HTTP / HTTPS
The HTTP / HTTPS checker probes the web server declared by a Server service over plain HTTP (port 80) and HTTPS (port 443), then evaluates a battery of independent rules on the responses: reachability, the HTTP→HTTPS redirect chain, and the modern set of HTTP security headers (HSTS, CSP, frame options, cross-origin isolation…) along with cookie hygiene.
Scope: service-level. It attaches to services of type abstract.Server (a subdomain that publishes A/AAAA records) and is configured from that service’s Checks tab.
Deep TLS and certificate analysis is intentionally delegated to the /en/reference/checkers/tls/ checker; this checker relies on TLS only as a transport.
What it checks
| Rule | Verifies | Severity |
|---|---|---|
| http.tcp_reachable | Every probed IP accepts an HTTP connection on port 80. | Critical |
| https.tcp_reachable | Every probed IP accepts an HTTPS connection on port 443. | Critical |
| http.https_redirect | Plain HTTP redirects to an HTTPS URL on the same host. | Warning |
| http.redirect_chain | The redirect chain has no loops, excessive length, or scheme downgrades. | Warning |
| http.redirect_permanence | HTTP→HTTPS upgrade uses 301 or 308 (permanent) rather than 302/307. | Warning |
| http.hsts | Presence and quality of the Strict-Transport-Security header on HTTPS. | Warning |
| http.csp | Presence and quality of the Content-Security-Policy header on HTTPS. | Warning |
| http.x_frame_options | Responses set X-Frame-Options or a CSP frame-ancestors directive. | Warning |
| http.x_content_type_options | Responses set X-Content-Type-Options: nosniff. | Warning |
| http.x_xss_protection | Reports the legacy X-XSS-Protection header value (CSP is the proper replacement). | Info |
| http.referrer_policy | Responses set a privacy-preserving Referrer-Policy header. | Warning |
| http.permissions_policy | The Permissions-Policy header restricts powerful APIs (camera, microphone, geolocation…). | Warning |
| http.coop | The Cross-Origin-Opener-Policy header is set for cross-origin process isolation. | Warning |
| http.coep | The Cross-Origin-Embedder-Policy header is set (required with COOP for cross-origin isolation). | Warning |
| http.corp | The Cross-Origin-Resource-Policy header restricts cross-origin embedding. | Warning |
| http.cookie_flags | Cookies set over HTTPS use the Secure, HttpOnly and SameSite attributes. | Warning |
| http.cookie_prefixes | Cookies using the __Secure- / __Host- prefixes meet the RFC 6265bis constraints. | Warning |
| http.cookie_size | Flags Set-Cookie lines exceeding the 4096-byte minimum browsers must support. | Warning |
| http.sri | Reports cross-origin script/style tags missing Subresource Integrity attributes. | Warning |
| http.security_txt | Reports whether /.well-known/security.txt (RFC 9116) is published. | Warning |
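As an added illustration (not happyDomain's own code), the Go example below evaluates Set-Cookie headers the way the http.cookie_flags and http.cookie_prefixes rules describe: both prefixes require Secure, and __Host- additionally requires Path=/ and no Domain attribute. The function name, finding strings and sample headers are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// cookieFindings (hypothetical helper) parses raw Set-Cookie values seen over
// HTTPS and returns findings tagged with the rule names from the table above.
func cookieFindings(setCookie []string) []string {
	h := http.Header{"Set-Cookie": setCookie}
	var out []string
	add := func(rule, name, msg string) {
		out = append(out, fmt.Sprintf("%s %s: %s", rule, name, msg))
	}
	for _, c := range (&http.Response{Header: h}).Cookies() {
		if !c.Secure {
			add("http.cookie_flags", c.Name, "missing Secure")
		}
		if !c.HttpOnly {
			add("http.cookie_flags", c.Name, "missing HttpOnly")
		}
		switch c.SameSite {
		case http.SameSiteLaxMode, http.SameSiteStrictMode, http.SameSiteNoneMode:
		default: // attribute absent or value not recognised
			add("http.cookie_flags", c.Name, "missing SameSite")
		}
		// Prefix constraints: both need Secure; __Host- also pins host and path.
		isHost := strings.HasPrefix(c.Name, "__Host-")
		if (isHost || strings.HasPrefix(c.Name, "__Secure-")) && !c.Secure {
			add("http.cookie_prefixes", c.Name, "prefix requires Secure")
		}
		if isHost && c.Path != "/" {
			add("http.cookie_prefixes", c.Name, "__Host- requires Path=/")
		}
		if isHost && c.Domain != "" {
			add("http.cookie_prefixes", c.Name, "__Host- forbids Domain")
		}
	}
	return out
}

func main() {
	// Constructed sample headers, not captured from a real server.
	fmt.Println(strings.Join(cookieFindings([]string{
		"__Host-sid=abc; Path=/app; Domain=example.test; Secure; HttpOnly; SameSite=Lax",
		"__Secure-pref=1; Path=/",
	}), "\n"))
}
```

A cookie can pass http.cookie_flags and still fail http.cookie_prefixes, as the first sample shows: its attributes are all present, but the Domain and Path values void the guarantee the __Host- name claims.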
Options
| Option | Meaning | Default |
|---|---|---|
| Per-request timeout (ms) (probeTimeoutMs) | Maximum time allowed for a single HTTP/HTTPS request. | 10000 |
| Max redirects to follow (maxRedirects) | Stop following redirects after this many hops. | 5 |
| User-Agent (userAgent) | User-Agent header sent with every request. | happyDomain-checker-http/1.0 |
| Require HTTPS (requireHTTPS) | Plain HTTP must redirect to HTTPS. | true |
| Require HSTS (requireHSTS) | HTTPS responses must include a Strict-Transport-Security header. | true |
| Min HSTS max-age (days) (minHSTSMaxAgeDays) | Minimum acceptable HSTS max-age, in days. | 180 |
| Require Content-Security-Policy (requireCSP) | HTTPS responses must include a Content-Security-Policy header. | false |
In happyDomain
This is a service-level checker: configure it from the Checks tab of the Server service on the relevant subdomain. For deep certificate posture, add the /en/reference/checkers/tls/ checker as well. For the general workflow of configuring and reading checks, see /en/pages/checks/.