Hardenize Organization API v1.123.0

Scroll down for code samples, example requests and responses. Select a language for code samples from the tabs above or the mobile navigation menu.

Hardenize is a platform for continuous monitoring of network and security configuration. Hardenize supports individual accounts, intended for use by a single person, and organization accounts, which are shared among potentially many individuals. Whereas individual accounts are limited, organization accounts can have access to all Hardenize features. The Organization API, documented here, provides ability to manage and retrieve information from organization accounts.

Overview

Stability and Versioning

We aim to provide a stable API that will not break your code as we make new releases. However, this is a living API, which contains parts that are stable, as well as parts that are still under active development. As you read this documentation and adopt the API features, please observe the provided notices to understand what changes we may make in the future.

By default (in absence of any warnings), the API should be considered stable. That means that the future releases won't introduce incompatible changes. For example, we will not move or remove API endpoints, and we won't otherwise change the API structure. However, we may make forward-compatible changes even to the stable parts of the API to introduce new functionality. This means that we may add new API endpoints, new fields to existing objects, and in some cases even new field values where that makes sense (for some non-critical fields). To ensure that no breakage takes place, please ensure that your code ignores unknown fields and unknown field values in response objects.

Parts of this API that are not stable are marked with Under Development and can change without notice. The lifecycle of an API extension is roughly that we will release new parts early, polish them in response to your feedback, and declare them stable once they're considered mature.

Base Location

This specification shows the API endpoints relative to the API's base location, which is shown below. Before you use the base URL, replace the {org} placeholder with your organization's label:

• https://api.hardenize.com/v1/org/{org}/

The organization label is easy to find, just access your account and observe the URL in the browser. It's going to be the last segment of the URL when you navigate to your account's homepage. The URL may be in one of the two following formats:

• https://www.hardenize.com/org/feistyduck/
• https://app.redsift.cloud/sift/hardenize/org/red-sift-hardenize.feistyduck/

In the first URL, the label is feistyduck. In the second, the label includes prefix and is red-sift-hardenize.feistyduck.

Request Methods

When it comes to how we use HTTP request methods, we try to follow the spirit of the HTTP specification. We use GET for requests that retrieve information without making any changes on the server. We use POST for requests that modify data. We use DELETE when data is being deleted.

Paths

We use path segments to group API endpoints with common functions, or endpoints that manage the same type of entity (e.g., certificates). Wherever possible, we use plural forms, for example hosts and groups.

We also use path segment parameters (Section 3.3 in the URI RFC) for types of requests that don't alter resource state but request an action to be performed. A nice way to think about this model is that some resources have buttons, and that you are able to push these buttons via actions. You could say that these endpoints are controllers, and they're common in RPC-style APIs.

The first action we implemented was for webhook testing; to test a webhook, you first build a path that identifies a specific webhook, then append a path segment parameter to indicate which action to perform. The complete path then looks like this: /eventHooks/b349dd;test. Although path segments are not very commonly seen in practice, we believe they're very well suited for this particular use case.

HTTP Response Codes

HTTP doesn't provide a full range of useful response codes, but we try to use the status code that makes more sense. In most cases you'll only need to differentiate between 2xx (all good), 4xx (your fault), and 5xx (our fault) responses.

• 200 OK - successful operation; body contains response
• 201 Created - entity created
• 202 Accepted - entity exists, but we don't want to raise an error
• 204 No Content - successful operation; no further information in the body
• 206 Partial Content - partial resource delivered as requested
• 303 See Other - operation results not yet available
• 400 Bad Request - invalid request (your fault); body contains error messages
• 401 Not Authenticated - credentials not provided or invalid
• 403 Forbidden - you are not authorized to perform action
• 404 Not Found - entity not found or invalid URL
• 405 Method Not Allowed - endpoint doesn't support the attempted request method
• 409 Conflict - conflict with the current state of the target resource
• 416 Range Not Satisfiable - unable to provide the request range
• 422 Unprocessable Entity - request is valid, but cannot be processed, usually due to some business rule.
• 429 Too Many Requests - too many requests, in succession or at the same time
• 500 Internal Server Error - request processing failed (our fault)
• 502 Bad Gateway - API not currently available, for example down for maintenance
• 503 Service Unavailable - Unable to respond, possibly due to being overloaded

MIME Types

Most API endpoints in this specification respond with a JSON object and thus use the application/json MIME type. There are a couple of situations when one endpoint may return different objects depending on context; we use additional MIME types to help you to determine what the responses contain:

• Error responses - if an endpoint is unable to complete successfully, its response will use a non-200 status code and include an ErrorResponse object in the body. The application/vnd.hardenize.v1.error-response+json MIME type will be used.

• Operation statuses - API endpoints that return operation results may return operation status objects if called too early. When that happens, the response body will include an OperationStatus object and use the application/vnd.hardenize.v1.operation-status+json MIME type.

Errors

If an endpoint fails to complete successfully, the response body may include an ErrorResponse instance with one or more error messages. Messages can be associated with the entire transaction or, optionally, with a specific parameter.

{
  "errors": [
    {
      "message": "Operation failed, but we don't want why."
    },
    {
      "param": "firstName",
      "message": "Invalid field value, please try again."
    }
  ]
}

Error responses use a non-200 status code and the application/vnd.hardenize.v1.error-response+json MIME type.

Request Limits

We enforce API usage limits in order to preserve the integrity of our systems. For example, it's very easy to deploy a client that sends thousands of requests by mistake; we wish to defend against situations like that. At this time, we have two main mechanisms that can refuse a request. First, we monitor access rate using the token bucket algorithm, and, by default, allow approximately one request per second, with an allowance for short-term bursts. Second, we don't allow more than 5 concurrent requests. These parameters are enforced separately on individual user access and on all API requests for the same organization. If you're using multiple service accounts, they will share the same organization limits.

Every API response includes the X-Request-Allowance header that contains our view of how you're using the API. This is what the output may look like:

r: 57/60 (+1/1s); c: 1/5

The line begins with information about the request rate limits. The first value (57) shows your current request allowance, the second (60) the maximum value. In the brackets, we show that the allowance will be increased (up to the maximum) at the rate of one per second. The second part of the output shows concurrent requests; in this case one of out maximum five.

For best results, configure your client to submit requests at the same rate at which the tokens regenerate; by default, that's one per second. If you have a request refused (in this case we'll use the 429 response code), wait for a full minute, at which point your burst allowance will be fully restored.

Please get in touch if our default limits don't work for your use cases. We may be able to help by configuring different limits for your organization.

We have additional safety checks that may apply as well. If you're sending requests so fast that we come to believe our main application may be affected, we may reject them early, at the reverse proxy level. In this case you'll observe a 429 response but no X-Request-Allowance header. Limits at this level are designed to kick in only as last resort.

Suborganization Request Limits

The standard request limits described in the previous section apply to all organizations, but additional limits may apply to suborganizations. In this case, we check the individual organization limits as well as the parent limits that apply to all suborganizations in aggregate. There are no default settings for these limits, as different values make sense depending on the number of suborganizations used. If a request is rejected because of the parent restrictions, the X-Parent-Request-Allowance header will be included in the response. This header uses the same format as the X-Request-Allowance response header.

Resource Identifiers

In this API, every resource has an identifier that uniquely identifies within the parent collection. Wherever it makes sense we try to use natural identifiers, for example hostname for host entities. Where that's not possible we use a synthetic identifier and call it id. In this case, treat the identifier as opaque. Despite the fact that the identifier names can vary from entity to entity, they're easy to spot because they're always the first field listed in the documentation.

Data Formats

• For dates, we use ISO8601, or, more specifically, the profile specified in RFC 3339, Section 5.6.

• We typically use hexadecimal encoding for binary data, except in some cases where there are already well-established standards, for example for certificates, which use base64 encoding.

Pagination

Pagination is typically used with API endpoints that may return large amounts of data, where not all of it might be needed, or at least not straight away. If an endpoint supports pagination, clients can initially read only a portion of the response, then come later for the rest. With this approach, the amount of data that needs to be read is minimized, which reduces network traffic and the response latency of interactive operations. There are other benefits. For example potentially expensive operations are cached and don't have to be repeated. Similarly, the data set remains the same, even if the source of the data changes.

We support pagination by splitting operation results into pages of rows, with clients able to collect one, several, or all pages with a single request. Different API endpoints may differ in what they support, in the sense that some may force pagination and some may not allow it.

Clients should use the Range request header to request only one part of the entire resource. For example, the following will obtain only the first page:

Range: pages=1-1

If the server provided a partial response as requested, it will use the 206 Partial Content status code. In this case, the response will also include the Content-Range header that shows what pages have been provided, as well as indicate the total amount of pages available:

Content-Range: pages 1-1/10

We support only retrieval of a single continuous range of pages. If the server cannot fulfil the request, the 416 Not Satisfiable status code will be provided.

Changelog

v1.123.0 (21 November 2024)

• Added /account/;stats endpoint

• Experimental: Certificate expiration can now be tracked via issues.

• Improved Issues documentation.

• Added the Get Host Exclusions endpoint.

v1.122.0 (29 October 2024)

• Added domains and subdomains fields to GetHostStatsResponse

v1.121.0 (22 October 2024)

• Added /hosts/;stats endpoint

v1.120.0 (3 October 2024)

• Extended DmarcReport object with field policy

• Extended SpfReport object with field lookups

v1.119.0 (26 September 2024)

• Extended List certificate summaries with new parameter: nameDigestNewer.

• Extended CertificateSummary object with field nameDigestNewer.

v1.118.0 (26 July 2024)

• Extended List certificate summaries with new parameter: ownership.

• Extended the CertificateSummary object with fields active and caPathLen.

• Extended List expiring endpoints with new parameters: expiredSince, expiredForTier, expiredForDays, expireBy, and expireInTier.

• Extended the CertStats object with TotalsStats

v1.117.0 (25 July 2024)

• Added extras field to CertificateSummary

v1.116.0 (25 July 2024)

• Added new certsLabels field to GetCert that will return a list of CertLabel

• Added extras field to the output CreateCertStats

• Renamed GetCertExtras to CertExtras

v1.115.0 (25 July 2024)

• Added integration parameter to the List Hosts endpoint.

v1.114.0 (16 July 2024)

• Added hostClassificationStatus and hostClassificationTags to ExpiringEndpoint

v1.113.0 (11 July 2024)

• Added definitionIds parameter to ListIssues endpoint.

v1.112.0 (09 July 2024)

• Added classificationStatus and classificationTags to Host

v1.111.0 (08 July 2024)

• Added extended request field to /hosts/{hostname}/services

• Added additional extras field to the output of /hosts/{hostname}/services when extended is true

v1.110.0 (08 July 2024)

• Added the same request parameters from the GET /certs endpoint to the POST /certs/listCerts endpoint.

v1.109.0 (28 June 2024)

• Added new endpoint /hosts/{hostname}/services

• Added new field certs to ServiceData schema

v1.108.0 (19 June 2024)

• removed notificationsRecipients from Certificate Monitoring API

• Removed notificationsAdditionalEmailAddress from Certificate Monitoring API

• Added notificationsEmailAddresses to Certificate Monitoring API

v1.107.0 (13 June 2024)

• Added new field revokedNotExpired to SummaryStats schema.

• Added new fields

v1.106.0 (07 June 2024)

The following new API endpoints have been added:

• /config/hostDefaults
• /config/certificateMonitoring
• /config/ctMonitoring

v1.105.0 (06 June 2024)

• Extend CertDiscovery object with ctLog field

• Extend CertCtLog object with name field

v1.104.0 (4 June 2024)

• Updated array type for field records of HostCaaHistory schema from array of bytes to array of strings.

v1.103.0 (30 May 2024)

• Experimental: Certificate discoveries can now create issues.

• Experimental: Issues can now be dispatched as two events: issue.new and issue.update.

v1.102.0 (24 May 2024)

• New query param called "since" added to Get Cert Discoveries endpoint that's applied to the creation time

v1.101.0 (21 May 2024)

• These new fields have been added to the Certificate schema:
  1. lifetime
  2. lifetimeDays
  3. ku
  4. eku
  5. mustStaple
  6. aki
  7. ski
  8. caIssuers
  9. crl
  10. ocsp
  11. ctInfos shown only in extended mode
  12. Added extras section which contains the following attributes: a. status b. certsDueDays c. certsOverdueDays d. certsCriticalDays

v1.100.0 (20 May 2024)

• Fixed incorrect status value for CertDiscovery

v1.099.0 (9 May 2024)

• Added new API endpoints:
  1. List Certificate Discoveries
  2. Get Cert Discovery
  3. Update Cert Discovery

v1.098.0 (24 April 2024)

• Fixed API inconsistencies for expiring endpoints

v1.097.0 (24 April 2024)

• Added new get certificate statistics endpoint

• Added 'lifetimes' field to AnalysisStats

v1.096.0 (23 April 2024)

• Added two more query parameters:

  1. regRegistry
  2. regPublic

• Extended List Hosts with new fields in the response

v1.095.0 (22 April 2024)

• Added new endpoint for expiring endpoints retrieval

v1.094.0 (17 April 2024)

• Extended DomainsReportResponse and HostReportResponse with two more attributes
  1. groups
  2. tags

v1.093.2 (15 April 2024)

• Added "Maturity: Under Development" for every experimental API endpoint.

v1.093.1 (08 April 2024)

• Added shortId to the Certificate object.

• Added API docs for /certs/revocationHistory endpoint

• Added API docs for /certs/ctLogList endpoint

• Added API docs for /certs/issuanceHistory endpoint

• Added API docs for /certs/expiringCerts endpoint

v1.092.4 (17 March 2024)

• Added API docs for /assessments/ and /reportCards/ endpoints

v1.092.3 (04 March 2024)

• Changed the type of the Group identifier from integer to string. Modified relevant JSON response examples

v1.092.2 (29 February 2024)

• Fixed example value of the Event.data property.

v1.092.1 (28 February 2024)

• Added description to most of OrgDashboardStats properties.

v1.092.0 (12 February 2024)

• Added group parameter to /certs/;stats to return group-related statistics.

• Added /dashboards/;stats to return dashboard statistics.

v1.091.0 (7 February 2024)

• Modified /certs/;stats to return more detailed statistics.

v1.090.1 (1 February 2024)

• Modified /certs/;stats endpoint to be an async operation and marked as experimental.

v1.090.0 (31 January 2024)

• Added /certs/;stats endpoint to retrieve certificate statistics.

v1.089.0 (25 January 2024)

• Added /hosts/{hostname}/pdfReport endpoint to request a PDF report for a host.

v1.088.0 (27 October 2023)

• Added groups parameter to the response of the List Issues endpoint.

• Added groups parameter to the List Issues endpoint. This parameter can be used to filter issues by group names.

v1.087.0 (26 October 2023)

• Added optional "nx" request param to "List hosts" endpoint

v1.086.2 (20 September 2023)

• Added HTTP status 409 to the list of possible responses.

v1.086.1 (7 September 2023)

• The OpenApi schema was cleaned and various syntax issues were fixed.

v1.086.0 (6 June 2023)

• The names of several audit log events have been changed to improve the name consistency. The audit log API may see further changes until we declare it stable.

v1.085.0 (3 April 2023)

• Audit log API endpoints are now available in preview. The goal of this initial release is to requested feedback from our customers, helping us finalize the API and the data model. In subsequent releases, we will focus on completing the taxonomy of events.

• The HDB and Monitor Network API endpoints have been removed. These two sections were experimental and used only internally within our development team.

v1.084.0 (28 February 2023)

• We reviewed our APIs for stability and removed the "Under Development" indicators from a variety sections. There are two section that continue to be under development at this time: Issues and Search.

v1.083.0 (31 January 2023)

• Issues: Added new "Update issue" endpoint

v1.082.0 (5 November 2022)

• Organizations have been extended to support a separate label field. Labels are used in the user interfaces as well as in the URLs exposed to end users. Previously, organization ID also served as a label. Now it's possible to select a nicer, user friendly, label when an organization is created.

v1.081.0 (29 October 2022)

• The Update Organization endpoint has been extended to support modification of organization name.

v1.080.0 (15 September 2022)

• New integrations: CSC and Safenames.

v1.079.0 (17 August 2022)

• Issues: Renamed fixed status to completed, which is more neutral and can be used in a variety of situations.

• Issues: Added a variety of additional statuses, including abandoned, bogus, deprecated, ignored, orphaned, and snoozed.

• Issues: New field: snoozedUntil.

• Issues: New fields: autoOpen and autoPreservedStatus.

v1.078.0 (28 July 2022)

• Added support for programmatic user management, via the new Users section.

• Added support for service accounts, which are special user accounts that can only access the API.

• Modified the UpdateUser endpoint to return a User object and the 200 status code instead of 204 previously.

• Removed the Findings endpoints as they have been replaced by Issues.

v1.077.0 (30 June 2022)

• Extended Issues with the details field. This new field is populated in the Get issue and Transfer issues endpoints and provides additional issue-specific information.

v1.076.0 (23 June 2022)

• Added lastRegLookupTime field to Host

v1.075.0 (17 June 2022)

• Added Issues section.

• Deprecated Findings, which will be removed as soon as all detections are migrated to Issues.

v1.074.0 (27 May 2022)

• Added Identities section.

v1.073.0 (25 May 2022)

• Added support for zone transfers. Hosts whose names match a DNS zone can be configured to perform a zone transfer once a way, either with the primary indicated in the corresponding SOA record, or with an explicitly configured host. There is also a new endpoint to perform a zone transfer on demand, which is useful for testing or to obtain the zone data as needed.

v1.072.0 (28 April 2022)

• Added Findings section.

v1.071.0 (28 March 2022)

• Extended the Host object with new fields: regNx, regNxTime, regRegistry, and regPublic.

v1.070.0 (2 March 2022)

• New Search API endpoint to give direct access to the search functionality.

• Added sanCount field to Certificate.

v1.069.0 (3 November 2021)

• Added tags field to the various Integrations end-points.

v1.068.0 (22 September 2021)

• Added matchIntegration to HostDiscovery. This field is set to true for all discoveries made via an integration with third-party platforms (e.g., cloud accounts).

• Added matchNameserver to HostDiscovery. This field is set to true for discoveries made via nameserver monitoring.

• Added matchInfo object to HostDiscovery. This field contains further information that describe the discovery origin, for example the name of the nameserver or integration details.

v1.067.0 (3 July 2021)

• Added field hostDiscoveryExcludeSuffixes to Organization. This new field can be used to specify multiple host suffixes that will be ignored during discovery.

• Renamed two fields belonging to the Organization object: 1) limitTotalHostsHard is now hostLimitHard; 2) hostsAutoimportSubdomains is now hostDiscoveryAutoimportSubdomains. The old names are no longer documented but will remain supported for at least three months following the update.

• New fields related to certificate discovery and limits added to Organization: certLimitHard, certDiscoveryEnabled, certDiscoveryError, and certDiscoveryErrorTime.

• New fields related to host discovery limits added to Organization: hostDiscoveryEnabled, hostDiscoveryLimitHard, hostDiscoveryError, and hostDiscoveryErrorTime.

v1.066.0 (12 May 2021)

• Complete overhaul of the Nameserver Monitoring section. All endpoints have been reviewed, tweaked, refactored, and documented. New endpoints have been added. This section of the API has progressed from experimental to beta.

v1.065.0 (28 April 2021)

• New endpoint Get DigiCert Order is now available to fetch DigiCert order information when there is a configured DigiCert integration.

• A new API endpoint was introduced to support uniform fetching of results of asynchronous operations. Prior to this API revision, every operation defined its own results endpoint. The existing endpoints are now deprecated, but will continue to be supported.

• The X-Operation-Status-Code status code is now used by Get Response Results to communicate the operation status code, keeping it separate from the status code of the API endpoint itself.

• Endpoints that return operation results now use the application/vnd.hardenize.v1.operation-status+json MIME type when an OperationStatus object is in the response body.

• The OperationStatus object now includes the contentType field.

• Added a new section to better document the MIME types and the format of error responses.

v1.064.0 (17 March 2021)

• Added support for third-party integrations. In this first release, we support integration with AWS, Azure, and GCP cloud accounts.

v1.063.0 (18 February 2021)

• Added tags to Hosts.

• Added tags to Network Ranges.

• Extended groups with new endpoints to get and update a group.

• Added ability to change group name. Group identifiers are now automatically generated from the names, rather than explicitly specified.

• Added support auto groups, which are managed. Unlike groups that are manually maintained, hosts are added to and removed from auto-groups based on the assigned tags. A host that shares a tag with a group will be added to the group. A host that no longer shares any tags with the group will be removed.

v1.062.0 (12 December 2020)

• The Host object has been extended with an experimental config property that contains host configuration. We are initially exposing DMARC settings, but will proceed to add all other aspects of host configuraiton.

• Added new API endpoints for third party integrations

v1.061.0 (30 November 2020)

• Added new API endpoints to deal with SAML configuration.

v1.060.0 (14 November 2020)

• Added new API endpoints to support configuring multi-factor configuration.

v1.059.0 (2 September 2020)

• Extended the Host Discovery Keywords section to support exact matching

v1.058.0 (24 August 2020)

• Added new API endpoints to support configuring network scanning.

v1.057.0 (19 August 2020)

• Added new API endpoint to update certificate data. At this time, we support setting of the muted field, which controls if a certificate will be ignored for expiration notification purposes.

v1.056.0 (9 July 2020)

• Extended the Host Discovery Keywords section to support fine-grained control over what types of matching should be used on a per-keyword basis.

v1.055.0 (8 July 2020)

• Replaced discovered_hostname and effective_hostname fields in the Host Discovery API end-points, with a single hostname field. The Update operation no longer has the ability to change the hostname.

v1.054.0 (12 June 2020)

• New API endpoints to support host discovery via nameserver monitoring.

v1.053.0 (27 February 2020)

• Extended the API with a new section called "Monitor Network", which provides access to our distributed network of monitors that are available to run various network operations. This initial release includes two API endpoints: one that provides a list of available monitor locations and another to run a TLS check from one of the locations.

• Added another layer of request limit allowances that apply to all suborganizations created by the same parent.

• Certificates imported from our historical database now set the origin field to hdb (previously ct). This change makes it possible to distinguish certificates observed in real-time from those that are imported.

v1.052.0 (27 January 2020)

• Introduced several new API endpoints that provide search capabilities of our database of active (non-expired) public certificates. It is possible to search by hostname (exact match, wildcard certificate match, suffix match), keyword (which covers the Subject DN and SAN fields), SHA256, and SPKI.

v1.050.0 (16 January 2020)

• Added support for asynchronous operations. Clients are now able to request operations that will continue to be processed after they disconnect. This feature is typically used with operations that may take a long time and produce a large amount of data.

• Added support for result pagination. When an endpoint supports this feature (this will typically be true in the case of operations that may produce large amounts of data), clients can request the partial results, one page at a time.

v1.049.0 (8 January 2020)

• Extended the Host object with the groups field, which contains the identifiers of all groups the host belongs to.

• Added GetNetworkAccessConfig and UpdateNetworkAccessConfig endpoints that support retrieval and updating of network access restrictions configuration for the API and web UI components.

v1.048.0 (21 November 2019)

• Added CreateNetworkRange, DeleteNetworkRange, UpdateNetworkRange and ListNetworkRanges API endpoints.

v1.047.0 (21 October 2019)

• Added several fields to the Report0 object to indicate full and partial support for various SSL and TLS protocols. The fields that begin with the word "has" (e.g., hasSsl2) indicate that at least one endpoint behind hostname supports a particular protocol. The fields that begin with the word "supports" (e.g., supportsSsl2) indicate that all endpoints behind hostname support a particular protocol.

v1.046.0 (7 October 2019)

• Added field hasHttpsTls12OrBetter to the Report0 object.

v1.045.0 (19 September 2019)

• Added DeleteHostDiscoveries API endpoint.

v1.044.0 (18 September 2019)

• Added UpdateHostDiscoveries API endpoint.

v1.043.0 (24 July 2019)

• Added featureHostDiscovery to suborgs, making it possible to control host discovery on a per-suborg basis.

• Changed the default setting of hostsAutoimportSubdomains to false.

v1.042.0 (11 July 2019)

• Extended the MatchedCtEntry object by adding the tbsSha256 field.

• Extended the pki.cert.new event to always send newly-discovered precertificates, even when their certificate counterparts are already known. With this change consumers have more data and can decide what to keep and what to discard. The semantics of this event effectively haven't changed because any endpoints consuming the events would have had to differentiate between precertificates and certificates prior to this change.

v1.041.0 (4 July 2019)

• Extended the CertCtLog object by adding the type field to indicate CT log entry type (precertificate or certificate).

• Extended the Certificate object with issuerCa and validation fields.

v1.040.0 (19 June 2019)

• Added parentHashesComplete to the Certificate object. Added new value ctPlusRoot for the parentHashesSource field.

v1.039.0 (13 June 2019)

• Two fields added to the Certificate object: parentHashes and parentHashesSource.

• The Delete hosts operation no longer automatically removes all subdomains. Instead, only the explicitly-listed hosts are deleted. The new subdomains parameter can be used to enable the previous behaviour.

• Deprecated the notSymantec value of the symantecStatus field in the Certificate object. Previously, this field was not provided for CA certificates. Going forward, this field also won't be available on certificates that had not been issued from from Symantec's old infrastructure.

Authentication

• HTTP Authentication, scheme: Basic To begin to use the Hardenize Organization API, sign in into your organization and create a new service account, noting the automatically generated credentials. If you're working with suborganizations, request that master API credentials are generated when a new suborganization is created.

Assessments

Maturity: Under Development

The API endpoints in this section allow you to create an assessment, as well as retrieve a status about your assessment.

Create assessment

Code samples

POST /v1/org/{org}/assessments HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /assessments

Maturity: Under Development

Creates an assessment.

Body parameter

{
  "hostname": "example.com",
  "clearCache": false
}

Parameters

Parameter	In	Type	Description
body*	body	CreateAssessmentRequest	The hostname for which the assessment is created.

Example responses

200 Response

{
  "assessment": {
    "id": "eaa6b8c0-5a12-4e5d-add0-fdafb4e89f5d",
    "host": "example.com",
    "path": "/",
    "unicodeHost": "example.com",
    "status": "in_progress",
    "epochTime": 1710854089,
    "statTcpConnections": 0,
    "statTcpEndpointsCount": 0,
    "expectedDuration": 0
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetAssessmentStatusResponse
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Gets status of an assessment

Code samples

GET /v1/org/{org}/assessments/{hostname};status HTTP/1.1
Host: api.hardenize.com

GET /assessments/{hostname};status

Maturity: Under Development

Retrieves the status of an assessment based on the provided hostname.

Parameters

Parameter	In	Type	Description
hostname*	path	string	The hostname for which assessment status is to be retrieved.

Example responses

200 Response

{
  "assessment": {
    "id": "81763d1c-3722-4e66-89ef-b811844bc46c",
    "host": "example.com",
    "path": "/",
    "unicodeHost": "example.com",
    "status": "available",
    "statusMessage": null,
    "epochTime": 1710773815,
    "statTcpConnections": 51,
    "statTcpEndpointsCount": 12,
    "expectedTcpConnections": 50,
    "expectedDuration": 0
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetAssessmentStatusResponse
400	Bad Request	Bad request. The provided hostname is invalid.	Inline

Response Schema

Status Code 400

Name	Type	Required	Restrictions	Description
» error	string	false	none	none

Audit Log

Maturity: Under Development

Audit logs represent a record of key events associated with an organization. They're designed to help with gaining and understanding of activity within an organization, document the associated changes and highlight relevant security events.

Please note that, whilst this feature is still in development, we may change the event schema as well as remove all events from time to time if necessary.

List audit events

Code samples

GET /v1/org/{org}/auditlog HTTP/1.1
Host: api.hardenize.com

GET /auditlog

Retrieves the audit events recorded within the requested time frame. This endpoint will change in due course, as this section matures, to add limits, and support for pagination and filtering.

Parameters

Parameter	In	Type	Description
from	query	string(date-time)	Timestamp of the earliest audit event to return, inclusive.
to	query	string(date-time)	Timestamp of the latest audit event to return, inclusive.

Example responses

200 Response

{
  "events": [
    {
      "id": 10001,
      "actorType": "u",
      "actorId": "userId:12090749",
      "actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
      "timestamp": "2018-09-03T14:09:59.000Z",
      "remoteAddr": "18.233.176.231",
      "sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
      "resourceType": "user",
      "resourceId": "12090749",
      "action": "user.auth.succeeded",
      "status": 200,
      "details": {
        "method": "password"
      }
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListAuditEventsResponse

Configuration

Endpoints in this section provide access to the configuration of the current organization account, as well as make it possible to make configuration changes.

Get Access Control Configuration

Code samples

GET /v1/org/{org}/config/accessControl HTTP/1.1
Host: api.hardenize.com

GET /config/accessControl

Retrieves the current configuration of network access controls. If there are no allowed network ranges in the configuration, that means that all IP addresses are allowed.

Example responses

200 Response

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

Responses

Status	Meaning	Description	Schema
200	OK	Access Control Configuration	GetAccessControlConfigResponse

Get Certificate Monitoring Configuration

Code samples

GET /v1/org/{org}/config/certificateMonitoring HTTP/1.1
Host: api.hardenize.com

GET /config/certificateMonitoring

Retrieves the current configuration of certificate monitoring.

Example responses

200 Response

{
  "notificationsEmailAddresses": [
    "dev@hardenize.com"
  ],
  "notificationsCustomText": "This is a custom text message",
  "pkiTeamId": "devteam",
  "notificationsSendOverdue": false,
  "notificationsSendCritical": false,
  "certsDueDays": 45,
  "certsOverdueDays": 6,
  "certsCriticalDays": 2,
  "vendorCertsCriticalDays": 2,
  "monitorNetworks": true,
  "includeNetworks": [
    "127.0.0.1/32"
  ],
  "excludeNetworks": [
    "127.0.0.1/32"
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	Certificate Monitoring Configuration	CertificateMonitoringResponse

Get Certificate Transparency Monitoring Configuration

Code samples

GET /v1/org/{org}/config/ctMonitoring HTTP/1.1
Host: api.hardenize.com

GET /config/ctMonitoring

Retrieves the current configuration of certificate transparency monitoring.

Example responses

200 Response

{
  "discoveryEmailNotifications": "escalations",
  "closeCertKnown": false,
  "closeCertInstalled": false,
  "closeCertExpired": false,
  "closeCertRevoked": false,
  "closeCaaMatchFull": false,
  "closeIssuerAllowed": false,
  "closeAllowedIssuerKeywords": [
    "string"
  ],
  "closeAllowedIssuerKeywordsOverrides": [
    {
      "pattern": "string",
      "keywords": [
        "string"
      ]
    }
  ],
  "closeCaseInactive": true,
  "closeCaseInactiveDays": 60,
  "escalateCertNotInstalled": false,
  "escalateCertNotInstalledDays": 120,
  "escalateCaaMismatch": true,
  "escalateCertNotCtCompliant": false,
  "escalateIssuerNotAllowed": false,
  "escalateIssuerForbidden": true,
  "escalateForbiddenIssuerKeywords": [
    "forbidden"
  ],
  "escalateCertMaxLifetimeExceeded": false
}

Responses

Status	Meaning	Description	Schema
200	OK	Certificate Transparency Monitoring Configuration	CtMonitoringResponse

Get Host Defaults Configuration

Code samples

GET /v1/org/{org}/config/hostDefaults HTTP/1.1
Host: api.hardenize.com

GET /config/hostDefaults

Retrieves the current configuration of host defaults.

Example responses

200 Response

{
  "newHostStatus": "archived",
  "newHostInheritStatus": true,
  "newHostInheritGroup": false
}

Responses

Status	Meaning	Description	Schema
200	OK	Host Defaults Configuration	HostDefaultsResponse

Get Host Exclusions

Code samples

GET /v1/org/{org}/config/hostExclusions HTTP/1.1
Host: api.hardenize.com

GET /config/hostExclusions

Retrieves the current host exclusions

Example responses

200 Response

{
  "hostExclusions": [
    "example.com"
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	Host Exclusions	HostExclusionsResponse

Get MFA Configuration

Code samples

GET /v1/org/{org}/config/mfa HTTP/1.1
Host: api.hardenize.com

GET /config/mfa

Retrieves the current multi-factor authentication (MFA) configuration.

Example responses

200 Response

{
  "mfaRequired": true
}

Responses

Status	Meaning	Description	Schema
200	OK	MFA Configuration	GetMfaConfigResponse

Get Network Scanning Configuration

Code samples

GET /v1/org/{org}/config/networkScanning HTTP/1.1
Host: api.hardenize.com

GET /config/networkScanning

Retrieves the current network scanning configuration.

Example responses

200 Response

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetNetworkScanningConfigResponse

Get SAML Configuration

Code samples

GET /v1/org/{org}/config/saml HTTP/1.1
Host: api.hardenize.com

GET /config/saml

Retrieves the current SAML configuration.

Example responses

200 Response

{
  "enabled": true,
  "idpMetadata": "string"
}

Responses

Status	Meaning	Description	Schema
200	OK	SAML Configuration	GetSamlConfigResponse

Update Access Control Configuration

Code samples

POST /v1/org/{org}/config/accessControl HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/accessControl

Updates the configuration of network access controls. When making changes to the allowed network ranges, please take care to whitelist the IP address from which the request is being made. To allow access from any IP address, submit an empty list. Not all fields need to be provided. Those that are provided will be updated; those that are not will retain their current values.

Body parameter

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

Parameters

Parameter	In	Type	Description
body	body	UpdateAccessControlConfigRequest	none

Example responses

200 Response

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": true,
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": true
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateAccessControlConfigResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation	None

Update Certificate Monitoring Configuration

Code samples

POST /v1/org/{org}/config/certificateMonitoring HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/certificateMonitoring

Updates the configuration of certificate monitoring.

Body parameter

{
  "notificationsEmailAddresses": [
    "dev@hardenize.com"
  ],
  "notificationsCustomText": "This is a custom notification text",
  "pkiTeamId": "devteam",
  "notificationsSendOverdue": false,
  "notificationsSendCritical": true,
  "certsDueDays": 45,
  "certsOverdueDays": 12,
  "certsCriticalDays": 6,
  "vendorCertsCriticalDays": 6,
  "monitorNetworks": true,
  "includeNetworks": [
    "127.0.0.1/32"
  ],
  "excludeNetworks": [
    "127.0.0.1/32"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	UpdateCertificateMonitoringRequest	none

Example responses

200 Response

{
  "notificationsEmailAddresses": [
    "dev@hardenize.com"
  ],
  "notificationsCustomText": "This is a custom text message",
  "pkiTeamId": "devteam",
  "notificationsSendOverdue": false,
  "notificationsSendCritical": false,
  "certsDueDays": 45,
  "certsOverdueDays": 6,
  "certsCriticalDays": 2,
  "vendorCertsCriticalDays": 2,
  "monitorNetworks": true,
  "includeNetworks": [
    "127.0.0.1/32"
  ],
  "excludeNetworks": [
    "127.0.0.1/32"
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	CertificateMonitoringResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation	None

Update Certificate Transparency Monitoring Configuration

Code samples

POST /v1/org/{org}/config/ctMonitoring HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/ctMonitoring

Updates the configuration of certificate transparency monitoring.

Body parameter

{
  "discoveryEmailNotifications": "escalations",
  "closeCertKnown": false,
  "closeCertInstalled": true,
  "closeCertExpired": false,
  "closeCertRevoked": true,
  "closeCaaMatchFull": false,
  "closeIssuerAllowed": true,
  "closeAllowedIssuerKeywords": [
    "string"
  ],
  "closeAllowedIssuerKeywordsOverrides": [
    {
      "pattern": "string",
      "keywords": [
        "string"
      ]
    }
  ],
  "closeCaseInactive": false,
  "closeCaseInactiveDays": true,
  "escalateCertNotInstalled": false,
  "escalateCertNotInstalledDays": true,
  "escalateCaaMismatch": true,
  "escalateCertNotCtCompliant": false,
  "escalateIssuerNotAllowed": true,
  "escalateIssuerForbidden": false,
  "escalateForbiddenIssuerKeywords": [
    "string"
  ],
  "escalateCertMaxLifetimeExceeded": true
}

Parameters

Parameter	In	Type	Description
body	body	UpdateCtMonitoringRequest	none

Example responses

200 Response

{
  "discoveryEmailNotifications": "escalations",
  "closeCertKnown": false,
  "closeCertInstalled": false,
  "closeCertExpired": false,
  "closeCertRevoked": false,
  "closeCaaMatchFull": false,
  "closeIssuerAllowed": false,
  "closeAllowedIssuerKeywords": [
    "string"
  ],
  "closeAllowedIssuerKeywordsOverrides": [
    {
      "pattern": "string",
      "keywords": [
        "string"
      ]
    }
  ],
  "closeCaseInactive": true,
  "closeCaseInactiveDays": 60,
  "escalateCertNotInstalled": false,
  "escalateCertNotInstalledDays": 120,
  "escalateCaaMismatch": true,
  "escalateCertNotCtCompliant": false,
  "escalateIssuerNotAllowed": false,
  "escalateIssuerForbidden": true,
  "escalateForbiddenIssuerKeywords": [
    "forbidden"
  ],
  "escalateCertMaxLifetimeExceeded": false
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	CtMonitoringResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation	None

Update Host Defaults Configuration

Code samples

POST /v1/org/{org}/config/hostDefaults HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/hostDefaults

Updates the configuration of host defaults.

Body parameter

{
  "newHostStatus": "archived",
  "newHostInheritStatus": true,
  "newHostInheritGroup": false
}

Parameters

Parameter	In	Type	Description
body	body	UpdateHostDefaultsRequest	none

Example responses

200 Response

{
  "newHostStatus": "archived",
  "newHostInheritStatus": true,
  "newHostInheritGroup": false
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	HostDefaultsResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation	None

Update Host Exclusions

Code samples

POST /v1/org/{org}/config/hostExclusions HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/hostExclusions

Updates the list of host exclusions

Body parameter

{
  "hostExclusions": [
    [
      "example.com"
    ]
  ]
}

Parameters

Parameter	In	Type	Description
body	body	UpdateHostExclusionsRequest	none

Example responses

200 Response

{
  "hostExclusions": [
    "example.com"
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	HostExclusionsResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation	None

Update MFA Configuration

Code samples

POST /v1/org/{org}/config/mfa HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/mfa

Updates the MFA configuration for this organization.

Body parameter

{
  "mfaRequired": true
}

Parameters

Parameter	In	Type	Description
body	body	UpdateMfaConfigRequest	none

Example responses

200 Response

{
  "mfaRequired": true
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateMfaConfigResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation or MFA not enabled for this organization	None

Update Network Scanning Configuration

Code samples

POST /v1/org/{org}/config/networkScanning HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/networkScanning

Updates the network scanning configuration for this organisation. Not all fields need to be provided. Those that are provided will be updated; those that are not will retain their current values. Because we carry out network scanning as a slow operation stretched over the course of an entire day, it may take up to 24 hours for your changes to become active.

Body parameter

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	UpdateNetworkScanningConfigRequest	none

Example responses

200 Response

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetNetworkScanningConfigResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation	None

Update SAML Configuration

Code samples

POST /v1/org/{org}/config/saml HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/saml

Updates the SAML configuration for this organization.

Body parameter

{
  "enabled": true,
  "idpMetadata": "string"
}

Parameters

Parameter	In	Type	Description
body	body	UpdateSamlConfigRequest	none

Example responses

200 Response

{
  "enabled": true,
  "idpMetadata": "string"
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateSamlConfigResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation or MFA not enabled for this organization	None

Certificates

The API endpoints in this section allow you to retrieve information about all your certificates, as well as upload your new certificates to us as they become available.

Create certificate

Code samples

POST /v1/org/{org}/certs HTTP/1.1
Host: api.hardenize.com
Content-Type: application/x-pem-file

POST /certs

Use this API endpoint to upload a new certificate to your account. For example, if you've automated certificate generation, we suggest that you also automatically submit all new certificates to Hardenize. That way, when we observe the same certificate via Certificate Transparency, we will know for sure that it belongs to you. We may be able to determine that in any case if we see that the certificate has been installed, but uploading it to us makes this more reliable.

For best results, we recommend that you upload the entire certificate chain received from your CA. That will ensure we also add the required intermediates to your list of certificates. The leaf certificate must be placed first.

Body parameter

-----BEGIN CERTIFICATE-----
MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIx
CzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNV
BAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQD
Ey9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0Eg
MjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVs
dGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20w
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qv
s6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCC
AfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsO
UClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAA
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysG
AQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5j
b20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNv
bW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZl
ckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2Ny
dC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVT
ZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQu
Y29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5o
YXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDe
bJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2
pkP4CxvriyrLQwpB6s2RFQM=
-----END CERTIFICATE-----

Parameters

Parameter	In	Type	Description
body*	body	string	PEM-encoded certificate or certificate chain. If a chain is provided, the leaf certificate must be placed first.

Example responses

201 Response

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-11-21T14:12:47.535Z",
    "notAfter": "2024-11-21T14:12:47.535Z",
    "effectiveNotAfter": "2024-11-21T14:12:47.535Z",
    "revokedOn": "2024-11-21T14:12:47.535Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-11-21T14:12:47.535Z",
    "lastSeen": "2024-11-21T14:12:47.535Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-11-21T14:12:47.535Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-11-21T14:12:47.535Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ]
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-11-21T14:12:47.535Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  }
}

Responses

Status	Meaning	Description	Schema
201	Created	Certificate created.	CreateCertResponse
202	Accepted	Certificate already exists.	CreateCertResponse
400	Bad Request	Invalid certificate chain.	None

Get certificate

Code samples

GET /v1/org/{org}/certs/{sha256} HTTP/1.1
Host: api.hardenize.com

GET /certs/{sha256}

Returns the certificate with the given SHA256 hash, if available in the account.

Parameters

Parameter	In	Type	Description
sha256*	path	string	none
extended	query	boolean	if set, returns certificate with the following additional fields: analysis, matchedHosts, matchedWildcardHosts, thirdPartyHosts, deployments. Setting to false has no effect.

Detailed descriptions

extended: if set, returns certificate with the following additional fields: analysis, matchedHosts, matchedWildcardHosts, thirdPartyHosts, deployments. Setting to false has no effect.

Example responses

200 Response

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-11-21T14:12:47.537Z",
    "notAfter": "2024-11-21T14:12:47.537Z",
    "effectiveNotAfter": "2024-11-21T14:12:47.537Z",
    "revokedOn": "2024-11-21T14:12:47.537Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-11-21T14:12:47.538Z",
    "lastSeen": "2024-11-21T14:12:47.538Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-11-21T14:12:47.538Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-11-21T14:12:47.538Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ]
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-11-21T14:12:47.538Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  },
  "extras": {
    "status": "ok",
    "certsDueDays": 60,
    "certsOverdueDays": 13,
    "certsCriticalDays": 4,
    "certsLabels": "managed"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Successfully retrieved certificate	GetCertResponse
404	Not Found	Certificate not found	None

Get certificate statistics

Code samples

GET /v1/org/{org}/certs/;stats HTTP/1.1
Host: api.hardenize.com

GET /certs/;stats

Maturity: Under Development

Returns certificate statistics from the cache if they exist. If not returns 404 status.

Parameters

Parameter	In	Type	Description
group	query	string	If set, returns only the statistics for certificates that belong to the specified group.

Detailed descriptions

group: If set, returns only the statistics for certificates that belong to the specified group.

Example responses

202 Response

{
  "certStats": {
    "totals": {
      "activeOrNonExpired": 0,
      "onlyOwn": 0,
      "onlyThirdParty": 0,
      "onlyActive": 0
    },
    "summary": {
      "total": 0,
      "unique": 0,
      "certs": 0,
      "precerts": 0,
      "duplicates": 0,
      "valid": 0,
      "notYetValid": 0,
      "expired": 0,
      "effectivelyExpired": 0,
      "revoked": 0,
      "revokedNotExpired": 0,
      "endEntity": 0,
      "ca": 0
    },
    "thirdParty": {
      "total": 0,
      "unique": 0,
      "endEntity": 0,
      "ca": 0
    },
    "usage": {
      "active": 0,
      "expired": 0,
      "expirationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      }
    },
    "analysis": {
      "issuerCa": {
        "property1": 0,
        "property2": 0
      },
      "keyAlg": {
        "property1": 0,
        "property2": 0
      },
      "keyAlgLen": {
        "property1": 0,
        "property2": 0
      },
      "keyStrength": {
        "property1": 0,
        "property2": 0
      },
      "sigAlg": {
        "property1": 0,
        "property2": 0
      },
      "validation": {
        "property1": 0,
        "property2": 0
      },
      "lifetimes": {
        "property1": 0,
        "property2": 0
      },
      "wildcards": 0,
      "nonWildcards": 0
    },
    "activity": {
      "issuanceTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      },
      "revocationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      },
      "expirationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      }
    },
    "timestamp": "2024-11-21T14:12:47.540Z"
  },
  "extras": {
    "certsDueDays": 0,
    "certsOverdueDays": 0,
    "certsCriticalDays": 0
  }
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Successfully retrieved certificate statistics	CertsStatsResponse
404	Not Found	Certificate statistics not found	None

Get CT Log list

Code samples

GET /v1/org/{org}/certs/ctLogs HTTP/1.1
Host: api.hardenize.com

GET /certs/ctLogs

Retrieves the CT Log list.

