happyDomain/help
2
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
help/content/reference/checkers/http.en.md
Pierre-Olivier Mercier 5ccdd8892f
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
docs: add checker reference pages and update homepage feature list 
Add individual reference pages for all domain health checkers (EN/FR),
update the homepage feature descriptions in both languages to highlight
monitoring, notifications, and domain availability checks.
2026-06-11 17:27:47 +09:00

54 lines
4.3 KiB
Markdown
Raw Permalink Blame History

---
date: 2026-06-11T09:00:00+02:00
author: nemunaire
title: HTTP / HTTPS
description: "Probes a web server over HTTP and HTTPS and evaluates reachability, the redirect chain, and the full battery of HTTP security response headers and cookie hygiene rules."
weight: 180
---
The **HTTP / HTTPS** checker probes the web server declared by a *Server* service over plain HTTP (port 80) and HTTPS (port 443), then evaluates a battery of independent rules on the responses: reachability, the HTTP→HTTPS redirect chain, and the modern set of HTTP security headers (HSTS, CSP, frame options, cross-origin isolation…) along with cookie hygiene.
**Scope:** service-level. It attaches to services of type `abstract.Server` (a subdomain that publishes `A`/`AAAA` records) and is configured from that service's **Checks** tab.
Deep TLS and certificate analysis is intentionally delegated to the {{< relref "/reference/checkers/tls" >}} checker; this checker relies on TLS only as a transport.
## What it checks
| Rule | Verifies | Severity |
|------|----------|----------|
| `http.tcp_reachable` | Every probed IP accepts an HTTP connection on port 80. | Critical |
| `https.tcp_reachable` | Every probed IP accepts an HTTPS connection on port 443. | Critical |
| `http.https_redirect` | Plain HTTP redirects to an HTTPS URL on the same host. | Warning |
| `http.redirect_chain` | The redirect chain has no loops, excessive length, or scheme downgrades. | Warning |
| `http.redirect_permanence` | HTTP→HTTPS upgrade uses 301 or 308 (permanent) rather than 302/307. | Warning |
| `http.hsts` | Presence and quality of the Strict-Transport-Security header on HTTPS. | Warning |
| `http.csp` | Presence and quality of the Content-Security-Policy header on HTTPS. | Warning |
| `http.x_frame_options` | Responses set X-Frame-Options or a CSP `frame-ancestors` directive. | Warning |
| `http.x_content_type_options` | Responses set `X-Content-Type-Options: nosniff`. | Warning |
| `http.x_xss_protection` | Reports the legacy X-XSS-Protection header value (CSP is the proper replacement). | Info |
| `http.referrer_policy` | Responses set a privacy-preserving Referrer-Policy header. | Warning |
| `http.permissions_policy` | The Permissions-Policy header restricts powerful APIs (camera, microphone, geolocation…). | Warning |
| `http.coop` | The Cross-Origin-Opener-Policy header is set for cross-origin process isolation. | Warning |
| `http.coep` | The Cross-Origin-Embedder-Policy header is set (required with COOP for cross-origin isolation). | Warning |
| `http.corp` | The Cross-Origin-Resource-Policy header restricts cross-origin embedding. | Warning |
| `http.cookie_flags` | Cookies set over HTTPS use the Secure, HttpOnly and SameSite attributes. | Warning |
| `http.cookie_prefixes` | Cookies using the `__Secure-` / `__Host-` prefixes meet the RFC 6265bis constraints. | Warning |
| `http.cookie_size` | Flags Set-Cookie lines exceeding the 4096-byte minimum browsers must support. | Warning |
| `http.sri` | Reports cross-origin script/style tags missing Subresource Integrity attributes. | Warning |
| `http.security_txt` | Reports whether `/.well-known/security.txt` (RFC 9116) is published. | Warning |
## Options
| Option | Meaning | Default |
|--------|---------|---------|
| Per-request timeout (ms) (`probeTimeoutMs`) | Maximum time allowed for a single HTTP/HTTPS request. | 10000 |
| Max redirects to follow (`maxRedirects`) | Stop following redirects after this many hops. | 5 |
| User-Agent (`userAgent`) | User-Agent header sent with every request. | `happyDomain-checker-http/1.0` |
| Require HTTPS (`requireHTTPS`) | Plain HTTP must redirect to HTTPS. | true |
| Require HSTS (`requireHSTS`) | HTTPS responses must include a Strict-Transport-Security header. | true |
| Min HSTS max-age (days) (`minHSTSMaxAgeDays`) | Minimum acceptable HSTS max-age, in days. | 180 |
| Require Content-Security-Policy (`requireCSP`) | HTTPS responses must include a Content-Security-Policy header. | false |
## In happyDomain
This is a service-level checker: configure it from the **Checks** tab of the *Server* service on the relevant subdomain. For deep certificate posture, add the {{< relref "/reference/checkers/tls" >}} checker as well. For the general workflow of configuring and reading checks, see {{< relref "/pages/checks" >}}.
Reference in a new issue View git blame Copy permalink