happyDomain/checker-http
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
checker-http/README.md

5.8 KiB
Raw Blame History

checker-http

HTTP/HTTPS server checker plugin for happyDomain.

Probes the abstract.Server it is attached to over HTTP (port 80) and HTTPS (port 443) and evaluates a battery of independent rules on the response.

Deep TLS / certificate analysis is intentionally delegated to checker-tls - this checker only relies on TLS for transport.

Rules

Code Description Severity
http.tcp_reachable Verifies that every probed IP accepts an HTTP connection on the standard port. CRITICAL
https.tcp_reachable Verifies that every probed IP accepts an HTTPS connection on the standard port. CRITICAL
http.https_redirect Plain HTTP responses must redirect to an HTTPS URL on the same host. WARNING
http.redirect_chain Inspects the redirect chain (RFC 9110 §15.4) for loops, excessive length, and scheme downgrades. WARNING
http.redirect_permanence HTTP→HTTPS upgrade should use 301 or 308 (permanent) rather than 302/307 (temporary). WARNING
http.hsts Verifies the presence and quality of the Strict-Transport-Security header on HTTPS responses. WARNING
http.csp Verifies the presence and quality of the Content-Security-Policy header on HTTPS responses. WARNING
http.x_frame_options Verifies that responses set X-Frame-Options or a CSP frame-ancestors directive. WARNING
http.x_content_type_options Verifies that responses set X-Content-Type-Options: nosniff. WARNING
http.x_xss_protection Reports the value of the legacy X-XSS-Protection header (disabled is preferred; CSP is the proper replacement). INFO
http.referrer_policy Verifies that responses set a Referrer-Policy header with a privacy-preserving value. WARNING
http.permissions_policy Verifies that the Permissions-Policy header restricts powerful APIs (camera, microphone, geolocation, …). WARNING
http.coop Verifies the Cross-Origin-Opener-Policy (COOP) header for cross-origin process isolation. WARNING
http.coep Verifies the Cross-Origin-Embedder-Policy (COEP) header, required (with COOP) to enable cross-origin isolation. WARNING
http.corp Verifies the Cross-Origin-Resource-Policy (CORP) header restricts cross-origin/cross-site embedding of responses. WARNING
http.cookie_flags Verifies that cookies set over HTTPS use the Secure, HttpOnly and SameSite attributes. WARNING
http.cookie_prefixes Verifies cookies using the __Secure- / __Host- name prefixes meet the RFC 6265bis constraints. WARNING
http.cookie_size Flags cookies whose Set-Cookie line exceeds the 4096-byte minimum browsers must support (RFC 6265 §6.1). WARNING
http.sri Reports cross-origin script and stylesheet tags that are missing Subresource Integrity (integrity=) attributes. WARNING
http.security_txt Reports whether /.well-known/security.txt (RFC 9116) is published. WARNING

Options

User-configurable:

  • probeTimeoutMs: per-request timeout (default: 10000)
  • maxRedirects: redirect hops to follow (default: 5)
  • userAgent: User-Agent header to send (default: happyDomain-checker-http/1.0)
  • requireHTTPS: flag plain HTTP that does not redirect (default: true)
  • requireHSTS: require Strict-Transport-Security on HTTPS (default: true)
  • minHSTSMaxAgeDays: minimum acceptable HSTS max-age in days (default: 180)
  • requireCSP: require Content-Security-Policy on HTTPS (default: false)

Deployment

The /collect endpoint has no built-in authentication and will issue HTTP requests to whatever IP addresses the target abstract.Server advertises (including those discovered via the system resolver for additional A/AAAA records). Because those addresses are user-controlled, a domain pointing at 127.0.0.1, an RFC1918 range, or a cloud metadata endpoint (169.254.169.254) will cause the checker to fetch internal resources and return their headers, cookies, and HTML body in the observation payload, a classic SSRF surface.

It is meant to run on a trusted network, reachable only by the happyDomain instance that drives it, and from a network position that cannot reach internal services or metadata endpoints. Restrict access via a reverse proxy with authentication, a network ACL, or by binding the listener to a private interface; do not expose it directly to the public internet, and prefer running it from an egress-restricted network segment.

Build

make            # standalone binary: ./checker-http
make plugin     # Go plugin .so: ./checker-http.so
make docker     # Docker image: happydomain/checker-http

License

AGPL-3.0 (see LICENSE and NOTICE).