Example responses

200 Response

{
  "ctLogs": [
    {
      "name": "Cloudflare 'Nimbus2023' Log",
      "url": "ct.cloudflare.com/logs/nimbus2023",
      "mmd": 86400,
      "lastIndex": 94000,
      "lastTimestamp": "2024-11-21T14:12:47.542Z"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	CT Log list	CtLogsResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	You don't have permission to perform this operation.	None

Get DigiCert Order

Code samples

GET /v1/org/{org}/certs/{sha256}/digicert/order HTTP/1.1
Host: api.hardenize.com

GET /certs/{sha256}/digicert/order

This endpoint can be used to retrieve a DigiCert Order associated with a certificate, provided there is a working DigiCert CertCentral integration in place. When invoked, we look for the order information using the CertCentral API. If we obtain a response, this endpoint will pass through the results back in its response. The full documentation for the response is available in DigiCert's API documentation.

Please note that, before invoking the CertCentral API, we can't tell if a certificate is the configured DigiCert account. If it's not, you will see a 404 response. We have also noticed that CertCentral sometimes responds with a 503 status code for a certificate that resides in someone else's account. That might happen if you attempt to fetch order information for a managed/third-party certificate issued by DigiCert. We try to detect this case early by checking the certificate before talking to CertCentral.

There is no caching of order information at present, but we anticipate that it will be added in a future release.

Parameters

Parameter	In	Type	Description
sha256*	path	string	none

Responses

Status	Meaning	Description	Schema
200	OK	Order information available	None
400	Bad Request	Invalid request or certificate not applicable	None
404	Not Found	Certificate or order not found	None

List certificates

Code samples

GET /v1/org/{org}/certs HTTP/1.1
Host: api.hardenize.com

GET /certs

By default, this endpoint returns a list of all your certificates. If you provide one of the optional parameters, only the certificates matching the specified filters will be listed. If you provide multiple parameters, only the certificates matching all the specified filters will be listed.

Parameters

Parameter	In	Type	Description
active	query	boolean	If set, returns only active or inactive certificates
expired	query	boolean	If set, returns only expired or non-expired certificates
expireInDays	query	integer	If set, returns only certificates that have already expired or expire in the specified number of days, according to the effectiveNotAfter timestamp
host	query	string	If set, returns only certificates that are valid for the specified host, either because they contain the exact hostname or because they are wildcards and contain the parent hostname (e.g., a search for blog.example.com will match *.example.com wildcards)
limit	query	integer	If set, returns only up to the specified number of certificates.
newSince	query	string(date-time)	If set, returns only certificates added to the account since the specified date.
excludeDuplicates	query	boolean	if set to true, will return non duplicate certificates.
activeOrNonExpired	query	boolean	If set to true, returns active or non-expired certificates. Setting to false has no effect.
spkiSha256	query	string	If set, returns only certificates whose public key (SPKI) matches the provided hash

Example responses

200 Response

{
  "certs": [
    {
      "shortId": "572908a",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "validation": "dv",
      "notBefore": "2024-11-21T14:12:47.543Z",
      "notAfter": "2024-11-21T14:12:47.543Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.543Z",
      "revokedOn": "2024-11-21T14:12:47.543Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "ECDSAwithSHA256",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "sanCount": 1,
      "caPathLen": -1,
      "wildcard": true,
      "selfSigned": false,
      "firstSeen": "2024-11-21T14:12:47.543Z",
      "lastSeen": "2024-11-21T14:12:47.543Z",
      "seenInstalled": true,
      "active": true,
      "precert": false,
      "duplicate": false,
      "managed": true,
      "ownership": "own",
      "label": "ssl760680.cloudflaressl.com",
      "matchesOrgHost": true,
      "symantecStatus": "symantecExcluded",
      "ctRequired": true,
      "ctCompliant": true,
      "ctLogs": [
        {
          "name": "rocketeer",
          "log": "ct.googleapis.com/rocketeer",
          "timestamp": 1533791245857,
          "index": 232455,
          "type": "cert",
          "sources": [
            "log",
            "tls"
          ]
        }
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
      "origin": "ct",
      "originTitle": "CT",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "parentHashes": [
        "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
        "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
      ],
      "parentHashesSource": "ct",
      "parentHashesComplete": true,
      "analysis": {
        "id": "ITEM_DOMAIN_REGISTRATION",
        "name": "Domain Registration",
        "status": "good",
        "remarks": [
          {
            "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
            "title": "Nameserver is not operational",
            "content": "Good. The private key associated with this certificate is secure.",
            "severity": "good",
            "data": {
              "Name": "dns1.registrar-servers.com.",
              "Address": "2610:a1:1024::200",
              "Reverse name": "dns1.registrar-servers.com."
            }
          }
        ]
      },
      "matchedHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "matchedWildcardHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "thirdPartyHosts": [
        "hardenize.com"
      ],
      "deployments": {
        "hosts": [
          {
            "hostname": "string",
            "service": "dns",
            "serviceHostname": "string",
            "lastSeen": "2024-11-21T14:12:47.543Z"
          }
        ],
        "services": [
          {
            "hostname": "string",
            "address": "string",
            "port": 0,
            "asNumber": 0,
            "asName": "string",
            "cloudProvider": "string",
            "cloudRegion": "string",
            "lastSeen": "2024-11-21T14:12:47.543Z",
            "certs": [
              "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
              "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
            ]
          }
        ]
      },
      "lifetime": "PT17652H",
      "lifetimeDays": 736,
      "ku": [
        "keyEncipherment",
        "digitalSignature"
      ],
      "eku": [
        "serverAuth",
        "clientAuth"
      ],
      "mustStaple": true,
      "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
      "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
      "caIssuers": [
        "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
      ],
      "crl": [
        "http://crl3.digicert.com/sha2-ev-server-g2.crl",
        "http://crl4.digicert.com/sha2-ev-server-g2.crl"
      ],
      "ocsp": [
        "http://ocsp.digicert.com"
      ],
      "ctInfos": [
        {
          "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
          "timestamp": "2024-11-21T14:12:47.544Z",
          "name": "Google 'Xenon2024' log",
          "status": "Qualified"
        }
      ]
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListCertsResponse

List certificates summaries

Code samples

GET /v1/org/{org}/certs/summaries HTTP/1.1
Host: api.hardenize.com

GET /certs/summaries

By default, this endpoint returns a list of all your certificates. If you provide one of the optional parameters, only the certificates matching the specified filters will be listed. If you provide multiple parameters, only the certificates matching all the specified filters will be listed.

Parameters

Parameter	In	Type	Description
active	query	boolean	If set, returns only active or inactive certificates
expired	query	boolean	If set, returns only expired or non-expired certificates
expireInDays	query	integer	If set, returns only certificates that have already expired or expire in the specified number of days, according to the effectiveNotAfter timestamp
host	query	string	If set, returns only certificates that are valid for the specified host, either because they contain the exact hostname or because they are wildcards and contain the parent hostname (e.g., a search for blog.example.com will match *.example.com wildcards)
limit	query	integer	If set, returns only up to the specified number of certificates.
newSince	query	string(date-time)	If set, returns only certificates added to the account since the specified date.
excludeDuplicates	query	boolean	if set to true, will return non duplicate certificates.
activeOrNonExpired	query	boolean	If set to true, returns active or non-expired certificates. Setting to false has no effect.
spkiSha256	query	string	If set, returns only certificates whose public key (SPKI) matches the provided hash
ownership	query	string	If set, returns only certificates whose ownership matches the value in the regex pattern

Example responses

200 Response

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-11-21T14:12:47.545Z",
      "notAfter": "2024-11-21T14:12:47.545Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.545Z",
      "revokedOn": "2024-11-21T14:12:47.545Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed"
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	CertificateSummaryResponse

List expiring certificates

Code samples

GET /v1/org/{org}/certs/expiringCerts/{groupLabel} HTTP/1.1
Host: api.hardenize.com

GET /certs/expiringCerts/{groupLabel}

Maturity: Under Development

Retrieves expiring certificates.

Parameters

Parameter	In	Type	Description
groupLabel	path	string	If set, returns only the expiring certificates whose domain belongs to the specified group.
interval	query	integer	If set, returns only the expiring certificates in the last days days.
ignoreExpiredDays	query	integer	If set, returns certificates expired more than ignoreExpiredDays days ago.
limit	query	integer	If set, returns only the first limit expiring certificates.

Detailed descriptions

groupLabel: If set, returns only the expiring certificates whose domain belongs to the specified group.

interval: If set, returns only the expiring certificates in the last days days.

ignoreExpiredDays: If set, returns certificates expired more than ignoreExpiredDays days ago.

limit: If set, returns only the first limit expiring certificates.

Example responses

200 Response

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-11-21T14:12:47.546Z",
      "notAfter": "2024-11-21T14:12:47.546Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.546Z",
      "revokedOn": "2024-11-21T14:12:47.546Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed"
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	CertificateSummaryResponse
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

List expiring endpoints

Code samples

GET /v1/org/{org}/certs/expiringEndpoints/{groupLabel} HTTP/1.1
Host: api.hardenize.com

GET /certs/expiringEndpoints/{groupLabel}

Maturity: Under Development

Retrieves a list of expiring endpoints, which are network locations where we're seeing certificates that are about to expire. When using this API endpoint, first you need to think whether you want to see certificates that have already expired. By default, you will get all expired certificates. If you want to see only a subset, use one of expiredSince, expiredForDays, or expiredForTier parameters. The second decision is about what still-valid certificates you want to see and for how long in the future. By default, we return the certificates that fall within the overdue tier, but you can use the expireBy, expireInDays, or expireInTier parameters to override this. It is sometimes useful to use tiers, because they are always translated to the correct time ranges based on your current settings.

Parameters

Parameter	In	Type	Description
groupLabel	path	string	If set, returns only the expiring endpoints whose domain belongs to the specified group.
expiredForDays	query	integer	If set, returns only endpoints with certificates expired in the last expiredForDays days.
expiredSince	query	date-time	If set, returns only endpoints with certificates that expired since the provided timestamp.
expiredForTier	query	string	If set, converts the supplied tier to the correct expiredForDays value.
expireBy	query	date-time	If set, returns only endpoints with certificates that will expire by the provided timestamp.
expireInDays	query	integer	If set, returns only endpoints with certificates expiring in the next expireInDays days.
expireInTier	query	string	If set, converts the supplied tier to the correct expireInTier value.
limit	query	integer	If set, returns only the first limit expiring endpoints. The default limit is 1,000.
integration	query	string	none

Detailed descriptions

groupLabel: If set, returns only the expiring endpoints whose domain belongs to the specified group.

expiredForDays: If set, returns only endpoints with certificates expired in the last expiredForDays days.

expiredSince: If set, returns only endpoints with certificates that expired since the provided timestamp.

expiredForTier: If set, converts the supplied tier to the correct expiredForDays value.

expireBy: If set, returns only endpoints with certificates that will expire by the provided timestamp.

expireInDays: If set, returns only endpoints with certificates expiring in the next expireInDays days.

expireInTier: If set, converts the supplied tier to the correct expireInTier value.

limit: If set, returns only the first limit expiring endpoints. The default limit is 1,000.

Example responses

200 Response

{
  "expiringEndpoints": [
    {
      "hostname": "example.net",
      "serviceHostname": "service.example.com",
      "serviceDomain": "example.com",
      "serviceAddress": "127.0.0.1",
      "servicePort": 443,
      "certNotAfter": "2024-11-21T14:12:47.553Z",
      "certEffectiveNotAfter": "2024-11-21T14:12:47.553Z",
      "serviceLastSeen": "2024-11-21T14:12:47.553Z",
      "certShortId": "572908a",
      "certSha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "certDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "certSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "certIssuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "certIssuerCa": "Let's Encrypt",
      "certSan": "*.hardenize.com",
      "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
      "asNumber": "12345",
      "hostClassificationStatus": "active",
      "hostClassificationTags": [
        [
          "signin"
        ]
      ]
    }
  ],
  "extras": {
    "certsDueDays": 0,
    "certsOverdueDays": 0,
    "certsCriticalDays": 0
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ExpiringEndpointsResponse
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

List issuance history

Code samples

GET /v1/org/{org}/certs/issuanceHistory/{groupLabel} HTTP/1.1
Host: api.hardenize.com

GET /certs/issuanceHistory/{groupLabel}

Maturity: Under Development

Retrieves certificates issuance.

Parameters

Parameter	In	Type	Description
groupLabel	path	string	If set, returns only the certificates issuance whose domain belongs to the specified group.
interval	query	integer	If set, returns only the certificates issuance in the last days days.
limit	query	integer	If set, returns only the first limit certificates issuance.

Detailed descriptions

groupLabel: If set, returns only the certificates issuance whose domain belongs to the specified group.

interval: If set, returns only the certificates issuance in the last days days.

limit: If set, returns only the first limit certificates issuance.

Example responses

200 Response

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-11-21T14:12:47.555Z",
      "notAfter": "2024-11-21T14:12:47.555Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.555Z",
      "revokedOn": "2024-11-21T14:12:47.555Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed"
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	CertificateSummaryResponse
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

List revoked certificates

Code samples

GET /v1/org/{org}/certs/revocationHistory/{groupLabel} HTTP/1.1
Host: api.hardenize.com

GET /certs/revocationHistory/{groupLabel}

Maturity: Under Development

Retrieves revoked certificates.

Parameters

Parameter	In	Type	Description
interval	query	integer	If set, returns only the revoked certificates which were revoked in the last days days.
limit	query	integer	If set, returns only the first limit revoked certificates.
groupLabel	path	string	If set, returns only the revoked certificates whose domain belongs to the specified group.

Detailed descriptions

interval: If set, returns only the revoked certificates which were revoked in the last days days.

limit: If set, returns only the first limit revoked certificates.

groupLabel: If set, returns only the revoked certificates whose domain belongs to the specified group.

Example responses

200 Response

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-11-21T14:12:47.555Z",
      "notAfter": "2024-11-21T14:12:47.555Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.555Z",
      "revokedOn": "2024-11-21T14:12:47.555Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed"
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	CertificateSummaryResponse
400	Bad Request	Invalid parameters	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Request certificates statistics

Code samples

POST /v1/org/{org}/certs/;stats HTTP/1.1
Host: api.hardenize.com

POST /certs/;stats

Maturity: Under Development

Request statistics about certificates in the organization.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: CertsStatsResponse

Parameters

Parameter	In	Type	Description
group	query	string	If set, returns only the statistics for certificates that belong to the specified group.

Detailed descriptions

group: If set, returns only the statistics for certificates that belong to the specified group.

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted.	OperationStatus

Request certificates, paginated

Code samples

POST /v1/org/{org}/certs/;listCerts HTTP/1.1
Host: api.hardenize.com

POST /certs/;listCerts

Maturity: Under Development

Request a list of all your certificates.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: ListCertsResponse

Parameters

Parameter	In	Type	Description
active	query	boolean	If set, returns only active or inactive certificates
expired	query	boolean	If set, returns only expired or non-expired certificates
expireInDays	query	integer	If set, returns only certificates that have already expired or expire in the specified number of days, according to the effectiveNotAfter timestamp
host	query	string	If set, returns only certificates that are valid for the specified host, either because they contain the exact hostname or because they are wildcards and contain the parent hostname (e.g., a search for blog.example.com will match *.example.com wildcards)
limit	query	integer	If set, returns only up to the specified number of certificates.
newSince	query	string(date-time)	If set, returns only certificates added to the account since the specified date.
excludeDuplicates	query	boolean	if set to true, will return non duplicate certificates.
activeOrNonExpired	query	boolean	If set to true, returns active or non-expired certificates. Setting to false has no effect.
spkiSha256	query	string	If set, returns only certificates whose public key (SPKI) matches the provided hash

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Update certificate

Code samples

POST /v1/org/{org}/certs/{sha256} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /certs/{sha256}

Updates the certificate with the given SHA256. Most certificate fields are read-only as they are extracted from certificates themselves. The fields that can be changed are related to how certificates are managed.

Body parameter

{
  "muted": true
}

Parameters

Parameter	In	Type	Description
sha256*	path	string	none
body	body	UpdateCertRequest	none

Example responses

200 Response

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-11-21T14:12:47.557Z",
    "notAfter": "2024-11-21T14:12:47.557Z",
    "effectiveNotAfter": "2024-11-21T14:12:47.557Z",
    "revokedOn": "2024-11-21T14:12:47.557Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-11-21T14:12:47.557Z",
    "lastSeen": "2024-11-21T14:12:47.557Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-11-21T14:12:47.558Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-11-21T14:12:47.558Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ]
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-11-21T14:12:47.558Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Certificate updated	UpdateCertResponse
404	Not Found	Certificate not found	None

Certificate Discoveries

Maturity: Under Development

This section provides access to the certificate discoveries functionality. When Certificate Transparency (CT) monitoring is enabled in a Hardenize account, we monitor worldwide issuance of public certificates in real time. We further examine the hosts embedded in each certificate and import relevant certificates into the account. We further create an instance of certificate discovery, where we analyze the certificate for misissuance and conformance with organization policies.

Certificate discoveries are updated daily until they are closed, either manually or by one of the configured policy rules. Please note that the discovery fields preserve the last open state; they're not updated once the discovery is closed.

Get certificate discovery

Code samples

GET /v1/org/{org}/certDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com

GET /certDiscoveries/{id}

Maturity: Under Development

Returns the requested certificate discovery.

Example responses

200 Response

{
  "certDiscovery": {
    "certDiscoveryId": 11766,
    "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "createdOn": "2022-06-17T00:00:00Z",
    "updatedOn": "2022-06-17T00:00:00Z",
    "closedOn": "2022-06-17T00:00:00Z",
    "escalated": false,
    "status": "open",
    "resolution": "undetermined",
    "certSummary": {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-11-21T14:12:47.559Z",
      "notAfter": "2024-11-21T14:12:47.559Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.559Z",
      "revokedOn": "2024-11-21T14:12:47.559Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed"
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    },
    "certKnown": false,
    "certInstalled": true,
    "certExpired": false,
    "certRevoked": false,
    "issuerAllowed": true,
    "issuerAllowedKeyword": "GlobalSign",
    "issuerNotAllowed": false,
    "issuerForbidden": false,
    "issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "caaMismatch": false,
    "caaMatchFull": false,
    "notCtCompliant": false,
    "maxLifetimeExceeded": false,
    "timeoutCaseInactive": false,
    "timeoutCertNotInstalled": false,
    "matchedHosts": [
      [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ]
    ],
    "matchedHostsInfo": {
      "property1": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      },
      "property2": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      }
    },
    "matchedHostsCaaHistory": {
      "property1": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-11-21T14:12:47.559Z",
          "lastSeen": "2024-11-21T14:12:47.559Z",
          "records": [
            "string"
          ]
        }
      ],
      "property2": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-11-21T14:12:47.559Z",
          "lastSeen": "2024-11-21T14:12:47.559Z",
          "records": [
            "string"
          ]
        }
      ]
    },
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ]
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetCertDiscoveryResponse
404	Not Found	Cert discovery doesn't exist	None

List certificate discoveries

Code samples

GET /v1/org/{org}/certDiscoveries HTTP/1.1
Host: api.hardenize.com

GET /certDiscoveries

Maturity: Under Development

Returns a list of certificate discoveries matching the search criteria.

Parameters

Parameter	In	Type	Description
status	query	string	If set, returns only the certificate discoveries matching the status.
limit	query	integer	If set, returns only the first limit certificate discoveries.
since	query	string(date-time)	If set, returns only certificate discoveries created since the specified date.

Detailed descriptions

status: If set, returns only the certificate discoveries matching the status.

limit: If set, returns only the first limit certificate discoveries.

since: If set, returns only certificate discoveries created since the specified date.

Example responses

200 Response

{
  "certDiscoveries": [
    {
      "certDiscoveryId": 11766,
      "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
      "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "createdOn": "2022-06-17T00:00:00Z",
      "updatedOn": "2022-06-17T00:00:00Z",
      "closedOn": "2022-06-17T00:00:00Z",
      "escalated": false,
      "status": "open",
      "resolution": "undetermined",
      "certSummary": {
        "shortId": "572908a",
        "label": "ssl760680.cloudflaressl.com",
        "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
        "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
        "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
        "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
        "issuerCa": "Let's Encrypt",
        "ownership": "own",
        "notBefore": "2024-11-21T14:12:47.561Z",
        "notAfter": "2024-11-21T14:12:47.561Z",
        "effectiveNotAfter": "2024-11-21T14:12:47.561Z",
        "revokedOn": "2024-11-21T14:12:47.561Z",
        "hosts": [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ],
        "extras": {
          "status": "ok",
          "certsDueDays": 60,
          "certsOverdueDays": 13,
          "certsCriticalDays": 4,
          "certsLabels": "managed"
        },
        "active": true,
        "caPathLen": -1,
        "nameDigestNewer": true
      },
      "matchedHosts": [
        [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ]
      ]
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListCertDiscoveriesResponse

Update certificate discovery

Code samples

POST /v1/org/{org}/certDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /certDiscoveries/{id}

Maturity: Under Development

Updates the requested certificate discovery.

Body parameter

{
  "status": "closed",
  "resolution": "reconciled"
}

Parameters

Parameter	In	Type	Description
body*	body	UpdateCertDiscoveryRequest	none

Example responses

200 Response

{
  "certDiscovery": {
    "certDiscoveryId": 11766,
    "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "createdOn": "2022-06-17T00:00:00Z",
    "updatedOn": "2022-06-17T00:00:00Z",
    "closedOn": "2022-06-17T00:00:00Z",
    "escalated": false,
    "status": "open",
    "resolution": "undetermined",
    "certSummary": {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-11-21T14:12:47.562Z",
      "notAfter": "2024-11-21T14:12:47.562Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.562Z",
      "revokedOn": "2024-11-21T14:12:47.562Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed"
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    },
    "certKnown": false,
    "certInstalled": true,
    "certExpired": false,
    "certRevoked": false,
    "issuerAllowed": true,
    "issuerAllowedKeyword": "GlobalSign",
    "issuerNotAllowed": false,
    "issuerForbidden": false,
    "issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "caaMismatch": false,
    "caaMatchFull": false,
    "notCtCompliant": false,
    "maxLifetimeExceeded": false,
    "timeoutCaseInactive": false,
    "timeoutCertNotInstalled": false,
    "matchedHosts": [
      [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ]
    ],
    "matchedHostsInfo": {
      "property1": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      },
      "property2": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      }
    },
    "matchedHostsCaaHistory": {
      "property1": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-11-21T14:12:47.562Z",
          "lastSeen": "2024-11-21T14:12:47.562Z",
          "records": [
            "string"
          ]
        }
      ],
      "property2": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-11-21T14:12:47.562Z",
          "lastSeen": "2024-11-21T14:12:47.562Z",
          "records": [
            "string"
          ]
        }
      ]
    },
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ]
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Certificate updated	UpdateCertDiscoveryResponse
404	Not Found	Certificate not found	None

Dashboards

The API endpoints in this section allow you to retrieve information about your dashboards.

Request dashboard statistics

Code samples

POST /v1/org/{org}/dashboards/;stats HTTP/1.1
Host: api.hardenize.com

POST /dashboards/;stats

Maturity: Under Development

Request general statistics about the organization.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: CreateDashboardResponse

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted.	OperationStatus

DNS

DNS APIs can be used to synchronize your DNS configuration for Hardenize. Our first supported endpoint enables you to upload your DNS zone files, enabling Hardenize to discover new hosts.

Upload DNS zone

Code samples

POST /v1/org/{org}/dns/zones?root=example.com HTTP/1.1
Host: api.hardenize.com
Content-Type: text/plain

POST /dns/zones

Use this endpoint to upload your DNS zone file to Hardenize. The zone file will be parsed to find new hosts, which will then be added to the account.

Body parameter

$ORIGIN example.com.
$TTL 1h
@      IN  SOA   ns.example.com. admin.example.com. ( 2018081601 1d 2h 4w 1h )
@      IN  NS    ns
@      IN  MX    10 mx.example.com.
@      IN  A     192.0.2.1
       IN  AAAA  2001:db8:10::1
ns     IN  A     192.0.2.2
       IN  AAAA  2001:db8:10::2
www    IN  CNAME example.com.
mx     IN  A     192.0.2.3

Parameters

Parameter	In	Type	Description
root*	query	string	The root of the uploaded DNS zone, for example example.com.
body*	body	string	DNS zone file

Responses

Status	Meaning	Description	Schema
204	No Content	Zone successfully processed	None

Events

We use events to record various things of interest that happen in your account. For example, if we see a certificate that matches one of your domain names in Certificate Transparency (CT) logs, we can take that CT log entry and store it as an event. In this way, you can periodically retrieve the available events and stay up to date. Events are also used as basis for our event hooks, which provide real-time notifications.

We support the following event types:

Event Type	Description	Event Data
ct.entry	One CT log entry matched to the account. The purpose of this event is to enable you to interface directly with the public CT logs while seeing only CT log entries that are relevant to you. One event of this type is generated for every appearance of precertificate and certificate in public CT logs. This usually means that there will be 2-5 events for every precertificate, depending on the certificate validity period. Certificates are also commonly seen in the logs, although that's not guaranteed. In most situations, the pki.cert.new is the more appropriate choice of you only care about new issuance events. We collect all information from your CT log entries even if this event is not enabled; within 24 hours of certificate issuance, the aggregated information will be stored in the appropriate Certificate record.	MatchedCtEntry
issue.new	New issue. Emitted whenever a new issue is created.	Issue
issue.update	Updated issue. Emitted every time an issue is updated.	Issue
pki.cert.new	New certificate or precertificate added to the account, from any source, including Certificate Transparency, network, or manual upload. The purpose of this event is to enable you to react, in real-time, when a new certificate becomes known. You should be aware that you will get potentially multiple objects for the same issuance. You can check for this using the tbsSha256 field, which has the same value in the precertificate/certificate combo. This event is generated for own and third-party certificates, including CA certificates. If the latter group is not of interest, check the event data fields to discard them.	Certificate

Event Hooks

You can use event hooks to have your events pushed to you in real-time. We currently support two delivery mechanisms:

• PubSub; This event type is based on a message queue and appropriate when the event volume is very high. It's configured manually and enabled on a case-by-case basis.

• Webhooks; This is the default event delivery mechanism, where we submit events to a designated web server under your control.

PubSub Event Delivery

PubSub event delivery is a message queue that's implemented on top of Google's PubSub service, which is highly available and stores events for up to 7 days. When we enable this event delivery type, we create one PubSub subscription for the entire account and enable the corresponding hook type. From that point onwards, you can use the API to control exactly which events are delivered to you.

PubSub messages transport event data in the main message body, with the metadata included via the message attributes. PubSub implements at-least-once delivery which means that you may get duplicate events. You can deal with this by designing your processing so that the duplicates don't matter, or by adding a deduplication layer (e.g., based on the unique event identifier). Another characteristic of PubSub is that it doesn't guarantee delivery of events in the chronological order. As such, PubSub may not be a good choice when the order matters.

If you're receiving issue updated via PubSub, make sure to check that the revision of the event you're processing is higher than the last known revision. Issues are typically updated once a day, meaning that you will not normally experience ordering issue if you're consuming events continuously.

Webhook Event Delivery

This mechanism submits events to an HTTPS endpoint that you control. This endpoint must be able to accept and process POST requests with event information. The events are transported in the request bodies, using the same format as the events obtained when you pull this information via this API.

When you successfully accept an event we send, you must respond with the 204 No Content status code and no data in the response body. We are particular about the response code because we want to be sure the webhook has been processed correctly. Seeing a 200 response is not really a guarantee of that, as it's common to see web servers configured to always respond with 200 status code, even on processing failure.

Generally speaking, it's always helpful to use meaningful status codes as that will help us understand the type of failure and modify our behavior accordingly. For example:

• 400 Bad Request - our submission is invalid
• 429 Too Many Requests - we're sending too many requests
• 500 Internal Server Error - your processing failed
• 503 Service Unavailable - your service is currently not available
• 504 Gateway Timeout - your service didn't respond in time

You should enable keep-alives on your server and use a long timeout value so that we can efficiently send you events in bulk.

It is important that you verify that you are receiving webhooks from us, and not from someone else. There are a couple of ways in which this can be archived. First, you could generate a long random string and embed it in the webhook URL, making it difficult for anyone to just guess the destination you're using. Second, you should check the event metadata to ensure that it matches your expectations. The metadata, which is transported in the request headers, includes a signature based on a per-hook secret.

If a webhook fails, we will continue to attempt delivery over the next 24 hours. Overall, we will attempt delivery of every event to you for about 10 times, backing off exponentially from the first attempt. We may disable webhooks that stay broken for an extended period of time.

Event Hook Metadata

We deliver events along with their associated metadata, as follows:

• X-Hardenize-Org - contains the organization label, for example demo. This field always contains the absolute organization identifier, meaning in the case of suborganizations it will be in the form of parent.child.
• X-Hardenize-EventHookId - contains the unique event hook identifier. Even though the identifier is not security-sensitive as such, it's generated using a strong random number generator and can be used to verify that the traffic is genuinely coming from our systems.
• X-Hardenize-Signature - contains signature of the entire event payload, signed using the secret unique to the event hook. This secret is generated randomly when the hook is created.

Event Signatures

We use HMAC-256 to sign a timestamped event body. The X-Hardenize-Signature metadata field will therefore include both the timestamp and the actual signature.

X-Hardenize-Signature: t=1539185809044;
  hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8

To verify the signature, first locate the secret corresponding to the event hook, using the combination of X-Hardenize-Org and X-Hardenize-EventHookId fields. After that, parse the X-Hardenize-Signature field to extract the timestamp and signature values. To do this, split the value at the semicolon, then extract the key-value pairs. Next, create a new data buffer by appending the timestamp (e.g., 1539185809044), followed by a semicolon (i.e., ;), followed by the verbatim request body. Finally, calculate the HMAC-SHA256 of the data buffer and compare your result with our signature. Please note that our signature is hex-encoded for transport. To do a correct comparison you'll have to either hex-decode it first, or hex-encode your calculation.

If you're worried about replay attacks, you will also need to check that the timestamp doesn't deviate significantly from the time you have. For this to work correctly you need to ensure that you always have the correct time on your server. Additionally, you'll need to be processing the events in near-real time or otherwise account for the processing delay on your end.

If you are unable to validate the event metadata, you must refuse to process the event. If in a webhook, respond with the 400 status code.

Event Collection Best Practices

Even though event hooks are not difficult to set up initially, getting them to work reliably and unattended over an extended period of time will require some effort. Things break. Use event hooks only if there aren't better ways to access the information. For example, if you're interested in the ct.entry and pki.cert.* hooks, consider that we process all the events ourselves, and that information stored in them is always available to you via this API. For example, if you want to keep a copy of all your certificates, it's usually easier to retrieve new and updated certificates daily.

Further, consider these best practices for event hook implementation:

• No matter what you plan to do with the event data, the most important task for a hook is to accept the event. If your hook is continuously unable to receive an event, it will eventually be lost. This is true for all delivery mechanisms, although the parameters may differ.

• For best results, consider separating event receipt from processing. This is usually best done by acknowledging the event and placing into storage, for some other scheduled task to pick it up on a schedule. (Include authentication in this step.) In this case, even if the processing later fails, you'll still have the event. If you're receiving and processing events at the same time, unchecked processing failures may lead to event loss.

  There is greater potential from damage [if your receipt and processing are done at the same time] with PubSub delivery, because your failure to process one event may prevent you from seeing the events that follow it. You can be stuck in a loop where you're continuously trying and failing to process the same event. In this situation, the right strategy is to use a "dead-letter queue" to store the events that have failed.

• Even with the above, it's best to use the "belt and braces" approach. Configure and handle hooks when you need to observe events in real-time, but also setup daily tasks to retrieve events directly from us, eliminating duplicates. In this way you will ensure that no events are lost.

Create event hook

Code samples

POST /v1/org/{org}/eventHooks HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /eventHooks

Creates a new event hook. Every new event hook starts off as disabled, which means that it's not going to receive events straight away. The expected workflow is to first create an event hook, configure the receiving end, run tests to ensure correct operation, and then finally enable the hook.

Body parameter

{
  "hookType": "webhook",
  "eventTypes": [
    "ct.entry"
  ],
  "status": "enabled",
  "destination": "https://hardenize.com/webhooks/receive"
}

Parameters

Parameter	In	Type	Description
body	body	CreateEventHookRequest	none

Example responses

200 Response

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Event hook created	CreateEventHookResponse
403	Forbidden	Insufficient permissions to perform operation	None

Delete event hook

Code samples

DELETE /v1/org/{org}/eventHooks/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /eventHooks/{id}

Deletes the event hook with the specified identifier.

Parameters

Parameter	In	Type	Description
id*	path	string	Event hook identifier.

Responses

Status	Meaning	Description	Schema
204	No Content	Event hook deleted	None
403	Forbidden	Insufficient permissions to perform operation	None
404	Not Found	Event hook not found	None

Get event

Code samples

GET /v1/org/{org}/events/{id} HTTP/1.1
Host: api.hardenize.com

GET /events/{id}

Returns the event with the specified identifier.

Parameters

Parameter	In	Type	Description
id*	path	integer	Event identifier.

Example responses

200 Response

{
  "event": {
    "id": 10001,
    "type": "ct",
    "createdOn": "2024-11-21T14:12:47.564Z",
    "apiVersion": "0.14.0",
    "data": {
      "field": "value"
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetEventResponse
404	Not Found	Event doesn't exist	None

List event destinations

Code samples

GET /v1/org/{org}/eventDestinations HTTP/1.1
Host: api.hardenize.com

GET /eventDestinations

Lists all managed event destinations. Managed destinations are those that we control, for example PubSub topics.

Example responses

200 Response

{
  "eventDestinations": [
    {
      "destinationId": "pubsub://events/1/1005",
      "type": "pubsub",
      "project": "hz-events-pubsub",
      "topic": "projects/hz-events-pubsub/topics/ep-1-1005",
      "subscription": "ep-1-1005",
      "subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListEventDestinationsResponse

List event hooks

Code samples

GET /v1/org/{org}/eventHooks HTTP/1.1
Host: api.hardenize.com

GET /eventHooks

Lists event hooks that are configured in the account.

Example responses

200 Response

{
  "eventHooks": [
    {
      "id": "bfc384726b6447a4b70a171de49e466f",
      "hookType": "webhook",
      "eventTypes": [
        "ct.entry"
      ],
      "status": "enabled",
      "destination": "https://hardenize.com/webhooks/receive",
      "secret": "3685c06a966e4d0ea625d0b475719661"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListEventHooksResponse

List event types

Code samples

GET /v1/org/{org}/eventTypes HTTP/1.1
Host: api.hardenize.com

GET /eventTypes

Lists all available event types, showing how they're configured for the account.

Example responses

200 Response

{
  "eventTypes": [
    {
      "name": "ct",
      "available": true,
      "enabled": true
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListEventTypesResponse

List events

Code samples

GET /v1/org/{org}/events HTTP/1.1
Host: api.hardenize.com

GET /events

Lists events available in the account. By default, all events are listed, with the earliest first. Because there is a forced limit of 100 events per invocation, to iterate over more than 100 events you will need to submit multiple requests, remember the timestamp of the last retrieved event, and use it as the since parameter in the subsequent invocation. If you provide one of the optional parameters, only the events matching the specified filters will be listed. If you provide multiple parameters, only the events matching all the specified filters will be listed.

Parameters

Parameter	In	Type	Description
since	query	string(date-time)	Returns only events that ocurred after the supplied time.
type	query	string	Returns only events that match the supplied type.
limit	query	integer	Limits the number of events in the response. The limit can range between 1 and 100. The default is 100.

Example responses

200 Response

{
  "events": [
    {
      "id": 10001,
      "type": "ct",
      "createdOn": "2024-11-21T14:12:47.566Z",
      "apiVersion": "0.14.0",
      "data": {
        "field": "value"
      }
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListEventsResponse

Test event hook

Code samples

POST /v1/org/{org}/eventHooks/{id};test HTTP/1.1
Host: api.hardenize.com

POST /eventHooks/{id};test

Tests the event hook with the specified identifier. By default, we send a test event, but it's possible to request mock events of other types using the eventType parameter. This API endpoint executes synchronously and may take longer than other API calls (especially in case of unresponsive receiving servers).

By default, we submit valid and syntactically events. During the configuration phase, it's useful to test how the receiver behaves with invalid data. We use the invalid parameter for this purpose. Set to any value except none, it instructs the API to intentionally break one element of the submission. In this case, the success criteria also changes. By default, we expect a 204 response, except when we're sending you a broken submission, in which case we expect a 400 in return.

Please note that, when testing deliveries via intermediaries, we're not able to detect processing failures of the final recipient, only of the intermediary. For example, when testing PubSub delivery, this endpoint will return success after successfully publishing to the message queue. Testing with broken events is still useful, but you'll need to detect the failures on the receiving end.

Parameters

Parameter	In	Type	Description
id*	path	string	Event hook identifier.
invalid	query	string	Instructs the API to intentionally break one of the elements of the test submission. Default: none
eventType	query	string	Determines the event type that will be sent to the event hook.

Enumerated Values

Parameter	Value
invalid	none
invalid	hookId
invalid	org
invalid	payload
invalid	signature
eventType	ct.entry
eventType	issue.new
eventType	issue.update
eventType	pki.cert.new
eventType	test

Example responses

200 Response

{
  "successful": false,
  "errorMessage": "Expected 202 or 204 status code",
  "durationMillis": 5814,
  "pubsub": {
    "destination": "pubsub://events/1/1005",
    "message": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}",
    "attributes": {
      "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
      "X-Hardenize-Org": "demo",
      "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
    },
    "messageId": "260486610038606"
  },
  "webook": {
    "request": {
      "method": "POST",
      "url": "https://hardenize.com/webhooks/receive",
      "headers": {
        "Content-Type": "application/json; charset=UTF-8",
        "User-Agent": "Hardenize (https://www.hardenize.com)",
        "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
        "X-Hardenize-Org": "demo",
        "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
      },
      "body": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}"
    },
    "response": {
      "statusCode": 302,
      "headers": {
        "Location": "https://hardenize.com/redirection",
        "Cache-Control": "no-cache",
        "Connection": "keep-alive",
        "Content-Type": "text/plain; charset=UTF-8",
        "Date": "Wed, 10 Oct 2018 15:36:54 GMT",
        "Server": "nginx/1.10.3",
        "Transfer-Encoding": "chunked",
        "Vary": "Accept-Encoding"
      },
      "body": "OK"
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Event hook test completed	TestEventHookResponse
403	Forbidden	Insufficient permissions to perform operation	None
404	Not Found	Event hook not found	None

Update event hook

Code samples

POST /v1/org/{org}/eventHooks/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /eventHooks/{id}

Updates the event hook with the specified identifier.

Body parameter

{
  "eventTypes": [
    "ct.entry"
  ],
  "destination": "https://hardenize.com/webhooks/receive",
  "status": "disabled"
}

Parameters

Parameter	In	Type	Description
id*	path	string	Event hook identifier.
body	body	UpdateEventHookRequest	none

Example responses

200 Response

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Event hook updated	UpdateEventHookResponse
403	Forbidden	Insufficient permissions to perform operation	None
404	Not Found	Event hook not found	None

Update event type

Code samples

POST /v1/org/{org}/eventTypes/{name} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /eventTypes/{name}

Updates one event type, changing the enabled property to the specified value. When an event type is enabled, events of that type will be generated and stored in the database. Associated notifications will be dispatched. This operation will fail if the event type is not available in the account.

Body parameter

{
  "enabled": true
}

Parameters

Parameter	In	Type	Description
name*	path	string	Event type name.
body	body	UpdateEventTypeRequest	none

Example responses

200 Response

{
  "eventType": {
    "name": "ct",
    "available": true,
    "enabled": true
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateEventTypeResponse
403	Forbidden	Not allowed to change status of event that's not available	None
404	Not Found	Event type doesn't exist	None

Groups

We support groups as a general-purpose mechanism for categorization. For example, a host can be assigned zero, one, or more groups.

Create group

Code samples

POST /v1/org/{org}/groups HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /groups

Creates a new group. The name you choose should be short (especially if you're planning to assign multiple tags to individual entities) and must not already exist, using case-insensitive comparison.

Body parameter

{
  "name": "Production",
  "auto": true,
  "tags": [
    "production"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	CreateGroupRequest	none

Example responses

201 Response

{
  "group": {
    "id": "production",
    "name": "Production",
    "auto": true,
    "tags": [
      "production"
    ]
  }
}

Responses

Status	Meaning	Description	Schema
201	Created	Group created	CreateGroupResponse
400	Bad Request	Invalid parameters	None

Delete group

Code samples

DELETE /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /groups/{id}

Deletes a group. By default, only unused groups can be deleted, but you can specify the force parameter to override this behavior.

Parameters

Parameter	In	Type	Description
id*	path	string	The name of the group to delete.
force	query	boolean	If this parameter is provided and set to true, the specified group will be deleted even if it's still in use.

Responses

Status	Meaning	Description	Schema
204	No Content	Group deleted	None
400	Bad Request	Invalid input	None
403	Forbidden	Forbidden	None
404	Not Found	Group not found	None

Get group

Code samples

GET /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com

GET /groups/{id}

Retrieves group information.

Parameters

Parameter	In	Type	Description
id*	path	string	Group identifier.

Responses

Status	Meaning	Description	Schema
200	OK	OK	None
400	Bad Request	Bad Request	None
403	Forbidden	Forbidden	None
404	Not Found	Not found	None

List groups

Code samples

GET /v1/org/{org}/groups HTTP/1.1
Host: api.hardenize.com

GET /groups

Returns a complete list of all groups used by the organization.

Example responses

200 Response

{
  "groups": [
    {
      "id": "production",
      "name": "Production",
      "auto": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListGroupsResponse

Update group

Code samples

POST /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /groups/{id}

Updates a group.

Body parameter

{
  "tags": [
    "production"
  ]
}

Parameters

Parameter	In	Type	Description
id*	path	string	Group identifier.
body	body	UpdateGroupRequest	none

Responses

Status	Meaning	Description	Schema
204	No Content	Group updated	None
400	Bad Request	Invalid input	None
403	Forbidden	Forbidden	None
404	Not Found	Group not found	None

Host Discovery

Host discovery is a feature of Hardenize designed to make it easier for organizations to build their host inventories and keep them up to date. Having a good inventory is key to having good visibility, so we aim to automate the maintenance tasks wherever possible. Where full automation is not possible, we do as much work as we can and present the information for manual review.

There are three principal ways in which new hosts are discovered. The first is the use of authoritative sources. For example, new hosts could be added manually (e.g., from a list of organization's domain names) or could be imported via an integration with existing systems (e.g., authoritative name servers). All accounts are initially populated with data in this way.

Once an account is bootstrapped, our automated discovery features kick in. An important source of information is our monitoring of public infrastructure. We maintain both historical databases and also follow new information that appears on the network. We then inspect these sources to import information that's connected to the account. A good example of this approach is import of new certificates via Certificate Transparency monitoring.

Finally, the third approach is the analysis and import from the data obtained from our own active monitoring of the hosts that are already in an account's host inventory. Because in this case we know that we're dealing with the data that belongs to the account owner, we're able to further refine our understanding and apply heuristics to make even more useful conclusions. For example, as we can your web sites we record and extract useful information from them.

How Host Discovery Works

To support host discovery, we monitor all hosts we come across (as part of both public and private monitoring). When we encounter a relevant host, we import it into the account and add it to the list od discovered hosts.

In some cases (e.g., suffix matching), our discovery is 100% accurate, and then we are able to add thew newly discovered host directly to the inventory. When that's not possible, the new host sits on the discovery list until a decision about it can be made.

