# checker-http

HTTP/HTTPS server checker plugin for [happyDomain](https://happydomain.org).

Probes the `abstract.Server` it is attached to over HTTP (port 80) and HTTPS
(port 443) and evaluates a battery of independent rules on the response.

Deep TLS / certificate analysis is intentionally **delegated to
[checker-tls](https://git.happydns.org/checker-tls)** - this checker only
relies on TLS for transport.

## What it checks

| Rule                              | What it verifies                                                                  |
| --------------------------------- | --------------------------------------------------------------------------------- |
| `http.tcp_reachable`              | Port 80 accepts connections on every A/AAAA address.                              |
| `https.tcp_reachable`             | Port 443 accepts connections on every A/AAAA address.                             |
| `http.https_redirect`             | Plain HTTP redirects to HTTPS (warning if not).                                   |
| `http.hsts`                       | `Strict-Transport-Security` is present with a sufficient `max-age`.               |
| `http.csp`                        | `Content-Security-Policy` is set; flags `'unsafe-inline'` / `'unsafe-eval'`.      |
| `http.x_frame_options`            | `X-Frame-Options` or CSP `frame-ancestors` provides clickjacking protection.      |
| `http.x_content_type_options`     | `X-Content-Type-Options: nosniff` is set.                                         |
| `http.x_xss_protection`           | Reports the legacy `X-XSS-Protection` header (recommendation: disable).           |
| `http.cookie_flags`               | Every Set-Cookie has `Secure`, `HttpOnly`, and a `SameSite` attribute.            |
| `http.sri`                        | Cross-origin `<script>`/`<link>` tags carry `integrity=` (Subresource Integrity). |

## Options

User-configurable:

- `probeTimeoutMs`: per-request timeout (default: 10000)
- `maxRedirects`: redirect hops to follow (default: 5)
- `userAgent`: User-Agent header to send (default: `happyDomain-checker-http/1.0`)
- `requireHTTPS`: flag plain HTTP that does not redirect (default: true)
- `requireHSTS`: require Strict-Transport-Security on HTTPS (default: true)
- `minHSTSMaxAgeDays`: minimum acceptable HSTS max-age in days (default: 180)
- `requireCSP`: require Content-Security-Policy on HTTPS (default: false)

## Deployment

The `/collect` endpoint has no built-in authentication and will issue HTTP
requests to whatever IP addresses the target `abstract.Server` advertises
(including those discovered via the system resolver for additional A/AAAA
records). Because those addresses are user-controlled, a domain pointing at
`127.0.0.1`, an RFC1918 range, or a cloud metadata endpoint
(`169.254.169.254`) will cause the checker to fetch internal resources and
return their headers, cookies, and HTML body in the observation payload,
a classic SSRF surface.

It is meant to run on a trusted network, reachable only by the happyDomain
instance that drives it, and from a network position that cannot reach
internal services or metadata endpoints. Restrict access via a reverse
proxy with authentication, a network ACL, or by binding the listener to a
private interface; do not expose it directly to the public internet, and
prefer running it from an egress-restricted network segment.

## Build

```sh
make            # standalone binary: ./checker-http
make plugin     # Go plugin .so: ./checker-http.so
make docker     # Docker image: happydomain/checker-http
```

## License

AGPL-3.0 (see [LICENSE](LICENSE) and [NOTICE](NOTICE)).