help/content/reference/checkers/http.en.md

date	author	title	description	weight
2026-06-11T09:00:00+02:00	nemunaire	HTTP / HTTPS	Probes a web server over HTTP and HTTPS and evaluates reachability, the redirect chain, and the full battery of HTTP security response headers and cookie hygiene rules.	180

The HTTP / HTTPS checker probes the web server declared by a Server service over plain HTTP (port 80) and HTTPS (port 443), then evaluates a battery of independent rules on the responses: reachability, the HTTP→HTTPS redirect chain, and the modern set of HTTP security headers (HSTS, CSP, frame options, cross-origin isolation…) along with cookie hygiene.

Scope: service-level. It attaches to services of type abstract.Server (a subdomain that publishes A/AAAA records) and is configured from that service's Checks tab.

Deep TLS and certificate analysis is intentionally delegated to the {{< relref "/reference/checkers/tls" >}} checker; this checker relies on TLS only as a transport.

What it checks

Rule	Verifies	Severity
http.tcp_reachable	Every probed IP accepts an HTTP connection on port 80.	Critical
https.tcp_reachable	Every probed IP accepts an HTTPS connection on port 443.	Critical
http.https_redirect	Plain HTTP redirects to an HTTPS URL on the same host.	Warning
http.redirect_chain	The redirect chain has no loops, excessive length, or scheme downgrades.	Warning
http.redirect_permanence	HTTP→HTTPS upgrade uses 301 or 308 (permanent) rather than 302/307.	Warning
http.hsts	Presence and quality of the Strict-Transport-Security header on HTTPS.	Warning
http.csp	Presence and quality of the Content-Security-Policy header on HTTPS.	Warning
http.x_frame_options	Responses set X-Frame-Options or a CSP frame-ancestors directive.	Warning
http.x_content_type_options	Responses set X-Content-Type-Options: nosniff.	Warning
http.x_xss_protection	Reports the legacy X-XSS-Protection header value (CSP is the proper replacement).	Info
http.referrer_policy	Responses set a privacy-preserving Referrer-Policy header.	Warning
http.permissions_policy	The Permissions-Policy header restricts powerful APIs (camera, microphone, geolocation…).	Warning
http.coop	The Cross-Origin-Opener-Policy header is set for cross-origin process isolation.	Warning
http.coep	The Cross-Origin-Embedder-Policy header is set (required with COOP for cross-origin isolation).	Warning
http.corp	The Cross-Origin-Resource-Policy header restricts cross-origin embedding.	Warning
http.cookie_flags	Cookies set over HTTPS use the Secure, HttpOnly and SameSite attributes.	Warning
http.cookie_prefixes	Cookies using the __Secure- / __Host- prefixes meet the RFC 6265bis constraints.	Warning
http.cookie_size	Flags Set-Cookie lines exceeding the 4096-byte minimum browsers must support.	Warning
http.sri	Reports cross-origin script/style tags missing Subresource Integrity attributes.	Warning
http.security_txt	Reports whether /.well-known/security.txt (RFC 9116) is published.	Warning

Options

Option	Meaning	Default
Per-request timeout (ms) (probeTimeoutMs)	Maximum time allowed for a single HTTP/HTTPS request.	10000
Max redirects to follow (maxRedirects)	Stop following redirects after this many hops.	5
User-Agent (userAgent)	User-Agent header sent with every request.	happyDomain-checker-http/1.0
Require HTTPS (requireHTTPS)	Plain HTTP must redirect to HTTPS.	true
Require HSTS (requireHSTS)	HTTPS responses must include a Strict-Transport-Security header.	true
Min HSTS max-age (days) (minHSTSMaxAgeDays)	Minimum acceptable HSTS max-age, in days.	180
Require Content-Security-Policy (requireCSP)	HTTPS responses must include a Content-Security-Policy header.	false

In happyDomain

This is a service-level checker: configure it from the Checks tab of the Server service on the relevant subdomain. For deep certificate posture, add the {{< relref "/reference/checkers/tls" >}} checker as well. For the general workflow of configuring and reading checks, see {{< relref "/pages/checks" >}}.