If a host is not classified as belonging to the organization, the decision about it stays in the account so that it can be reused in the future.

Delete host discoveries

Code samples

DELETE /v1/org/{org}/hostDiscoveries/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

DELETE /hostDiscoveries/*

Deletes a list of host discoveries.

Body parameter

{
  "ids": [
    1
  ],
  "preview": true
}

Parameters

Parameter	In	Type	Description
body	body	DeleteHostDiscoveriesRequest	none

Example responses

200 Response

{
  "ids": [
    1
  ],
  "preview": true
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	DeleteHostDiscoveriesResponse
400	Bad Request	Invalid request	None

Get host discovery

Code samples

GET /v1/org/{org}/hostDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveries/{id}

Returns the specified host discovery.

Parameters

Parameter	In	Type	Description
id*	path	integer	The ID of the host discovery to be fetched.

Example responses

200 Response

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2024-11-21T14:12:47.570Z",
    "origin": "hdb",
    "originTitle": "HDB",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2024-11-21T14:12:47.570Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetHostDiscoveryResponse
404	Not Found	Host discovery doesn't exist	None

List host discoveries

Code samples

GET /v1/org/{org}/hostDiscoveries HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveries

Returns a list of all host discoveries in the account. Optionally, use one of the supported filtering parameters to retrieve only the discoveries that match specific criteria.

Parameters

Parameter	In	Type	Description
resolution	query	string	If set, returns only the host discoveries with this particular resolution set.
discoveredSince	query	string(date-time)	If set, returns only the hosts discoveries that have happened since the supplied date.
origin	query	string	If set, returns only the host discoveries found with this match location.
limit	query	integer	If set, returns only up to the specified number of hosts.

Enumerated Values

Parameter	Value
resolution	pending
resolution	own
resolution	supplier
resolution	unrelated
resolution	infringing
resolution	phishing
origin	hdb

Example responses

200 Response

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2024-11-21T14:12:47.571Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2024-11-21T14:12:47.571Z"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListHostDiscoveriesResponse

Update host discoveries

Code samples

POST /v1/org/{org}/hostDiscoveries/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveries/*

Updates a list of host discoveries.

When changing the resolution, the resolution of all other discoveries that have a hostname matching the targetted discoveries effective hostname, are also updated.

When changing the resolution to "own", all affected discoveries are imported into your host inventory.

Body parameter

{
  "ids": [
    1
  ],
  "preview": true,
  "changes": {
    "resolution": "own",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Parameters

Parameter	In	Type	Description
body	body	UpdateHostDiscoveriesRequest	none

Example responses

200 Response

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2024-11-21T14:12:47.572Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2024-11-21T14:12:47.573Z"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateHostDiscoveriesResponse
400	Bad Request	Invalid request	None

Update host discovery

Code samples

POST /v1/org/{org}/hostDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveries/{id}

Updates the specified host discovery. Setting the effective hostname is optional, but if a value is provided, it must be the same as the discovered hostname or one of its parents, and must not be a TLD (on the public suffix list). E.g if the discovered hostname is "www.test.example.com", you may set the effective hostname to "test.example.com" or "example.com", but not "com" and not "example.org".

When changing the resolution, the resolution of all other discoveries that have a hostname matching the targetted discoveries effective hostname, are also updated.

When changing the resolution to "own", all affected discoveries are imported into your host inventory.

Body parameter

{
  "resolution": "own",
  "groups": [
    "staging",
    "development"
  ]
}

Parameters

Parameter	In	Type	Description
id*	path	integer	The ID of the host discovery to be updated.
body	body	UpdateHostDiscoveryRequest	none

Example responses

200 Response

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2024-11-21T14:12:47.574Z",
    "origin": "hdb",
    "originTitle": "HDB",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2024-11-21T14:12:47.574Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateHostDiscoveryResponse
404	Not Found	Host discovery doesn't exist	None

Host Discovery Nameservers

Nameserver monitoring is one of our favourite discovery techniques. We monitor the world's domain names to determine what nameservers they are delegated to and use that information to build a special discovery database. This subsequently enables us to quickly find all domain names delegated to a particular nameserver.

This discovery technique can be used only with an organization's private DNS nameservers, meaning that they host only domain names that belong to the same organization. They can be managed and provided by a third-party, but the name itself must not be shared.

We like this technique because it requires virtually no effort to identify new domains that belong to the organization. Once the private nameservers are identified, the discoveries happen automatically via continuous monitoring of new domains that appear in the name servers. Further, we help discover the private nameservers by monitoring all nameservers used by an account and looking for ones that appear to be used exclusively by the organization's domain names.

Create host discovery nameserver

Code samples

POST /v1/org/{org}/hostDiscoveryNameservers HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryNameservers

Creates one or more nameservers to for discovery purposes. Only private nameservers can be added to monitoring. As a way of enforcing this requirement, we check that the nameserver hostname matches a domain name that's in the host inventory. For example, if example.com is an organization domain name, then ns1.example.com nameserver can be added but ns1.example.org cannot.

Public servers must not be submitted for monitoring, even if they're under a domain name that is in the inventory.

Body parameter

{
  "hostnames": [
    "ns1.example.com"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	CreateHostDiscoveryNameserverRequest	none

Example responses

204 Response

{
  "hostDiscoveryKeyword": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
204	No Content	OK	CreateHostDiscoveryNameserverResponse
400	Bad Request	Invalid request	None

Delete host discovery nameserver

Code samples

DELETE /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com

DELETE /hostDiscoveryNameservers/{hostname}

Deletes a host discovery nameserver.

Parameters

Parameter	In	Type	Description
hostname*	path	string	A fully-qualified domain name.

Responses

Status	Meaning	Description	Schema
204	No Content	Nameserver deleted	None
404	Not Found	Nameserver not found	None

Get host discovery nameserver

Code samples

GET /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryNameservers/{hostname}

Retrieves a host discovery nameserver.

Parameters

Parameter	In	Type	Description
hostname*	path	string	A fully-qualified domain name.

Example responses

200 Response

{
  "hostDiscoveryNameserver": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetHostDiscoveryNameserverResponse
404	Not Found	Nameserver not found	None

List host discovery nameservers

Code samples

GET /v1/org/{org}/hostDiscoveryNameservers HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryNameservers

Returns a list of all host discovery nameservers in the account.

Example responses

200 Response

{
  "hostDiscoveryNameservers": [
    {
      "hostname": "ns1.hardenize.com",
      "punyHostname": "ns1.hardenize.com",
      "createdOn": "2020-06-10T15:36:49.044Z",
      "enabled": false,
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListHostDiscoveryNameserversResponse

List not-monitored private nameservers

Code samples

GET /v1/org/{org}/hostDiscoveryNameservers/privateNotMonitored HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryNameservers/privateNotMonitored

Returns a list of all private nameservers that are not already monitored. Our ability to discover your private nameservers depends on active monitored of the host inventory. As part of a host assessment, we check the nameservers and store them in the database. This endpoint builds a list of all nameservers we are aware of, keeps only those that are potentially private (based on the hostnames matching), and removes those that are already monitored.

Example responses

200 Response

[
  "example.com"
]

Responses

Status	Meaning	Description	Schema
200	OK	OK	Inline

Response Schema

Update host discovery nameserver

Code samples

POST /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryNameservers/{hostname}

Updates one host discovery nameserver.

Body parameter

{
  "enabled": true
}

Parameters

Parameter	In	Type	Description
hostname*	path	string	A fully-qualified domain name.
body	body	UpdateHostDiscoveryNameserverRequest	none

Example responses

200 Response

{
  "hostDiscoveryNameserver": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Nameserver updated	GetHostDiscoveryNameserverResponse
400	Bad Request	Invalid parameters	None
404	Not Found	Nameserver not found	None

Host Discovery Keywords

Hardenize supports discovery of new hosts based on keyword matching. To support this type of discovery we maintain a database of all domains and subdomains globally. When a keyword is added to an account, we schedule continuous monitoring of this database to discover all hostnames that match it.

Our keyword matching discovery is different from subdomain matching because keywords can match anywhere in the hostname. Additionally, we implement additional advanced matching techniques that look for variations. Our fuzzy matching starts with a keyword and generates many similar phrases using techniques designed to catch, for example, typosquatting. Separately, we have detection of confusables, where we detect phrases that are visually similar or identical to the configured keyword. We detect simple character substitution (e.g., tw1tter instead of twitter), as well as advanced obfuscation attempts using Unicode look-alike characters (also known as homoglyphs or homographs). If you'd like to see some examples, we maintain a public project where we showcase our detection of confusables for some popular keywords.

Using Keyword Discovery

To use keyword discovery, specify one or more keywords, configuring them according to what you wish to be discovered. We recommend that you initially start with stricter keywords, for example only domains that match a keyword exactly. With this approach, you will initially have fewer matches to deal with. As you settle on a discovery review workflow that works for you, you can then then pursue less strict matching, which will generate more useful matches (e.g., entire labels anywhere in the hostname), but is also likely produce false positives.

When a new keyword is added (or a keyword configured), we need to scan our entire database, which is a slow operation. Especially in the case of fuzzy and confusables matching, one keyword may result in hundreds of variations that we search for. The results of the first scan are therefore made available over night. Once that first scan is complete, we continue with real-time monitoring of newly observed domains and subdomains.

Match Limits

Because we have hundreds of millions in our database, keyword matching can result in too many matches when using with a phrase that's not specific enough. In order to deal with this problem, there is a limit to how many matches can be imported at any one time. This limit is designed to kick in when the keyword is used the first time. By default, this limit is set to 10,000 matches. If a keyword reaches this limit, it is disabled with an appropriate error message.

Availability

Keyword discovery features vary across account tiers. If keywords are enabled on an account, there are separate limits for standard and advanced keywords. The advanced keyword allowance can be used to create standard keywords, but the reverse is not possible. Advanced keywords (that support fuzzy matching and confusables) are an add-on and can be added to any package.

Create host discovery keyword

Code samples

POST /v1/org/{org}/hostDiscoveryKeywords HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryKeywords

Creates a new keyword to be used for host discovery. It's important to choose a good keyword that will not produce many false positives. For example, if you specified the word com, we would match on millions of hostnames.

Keyword matching never returns any hostnames that are considered to belong to the account organization. The exclusion happens automatically because those hostnames should have already been added to the account via suffix matching.

Body parameter

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	CreateHostDiscoveryKeywordRequest	none

Example responses

200 Response

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	CreateHostDiscoveryKeywordResponse
400	Bad Request	Invalid request	None

Delete host discovery keyword

Code samples

DELETE /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com

DELETE /hostDiscoveryKeywords/{keyword}

Deletes a host discovery keyword.

Parameters

Parameter	In	Type	Description
keyword*	path	string	The name of the keyword to delete.

Responses

Status	Meaning	Description	Schema
204	No Content	Keyword deleted	None
404	Not Found	Keyword not found	None

Get host discovery keyword

Code samples

GET /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryKeywords/{keyword}

Retrieves a host discovery keyword.

Parameters

Parameter	In	Type	Description
keyword*	path	string	The name of the keyword to fetch.

Example responses

200 Response

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetHostDiscoveryKeywordResponse
404	Not Found	Keyword not found	None

List host discovery keywords

Code samples

GET /v1/org/{org}/hostDiscoveryKeywords HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryKeywords

Returns a list of all host discovery keywords in the account.

Example responses

200 Response

{
  "hostDiscoveryKeywords": [
    {
      "keyword": "hard",
      "enabled": true,
      "matchScope": "all",
      "matchPosition": "anywhere",
      "matchExact": true,
      "matchFuzzy": true,
      "matchConfusables": true,
      "exclusions": [
        "chard"
      ],
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListHostDiscoveryKeywordsResponse

Update host discovery keyword

Code samples

POST /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryKeywords/{keyword}

Updates host discovery keyword

Body parameter

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

Parameters

Parameter	In	Type	Description
keyword*	path	string	The name of the keyword to update.
body	body	UpdateHostDiscoveryKeywordRequest	none

Example responses

200 Response

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateHostDiscoveryKeywordResponse
400	Bad Request	Invalid request	None

Hosts

Host management, which provides abilities to create and delete your hosts, as well as configure how they're monitored. You are also able to manage how hosts are discovered in this section.

In this section and elsewhere in the API, wherever we accept hostnames, we validate them and perform canonicalization: we convert them to lowercase, and strip the trailing dot if present. This means that the hosts we keep in the database will potentially be different at the character level from the hosts you input. However, they will be semantically the same.

Bulk create hosts

Code samples

POST /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hosts

Adds one or more hosts to the account. No errors will be reported if the list includes one or more hosts that already exist. In that situation, the existing hosts will be treated in the same way as the new hosts when it comes to their status and group membership. New groups are added if required, but existing group memberships won't be affected. If the status field is not provided then the initial host status will be automatically decided following the account rules for newly discovered hosts. By default, if a hostname with the www prefix is submitted, we strip the prefix and store only the parent domain. Our assessments always check both hostname variants. This behavior doesn't apply to special wholesale accounts.

Body parameter

{
  "hostnames": [
    "example.com"
  ],
  "status": "monitored",
  "axfr": "auto",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "name": "thename",
    "algorithm": "HMAC_MD5",
    "key": "base64key="
  },
  "groups": [
    "production"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	CreateHostsRequest	Names of the hosts that are to be created, along with their initial status.

Responses

Status	Meaning	Description	Schema
204	No Content	Hosts added to the account	None
400	Bad Request	Invalid request	None

Bulk delete hosts

Code samples

DELETE /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

DELETE /hosts

Deletes one or more hosts from the account. This operation will delete all the data exclusively associated with the specified hosts, as well as all their history. The subdomains are also deleted if the subdomains option is enabled. Use the delete operation only on the hosts that have been added to your account by mistake, in other words on the hosts that don't belong to you. For hosts that do belong to you but you wish to ignore, set their status to archived. Please note that not all host data may be immediately deleted; for some data that may be shared among different hosts we use reference counting via a garbage collection process that runs from time to time. Role: Admin.

Body parameter

{
  "hostnames": [
    "example.com"
  ],
  "subdomains": true,
  "preview": true
}

Parameters

Parameter	In	Type	Description
body	body	DeleteHostsRequest	none

Example responses

200 Response

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Responses

Status	Meaning	Description	Schema
200	OK	Hosts successfully deleted	DeleteHostsResponse
400	Bad Request	Invalid request	None

Bulk update hosts

Code samples

POST /v1/org/{org}/hosts/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hosts/*

Updates one or more hosts that are already stored in the account.

Body parameter

{
  "hostnames": [
    "example.com"
  ],
  "preview": true,
  "subdomains": true,
  "changes": {
    "status": "monitored",
    "axfr": "enabled",
    "axfrHost": "stealth.ns.example.com",
    "axfrTsig": {
      "algorithm": "HMAC_MD5",
      "key": "base64key=",
      "name": "thename"
    },
    "groupOp": "add",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Parameters

Parameter	In	Type	Description
body	body	UpdateHostsRequest	none

Example responses

200 Response

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Responses

Status	Meaning	Description	Schema
200	OK	Hosts successfully updated	UpdateHostsResponse
400	Bad Request	Invalid request	None

Get host

Code samples

GET /v1/org/{org}/hosts/{hostname} HTTP/1.1
Host: api.hardenize.com

GET /hosts/{hostname}

Returns the host with the specified name.

Parameters

Parameter	In	Type	Description
hostname*	path	string	The name of the host whose data you wish to retrieve.

Example responses

200 Response

{
  "host": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-11-21T14:12:47.581Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-11-21T14:12:47.581Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-11-21T14:12:47.581Z",
      "lastRegLookupTime": "2024-11-21T14:12:47.581Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-11-21T14:12:47.581Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-11-21T14:12:47.581Z",
      "lastAssessmentTime": "2024-11-21T14:12:47.581Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-11-21T14:12:47.581Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-11-21T14:12:47.581Z",
      "domainExpireTime": "2024-11-21T14:12:47.581Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetHostResponse
400	Bad Request	Invalid request	None
404	Not Found	Host not found	None

Get Host Screenshot

Code samples

GET /v1/org/{org}/hosts/{hostname}/screenshot HTTP/1.1
Host: api.hardenize.com

GET /hosts/{hostname}/screenshot

Returns screenshot for the specified host

Parameters

Parameter	In	Type	Description
hostname*	path	string	The name of the host whose screenshot you wish to retrieve.

Example responses

200 Response

Responses

Status	Meaning	Description	Schema
200	OK	OK	string
400	Bad Request	Invalid request	None
404	Not Found	Host not found	None

Get host services

Code samples

GET /v1/org/{org}/hosts/{hostname}/services HTTP/1.1
Host: api.hardenize.com

GET /hosts/{hostname}/services

Returns the services, endpoints and certificates for a host with the specified name.

Parameters

Parameter	In	Type	Description
hostname*	path	string	The name of the host whose data you wish to retrieve.
extended	query	boolean	if set, returns host with extras field. Setting to false has no effect.

Detailed descriptions

extended: if set, returns host with extras field. Setting to false has no effect.

Example responses

200 Response

{
  "hostServices": {
    "hosts": [
      {
        "hostname": "string",
        "service": "dns",
        "serviceHostname": "string",
        "lastSeen": "2024-11-21T14:12:47.582Z"
      }
    ],
    "services": [
      {
        "hostname": "string",
        "address": "string",
        "port": 0,
        "asNumber": 0,
        "asName": "string",
        "cloudProvider": "string",
        "cloudRegion": "string",
        "lastSeen": "2024-11-21T14:12:47.582Z",
        "certs": [
          "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
          "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
        ]
      }
    ],
    "certificates": [
      {
        "shortId": "572908a",
        "label": "ssl760680.cloudflaressl.com",
        "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
        "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
        "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
        "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
        "issuerCa": "Let's Encrypt",
        "ownership": "own",
        "notBefore": "2024-11-21T14:12:47.582Z",
        "notAfter": "2024-11-21T14:12:47.582Z",
        "effectiveNotAfter": "2024-11-21T14:12:47.582Z",
        "revokedOn": "2024-11-21T14:12:47.582Z",
        "hosts": [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ],
        "extras": {
          "status": "ok",
          "certsDueDays": 60,
          "certsOverdueDays": 13,
          "certsCriticalDays": 4,
          "certsLabels": "managed"
        },
        "active": true,
        "caPathLen": -1,
        "nameDigestNewer": true
      }
    ],
    "extras": {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-11-21T14:12:47.582Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-11-21T14:12:47.582Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-11-21T14:12:47.582Z",
      "lastRegLookupTime": "2024-11-21T14:12:47.582Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-11-21T14:12:47.582Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-11-21T14:12:47.582Z",
      "lastAssessmentTime": "2024-11-21T14:12:47.582Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-11-21T14:12:47.582Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-11-21T14:12:47.582Z",
      "domainExpireTime": "2024-11-21T14:12:47.582Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetHostServicesResponse
400	Bad Request	Invalid request	None
404	Not Found	Host not found	None

Get host stats

Code samples

GET /v1/org/{org}/hosts/;stats HTTP/1.1
Host: api.hardenize.com

GET /hosts/;stats

Returns host statistics from the database. If not returns 404 status.

Example responses

200 Response

{
  "monitored": 0,
  "archived": 0,
  "idle": 0,
  "total": 0,
  "domains": 0,
  "subdomains": 0
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetHostStatsResponse
404	Not Found	Host stats not found	None

List hosts

Code samples

GET /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com

GET /hosts

Returns a list of all hosts in the account. If you provide one of the optional parameters, only the hosts matching the specified filters will be listed. If you provide multiple parameters, only the certificates matching all the specified filters will be listed.

Parameters

Parameter	In	Type	Description
group	query	string	If set, returns only the hosts that belong to the specified group.
hostname	query	string	If set, returns only the hosts whose names match the parameter. One or more hosts may be returned, depending on whether subdomains are being included.
limit	query	integer	If set, returns only up to the specified number of hosts.
nx	query	boolean	If set, returns only the hosts with nx matching this value
origin	query	string	If set, returns only the hosts whose origin matches the parameter.
status	query	string	If set, returns only the hosts whose statuses match the parameter.
subdomains	query	boolean	If set, extends the host matching to include all subdomains of the specified name. Default: true.
regRegistry	query	boolean	If set, extends the host matching to include all domains immediately under a registry suffix.
regPublic	query	boolean	If set, extends the host matching to include all domains immediately under a public suffix.

Enumerated Values

Parameter	Value
origin	cert
origin	ct
origin	hdb
origin	manual
status	monitored
status	idle
status	archived

Example responses

200 Response

{
  "hosts": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-11-21T14:12:47.584Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-11-21T14:12:47.584Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-11-21T14:12:47.584Z",
      "lastRegLookupTime": "2024-11-21T14:12:47.584Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-11-21T14:12:47.584Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-11-21T14:12:47.584Z",
      "lastAssessmentTime": "2024-11-21T14:12:47.584Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-11-21T14:12:47.584Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-11-21T14:12:47.584Z",
      "domainExpireTime": "2024-11-21T14:12:47.584Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListHostsResponse
400	Bad Request	Invalid request	None

Request hosts PDF report

Code samples

POST /v1/org/{org}/hosts/{hostname}/pdfReport HTTP/1.1
Host: api.hardenize.com

POST /hosts/{hostname}/pdfReport

Requests a PDF of a report for the specified host. The PDF will be generated asynchronously from the latest assessment results, and it wont trigger an assessment it's self.

Successful response file: PdfFile

Parameters

Parameter	In	Type	Description
hostname	path	undefined	The name of the host

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": true,
  "statusCode": 200,
  "contentType": "application/json; charset=UTF-8",
  "pages": 10,
  "rows": 2494,
  "rowsPerPage": 250
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus

Request zone transfer

Code samples

POST /v1/org/{org}/hosts/{hostname};zoneTransfer HTTP/1.1
Host: api.hardenize.com

POST /hosts/{hostname};zoneTransfer

Asynchronous operation. Requests a zone transfer for this name, using the configured settings. This endpoint is useful if you wish to test if a zone transfer can be successfully completed, or if you wish to inspect the state of a particular zone in real time.

DNS zone transfers are usually not allowed from public IP addresses. For this reason we perform this type of zone transfer from a separate set static IP addresses, also known as our integrations outbound addresses. You'll find them documented in your Hardenize account. However, even though these IP addresses uniquely identify us, they shouldn't be trusted as such, given that we use them for all our integrations traffic and all our customers.

Successful response data schema: ZoneTransferResponse

Parameters

Parameter	In	Type	Description
hostname*	path	string	The name of the host.

Detailed descriptions

hostname: The name of the host.

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Identities

To find related domain names, we monitor all configuration aspects of your known domain names and hosts to extract your unique identities. With those in hand, we then continuously monitor global databases to discover new domain names associated with those identities.

Identities are automatically discovered, but need to be manually verified and enabled. This is because the process of finding associated domains is not exact. Some identities, although correct, can be considered to be weak because they will result in false positives. For example, an identity digicert may find DigiCert, Inc. but also DigiCert Sdn. Bhd. These are two different companies. At the end of the day, it's up to you to determine if a particular identity is useful. False positives create more work for you because they beed to be manually reviewed and excluded, but sometimes there may not be a better way to discover everything that needs to be discovered.

Delete identity

Code samples

DELETE /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /identities/{id}

Delete an existing identity. This endpoints should be used to remove identities that were mistakenly considered to be unique, after they are reviewed.

Parameters

Parameter	In	Type	Description
id*	path	integer	The ID of the identity to be deleted.

Responses

Status	Meaning	Description	Schema
204	No Content	OK	None
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

Get identity

Code samples

GET /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com

GET /identities/{id}

Returns the specified identity.

Parameters

Parameter	In	Type	Description
id*	path	integer	The ID of the identity to be fetched.

Example responses

200 Response

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2024-11-21T14:12:47.586Z",
    "lastSeen": "2024-11-21T14:12:47.586Z",
    "lastCheck": "2024-11-21T14:12:47.586Z",
    "error": "Not a unique identity.",
    "errorTime": "2024-11-21T14:12:47.586Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetIdentityResponse
404	Not Found	Identity doesn't exist	None

List identities

Code samples

GET /v1/org/{org}/identities HTTP/1.1
Host: api.hardenize.com

GET /identities

Returns a list of all identities in the account.

Example responses

200 Response

{
  "identities": [
    {
      "identityId": 11113,
      "type": "dns_soa_rname",
      "enabled": true,
      "identity": "postmaster@example.com",
      "createdOn": "2024-11-21T14:12:47.586Z",
      "lastSeen": "2024-11-21T14:12:47.586Z",
      "lastCheck": "2024-11-21T14:12:47.586Z",
      "error": "Not a unique identity.",
      "errorTime": "2024-11-21T14:12:47.586Z"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListIdentitiesResponse

Update identity

Code samples

POST /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /identities/{id}

Updates the specified identity. The only supported operation is control of whether an identity is enabled, meaning it's actively used to discover associated assets. Only unique identities can be enabled. Normally, only unique identities will be added, but it's possible that an identity is identified as shared after the fact. Such identities will be automatically disabled and should be removed.

Body parameter

{
  "enabled": true
}

Parameters

Parameter	In	Type	Description
id*	path	integer	The ID of the identity to be updated.
body	body	UpdateIdentityRequest	none

Example responses

200 Response

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2024-11-21T14:12:47.587Z",
    "lastSeen": "2024-11-21T14:12:47.587Z",
    "lastCheck": "2024-11-21T14:12:47.587Z",
    "error": "Not a unique identity.",
    "errorTime": "2024-11-21T14:12:47.587Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateIdentityResponse
400	Bad Request	Invalid request; details in the response	None
404	Not Found	Identity doesn't exist	None

Integrations

The API endpoints in this section allow you to configure Hardenize to access information in third party systems that contain information about your infrastructure. For example, if you use AWS Route 53, we can pull information about your registered domains as well as the configured DNS zones.

Different types of integrations require different workflows. For example, some integrations (for example, Azure) require only parameters that can be obtained from the other vendor. In other cases (for example, AWS and GCP) you will need to get some data from us, submit it to the third-party, and finally come back to us again to finalize the integration. Please refer to the documentation for more information.

AWS: Setup integrations

Code samples

POST /v1/org/{org}/integrations/aws/;setup HTTP/1.1
Host: api.hardenize.com

POST /integrations/aws/;setup

Prepares your Hardenize account to support AWS integrations and returns the parameters that will need to be used on the AWS side.

Example responses

200 Response

{
  "externalId": "hardenize-1uspdz"
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	SetupAwsIntegrationsResponse
403	Forbidden	Forbidden	None

Create integration

Code samples

POST /v1/org/{org}/integrations HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /integrations

Creates a new integration in your account.

Body parameter

{
  "type": "aws",
  "name": "My Test Integration",
  "ref": "123456789012",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "string"
  }
}

Parameters

Parameter	In	Type	Description
body	body	CreateIntegrationRequest	none

Example responses

200 Response

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-11-21T14:12:47.589Z",
    "nextRunTime": "2024-11-21T14:12:47.589Z",
    "lastRunTime": "2024-11-21T14:12:47.589Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	CreateIntegrationResponse
400	Bad Request	Invalid request	None
403	Forbidden	Forbidden	None

Delete integration

Code samples

DELETE /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com

DELETE /integrations/{integrationId}

Delete an existing integration.

Parameters

Parameter	In	Type	Description
integrationId*	path	string	The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Responses

Status	Meaning	Description	Schema
204	No Content	OK	None
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

GCP: Setup integrations

Code samples

POST /v1/org/{org}/integrations/gcp/;setup HTTP/1.1
Host: api.hardenize.com

POST /integrations/gcp/;setup

Prepares your Hardenize account to support GCP integrations and returns the parameters that will need to be used on the GCP side.

Example responses

200 Response

{
  "serviceAccount": "integration-customer-abc123@hardenize-app-production.iam.gserviceaccount.com"
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	SetupGcpIntegrationsResponse
403	Forbidden	Forbidden	None

Get integration

Code samples

GET /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com

GET /integrations/{integrationId}

Retrieves one integration

Parameters

Parameter	In	Type	Description
integrationId*	path	string	The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Example responses

200 Response

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-11-21T14:12:47.590Z",
    "nextRunTime": "2024-11-21T14:12:47.590Z",
    "lastRunTime": "2024-11-21T14:12:47.590Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetIntegrationResponse
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

List integrations

Code samples

GET /v1/org/{org}/integrations HTTP/1.1
Host: api.hardenize.com

GET /integrations

Returns a list of currently configured integrations.

Example responses

200 Response

{
  "integrations": [
    {
      "integrationId": 1,
      "name": "My Test Integration",
      "ref": "348394209898",
      "type": "aws",
      "enabled": true,
      "tags": [
        "production"
      ],
      "error": "Invalid credentials for logging in to integration",
      "errorTime": "2024-11-21T14:12:47.590Z",
      "nextRunTime": "2024-11-21T14:12:47.590Z",
      "lastRunTime": "2024-11-21T14:12:47.590Z",
      "lastRunErrors": [
        "Unable to obtain list of registered domain names."
      ],
      "config": {
        "accountId": "string"
      }
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListIntegrationsResponse
403	Forbidden	Forbidden	None

Request integration run

Code samples

POST /v1/org/{org}/integrations/{integrationId};run HTTP/1.1
Host: api.hardenize.com

POST /integrations/{integrationId};run

Request integration to run as soon as possible. This endpoint will scheduled the integration, updating the nextRunTime field. A background process will pick up the change and the integration should run within a few minutes. After the integration has run, the lastRunTime field will be updated.

Parameters

Parameter	In	Type	Description
integrationId*	path	string	The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Responses

Status	Meaning	Description	Schema
204	No Content	OK	None
400	Bad Request	Invalid request (integration disabled)	None
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

Test integration connectivity

Code samples

POST /v1/org/{org}/integrations/{integrationId};test HTTP/1.1
Host: api.hardenize.com

POST /integrations/{integrationId};test

Tests if the integration is correctly configured and we are able to successfully connect to the third-party system. If you're interested in the operation of an integration beyond authentication, use the run option, which will authenticate but also attempt to exercise all the configured functionality.

Parameters

Parameter	In	Type	Description
integrationId*	path	string	The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Example responses

200 Response

{
  "success": false,
  "error": "Failed to authenticate"
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	TestIntegrationResponse
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

Update integration

Code samples

POST /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /integrations/{integrationId}

Update an existing integration

Body parameter

{
  "name": "My Test Integration",
  "ref": "348394209898",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "123456789012"
  }
}

Parameters

Parameter	In	Type	Description
body	body	UpdateIntegrationRequest	none
integrationId*	path	string	The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Example responses

200 Response

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-11-21T14:12:47.591Z",
    "nextRunTime": "2024-11-21T14:12:47.591Z",
    "lastRunTime": "2024-11-21T14:12:47.591Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateIntegrationResponse
400	Bad Request	Invalid request	None
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

Issues

Maturity: Under Development

The Issues subsystem is where we track actionable insights for aspects of network infrastructure that need to be worked on. At this time, for example, we generate issues for a variety of problems related to DNS configuration, domain name registration, CT monitoring, and certificate expiration.

An issue is given a unique identifier for tracking purposes. Their title and description will explain the basics. Look at the subject, subjectDomain, and severity fields to understand the potential impact. Additional metadata fields are available to help you make sense of the problem and its severity. Issue fields are documented in the Issue schema.

Conceptually, issues are simple. We create them when we encounter problems we think you might want to know about it. After that, you can choose to act on them. We automatically close issues when we detect that they are no longer manifesting.

Issue Lifecycle

At the most basic level, we track issues based on whether they are open or closed. This is done via the open field. An open issue points to something that needs to be worked on. Once the work is complete, the issue is considered closed.

When nuance is required, the status field is used to provide a more granular description of issue status, describing, for example, how it will be dealt with or how it's been resolved.

Most issues will have one of the two main statuses:

• active - the default status for open issues. This status will remain until the issue is resolved or the status is changed to one of the manual statuses documented below.

• completed - the work on the issue has been completed. For issues opened automatically, this means that the issue is no longer manifesting. The issue is considered closed.

Issues can have one of the following statuses if they are ignored or if dealing with them is postponed:

• ignored - the underlying problem hasn't been fixed, but the issue is not going to be addressed and should be considered closed. For example, you might want to use this status if the problem is considered to be insignificant or an acceptable risk.

• snoozed - dealing with this issue has been postponed, either indefinitely or until a certain point of time, after which the status will revert back to active. The issue remains open, but will usually be hidden from the default view.

• bogus - the issue is flagged as incorrect; the issue is considered closed. Every time you use this status we get a notification, which we may investigate to determine if our assessment needs tuning. If we're not sure why you flagged the issue as incorrect we may get in touch to discuss.

Finally, there are several status that we use when issues are no longer relevant:

• orphaned - the issue has been closed because it was attached to an asset that no longer exists or is no longer being monitored. The issue is closed.

• abandoned - the issue is no longer being updated; this status is typically used for issues that are automatically created from monitoring, but monitoring is no longer taking place for some reason. This could sometimes happen if the nature of the subject changes (e.g., a domain stops being a DNS zone) and the issue falls down through the cracks or if the monitoring policy changes (e.g., you decide to no longer alert on low-severity problems). The issue is closed.

• deprecated - used when the logic behind the issue no longer applies, typically because it is no longer relevant or it is superseded by another detection. The issue is closed.

Open issues can only be active or snoozed. Closed issues can take any of the other statuses.

In our current implementation, we support only issues that are created automatically from infrastructure monitoring. They are also automatically closed. Until that happens, it's possible to override the active status and change it to one of ignored, snoozed, or bogus.

There is a periodic background process that looks for issues that are no longer relevant and assigns them one of abandoned, deprecated, or orphaned.

Get issue

Code samples

GET /v1/org/{org}/issues/{issueId} HTTP/1.1
Host: api.hardenize.com

GET /issues/{issueId}

Returns the issue that matches the supplied identifier.

Parameters

Parameter	In	Type	Description
issueId*	path	integer	The identifier of the desired issue.

Example responses

200 Response

{
  "integration": {
    "issueId": 10001,
    "revision": 1,
    "definitionId": "DNS1001",
    "subject": "OPAQUE",
    "subjectDomain": "example.com",
    "title": "Dangling Resource Record",
    "category": "DNS",
    "severity": "high",
    "cause": "OPAQUE",
    "causeDomain": "nxdomain.example.com",
    "causeIp": "192.168.1.1",
    "open": true,
    "status": "active",
    "auto": true,
    "autoOpen": true,
    "autoPreservedStatus": "string",
    "createdOn": "2022-06-17T00:00:00Z",
    "lastClosed": "2022-06-17T00:00:00Z",
    "lastUpdated": "2022-06-17T00:00:00Z",
    "lastChecked": "2022-06-17T00:00:00Z",
    "lastConfirmed": "2022-06-17T00:00:00Z",
    "snoozedUntil": "2022-06-17T00:00:00Z",
    "details": {
      "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
      "rrDomain": "example.com",
      "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
      "rrType": "SRV",
      "danglingType": "nxdomain",
      "causeDomain": "nxdomain.example.com"
    },
    "groups": [
      "Product"
    ]
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetIssueResponse
400	Bad Request	Invalid request	None
404	Not Found	Issue not found	None

List issues

Code samples

GET /v1/org/{org}/issues HTTP/1.1
Host: api.hardenize.com

GET /issues

Returns a list of issues. This endpoint provides partial issue information intended for lists and summaries. For example, issue details are not returned. Complete issue information can be retrieved by fetching an issue directly or by requesting a bulk transfer.

Parameters

Parameter	In	Type	Description
open	query	boolean	If set, returns only issues that are open or closed as requested.
status	query	string	If set, returns only issues that match the requested status.
updatedSince	query	string(date-time)	If set, returns only issues created or updated since the provided timestamp.
group	query	array[string]	If set, returns only issues that match ALL the requested groups.
definitionIds	query	string	If set, should contain a comma separated list of definition ids to filter on

Example responses

200 Response

{
  "issues": [
    {
      "issueId": 10001,
      "revision": 1,
      "definitionId": "DNS1001",
      "subject": "OPAQUE",
      "subjectDomain": "example.com",
      "title": "Dangling Resource Record",
      "category": "DNS",
      "severity": "high",
      "cause": "OPAQUE",
      "causeDomain": "nxdomain.example.com",
      "causeIp": "192.168.1.1",
      "open": true,
      "status": "active",
      "auto": true,
      "autoOpen": true,
      "autoPreservedStatus": "string",
      "createdOn": "2022-06-17T00:00:00Z",
      "lastClosed": "2022-06-17T00:00:00Z",
      "lastUpdated": "2022-06-17T00:00:00Z",
      "lastChecked": "2022-06-17T00:00:00Z",
      "lastConfirmed": "2022-06-17T00:00:00Z",
      "snoozedUntil": "2022-06-17T00:00:00Z",
      "details": {
        "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
        "rrDomain": "example.com",
        "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
        "rrType": "SRV",
        "danglingType": "nxdomain",
        "causeDomain": "nxdomain.example.com"
      },
      "groups": [
        "Product"
      ]
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListIssuesResponse
400	Bad Request	Invalid request	None
403	Forbidden	Forbidden	None

Transfer issues

Code samples

POST /v1/org/{org}/issues/;transfer HTTP/1.1
Host: api.hardenize.com

POST /issues/;transfer

Initiates an issue transfer, which is an asynchronous operation. This operation is intended for transfer of complete issue information, which may involve a great number of issues as well as large amount of data.

Successful response data schema: ListIssuesResponse

Parameters

Parameter	In	Type	Description
open	query	boolean	If set, returns only issues that are open or closed as requested.
status	query	string	If set, returns only issues that match the requested status.
updatedSince	query	string(date-time)	If set, returns only issues created or updated since the provided timestamp.

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request	None
403	Forbidden	Forbidden	None

Update issue

Code samples

POST /v1/org/{org}/issues/{issueId} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /issues/{issueId}

Updates an issue. At this time we support setting issue status to one of bogus, ignored, or snoozed. Setting status to bogus and ignored causes the issue to be permanently dismissed and thus closed. The use of the snooze status requires that snoozeTimestamp is set.

Body parameter

{
  "status": "snoozed",
  "snoozedUntil": "2022-06-17T00:00:00.000Z"
}

Parameters

Parameter	In	Type	Description
body	body	UpdateIssueRequest	none
issueId*	path	integer	The identifier of the desired issue.

Example responses

200 Response

{
  "integration": {
    "issueId": 10001,
    "revision": 1,
    "definitionId": "DNS1001",
    "subject": "OPAQUE",
    "subjectDomain": "example.com",
    "title": "Dangling Resource Record",
    "category": "DNS",
    "severity": "high",
    "cause": "OPAQUE",
    "causeDomain": "nxdomain.example.com",
    "causeIp": "192.168.1.1",
    "open": true,
    "status": "active",
    "auto": true,
    "autoOpen": true,
    "autoPreservedStatus": "string",
    "createdOn": "2022-06-17T00:00:00Z",
    "lastClosed": "2022-06-17T00:00:00Z",
    "lastUpdated": "2022-06-17T00:00:00Z",
    "lastChecked": "2022-06-17T00:00:00Z",
    "lastConfirmed": "2022-06-17T00:00:00Z",
    "snoozedUntil": "2022-06-17T00:00:00Z",
    "details": {
      "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
      "rrDomain": "example.com",
      "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
      "rrType": "SRV",
      "danglingType": "nxdomain",
      "causeDomain": "nxdomain.example.com"
    },
    "groups": [
      "Product"
    ]
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetIssueResponse
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
404	Not Found	Issue not found	None

Network Ranges

Add, remove, and update your network ranges. If your organization has access to network scanning in Hardenize, you can also optionally enable scanning for a network range. At this time, scanning is available immediately for IPv4 ranges up to a /22. We manually enable scanning of larger ranges, usually after discussing the requirements with the customer. We don't scan IPv6 ranges.

Create network range

Code samples

POST /v1/org/{org}/networkRanges HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /networkRanges

Creates a new network range. The range can not overlap any existing range. The label you choose should be short. "scan" is optional and will only be allowed if your organization has that feature enabled and the range is suitably small: /24 for IPv4 and /128 for IPv6.

Body parameter

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "range": "192.168.1.0/24",
  "scan": true,
  "tags": [
    "production"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	NetworkRange	none

Responses

Status	Meaning	Description	Schema
201	Created	Network range created	None
400	Bad Request	Invalid parameters	None
403	Forbidden	Insufficient permissions to perform operation	None

Delete network range

Code samples

DELETE /v1/org/{org}/networkRanges/{range} HTTP/1.1
Host: api.hardenize.com

DELETE /networkRanges/{range}

Deletes a network range if it exists

Parameters

Parameter	In	Type	Description
range*	path	string	The network range to delete.

Responses

Status	Meaning	Description	Schema
204	No Content	Network range deleted	None
403	Forbidden	Insufficient permissions to perform operation	None
404	Not Found	Network range not found	None

List network ranges

Code samples

GET /v1/org/{org}/networkRanges HTTP/1.1
Host: api.hardenize.com

GET /networkRanges

Returns all configured network ranges.

Example responses

200 Response

{
  "networkRanges": [
    {
      "label": "DC01 Public",
      "description": "Public IP range for London data center",
      "range": "192.168.1.0/24",
      "scan": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListNetworkRangesResponse

Update network range

Code samples

POST /v1/org/{org}/networkRanges/{range} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /networkRanges/{range}

Update the label/description/scan of a network range

Body parameter

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "scan": true,
  "tags": [
    "production"
  ]
}

Parameters

Parameter	In	Type	Description
range*	path	string	The network range to update.
body	body	UpdateNetworkRangeRequest	none

Responses

Status	Meaning	Description	Schema
204	No Content	Network range updated	None
400	Bad Request	Invalid parameters	None
403	Forbidden	Insufficient permissions to perform operation	None
404	Not Found	Network range not found	None

Operations

For activities that may take a long time, we support asynchronous operations that enable you to submit a request and disconnect while our servers continue to work on the requested task. The documentation for each API endpoint will indicate if asynchronous operation is supported and whether it's required or optional.

When a request to do some work asynchronously is submitted, we respond with the 202 Accepted response, indicating that work is being scheduled but that it is not yet completed. This is in contrast to the standard 200 OK response that you get when a request is immediately completed. When you see a 202 response, the body of the response will include an OperationStatus object that tracks the status of the requested work. For example:

HTTP/1.1 202 Accepted
Content-Type: application/vnd.hardenize.v1.operation-status+json; charset=UTF-8
Location: /v1/org/{org}/operations/6e7b190fa8d4ba14f707

{
    "id": "6e7b190fa8d4ba14f707",
    "done": false,
    "statusCode": 202
}

The best way to think about asynchronous work is that your initial request creates a task which, when complete, produces some results. The task status and its results are two separate resources.

We also provide a set of endpoints that enable you to monitor operation progress. When an operation is created it is assigned a unique identifier, which is part of the operation status. Once you know this identifier you can use it to look up the updated operation status. In addition, the 202 response includes a Location header that contains a link to the operation status.

From this point, the expected workflow is that you will periodically poll the Get Operation endpoint and monitor the value in the done field, which will start as false and change to true when the work is completed. At this point the statusCode field will contain the final value, which should be interpreted as the HTTP status code you would have received had the operation been invoked synchronously. Additionally, the status object main contain further information about the results, for example the number of pages and rows per page. For example:

HTTP/1.1 200 OK
Content-Type: application/vnd.hardenize.v1.operation-status+json; charset=UTF-8

{
    "id": "6e7b190fa8d4ba14f707",
    "done": true,
    "statusCode": 200,
    "pages": 100,
    "rows": 99754,
    "rowsPerPage": 1000
}

If the status code is 200 OK, then the operation has been successful and you can retrieve the results with a further GET method to the Get Operation Results endpoint. Depending on the operation, results may be available on failure as well. In that situation, for example, the results may include further error information.

If you attempt to access operation results before they're ready, you will be redirected to the Get Operation endpoint with a 303 See Other response. In this case, the response body will also include the operation status. If you observe a 404 Not Found response, that means that the operation has expired and should be submitted again if desired. The server will make a best-effort attempt to preserve operation results for as long as possible, but the expectation is that the results will be consumed immediately as they become available. In case of partial (paginated) access, it is recommended that the results are collected in under one hour.

Cancel Operation

Code samples

DELETE /v1/org/{org}/operations/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /operations/{id}

Requests cancellation of the operation with the supplied identifier. The server will attempt to carry out the request, but there are no guarantees that the operation will be successful. Clients that request operations that take a long time (and thus probably require significant resources) should always cancel if they give up waiting.

