h.Preload), } }) } // cspRule checks for the presence of a Content-Security-Policy header. type cspRule struct{} func (r *cspRule) Name() string { return "http.csp" } func (r *cspRule) Description() string { return "Verifies the presence of a Content-Security-Policy header on HTTPS responses." } func (r *cspRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, opts sdk.CheckerOptions) []sdk.CheckState { data, errSt := loadHTTPData(ctx, obs) if errSt != nil { return []sdk.CheckState{*errSt} } require := sdk.GetBoolOption(opts, OptionRequireCSP, false) return EvalPerHTTPS(data, "http.csp", func(p HTTPProbe) sdk.CheckState { csp := ParseCSP(p.Headers["content-security-policy"]) if csp == nil { status := sdk.StatusInfo if require { status = sdk.StatusWarn } return sdk.CheckState{ Status: status, Code: "http.csp.missing", Subject: p.Address, Message: "Content-Security-Policy header is missing.", Meta: map[string]any{"fix": "Define a CSP appropriate for your application (e.g. default-src 'self')."}, } } if csp.HasUnsafe() { return sdk.CheckState{ Status: sdk.StatusWarn, Code: "http.csp.unsafe", Subject: p.Address, Message: "Content-Security-Policy uses 'unsafe-inline' or 'unsafe-eval'.", } } return sdk.CheckState{ Status: sdk.StatusOK, Code: "http.csp.ok", Subject: p.Address, Message: "Content-Security-Policy is set.", } }) } // xFrameOptionsRule checks X-Frame-Options (or frame-ancestors in CSP as // an acceptable substitute). type xFrameOptionsRule struct{} func (r *xFrameOptionsRule) Name() string { return "http.x_frame_options" } func (r *xFrameOptionsRule) Description() string { return "Verifies that responses set X-Frame-Options or a CSP frame-ancestors directive." } func (r *xFrameOptionsRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState { data, errSt := loadHTTPData(ctx, obs) if errSt != nil { return []sdk.CheckState{*errSt} } return EvalPerHTTPS(data, "http.x_frame_options", func(p HTTPProbe) sdk.CheckState { xfo := strings.ToUpper(strings.TrimSpace(p.Headers["x-frame-options"])) hasFrameAncestors := ParseCSP(p.Headers["content-security-policy"]).HasDirective("frame-ancestors") switch { case xfo == "DENY" || xfo == "SAMEORIGIN" || hasFrameAncestors: return sdk.CheckState{ Status: sdk.StatusOK, Code: "http.x_frame_options.ok", Subject: p.Address, Message: "Clickjacking protection is in place.", } case xfo != "": return sdk.CheckState{ Status: sdk.StatusWarn, Code: "http.x_frame_options.invalid", Subject: p.Address, Message: "X-Frame-Options has an unrecognised value: " + xfo, } default: return sdk.CheckState{ Status: sdk.StatusWarn, Code: "http.x_frame_options.missing", Subject: p.Address, Message: "Neither X-Frame-Options nor CSP frame-ancestors is set.", Meta: map[string]any{"fix": "Send `X-Frame-Options: DENY` (or SAMEORIGIN) or use CSP frame-ancestors."}, } } }) } func init() { // Showcase: a rule expressed entirely as a HeaderRuleSpec. Compare // with the hand-rolled rules above — the boilerplate vanishes once // the only logic is "is this header present and well-formed?". RegisterRule(HeaderRule(HeaderRuleSpec{ Code: "http.x_content_type_options", Description: "Verifies that responses set X-Content-Type-Options: nosniff.", Header: "X-Content-Type-Options", Required: true, FixHint: "Add `X-Content-Type-Options: nosniff` to all responses.", Validate: func(v string) (sdk.Status, string) { if strings.EqualFold(v, "nosniff") { return sdk.StatusOK, "X-Content-Type-Options: nosniff is set." } return sdk.StatusWarn, "X-Content-Type-Options has an unexpected value: " + strings.ToLower(v) }, })) } // xXSSProtectionRule checks the legacy X-XSS-Protection header. Modern // browsers ignore it, but if present we want it to be sane. type xXSSProtectionRule struct{} func (r *xXSSProtectionRule) Name() string { return "http.x_xss_protection" } func (r *xXSSProtectionRule) Description() string { return "Reports the value of the legacy X-XSS-Protection header (disabled is preferred on modern browsers; CSP is the proper replacement)." } func (r *xXSSProtectionRule) Evaluate(ctx context.Context, obs sdk.ObservationGetter, _ sdk.CheckerOptions) []sdk.CheckState { data, errSt := loadHTTPData(ctx, obs) if errSt != nil { return []sdk.CheckState{*errSt} } return EvalPerHTTPS(data, "http.x_xss_protection", func(p HTTPProbe) sdk.CheckState { v := strings.TrimSpace(p.Headers["x-xss-protection"]) switch { case v == "": return sdk.CheckState{ Status: sdk.StatusInfo, Code: "http.x_xss_protection.absent", Subject: p.Address, Message: "X-XSS-Protection is not set; CSP is the recommended replacement.", } case strings.HasPrefix(v, "0"): return sdk.CheckState{ Status: sdk.StatusOK, Code: "http.x_xss_protection.disabled", Subject: p.Address, Message: "X-XSS-Protection is explicitly disabled (recommended).", } case strings.Contains(strings.ToLower(v), "mode=block"): return sdk.CheckState{ Status: sdk.StatusInfo, Code: "http.x_xss_protection.enabled", Subject: p.Address, Message: "X-XSS-Protection is set to the historically recommended `1; mode=block`. Modern browsers ignore this header; CSP is the proper replacement.", } default: return sdk.CheckState{ Status: sdk.StatusInfo, Code: "http.x_xss_protection.enabled", Subject: p.Address, Message: "X-XSS-Protection is enabled. Modern browsers ignore this header; CSP is the proper replacement.", } } }) }