Domain Detective

API Reference

Class

HttpAnalysis

Namespace DomainDetective
Assembly DomainDetective
Implements

Performs basic HTTP checks against a web endpoint.

Inheritance

  • Object
  • HttpAnalysis

Usage

This type appears in these public API surfaces even when no hand-authored example is attached directly to the page.

Accepted by parameters

Constructors

Methods

public async Task AnalyzeUrl(String url, Boolean checkHsts, InternalLogger logger, Boolean collectHeaders = false, Boolean captureBody = false, CancellationToken cancellationToken = null, HttpRequestOptions requestOptions = null) #
Returns: Task

Performs an HTTP request to the specified URL.

Parameters

url System.String requiredposition: 0
The URL to query.
checkHsts System.Boolean requiredposition: 1
Whether to check for the presence of HSTS.
logger DomainDetective.InternalLogger requiredposition: 2
Logger used for error reporting.
collectHeaders System.Boolean = false optionalposition: 3
Whether to collect common security headers.
captureBody System.Boolean = false optionalposition: 4
Whether to capture the response body.
cancellationToken System.Threading.CancellationToken = null optionalposition: 5
Token to cancel the operation.
requestOptions DomainDetective.HttpRequestOptions = null optionalposition: 6
Optional request customization options.
public static async Task<HttpAnalysis> CheckUrl(String url, Boolean checkHsts = false, Boolean collectHeaders = false, Boolean captureBody = false, CancellationToken cancellationToken = null) #
Returns: Task<HttpAnalysis>

Convenience method to check a URL with default logging.

Parameters

url System.String requiredposition: 0
The URL to check.
checkHsts System.Boolean = false optionalposition: 1
Whether to check for HSTS.
collectHeaders System.Boolean = false optionalposition: 2
Whether to collect common security headers.
captureBody System.Boolean = false optionalposition: 3
Whether to capture the response body.
cancellationToken System.Threading.CancellationToken = null optionalposition: 4
Cancellation token to stop the operation.

Returns

A populated HttpAnalysis instance.

public static Void LoadHstsPreloadList(String filePath) #
Returns: Void

Loads a JSON array of preloaded HSTS hosts.

Parameters

filePath System.String requiredposition: 0
File path containing the preload list.

Properties

public String Subject { get; set; } #

Gets or sets the subject value.

public Nullable<Int32> StatusCode { get; set; } #

Gets the HTTP status code of the response.

public TimeSpan ResponseTime { get; set; } #

Gets the time taken to receive the response.

public Boolean HstsPresent { get; set; } #

Gets a value indicating whether the HSTS header was present.

public Nullable<Int32> HstsMaxAge { get; set; } #

Gets the max-age value from the HSTS header.

public Boolean HstsIncludesSubDomains { get; set; } #

Gets a value indicating whether includeSubDomains is present in the HSTS header.

public Boolean HstsTooShort { get; set; } #

Gets a value indicating whether the HSTS max-age is shorter than 18 weeks.

public List<String> UnknownHstsDirectives { get; set; } #

Collects unknown or invalid HSTS directives.

public Boolean HstsPreloaded { get; set; } #

Gets a value indicating whether the host is on the HSTS preload list.

public Boolean HstsPreloadDirectivePresent { get; set; } #

Gets a value indicating whether the preload token was found in the HSTS header.

public Boolean HstsPreloadEligible { get; set; } #

Gets a value indicating whether the HSTS header meets preload list requirements.

public Boolean XssProtectionPresent { get; set; } #

Gets a value indicating whether the X-XSS-Protection header was present.

public Boolean ExpectCtPresent { get; set; } #

Gets a value indicating whether the Expect-CT header was present.

public Nullable<Int32> ExpectCtMaxAge { get; set; } #

Gets the max-age value from the Expect-CT header.

public String ExpectCtReportUri { get; set; } #

Gets the report-uri value from the Expect-CT header.

public Boolean PublicKeyPinsPresent { get; set; } #
Obsolete("Public-Key-Pins header is deprecated.")