Parameters

Parameter	In	Type	Description
id*	path	string	Operation identifier

Responses

Status	Meaning	Description	Schema
202	Accepted	Cancellation request accepted	None
400	Bad Request	Invalid parameters	None
404	Not Found	Operation not found	None

Get Operation Results

Code samples

GET /v1/org/{org}/operations/{id}/results HTTP/1.1
Host: api.hardenize.com

GET /operations/{id}/results

Retrieves the results generated by the operation with the supplied identifier. If the operation completed, this endpoint will deliver the same data as if the operation were invoked directly and completed in the same HTTP request. The original operation HTTP status code will be placed in the X-Operation-Status-Code response header. This is done to distinguish failures of the API from operation failures.

If this endpoint is called while the operation is still in progress, this endpoint will respond with the 303 status code and include the operation status information in the response body.

Parameters

Parameter	In	Type	Description
id*	path	string	Operation identifier

Example responses

303 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": true,
  "statusCode": 200,
  "contentType": "application/json; charset=UTF-8",
  "pages": 10,
  "rows": 2494,
  "rowsPerPage": 250
}

Responses

Status	Meaning	Description	Schema
200	OK	Operation results are in the response body	None
206	Partial Content	Partial results are in the response body	None
303	See Other	Operation not yet completed	OperationStatus
400	Bad Request	Invalid request	None
404	Not Found	Operation not found	None

Get Operation Status

Code samples

GET /v1/org/{org}/operations/{id} HTTP/1.1
Host: api.hardenize.com

GET /operations/{id}

Retrieves the status of the operation with the supplied identifier.

Parameters

Parameter	In	Type	Description
id*	path	string	Operation identifier

Example responses

200 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": true,
  "statusCode": 200,
  "contentType": "application/json; charset=UTF-8",
  "pages": 10,
  "rows": 2494,
  "rowsPerPage": 250
}

Responses

Status	Meaning	Description	Schema
200	OK	Request successful	OperationStatus
400	Bad Request	Invalid parameters	None
404	Not Found	Operation not found	None

Reports

Maturity: Under Development

In the Report section of the API we provide summaries of the reports done for your monitored hosts. This is the same information that's available in the web application under the Hosts navigation. This section of the API is transient and will be replaced with a more comprehensive implementation in the near future. That's why we have the zero ("0") in the endpoint path.

List reports

Code samples

GET /v1/org/{org}/reports0 HTTP/1.1
Host: api.hardenize.com

GET /reports0

Returns all available reports. If you provide one of the optional parameters, only the reports matching the specified filters will be listed. If you provide multiple parameters, only the reports matching all the specified filters will be listed.

Parameters

Parameter	In	Type	Description
format	query	string	Response format. Default: json.
name	query	string	The name of the host whose report summary you wish to retrieve.
subdomains	query	boolean	If set, extends the host matching to include all subdomains of the specified name. Default: false.
group	query	string	If set, returns only the summaries for hosts that belong to the specified group.

Enumerated Values

Parameter	Value
format	csv
format	json

Example responses

200 Response

{
  "reports": [
    {
      "hostname": "example.com",
      "status": "completed",
      "reportTime": "2018-10-10T15:36:49.044Z",
      "hasDnssec": true,
      "hasSmtp": true,
      "hasSmtpTls": true,
      "hasSmtpDane": true,
      "hasSpf": true,
      "hasDmarc": true,
      "hasHttp": true,
      "hasHttps": true,
      "hasHttpsDane": true,
      "hasHttpsRedirection": true,
      "hasHttpsTls12OrBetter": true,
      "hasSsl2": true,
      "hasSsl3": true,
      "hasTls10": true,
      "hasTls11": true,
      "hasTls12": true,
      "hasTls13": true,
      "supportsSsl2": true,
      "supportsSsl3": true,
      "supportsTls10": true,
      "supportsTls11": true,
      "supportsTls12": true,
      "supportsTls13": true,
      "hasHsts": true,
      "hasHstsPreloaded": true,
      "nameServers": "string",
      "dnssec": "string",
      "emailTls": "string",
      "emailDane": "string",
      "spf": "string",
      "dmarc": "string",
      "wwwTls": "string",
      "wwwDane": "string",
      "wwwXssProtection": "string",
      "wwwXssProtectionEnabled": true,
      "wwwXcto": true,
      "hsts": "string",
      "hpkp": "string",
      "cookies": "string",
      "mixedContent": "string",
      "securityHeaders": "string",
      "csp": "string"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListReports0Response

Request Certificates Report

Code samples

POST /v1/org/{org}/reports/certificates HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/certificates

Maturity: Under Development

Request certificates report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: CertificateReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "active": true,
  "revoked": true,
  "expiring": true,
  "expiringDays": 10
}

Parameters

Parameter	In	Type	Description
body	body	CertificateReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Request DMARC Report

Code samples

POST /v1/org/{org}/reports/dmarc HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/dmarc

Maturity: Under Development

Request DMARC report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: DmarcReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	DmarcReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Request Domains Report

Code samples

POST /v1/org/{org}/reports/domains HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/domains

Maturity: Under Development

Request domains report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: DomainsReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	DomainsReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Request Expiring Certificates Report

Code samples

POST /v1/org/{org}/reports/certificates/expiringEndpoints HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/certificates/expiringEndpoints

Maturity: Under Development

Request expiring certificates report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: CertificateExpiringEndpointsReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "integration": "Entrust Dev",
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	CertificateExpiringEndpointsReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Request Host Discoveries Report

Code samples

POST /v1/org/{org}/reports/hostDiscoveries HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/hostDiscoveries

Maturity: Under Development

Request host discoveries report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: DiscoveryHostReportResponse

Body parameter

{
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	DiscoveryHostReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Request Hosts Report

Code samples

POST /v1/org/{org}/reports/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/hosts

Maturity: Under Development

Request host discoveries report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: HostsReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	HostsReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Request Ip Addresses Report

Code samples

POST /v1/org/{org}/reports/ipAddresses HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/ipAddresses

Maturity: Under Development

Request ip addresses report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: IpAddressReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	IpAddressReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Request Issues Report

Code samples

POST /v1/org/{org}/reports/issues HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/issues

Maturity: Under Development

Request issues report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: IssuesReportResponse

Body parameter

{
  "type": "active",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	IssuesReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Request Network Ranges Report

Code samples

POST /v1/org/{org}/reports/networkRanges HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/networkRanges

Maturity: Under Development

Request network ranges report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: NetworkRangesReportResponse

Body parameter

{
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	NetworkRangesReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Request Open Ports Report

Code samples

POST /v1/org/{org}/reports/openPorts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/openPorts

Maturity: Under Development

Request open ports report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: OpenPortsReportResponse

Body parameter

{
  "address": "192.168.1.1",
  "port": 443,
  "transport": "tcp",
  "service": "other",
  "hostname": "example.com",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	OpenPortsReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Request Spf Report

Code samples

POST /v1/org/{org}/reports/spf HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/spf

Maturity: Under Development

Request spf report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: SpfReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	SpfReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Report Cards

Maturity: Under Development

In the Report section of the API we provide summaries of the report cards done for your monitored hosts.

List report cards

Code samples

GET /v1/org/{org}/reportCards HTTP/1.1
Host: api.hardenize.com

GET /reportCards

Maturity: Under Development

Retrieves all report cards.

Returns all available report cards. If you provide one of the optional parameters, only the report cards matching the specified filters will be listed. If you provide multiple parameters, only the report cards matching all the specified filters will be listed.

Parameters

Parameter	In	Type	Description
group	query	string	If set, returns only the report cards that belong to the specified group.
newSince	query	string(date-time)	If set, returns only report cards added to the account since the specified date.

Detailed descriptions

group: If set, returns only the report cards that belong to the specified group.

Example responses

200 Response

{
  "reportCards": [
    {
      "reportVersion": 1,
      "domainPunycode": "example.com",
      "domainUnicode": "example.com",
      "available": true,
      "hardenizeVersion": "v1.1603.1",
      "timestamp": "2024-11-21T14:12:47.603Z",
      "sections": [
        {
          "id": "SECTION_DOMAIN",
          "name": "Domain",
          "items": [
            {
              "id": "ITEM_DOMAIN_REGISTRATION",
              "name": "Domain Registration",
              "status": "good",
              "remarks": [
                {
                  "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
                  "title": "Nameserver is not operational",
                  "content": "Good. The private key associated with this certificate is secure.",
                  "severity": "good",
                  "data": {
                    "Name": "dns1.registrar-servers.com.",
                    "Address": "2610:a1:1024::200",
                    "Reverse name": "dns1.registrar-servers.com."
                  }
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListReportCardsResponse
400	Bad Request	Invalid parameters	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Retrieves a report card for a specified hostname

Code samples

GET /v1/org/{org}/reportCards/{hostname} HTTP/1.1
Host: api.hardenize.com

GET /reportCards/{hostname}

Maturity: Under DevelopmentRetrieves a report card for the specified hostname.

Returns all available report cards. If you provide one of the optional parameters, only the report cards matching the specified filters will be listed. If you provide multiple parameters, only the report cards matching all the specified filters will be listed.

Parameters

Parameter	In	Type	Description
hostname*	path	string	If set, returns only the report card for the specified hostname.

Detailed descriptions

hostname: If set, returns only the report card for the specified hostname.

Example responses

200 Response

{
  "reportCard": {
    "reportVersion": 1,
    "domainPunycode": "example.com",
    "domainUnicode": "example.com",
    "available": true,
    "hardenizeVersion": "v1.1603.1",
    "timestamp": "2024-11-21T14:12:47.603Z",
    "sections": [
      {
        "id": "SECTION_DOMAIN",
        "name": "Domain",
        "items": [
          {
            "id": "ITEM_DOMAIN_REGISTRATION",
            "name": "Domain Registration",
            "status": "good",
            "remarks": [
              {
                "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
                "title": "Nameserver is not operational",
                "content": "Good. The private key associated with this certificate is secure.",
                "severity": "good",
                "data": {
                  "Name": "dns1.registrar-servers.com.",
                  "Address": "2610:a1:1024::200",
                  "Reverse name": "dns1.registrar-servers.com."
                }
              }
            ]
          }
        ]
      }
    ]
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetReportCardResponse
400	Bad Request	Invalid parameters	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Suborganizations

Depending on the type of subscription, organization accounts can be configured to allow creation of nested organizations. These suborganizations are designed to be fully independent, although it's possible to retain some level of control over them via the parent account.

New suborganizations support the same API endpoints, although the capabilities will typically be different to that of the parent account. To access a suborganization via this API, first use the parent account to create a new set of master API credentials. Subsequently, use the new credentials to access the suborganization directly. Do note that the suborganization identifiers exposed by this API are relative to that of the parent account. When accessing suborganization APIs directly you need to use the complete account identifier, which will be in the form of parent.child. Attempting to use an incorrect identifier will result in a 404 response.

Create Organization

Code samples

POST /v1/org/{org}/suborgs HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /suborgs

Creates a new suborganization under this account. If successful, this endpoint returns full information about the newly-created organization.

Body parameter

{
  "id": "7f070931-0cfb-41cb-bb05-98a792d238b1",
  "name": "Hardenize",
  "label": "hardenize",
  "status": "active",
  "certLimitHard": 1000,
  "commercialStatus": "internal",
  "generateApiCredentials": true,
  "hostDiscoveryAutoimportSubdomains": false,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": 1000,
  "featureHostDiscovery": false,
  "featureMfa": false,
  "featureSaml": false
}

Parameters

Parameter	In	Type	Description
body	body	CreateOrgRequest	none

Example responses

200 Response

{
  "org": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Organization created	CreateOrgResponse
400	Bad Request	Invalid parameters or organization with the supplied id or name already exists.	None
403	Forbidden	Account doesn't support suborganizations	None

Delete Organization

Code samples

DELETE /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /suborgs/{id}

Permanently deletes one nested organization. Because this operation is irreversible and thus quite dangerous, this endpoint is typically disabled by default, and may be enabled on sandbox accounts only. The recommended way to delete organizations is to set the status to deleted.

Parameters

Parameter	In	Type	Description
id*	path	string	Organization identifier.

Responses

Status	Meaning	Description	Schema
204	No Content	Organization deleted	None
403	Forbidden	Account doesn't support suborganizations, or the delete operation not permitted	None
404	Not Found	Organization doesn't exist	None

Get Organization

Code samples

GET /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com

GET /suborgs/{id}

Returns the specified nested organization.

Parameters

Parameter	In	Type	Description
id*	path	string	Organization identifier.

Example responses

200 Response

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetOrgResponse
403	Forbidden	Account doesn't support suborganizations	None
404	Not Found	Organization doesn't exist	None

List Organizations

Code samples

GET /v1/org/{org}/suborgs HTTP/1.1
Host: api.hardenize.com

GET /suborgs

Returns a complete list of all organizations nested under this account.

Example responses

200 Response

{
  "orgs": [
    {
      "id": "hardenize",
      "name": "Hardenize",
      "status": "active",
      "commercialStatus": "internal",
      "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
      "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
      "hostDiscoveryAutoimportSubdomains": true,
      "hostDiscoveryEnabled": true,
      "hostDiscoveryError": "string",
      "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
      "hostDiscoveryExcludeSuffixes": [
        "sub.example.com"
      ],
      "hostLimitHard": 10000,
      "hostDiscoveryLimitHard": 10000,
      "certLimitHard": 75000,
      "featureHostDiscovery": false,
      "featureMfa": false,
      "featureSaml": false
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListOrgsResponse
403	Forbidden	Account doesn't support suborganizations	None

Update Organization

Code samples

POST /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /suborgs/{id}

Updates the desired nested organization.

Body parameter

{
  "name": "Hardenize",
  "status": "active",
  "commercialStatus": "internal",
  "generateApiCredentials": false,
  "hostDiscoveryAutoimportSubdomains": true,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": -1,
  "featureHostDiscovery": true,
  "featureMfa": false,
  "featureSaml": false
}

Parameters

Parameter	In	Type	Description
id*	path	string	Organization identifier.
body	body	UpdateOrgRequest	none

Example responses

200 Response

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateOrgResponse
403	Forbidden	Account doesn't support suborganizations	None
404	Not Found	Organization doesn't exist	None

Search

Maturity: Under Development

At the Business tier and higher, Hardenize accounts include a search engine that's updated in real time whenever new data becomes available. The search engine contains multiple indexes, each tracking a different type of data. At this time, we support the network and certificates indexes. Our search engine is based on Elasticsearch, a de-facto standard.

Request search

Code samples

POST /v1/org/{org}/search HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /search

Request a search to the search engine. The index parameter should contain the desired index and the query parameter should contain the desired query in the Elasticsearch query format. By default, the results will be in JSON format. If you wish CSV output instead, supply a list of field names in the columns parameter. Please note that, as a limitation of Elasticsearch, array fields cannot be placed in CSV output in their entirety; only the first value will be.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Body parameter

{
  "index": "network",
  "query": "pki.certs.sha256:f7e960995532d54a845f70e9f3430fccda1f7f3925f874ab50e8105777764d74",
  "limit": 10,
  "columns": [
    "hostname",
    "address",
    "port"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	CreateSearchRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Users

This section provides support for user management, covering both accounts with access to the application as well as service accounts, a special type of account that's designed for API access.

Cancel invite

Code samples

POST /v1/org/{org}/users/{id};cancelInvite HTTP/1.1
Host: api.hardenize.com

POST /users/{id};cancelInvite

Cancels invitation for this user, if it has not already been accepted. Role: Admin.

Parameters

Parameter	In	Type	Description
id*	path	integer	User identifier

Responses

Status	Meaning	Description	Schema
204	No Content	User invite cancelled	None
400	Bad Request	Invalid parameters	None
403	Forbidden	You don't have permission to perform this operation.	None
404	Not Found	User with given email doesn't exist within organization	None

Create service account

Code samples

POST /v1/org/{org}/users;serviceAccount HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /users;serviceAccount

Creates a new service account. Role: Admin.

Body parameter

{
  "name": "Data fetcher",
  "role": "observer",
  "expirationTime": "2024-11-21T14:12:47.607Z"
}

Parameters

Parameter	In	Type	Description
body	body	CreateServiceAccountRequest	none

Example responses

201 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2024-11-21T14:12:47.608Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status	Meaning	Description	Schema
201	Created	Service account created	GetUserResponse
400	Bad Request	Invalid parameters	None
403	Forbidden	You don't have permission to perform this operation.	None

Get user

Code samples

GET /v1/org/{org}/users/{id} HTTP/1.1
Host: api.hardenize.com

GET /users/{id}

Retrieves the available information for the requested user account.

Parameters

Parameter	In	Type	Description
id*	path	integer	User identifier

Example responses

200 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2024-11-21T14:12:47.608Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	User	GetUserResponse
404	Not Found	User with given email doesn't exist within organization	None

Invite new user

Code samples

POST /v1/org/{org}/users;invite HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /users;invite

Invites a new user to the organization. When this endpoint is used, an email is sent to the provided email address, asking the user to join the organization.

Body parameter

{
  "name": "Bob",
  "email": "postmaster@example.com",
  "role": "observer"
}

Parameters

Parameter	In	Type	Description
body	body	InviteUserRequest	none

Example responses

201 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2024-11-21T14:12:47.609Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status	Meaning	Description	Schema
201	Created	User invited	GetUserResponse
400	Bad Request	Invalid parameters	None
403	Forbidden	You don't have permission to perform this operation.	None

List users

Code samples

GET /v1/org/{org}/users HTTP/1.1
Host: api.hardenize.com

GET /users

Lists users that belong to the organization. We don't store user passwords raw in our database and so they will not be provided. Use the password reset function instead.

Example responses

200 Response

{
  "users": [
    {
      "userId": 10001,
      "email": "postmaster@example.com",
      "name": "Bob",
      "status": "active",
      "serviceAccount": true,
      "expirationTime": "2024-11-21T14:12:47.609Z",
      "password": "61cec76600adc8b7aa522a5078f7c837",
      "mfaEnabled": false,
      "role": "observer"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	Users	ListUsersResponse

Update user

Code samples

POST /v1/org/{org}/users/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /users/{id}

Updates the specified user. Role: Admin.

Body parameter

{
  "name": "Bob",
  "deleteMfa": true,
  "resetPassword": true,
  "expirationTime": "2024-11-21T14:12:47.609Z",
  "status": "retired",
  "role": "observer"
}

Parameters

Parameter	In	Type	Description
id*	path	integer	User identifier
body	body	UpdateUserRequest	none

Example responses

200 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2024-11-21T14:12:47.609Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	User updated	GetUserResponse
400	Bad Request	Invalid parameters	None
403	Forbidden	You don't have permission to perform this operation.	None
404	Not Found	User with given email doesn't exist within organization	None

Account

Request account statistics

Code samples

POST /v1/org/{org}/account/;stats HTTP/1.1
Host: api.hardenize.com

POST /account/;stats

Maturity: Under Development

Request general statistics about the organization.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: AccountStatsResponse

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted.	OperationStatus

Schemas

cidr

"127.0.0.1/32"

IP address range in CIDR notation.

Properties

Name	Type	Description
anonymous	string	IP address range in CIDR notation.

GetAssessmentStatusResponse

{
  "assessment": {
    "id": "81763d1c-3722-4e66-89ef-b811844bc46c",
    "host": "example.com",
    "path": "/",
    "unicodeHost": "example.com",
    "status": "available",
    "statusMessage": null,
    "epochTime": 1710773815,
    "statTcpConnections": 51,
    "statTcpEndpointsCount": 12,
    "expectedTcpConnections": 50,
    "expectedDuration": 0
  }
}

Properties

Name	Type	Description
assessment	AssessmentStatus	Contains information about the status of an assessment.

CreateAssessmentRequest

{
  "hostname": "example.com",
  "clearCache": false
}

Contains information needed to create new assessment

Properties

Name	Type	Description
hostname	string	none
clearCache	boolean	none

AssessmentStatus

{
  "id": "81763d1c-3722-4e66-89ef-b811844bc46c",
  "host": "example.com",
  "path": "/",
  "unicodeHost": "example.com",
  "status": "available",
  "statusMessage": null,
  "epochTime": 1710773815,
  "statTcpConnections": 51,
  "statTcpEndpointsCount": 12,
  "expectedTcpConnections": 50,
  "expectedDuration": 0
}

Contains information about the status of an assessment.

Properties

Name	Type	Description
id	string	none
host	string	Name of the host for which the assessment is done.
path	string	Denotes if it is a root assessment.
unicodeHost	string	Hostname converted to unicode.
status	string	Status of the assessment.
statusMessage	string	none
epochTime	integer	.
statTcpConnections	integer	Total number of TCP connections created during the assessment.
statTcpEndpointsCount	integer	Total number of IP addresses communicated with.
expectedTcpConnections	integer	Total number of TCP connections we are expecting, available only for repeated assessments.
expectedDuration	integer	Expected duration of the assessment.

Enumerated Values

Property	Value
status	not_available
status	queued
status	in_progress
status	failed
status	completed
status	available

AuditEvent

{
  "id": 10001,
  "actorType": "u",
  "actorId": "userId:12090749",
  "actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
  "timestamp": "2018-09-03T14:09:59.000Z",
  "remoteAddr": "18.233.176.231",
  "sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
  "resourceType": "user",
  "resourceId": "12090749",
  "action": "user.auth.succeeded",
  "status": 200,
  "details": {
    "method": "password"
  }
}

Contains information about one audit log event.

Properties

Name	Type	Description
id*	integer	none
actorType*	string	Indicates whether the action was carried by an anonymous actor before authentication (a), the system (s), or by an authenticated user or organization (u).
actorId	string	Contains a unique identifier associated with the actor. This value will typically contain a reference to a user, with a prefix userId or to an organization, with a prefix orgId:. The value is stable over the long term.
actorName	string	Contains further information that describes the actor. For users it may contain the name and email address. For organizations, the name. The value here may should not be considered stable as it may change over time, if users or organizations are renamed.
timestamp*	string(date-time)	The UTC timestamp of the event.
remoteAddr	string	The remote IP address of the actor. Not available for system events.
sessionId	string	The actor's unique session identifier. Not available for system events. Please note that we regenerate session IDs after each successful authentication. As a result, you may see one ID at the point when authentication takes place, then another ID immediately after, when we record the sign-in event.
userAgent	string	The user agent associated with the event. Not all events will have this field, but key events associated with user activity will.
resourceType*	string	Indicates resource type.
resourceId*	string	The unique identifier associated with the resource.
action*	string	The unique action identifier.
status*	integer	Status of the event as a HTTP status code.
details	object	Contains additional information specific to the audit event. This field should be considered informational at this point in time.

Enumerated Values

Property	Value
actorType	a
actorType	s
actorType	u
action	org.user.deleted
action	org.user.disabled
action	org.user.enabled
action	org.user.invited
action	org.user.uninvited
action	org.user.joined
action	org.user.profile_changed
action	org.user.session_started
action	user.created
action	user.deleted
action	user.email_changed
action	user.profile_changed
action	user.auth.mfa_removed_by_admin
action	user.auth.password_changed
action	user.auth.password_reset_requested
action	user.auth.password_reset
action	user.auth.password_reset_by_admin
action	user.auth.failed
action	user.auth.forbidden
action	user.auth.signed_in
action	user.auth.signed_out
action	user.auth.succeeded

CertDiscoverySummary

{
  "certDiscoveryId": 11766,
  "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
  "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
  "createdOn": "2022-06-17T00:00:00Z",
  "updatedOn": "2022-06-17T00:00:00Z",
  "closedOn": "2022-06-17T00:00:00Z",
  "escalated": false,
  "status": "open",
  "resolution": "undetermined",
  "certSummary": {
    "shortId": "572908a",
    "label": "ssl760680.cloudflaressl.com",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "ownership": "own",
    "notBefore": "2024-11-21T14:12:47.612Z",
    "notAfter": "2024-11-21T14:12:47.612Z",
    "effectiveNotAfter": "2024-11-21T14:12:47.612Z",
    "revokedOn": "2024-11-21T14:12:47.612Z",
    "hosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "extras": {
      "status": "ok",
      "certsDueDays": 60,
      "certsOverdueDays": 13,
      "certsCriticalDays": 4,
      "certsLabels": "managed"
    },
    "active": true,
    "caPathLen": -1,
    "nameDigestNewer": true
  },
  "matchedHosts": [
    [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ]
  ]
}

Contains complete information about a certificate discovered in one of the monitored CT logs.

Properties

Name	Type	Description
certDiscoveryId	integer(int64)	Unique identifier.
certSha256	string	The SHA256 hash of the associated certificate, if any.
precertSha256	string	The SHA256 hash of the associated precertificate, if any.
tbsSha256	string	The SHA256 hash of the TBSCertificate structure. This value will be the same for the precertificate & certificate combination.
createdOn	string(date-time)	Indicates when this certificate discovery was created.
updatedOn	string(date-time)	Indicates when this certificate discovery was last updated.
closedOn	string(date-time)	Indicates when this certificate discovery was last closed.
escalated	boolean	Indicates when this certificate discovery was escalated.
status	string	Indicates the status of this certificate discovery.
resolution	string	Indicates the discovery resolution.
certSummary	CertificateSummary	Contains summary information about one certificate.
matchedHosts	[string]	List of organization hosts that were observed in the certificate.

Enumerated Values

Property	Value
status	triage
status	open
status	closed
resolution	undetermined
resolution	reconciled
resolution	policyViolation
resolution	fraudulent

CertDiscovery

{
  "certDiscoveryId": 11766,
  "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
  "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
  "createdOn": "2022-06-17T00:00:00Z",
  "updatedOn": "2022-06-17T00:00:00Z",
  "closedOn": "2022-06-17T00:00:00Z",
  "escalated": false,
  "status": "open",
  "resolution": "undetermined",
  "certSummary": {
    "shortId": "572908a",
    "label": "ssl760680.cloudflaressl.com",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "ownership": "own",
    "notBefore": "2024-11-21T14:12:47.613Z",
    "notAfter": "2024-11-21T14:12:47.613Z",
    "effectiveNotAfter": "2024-11-21T14:12:47.613Z",
    "revokedOn": "2024-11-21T14:12:47.613Z",
    "hosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "extras": {
      "status": "ok",
      "certsDueDays": 60,
      "certsOverdueDays": 13,
      "certsCriticalDays": 4,
      "certsLabels": "managed"
    },
    "active": true,
    "caPathLen": -1,
    "nameDigestNewer": true
  },
  "certKnown": false,
  "certInstalled": true,
  "certExpired": false,
  "certRevoked": false,
  "issuerAllowed": true,
  "issuerAllowedKeyword": "GlobalSign",
  "issuerNotAllowed": false,
  "issuerForbidden": false,
  "issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
  "caaMismatch": false,
  "caaMatchFull": false,
  "notCtCompliant": false,
  "maxLifetimeExceeded": false,
  "timeoutCaseInactive": false,
  "timeoutCertNotInstalled": false,
  "matchedHosts": [
    [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ]
  ],
  "matchedHostsInfo": {
    "property1": {
      "wildcard": false,
      "caa": {
        "records": [
          "string"
        ],
        "source": "string",
        "time": "2022-06-17T00:00:00Z",
        "allowed": true,
        "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
      }
    },
    "property2": {
      "wildcard": false,
      "caa": {
        "records": [
          "string"
        ],
        "source": "string",
        "time": "2022-06-17T00:00:00Z",
        "allowed": true,
        "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
      }
    }
  },
  "matchedHostsCaaHistory": {
    "property1": [
      {
        "policyHostname": "string",
        "status": "present",
        "statusMessage": "string",
        "firstSeen": "2024-11-21T14:12:47.613Z",
        "lastSeen": "2024-11-21T14:12:47.613Z",
        "records": [
          "string"
        ]
      }
    ],
    "property2": [
      {
        "policyHostname": "string",
        "status": "present",
        "statusMessage": "string",
        "firstSeen": "2024-11-21T14:12:47.613Z",
        "lastSeen": "2024-11-21T14:12:47.613Z",
        "records": [
          "string"
        ]
      }
    ]
  },
  "matchedWildcardHosts": [
    "bonn-06.qlued.net",
    "www.bonn-06.qlued.net"
  ],
  "ctLogs": [
    {
      "name": "rocketeer",
      "log": "ct.googleapis.com/rocketeer",
      "timestamp": 1533791245857,
      "index": 232455,
      "type": "cert",
      "sources": [
        "log",
        "tls"
      ]
    }
  ]
}

Contains complete information about a certificate discovered in one of the monitored CT logs.

Properties

Name	Type	Description
certDiscoveryId	integer(int64)	Unique identifier.
certSha256	string	The SHA256 hash of the associated certificate, if any.
precertSha256	string	The SHA256 hash of the associated precertificate, if any.
tbsSha256	string	The SHA256 hash of the TBSCertificate structure. This value will be the same for the precertificate & certificate combination.
createdOn	string(date-time)	Indicates when this certificate discovery was created.
updatedOn	string(date-time)	Indicates when this certificate discovery was last updated.
closedOn	string(date-time)	Indicates when this certificate discovery was last closed.
escalated	boolean	Indicates when this certificate discovery was escalated.
status	string	Indicates the status of this certificate discovery.
resolution	string	Indicates the discovery resolution.
certSummary	CertificateSummary	Contains summary information about one certificate.
certKnown	boolean	True if the certificate is confirmed as known. This may happen if the certificate is explicitly uploaded via the API, or if we observe the certificate in one of your CA accounts (via an integration).
certInstalled	boolean	True if the certificate has been installed.
certExpired	boolean	True if the certificate has expired.
certRevoked	boolean	True if the certificate has been revoked.
issuerAllowed	boolean	True if the certificate issuer matched one of the configured keywords.
issuerAllowedKeyword	string	If issuerAllowed is true, this field contains the keyword that matched.
issuerNotAllowed	boolean	True if the certificate issuer didn't match any configured keywords.
issuerForbidden	boolean	True if certificate issuer contains a keyword that is forbidden.
issuerForbiddenKeyword	string	If issuerForbiddenKeyword is true, this field contains the keyword that matched.
caaMismatch	boolean	True if the certificate doesn't match the CAA configuration observed immediately after the issuance has been retrieved from a CT log.
caaMatchFull	boolean	True if all hosts in the certificate matched the CAA configuration observed immediately after the issuance has been retrieved from a CT log.
notCtCompliant	boolean	True if the certificate is not CT compliant with one or more major vendors, such as Apple, Google, and Microsoft.
maxLifetimeExceeded	boolean	True if the certificate lifetime is longer than the currently allowed maximum.
timeoutCaseInactive	boolean	True when a certificate discovery is closed due to inactivity.
timeoutCertNotInstalled	boolean	True on a certificate discovery that's closed because the certificate has not been seen installed.
matchedHosts	[string]	List of organization hosts that were observed in the certificate.
matchedHostsInfo	object	A map containing information about matched hosts, where the keys are hostnames and the values are objects of type DiscoveryHostInfo.
» additionalProperties	DiscoveryHostInfo	Contains information about the host in the cert discovery
matchedHostsCaaHistory	object	A map containing the history of Certification Authority Authorization (CAA) records for the matched hosts, where the keys are hostnames and the values are arrays of type HostCaaHistory.
» additionalProperties	[HostCaaHistory]	none
matchedWildcardHosts	[string]	List of organization hosts that match wildcard domains in the certificate, if any.
ctLogs	[CertCtLog]	One entry for every observation of this certificate in CT logs. Excludes third-party CA certificates that have been imported to complete the certificate chain.

Enumerated Values

Property	Value
status	triage
status	open
status	closed
resolution	undetermined
resolution	reconciled
resolution	policyViolation
resolution	fraudulent

DiscoveryHostInfo

{
  "wildcard": false,
  "caa": {
    "records": [
      "string"
    ],
    "source": "string",
    "time": "2022-06-17T00:00:00Z",
    "allowed": true,
    "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
  }
}

Contains information about the host in the cert discovery

Properties

Name	Type	Description
wildcard	boolean	Indicates whether the host was matched using wildcard.
caa	DiscoveryCaaHostInfo	Contains information about the certificate authority authorization host in the cert discovery

DiscoveryCaaHostInfo

{
  "records": [
    "string"
  ],
  "source": "string",
  "time": "2022-06-17T00:00:00Z",
  "allowed": true,
  "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}

Contains information about the certificate authority authorization host in the cert discovery

Properties

Name	Type	Description
records	[string]	none
source	string	none
time	string(date-time)	none
allowed	boolean	none
error	string	none

HostCaaHistory

{
  "policyHostname": "string",
  "status": "present",
  "statusMessage": "string",
  "firstSeen": "2024-11-21T14:12:47.615Z",
  "lastSeen": "2024-11-21T14:12:47.615Z",
  "records": [
    "string"
  ]
}

Properties

Name	Type	Description
policyHostname	string	The hostname of the CAA policy.
status	string	The status of the CAA policy.
statusMessage	string	A message describing the status of the CAA policy.
firstSeen	string(date-time)	The date and time when the CAA policy was first seen.
lastSeen	string(date-time)	The date and time when the CAA policy was last seen.
records	[string]	A list of DNS records.

Enumerated Values

Property	Value
status	dnsError,
status	none,
status	present,

Certificate

{
  "shortId": "572908a",
  "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
  "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "issuerCa": "Let's Encrypt",
  "validation": "dv",
  "notBefore": "2024-11-21T14:12:47.616Z",
  "notAfter": "2024-11-21T14:12:47.616Z",
  "effectiveNotAfter": "2024-11-21T14:12:47.616Z",
  "revokedOn": "2024-11-21T14:12:47.616Z",
  "keyAlg": "EC",
  "keyLen": 256,
  "keyStrength": 128,
  "sigAlg": "ECDSAwithSHA256",
  "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
  "hosts": [
    "*.hardenize.com"
  ],
  "sanCount": 1,
  "caPathLen": -1,
  "wildcard": true,
  "selfSigned": false,
  "firstSeen": "2024-11-21T14:12:47.616Z",
  "lastSeen": "2024-11-21T14:12:47.616Z",
  "seenInstalled": true,
  "active": true,
  "precert": false,
  "duplicate": false,
  "managed": true,
  "ownership": "own",
  "label": "ssl760680.cloudflaressl.com",
  "matchesOrgHost": true,
  "symantecStatus": "symantecExcluded",
  "ctRequired": true,
  "ctCompliant": true,
  "ctLogs": [
    {
      "name": "rocketeer",
      "log": "ct.googleapis.com/rocketeer",
      "timestamp": 1533791245857,
      "index": 232455,
      "type": "cert",
      "sources": [
        "log",
        "tls"
      ]
    }
  ],
  "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
  "origin": "ct",
  "originTitle": "CT",
  "originInfo": {
    "net": {
      "host": "aspmx.l.google.com",
      "address": "2a00:1450:400c:c00:0:0:0:1b",
      "port": 25,
      "protocol": "smtp"
    }
  },
  "parentHashes": [
    "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
    "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
  ],
  "parentHashesSource": "ct",
  "parentHashesComplete": true,
  "analysis": {
    "id": "ITEM_DOMAIN_REGISTRATION",
    "name": "Domain Registration",
    "status": "good",
    "remarks": [
      {
        "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
        "title": "Nameserver is not operational",
        "content": "Good. The private key associated with this certificate is secure.",
        "severity": "good",
        "data": {
          "Name": "dns1.registrar-servers.com.",
          "Address": "2610:a1:1024::200",
          "Reverse name": "dns1.registrar-servers.com."
        }
      }
    ]
  },
  "matchedHosts": [
    "bonn-06.qlued.net",
    "www.bonn-06.qlued.net"
  ],
  "matchedWildcardHosts": [
    "bonn-06.qlued.net",
    "www.bonn-06.qlued.net"
  ],
  "thirdPartyHosts": [
    "hardenize.com"
  ],
  "deployments": {
    "hosts": [
      {
        "hostname": "string",
        "service": "dns",
        "serviceHostname": "string",
        "lastSeen": "2024-11-21T14:12:47.616Z"
      }
    ],
    "services": [
      {
        "hostname": "string",
        "address": "string",
        "port": 0,
        "asNumber": 0,
        "asName": "string",
        "cloudProvider": "string",
        "cloudRegion": "string",
        "lastSeen": "2024-11-21T14:12:47.616Z",
        "certs": [
          "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
          "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
        ]
      }
    ]
  },
  "lifetime": "PT17652H",
  "lifetimeDays": 736,
  "ku": [
    "keyEncipherment",
    "digitalSignature"
  ],
  "eku": [
    "serverAuth",
    "clientAuth"
  ],
  "mustStaple": true,
  "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
  "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
  "caIssuers": [
    "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
  ],
  "crl": [
    "http://crl3.digicert.com/sha2-ev-server-g2.crl",
    "http://crl4.digicert.com/sha2-ev-server-g2.crl"
  ],
  "ocsp": [
    "http://ocsp.digicert.com"
  ],
  "ctInfos": [
    {
      "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
      "timestamp": "2024-11-21T14:12:47.616Z",
      "name": "Google 'Xenon2024' log",
      "status": "Qualified"
    }
  ]
}

Contains information about one certificate.

Properties

Name	Type	Description
shortId	string	Short identifier for the certificate. This value is not unique.
sha256*	string	Hex-encoded SHA256 hash of the certificate in DER format.
tbsSha256	string	Hex-encoded SHA256 hash of the TBSCertificate structure. This value will be the same in the precertificate/certificate combo.
subject*	string	Subject distinguished name.
serial*	string	Hex-encoded serial number.
issuer*	string	Issuer distinguished name.
issuerCa	string	The name of the issuing CA, according to CCADB.
validation	string	Certificate validation type.
notBefore*	string(date-time)	ISO 8601 timestamp.
notAfter*	string(date-time)	ISO 8601 timestamp.
effectiveNotAfter*	string(date-time)	ISO 8601 timestamp. This fields contains the time after which the certificate cannot be used in practice. For example, certificates issued from the old Symantec PKI infrastructure have been deprecated and can no longer be used for web sites, even though they are still technically valid. Depending on the deprecation phase, Symantec certificates will have the effective dates of March 1, 2018 (phase one) or September 1, 2018 (phase 2).
revokedOn*	string(date-time)	Revocation timestamp, if available.
keyAlg*	string	Private key algorithm, for example RSA or EC.
keyLen*	integer	Private key length, for example 256 for an ECDSA key or 2048 for an RSA key.
keyStrength*	integer	Estimated private key strength in symmetric bits. For example, a 256-bit ECDSA key is thought to provide 128 bits of security, whereas a 2048-bit RSA key provides about 112.
sigAlg*	string	Certificate signature algorithm.
spkiSha256*	string	Hex-encoded SHA256 of the certificate's SPKI component.
hosts*	[string]	All hosts specified in the certificate's SAN extension, as Unicode. This list includes both hostnames and IP addresses. Wildcard hostnames will be on the list if they are in the certificate.
sanCount	integer	The number of hostnames in the SAN field of the certificate.
caPathLen*	integer	Indicates if this is a CA certificate. Leaf certificates will have -1 in this field, indicating that they cannot issue further certificates. CA certificates will have 0 or a positive number. CA certificates without path length limit will have 2,147,483,647.
wildcard*	boolean	Set to true if at least one of the allowed hosts is a wildcard.
selfSigned*	boolean	Set to true if this is a self-signed certificate.
firstSeen*	string(date-time)	The first time this certificate was seen, which could be a variety of sources for example, CT, manual upload, or installed on a server.
lastSeen*	string(date-time)	The last time this certificate was seen installed on a server.
seenInstalled*	boolean	Indicates if this certificate has been seen installed on a server.
active*	boolean	Indicates if this certificate has been seen installed recently.
precert*	boolean	Indicates if the returned certificate is, in fact, a precertificate.
duplicate*	boolean	Set to true on a precertificate for which the certificate is known.
managed*	boolean	Indicates if this certificate is managed, i.e. provided by a third-party service that will also automatically renew the certificate when it becomes due.
ownership*	string	Indicates if this certificate belongs to the organisation, which means that it is served from one of the organization's properties. Do note that, in the case of certificate name mismatch, someone else's certificate may be considered as own. In that case, the matchesOrgHost field will be set to false.
label	string	The label is a human-readable string that can be used to identify the certificate.
matchesOrgHost*	boolean	Indicates if at least one of the host listed in the certificates matches a hosts that belongs to the organisation.
symantecStatus	string	Indicates if this certificate was issued from Symantec's PKI infrastructure. This field is not set when it's not necessary, as absence of value indicates that the certificate did not come from Symantec. This field is also never set on CA intermediates and roots.
ctRequired	boolean	Indicates whether certificate is required to be logged to CT for use on public sites. This is a requirement for all certificates issued from May 2018 onwards, as well for some earlier Symantec certificates.
ctCompliant	boolean	Indicates whether certificate embeds sufficient SCTs to satisfy CT policies of major platforms.
ctLogs*	[CertCtLog]	One entry for every observation of this certificate in CT logs. Excludes third-party CA certificates that have been imported to complete the certificate chain.
pem*	string	Base64-encoded certificate in DER format.
origin*	string	Indication of where this certificate came from. This field will contain ct if the certificate was found via real-time monitoring of Certificate Transparency logs, hdb if we imported it from our historical certificate database, net if the certificate was found installed on the network, or manual if the certificate was provided to us (e.g., if it was uploaded via the API).
originTitle	string	Human readable version of the origin enum value
originInfo	OriginInfo	Further information about the origin. For example, if the origin is cert, then this field will identify the actual certificate.
parentHashes	[string]	Contains the SHA256 fingerprints of parent certificates, if they are known. We currently populate this field only using the information obtained from CT log entries. When the object is a precertificate, the parent hashes may include a special precertificate signer CA certificate.
parentHashesSource	string	Indicates the source of the parent hashes provided in the parentHashes field. If the field contains ct, that means that the parent hashes are exactly as seen in CT. CT entries are not guaranteed to include the root; if we're able to find the right root, we'll use the value ctPlusRoot to indicate that the bulk of the chain is from CT, but that we appended a root to it. The value hardenize is reserved for future use, when we implement path building to identify the hashes for certificates only seen online (and not in CT).
parentHashesComplete	boolean	True if the parent hashes are available and form a complete chain, false if parent hashes are available but the chain is not complete. This field is not available when parent hashes are not available.
analysis	ReportCardItem	Describes the item in each report card section.
matchedHosts	[string]	none
matchedWildcardHosts	[string]	none
thirdPartyHosts	[string]	none
deployments	Deployment	none
lifetime	string	Contains the ISO-8601 formatted duration of the validity of the certificate
lifetimeDays	integer	Contains the number of days the certificate is valid.
ku	[string]	Key Usage extension values.
eku	[string]	Extended Key Usage extension values.
mustStaple	boolean	Indicates whether the certificate must support OCSP Stapling.
aki	string	Authority Key Identifier extension value.
ski	string	Subject Key Identifier extension value.
caIssuers	[string]	List of URLs where the certificate issuer's CA certificates can be obtained.
crl	[string]	List of URLs where the Certificate Revocation Lists (CRLs) for the certificate can be obtained.
ocsp	[string]	List of URLs where the OCSP responses for the certificate can be obtained.
ctInfos	[CtInfo]	none

Enumerated Values

Property	Value
validation	dv
validation	ev
validation	iv
validation	ov
validation	s
validation	u
validation	na
sigAlg	RSAwithMD2
sigAlg	RSAwithMD5
sigAlg	RSAwithSHA1
sigAlg	RSAwithSHA256
sigAlg	RSAwithSHA384
sigAlg	RSAwithSHA512
sigAlg	RSAPSS
sigAlg	DSAwithSHA1
sigAlg	DSAwithSHA256
sigAlg	ECDSAwithSHA1
sigAlg	ECDSAwithSHA256
sigAlg	ECDSAwithSHA384
sigAlg	ECDSAwithSHA512
ownership	own
ownership	thirdParty
symantecStatus	phaseOneAffected
symantecStatus	phaseOneNotAffected
symantecStatus	phaseTwoAffected
symantecStatus	phaseTwoNotAffected
symantecStatus	symantecExcluded
origin	ct
origin	hdb
origin	manual
origin	net
parentHashesSource	ct
parentHashesSource	ctPlusRoot
parentHashesSource	hardenize

CertExtras

{
  "status": "ok",
  "certsDueDays": 60,
  "certsOverdueDays": 13,
  "certsCriticalDays": 4,
  "certsLabels": "managed"
}

Properties

Name	Type	Description
status	string	none
certsDueDays	integer	When certificates become due. Certificates that expire in fewer days
certsOverdueDays	integer	When certificates become overdue. Certificates not renewed by this time are considered overdue
certsCriticalDays	integer	When certificates become critical. Certificates not replaced by this time are considered critical
certsLabels	any	List of certificate labels, indicating the type and management source of each certificate.

