happyDomain/checker-http
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
5 commits 1 branch 1 tag 138 KiB
  • Go 99.3%
  • Makefile 0.4%
  • Dockerfile 0.3%
Find a file
Exact
Pierre-Olivier Mercier 603e93355b Deepen CSP, Permissions-Policy and cookie audits 
Detect CSP weaknesses individually (unsafe-inline, unsafe-eval, missing
default-src/script-src, permissive sources on script-src or its
default-src fallback) instead of a single catch-all "unsafe" code, and
honour CSP3 fetch-directive fallback via EffectiveSources/WildcardSource
helpers. Validate Permissions-Policy values: warn when a powerful
feature (camera, microphone, geolocation, payment, sensors, …) is
granted to all origins. Add a SameSite aggregate state on cookie audits
so callers get the global ratio alongside per-cookie diagnostics.
2026-04-28 18:43:07 +07:00
checker Deepen CSP, Permissions-Policy and cookie audits 2026-04-28 18:43:07 +07:00
plugin Initial commit 2026-04-28 18:42:11 +07:00
.gitignore Initial commit 2026-04-28 18:42:11 +07:00
Dockerfile Initial commit 2026-04-28 18:42:11 +07:00
go.mod Initial commit 2026-04-28 18:42:11 +07:00
go.sum Initial commit 2026-04-28 18:42:11 +07:00
LICENSE Initial commit 2026-04-28 18:42:11 +07:00
main.go Initial commit 2026-04-28 18:42:11 +07:00
Makefile Initial commit 2026-04-28 18:42:11 +07:00
NOTICE Initial commit 2026-04-28 18:42:11 +07:00
README.md Add modern security header rules 2026-04-28 18:42:26 +07:00

README.md

checker-http

HTTP/HTTPS server checker plugin for happyDomain.

Probes the abstract.Server it is attached to over HTTP (port 80) and HTTPS (port 443) and evaluates a battery of independent rules on the response.

Deep TLS / certificate analysis is intentionally delegated to checker-tls - this checker only relies on TLS for transport.

What it checks

Rule What it verifies
http.tcp_reachable Port 80 accepts connections on every A/AAAA address.
https.tcp_reachable Port 443 accepts connections on every A/AAAA address.
http.https_redirect Plain HTTP redirects to HTTPS (warning if not).
http.hsts Strict-Transport-Security is present with a sufficient max-age.
http.csp Content-Security-Policy is set; flags 'unsafe-inline' / 'unsafe-eval'.
http.x_frame_options X-Frame-Options or CSP frame-ancestors provides clickjacking protection.
http.x_content_type_options X-Content-Type-Options: nosniff is set.
http.x_xss_protection Reports the legacy X-XSS-Protection header (recommendation: disable).
http.referrer_policy Referrer-Policy is set to a privacy-preserving value (W3C Referrer Policy).
http.permissions_policy Permissions-Policy is set (W3C Permissions Policy, replaces Feature-Policy).
http.coop Cross-Origin-Opener-Policy isolates the document from cross-origin windows.
http.coep Cross-Origin-Embedder-Policy requires CORP/CORS opt-in for embedded resources.
http.corp Cross-Origin-Resource-Policy restricts cross-origin embedding of responses.
http.cookie_flags Every Set-Cookie has Secure, HttpOnly, and a SameSite attribute.
http.sri Cross-origin <script>/<link> tags carry integrity= (Subresource Integrity).
http.security_txt /.well-known/security.txt is published (RFC 9116).

Options

User-configurable:

  • probeTimeoutMs: per-request timeout (default: 10000)
  • maxRedirects: redirect hops to follow (default: 5)
  • userAgent: User-Agent header to send (default: happyDomain-checker-http/1.0)
  • requireHTTPS: flag plain HTTP that does not redirect (default: true)
  • requireHSTS: require Strict-Transport-Security on HTTPS (default: true)
  • minHSTSMaxAgeDays: minimum acceptable HSTS max-age in days (default: 180)
  • requireCSP: require Content-Security-Policy on HTTPS (default: false)

Deployment

The /collect endpoint has no built-in authentication and will issue HTTP requests to whatever IP addresses the target abstract.Server advertises (including those discovered via the system resolver for additional A/AAAA records). Because those addresses are user-controlled, a domain pointing at 127.0.0.1, an RFC1918 range, or a cloud metadata endpoint (169.254.169.254) will cause the checker to fetch internal resources and return their headers, cookies, and HTML body in the observation payload, a classic SSRF surface.

It is meant to run on a trusted network, reachable only by the happyDomain instance that drives it, and from a network position that cannot reach internal services or metadata endpoints. Restrict access via a reverse proxy with authentication, a network ACL, or by binding the listener to a private interface; do not expose it directly to the public internet, and prefer running it from an egress-restricted network segment.

Build

make            # standalone binary: ./checker-http
make plugin     # Go plugin .so: ./checker-http.so
make docker     # Docker image: happydomain/checker-http

License

AGPL-3.0 (see LICENSE and NOTICE).