Gets a value indicating whether the Public-Key-Pins header was present.

public Boolean CspUnsafeDirectives { get; set; } #

Gets a value indicating whether the Content-Security-Policy contains unsafe directives.

public Dictionary<String, SecurityHeader> SecurityHeaders { get; } #

Gets a collection of detected security headers.

public HashSet<String> MissingSecurityHeaders { get; } #

Gets a collection of security headers that were not present.

public Boolean IsReachable { get; set; } #

Gets a value indicating whether the endpoint was reachable.

public String FailureReason { get; set; } #

If IsReachable is false, explains why.

public Version ProtocolVersion { get; set; } #

Gets the HTTP protocol version returned by the server.

public Boolean Http2Supported { get; set; } #

Gets a value indicating whether the server supports HTTP/2.

public Boolean Http3Supported { get; set; } #

Gets a value indicating whether the server supports HTTP/3.

public String QuicVersion { get; set; } #

Gets the QUIC version advertised in the Alt-Svc header.

public String ServerHeader { get; set; } #

Gets the value of the Server header if present.

public String NelRaw { get; set; } #

Raw NEL header if present.

public String ReportToRaw { get; set; } #

Raw Report-To header if present.

public String SpeculationRulesRaw { get; set; } #

Raw speculation-rules header if present.

public String Body { get; set; } #

Gets the response body when captureBody is enabled.

public Nullable<Int32> BodyLength { get; set; } #

Gets the decompressed body length in bytes when captureBody is enabled.

public String BodySha256 { get; set; } #

Gets the SHA-256 hash of the decompressed body when captureBody is enabled.

public Boolean MixedContentDetected { get; set; } #

Gets a value indicating whether HTTPS content references insecure HTTP resources.

public Int32 InsecureFormsCount { get; set; } #

Gets the number of forms with insecure http:// action URLs on an HTTPS page.

public List<String> InsecureFormActions { get; } #

Captures representative insecure form action URLs found on page.

public Boolean PermissionsPolicyPresent { get; set; } #

Gets a value indicating whether a Permissions-Policy header was present.

public Dictionary<String, String> PermissionsPolicy { get; } #

Gets parsed directives from the Permissions-Policy header.

public String ReferrerPolicy { get; set; } #

Gets the value of the Referrer-Policy header if present.

public String XFrameOptions { get; set; } #

Gets the value of the X-Frame-Options header if present.

public String CrossOriginOpenerPolicy { get; set; } #

Gets the value of the Cross-Origin-Opener-Policy header if present.

public String CrossOriginEmbedderPolicy { get; set; } #

Gets the value of the Cross-Origin-Embedder-Policy header if present.

public String CrossOriginResourcePolicy { get; set; } #

Gets the value of the Cross-Origin-Resource-Policy header if present.

public String XPermittedCrossDomainPolicies { get; set; } #

Gets the value of the X-Permitted-Cross-Domain-Policies header if present.

public Boolean OriginAgentClusterPresent { get; set; } #

Gets a value indicating whether the Origin-Agent-Cluster header was present.

public Boolean OriginAgentClusterEnabled { get; set; } #

Gets a value indicating whether Origin-Agent-Cluster is enabled.

public List<String> VisitedUrls { get; } #

Gets the URLs visited when following redirects.

public Int32 MaxRedirects { get; set; } #

Gets or sets the maximum number of redirects to follow.

public HttpRequestMethod RequestMethodUsed { get; set; } #

HTTP method used for the request.

public Boolean TlsValidationDisabled { get; set; } #

True when TLS validation was disabled for the request.

public String ProxyUsed { get; set; } #

Proxy URL used for the request when configured.

public List<String> RequestHeaderNames { get; } #

Request header names that were sent (best-effort; excludes defaults).

public Dictionary<String, String> InformationDisclosureHeaders { get; } #

Information disclosure headers observed (best-effort).

public Dictionary<String, String> CachingHeaders { get; } #

Caching headers observed (best-effort).

public HashSet<String> DeprecatedHeadersPresent { get; } #

Deprecated security headers observed.

public HashSet<String> MissingDeprecatedHeaders { get; } #

Deprecated security headers that were missing.

public Boolean CspFrameAncestorsPresent { get; set; } #

True when CSP contains a frame-ancestors directive.

public TimeSpan Timeout { get; set; } #

Gets or sets the HTTP request timeout.

public Version RequestVersion { get; set; } #

Gets or sets the HTTP version used for requests.

public static IList<String> DefaultSecurityHeaders { get; } #

Gets the default security headers checked when HttpRequestOptions) is called with header collection enabled. The list includes modern headers such as Content-Security-Policy, Referrer-Policy, X-Frame-Options, Permissions-Policy and Origin-Agent-Cluster. Modify this list to customize which headers are captured.

public virtual List<Assessment> Assessments { get; } #

Structured assessments captured during HTTP analysis.

public IReadOnlyList<RecommendationAdvice> Recommendations { get; } #

Actionable recommendations derived from assessments.

{{ include "footer" }}