Enumerated Values

Property	Value
status	ok
status	warning
status	error
status	neutral
certsLabels	precert
certsLabels	managed
certsLabels	thirdParty
certsLabels	thirdPartyOwnHost
certsLabels	intermediate
certsLabels	root
certsLabels	selfSigned

CtInfo

{
  "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
  "timestamp": "2024-11-21T14:12:47.618Z",
  "name": "Google 'Xenon2024' log",
  "status": "Qualified"
}

Properties

Name	Type	Description
id	string	This field contains a HEX encoded SHA256 value of the unique identifier for the CT log server that created the Signed Certificate Timestamp
timestamp	string(date-time)	ISO 8601 timestamp. This field contains the timestamp indicating when the SCT was created. The timestamp is typically represented in milliseconds since the Unix epoch (January 1, 1970, 00:00:00 UTC)
name	string	A human-readable description of the CT log
status	string	The status of the CT log

Deployment

{
  "hosts": [
    {
      "hostname": "string",
      "service": "dns",
      "serviceHostname": "string",
      "lastSeen": "2024-11-21T14:12:47.618Z"
    }
  ],
  "services": [
    {
      "hostname": "string",
      "address": "string",
      "port": 0,
      "asNumber": 0,
      "asName": "string",
      "cloudProvider": "string",
      "cloudRegion": "string",
      "lastSeen": "2024-11-21T14:12:47.618Z",
      "certs": [
        "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
        "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
      ]
    }
  ]
}

Properties

Name	Type	Description
hosts	[HostData]	none
services	[ServiceData]	none

HostService

{
  "hosts": [
    {
      "hostname": "string",
      "service": "dns",
      "serviceHostname": "string",
      "lastSeen": "2024-11-21T14:12:47.619Z"
    }
  ],
  "services": [
    {
      "hostname": "string",
      "address": "string",
      "port": 0,
      "asNumber": 0,
      "asName": "string",
      "cloudProvider": "string",
      "cloudRegion": "string",
      "lastSeen": "2024-11-21T14:12:47.619Z",
      "certs": [
        "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
        "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
      ]
    }
  ],
  "certificates": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-11-21T14:12:47.619Z",
      "notAfter": "2024-11-21T14:12:47.619Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.619Z",
      "revokedOn": "2024-11-21T14:12:47.619Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed"
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ],
  "extras": {
    "hostname": "🔥.hardenize.com",
    "punyHostname": "xn--4v8h.hardenize.com",
    "createdOn": "2024-11-21T14:12:47.619Z",
    "status": "archived",
    "axfr": "enabled",
    "axfrHost": "stealth.ns.example.com",
    "axfrTsig": {
      "algorithm": "HMAC_MD5",
      "name": "thename"
    },
    "lastAxfrTime": "2024-11-21T14:12:47.619Z",
    "axfrError": "string",
    "lastAxfrErrorTime": "2024-11-21T14:12:47.619Z",
    "lastRegLookupTime": "2024-11-21T14:12:47.619Z",
    "origin": "hdb",
    "originTitle": "HDB",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "nx": true,
    "nxTime": "2024-11-21T14:12:47.619Z",
    "regRegistry": true,
    "regPublic": true,
    "regNx": false,
    "regNxTime": "2024-11-21T14:12:47.619Z",
    "lastAssessmentTime": "2024-11-21T14:12:47.619Z",
    "assessmentError": "Host not found",
    "lastAssessmentAttemptTime": "2024-11-21T14:12:47.619Z",
    "groups": [
      "mygroup"
    ],
    "tags": [
      "production"
    ],
    "domainRegistrant": "string",
    "domainRegistrarName": "string",
    "domainStatuses": [
      "string"
    ],
    "domainCreationTime": "2024-11-21T14:12:47.619Z",
    "domainExpireTime": "2024-11-21T14:12:47.619Z",
    "domainRegistryLock": false,
    "domainRegistrarLock": false,
    "domainLookupStatus": "string",
    "config": {},
    "classificationStatus": "active",
    "classificationTags": [
      "signin"
    ]
  }
}

Properties

Name	Type	Description
hosts	[HostData]	none
services	[ServiceData]	none
certificates	[CertificateSummary]	[Contains summary information about one certificate. ]
extras	Host	The Host object represents one of your hosts that resides in our database.

HostData

{
  "hostname": "string",
  "service": "dns",
  "serviceHostname": "string",
  "lastSeen": "2024-11-21T14:12:47.620Z"
}

Properties

Name	Type	Description
hostname	string	none
service	string	none
serviceHostname	string	none
lastSeen	string(date-time)	none

Enumerated Values

Property	Value
service	dns
service	ftp
service	html
service	http
service	https
service	imap
service	ldap
service	mongodb
service	mysql
service	nntp
service	other
service	pop3
service	postgres
service	rdp
service	redis
service	sip
service	smtp
service	ssh
service	telnet
service	tls
service	xmpp

ServiceData

{
  "hostname": "string",
  "address": "string",
  "port": 0,
  "asNumber": 0,
  "asName": "string",
  "cloudProvider": "string",
  "cloudRegion": "string",
  "lastSeen": "2024-11-21T14:12:47.620Z",
  "certs": [
    "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
    "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
  ]
}

Properties

Name	Type	Description
hostname	string	none
address	string	none
port	integer	none
asNumber	integer	none
asName	string	none
cloudProvider	string	none
cloudRegion	string	none
lastSeen	string(date-time)	none
certs	[string]	none

CertificateSummaryResponse

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-11-21T14:12:47.620Z",
      "notAfter": "2024-11-21T14:12:47.620Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.620Z",
      "revokedOn": "2024-11-21T14:12:47.620Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed"
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ]
}

Contains information about summaries of certificates.

Properties

Name	Type	Description
certs	[CertificateSummary]	List of certificate summaries

CertificateSummary

{
  "shortId": "572908a",
  "label": "ssl760680.cloudflaressl.com",
  "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "issuerCa": "Let's Encrypt",
  "ownership": "own",
  "notBefore": "2024-11-21T14:12:47.621Z",
  "notAfter": "2024-11-21T14:12:47.621Z",
  "effectiveNotAfter": "2024-11-21T14:12:47.621Z",
  "revokedOn": "2024-11-21T14:12:47.621Z",
  "hosts": [
    "bonn-06.qlued.net",
    "www.bonn-06.qlued.net"
  ],
  "extras": {
    "status": "ok",
    "certsDueDays": 60,
    "certsOverdueDays": 13,
    "certsCriticalDays": 4,
    "certsLabels": "managed"
  },
  "active": true,
  "caPathLen": -1,
  "nameDigestNewer": true
}

Contains summary information about one certificate.

Properties

Name	Type	Description
shortId	string	Short identifier for the certificate. This value is not unique. It is used in the Hardenize UI to refer to the certificate.
label	string	The label is a human-readable string that can be used to identify the certificate.
sha256*	string	Hex-encoded SHA256 hash of the certificate in DER format.
subject*	string	Subject distinguished name.
serial*	string	Hex-encoded serial number.
issuer*	string	Issuer distinguished name.
issuerCa	string	The name of the issuing CA, according to CCADB.
ownership	string	Indicates if this certificate belongs to the organisation, which means that it is served from one of the organization's properties. Do note that, in the case of certificate name mismatch, someone else's certificate may be considered as own. In that case, the matchesOrgHost field will be set to false.
notBefore*	string(date-time)	The date+time before which the certificate is not valid
notAfter*	string(date-time)	The date+time after which the certificate is not valid.
effectiveNotAfter*	string(date-time)	ISO 8601 timestamp. This fields contains the time after which the certificate cannot be used in practice. For example, certificates issued from the old Symantec PKI infrastructure have been deprecated and can no longer be used for web sites, even though they are still technically valid. Depending on the deprecation phase, Symantec certificates will have the effective dates of March 1, 2018 (phase one) or September 1, 2018 (phase 2).
revokedOn*	string(date-time)	Revocation timestamp, if available.
hosts*	[string]	All hosts specified in the certificate's SAN extension, as Unicode. This list includes both hostnames and IP addresses. Wildcard hostnames will be on the list if they are in the certificate.
extras	CertExtras	none
active	boolean	True if the certificate has been seen installed recently.
caPathLen	integer	Indicates if the certificate is a leaf or a CA certificate. Leaves will have this value set to -1, CA certificates will have a 0 or some other non-zero value.
nameDigestNewer	boolean	True if a certificate with the same set of names but a later effective_not_after has been seen.

Enumerated Values

Property	Value
ownership	own
ownership	thirdParty

ExpiringEndpointsResponse

{
  "expiringEndpoints": [
    {
      "hostname": "example.net",
      "serviceHostname": "service.example.com",
      "serviceDomain": "example.com",
      "serviceAddress": "127.0.0.1",
      "servicePort": 443,
      "certNotAfter": "2024-11-21T14:12:47.621Z",
      "certEffectiveNotAfter": "2024-11-21T14:12:47.621Z",
      "serviceLastSeen": "2024-11-21T14:12:47.621Z",
      "certShortId": "572908a",
      "certSha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "certDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "certSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "certIssuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "certIssuerCa": "Let's Encrypt",
      "certSan": "*.hardenize.com",
      "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
      "asNumber": "12345",
      "hostClassificationStatus": "active",
      "hostClassificationTags": [
        [
          "signin"
        ]
      ]
    }
  ],
  "extras": {
    "certsDueDays": 0,
    "certsOverdueDays": 0,
    "certsCriticalDays": 0
  }
}

Contains information about expiring endpoints.

Properties

Name	Type	Description
expiringEndpoints	[ExpiringEndpoint]	List of certificate summaries
extras	CertStatsExtras	none

ExpiringEndpoint

{
  "hostname": "example.net",
  "serviceHostname": "service.example.com",
  "serviceDomain": "example.com",
  "serviceAddress": "127.0.0.1",
  "servicePort": 443,
  "certNotAfter": "2024-11-21T14:12:47.622Z",
  "certEffectiveNotAfter": "2024-11-21T14:12:47.622Z",
  "serviceLastSeen": "2024-11-21T14:12:47.622Z",
  "certShortId": "572908a",
  "certSha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "certDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "certSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "certIssuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "certIssuerCa": "Let's Encrypt",
  "certSan": "*.hardenize.com",
  "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
  "asNumber": "12345",
  "hostClassificationStatus": "active",
  "hostClassificationTags": [
    [
      "signin"
    ]
  ]
}

Contains summary information about one expiring endpoint.

Properties

Name	Type	Description
hostname	string	The name of the host.
serviceHostname	string	The hostname of the service associated with the endpoint.
serviceDomain	string	The domain of the service associated with the endpoint.
serviceAddress	string	The IP address of service associated with the endpoint.
servicePort	integer	port number.
certNotAfter	string(date-time)	ISO 8601 timestamp indicating when the certificate for the endpoint expires.
certEffectiveNotAfter	string(date-time)	ISO 8601 timestamp indicating when the certificate for the endpoint expires.
serviceLastSeen	string(date-time)	ISO 8601 timestamp indicating when the service was last seen.
certShortId	string	First 7 characters of a hex-encoded SHA256 hash of the certificate in DER format.
certSha256	string	Hex-encoded SHA256 hash of the certificate in DER format.
certDn	string	Distinguished name of the endpoint's certificate.
certSerial	string	Hex-encoded serial number of the endpoint's certificate.
certIssuer	string	Issuer distinguished name.
certIssuerCa	string	The name of the issuing CA, according to CCADB.
certSan	string	All hosts specified in the endpoint's certificate's SAN extension, as Unicode.
asName	string	The name of the Autonomous System (AS).
asNumber	string	The number of the Autonomous System (AS).
hostClassificationStatus	string	Represents the status of content classification
hostClassificationTags	[string]	A list of content classification tags

Enumerated Values

Property	Value
hostClassificationStatus	active
hostClassificationStatus	inactive
hostClassificationStatus	parked

CertCtLog

{
  "name": "rocketeer",
  "log": "ct.googleapis.com/rocketeer",
  "timestamp": 1533791245857,
  "index": 232455,
  "type": "cert",
  "sources": [
    "log",
    "tls"
  ]
}

Properties

Name	Type	Description
name	string	The name is formed from the log field extracting the string after the last '/' or the same string if no '/' characters are present in the string
log*	string	CT log URL, with scheme omitted.
timestamp*	integer(int64)	Milliseconds since January 1, 1970, excluding leap seconds, per CT RFC.
index	integer(int64)	This certificate's index in the referenced CT log. This field is available only when the matching objects are observed directly in CT logs.
type*	string	Indicates whether a CT log entry belongs to a certificate or precertificate. Normally, precertificate objects will include only precertificate CT log entries. However, certificate objects can include entries of either type. For example, if a certificate has been logged to CT via a precertificate, it will typically include CT log entries pertaining to both the precertificate as well as its own subsequent appearance in the CT logs.
sources*	[string]	Hardenize collects CT information from multiple sources. This set indicates all the places where we've collected the information we have on a certificate.

Enumerated Values

Property	Value
type	cert
type	precert

CtLogsResponse

{
  "ctLogs": [
    {
      "name": "Cloudflare 'Nimbus2023' Log",
      "url": "ct.cloudflare.com/logs/nimbus2023",
      "mmd": 86400,
      "lastIndex": 94000,
      "lastTimestamp": "2024-11-21T14:12:47.622Z"
    }
  ]
}

Properties

Name	Type	Description
ctLogs	[CtLog]	List of CT log objects

CtLog

{
  "name": "Cloudflare 'Nimbus2023' Log",
  "url": "ct.cloudflare.com/logs/nimbus2023",
  "mmd": 86400,
  "lastIndex": 94000,
  "lastTimestamp": "2024-11-21T14:12:47.623Z"
}

Properties

Name	Type	Description
name	string	The description of the log entry
url	string	The network endpoint
mmd	integer	The maximum merge delay value
lastIndex	integer	The last directly observed index in this log, if available
lastTimestamp	string(date-time)	ISO 8601 timestamp of the last observed index, if available

CreateIntegrationRequest

{
  "type": "aws",
  "name": "My Test Integration",
  "ref": "123456789012",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "string"
  }
}

This object should contain all the information required to create a new integration in your account. Some of the information is generic and used for all integration types. Integration-specific information should be placed in the config field, whilst ensuring the the provided data matches the integration type.

Properties

Name	Type	Description
type*	string	Integration type that indicates which integration is being created.
name*	string	Name to assign to integration. Must be unique.
ref	string	Integration reference; this is an optional utility field intended to carry information that uniquely identifies the account we're connecting to.
tags	[string]	A list of tags. Tags are added to resources fetched from your configured integration and propagated to hosts. Tag names can use only letters and digits.
enabled*	boolean	Whether or not the integration should be enabled immediately.
config*	any	Integration-specific configuration parameters, matching the selected integration as specified in the type parameter.

oneOf

Name	Type	Description
» anonymous	CreateAwsIntegrationConfig	AWS integration parameters.

xor

Name	Type	Description
» anonymous	CreateAzureIntegrationConfig	Azure integration parameters.

xor

Name	Type	Description
» anonymous	CreateCloudflareIntegrationConfig	Cloudflare integration parameters. Supply either "apiKey" for recommended auth, or "email" and "authKey" for legacy auth.

xor

Name	Type	Description
» anonymous	CreateCscIntegrationConfig	CSC integration parameters.

xor

Name	Type	Description
» anonymous	CreateDigiCertIntegrationConfig	DigiCert CertCentral integration parameters. Please ensure that the provided API key is configured as read-only. Keys that are configured for write operations will not be accepted.

xor

Name	Type	Description
» anonymous	CreateGcpIntegrationConfig	GCP integration parameters.

xor

Name	Type	Description
» anonymous	CreateMarkMonitorIntegrationConfig	MarkMonitor integration parameters.

xor

Name	Type	Description
» anonymous	CreateNs1IntegrationConfig	NS1 integration parameters.

xor

Name	Type	Description
» anonymous	CreateSafenamesIntegrationConfig	Safenames integration parameters.

Enumerated Values

Property	Value
type	aws
type	azure
type	cloudflare
type	csc
type	digicert
type	gcp
type	markmonitor
type	ns1
type	safenames

AwsIntegrationConfig

{
  "accountId": "string"
}

AWS integration parameters.

Properties

Name	Type	Description
accountId*	string	AWS account ID.

CreateAwsIntegrationConfig

{
  "accountId": "string"
}

AWS integration parameters.

Properties

Name	Type	Description
accountId*	string	AWS account ID.

AzureIntegrationConfig

{
  "clientId": "a85f9541-6472-054d-af7b-802663282441",
  "tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43"
}

Azure integration parameters. Although we require the Azure secret token initially, to create an integration, we do not provide it via this API afterwards.

Properties

Name	Type	Description
clientId*	string	Azure client identifier.
tenantId*	string	Azure tenant identifier.

CreateAzureIntegrationConfig

{
  "clientId": "a85f9541-6472-054d-af7b-802663282441",
  "tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43",
  "secret": "2q4xUYw/rTp3qoJ9x=pP.KXwUq?mnPO/"
}

Azure integration parameters.

Properties

Name	Type	Description
clientId*	string	Azure client identifier.
tenantId*	string	Azure tenant identifier.
secret*	string	Azure secret token.

DigiCertIntegrationConfig

{}

DigiCert CertCentral integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

Properties

None

CreateDigiCertIntegrationConfig

{
  "apiKey": "52YEKYDT7FARJTGWCN5B7K7YNME3APZOMP4X"
}

DigiCert CertCentral integration parameters. Please ensure that the provided API key is configured as read-only. Keys that are configured for write operations will not be accepted.

Properties

Name	Type	Description
apiKey*	string	none

GcpIntegrationConfig

{
  "project": "green-lantern-324920"
}

GCP integration parameters.

Properties

Name	Type	Description
project*	string	The GCP project name

CreateGcpIntegrationConfig

{
  "project": "green-lantern-324920"
}

GCP integration parameters.

Properties

Name	Type	Description
project*	string	The GCP project name

CloudflareIntegrationConfig

{}

Cloudflare integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

Properties

None

CreateCloudflareIntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu",
  "authKey": "27761d57fd9035185dfc45eb1275ecacd",
  "email": "postmaster@example.com"
}

Cloudflare integration parameters. Supply either "apiKey" for recommended auth, or "email" and "authKey" for legacy auth.

Properties

Name	Type	Description
apiKey	string	none
authKey	string	none
email	string	none

CscIntegrationConfig

{}

CSC integration parameters. Although we require the API key and bearer token initially, to create an integration, we do not provide them via this API afterwards.

Properties

None

CreateCscIntegrationConfig

{
  "apiKey": "23g78h23rgheriuh2r8h2rg8h2rgiuh23g",
  "bearerToken": "483fabc7-1234-4321-f12f-f48a8de8f3cf"
}

CSC integration parameters.

Properties

Name	Type	Description
apiKey*	string	none
bearerToken*	string	none

Ns1IntegrationConfig

{}

NS1 integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

Properties

None

CreateNs1IntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu"
}

NS1 integration parameters.

Properties

Name	Type	Description
apiKey*	string	none

MarkMonitorIntegrationConfig

{
  "username": "user"
}

MarkMonitor integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

Properties

Name	Type	Description
username*	string	The MarkMonitor api username

CreateMarkMonitorIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

MarkMonitor integration parameters.

Properties

Name	Type	Description
username*	string	none
password*	string	none

SafenamesIntegrationConfig

{
  "username": "user"
}

Safenames integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

Properties

Name	Type	Description
username*	string	The Safenames username

CreateSafenamesIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

Safenames integration parameters.

Properties

Name	Type	Description
username*	string	none
password*	string	none

CreateIntegrationResponse

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-11-21T14:12:47.625Z",
    "nextRunTime": "2024-11-21T14:12:47.625Z",
    "lastRunTime": "2024-11-21T14:12:47.625Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Properties

Name	Type	Description
integration*	Integration	Represents a third-party integration.

CreateHostsRequest

{
  "hostnames": [
    "example.com"
  ],
  "status": "monitored",
  "axfr": "auto",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "name": "thename",
    "algorithm": "HMAC_MD5",
    "key": "base64key="
  },
  "groups": [
    "production"
  ]
}

Properties

Name	Type	Description
hostnames*	[string]	List of hosts to create. Each host in this array must be a valid registrable domain (according to the Public Suffix List) or a subdomain of a registrable domain.
status	string	Desired host status. If the status is not specified, the initial status is determined based on the account's default status for new hosts as well as the status of parent hosts (depending on the configuration).
axfr	string	If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to auto which is a setting that is reserved for a future expansion and currently has the same meaning as disabled. To enable zone transfers, change the value of this field to enabled. For more information about how zone transfers are made, refer to the Request zone transfer endpoint.
axfrHost	string	Instead of doing AXFRs from the primary nameserver as per the zone's SOA record, use this hostname or IP address instead.
axfrTsig	CreateHostsRequestAxfrTsig	none
groups	[string]	List of groups to which the new hosts should be added. If the account is configured to inherit group membership from parent hosts, those groups are added in addition to the ones explicitly specified here.

Enumerated Values

Property	Value
status	monitored
status	idle
status	archived
axfr	auto
axfr	enabled
axfr	disabled

CreateHostsRequestAxfrTsig

{
  "name": "thename",
  "algorithm": "HMAC_MD5",
  "key": "base64key="
}

Properties

Name	Type	Description
name*	string	TSIG key name.
algorithm*	string	TSIG algorithm.
key*	string	TSIG key, Base64-encoded.

Enumerated Values

Property	Value
algorithm	HMAC_MD5
algorithm	HMAC_SHA1
algorithm	HMAC_SHA224
algorithm	HMAC_SHA256
algorithm	HMAC_SHA384
algorithm	HMAC_SHA512

CreateHostDiscoveryKeywordRequest

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

A keyword used for host discovery.

Properties

Name	Type	Description
keyword*	string	The text to match with. Must consist of only lowercase letters, digits, and dashes. Periods can also be used, but only when keyword is matched across DNS labels. To avoid too many matches, we require that keywords have at least 5 characters, and up to 32.
enabled*	boolean	Indicates if the keyword is currently active.
matchScope*	string	Determines if the keyword will match domains and subdomains (all) or only domains.
matchPosition*	string	Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant.
matchExact*	boolean	If set, enables exact matching.
matchFuzzy*	boolean	If set, enables fuzzy matching.
matchConfusables*	boolean	If set, enables matching of confusable characters and homographes.
exclusions*	[string]	Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored.

Enumerated Values

Property	Value
matchScope	all
matchScope	domains
matchPosition	anywhere
matchPosition	label
matchPosition	labelStart
matchPosition	labelEnd
matchPosition	labelStartOrEnd

CreateHostDiscoveryKeywordResponse

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name	Type	Description
hostDiscoveryKeyword*	HostDiscoveryKeyword	A keyword used for host discovery.

CreateHostDiscoveryNameserverRequest

{
  "hostnames": [
    "ns1.example.com"
  ]
}

Properties

Name	Type	Description
hostnames*	[string]	none

UpdateHostDiscoveryNameserverRequest

{
  "enabled": true
}

Properties

Name	Type	Description
enabled	boolean	Controls whether a nameserver is actively monitored. A nameserver could be disabled if it's responsible for too many matches, which usually indicates a misconfigured. Alternatively, a nameserver may be disabled if it no longer matches any of the organization's domains.

CreateHostDiscoveryNameserverResponse

{
  "hostDiscoveryKeyword": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name	Type	Description
hostDiscoveryKeyword*	HostDiscoveryNameserver	A keyword used for host discovery.

DiscoveryHostReportRequest

{
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
limit	integer	If set, returns only up to the specified number of host discoveries.
format	string	If set, returns host discoveries in the format specified. Default: JSON

Enumerated Values

Property	Value
format	json
format	csv
format	xlsx

DiscoveryHostReportResponse

{
  "discoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2024-11-21T14:12:47.627Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2024-11-21T14:12:47.627Z"
    }
  ]
}

Properties

Name	Type	Description
discoveries	[HostDiscovery]	[This object represents our discovery of a host which might be relevant to your organization.]

CreateCertResponse

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-11-21T14:12:47.628Z",
    "notAfter": "2024-11-21T14:12:47.628Z",
    "effectiveNotAfter": "2024-11-21T14:12:47.628Z",
    "revokedOn": "2024-11-21T14:12:47.628Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-11-21T14:12:47.628Z",
    "lastSeen": "2024-11-21T14:12:47.628Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-11-21T14:12:47.628Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-11-21T14:12:47.628Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ]
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-11-21T14:12:47.628Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  }
}

Properties

Name	Type	Description
cert	Certificate	Contains information about one certificate.

CreateEventHookRequest

{
  "hookType": "webhook",
  "eventTypes": [
    "ct.entry"
  ],
  "status": "enabled",
  "destination": "https://hardenize.com/webhooks/receive"
}

Properties

Name	Type	Description
hookType*	string	Desired event hook type.
eventTypes*	[string]	A list of event types to send to this event hook.
status	string	Initial status for this hook. Default: disabled.
destination*	string	Event hook destination; for webhooks, this must be an HTTPS URL. For deliveries via PubSub, you must supply here a valid destination obtained via the List Event Destinations API endpoint.

Enumerated Values

Property	Value
hookType	pubsub
hookType	webhook

CreateEventHookResponse

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Properties

Name	Type	Description
eventHook*	EventHook	Event hook objects contain information pertaining to a destination to which events are delivered (pushed).

CreateNetworkRangeRequest

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "range": "192.168.1.0/24",
  "scan": true,
  "tags": [
    "production"
  ]
}

Properties

None

CreateOrgRequest

{
  "id": "7f070931-0cfb-41cb-bb05-98a792d238b1",
  "name": "Hardenize",
  "label": "hardenize",
  "status": "active",
  "certLimitHard": 1000,
  "commercialStatus": "internal",
  "generateApiCredentials": true,
  "hostDiscoveryAutoimportSubdomains": false,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": 1000,
  "featureHostDiscovery": false,
  "featureMfa": false,
  "featureSaml": false
}

Properties

Name	Type	Description
id*	string	Unique ID that should be used to refer to the new organization. This value should be unique across all organizations that belong to the same parent. The syntax must match that of a DNS host label, using only lowercase characters. This field can be set, but cannot be updated.
name	string	Organization name is typically what will be shown in administrative user interfaces. If not provided in the request, the the id parameter will be used as the default value.
label	string	Organization label is a user-friendly identifier and also has to be unique across the organizations belonging to the same parent. Labels are shown in the application UI and URLs. This field is optional; if it is not provided, the id parameter will be used instead. This field can be set, but cannot be updated.
status	string	The initial status the organization should have. Default: active.
certLimitHard	integer	Hard limit on the number of certificates in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit.
commercialStatus	string	The initial commercial status for the new organization. Default: internal.
generateApiCredentials	boolean	If set, creates new master API credentials for the organization. The generated password must be stored by the caller, otherwise it will be lost. Default: false.
hostDiscoveryAutoimportSubdomains	boolean	If set, newly discovered host that are subdomain of known hosts will be automatically added to the host inventory. Requires featureHostDiscovery to be enabled. Default: false.
hostDiscoveryExcludeSuffixes	[string]	If provided, this field is a list of domain suffixes that should be ignored during discovery.
hostDiscoveryEnabled	boolean	Indicates if host discovery is enabled.
hostDiscoveryLimitHard	integer	Hard limit on the number of host discoveries in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit.
hostLimitHard	integer	Hard limit on the number of hosts in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit.
featureHostDiscovery	boolean	If set, enables the host discovery feature. The feature must be available in the parent organization. Default: false.
featureMfa	boolean	If set, enables multi-factor authentication (MFA). The feature must be available in the parent organization. Default: false
featureSaml	boolean	If set, enables SAML. The feature must be available in the parent organization. Default: false

Enumerated Values

Property	Value
status	active
status	dormant
status	suspended
status	deleted
commercialStatus	free
commercialStatus	internal
commercialStatus	paying
commercialStatus	trial

CreateOrgResponse

{
  "org": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Properties

Name	Type	Description
org*	Organization	none

CreateGroupRequest

{
  "name": "Production",
  "auto": true,
  "tags": [
    "production"
  ]
}

Properties

Name	Type	Description
name*	string	Display name, typically used for human interaction. Groups also have an identifier, which we automatically generate from the names. Group identifiers and names must be unique, after whitespace is trimmed and text converted to lowercase.
auto	boolean	Indicates if this group is an auto-group, meaning that hosts are added to it and removed from based on whether they have matching tags. Hosts added to a group if they have at least one matching tag. Hosts are removed from a group if they have no matching tags.
tags	[string]	Tags associated with this group. Auto-groups only.

UpdateGroupRequest

{
  "tags": [
    "production"
  ]
}

Properties

Name	Type	Description
tags	[string]	Tags associated with this group. Auto-tags only.

CreateGroupResponse

{
  "group": {
    "id": "production",
    "name": "Production",
    "auto": true,
    "tags": [
      "production"
    ]
  }
}

Properties

Name	Type	Description
group*	Group	The Group object represents one account group.

CreateSearchRequest

{
  "index": "network",
  "query": "pki.certs.sha256:f7e960995532d54a845f70e9f3430fccda1f7f3925f874ab50e8105777764d74",
  "limit": 10,
  "columns": [
    "hostname",
    "address",
    "port"
  ]
}

Encapsulates parameters required to submit a search. At minimum, provide the index and query fields. If you wish to get the data back in CSV format, supply the desired field names in the columns field. To know what field names are available, it's usually best to examine the JSON output of a limited number of results, then re-run the query to get CSV output.

Properties

Name	Type	Description
index*	string	The index against which the supplied query will be executed.
query*	string	The desired query, using the Elasticsearch query language.
limit	integer	When provided, the output will be limited to the requested number of results. This parameter can be useful when you're experimenting with a complex query and don't wish to incur the overhead of fetching, downloading, and processing the entire result set. Default: no limit.
columns	[string]	When this field is provided in the requests, search results will be provided in CSV format with the fields as specified.

Enumerated Values

Property	Value
index	certificates
index	network

CreateTlsCheckRequest

{
  "host": "hardenize.com",
  "port": 443,
  "location": "london",
  "resolverStrategy": "all"
}

TLS check parameters.

Properties

Name	Type	Description
host*	string	Endpoint hostname, which must be one of the names in the asset inventory. IP addresses are currently not supported.
port*	integer	Endpoint port, for example 443.
location*	string	Location from which the check should be performed.
resolverStrategy	string	DNS resolver strategy to use to convert hostname to IP addresses for testing. Default: all.

Enumerated Values

Property	Value
resolverStrategy	all
resolverStrategy	all4
resolverStrategy	all6
resolverStrategy	one4
resolverStrategy	one46
resolverStrategy	one6
resolverStrategy	one64

DeleteHostsRequest

{
  "hostnames": [
    "example.com"
  ],
  "subdomains": true,
  "preview": true
}

Properties

Name	Type	Description
hostnames*	[string]	List of hosts to delete.
subdomains	boolean	If set, indicates that the operation should apply to all the subdomains of the specified hosts. Default: false
preview	boolean	If set, this parameter enables preview mode, which means that no hosts will be deleted. Instead, the response will include the list of hosts that would have been deleted. Default: false.

DeleteHostsResponse

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Properties

Name	Type	Description
hostnames*	[string]	List of hosts that have been deleted (or would have been deleted, in preview mode).
preview*	boolean	Indicates if the action was executed or only previewed.

Event

{
  "id": 10001,
  "type": "ct",
  "createdOn": "2024-11-21T14:12:47.632Z",
  "apiVersion": "0.14.0",
  "data": {
    "field": "value"
  }
}

Event objects are created in response to various things of interest that happen in your account. They are designed to be a generic storage and retrieval system that can carry arbitrary embedded objects, which are encoded in JSON format. The type fields is used as indicator as to which embedded object is stored in the data field. We also record the version of the API at the time the data object was created. Should there be differences in the format, you can use the apiVersion field to determine exactly how the data should be handled.

Properties

Name	Type	Description
id*	integer	none
type*	string	none
createdOn*	string(date-time)	none
apiVersion*	string	none
data*	string	none

EventDestination

{
  "destinationId": "pubsub://events/1/1005",
  "type": "pubsub",
  "project": "hz-events-pubsub",
  "topic": "projects/hz-events-pubsub/topics/ep-1-1005",
  "subscription": "ep-1-1005",
  "subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
}

Contains information about one destination that can be used to receive events.

Properties

Name	Type	Description
destinationId*	string	Unique system-generated identifier.
type*	string	Destination type. Different fields may be available depending on this value.
project	string	PubSub project name.
topic	string	PubSub topic name.
subscription	string	PubSub subscription name.
subscriberCredentials	string	Contains raw Google GCP service account file that should be used to authenticate when retrieving from the subscription associated with this destination.

Enumerated Values

Property	Value
type	pubsub

EventHook

{
  "id": "bfc384726b6447a4b70a171de49e466f",
  "hookType": "webhook",
  "eventTypes": [
    "ct.entry"
  ],
  "status": "enabled",
  "destination": "https://hardenize.com/webhooks/receive",
  "secret": "3685c06a966e4d0ea625d0b475719661"
}

Event hook objects contain information pertaining to a destination to which events are delivered (pushed).

Properties

Name	Type	Description
id*	string	Contains the system-generated event hook identifier. This value is strongly random and, because it's provided with every event, can be used for an easy security check on the receiving end.
hookType*	string	Contains hook type.
eventTypes*	[string]	Contains the list of event types that will be sent to this hook.
status*	string	Indicates the current status of the event hook. The normal states are enabled and disabled. If a hook is determine to be inoperational, we will automatically disable it and change its state to failed.
destination	string	Contains the destination where events will be sent.
secret*	string	Contains a strongly random secret value unique to this hook. Used to sign events on delivery.

Enumerated Values

Property	Value
hookType	pubsub
hookType	webhook
status	enabled
status	disabled
status	failed

EventType

{
  "name": "ct",
  "available": true,
  "enabled": true
}

Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them.

Properties

Name	Type	Description
name*	string	none
available*	boolean	Specifies whether the account supports generation of this type of event.
enabled*	boolean	Specifies whether events of this type are currently being generated.

ErrorMessage

{
  "param": "string",
  "message": "string"
}

One instance of this object is returned for every problem encountered during request processing. If the object includes parameter name, the problem is related to that parameter, otherwise the problem applies to the request as a whole.

Properties

Name	Type	Description
param	string	none
message*	string	none

ErrorResponse

{
  "errors": [
    {
      "param": "string",
      "message": "string"
    }
  ]
}

This object is returned whenever a processing error occurs. It contains a list of error messages, some of which may be attributed to specific request parameters.

Properties

Name	Type	Description
errors*	[ErrorMessage]	[One instance of this object is returned for every problem encountered during request processing. If the object includes parameter name, the problem is related to that parameter, otherwise the problem applies to the request as a whole. ]

GetCertResponse

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-11-21T14:12:47.633Z",
    "notAfter": "2024-11-21T14:12:47.633Z",
    "effectiveNotAfter": "2024-11-21T14:12:47.633Z",
    "revokedOn": "2024-11-21T14:12:47.633Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-11-21T14:12:47.633Z",
    "lastSeen": "2024-11-21T14:12:47.633Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-11-21T14:12:47.633Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-11-21T14:12:47.633Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ]
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-11-21T14:12:47.633Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  },
  "extras": {
    "status": "ok",
    "certsDueDays": 60,
    "certsOverdueDays": 13,
    "certsCriticalDays": 4,
    "certsLabels": "managed"
  }
}

Properties

Name	Type	Description
cert*	Certificate	Contains information about one certificate.
extras	CertExtras	none

GetEventResponse

{
  "event": {
    "id": 10001,
    "type": "ct",
    "createdOn": "2024-11-21T14:12:47.634Z",
    "apiVersion": "0.14.0",
    "data": {
      "field": "value"
    }
  }
}

Properties

Name	Type	Description
event*	Event	Event objects are created in response to various things of interest that happen in your account. They are designed to be a generic storage and retrieval system that can carry arbitrary embedded objects, which are encoded in JSON format. The type fields is used as indicator as to which embedded object is stored in the data field. We also record the version of the API at the time the data object was created. Should there be differences in the format, you can use the apiVersion field to determine exactly how the data should be handled.

GetHostDiscoveryResponse

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2024-11-21T14:12:47.634Z",
    "origin": "hdb",
    "originTitle": "HDB",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2024-11-21T14:12:47.635Z"
  }
}

Properties

Name	Type	Description
hostDiscovery*	HostDiscovery	This object represents our discovery of a host which might be relevant to your organization.

GetHostDiscoveryKeywordResponse

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name	Type	Description
hostDiscoveryKeyword*	HostDiscoveryKeyword	A keyword used for host discovery.

GetHostDiscoveryNameserverResponse

{
  "hostDiscoveryNameserver": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name	Type	Description
hostDiscoveryNameserver*	HostDiscoveryNameserver	A keyword used for host discovery.

GetAccessControlConfigResponse

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

Current network access configuration.

Properties

Name	Type	Description
apiNetworks*	[string]	List of network address ranges from which access to the API should be allowed. Empty list means no restrictions.
apiNetworksCascade*	string	If set to true, the configured API whitelist is enforced on all child organizations.
appNetworks*	[string]	List of network address ranges from which access to the web application should be allowed. Empty list means no restrictions.
appNetworksCascade*	string	If set to true, the configured web application whitelist is enforced on all child organizations.

Enumerated Values

Property	Value
apiNetworksCascade	disabled
apiNetworksCascade	enabled
appNetworksCascade	disabled
appNetworksCascade	enabled

GetIssueResponse

{
  "integration": {
    "issueId": 10001,
    "revision": 1,
    "definitionId": "DNS1001",
    "subject": "OPAQUE",
    "subjectDomain": "example.com",
    "title": "Dangling Resource Record",
    "category": "DNS",
    "severity": "high",
    "cause": "OPAQUE",
    "causeDomain": "nxdomain.example.com",
    "causeIp": "192.168.1.1",
    "open": true,
    "status": "active",
    "auto": true,
    "autoOpen": true,
    "autoPreservedStatus": "string",
    "createdOn": "2022-06-17T00:00:00Z",
    "lastClosed": "2022-06-17T00:00:00Z",
    "lastUpdated": "2022-06-17T00:00:00Z",
    "lastChecked": "2022-06-17T00:00:00Z",
    "lastConfirmed": "2022-06-17T00:00:00Z",
    "snoozedUntil": "2022-06-17T00:00:00Z",
    "details": {
      "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
      "rrDomain": "example.com",
      "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
      "rrType": "SRV",
      "danglingType": "nxdomain",
      "causeDomain": "nxdomain.example.com"
    },
    "groups": [
      "Product"
    ]
  }
}

Properties

Name	Type	Description
integration	Issue	none

SetupAwsIntegrationsResponse

{
  "externalId": "hardenize-1uspdz"
}

Information needed to set up an AWS integration.

Properties

Name	Type	Description
externalId*	string	The externalId parameter to use when creating the integration AWS role.

SetupGcpIntegrationsResponse

{
  "serviceAccount": "integration-customer-abc123@hardenize-app-production.iam.gserviceaccount.com"
}

Information needed to set up a GCP integration.

Properties

Name	Type	Description
serviceAccount*	string	Email address of the service account you need to grant access for

HostExclusionsResponse

{
  "hostExclusions": [
    "example.com"
  ]
}

The current list of host exclusions.

Properties

Name	Type	Description
hostExclusions	[string]	none

HostDefaultsResponse

{
  "newHostStatus": "archived",
  "newHostInheritStatus": true,
  "newHostInheritGroup": false
}

The current host defaults configuration.

Properties

Name	Type	Description
newHostStatus	string	The new host status.
newHostInheritStatus	boolean	The new host inherit status.
newHostInheritGroup	boolean	The new host inherit group.

Enumerated Values

Property	Value
newHostStatus	archived
newHostStatus	monitored
newHostStatus	idle

UpdateHostDefaultsRequest

{
  "newHostStatus": "archived",
  "newHostInheritStatus": true,
  "newHostInheritGroup": false
}

When set default host configuration is overwritten.

Properties

Name	Type	Description
newHostStatus	string	The new host status.
newHostInheritStatus	boolean	The new host inherit status.
newHostInheritGroup	boolean	The new host inherit group.

Enumerated Values

Property	Value
newHostStatus	archived
newHostStatus	monitored
newHostStatus	idle

UpdateHostExclusionsRequest

{
  "hostExclusions": [
    [
      "example.com"
    ]
  ]
}

List of hosts to exclude

Properties

Name	Type	Description
hostExclusions	[string]	none

CertificateMonitoringResponse

{
  "notificationsEmailAddresses": [
    "dev@hardenize.com"
  ],
  "notificationsCustomText": "This is a custom text message",
  "pkiTeamId": "devteam",
  "notificationsSendOverdue": false,
  "notificationsSendCritical": false,
  "certsDueDays": 45,
  "certsOverdueDays": 6,
  "certsCriticalDays": 2,
  "vendorCertsCriticalDays": 2,
  "monitorNetworks": true,
  "includeNetworks": [
    "127.0.0.1/32"
  ],
  "excludeNetworks": [
    "127.0.0.1/32"
  ]
}

The current certificate monitoring configuration.

Properties

Name	Type	Description
notificationsEmailAddresses	[string]	none
notificationsCustomText	string	none
pkiTeamId	string	none
notificationsSendOverdue	boolean	none
notificationsSendCritical	boolean	none
certsDueDays	integer(int32)	none
certsOverdueDays	integer(int32)	none
certsCriticalDays	integer(int32)	none
vendorCertsCriticalDays	integer(int32)	none
monitorNetworks	boolean	none
includeNetworks	[cidr]	Contains a list of network ranges that are included in certificate monitoring.
excludeNetworks	[cidr]	Contains a list of network ranges that are excluded from certificate monitoring.

UpdateCertificateMonitoringRequest

{
  "notificationsEmailAddresses": [
    "dev@hardenize.com"
  ],
  "notificationsCustomText": "This is a custom notification text",
  "pkiTeamId": "devteam",
  "notificationsSendOverdue": false,
  "notificationsSendCritical": true,
  "certsDueDays": 45,
  "certsOverdueDays": 12,
  "certsCriticalDays": 6,
  "vendorCertsCriticalDays": 6,
  "monitorNetworks": true,
  "includeNetworks": [
    "127.0.0.1/32"
  ],
  "excludeNetworks": [
    "127.0.0.1/32"
  ]
}

When set the default certificate monitoring configuration is overwritten.

Properties

Name	Type	Description
notificationsEmailAddresses	[string]	none
notificationsCustomText	string	none
pkiTeamId	string	If not supplied, the value remains the same as before. To delete, use an empty string
notificationsSendOverdue	boolean	none
notificationsSendCritical	boolean	none
certsDueDays	integer(int32)	none
certsOverdueDays	integer(int32)	none
certsCriticalDays	integer(int32)	none
vendorCertsCriticalDays	integer(int32)	none
monitorNetworks	boolean	none
includeNetworks	[cidr]	Contains a list of IP address range in CIDR notation that are included in certificate monitoring
excludeNetworks	[cidr]	Contains a list of IP address range in CIDR notation that are excluded from certificate monitoring

CtMonitoringResponse

{
  "discoveryEmailNotifications": "escalations",
  "closeCertKnown": false,
  "closeCertInstalled": false,
  "closeCertExpired": false,
  "closeCertRevoked": false,
  "closeCaaMatchFull": false,
  "closeIssuerAllowed": false,
  "closeAllowedIssuerKeywords": [
    "string"
  ],
  "closeAllowedIssuerKeywordsOverrides": [
    {
      "pattern": "string",
      "keywords": [
        "string"
      ]
    }
  ],
  "closeCaseInactive": true,
  "closeCaseInactiveDays": 60,
  "escalateCertNotInstalled": false,
  "escalateCertNotInstalledDays": 120,
  "escalateCaaMismatch": true,
  "escalateCertNotCtCompliant": false,
  "escalateIssuerNotAllowed": false,
  "escalateIssuerForbidden": true,
  "escalateForbiddenIssuerKeywords": [
    "forbidden"
  ],
  "escalateCertMaxLifetimeExceeded": false
}

The current certificate transparency monitoring configuration.

