4.3 KiB
checker-http
HTTP/HTTPS server checker plugin for happyDomain.
Probes the abstract.Server it is attached to over HTTP (port 80) and HTTPS
(port 443) and evaluates a battery of independent rules on the response.
Deep TLS / certificate analysis is intentionally delegated to checker-tls - this checker only relies on TLS for transport.
What it checks
| Rule | What it verifies |
|---|---|
http.tcp_reachable |
Port 80 accepts connections on every A/AAAA address. |
https.tcp_reachable |
Port 443 accepts connections on every A/AAAA address. |
http.https_redirect |
Plain HTTP redirects to HTTPS (warning if not). |
http.hsts |
Strict-Transport-Security is present with a sufficient max-age. |
http.csp |
Content-Security-Policy is set; flags 'unsafe-inline' / 'unsafe-eval'. |
http.x_frame_options |
X-Frame-Options or CSP frame-ancestors provides clickjacking protection. |
http.x_content_type_options |
X-Content-Type-Options: nosniff is set. |
http.x_xss_protection |
Reports the legacy X-XSS-Protection header (recommendation: disable). |
http.referrer_policy |
Referrer-Policy is set to a privacy-preserving value (W3C Referrer Policy). |
http.permissions_policy |
Permissions-Policy is set (W3C Permissions Policy, replaces Feature-Policy). |
http.coop |
Cross-Origin-Opener-Policy isolates the document from cross-origin windows. |
http.coep |
Cross-Origin-Embedder-Policy requires CORP/CORS opt-in for embedded resources. |
http.corp |
Cross-Origin-Resource-Policy restricts cross-origin embedding of responses. |
http.cookie_flags |
Every Set-Cookie has Secure, HttpOnly, and a SameSite attribute. |
http.sri |
Cross-origin <script>/<link> tags carry integrity= (Subresource Integrity). |
http.security_txt |
/.well-known/security.txt is published (RFC 9116). |
Options
User-configurable:
probeTimeoutMs: per-request timeout (default: 10000)maxRedirects: redirect hops to follow (default: 5)userAgent: User-Agent header to send (default:happyDomain-checker-http/1.0)requireHTTPS: flag plain HTTP that does not redirect (default: true)requireHSTS: require Strict-Transport-Security on HTTPS (default: true)minHSTSMaxAgeDays: minimum acceptable HSTS max-age in days (default: 180)requireCSP: require Content-Security-Policy on HTTPS (default: false)
Deployment
The /collect endpoint has no built-in authentication and will issue HTTP
requests to whatever IP addresses the target abstract.Server advertises
(including those discovered via the system resolver for additional A/AAAA
records). Because those addresses are user-controlled, a domain pointing at
127.0.0.1, an RFC1918 range, or a cloud metadata endpoint
(169.254.169.254) will cause the checker to fetch internal resources and
return their headers, cookies, and HTML body in the observation payload,
a classic SSRF surface.
It is meant to run on a trusted network, reachable only by the happyDomain instance that drives it, and from a network position that cannot reach internal services or metadata endpoints. Restrict access via a reverse proxy with authentication, a network ACL, or by binding the listener to a private interface; do not expose it directly to the public internet, and prefer running it from an egress-restricted network segment.
Build
make # standalone binary: ./checker-http
make plugin # Go plugin .so: ./checker-http.so
make docker # Docker image: happydomain/checker-http