Properties

Name	Type	Description
discoveryEmailNotifications	string	The discovery email notification recipients.
closeCertKnown	boolean	none
closeCertInstalled	boolean	none
closeCertExpired	boolean	none
closeCertRevoked	boolean	none
closeCaaMatchFull	boolean	none
closeIssuerAllowed	boolean	none
closeAllowedIssuerKeywords	[string]	none
closeAllowedIssuerKeywordsOverrides	[CloseAllowedIssuerKeywordsOverride]	[Allowed issuer keywords to override ]
closeCaseInactive	boolean	none
closeCaseInactiveDays	integer(int32)	none
escalateCertNotInstalled	boolean	none
escalateCertNotInstalledDays	integer(int32)	none
escalateCaaMismatch	boolean	none
escalateCertNotCtCompliant	boolean	none
escalateIssuerNotAllowed	boolean	none
escalateIssuerForbidden	boolean	none
escalateForbiddenIssuerKeywords	[string]	none
escalateCertMaxLifetimeExceeded	boolean	none

Enumerated Values

Property	Value
discoveryEmailNotifications	all
discoveryEmailNotifications	escalations
discoveryEmailNotifications	none

CloseAllowedIssuerKeywordsOverride

{
  "pattern": "string",
  "keywords": [
    "string"
  ]
}

Allowed issuer keywords to override

Properties

Name	Type	Description
pattern	string	none
keywords	[string]	none

UpdateCtMonitoringRequest

{
  "discoveryEmailNotifications": "escalations",
  "closeCertKnown": false,
  "closeCertInstalled": true,
  "closeCertExpired": false,
  "closeCertRevoked": true,
  "closeCaaMatchFull": false,
  "closeIssuerAllowed": true,
  "closeAllowedIssuerKeywords": [
    "string"
  ],
  "closeAllowedIssuerKeywordsOverrides": [
    {
      "pattern": "string",
      "keywords": [
        "string"
      ]
    }
  ],
  "closeCaseInactive": false,
  "closeCaseInactiveDays": true,
  "escalateCertNotInstalled": false,
  "escalateCertNotInstalledDays": true,
  "escalateCaaMismatch": true,
  "escalateCertNotCtCompliant": false,
  "escalateIssuerNotAllowed": true,
  "escalateIssuerForbidden": false,
  "escalateForbiddenIssuerKeywords": [
    "string"
  ],
  "escalateCertMaxLifetimeExceeded": true
}

New CT monitoring configuration

Properties

Name	Type	Description
discoveryEmailNotifications	string	The discovery email notification recipients.
closeCertKnown	boolean	none
closeCertInstalled	boolean	none
closeCertExpired	boolean	none
closeCertRevoked	boolean	none
closeCaaMatchFull	boolean	none
closeIssuerAllowed	boolean	none
closeAllowedIssuerKeywords	[string]	none
closeAllowedIssuerKeywordsOverrides	[CloseAllowedIssuerKeywordsOverride]	[Allowed issuer keywords to override ]
closeCaseInactive	boolean	none
closeCaseInactiveDays	integer(int32)	none
escalateCertNotInstalled	boolean	none
escalateCertNotInstalledDays	integer(int32)	none
escalateCaaMismatch	boolean	none
escalateCertNotCtCompliant	boolean	none
escalateIssuerNotAllowed	boolean	none
escalateIssuerForbidden	boolean	none
escalateForbiddenIssuerKeywords	[string]	none
escalateCertMaxLifetimeExceeded	boolean	none

Enumerated Values

Property	Value
discoveryEmailNotifications	all
discoveryEmailNotifications	escalations
discoveryEmailNotifications	none

GetMfaConfigResponse

{
  "mfaRequired": true
}

The current multi-factor authentication (MFA) configuration.

Properties

Name	Type	Description
mfaRequired*	boolean	If set, all users must have multi-factor enabled in order to access this organization.

UpdateAwsIntegrationConfig

{
  "accountId": "123456789012"
}

Properties

Name	Type	Description
accountId	string	The account identifier of the AWS Role created for this integration. The identifier is just the number part of the entire Amazon Role Number (ARN) string.

UpdateAzureIntegrationConfig

{
  "clientId": "a85f9541-6472-054d-af7b-802663282441",
  "tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43",
  "secret": "2q4xUYw/rTp3qoJ9x=pP.KXwUq?mnPO/"
}

Properties

Name	Type	Description
clientId	string	Azure client identifier.
tenantId	string	Azure tenant identifier.
secret	string	Azure secret token.

UpdateCloudflareIntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu",
  "authKey": "a986c4a2d345acd9663018742f3600bf9edba",
  "email": "postmaster@example.com"
}

Properties

Name	Type	Description
apiKey	string	The Cloudflare API key
authKey	string	Cloudflare global api key (legacy auth)
email	string	none

UpdateCscIntegrationConfig

{
  "apiKey": "23g923guh3uh2gj2dokd",
  "bearerToken": "483fabc7-1234-4321-f12f-f48a8de8f3cf"
}

Properties

Name	Type	Description
apiKey	string	The CSC API key
bearerToken	string	The CSC API bearer token

UpdateDigiCertIntegrationConfig

{
  "apiKey": "52YEKYDT7FARJTGWCN5B7K7YNME3APZOMP4X"
}

Properties

Name	Type	Description
apiKey	string	The DigiCert API key

UpdateGcpIntegrationConfig

{
  "project": "green-lantern-324920"
}

Properties

Name	Type	Description
project	string	The GCP project name

UpdateMarkMonitorIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

Properties

Name	Type	Description
username	string	The MarkMonitor API username
password	string	The MarkMonitor API password

UpdateSafenamesIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

Properties

Name	Type	Description
username	string	The Safenames username
password	string	The Safenames password

UpdateNs1IntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu"
}

Properties

Name	Type	Description
apiKey	string	The DigiCert API key

UpdateIntegrationRequest

{
  "name": "My Test Integration",
  "ref": "348394209898",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "123456789012"
  }
}

This object is designed to carry the information you wish to use to update a particular integration. Include only the fields you wish to change; all other fields will remain unchanged. The data in the config field must be appropriate for the integration type.

Properties

Name	Type	Description
name	string	Name to assign to integration. Must be unique.
ref	string	Integration reference; this field should contain the other party's unique account identifier, enabling you to know exactly which account we're connecting to.
tags	[string]	A list of tags. Tags are added to resources fetched from your configured integration. Tag names can use only letters and digits.
enabled	boolean	Whether or not the integration should be enabled immediately.
config	any	Integration-specific configuration parameters, matching the selected integration as specified in the type parameter.

oneOf

Name	Type	Description
» anonymous	UpdateAwsIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateAzureIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateCloudflareIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateCscIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateDigiCertIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateGcpIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateNs1IntegrationConfig	none

GetIdentityResponse

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2024-11-21T14:12:47.639Z",
    "lastSeen": "2024-11-21T14:12:47.639Z",
    "lastCheck": "2024-11-21T14:12:47.639Z",
    "error": "Not a unique identity.",
    "errorTime": "2024-11-21T14:12:47.639Z"
  }
}

Properties

Name	Type	Description
identity*	Identity	This object represents an identity.

Identity

{
  "identityId": 11113,
  "type": "dns_soa_rname",
  "enabled": true,
  "identity": "postmaster@example.com",
  "createdOn": "2024-11-21T14:12:47.639Z",
  "lastSeen": "2024-11-21T14:12:47.639Z",
  "lastCheck": "2024-11-21T14:12:47.639Z",
  "error": "Not a unique identity.",
  "errorTime": "2024-11-21T14:12:47.639Z"
}

This object represents an identity.

Properties

Name	Type	Description
identityId*	integer	A unique identifier which you can use to refer to a particular identity when updating.
type*	string	The type of identity, for example WHOIS registrant or email address.
enabled*	boolean	If this identity is enabled for discovery
identity*	string	The identity text.
createdOn*	string(date-time)	Indicates when was the first time we observed this identity.
lastSeen*	string(date-time)	Indicates the last time we observed this identity.
lastCheck	string(date-time)	Indicates the last time we looked for new assets connected to this identity.
error	string	The text of the error message. If an error occurs, the identity may be disabled. This may happen if a shared identity is initially added as unique, but later determined to actually be shared.
errorTime	string(date-time)	Contains the time of the most recent error related to this identity.

Enumerated Values

Property	Value
type	cert_dn_o
type	dns_mx
type	dns_soa_rname
type	whois_email
type	whois_registrant

GetIntegrationResponse

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-11-21T14:12:47.640Z",
    "nextRunTime": "2024-11-21T14:12:47.640Z",
    "lastRunTime": "2024-11-21T14:12:47.640Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Properties

Name	Type	Description
integration*	Integration	Represents a third-party integration.

UpdateIntegrationResponse

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-11-21T14:12:47.640Z",
    "nextRunTime": "2024-11-21T14:12:47.640Z",
    "lastRunTime": "2024-11-21T14:12:47.640Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Properties

Name	Type	Description
integration*	Integration	Represents a third-party integration.

UpdateMfaConfigRequest

{
  "mfaRequired": true
}

Desired changes to the multi-factor authentication configuration.

Properties

Name	Type	Description
mfaRequired	boolean	If set, all users must have multi-factor enabled in order to access this organization.

UpdateMfaConfigResponse

{
  "mfaRequired": true
}

The multi-factor authentication (MFA) configuration after a successful update operation.

Properties

Name	Type	Description
mfaRequired*	boolean	If set, all users must have multi-factor enabled in order to access this organization.

GetNetworkScanningConfigResponse

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

The current network scanning configuration.

Properties

Name	Type	Description
netscanStatic*	boolean	If set, scanning of static networks is enabled. For the scanning to take place, individual networks must be explicitly configured for scanning.
netscanDynamic*	boolean	If set to true, scanning of dynamic IP addresses resolved from the organization's hostnames is enabled.
monitorCloudIps*	boolean	If set to true, scanning of IP addresses discovered by cloud integrations is enabled.
netscanExclusions*	[cidr]	Contains a list of network ranges that will be excluded from network scanning.

GetSamlConfigResponse

{
  "enabled": true,
  "idpMetadata": "string"
}

The current SAML configuration.

Properties

Name	Type	Description
enabled*	boolean	If set, SAML will be available during sign in, provided the IdP metadata has been correctly configured.
idpMetadata	string	Identity Provider (IdP) metadata XML.

UpdateSamlConfigRequest

{
  "enabled": true,
  "idpMetadata": "string"
}

Encapsulates desired changes to the SAML cofiguration.

Properties

Name	Type	Description
enabled	boolean	If set, enables SAML for this organization. Requires correctly configured IdP metadata.
idpMetadata	string	Identity Provider (IdP) metadata XML. To remove existing metadata, set this value to an empty string. This will be detected and the field will be set to null.

UpdateSamlConfigResponse

{
  "enabled": true,
  "idpMetadata": "string"
}

The SAML configuration after a successful update operation.

Properties

Name	Type	Description
enabled*	boolean	If set, SAML will be available during sign in, provided the IdP metadata has been correctly configured.
idpMetadata	string	Identity Provider (IdP) metadata XML.

OperationStatus

{
  "id": "6e7b190fa8d4ba14f707",
  "done": true,
  "statusCode": 200,
  "contentType": "application/json; charset=UTF-8",
  "pages": 10,
  "rows": 2494,
  "rowsPerPage": 250
}

Properties

Name	Type	Description
id*	string	Unique operation identifier.
done*	boolean	If false, indicates that the operation is still in progress. If true, indicates that all processing ended.
statusCode	integer	HTTP status code of the operation, typically 200 (completed), 400 (bad request), 404 (requested data not found), 410 (operation cancelled), 500 (internal server error), 502 (remote server or service malfunctioned), and 503 (remote server or service not available). This field is available only after operation completes.
contentType	string	The content type associated with operation results.
pages	integer	How many pages there there in the operation result.
rows	integer	Total number of rows in the operation result.
rowsPerPage	integer	How many rows there are in each result page.

FetchDigiCertOrderRequest

{}

This object is currently only a placeholder that's used to support adding additional fetch parameters in the future. For now, only an empty object is required to be included in the request body.

Properties

None

GetOrgResponse

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Properties

Name	Type	Description
suborg	Organization	none

Group

{
  "id": "production",
  "name": "Production",
  "auto": true,
  "tags": [
    "production"
  ]
}

The Group object represents one account group.

Properties

Name	Type	Description
id*	string	none
name*	string	none
auto*	boolean	True if this group is an auto-group.
tags	[string]	Tags associated with this group. Auto-groups only.

HdbCertsByHostSuffixRequest

{
  "host": "example.com",
  "includeExactMatch": true,
  "includeWildcardMatch": true,
  "includeSubDomains": true,
  "includePem": true,
  "limit": 100
}

Parameters for a HDB search of public certificates by host suffix. You must supply at least one of includeExactMatch, includeWildcardMatch or includeSubDomains.

Properties

Name	Type	Description
host*	string	Host suffix to search by (e.g., example.com).
includeExactMatch	boolean	Include certificates containing the exact hostname. Default: false.
includeWildcardMatch	boolean	Include certificates that match the host suffix due to containing a wildcard in them. For example, for www.example.com, a wildcard match would include certificates with *.example.com. Default: false.
includeSubDomains	boolean	Include certificates containing any subdomain of the supplied host suffix. Default: false.
includePem	boolean	Include the raw certificate in PEM format. Default: false.
limit	integer	Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit.

HdbCertsByKeywordRequest

{
  "keyword": "example",
  "includePem": true,
  "limit": 100
}

Parameters for a HDB search of public certificates by keyword.

Properties

Name	Type	Description
keyword*	string	The keyword to be used in the search.
includePem	boolean	Include the raw certificate in PEM format. Default: false.
limit	integer	Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit.

HdbCertsBySpkiRequest

{
  "spki": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "includePem": true,
  "limit": 100
}

Parameters for a HDB search of public certificates by SPKI.

Properties

Name	Type	Description
spki*	string	SHA256 hash of the requested SPKI.
includePem	boolean	Include the raw certificate in PEM format. Default: false.
limit	integer	Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit.

HdbCertResponse

{
  "cert": {
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "unpacked": {
      "label": "www.example.com",
      "subject": "CN=www.example.com",
      "commonNames": [
        "www.example.com"
      ],
      "san": [
        "mail.example.com"
      ],
      "ski": "af47cb938e299991ec6538685ec20affbf817b2f",
      "issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
      "issuer": "Let's Encrypt Authority X3",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
      "notBefore": "2024-11-21T14:12:47.642Z",
      "notAfter": "2024-11-21T14:12:47.642Z",
      "issuerUrls": [
        "http://cert.int-x3.letsencrypt.org/"
      ],
      "crlUrls": [
        "http://crl.pki.goog/GTS1O1.crl"
      ],
      "ocspUrls": [
        "http://ocsp.pki.goog/gts1o1"
      ],
      "fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
      "fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
      "keyUsage": [
        "keyEncipherment"
      ],
      "extendedKeyUsage": [
        "serverAuth"
      ],
      "scts": [
        {
          "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
          "logName": "DigiCert Yeti2020 Log",
          "timestamp": "2024-11-21T14:12:47.642Z"
        }
      ],
      "mustStaple": true,
      "sigAlg": {
        "oid": "1.2.840.113549.1.1.11",
        "name": "SHA256withRSA"
      },
      "subjectKey": {
        "algName": "RSA",
        "bits": 2048,
        "strength": 112,
        "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
      },
      "ca": true,
      "caPathLen": 1
    }
  }
}

A single certificate returned by a HDB search.

Properties

Name	Type	Description
cert*	HdbCert	A certificate as returned by a HDB search.

HdbCertsListResponse

{
  "certs": [
    {
      "sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "subject": "CN=www.example.com",
      "notAfter": "2024-11-21T14:12:47.643Z",
      "names": [
        "example.com"
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM="
    }
  ]
}

A list of certificates as returned by a HDB search.

Properties

Name	Type	Description
certs*	[HdbCertsListCert]	[A certificate as returned by a HDB search.]

HdbCertsListCert

{
  "sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
  "subject": "CN=www.example.com",
  "notAfter": "2024-11-21T14:12:47.643Z",
  "names": [
    "example.com"
  ],
  "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM="
}

A certificate as returned by a HDB search.

Properties

Name	Type	Description
sha256*	string	SHA256 hash of the certificate.
spkiSha256*	string	Hex-encoded SHA256 of the certificate's SPKI component.
subject*	string	Certificate subject Distinguished Name in text format.
notAfter*	string(date-time)	ISO 8601 timestamp.
names	[string]	none
pem	string	Base64-encoded certificate in DER format.

HdbCert

{
  "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
  "unpacked": {
    "label": "www.example.com",
    "subject": "CN=www.example.com",
    "commonNames": [
      "www.example.com"
    ],
    "san": [
      "mail.example.com"
    ],
    "ski": "af47cb938e299991ec6538685ec20affbf817b2f",
    "issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
    "issuer": "Let's Encrypt Authority X3",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
    "notBefore": "2024-11-21T14:12:47.643Z",
    "notAfter": "2024-11-21T14:12:47.643Z",
    "issuerUrls": [
      "http://cert.int-x3.letsencrypt.org/"
    ],
    "crlUrls": [
      "http://crl.pki.goog/GTS1O1.crl"
    ],
    "ocspUrls": [
      "http://ocsp.pki.goog/gts1o1"
    ],
    "fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
    "fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
    "keyUsage": [
      "keyEncipherment"
    ],
    "extendedKeyUsage": [
      "serverAuth"
    ],
    "scts": [
      {
        "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
        "logName": "DigiCert Yeti2020 Log",
        "timestamp": "2024-11-21T14:12:47.643Z"
      }
    ],
    "mustStaple": true,
    "sigAlg": {
      "oid": "1.2.840.113549.1.1.11",
      "name": "SHA256withRSA"
    },
    "subjectKey": {
      "algName": "RSA",
      "bits": 2048,
      "strength": 112,
      "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
    },
    "ca": true,
    "caPathLen": 1
  }
}

A certificate as returned by a HDB search.

Properties

Name	Type	Description
pem*	string	Base64-encoded certificate in DER format.
unpacked	UnpackedCert	Various information parsed from the certificate.

Host

{
  "hostname": "🔥.hardenize.com",
  "punyHostname": "xn--4v8h.hardenize.com",
  "createdOn": "2024-11-21T14:12:47.644Z",
  "status": "archived",
  "axfr": "enabled",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "algorithm": "HMAC_MD5",
    "name": "thename"
  },
  "lastAxfrTime": "2024-11-21T14:12:47.644Z",
  "axfrError": "string",
  "lastAxfrErrorTime": "2024-11-21T14:12:47.644Z",
  "lastRegLookupTime": "2024-11-21T14:12:47.644Z",
  "origin": "hdb",
  "originTitle": "HDB",
  "originInfo": {
    "net": {
      "host": "aspmx.l.google.com",
      "address": "2a00:1450:400c:c00:0:0:0:1b",
      "port": 25,
      "protocol": "smtp"
    }
  },
  "nx": true,
  "nxTime": "2024-11-21T14:12:47.644Z",
  "regRegistry": true,
  "regPublic": true,
  "regNx": false,
  "regNxTime": "2024-11-21T14:12:47.644Z",
  "lastAssessmentTime": "2024-11-21T14:12:47.644Z",
  "assessmentError": "Host not found",
  "lastAssessmentAttemptTime": "2024-11-21T14:12:47.644Z",
  "groups": [
    "mygroup"
  ],
  "tags": [
    "production"
  ],
  "domainRegistrant": "string",
  "domainRegistrarName": "string",
  "domainStatuses": [
    "string"
  ],
  "domainCreationTime": "2024-11-21T14:12:47.644Z",
  "domainExpireTime": "2024-11-21T14:12:47.644Z",
  "domainRegistryLock": false,
  "domainRegistrarLock": false,
  "domainLookupStatus": "string",
  "config": {},
  "classificationStatus": "active",
  "classificationTags": [
    "signin"
  ]
}

The Host object represents one of your hosts that resides in our database.

Properties

Name	Type	Description
hostname*	string	A fully-qualified domain name.
punyHostname	string	A fully-qualified domain name, as Punycode.
createdOn*	string(date-time)	none
status*	string	This host's monitoring status. If the status is monitored, we're going to use all account features to monitor this host, including active network monitoring. If the status is idle, we're going to use only passive information gathering (e.g., via Certificate Transparency). If the status is archived, we're not going to perform any host-related activity, but existing data will be preserved. This status is intended for use with hosts that are no longer of interest, but whose history should be preserved.
axfr	string	If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to auto which is a setting that is reserved for a future expansion and currently has the same meaning as disabled. To enable zone transfers, change the value of this field to enabled.
axfrHost	string	Instead of doing AXFRs from the primary nameserver as per the zone's SOA record, use this hostname or IP address instead.
axfrTsig	HostAxfrTsig	none
lastAxfrTime	string(date-time)	The time of the last successful zone transfer.
axfrError	string	The error message associated with the last unsuccessful zone transfer.
lastAxfrErrorTime	string(date-time)	The time of the last unsuccessful zone transfer.
lastRegLookupTime	string(date-time)	The time of the last successful domain registration lookup
origin*	string	Indication of where this host came from.
originTitle	string	Human readable version of the origin enum value
originInfo	OriginInfo	Further information about the origin. For example, if the origin is cert, then this field will identify the actual certificate.
nx*	boolean	If true, this host effectively doesn't exist in the DNS.
nxTime	string(date-time)	When nx is true, this field contains the timestamp of when we first detected that it no longer exists in the DNS.
regRegistry*	boolean	True if this host is a registrable domain name under a registry (IANA) suffix. If this field is true then regPublic will also be true. Updated based on the latest Public Suffix List information.
regPublic*	boolean	True if this host is a registrable domain name under any public suffix. This field can be true when regRegistry is not. Updated based on the latest Public Suffix List information.
regNx	boolean	If true, this field indicates that the registrable domain doesn't exist. Absent if the host is not a registrable domain name.
regNxTime	string(date-time)	When regNx is true, this field contains the timestamp of when we first detected that the registrable domain name no longer exists.
lastAssessmentTime	string(date-time)	The time of the last successful assessment.
assessmentError	string	Error message, which is available only if the last assessment resulted in an error.
lastAssessmentAttemptTime	string(date-time)	When was the last assessment attempted?
groups*	[string]	Under Development: Identifiers of all groups this host belongs to.
tags*	[string]	none
domainRegistrant	string	The individual or entity who registers a domain name.
domainRegistrarName	string	The name of the domain registrar with whom the domain name is registered.
domainStatuses	[string]	The statuses of the domain name within the domain registry.
domainCreationTime	string(date-time)	The date and time when the domain name was initially registered or create.
domainExpireTime	string(date-time)	The date and time when the domain registration is set to expire.
domainRegistryLock	boolean	This field indicates whether the domain name has a registry lock applied to it.
domainRegistrarLock	boolean	This field indicates whether the domain name has a registrar lock applied to it.
domainLookupStatus	string	Represents the status of the domain ok, if present otherwise unknown
config	object	Under Development: This field is an object that contains detailed host configuration. It's not fully documented at this time because we're still working on the data model. You can use the data in this field if it's useful to you, but do note that the format is very likely to change.
classificationStatus	string	Represents the status of content classification
classificationTags	[string]	A list of content classification tags

Enumerated Values

Property	Value
status	archived
status	idle
status	monitored
axfr	auto
axfr	enabled
axfr	disabled
origin	cert
origin	ct
origin	hdb
origin	manual
classificationStatus	active
classificationStatus	inactive
classificationStatus	parked

HostAxfrTsig

{
  "algorithm": "HMAC_MD5",
  "name": "thename"
}

Properties

Name	Type	Description
algorithm*	string	Axfr transfer algorithm
name*	string	Axfr transfer name

Enumerated Values

Property	Value
algorithm	HMAC_MD5
algorithm	HMAC_SHA1
algorithm	HMAC_SHA224
algorithm	HMAC_SHA256
algorithm	HMAC_SHA384
algorithm	HMAC_SHA512

HostDiscovery

{
  "discoveryId": 11113,
  "autoResolved": false,
  "hostname": "www.🔥.hardenize.com",
  "discoveredTime": "2024-11-21T14:12:47.645Z",
  "origin": "hdb",
  "originTitle": "HDB",
  "originInfo": {
    "net": {
      "host": "aspmx.l.google.com",
      "address": "2a00:1450:400c:c00:0:0:0:1b",
      "port": 25,
      "protocol": "smtp"
    }
  },
  "matchInfo": {
    "certdno": {
      "o": "Cloudflare, Inc."
    },
    "integration": {
      "name": "AWS Production",
      "type": "aws",
      "ref": "string"
    },
    "keyword": {
      "matches": [
        {
          "encoding": "ascii",
          "keyword": "string",
          "matchPosition": "anywhere",
          "matchScope": "all",
          "search": "bitSquatting"
        }
      ]
    },
    "mx": {
      "mx": "mail.example.com"
    },
    "nameserver": {
      "matches": [
        {
          "name": "ns1.hardenize.com",
          "firstSeen": "2021-09-21T15:32:02.322Z"
        }
      ]
    },
    "rname": {
      "email": "postmaster@example.com"
    },
    "whois": {
      "keywords": [
        "example.com"
      ]
    }
  },
  "matchCertDNO": false,
  "matchIntegration": true,
  "matchKeyword": false,
  "matchMx": false,
  "matchNameserver": false,
  "matchSubdomain": false,
  "matchRname": false,
  "matchWhois": false,
  "resolution": "pending",
  "updatedTime": "2024-11-21T14:12:47.645Z"
}

This object represents our discovery of a host which might be relevant to your organization.

Properties

Name	Type	Description
discoveryId*	integer	A unique identifier which you can use to refer to a particular host discovery when updating
autoResolved*	boolean	We may have automatically resolved your discovery. If we have, this will be set to true
hostname*	string	The hostname that we discovered, that we think might be relevant to you
discoveredTime	string(date-time)	The date and time that we made this particular discovery
origin*	string	The location at which we discovered the hostname.
originTitle	string	Human readable version of the origin enum value
originInfo	OriginInfo	Further information about the origin. For example, if the origin is cert, then this field will identify the actual certificate.
matchInfo	MatchInfo	Information describing how the discovery came about.
matchCertDNO	boolean	True if discovery matched a certificates DN O field
matchIntegration	boolean	True if discovery was via a configured integration.
matchKeyword	boolean	True if discovery matched a keyword.
matchMx	boolean	True if discovery was via our DNS MX lookup.
matchNameserver	boolean	True if discovery was via our nameserver lookup.
matchSubdomain	boolean	True if discovery is a subdomain of a known host.
matchRname	boolean	True if discovery was via our DNS SOA RNAME lookup.
matchWhois	boolean	True if discovery was via our whois lookup.
resolution*	string	The current resolution state of the discovery. This is usually set to "pending" to indicate that you should resolve the discovery in some manner.
updatedTime	string(date-time)	The date and time that this discovery was last updated

Enumerated Values

Property	Value
origin	cert
origin	ct
origin	hdb
origin	manual
resolution	pending
resolution	own
resolution	supplier
resolution	unrelated
resolution	infringing
resolution	phishing

HostDiscoveryKeyword

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ],
  "error": "Disabled due to too many matches: 10000",
  "errorTime": "2020-06-12T15:00:00.011Z"
}

A keyword used for host discovery.

Properties

Name	Type	Description
keyword*	string	The text to match with. Must consist of only lowercase letters, digits, dashes, and periods. It also must contain at least 5 characters and not more than 32.
enabled*	boolean	Indicates if the keyword is currently active.
matchScope*	string	Determines what type of results the keyword will look for.
matchPosition*	string	Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant.
matchExact*	boolean	If set, enables exact matching.
matchFuzzy*	boolean	If set, enables fuzzy matching.
matchConfusables*	boolean	If set, enables mathing of confusable characters and homographes.
exclusions*	[string]	Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored.
error	string	If keyword had been disabled because of an error, this field contains the error message.
errorTime	string(date-time)	If keyword had been disabled because of an error, this field contains the time the disabling took place.

Enumerated Values

Property	Value
matchScope	all
matchScope	domains
matchPosition	anywhere
matchPosition	label,
matchPosition	labelStart
matchPosition	labelEnd
matchPosition	labelStartOrEnd

HostDiscoveryNameserver

{
  "hostname": "ns1.hardenize.com",
  "punyHostname": "ns1.hardenize.com",
  "createdOn": "2020-06-10T15:36:49.044Z",
  "enabled": false,
  "error": "Disabled due to too many matches: 10000",
  "errorTime": "2020-06-12T15:00:00.011Z"
}

A keyword used for host discovery.

Properties

Name	Type	Description
hostname	string	A fully-qualified domain name.
punyHostname	string	A fully-qualified domain name, as Punycode.
createdOn	string(date-time)	Holds nameserver creation timestamp.
enabled	boolean	Indicates whether this nameserver is used for discovery. Nameservers are enabled by default and this field set to true. Nameservers that return too many matches (typically an indication of shared nameservers) will be disabled with an error message and timestamp provided.
error	string	When nameserver is disabled by the system, this field contains the error message that explains the problem.
errorTime	string(date-time)	Holds error timestamp; this is typically when the server had been disabled.

Integration

{
  "integrationId": 1,
  "name": "My Test Integration",
  "ref": "348394209898",
  "type": "aws",
  "enabled": true,
  "tags": [
    "production"
  ],
  "error": "Invalid credentials for logging in to integration",
  "errorTime": "2024-11-21T14:12:47.647Z",
  "nextRunTime": "2024-11-21T14:12:47.647Z",
  "lastRunTime": "2024-11-21T14:12:47.647Z",
  "lastRunErrors": [
    "Unable to obtain list of registered domain names."
  ],
  "config": {
    "accountId": "string"
  }
}

Represents a third-party integration.

Properties

Name	Type	Description
integrationId*	integer(int64)	Unique integration identifier.
name*	string	Integration name.
ref	string	Integration reference; this field should contain the other party's unique account identifier, enabling you to know exactly which account we're connecting to.
type*	string	Integration type
enabled*	boolean	Indicates if the integration is enabled.
tags*	[string]	none
error	string	If a fatal error occurs when we attempt to connect to the other party, the integration will be disabled; this field contains the error message.
errorTime	string(date-time)	The time when the error occured.
nextRunTime	string(date-time)	When an integration is enabled, this field indicates the next time it is scheduled to run.
lastRunTime	string(date-time)	If present, the last time the integration was attempted.
lastRunErrors	[string]	If any non-fatal errors are encountered, this field will contain the corresponding error messages. For example, if permissions are incorrectly configured, we may be able to connect to the third-party account but not perform all desired operations.
config*	any	Integration-specific configuration parameters, matching the selected integration as specified in the type parameter.

oneOf

Name	Type	Description
» anonymous	AwsIntegrationConfig	AWS integration parameters.

xor

Name	Type	Description
» anonymous	AzureIntegrationConfig	Azure integration parameters. Although we require the Azure secret token initially, to create an integration, we do not provide it via this API afterwards.

xor

Name	Type	Description
» anonymous	CloudflareIntegrationConfig	Cloudflare integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

xor

Name	Type	Description
» anonymous	CscIntegrationConfig	CSC integration parameters. Although we require the API key and bearer token initially, to create an integration, we do not provide them via this API afterwards.

xor

Name	Type	Description
» anonymous	DigiCertIntegrationConfig	DigiCert CertCentral integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

xor

Name	Type	Description
» anonymous	GcpIntegrationConfig	GCP integration parameters.

xor

Name	Type	Description
» anonymous	MarkMonitorIntegrationConfig	MarkMonitor integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

xor

Name	Type	Description
» anonymous	Ns1IntegrationConfig	NS1 integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

xor

Name	Type	Description
» anonymous	SafenamesIntegrationConfig	Safenames integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

Enumerated Values

Property	Value
type	aws
type	azure
type	cloudflare
type	csc
type	digicert
type	gcp
type	markmonitor
type	ns1
type	safenames

Issue

{
  "issueId": 10001,
  "revision": 1,
  "definitionId": "DNS1001",
  "subject": "OPAQUE",
  "subjectDomain": "example.com",
  "title": "Dangling Resource Record",
  "category": "DNS",
  "severity": "high",
  "cause": "OPAQUE",
  "causeDomain": "nxdomain.example.com",
  "causeIp": "192.168.1.1",
  "open": true,
  "status": "active",
  "auto": true,
  "autoOpen": true,
  "autoPreservedStatus": "string",
  "createdOn": "2022-06-17T00:00:00Z",
  "lastClosed": "2022-06-17T00:00:00Z",
  "lastUpdated": "2022-06-17T00:00:00Z",
  "lastChecked": "2022-06-17T00:00:00Z",
  "lastConfirmed": "2022-06-17T00:00:00Z",
  "snoozedUntil": "2022-06-17T00:00:00Z",
  "details": {
    "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
    "rrDomain": "example.com",
    "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
    "rrType": "SRV",
    "danglingType": "nxdomain",
    "causeDomain": "nxdomain.example.com"
  },
  "groups": [
    "Product"
  ]
}

Properties

Name	Type	Description
issueId*	integer	Unique issue identifier.
revision*	integer	Issue revision. Starts at 1 and increments every time the issue is updated.
definitionId	string	Unique identifier of the definition from which this issue was created. Automatically created issues will always have this field set.
subject	string	Opaque value that identifies the subject of the issue. The subject describes the infrastructure element affected by the issue, for example a domain name. Provided for grouping and sorting purposes.
subjectDomain	string	If applicable, the domain name associated with the subject. Provided for grouping and sorting purposes.
title*	string	Descriptive issue title. Copied from the definition, if the issue has one.
category*	string	Issue category. Copied from the definition, if the issue has one, otherwise assigned at creation.
severity*	string	Issue severity.
cause	string	Opaque value that identifies the root cause of the issue. Provided for grouping and sorting purposes.
causeDomain	string	If applicable, the domain name associated with the cause. Provided for grouping and sorting purposes.
causeIp	string	If applicable, the IP address associated with the cause. Provided for grouping and sorting purposes.
open*	boolean	Indicates if this issue is open or closed.
status*	string	Describes the current issue status. Issues that are automatically created will use the active and completed statuses. An issue may become orphaned of the subject disappears or monitoring ceases.
auto*	boolean	If true, this issue was automatically created from a network observation, and will be automatically resolved once the problem has been addressed.
autoOpen	boolean	This field is used only with auto issue and tracks the status of the detected problem. Unlike issues themselves, which can be manually closed, this field always reflects what is observed at network level.
autoPreservedStatus	string	This field is used to preserve the status of an issue that is auto-closed. If we need to reopen the issue later, we will restore the correct status.
createdOn*	string(date-time)	Indicates when this issue was created.
lastClosed	string(date-time)	Indicates when this issue was last closed. An issue may have more than one timestamp in this field if it's closed then reopened.
lastUpdated*	string(date-time)	Indicates when this issue was last updated. This field will also be set immediately after an issue is created and the timestamp will be the same as in createdOn.
lastChecked	string(date-time)	Indicates when this issue was last checked. Always set for automatic issues.
lastConfirmed	string(date-time)	Indicates when this issue was last confirmed. Always set for automatic issues.
snoozedUntil	string(date-time)	If an issue is snoozed, this field contains an optional timestamp after which the issue will automatically be restored back to active status.
details	object	Contains issue-specific information. Issues are designed to track a variety of problems as well as notifications and other event types. For this reason, the main fields are generic in nature, but that's where this field comes in, to carry additiona data custom-tailored for the problem at hand. To interpret this object, examine the @type property and process it accordingly.
groups	[string]	List of all groups this issue belongs to.

Enumerated Values

Property	Value
severity	info
severity	low
severity	medium
severity	high
severity	critical
severity	urgent
status	abandoned
status	active
status	bogus
status	completed
status	deprecated
status	ignored
status	orphaned
status	snoozed

ListAuditEventsResponse

{
  "events": [
    {
      "id": 10001,
      "actorType": "u",
      "actorId": "userId:12090749",
      "actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
      "timestamp": "2018-09-03T14:09:59.000Z",
      "remoteAddr": "18.233.176.231",
      "sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
      "resourceType": "user",
      "resourceId": "12090749",
      "action": "user.auth.succeeded",
      "status": 200,
      "details": {
        "method": "password"
      }
    }
  ]
}

Properties

Name	Type	Description
events	[AuditEvent]	[Contains information about one audit log event. ]

ListCertDiscoveriesResponse

{
  "certDiscoveries": [
    {
      "certDiscoveryId": 11766,
      "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
      "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "createdOn": "2022-06-17T00:00:00Z",
      "updatedOn": "2022-06-17T00:00:00Z",
      "closedOn": "2022-06-17T00:00:00Z",
      "escalated": false,
      "status": "open",
      "resolution": "undetermined",
      "certSummary": {
        "shortId": "572908a",
        "label": "ssl760680.cloudflaressl.com",
        "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
        "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
        "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
        "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
        "issuerCa": "Let's Encrypt",
        "ownership": "own",
        "notBefore": "2024-11-21T14:12:47.660Z",
        "notAfter": "2024-11-21T14:12:47.660Z",
        "effectiveNotAfter": "2024-11-21T14:12:47.660Z",
        "revokedOn": "2024-11-21T14:12:47.660Z",
        "hosts": [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ],
        "extras": {
          "status": "ok",
          "certsDueDays": 60,
          "certsOverdueDays": 13,
          "certsCriticalDays": 4,
          "certsLabels": "managed"
        },
        "active": true,
        "caPathLen": -1,
        "nameDigestNewer": true
      },
      "matchedHosts": [
        [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ]
      ]
    }
  ]
}

Properties

Name	Type	Description
certDiscoveries*	[CertDiscoverySummary]	[Contains complete information about a certificate discovered in one of the monitored CT logs. ]

GetCertDiscoveryResponse

{
  "certDiscovery": {
    "certDiscoveryId": 11766,
    "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "createdOn": "2022-06-17T00:00:00Z",
    "updatedOn": "2022-06-17T00:00:00Z",
    "closedOn": "2022-06-17T00:00:00Z",
    "escalated": false,
    "status": "open",
    "resolution": "undetermined",
    "certSummary": {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-11-21T14:12:47.661Z",
      "notAfter": "2024-11-21T14:12:47.661Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.661Z",
      "revokedOn": "2024-11-21T14:12:47.661Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed"
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    },
    "certKnown": false,
    "certInstalled": true,
    "certExpired": false,
    "certRevoked": false,
    "issuerAllowed": true,
    "issuerAllowedKeyword": "GlobalSign",
    "issuerNotAllowed": false,
    "issuerForbidden": false,
    "issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "caaMismatch": false,
    "caaMatchFull": false,
    "notCtCompliant": false,
    "maxLifetimeExceeded": false,
    "timeoutCaseInactive": false,
    "timeoutCertNotInstalled": false,
    "matchedHosts": [
      [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ]
    ],
    "matchedHostsInfo": {
      "property1": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      },
      "property2": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      }
    },
    "matchedHostsCaaHistory": {
      "property1": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-11-21T14:12:47.661Z",
          "lastSeen": "2024-11-21T14:12:47.661Z",
          "records": [
            "string"
          ]
        }
      ],
      "property2": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-11-21T14:12:47.661Z",
          "lastSeen": "2024-11-21T14:12:47.661Z",
          "records": [
            "string"
          ]
        }
      ]
    },
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ]
  }
}

Properties

Name	Type	Description
certDiscovery*	CertDiscovery	Contains complete information about a certificate discovered in one of the monitored CT logs.

ListCertsResponse

{
  "certs": [
    {
      "shortId": "572908a",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "validation": "dv",
      "notBefore": "2024-11-21T14:12:47.662Z",
      "notAfter": "2024-11-21T14:12:47.662Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.662Z",
      "revokedOn": "2024-11-21T14:12:47.662Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "ECDSAwithSHA256",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "sanCount": 1,
      "caPathLen": -1,
      "wildcard": true,
      "selfSigned": false,
      "firstSeen": "2024-11-21T14:12:47.662Z",
      "lastSeen": "2024-11-21T14:12:47.662Z",
      "seenInstalled": true,
      "active": true,
      "precert": false,
      "duplicate": false,
      "managed": true,
      "ownership": "own",
      "label": "ssl760680.cloudflaressl.com",
      "matchesOrgHost": true,
      "symantecStatus": "symantecExcluded",
      "ctRequired": true,
      "ctCompliant": true,
      "ctLogs": [
        {
          "name": "rocketeer",
          "log": "ct.googleapis.com/rocketeer",
          "timestamp": 1533791245857,
          "index": 232455,
          "type": "cert",
          "sources": [
            "log",
            "tls"
          ]
        }
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
      "origin": "ct",
      "originTitle": "CT",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "parentHashes": [
        "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
        "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
      ],
      "parentHashesSource": "ct",
      "parentHashesComplete": true,
      "analysis": {
        "id": "ITEM_DOMAIN_REGISTRATION",
        "name": "Domain Registration",
        "status": "good",
        "remarks": [
          {
            "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
            "title": "Nameserver is not operational",
            "content": "Good. The private key associated with this certificate is secure.",
            "severity": "good",
            "data": {
              "Name": "dns1.registrar-servers.com.",
              "Address": "2610:a1:1024::200",
              "Reverse name": "dns1.registrar-servers.com."
            }
          }
        ]
      },
      "matchedHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "matchedWildcardHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "thirdPartyHosts": [
        "hardenize.com"
      ],
      "deployments": {
        "hosts": [
          {
            "hostname": "string",
            "service": "dns",
            "serviceHostname": "string",
            "lastSeen": "2024-11-21T14:12:47.662Z"
          }
        ],
        "services": [
          {
            "hostname": "string",
            "address": "string",
            "port": 0,
            "asNumber": 0,
            "asName": "string",
            "cloudProvider": "string",
            "cloudRegion": "string",
            "lastSeen": "2024-11-21T14:12:47.662Z",
            "certs": [
              "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
              "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
            ]
          }
        ]
      },
      "lifetime": "PT17652H",
      "lifetimeDays": 736,
      "ku": [
        "keyEncipherment",
        "digitalSignature"
      ],
      "eku": [
        "serverAuth",
        "clientAuth"
      ],
      "mustStaple": true,
      "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
      "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
      "caIssuers": [
        "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
      ],
      "crl": [
        "http://crl3.digicert.com/sha2-ev-server-g2.crl",
        "http://crl4.digicert.com/sha2-ev-server-g2.crl"
      ],
      "ocsp": [
        "http://ocsp.digicert.com"
      ],
      "ctInfos": [
        {
          "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
          "timestamp": "2024-11-21T14:12:47.662Z",
          "name": "Google 'Xenon2024' log",
          "status": "Qualified"
        }
      ]
    }
  ]
}

Properties

Name	Type	Description
certs*	[Certificate]	[Contains information about one certificate. ]

ListCertSummariesResponse

{
  "certs": [
    {
      "shortId": "572908a",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "validation": "dv",
      "notBefore": "2024-11-21T14:12:47.663Z",
      "notAfter": "2024-11-21T14:12:47.663Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.664Z",
      "revokedOn": "2024-11-21T14:12:47.664Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "ECDSAwithSHA256",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "sanCount": 1,
      "caPathLen": -1,
      "wildcard": true,
      "selfSigned": false,
      "firstSeen": "2024-11-21T14:12:47.664Z",
      "lastSeen": "2024-11-21T14:12:47.664Z",
      "seenInstalled": true,
      "active": true,
      "precert": false,
      "duplicate": false,
      "managed": true,
      "ownership": "own",
      "label": "ssl760680.cloudflaressl.com",
      "matchesOrgHost": true,
      "symantecStatus": "symantecExcluded",
      "ctRequired": true,
      "ctCompliant": true,
      "ctLogs": [
        {
          "name": "rocketeer",
          "log": "ct.googleapis.com/rocketeer",
          "timestamp": 1533791245857,
          "index": 232455,
          "type": "cert",
          "sources": [
            "log",
            "tls"
          ]
        }
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
      "origin": "ct",
      "originTitle": "CT",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "parentHashes": [
        "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
        "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
      ],
      "parentHashesSource": "ct",
      "parentHashesComplete": true,
      "analysis": {
        "id": "ITEM_DOMAIN_REGISTRATION",
        "name": "Domain Registration",
        "status": "good",
        "remarks": [
          {
            "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
            "title": "Nameserver is not operational",
            "content": "Good. The private key associated with this certificate is secure.",
            "severity": "good",
            "data": {
              "Name": "dns1.registrar-servers.com.",
              "Address": "2610:a1:1024::200",
              "Reverse name": "dns1.registrar-servers.com."
            }
          }
        ]
      },
      "matchedHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "matchedWildcardHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "thirdPartyHosts": [
        "hardenize.com"
      ],
      "deployments": {
        "hosts": [
          {
            "hostname": "string",
            "service": "dns",
            "serviceHostname": "string",
            "lastSeen": "2024-11-21T14:12:47.664Z"
          }
        ],
        "services": [
          {
            "hostname": "string",
            "address": "string",
            "port": 0,
            "asNumber": 0,
            "asName": "string",
            "cloudProvider": "string",
            "cloudRegion": "string",
            "lastSeen": "2024-11-21T14:12:47.664Z",
            "certs": [
              "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
              "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
            ]
          }
        ]
      },
      "lifetime": "PT17652H",
      "lifetimeDays": 736,
      "ku": [
        "keyEncipherment",
        "digitalSignature"
      ],
      "eku": [
        "serverAuth",
        "clientAuth"
      ],
      "mustStaple": true,
      "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
      "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
      "caIssuers": [
        "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
      ],
      "crl": [
        "http://crl3.digicert.com/sha2-ev-server-g2.crl",
        "http://crl4.digicert.com/sha2-ev-server-g2.crl"
      ],
      "ocsp": [
        "http://ocsp.digicert.com"
      ],
      "ctInfos": [
        {
          "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
          "timestamp": "2024-11-21T14:12:47.664Z",
          "name": "Google 'Xenon2024' log",
          "status": "Qualified"
        }
      ]
    }
  ]
}

Properties

Name	Type	Description
certs*	[Certificate]	[Contains information about one certificate. ]

ListEventDestinationsResponse

{
  "eventDestinations": [
    {
      "destinationId": "pubsub://events/1/1005",
      "type": "pubsub",
      "project": "hz-events-pubsub",
      "topic": "projects/hz-events-pubsub/topics/ep-1-1005",
      "subscription": "ep-1-1005",
      "subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
    }
  ]
}

Properties

Name	Type	Description
eventDestinations*	[EventDestination]	[Contains information about one destination that can be used to receive events. ]

ListEventHooksResponse

{
  "eventHooks": [
    {
      "id": "bfc384726b6447a4b70a171de49e466f",
      "hookType": "webhook",
      "eventTypes": [
        "ct.entry"
      ],
      "status": "enabled",
      "destination": "https://hardenize.com/webhooks/receive",
      "secret": "3685c06a966e4d0ea625d0b475719661"
    }
  ]
}

Properties

Name	Type	Description
eventHooks*	[EventHook]	[Event hook objects contain information pertaining to a destination to which events are delivered (pushed). ]

ListEventsResponse

{
  "events": [
    {
      "id": 10001,
      "type": "ct",
      "createdOn": "2024-11-21T14:12:47.665Z",
      "apiVersion": "0.14.0",
      "data": {
        "field": "value"
      }
    }
  ]
}

Properties

Name	Type	Description
events*	[Event]	[Event objects are created in response to various things of interest that happen in your account. They are designed to be a generic storage and retrieval system that can carry arbitrary embedded objects, which are encoded in JSON format. The type fields is used as indicator as to which embedded object is stored in the data field. We also record the version of the API at the time the data object was created. Should there be differences in the format, you can use the apiVersion field to determine exactly how the data should be handled. ]

ListEventTypesResponse

{
  "eventTypes": [
    {
      "name": "ct",
      "available": true,
      "enabled": true
    }
  ]
}

Properties

Name	Type	Description
eventTypes*	[EventType]	[Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them. ]

GetHostResponse

{
  "host": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-11-21T14:12:47.665Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-11-21T14:12:47.665Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-11-21T14:12:47.665Z",
      "lastRegLookupTime": "2024-11-21T14:12:47.665Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-11-21T14:12:47.665Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-11-21T14:12:47.665Z",
      "lastAssessmentTime": "2024-11-21T14:12:47.665Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-11-21T14:12:47.665Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-11-21T14:12:47.665Z",
      "domainExpireTime": "2024-11-21T14:12:47.665Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  ]
}

Properties

Name	Type	Description
host*	[Host]	[The Host object represents one of your hosts that resides in our database.]

GetHostStatsResponse

{
  "monitored": 0,
  "archived": 0,
  "idle": 0,
  "total": 0,
  "domains": 0,
  "subdomains": 0
}

Properties

Name	Type	Description
monitored	integer	none
archived	integer	none
idle	integer	none
total	integer	none
domains	integer	none
subdomains	integer	none

ListHostsResponse

{
  "hosts": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-11-21T14:12:47.666Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-11-21T14:12:47.666Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-11-21T14:12:47.666Z",
      "lastRegLookupTime": "2024-11-21T14:12:47.666Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-11-21T14:12:47.666Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-11-21T14:12:47.666Z",
      "lastAssessmentTime": "2024-11-21T14:12:47.666Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-11-21T14:12:47.666Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-11-21T14:12:47.666Z",
      "domainExpireTime": "2024-11-21T14:12:47.666Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  ]
}

Properties

Name	Type	Description
hosts*	[Host]	[The Host object represents one of your hosts that resides in our database.]

GetHostServicesResponse

{
  "hostServices": {
    "hosts": [
      {
        "hostname": "string",
        "service": "dns",
        "serviceHostname": "string",
        "lastSeen": "2024-11-21T14:12:47.667Z"
      }
    ],
    "services": [
      {
        "hostname": "string",
        "address": "string",
        "port": 0,
        "asNumber": 0,
        "asName": "string",
        "cloudProvider": "string",
        "cloudRegion": "string",
        "lastSeen": "2024-11-21T14:12:47.667Z",
        "certs": [
          "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
          "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
        ]
      }
    ],
    "certificates": [
      {
        "shortId": "572908a",
        "label": "ssl760680.cloudflaressl.com",
        "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
        "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
        "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
        "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
        "issuerCa": "Let's Encrypt",
        "ownership": "own",
        "notBefore": "2024-11-21T14:12:47.667Z",
        "notAfter": "2024-11-21T14:12:47.667Z",
        "effectiveNotAfter": "2024-11-21T14:12:47.667Z",
        "revokedOn": "2024-11-21T14:12:47.667Z",
        "hosts": [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ],
        "extras": {
          "status": "ok",
          "certsDueDays": 60,
          "certsOverdueDays": 13,
          "certsCriticalDays": 4,
          "certsLabels": "managed"
        },
        "active": true,
        "caPathLen": -1,
        "nameDigestNewer": true
      }
    ],
    "extras": {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-11-21T14:12:47.667Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-11-21T14:12:47.667Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-11-21T14:12:47.667Z",
      "lastRegLookupTime": "2024-11-21T14:12:47.667Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-11-21T14:12:47.667Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-11-21T14:12:47.667Z",
      "lastAssessmentTime": "2024-11-21T14:12:47.667Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-11-21T14:12:47.667Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-11-21T14:12:47.667Z",
      "domainExpireTime": "2024-11-21T14:12:47.667Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  }
}

Properties

Name	Type	Description
hostServices*	HostService	none

ListHostDiscoveriesResponse

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2024-11-21T14:12:47.668Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2024-11-21T14:12:47.668Z"
    }
  ]
}

Properties

Name	Type	Description
hostDiscoveries*	[HostDiscovery]	[This object represents our discovery of a host which might be relevant to your organization.]

ListHostDiscoveryKeywordsResponse

{
  "hostDiscoveryKeywords": [
    {
      "keyword": "hard",
      "enabled": true,
      "matchScope": "all",
      "matchPosition": "anywhere",
      "matchExact": true,
      "matchFuzzy": true,
      "matchConfusables": true,
      "exclusions": [
        "chard"
      ],
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Properties

Name	Type	Description
hostDiscoveryKeywords*	[HostDiscoveryKeyword]	[A keyword used for host discovery.]

ListHostDiscoveryNameserversResponse

{
  "hostDiscoveryNameservers": [
    {
      "hostname": "ns1.hardenize.com",
      "punyHostname": "ns1.hardenize.com",
      "createdOn": "2020-06-10T15:36:49.044Z",
      "enabled": false,
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Properties

Name	Type	Description
hostDiscoveryNameservers*	[HostDiscoveryNameserver]	[A keyword used for host discovery.]

ListIdentitiesResponse

{
  "identities": [
    {
      "identityId": 11113,
      "type": "dns_soa_rname",
      "enabled": true,
      "identity": "postmaster@example.com",
      "createdOn": "2024-11-21T14:12:47.669Z",
      "lastSeen": "2024-11-21T14:12:47.669Z",
      "lastCheck": "2024-11-21T14:12:47.669Z",
      "error": "Not a unique identity.",
      "errorTime": "2024-11-21T14:12:47.669Z"
    }
  ]
}

Properties

Name	Type	Description
identities*	[Identity]	[This object represents an identity.]

ListIntegrationsResponse

{
  "integrations": [
    {
      "integrationId": 1,
      "name": "My Test Integration",
      "ref": "348394209898",
      "type": "aws",
      "enabled": true,
      "tags": [
        "production"
      ],
      "error": "Invalid credentials for logging in to integration",
      "errorTime": "2024-11-21T14:12:47.669Z",
      "nextRunTime": "2024-11-21T14:12:47.669Z",
      "lastRunTime": "2024-11-21T14:12:47.669Z",
      "lastRunErrors": [
        "Unable to obtain list of registered domain names."
      ],
      "config": {
        "accountId": "string"
      }
    }
  ]
}

Properties

Name	Type	Description
integrations*	[Integration]	[Represents a third-party integration. ]

ListIssuesResponse

{
  "issues": [
    {
      "issueId": 10001,
      "revision": 1,
      "definitionId": "DNS1001",
      "subject": "OPAQUE",
      "subjectDomain": "example.com",
      "title": "Dangling Resource Record",
      "category": "DNS",
      "severity": "high",
      "cause": "OPAQUE",
      "causeDomain": "nxdomain.example.com",
      "causeIp": "192.168.1.1",
      "open": true,
      "status": "active",
      "auto": true,
      "autoOpen": true,
      "autoPreservedStatus": "string",
      "createdOn": "2022-06-17T00:00:00Z",
      "lastClosed": "2022-06-17T00:00:00Z",
      "lastUpdated": "2022-06-17T00:00:00Z",
      "lastChecked": "2022-06-17T00:00:00Z",
      "lastConfirmed": "2022-06-17T00:00:00Z",
      "snoozedUntil": "2022-06-17T00:00:00Z",
      "details": {
        "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
        "rrDomain": "example.com",
        "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
        "rrType": "SRV",
        "danglingType": "nxdomain",
        "causeDomain": "nxdomain.example.com"
      },
      "groups": [
        "Product"
      ]
    }
  ]
}

Properties

Name	Type	Description
issues	[Issue]	none

ListOrgsResponse

{
  "orgs": [
    {
      "id": "hardenize",
      "name": "Hardenize",
      "status": "active",
      "commercialStatus": "internal",
      "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
      "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
      "hostDiscoveryAutoimportSubdomains": true,
      "hostDiscoveryEnabled": true,
      "hostDiscoveryError": "string",
      "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
      "hostDiscoveryExcludeSuffixes": [
        "sub.example.com"
      ],
      "hostLimitHard": 10000,
      "hostDiscoveryLimitHard": 10000,
      "certLimitHard": 75000,
      "featureHostDiscovery": false,
      "featureMfa": false,
      "featureSaml": false
    }
  ]
}

Properties

Name	Type	Description
orgs*	[Organization]	none

ZoneTransferResponse

"string"

Zone data in plain text format.

Properties

Name	Type	Description
anonymous	string	Zone data in plain text format.

ListMonitorLocationsResponse

{
  "locations": [
    "atlanta",
    "frankfurt",
    "london",
    "miami",
    "sanjose",
    "saopaulo",
    "singapore",
    "sydney",
    "tokyo"
  ]
}

Properties

Name	Type	Description
locations*	[string]	none

ListNetworkRangesResponse

{
  "networkRanges": [
    {
      "label": "DC01 Public",
      "description": "Public IP range for London data center",
      "range": "192.168.1.0/24",
      "scan": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Properties

Name	Type	Description
networkRanges*	[NetworkRange]	none

ListReports0Response

{
  "reports": [
    {
      "hostname": "example.com",
      "status": "completed",
      "reportTime": "2018-10-10T15:36:49.044Z",
      "hasDnssec": true,
      "hasSmtp": true,
      "hasSmtpTls": true,
      "hasSmtpDane": true,
      "hasSpf": true,
      "hasDmarc": true,
      "hasHttp": true,
      "hasHttps": true,
      "hasHttpsDane": true,
      "hasHttpsRedirection": true,
      "hasHttpsTls12OrBetter": true,
      "hasSsl2": true,
      "hasSsl3": true,
      "hasTls10": true,
      "hasTls11": true,
      "hasTls12": true,
      "hasTls13": true,
      "supportsSsl2": true,
      "supportsSsl3": true,
      "supportsTls10": true,
      "supportsTls11": true,
      "supportsTls12": true,
      "supportsTls13": true,
      "hasHsts": true,
      "hasHstsPreloaded": true,
      "nameServers": "string",
      "dnssec": "string",
      "emailTls": "string",
      "emailDane": "string",
      "spf": "string",
      "dmarc": "string",
      "wwwTls": "string",
      "wwwDane": "string",
      "wwwXssProtection": "string",
      "wwwXssProtectionEnabled": true,
      "wwwXcto": true,
      "hsts": "string",
      "hpkp": "string",
      "cookies": "string",
      "mixedContent": "string",
      "securityHeaders": "string",
      "csp": "string"
    }
  ]
}

Properties

Name	Type	Description
reports*	[Report0]	[Contains a summary of one Hardenize assessment. The available fields fall into one of two categories. In the first category are boolean fields that indicate if a particular feature is present, for example, hasTls and hasHsts. In the second category are the fields that describe the quality of the configuration. These fields will take self-descriptive values such as error, warning, and good. The complete explanation of the possible values is available in the Report0Quality component. It is possible that a field is not present, which happens when the neither true nor false make sense. For example, if a host doesn't support TLS, the hasHsts field will not be in the report. ]

GetReportCardResponse

{
  "reportCard": {
    "reportVersion": 1,
    "domainPunycode": "example.com",
    "domainUnicode": "example.com",
    "available": true,
    "hardenizeVersion": "v1.1603.1",
    "timestamp": "2024-11-21T14:12:47.671Z",
    "sections": [
      {
        "id": "SECTION_DOMAIN",
        "name": "Domain",
        "items": [
          {
            "id": "ITEM_DOMAIN_REGISTRATION",
            "name": "Domain Registration",
            "status": "good",
            "remarks": [
              {
                "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
                "title": "Nameserver is not operational",
                "content": "Good. The private key associated with this certificate is secure.",
                "severity": "good",
                "data": {
                  "Name": "dns1.registrar-servers.com.",
                  "Address": "2610:a1:1024::200",
                  "Reverse name": "dns1.registrar-servers.com."
                }
              }
            ]
          }
        ]
      }
    ]
  }
}

Properties

Name	Type	Description
reportCard*	ReportCard	Contains a summary of report card.

ListReportCardsResponse

{
  "reportCards": [
    {
      "reportVersion": 1,
      "domainPunycode": "example.com",
      "domainUnicode": "example.com",
      "available": true,
      "hardenizeVersion": "v1.1603.1",
      "timestamp": "2024-11-21T14:12:47.672Z",
      "sections": [
        {
          "id": "SECTION_DOMAIN",
          "name": "Domain",
          "items": [
            {
              "id": "ITEM_DOMAIN_REGISTRATION",
              "name": "Domain Registration",
              "status": "good",
              "remarks": [
                {
                  "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
                  "title": "Nameserver is not operational",
                  "content": "Good. The private key associated with this certificate is secure.",
                  "severity": "good",
                  "data": {
                    "Name": "dns1.registrar-servers.com.",
                    "Address": "2610:a1:1024::200",
                    "Reverse name": "dns1.registrar-servers.com."
                  }
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}

Properties

Name	Type	Description
reportCards*	[ReportCard]	[Contains a summary of report card. ]

ListGroupsResponse

{
  "groups": [
    {
      "id": "production",
      "name": "Production",
      "auto": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Properties

Name	Type	Description
groups*	[Group]	[The Group object represents one account group.]

MatchedCtEntry

{
  "log": "ct.googleapis.com/icarus",
  "index": 251676662,
  "timestamp": 1538747492396,
  "sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "tbsSha256": "3b5893340f0b241c599b27a8e74a13177d5ba6e87f30f6fc5ddc2c3f069e6546",
  "precert": false,
  "subject": "CN=www.example.com",
  "issuer": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "hosts": [
    "example.com"
  ],
  "chain": [
    "MIIGJTCCBQ2gAwIBAgISA9CTYlAcEi7o1Cyk3RM9D6/JMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA1MDIxMTA2NTdaFw0xODA3MzExMTA2NTdaMBwxGjAYBgNVBAMTEWJvbm4tMDYucWx1ZWQubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+muYgsZOUD2epeJwP6ToDmE6YeO9T+gsf9ACuLbrQqC5JZPy+AmREuo3dU3dkmBRoU9Brpmo/KMQavKueGVW3DpAIJKemGBC0yWNFgTho4+DAOvSM4odcB96HPFIh0vp13LH5og/wsNZwt+n56mrUTrcqnZYbUwugBghb0QCptwCnHnKOk2/YdRRraasgmiFWYeNjCqBUR5iKqmubgBoCqqkBYzWUhjWc7aySKYQFpSlZ2d3t0IilJp5sZq5pDiHa58G6fGZSh9TIAZvuvozW762cghBZgEF3wlvKy1joSAWLalPYQcsd0v2G9F7vJOu6Rf9HAbmdKqnu0i8TExjwIDAQABo4IDMTCCAy0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQlgfnFoFLAegwCUrKiuz+Nu61SCDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMDMGA1UdEQQsMCqCEWJvbm4tMDYucWx1ZWQubmV0ghV3d3cuYm9ubi0wNi5xbHVlZC5uZXQwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3ANt0r+7LKeyx/so+cW0s5bmquzb3hHGDx12dTze2H79kAAABYyC/mssAAAQDAEgwRgIhAMnyq3/kzpvp7LcXm3JqeCjh1dMB0fZTv9pIvpPCS4GPAiEA9f+JLP1KKuaXnwr3rin4Y8tBG8a10YGaKT3RnJOs7wIAdgApPFGWVMg5ZbqqUPxYB9S3b79Yeily3KTDDPTlRUf0eAAAAWMgv5reAAAEAwBHMEUCIA1jzhkoel+MFmVIdspCwyKVdzZZsBwx8WiJixPju9ELAiEA4Xw2ABUkt3IK67G+GrABu1Ik+R/7BVFjo3GvMIRBJ+AwDQYJKoZIhvcNAQELBQADggEBAHKPt1cq8LEy0wmtmBoThNL6AevJz2WM/KRKBYvEHiXcLN3Z9a1eQ6c8g4A84AARBDgXUfkc3W29AIW0A5wTLVazUE5H7bIoiQJXT2Z6KMXxFqwx5pRu8f1oXUx3xLhJoHkDEGrbD5uy7j9bI25pI9g5obAY88es8ZFJz25PEozA2R/NpXZEnHVbvyOHx4Pr6z3ctuH+WWpK96jWEMBP5pAx5qXBYI5g9bHGy2nYuuq0ZIuOPVK1k7SlctBrrBJx2q1ANUaEfIyPjd2qsjfoI5//6Jn+jHDM1XrdvZ+7S60SDqXktwHS98o5jRZnGWLu1S6nVcHWQzjPBhiSvAukuJw=",
    "MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0NlowSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIGCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9kc3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAwVAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcCARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwuY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsFAAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwuX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlGPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg=="
  ],
  "matchedHosts": [
    "example.com"
  ]
}

Contains information extracted from a CT log entry that had been matched against an account and imported.

Properties

Name	Type	Description
log*	string	CT log URL, with the scheme omitted.
index*	integer(int64)	Milliseconds since January 1, 1970, excluding leap seconds, per CT RFC.
timestamp*	integer(int64)	This certificate's index in the referenced CT log.
sha256*	string	SHA256 hash of the leaf certificate/precertificate.
tbsSha256*	string	Hex-encoded SHA256 hash of the TBSCertificate structure. This value will be the same in the precertificate/certificate combo.
precert*	boolean	Indicator of whether the leaf is a precertificate.
subject*	string	Certificate subject Distinguished Name in text format.
issuer*	string	Certificate issuer Distinguished Name in text format.
hosts*	[string]	Hostnames and IP addresses extracted from the leaf certificate.
chain*	[string]	Certificate chain stored in the matched CT log entry.
matchedHosts*	[string]	List of account hosts that were matched against the CT log entry.

MatchInfo

{
  "certdno": {
    "o": "Cloudflare, Inc."
  },
  "integration": {
    "name": "AWS Production",
    "type": "aws",
    "ref": "string"
  },
  "keyword": {
    "matches": [
      {
        "encoding": "ascii",
        "keyword": "string",
        "matchPosition": "anywhere",
        "matchScope": "all",
        "search": "bitSquatting"
      }
    ]
  },
  "mx": {
    "mx": "mail.example.com"
  },
  "nameserver": {
    "matches": [
      {
        "name": "ns1.hardenize.com",
        "firstSeen": "2021-09-21T15:32:02.322Z"
      }
    ]
  },
  "rname": {
    "email": "postmaster@example.com"
  },
  "whois": {
    "keywords": [
      "example.com"
    ]
  }
}

Information describing how the discovery came about.

Properties

Name	Type	Description
certdno	MatchInfoCertDNO	none
integration	MatchInfoIntegration	none
keyword	MatchInfoKeyword	none
mx	MatchInfoMx	none
nameserver	MatchInfoNameserver	none
rname	MatchInfoRname	none
whois	MatchInfoWhois	none

MatchInfoCertDNO

{
  "o": "Cloudflare, Inc."
}

Properties

Name	Type	Description
o	string	Certificate DN, O field to use when searching for matching certs

MatchInfoIntegration

{
  "name": "AWS Production",
  "type": "aws",
  "ref": "string"
}

Properties

Name	Type	Description
name	string	Integration name, copied from the configuration.
type	string	Integration type.
ref	string	Integration reference (e.g., account ID), copied from the configuration.

MatchInfoKeyword

{
  "matches": [
    {
      "encoding": "ascii",
      "keyword": "string",
      "matchPosition": "anywhere",
      "matchScope": "all",
      "search": "bitSquatting"
    }
  ]
}

Properties

Name	Type	Description
matches	[MatchInfoKeywordMatch]	none

MatchInfoKeywordMatch

{
  "encoding": "ascii",
  "keyword": "string",
  "matchPosition": "anywhere",
  "matchScope": "all",
  "search": "bitSquatting"
}

Properties

Name	Type	Description
encoding	string	Whether match was made against an ASCII version of the name or the Unicode version.
keyword	string	The keyword that matched.
matchPosition	string	Where in the name the keyword matched.
matchScope	string	Keyword scope.
search	string	Indication of which algorithm caused the match.

Enumerated Values

Property	Value
encoding	ascii
encoding	unicode
matchPosition	anywhere
matchPosition	label
matchPosition	labelStart
matchPosition	labelEnd
matchPosition	labelStartOrEnd
matchScope	all
matchScope	domains
search	bitSquatting
search	confusables
search	hyphenation
search	insertion
search	omission
search	repetition
search	replacement
search	substring
search	transposition
search	vowelSwap

MatchInfoMx

{
  "mx": "mail.example.com"
}

Properties

Name	Type	Description
mx	string	MX hostname to use when searching for matching MX records

MatchInfoNameserver

{
  "matches": [
    {
      "name": "ns1.hardenize.com",
      "firstSeen": "2021-09-21T15:32:02.322Z"
    }
  ]
}

Properties

Name	Type	Description
matches	[MatchInfoNameserverMatch]	none

MatchInfoNameserverMatch

{
  "name": "ns1.hardenize.com",
  "firstSeen": "2021-09-21T15:32:02.322Z"
}

Properties

Name	Type	Description
name	string	Nameserver name.
firstSeen	string(date-time)	Timestamp of the first observation of this name.

MatchInfoRname

{
  "email": "postmaster@example.com"
}

Properties

Name	Type	Description
email	string	Email to use when searching for matching DNS SOA records

MatchInfoWhois

{
  "keywords": [
    "example.com"
  ]
}

Properties

Name	Type	Description
keywords	[string]	List of keywords used when search the whois

OriginInfo

{
  "net": {
    "host": "aspmx.l.google.com",
    "address": "2a00:1450:400c:c00:0:0:0:1b",
    "port": 25,
    "protocol": "smtp"
  }
}

Further information about the origin. For example, if the origin is cert, then this field will identify the actual certificate.

Properties

Name	Type	Description
net	OriginInfoNet	none

OriginInfoNet

{
  "host": "aspmx.l.google.com",
  "address": "2a00:1450:400c:c00:0:0:0:1b",
  "port": 25,
  "protocol": "smtp"
}

Properties

Name	Type	Description
host	string	Network hostname, when available.
address*	string	Network IPv4 or IPv6 address.
port*	integer	Network port.
protocol*	string	Network protocol.

Organization

{
  "id": "hardenize",
  "name": "Hardenize",
  "status": "active",
  "commercialStatus": "internal",
  "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
  "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
  "hostDiscoveryAutoimportSubdomains": true,
  "hostDiscoveryEnabled": true,
  "hostDiscoveryError": "string",
  "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostLimitHard": 10000,
  "hostDiscoveryLimitHard": 10000,
  "certLimitHard": 75000,
  "featureHostDiscovery": false,
  "featureMfa": false,
  "featureSaml": false
}

Properties

Name	Type	Description
id*	string	Unique ID of an organization. The value stored in this field is always relative to that of the parent organization. For example, if the parent's ID is hardenize and you created a new nested organization called prod, you will observe this shorter identifier in the API responses. If you wish to access the nested organization via the API, you will need to specify its full identifier, which would be hardenize.prod.
name*	string	Human-readable organization name.
status*	string	By default, an organization will be active immediately after it is created. If the status is changed to dormant, all operations and features in the account will be disabled, however the users will still be able to access the organization and the data in the account. If the status is changed to suspended, the organization will effectively become deleted from an external perspective. The deleted status is made available to enable delayed deletion of accounts. An organization with this status is expected to be deleted in the near future; for example, there could be a weekly process that obtains a list of all organizations scheduled for deletion and actually deletes them.
commercialStatus*	string	The commercialStatus field is used to track how a suborganization is used, for accounting and billing purposes. When creating a suborganization, select the value that's the most appropriate. Update the value as the status changes (e.g., from trial to paying).
apiUsername	string	The username that can be used to access this organization's API.
apiPassword	string	The password that can be used to access this organization's API. Because we don't store plaintext in our database, this field is available only immediately after the organization is created.
hostDiscoveryAutoimportSubdomains*	boolean	Determines if newly discovered subdomains (of known organization hosts) will be automatically added to the inventory.
hostDiscoveryEnabled*	boolean	Indicates if host discovery is enabled.
hostDiscoveryError	string	When host discovery is disabled because of an error (e.g., too many hosts discovered), this field contains the error message.
hostDiscoveryErrorTime	string(date-time)	Indicates the time of error.
hostDiscoveryExcludeSuffixes	[string]	If provided, this field is a list of domain suffixes that should be ignored during discovery.
hostLimitHard*	integer	Determines if there is a limit on the number of monitored hosts in the account. Set to -1 when there is no limit.
hostDiscoveryLimitHard*	integer	Hard limit on the number of host discoveries in the organization. Default: -1 (unlimited).
certLimitHard*	integer	Hard limit on the number of certificates in the organization.
featureHostDiscovery*	boolean	If set, host discovery is enabled for this organization.
featureMfa*	boolean	If set, multi-factor authentication is enabled for this organization.
featureSaml*	boolean	If set, SAML is enabled for this organization.

Enumerated Values

Property	Value
status	active
status	dormant
status	suspended
status	deleted
commercialStatus	free
commercialStatus	internal
commercialStatus	paying
commercialStatus	trial

NetworkRange

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "range": "192.168.1.0/24",
  "scan": true,
  "tags": [
    "production"
  ]
}

Properties

Name	Type	Description
label*	string	A short label to identify the network range.
description	string	A longer description of the purposes of the network range.
range*	string	The network range in CIDR format.
scan	boolean	Whether or not this network should be scanned.
tags	[string]	none

Report0

{
  "hostname": "example.com",
  "status": "completed",
  "reportTime": "2018-10-10T15:36:49.044Z",
  "hasDnssec": true,
  "hasSmtp": true,
  "hasSmtpTls": true,
  "hasSmtpDane": true,
  "hasSpf": true,
  "hasDmarc": true,
  "hasHttp": true,
  "hasHttps": true,
  "hasHttpsDane": true,
  "hasHttpsRedirection": true,
  "hasHttpsTls12OrBetter": true,
  "hasSsl2": true,
  "hasSsl3": true,
  "hasTls10": true,
  "hasTls11": true,
  "hasTls12": true,
  "hasTls13": true,
  "supportsSsl2": true,
  "supportsSsl3": true,
  "supportsTls10": true,
  "supportsTls11": true,
  "supportsTls12": true,
  "supportsTls13": true,
  "hasHsts": true,
  "hasHstsPreloaded": true,
  "nameServers": "string",
  "dnssec": "string",
  "emailTls": "string",
  "emailDane": "string",
  "spf": "string",
  "dmarc": "string",
  "wwwTls": "string",
  "wwwDane": "string",
  "wwwXssProtection": "string",
  "wwwXssProtectionEnabled": true,
  "wwwXcto": true,
  "hsts": "string",
  "hpkp": "string",
  "cookies": "string",
  "mixedContent": "string",
  "securityHeaders": "string",
  "csp": "string"
}

Contains a summary of one Hardenize assessment. The available fields fall into one of two categories. In the first category are boolean fields that indicate if a particular feature is present, for example, hasTls and hasHsts. In the second category are the fields that describe the quality of the configuration. These fields will take self-descriptive values such as error, warning, and good. The complete explanation of the possible values is available in the Report0Quality component.

It is possible that a field is not present, which happens when the neither true nor false make sense. For example, if a host doesn't support TLS, the hasHsts field will not be in the report.

Properties

Name	Type	Description
hostname*	string	none
status*	string	none
reportTime	string(date-time)	none
hasDnssec	boolean	none
hasSmtp	boolean	none
hasSmtpTls	boolean	none
hasSmtpDane	boolean	none
hasSpf	boolean	none
hasDmarc	boolean	none
hasHttp	boolean	none
hasHttps	boolean	none
hasHttpsDane	boolean	none
hasHttpsRedirection	boolean	none
hasHttpsTls12OrBetter	boolean	none
hasSsl2	boolean	none
hasSsl3	boolean	none
hasTls10	boolean	none
hasTls11	boolean	none
hasTls12	boolean	none
hasTls13	boolean	none
supportsSsl2	boolean	none
supportsSsl3	boolean	none
supportsTls10	boolean	none
supportsTls11	boolean	none
supportsTls12	boolean	none
supportsTls13	boolean	none
hasHsts	boolean	none
hasHstsPreloaded	boolean	none
nameServers	string(v0quality)	none
dnssec	string(v0quality)	none
emailTls	string(v0quality)	none
emailDane	string(v0quality)	none
spf	string(v0quality)	none
dmarc	string(v0quality)	none
wwwTls	string(v0quality)	none
wwwDane	string(v0quality)	none
wwwXssProtection	string(v0quality)	none
wwwXssProtectionEnabled	boolean	none
wwwXcto	boolean	none
hsts	string(v0quality)	none
hpkp	string(v0quality)	none
cookies	string(v0quality)	none
mixedContent	string(v0quality)	none
securityHeaders	string(v0quality)	none
csp	string(v0quality)	none

Enumerated Values

Property	Value
status	completed
status	failed
status	notAvailable

ReportCard

{
  "reportVersion": 1,
  "domainPunycode": "example.com",
  "domainUnicode": "example.com",
  "available": true,
  "hardenizeVersion": "v1.1603.1",
  "timestamp": "2024-11-21T14:12:47.675Z",
  "sections": [
    {
      "id": "SECTION_DOMAIN",
      "name": "Domain",
      "items": [
        {
          "id": "ITEM_DOMAIN_REGISTRATION",
          "name": "Domain Registration",
          "status": "good",
          "remarks": [
            {
              "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
              "title": "Nameserver is not operational",
              "content": "Good. The private key associated with this certificate is secure.",
              "severity": "good",
              "data": {
                "Name": "dns1.registrar-servers.com.",
                "Address": "2610:a1:1024::200",
                "Reverse name": "dns1.registrar-servers.com."
              }
            }
          ]
        }
      ]
    }
  ]
}

Contains a summary of report card.

Properties

Name	Type	Description
reportVersion	integer	none
domainPunycode	string	none
domainUnicode	string	none
available	boolean	none
hardenizeVersion	string	Hardenize application version that produced the report card data
timestamp	string(date-time)	none
sections	[ReportCardSection]	[Contains details about different section of the report card. ]

ReportCardSection

{
  "id": "SECTION_DOMAIN",
  "name": "Domain",
  "items": [
    {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    }
  ]
}

Contains details about different section of the report card.

Properties

Name	Type	Description
id	string	none
name	string	none
items	[ReportCardItem]	[Describes the item in each report card section. ]

ReportCardItem

{
  "id": "ITEM_DOMAIN_REGISTRATION",
  "name": "Domain Registration",
  "status": "good",
  "remarks": [
    {
      "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
      "title": "Nameserver is not operational",
      "content": "Good. The private key associated with this certificate is secure.",
      "severity": "good",
      "data": {
        "Name": "dns1.registrar-servers.com.",
        "Address": "2610:a1:1024::200",
        "Reverse name": "dns1.registrar-servers.com."
      }
    }
  ]
}

Describes the item in each report card section.

Properties

Name	Type	Description
id	string	none
name	string	none
status	string	none
remarks	[ReportCardRemark]	[Describes the remarks of a report card item. ]

Enumerated Values

Property	Value
status	none
status	good
status	warning
status	error
status	unknown

ReportCardRemark

{
  "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
  "title": "Nameserver is not operational",
  "content": "Good. The private key associated with this certificate is secure.",
  "severity": "good",
  "data": {
    "Name": "dns1.registrar-servers.com.",
    "Address": "2610:a1:1024::200",
    "Reverse name": "dns1.registrar-servers.com."
  }
}

Describes the remarks of a report card item.

Properties

Name	Type	Description
id	string	none
title	string	none
content	string	none
severity	string	none
data	object	Additional data associated with the report remark
» additionalProperties	any	none

Enumerated Values

Property	Value
severity	good
severity	info
severity	neutral
severity	notice
severity	powerup
severity	warning
severity	unknown
severity	error

DmarcReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of results.
format	string	If set, returns results in the format specified. Default: JSON
tags	[string]	If set, returns results which contain at least one of the specified tags.

Enumerated Values

Property	Value
format	json
format	csv
format	xlsx

DmarcReportResponse

{
  "dmarc": [
    {
      "key": "example.com",
      "policy": "reject",
      "policyText": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
    }
  ]
}

Properties

Name	Type	Description
dmarc	[DmarcReport]	none

DmarcReport

{
  "key": "example.com",
  "policy": "reject",
  "policyText": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
}

Properties

Name	Type	Description
key*	string	The domain name.
policy	string	DMARC receiver policy
policyText*	string	The text of the DMARC policy.

Enumerated Values

Property	Value
policy	none
policy	reject
policy	quarantine

DomainsReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of domains.
format	string	If set, returns domains in the format specified. Default: JSON

Enumerated Values

Property	Value
format	json
format	csv
format	xlsx

DomainsReportResponse

{
  "domains": [
    {
      "name": "example.com",
      "punyName": "example.com",
      "dnsNx": false,
      "regNx": false,
      "lookupStatus": "OK",
      "registrant": "Privacy service provided by Withheld for Privacy ehf",
      "registrar": "NameCheap, Inc.",
      "statuses": [
        "clientTransferProhibited"
      ],
      "statusGood": true,
      "registrarLock": true,
      "registryLock": false,
      "registration": "2019-04-16T09:13:56Z",
      "expiration": "2024-04-16T09:13:56Z",
      "contactAbuse": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactAdmin": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactRegistrar": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactRegistrant": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactTechnical": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "groups": [
        "hardenize",
        "feistyduck"
      ],
      "tags": [
        "tag1",
        "tag2"
      ]
    }
  ]
}

Properties

Name	Type	Description
domains	[DomainsReport]	none

DomainsReport

{
  "name": "example.com",
  "punyName": "example.com",
  "dnsNx": false,
  "regNx": false,
  "lookupStatus": "OK",
  "registrant": "Privacy service provided by Withheld for Privacy ehf",
  "registrar": "NameCheap, Inc.",
  "statuses": [
    "clientTransferProhibited"
  ],
  "statusGood": true,
  "registrarLock": true,
  "registryLock": false,
  "registration": "2019-04-16T09:13:56Z",
  "expiration": "2024-04-16T09:13:56Z",
  "contactAbuse": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactAdmin": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactRegistrar": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactRegistrant": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactTechnical": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "groups": [
    "hardenize",
    "feistyduck"
  ],
  "tags": [
    "tag1",
    "tag2"
  ]
}

Properties

Name	Type	Description
name*	string	The domain name.
punyName*	string	The punycode representation of the domain name.
dnsNx*	boolean	Indicates whether the domain has DNSNX.
regNx*	boolean	Indicates whether the domain has RegNX.
lookupStatus	string	The lookup status of the domain.
registrant	string	The registrant of the domain.
registrar	string	The registrar of the domain.
statuses	[string]	The statuses associated with the domain.
statusGood	boolean	Status indicator (Good).
registrarLock	boolean	Registrar lock indicator.
registryLock	boolean	Registry lock indicator.
registration	string(date-time)	Domain registration date and time.
expiration	string(date-time)	Domain expiration date and time.
contactAbuse	Contact	none
contactAdmin	Contact	none
contactRegistrar	Contact	none
contactRegistrant	Contact	none
contactTechnical	Contact	none
groups	[string]	The groups associated with the domain.
tags	[string]	The tags associated with the domain.

Contact

{
  "type": "CONTACT_ABUSE",
  "firstName": "Redacted for Privacy",
  "organization": "Privacy service provided by Withheld for Privacy ehf",
  "street1": "Kalkofnsvegur 2",
  "city": "Reykjavik",
  "state": "Capital Region",
  "postcode": "101",
  "country": "IS",
  "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
  "phone": "+354.4212434"
}

Properties

Name	Type	Description
type	string	Type of contact.
firstName	string	First name of the contact.
organization	string	Organization of the contact.
street1	string	Street address of the contact.
city	string	City of the contact.
state	string	State or region of the contact.
postcode	string	Postal code of the contact.
country	string	Country of the contact.
email	string	Email address of the contact.
phone	string	Phone number of the contact.

IssuesReportRequest

{
  "type": "active",
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
type	string	if set, will filter the results with the specified type. Default: all
limit	integer	If set, returns only up to the specified number of issues.
format	string	If set, returns issues in the format specified. Default: JSON

Enumerated Values

Property	Value
type	all
type	active
type	orphaned
type	completed
type	ignored
type	snoozed
type	bogus
type	abandoned
type	deprecated
format	json
format	csv
format	xlsx

IssuesReportResponse

{
  "issues": [
    {
      "issueId": 10001,
      "revision": 1,
      "definitionId": "DNS1001",
      "subject": "OPAQUE",
      "subjectDomain": "example.com",
      "title": "Dangling Resource Record",
      "category": "DNS",
      "severity": "high",
      "cause": "OPAQUE",
      "causeDomain": "nxdomain.example.com",
      "causeIp": "192.168.1.1",
      "open": true,
      "status": "active",
      "auto": true,
      "autoOpen": true,
      "autoPreservedStatus": "string",
      "createdOn": "2022-06-17T00:00:00Z",
      "lastClosed": "2022-06-17T00:00:00Z",
      "lastUpdated": "2022-06-17T00:00:00Z",
      "lastChecked": "2022-06-17T00:00:00Z",
      "lastConfirmed": "2022-06-17T00:00:00Z",
      "snoozedUntil": "2022-06-17T00:00:00Z",
      "details": {
        "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
        "rrDomain": "example.com",
        "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
        "rrType": "SRV",
        "danglingType": "nxdomain",
        "causeDomain": "nxdomain.example.com"
      },
      "groups": [
        "Product"
      ]
    }
  ]
}

Properties

Name	Type	Description
issues	[Issue]	none

IssuesReport

{
  "issueId": 0,
  "revision": 0,
  "definitionId": "string",
  "subject": "string",
  "subjectDomain": "string",
  "title": "string",
  "category": "string",
  "severity": "string",
  "cause": "string",
  "causeDomain": "string",
  "causeIp": {
    "holder": {
      "originalHostName": "string",
      "hostName": "string",
      "address": 0,
      "family": 0
    },
    "canonicalHostName": "string"
  },
  "open": true,
  "status": "string",
  "auto": true,
  "autoOpen": true,
  "autoPreservedStatus": "string",
  "createdOn": 0,
  "lastClosed": 0,
  "lastUpdated": 0,
  "lastChecked": 0,
  "lastConfirmed": 0,
  "snoozedUntil": 0,
  "details": {}
}

Properties

Name	Type	Description
issueId	integer	none
revision	integer	none
definitionId	string	none
subject	string	none
subjectDomain	string	none
title	string	none
category	string	none
severity	string	none
cause	string	none
causeDomain	string	none
causeIp	object	none
» holder	object	none
»» originalHostName	string	none
»» hostName	string	none
»» address	integer	none
»» family	integer	none
» canonicalHostName	string	none
open	boolean	none
status	string	none
auto	boolean	none
autoOpen	boolean	none
autoPreservedStatus	string	none
createdOn	integer	none
lastClosed	integer	none
lastUpdated	integer	none
lastChecked	integer	none
lastConfirmed	integer	none
snoozedUntil	integer	none
details	object	none

IpAddressReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of results.
format	string	If set, returns results in the format specified. Default: JSON

Enumerated Values

Property	Value
format	json
format	csv
format	xlsx

IpAddressReportResponse

{
  "ipAddresses": [
    {
      "ip": "123.101.73.30",
      "cloudIntegrationAccountId": "1234567890",
      "cloudResourceType": "Virtual Machine",
      "cloudResourceId": "vm-12345",
      "cloudIntegrationName": "Azure Integration",
      "cloudIntegrationRef": "azure://subscription/123456",
      "cloudResourceName": "MyVM",
      "cloudResourceZone": "Zone-1",
      "cloudProvider": "Azure",
      "asNumber": "8075",
      "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
      "locCountryCode": "NL",
      "cloudRegion": "East US"
    }
  ]
}

Properties

Name	Type	Description
ipAddresses	[IpAddressReport]	none

IpAddressReport

{
  "ip": "123.101.73.30",
  "cloudIntegrationAccountId": "1234567890",
  "cloudResourceType": "Virtual Machine",
  "cloudResourceId": "vm-12345",
  "cloudIntegrationName": "Azure Integration",
  "cloudIntegrationRef": "azure://subscription/123456",
  "cloudResourceName": "MyVM",
  "cloudResourceZone": "Zone-1",
  "cloudProvider": "Azure",
  "asNumber": "8075",
  "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
  "locCountryCode": "NL",
  "cloudRegion": "East US"
}

Properties

Name	Type	Description
ip*	string	The IP address.
cloudIntegrationAccountId	string	The ID of the cloud integration account.
cloudResourceType	string	The type of cloud resource.
cloudResourceId	string	The ID of the cloud resource.
cloudIntegrationName	string	The name of the cloud integration.
cloudIntegrationRef	string	The reference to the cloud integration.
cloudResourceName	string	The name of the cloud resource.
cloudResourceZone	string	The availability zone of the cloud resource.
cloudProvider	string	The cloud provider (e.g., Azure, AWS).
asNumber	string	The Autonomous System (AS) number.
asName	string	The name of the Autonomous System (AS).
locCountryCode	string	The country code of the location.
cloudRegion	string	The cloud region where the resource is located.

NetworkRangesReportRequest

{
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Properties

Name	Type	Description
limit	integer	If set, returns only up to the specified number of results.
format	string	If set, returns results in the format specified. Default: JSON
tags	[string]	If set, returns results with the specified tags.

Enumerated Values

Property	Value
format	json
format	csv
format	xlsx

NetworkRangesReportResponse

{
  "network-ranges": [
    {
      "range": "52.0.205.39/32",
      "label": "Lab DNS1",
      "description": "dns1-production-lab.hardenize.net"
    }
  ]
}

Properties

Name	Type	Description
network-ranges	[NetworkRangesReport]	none

NetworkRangesReport

{
  "range": "52.0.205.39/32",
  "label": "Lab DNS1",
  "description": "dns1-production-lab.hardenize.net"
}

Properties

Name	Type	Description
range*	string	The IP range in CIDR notation.
label*	string	A label or name for the IP range.
description	string	A description of the IP range.

OpenPortsReportRequest

{
  "address": "192.168.1.1",
  "port": 443,
  "transport": "tcp",
  "service": "other",
  "hostname": "example.com",
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
address	string	If set, filters the response by the provided address. Address can be supplied as a network range in CIDR (192.168.10.1/24) form or as an individual IP address (192.168.10.1)
port	integer	If set, filters the response by the provided port.
transport	string	If set, filters the response by the provided transport.
service	string	If set, filters the response by the provided service.
hostname	string	If set, searching for "example.com" would find any open ports with a hostname being the same as "example.com" or a subdomain of it
limit	integer	If set, returns only up to the specified number of results.
format	string	If set, returns results in the format specified. Default: JSON

Enumerated Values

Property	Value
transport	tcp
transport	udp
format	json
format	csv
format	xlsx

OpenPortsReportResponse

{
  "open-ports": [
    {
      "address": "123.234.73.24",
      "port": 25,
      "transport": "tcp",
      "service": "smtp",
      "hostname": "example-com.mail.protection.outlook.com"
    }
  ]
}

Properties

Name	Type	Description
open-ports	[OpenPortsReport]	none

OpenPortsReport

{
  "address": "123.234.73.24",
  "port": 25,
  "transport": "tcp",
  "service": "smtp",
  "hostname": "example-com.mail.protection.outlook.com"
}

Properties

Name	Type	Description
address*	string	The IP address.
port*	integer	The port number.
transport*	string	The transport protocol (e.g., tcp, udp).
service*	string	The service name.
hostname	string	The hostname associated with the address.

SpfReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of results.
format	string	If set, returns results in the format specified. Default: JSON
tags	[string]	If set, returns results with the specified tags.

Enumerated Values

Property	Value
format	json
format	csv
format	xlsx

SpfReportResponse

{
  "spf": [
    {
      "key": "example.com",
      "policyText": "v=spf1 include:spf.protection.outlook.com -all",
      "lookups": 8
    }
  ]
}

Properties

Name	Type	Description
spf	[SpfReport]	none

SpfReport

{
  "key": "example.com",
  "policyText": "v=spf1 include:spf.protection.outlook.com -all",
  "lookups": 8
}

Properties

Name	Type	Description
key*	string	The domain name.
policyText*	string	The SPF policy text.
lookups	integer	The number of SPF lookups

CertificateReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "active": true,
  "revoked": true,
  "expiring": true,
  "expiringDays": 10
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of certificates.
format	string	If set, returns certificates in the format specified. Default: JSON
active	boolean	If set, returns only active certificates.
revoked	boolean	If set, returns only revoked certificates.
expiring	boolean	If set, returns both expired certificates and the ones which expire in N days, where N is configurable at Settings -> Certificate Notifications -> When Certificates Become Overdue
expiringDays	integer	If set, overrides the default number of expiring days when 'expiring' is set to true.

Enumerated Values

Property	Value
format	json
format	csv
format	xlsx

CertificateReportResponse

{
  "certificates": [
    {
      "shortId": "572908a",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "validation": "dv",
      "notBefore": "2024-11-21T14:12:47.681Z",
      "notAfter": "2024-11-21T14:12:47.681Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.681Z",
      "revokedOn": "2024-11-21T14:12:47.681Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "ECDSAwithSHA256",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "sanCount": 1,
      "caPathLen": -1,
      "wildcard": true,
      "selfSigned": false,
      "firstSeen": "2024-11-21T14:12:47.681Z",
      "lastSeen": "2024-11-21T14:12:47.681Z",
      "seenInstalled": true,
      "active": true,
      "precert": false,
      "duplicate": false,
      "managed": true,
      "ownership": "own",
      "label": "ssl760680.cloudflaressl.com",
      "matchesOrgHost": true,
      "symantecStatus": "symantecExcluded",
      "ctRequired": true,
      "ctCompliant": true,
      "ctLogs": [
        {
          "name": "rocketeer",
          "log": "ct.googleapis.com/rocketeer",
          "timestamp": 1533791245857,
          "index": 232455,
          "type": "cert",
          "sources": [
            "log",
            "tls"
          ]
        }
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
      "origin": "ct",
      "originTitle": "CT",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "parentHashes": [
        "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
        "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
      ],
      "parentHashesSource": "ct",
      "parentHashesComplete": true,
      "analysis": {
        "id": "ITEM_DOMAIN_REGISTRATION",
        "name": "Domain Registration",
        "status": "good",
        "remarks": [
          {
            "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
            "title": "Nameserver is not operational",
            "content": "Good. The private key associated with this certificate is secure.",
            "severity": "good",
            "data": {
              "Name": "dns1.registrar-servers.com.",
              "Address": "2610:a1:1024::200",
              "Reverse name": "dns1.registrar-servers.com."
            }
          }
        ]
      },
      "matchedHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "matchedWildcardHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "thirdPartyHosts": [
        "hardenize.com"
      ],
      "deployments": {
        "hosts": [
          {
            "hostname": "string",
            "service": "dns",
            "serviceHostname": "string",
            "lastSeen": "2024-11-21T14:12:47.682Z"
          }
        ],
        "services": [
          {
            "hostname": "string",
            "address": "string",
            "port": 0,
            "asNumber": 0,
            "asName": "string",
            "cloudProvider": "string",
            "cloudRegion": "string",
            "lastSeen": "2024-11-21T14:12:47.682Z",
            "certs": [
              "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
              "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
            ]
          }
        ]
      },
      "lifetime": "PT17652H",
      "lifetimeDays": 736,
      "ku": [
        "keyEncipherment",
        "digitalSignature"
      ],
      "eku": [
        "serverAuth",
        "clientAuth"
      ],
      "mustStaple": true,
      "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
      "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
      "caIssuers": [
        "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
      ],
      "crl": [
        "http://crl3.digicert.com/sha2-ev-server-g2.crl",
        "http://crl4.digicert.com/sha2-ev-server-g2.crl"
      ],
      "ocsp": [
        "http://ocsp.digicert.com"
      ],
      "ctInfos": [
        {
          "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
          "timestamp": "2024-11-21T14:12:47.682Z",
          "name": "Google 'Xenon2024' log",
          "status": "Qualified"
        }
      ]
    }
  ]
}

Properties

Name	Type	Description
certificates	[Certificate]	[Contains information about one certificate. ]

PdfFile

"string"

PDF file content

Properties

Name	Type	Description
anonymous	string(binary)	PDF file content

CertificateExpiringEndpointsReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "integration": "Entrust Dev",
  "format": "csv"
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of expired certificates.
integration	string	If set, filters the response with expired certificates which belong to an integration.
format	string	If set, returns expired certificates in the format specified. Default: JSON

Enumerated Values

Property	Value
format	json
format	csv
format	xlsx

CertificateExpiringEndpointsReportResponse

{
  "expiringEndpoints": [
    {
      "host": "example.com",
      "serviceHostname": "service.example.com",
      "serviceDomain": "example.com",
      "serviceLocation": "US-West",
      "port": 443,
      "certificateExpires": "2024-11-21T14:12:47.682Z",
      "serviceLastSeen": "2024-11-21T14:12:47.682Z",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "certificateDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "certificateSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "certificateSan": "*.hardenize.com",
      "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
      "asNumber": "12345"
    }
  ]
}

Properties

Name	Type	Description
expiringEndpoints	[CertificateExpiringEndpointsReport]	none

CertificateExpiringEndpointsReport

{
  "host": "example.com",
  "serviceHostname": "service.example.com",
  "serviceDomain": "example.com",
  "serviceLocation": "US-West",
  "port": 443,
  "certificateExpires": "2024-11-21T14:12:47.683Z",
  "serviceLastSeen": "2024-11-21T14:12:47.683Z",
  "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "certificateDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "certificateSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "issuerCa": "Let's Encrypt",
  "certificateSan": "*.hardenize.com",
  "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
  "asNumber": "12345"
}

Properties

Name	Type	Description
host	string	The hostname of the endpoint.
serviceHostname	string	The hostname of the service associated with the endpoint.
serviceDomain	string	The domain of the service associated with the endpoint.
serviceLocation	string	The location or region where the service is located.
port	integer	The port number of the endpoint.
certificateExpires	string(date-time)	ISO 8601 timestamp indicating when the certificate for the endpoint expires.
serviceLastSeen	string(date-time)	ISO 8601 timestamp indicating when the service was last seen.
sha256*	string	Hex-encoded SHA256 hash of the endpoint's certificate in DER format.
certificateDn	string	Distinguished name of the endpoint's certificate.
certificateSerial	string	Hex-encoded serial number of the endpoint's certificate.
issuer*	string	Distinguished name of the certificate issuer.
issuerCa	string	The name of the issuing CA for the endpoint's certificate, according to CCADB.
certificateSan	string	All hosts specified in the endpoint's certificate's SAN extension, as Unicode.
asName	string	The name of the Autonomous System (AS).
asNumber	string	The number of the Autonomous System (AS).

HostsReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of domains.
format	string	If set, returns hosts in the format specified. Default: JSON

Enumerated Values

Property	Value
format	json
format	csv
format	xlsx

HostsReportResponse

{
  "hosts": [
    {
      "assetId": 11117,
      "hostname": "example.com",
      "creationTime": "2023-09-14T12:59:25Z",
      "summary": "{\"csp\": \"good\", \"spf\": \"neutral\", \"hpkp\": \"good\", \"hsts\": \"neutral\", \"tags\": [\"tag1\", \"tag2\"], \"dmarc\": \"error\", \"dnssec\": \"neutral\", \"hasSpf\": true, \"status\": \"completed\", \"wwwTls\": \"warning\", \"cookies\": \"good\", \"hasHsts\": true, \"hasHttp\": true, \"hasSmtp\": false, \"hasSsl2\": false, \"hasSsl3\": false, \"wwwDane\": \"neutral\", \"emailTls\": \"good\", \"hasDmarc\": true, \"hasHttps\": true, \"hasTls10\": false, \"hasTls11\": true, \"hasTls12\": true, \"hasTls13\": true, \"hostname\": \"example.com\", \"emailDane\": \"neutral\", \"hasDnssec\": false, \"hasSmtpTls\": true, \"reportTime\": \"2024-05-27T09:47:23.134\", \"hasSmtpDane\": false, \"nameServers\": \"error\", \"hasHttpsDane\": false, \"mixedContent\": \"good\", \"supportsSsl2\": false, \"supportsSsl3\": false, \"supportsTls10\": false, \"supportsTls11\": true, \"supportsTls12\": true, \"supportsTls13\": true, \"securityHeaders\": \"neutral\", \"unicodeHostname\": \"example.com\", \"hasHstsPreloaded\": false, \"siteCreationTime\": \"2024-05-27T09:46:58\", \"wwwXssProtection\": \"neutral\", \"hasHttpsRedirection\": true, \"hasHttpsTls12OrBetter\": true, \"wwwXssProtectionEnabled\": false, \"wwwXcto\": false}",
      "reportCard": "{\"sections\": [{\"id\": \"SECTION_DOMAIN\", \"name\": \"Domain\", \"items\": [{\"id\": \"ITEM_DOMAIN_REGISTRATION\", \"name\": \"Domain Registration\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNS_ZONE\", \"name\": \"DNS Zone\", \"status\": \"error\", \"remarks\": [{\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns1.example.com.\", \"Address\": \"2610:a1:1024::200\", \"Reverse name\": \"dns1.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}, {\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns2.example.com.\", \"Address\": \"2610:a1:1025::200\", \"Reverse name\": \"dns2.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_DNS_RR\", \"name\": \"DNS Resource Records\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNSSEC\", \"name\": \"DNSSEC\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_DOMAIN_CAA\", \"name\": \"CAA\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_EMAIL\", \"name\": \"Email\", \"items\": [{\"id\": \"ITEM_EMAIL_TLS\", \"name\": \"TLS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DANE\", \"name\": \"DANE\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_SPF\", \"name\": \"SPF\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DMARC\", \"name\": \"DMARC\", \"status\": \"error\", \"remarks\": [{\"id\": \"EMAIL_DMARC_EXTERNAL_DESTINATION_NOAUTH\", \"data\": {\"External destination\": \"mailto:dmarcreports.example@gmail.com\", \"Expected permission record location\": \"example.com._report._dmarc.gmail.com\"}, \"title\": \"Invalid external destination\", \"severity\": \"error\"}, {\"id\": \"EMAIL_DMARC_INVALID\", \"data\": {}, \"title\": \"DMARC policy is invalid\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_EMAIL_MTA_STS\", \"name\": \"MTA-STS\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_TLS_RPT\", \"name\": \"TLS-RPT\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_WEB\", \"name\": \"Web\", \"items\": [{\"id\": \"ITEM_WEB_HTTP\", \"name\": \"HTTP\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HTTPS\", \"name\": \"HTTPS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_TLS\", \"name\": \"TLS\", \"status\": \"warning\", \"remarks\": [{\"id\": \"TLS_SUITES_PFS_AND_AEAD_TOP_RECOMMEND\", \"title\": \"Reconfigure server to use forward secrecy and authenticated encryption\", \"severity\": \"warning\"}, {\"id\": \"WWW_TLS_CONN_FAILED\", \"data\": {\"Error message\": \"Network is unreachable (connect failed)\"}, \"title\": \"TLS connection failed\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_WEB_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_COOKIES\", \"name\": \"Cookies\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_MIXED_CONTENT\", \"name\": \"Mixed Content\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HSTS\", \"name\": \"Strict Transport Security\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_CSP\", \"name\": \"Content Security Policy\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_SRI\", \"name\": \"Subresource Integrity\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XFO\", \"name\": \"Framing Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XSS_PROTECTION\", \"name\": \"XSS Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_CONTENT_TYPE_OPTIONS\", \"name\": \"Content Type Options\", \"status\": \"none\", \"remarks\": []}]}], \"available\": true, \"timestamp\": \"2023-09-14T13:00:13.407Z\", \"domainUnicode\": \"example.com\", \"reportVersion\": 1, \"domainPunycode\": \"example.com\", \"hardenizeVersion\": \"v1.1545.1\"}",
      "groups": [
        "feistyduck",
        "hardenize"
      ],
      "tags": [
        "test"
      ],
      "errorMessage": "Hostname not found",
      "errorTime": "2023-09-15T08:47:45Z",
      "nxTime": "2023-09-15T08:47:00Z"
    }
  ]
}

Properties

Name	Type	Description
hosts	[HostReport]	none

HostReport

{
  "assetId": 11117,
  "hostname": "example.com",
  "creationTime": "2023-09-14T12:59:25Z",
  "summary": "{\"csp\": \"good\", \"spf\": \"neutral\", \"hpkp\": \"good\", \"hsts\": \"neutral\", \"tags\": [\"tag1\", \"tag2\"], \"dmarc\": \"error\", \"dnssec\": \"neutral\", \"hasSpf\": true, \"status\": \"completed\", \"wwwTls\": \"warning\", \"cookies\": \"good\", \"hasHsts\": true, \"hasHttp\": true, \"hasSmtp\": false, \"hasSsl2\": false, \"hasSsl3\": false, \"wwwDane\": \"neutral\", \"emailTls\": \"good\", \"hasDmarc\": true, \"hasHttps\": true, \"hasTls10\": false, \"hasTls11\": true, \"hasTls12\": true, \"hasTls13\": true, \"hostname\": \"example.com\", \"emailDane\": \"neutral\", \"hasDnssec\": false, \"hasSmtpTls\": true, \"reportTime\": \"2024-05-27T09:47:23.134\", \"hasSmtpDane\": false, \"nameServers\": \"error\", \"hasHttpsDane\": false, \"mixedContent\": \"good\", \"supportsSsl2\": false, \"supportsSsl3\": false, \"supportsTls10\": false, \"supportsTls11\": true, \"supportsTls12\": true, \"supportsTls13\": true, \"securityHeaders\": \"neutral\", \"unicodeHostname\": \"example.com\", \"hasHstsPreloaded\": false, \"siteCreationTime\": \"2024-05-27T09:46:58\", \"wwwXssProtection\": \"neutral\", \"hasHttpsRedirection\": true, \"hasHttpsTls12OrBetter\": true, \"wwwXssProtectionEnabled\": false, \"wwwXcto\": false}",
  "reportCard": "{\"sections\": [{\"id\": \"SECTION_DOMAIN\", \"name\": \"Domain\", \"items\": [{\"id\": \"ITEM_DOMAIN_REGISTRATION\", \"name\": \"Domain Registration\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNS_ZONE\", \"name\": \"DNS Zone\", \"status\": \"error\", \"remarks\": [{\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns1.example.com.\", \"Address\": \"2610:a1:1024::200\", \"Reverse name\": \"dns1.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}, {\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns2.example.com.\", \"Address\": \"2610:a1:1025::200\", \"Reverse name\": \"dns2.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_DNS_RR\", \"name\": \"DNS Resource Records\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNSSEC\", \"name\": \"DNSSEC\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_DOMAIN_CAA\", \"name\": \"CAA\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_EMAIL\", \"name\": \"Email\", \"items\": [{\"id\": \"ITEM_EMAIL_TLS\", \"name\": \"TLS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DANE\", \"name\": \"DANE\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_SPF\", \"name\": \"SPF\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DMARC\", \"name\": \"DMARC\", \"status\": \"error\", \"remarks\": [{\"id\": \"EMAIL_DMARC_EXTERNAL_DESTINATION_NOAUTH\", \"data\": {\"External destination\": \"mailto:dmarcreports.example@gmail.com\", \"Expected permission record location\": \"example.com._report._dmarc.gmail.com\"}, \"title\": \"Invalid external destination\", \"severity\": \"error\"}, {\"id\": \"EMAIL_DMARC_INVALID\", \"data\": {}, \"title\": \"DMARC policy is invalid\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_EMAIL_MTA_STS\", \"name\": \"MTA-STS\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_TLS_RPT\", \"name\": \"TLS-RPT\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_WEB\", \"name\": \"Web\", \"items\": [{\"id\": \"ITEM_WEB_HTTP\", \"name\": \"HTTP\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HTTPS\", \"name\": \"HTTPS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_TLS\", \"name\": \"TLS\", \"status\": \"warning\", \"remarks\": [{\"id\": \"TLS_SUITES_PFS_AND_AEAD_TOP_RECOMMEND\", \"title\": \"Reconfigure server to use forward secrecy and authenticated encryption\", \"severity\": \"warning\"}, {\"id\": \"WWW_TLS_CONN_FAILED\", \"data\": {\"Error message\": \"Network is unreachable (connect failed)\"}, \"title\": \"TLS connection failed\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_WEB_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_COOKIES\", \"name\": \"Cookies\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_MIXED_CONTENT\", \"name\": \"Mixed Content\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HSTS\", \"name\": \"Strict Transport Security\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_CSP\", \"name\": \"Content Security Policy\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_SRI\", \"name\": \"Subresource Integrity\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XFO\", \"name\": \"Framing Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XSS_PROTECTION\", \"name\": \"XSS Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_CONTENT_TYPE_OPTIONS\", \"name\": \"Content Type Options\", \"status\": \"none\", \"remarks\": []}]}], \"available\": true, \"timestamp\": \"2023-09-14T13:00:13.407Z\", \"domainUnicode\": \"example.com\", \"reportVersion\": 1, \"domainPunycode\": \"example.com\", \"hardenizeVersion\": \"v1.1545.1\"}",
  "groups": [
    "feistyduck",
    "hardenize"
  ],
  "tags": [
    "test"
  ],
  "errorMessage": "Hostname not found",
  "errorTime": "2023-09-15T08:47:45Z",
  "nxTime": "2023-09-15T08:47:00Z"
}

Properties

Name	Type	Description
assetId*	integer	The unique identifier for the asset.
hostname*	string	The hostname associated with the asset.
creationTime*	string(date-time)	The timestamp indicating when the asset was created.
summary	string	A summary of the host information in JSON format.
reportCard	string	A report card containing sections and items related to the asset.
groups	[string]	Groups which the asset belongs to, if any.
tags	[string]	Tags associated with the asset, if any.
errorMessage	string	An error message associated with the asset (if applicable).
errorTime	string(date-time)	The timestamp indicating when the error occurred (if applicable).
nxTime	string(date-time)	The timestamp indicating when the asset became non-existent (if applicable).

Report0Quality

{
  "quality": "good"
}

This field describes the quality of configuration of particular element. The four most commonly seen values here are good, warning, error, and neutral. Out of these, the best is cleary good, but neutral is all right, depending on your policies (e.g., you might not want to deploy a particular security technology). Hardenize uses warnings and errors only when something is broken, misconfigured, or has a negative security implication. Neither of these qualities is used if you don't have a particular security feature. We use unknown if we don't have enough information to make a judgement. Finally, warningAbsent and errorAbsent are special statuses that we use to indicate when warnings and errors are indicated due to absence of feature. This might happen, for example, if a site supports plaintext HTTP but not encrypted HTTPS.

Properties

Name	Type	Description
quality	string	none

Enumerated Values

Property	Value
quality	good
quality	error
quality	errorAbsent
quality	neutral
quality	unknown
quality	warning
quality	warningAbsent

TestEventHookResponse

{
  "successful": false,
  "errorMessage": "Expected 202 or 204 status code",
  "durationMillis": 5814,
  "pubsub": {
    "destination": "pubsub://events/1/1005",
    "message": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}",
    "attributes": {
      "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
      "X-Hardenize-Org": "demo",
      "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
    },
    "messageId": "260486610038606"
  },
  "webook": {
    "request": {
      "method": "POST",
      "url": "https://hardenize.com/webhooks/receive",
      "headers": {
        "Content-Type": "application/json; charset=UTF-8",
        "User-Agent": "Hardenize (https://www.hardenize.com)",
        "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
        "X-Hardenize-Org": "demo",
        "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
      },
      "body": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}"
    },
    "response": {
      "statusCode": 302,
      "headers": {
        "Location": "https://hardenize.com/redirection",
        "Cache-Control": "no-cache",
        "Connection": "keep-alive",
        "Content-Type": "text/plain; charset=UTF-8",
        "Date": "Wed, 10 Oct 2018 15:36:54 GMT",
        "Server": "nginx/1.10.3",
        "Transfer-Encoding": "chunked",
        "Vary": "Accept-Encoding"
      },
      "body": "OK"
    }
  }
}

Embeds a transcript of an event hook test, providing request and response information, as well as an indication of whether the hook is operating correctly.

Properties

Name	Type	Description
successful	boolean	Indication of whether the event hook test was successful. If the HTTP request itself is successful, the status code must be in the 2xx range. If the test is not successful, the errorMessage field will contain an explanation.
errorMessage	string	Error message, in case of test failure only.
durationMillis	integer(int64)	Duration of the HTTP request submitted to the hook, in milliseconds.
pubsub	object	Webhook-specific diagnostic information.
» destination	string	PubSub destination.
» message	string	Message body.
» attributes	object	Message attributes.
» messageId	string	PubSub message ID.
webook	object	Webhook-specific diagnostic information.
» request	object	Information about the submitted HTTP request, including some selected request headers.
»» method	string	Request method; always POST.
»» url	string	Webhook URL used for the test.
»» headers	object	Selected HTTP request headers.
»» body	string	Raw request body, as a string.
» response	object	Information about the HTTP response received from the remote server.
»» statusCode	integer	HTTP response status code obtained from the remote server.
»» headers	object	Complete HTTP response headers received from the remote server.
»» body	string	Raw response body, as a string.

UpdateCertRequest

{
  "muted": true
}

Updates one certificate. All fields are optional, but at least one field must be provided.

Properties

Name	Type	Description
muted	boolean	If set to true, certificate notifications will be disabled for this certificate, even if it's observed on the network near its expiration.

UpdateCertResponse

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-11-21T14:12:47.684Z",
    "notAfter": "2024-11-21T14:12:47.684Z",
    "effectiveNotAfter": "2024-11-21T14:12:47.684Z",
    "revokedOn": "2024-11-21T14:12:47.684Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-11-21T14:12:47.684Z",
    "lastSeen": "2024-11-21T14:12:47.684Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-11-21T14:12:47.685Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-11-21T14:12:47.685Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ]
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-11-21T14:12:47.685Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  }
}

Properties

Name	Type	Description
cert*	Certificate	Contains information about one certificate.

UpdateCertDiscoveryRequest

{
  "status": "closed",
  "resolution": "reconciled"
}

Contains parameters of a Cert Discovery which can be updated.

Properties

Name	Type	Description
status	string	If set, updates the certificate discovery status. Reopening a discovery will automatically clear the resolution.
resolution	string	If set, updates the certificate discovery resolution

Enumerated Values

Property	Value
status	open
status	closed
resolution	undetermined
resolution	reconciled
resolution	policyViolation
resolution	fraudulent

UpdateCertDiscoveryResponse

{
  "certDiscovery": {
    "certDiscoveryId": 11766,
    "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "createdOn": "2022-06-17T00:00:00Z",
    "updatedOn": "2022-06-17T00:00:00Z",
    "closedOn": "2022-06-17T00:00:00Z",
    "escalated": false,
    "status": "open",
    "resolution": "undetermined",
    "certSummary": {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-11-21T14:12:47.686Z",
      "notAfter": "2024-11-21T14:12:47.686Z",
      "effectiveNotAfter": "2024-11-21T14:12:47.686Z",
      "revokedOn": "2024-11-21T14:12:47.686Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed"
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    },
    "certKnown": false,
    "certInstalled": true,
    "certExpired": false,
    "certRevoked": false,
    "issuerAllowed": true,
    "issuerAllowedKeyword": "GlobalSign",
    "issuerNotAllowed": false,
    "issuerForbidden": false,
    "issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "caaMismatch": false,
    "caaMatchFull": false,
    "notCtCompliant": false,
    "maxLifetimeExceeded": false,
    "timeoutCaseInactive": false,
    "timeoutCertNotInstalled": false,
    "matchedHosts": [
      [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ]
    ],
    "matchedHostsInfo": {
      "property1": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      },
      "property2": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      }
    },
    "matchedHostsCaaHistory": {
      "property1": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-11-21T14:12:47.686Z",
          "lastSeen": "2024-11-21T14:12:47.686Z",
          "records": [
            "string"
          ]
        }
      ],
      "property2": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-11-21T14:12:47.686Z",
          "lastSeen": "2024-11-21T14:12:47.686Z",
          "records": [
            "string"
          ]
        }
      ]
    },
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ]
  }
}

Properties

Name	Type	Description
certDiscovery*	CertDiscovery	Contains complete information about a certificate discovered in one of the monitored CT logs.

UpdateNetworkRangeRequest

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "scan": true,
  "tags": [
    "production"
  ]
}

Update the network range information. You must supply one or more of these values. The range itself can't be changed with this operation. Instead, delete the range and create it again.

Properties

Name	Type	Description
label	string	A short label to identify the network range
description	string	A longer description of the purposes of the network range
scan	boolean	Whether or not this network should be scanned
tags	[string]	none

UpdateIssueRequest

{
  "status": "snoozed",
  "snoozedUntil": "2022-06-17T00:00:00.000Z"
}

Updates an issue

Properties

Name	Type	Description
status	string	Set a new status.
snoozedUntil	string(date-time)	Set status back to active automatically after this time.

Enumerated Values

Property	Value
status	active
status	bogus
status	ignored
status	snoozed

UpdateUserRequest

{
  "name": "Bob",
  "deleteMfa": true,
  "resetPassword": true,
  "expirationTime": "2024-11-21T14:12:47.687Z",
  "status": "retired",
  "role": "observer"
}

Updates attributes for a user. All fields are optional, but at least one field must be provided.

Properties

Name	Type	Description
name	string	Change the users name or service account's description
deleteMfa	boolean	Will delete MFA for a user if it is enabled. Allowing them to log in using only their email address and password. Not for service accounts.
resetPassword	boolean	Changes the password to a new random one. For service accounts only
expirationTime	string(date-time)	Update expiration time. For service accounts only
status	string	Update user status
role	string	Update user role

Enumerated Values

Property	Value
status	active
status	retired
role	owner
role	admin
role	member
role	observer

UpdateEventHookRequest

{
  "eventTypes": [
    "ct.entry"
  ],
  "destination": "https://hardenize.com/webhooks/receive",
  "status": "disabled"
}

Provides new field values to update an existing event hook. No fields are required, but you need to provide at least of the supported fields.

Properties

Name	Type	Description
eventTypes	[string]	An updated list of event types to send to this event hook.
destination	string	Event hook destination; for webhooks, this must be a HTTPS URL.
status	string	New event hook status.

Enumerated Values

Property	Value
status	enabled
status	disabled
status	failed

UpdateEventHookResponse

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Returned after a successful event hook update operation.

Properties

Name	Type	Description
eventHook*	EventHook	Event hook objects contain information pertaining to a destination to which events are delivered (pushed).

UpdateEventTypeRequest

{
  "enabled": true
}

Properties

Name	Type	Description
enabled*	boolean	New setting for whether event type is enabled.

UpdateEventTypeResponse

{
  "eventType": {
    "name": "ct",
    "available": true,
    "enabled": true
  }
}

Properties

Name	Type	Description
eventType*	EventType	Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them.

UpdateHostDiscoveryResponse

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2024-11-21T14:12:47.688Z",
    "origin": "hdb",
    "originTitle": "HDB",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2024-11-21T14:12:47.688Z"
  }
}

Properties

Name	Type	Description
hostDiscovery*	HostDiscovery	This object represents our discovery of a host which might be relevant to your organization.

UpdateHostsChanges

{
  "status": "monitored",
  "axfr": "enabled",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "algorithm": "HMAC_MD5",
    "key": "base64key=",
    "name": "thename"
  },
  "groupOp": "add",
  "groups": [
    "staging",
    "development"
  ]
}

Properties

Name	Type	Description
status	string	Desired host status.
axfr	string	If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to auto which is a setting that is reserved for a future expansion and currently has the same meaning as disabled. To enable zone transfers, change the value of this field to enabled.
axfrHost	string	Instead of doing AXFRs from the primary nameserver as per the zones SOA record, use this hostname or IP address instead. Set to a blank string to remove.
axfrTsig	UpdateHostsChangesAxfrTsig	none
groupOp	string	This parameter selects one of three operations. The add operation will add the specified groups to the hosts. The remove operation will remove the specified groups from the hosts. The set operation will first remove all existing tags from the hosts, then apply the specified groups. This field is mandatory when at least one group is specified.
groups	[string]	List of tags that should be used in the requested tag operation.

Enumerated Values

Property	Value
status	monitored
status	idle
status	archived
axfr	auto
axfr	enabled
axfr	disabled
groupOp	add
groupOp	remove
groupOp	set

UpdateHostDiscoveryRequest

{
  "resolution": "own",
  "groups": [
    "staging",
    "development"
  ]
}

Properties

Name	Type	Description
resolution*	string	If set, updates the discoveries resolution.
groups	[string]	When setting resolution to 'own' hosts are imported. If you also wish them to be added to one or more groups, specify group labels here. Ignored if resolution is not 'own'

Enumerated Values

Property	Value
resolution	pending
resolution	own
resolution	supplier
resolution	unrelated
resolution	infringing
resolution	phishing

UpdateHostsChangesAxfrTsig

{
  "algorithm": "HMAC_MD5",
  "key": "base64key=",
  "name": "thename"
}

Properties

Name	Type	Description
algorithm	string	Axfr transfer algorithm
key	string	Axfr transfer key
name	string	Axfr transfer name

Enumerated Values

Property	Value
algorithm	HMAC_MD5
algorithm	HMAC_SHA1
algorithm	HMAC_SHA224
algorithm	HMAC_SHA256
algorithm	HMAC_SHA384
algorithm	HMAC_SHA512

UpdateHostDiscoveriesRequest

{
  "ids": [
    1
  ],
  "preview": true,
  "changes": {
    "resolution": "own",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Properties

Name	Type	Description
ids*	[integer]	List of discovery ids to update.
preview	boolean	If set, doesn't carry out the operation, but returns a list of discoveries that would have been affected. Default: false
changes	UpdateHostDiscoveriesChanges	none

UpdateHostDiscoveriesResponse

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2024-11-21T14:12:47.689Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2024-11-21T14:12:47.689Z"
    }
  ]
}

Properties

Name	Type	Description
hostDiscoveries*	[HostDiscovery]	[This object represents our discovery of a host which might be relevant to your organization.]

UpdateHostDiscoveriesChanges

{
  "resolution": "own",
  "groups": [
    "staging",
    "development"
  ]
}

Properties

Name	Type	Description
resolution	string	If set, updates the discoveries resolution.
groups	[string]	When setting resolution to 'own' hosts are imported. If you also wish them to be added to one or more groups, specify group labels here. Ignored if resolution is not 'own'

Enumerated Values

Property	Value
resolution	pending
resolution	own
resolution	supplier
resolution	unrelated
resolution	infringing
resolution	phishing

DeleteHostDiscoveriesRequest

{
  "ids": [
    1
  ],
  "preview": true
}

Properties

Name	Type	Description
ids*	[integer]	List of discovery ids to delete.
preview	boolean	If set, doesn't carry out the operation, but returns a list of discoveries that would have been affected. Default: false

DeleteHostDiscoveriesResponse

{
  "ids": [
    1
  ],
  "preview": true
}

Properties

Name	Type	Description
ids*	[integer]	List of affected discovery ids.
preview*	boolean	Whether or not we ran in preview mode.

UpdateHostDiscoveryKeywordRequest

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

A keyword used for host discovery.

Properties

Name	Type	Description
keyword*	string	The text to match with. Must consist of only lowercase letters, digits, dashes, and periods. It also must contain at least 5 characters and not more than 32.
enabled*	boolean	Indicates if the keyword is currently active.
matchScope*	string	Determines what type of results the keyword will look for.
matchPosition*	string	Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant.
matchExact*	boolean	If set, enables exact matching.
matchFuzzy*	boolean	If set, enables fuzzy matching.
matchConfusables*	boolean	If set, enables matching of confusable characters and homographes.
exclusions*	[string]	Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored.

Enumerated Values

Property	Value
matchScope	all
matchScope	domains
matchPosition	anywhere
matchPosition	label,
matchPosition	labelStart
matchPosition	labelEnd
matchPosition	labelStartOrEnd

UpdateHostDiscoveryKeywordResponse

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name	Type	Description
hostDiscoveryKeyword*	HostDiscoveryKeyword	A keyword used for host discovery.

UpdateIdentityRequest

{
  "enabled": true
}

Properties

Name	Type	Description
enabled	boolean	Enable/disable an identity.

UpdateIdentityResponse

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2024-11-21T14:12:47.690Z",
    "lastSeen": "2024-11-21T14:12:47.690Z",
    "lastCheck": "2024-11-21T14:12:47.690Z",
    "error": "Not a unique identity.",
    "errorTime": "2024-11-21T14:12:47.690Z"
  }
}

Properties

Name	Type	Description
identity*	Identity	This object represents an identity.

TlsCheck

{
  "request": {
    "host": "hardenize.com",
    "port": 443,
    "location": "london",
    "resolverStrategy": "all"
  },
  "responses": [
    {
      "endpoint": {
        "host": "hardenize.com",
        "address": "104.17.158.13",
        "port": 443,
        "location": "london"
      },
      "status": "success",
      "connections": [
        {
          "remoteAddress": "104.17.158.13",
          "remotePort": 443,
          "tls": {
            "protocol": "TLSv1.3",
            "suite": "TLS_AES_256_GCM_SHA384",
            "certificates": [
              "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
              "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
              "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
            ]
          }
        }
      ]
    }
  ],
  "certificates": [
    {
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "notBefore": "2024-11-21T14:12:47.691Z",
      "notAfter": "2024-11-21T14:12:47.691Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "ECDSAwithSHA256",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "pem": "MIIE/zCCBKagAwIBAgIRAKyO7rKU3rBSU7hzFLVhkBUwCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xOTEyMDUwMDAwMDBaFw0yMDA2MTIyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IDADCCAvwwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgIHMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6GmnTohwAAAFu04k42gAABAMASDBGAiEA7A6j9BVR49t+V/hBKDXVPnBaKL+Sn+0Z2x6k0SK9ORACIQDQSiuC8H2gkE6HX5PRsHTVpIyPa5GOzAqWNjfulEanSgB2AF6nc/nfVsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABbtOJOMIAAAQDAEcwRQIgHc5giLeZq2s5miBPoBIOpLkPj/ZbT8qBvlfHWTRIeGMCIQDGIkCl4cRhCMZLU6Tzr+UyMhWDyb0g9s+nRQy5IZlnZjAKBggqhkjOPQQDAgNHADBEAiBl7pvVHNc90aXVpH4zihVzSVkjatXQTCDJX9edBTaO/QIgbacpBSfqazqWakton2I/5/ig2UUgUwty/tozdKLRLTc="
    }
  ]
}

Properties

Name	Type	Description
request*	CreateTlsCheckRequest	TLS check parameters.
responses*	[TlsCheckResponse]	none
certificates*	[NetworkCertificate]	Certificates observed across all network operations.

TlsCheckResponse

{
  "endpoint": {
    "host": "hardenize.com",
    "address": "104.17.158.13",
    "port": 443,
    "location": "london"
  },
  "status": "success",
  "connections": [
    {
      "remoteAddress": "104.17.158.13",
      "remotePort": 443,
      "tls": {
        "protocol": "TLSv1.3",
        "suite": "TLS_AES_256_GCM_SHA384",
        "certificates": [
          "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
          "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
          "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
        ]
      }
    }
  ]
}

Properties

Name	Type	Description
endpoint	NetworkEndpoint	none
status	string	none
connections	[NetworkConnection]	none

Enumerated Values

Property	Value
status	success
status	failure

NetworkCertificate

{
  "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "notBefore": "2024-11-21T14:12:47.692Z",
  "notAfter": "2024-11-21T14:12:47.692Z",
  "keyAlg": "EC",
  "keyLen": 256,
  "keyStrength": 128,
  "sigAlg": "ECDSAwithSHA256",
  "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
  "hosts": [
    "*.hardenize.com"
  ],
  "pem": "MIIE/zCCBKagAwIBAgIRAKyO7rKU3rBSU7hzFLVhkBUwCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xOTEyMDUwMDAwMDBaFw0yMDA2MTIyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IDADCCAvwwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgIHMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6GmnTohwAAAFu04k42gAABAMASDBGAiEA7A6j9BVR49t+V/hBKDXVPnBaKL+Sn+0Z2x6k0SK9ORACIQDQSiuC8H2gkE6HX5PRsHTVpIyPa5GOzAqWNjfulEanSgB2AF6nc/nfVsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABbtOJOMIAAAQDAEcwRQIgHc5giLeZq2s5miBPoBIOpLkPj/ZbT8qBvlfHWTRIeGMCIQDGIkCl4cRhCMZLU6Tzr+UyMhWDyb0g9s+nRQy5IZlnZjAKBggqhkjOPQQDAgNHADBEAiBl7pvVHNc90aXVpH4zihVzSVkjatXQTCDJX9edBTaO/QIgbacpBSfqazqWakton2I/5/ig2UUgUwty/tozdKLRLTc="
}

Properties

Name	Type	Description
sha256*	string	Hex-encoded SHA256 hash of the certificate in DER format.
subject*	string	Subject distinguished name.
issuer*	string	Issuer distinguished name.
serial*	string	Hex-encoded serial number.
notBefore*	string(date-time)	ISO 8601 timestamp.
notAfter*	string(date-time)	ISO 8601 timestamp.
keyAlg*	string	Private key algorithm, for example RSA or EC.
keyLen*	integer	Private key length, for example 256 for an ECDSA key or 2048 for an RSA key.
keyStrength*	integer	Estimated private key strength in symmetric bits. For example, a 256-bit ECDSA key is thought to provide 128 bits of security, whereas a 2048-bit RSA key provides about 112.
sigAlg*	string	Certificate signature algorithm.
spkiSha256*	string	Hex-encoded SHA256 of the certificate's SPKI component.
hosts*	[string]	All hosts specified in the certificate's SAN extension, as Unicode. This list includes both hostnames and IP addresses. Wildcard hostnames will be on the list if they are in the certificate.
pem*	string	none

Enumerated Values

Property	Value
sigAlg	RSAwithMD2
sigAlg	RSAwithMD5
sigAlg	RSAwithSHA1
sigAlg	RSAwithSHA256
sigAlg	RSAwithSHA384
sigAlg	RSAwithSHA512
sigAlg	RSAPSS
sigAlg	DSAwithSHA1
sigAlg	DSAwithSHA256
sigAlg	ECDSAwithSHA1
sigAlg	ECDSAwithSHA256
sigAlg	ECDSAwithSHA384
sigAlg	ECDSAwithSHA512

NetworkConnection

{
  "remoteAddress": "104.17.158.13",
  "remotePort": 443,
  "tls": {
    "protocol": "TLSv1.3",
    "suite": "TLS_AES_256_GCM_SHA384",
    "certificates": [
      "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
      "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
      "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
    ]
  }
}

Properties

Name	Type	Description
remoteAddress*	string	none
remotePort*	integer	none
tls	TlsConnection	none

TlsConnection

{
  "protocol": "TLSv1.3",
  "suite": "TLS_AES_256_GCM_SHA384",
  "certificates": [
    "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
    "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
    "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
  ]
}

Properties

Name	Type	Description
protocol	string	none
suite	string	none
certificates	[string]	none

Enumerated Values

Property	Value
protocol	TLSv1.3
protocol	TLSv1.2
protocol	TLSv1.0
protocol	SSLv3
protocol	SSLv2

NetworkEndpoint

{
  "host": "hardenize.com",
  "address": "104.17.158.13",
  "port": 443,
  "location": "london"
}

Properties

Name	Type	Description
host	string	none
address	string	none
port	integer	none
location	string	none

TestIntegrationResponse

{
  "success": false,
  "error": "Failed to authenticate"
}

Properties

Name	Type	Description
success*	boolean	Whether or not the test succeeded
error	string	If the test failed, a suitable error message

UpdateHostsRequest

{
  "hostnames": [
    "example.com"
  ],
  "preview": true,
  "subdomains": true,
  "changes": {
    "status": "monitored",
    "axfr": "enabled",
    "axfrHost": "stealth.ns.example.com",
    "axfrTsig": {
      "algorithm": "HMAC_MD5",
      "key": "base64key=",
      "name": "thename"
    },
    "groupOp": "add",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Properties

Name	Type	Description
hostnames*	[string]	List of hosts to update.
preview	boolean	If set, doesn't carry out the operation, but returns a list of hosts that would have been affected. Default: false
subdomains	boolean	If set, indicates that the operation should apply to all the subdomains of the specified hosts. Default: false
changes	UpdateHostsChanges	none

UpdateHostsResponse

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Properties

Name	Type	Description
hostnames*	[string]	List of hosts that have been updated (or would have been updated, in preview mode).
preview*	boolean	Indicates if the action was executed or only previewed.

UpdateAccessControlConfigRequest

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

All fields are optional. Supply only the fields that need updating.

Properties

Name	Type	Description
apiNetworks	[cidr]	List of network address ranges from which access to the API should be allowed. Empty list means no restrictions.
apiNetworksCascade	string	If set to true, the configured API whitelist is enforced on all child organizations.
appNetworks	[cidr]	List of network address ranges from which access to the web application should be allowed. Empty list means no restrictions.
appNetworksCascade	string	If set to true, the configured web application whitelist is enforced on all child organizations.

Enumerated Values

Property	Value
apiNetworksCascade	disabled
apiNetworksCascade	enabled
appNetworksCascade	disabled
appNetworksCascade	enabled

UpdateAccessControlConfigResponse

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": true,
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": true
}

Management access restrictions configuration, after the requested changes have been applied.

Properties

Name	Type	Description
apiNetworks*	[cidr]	Network address range from which access to the API is allowed.
apiNetworksCascade*	boolean	Indicator of whether the API network access configuration should cascade to all child organizations.
appNetworks*	[cidr]	Network address range from which access to the web application is allowed.
appNetworksCascade*	boolean	Indicator of whether the web application network access configuration should cascade to all child organizations.

UpdateNetworkScanningConfigRequest

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

All fields are optional. Supply only the fields that need updating.

Properties

Name	Type	Description
netscanStatic	boolean	If set to true, scanning of static networks is enabled. For the scanning to take place, individual networks must be explicitly configured for scanning.
netscanDynamic	boolean	If set to true, scanning of dynamic IP addresses resolved from the organization's hostnames is enabled.
monitorCloudIps	boolean	If set to true, scanning of IP addresses discovered by cloud integrations is enabled.
netscanExclusions	[cidr]	Contains a list of network ranges that will be excluded from network scaning.

UpdateOrgRequest

{
  "name": "Hardenize",
  "status": "active",
  "commercialStatus": "internal",
  "generateApiCredentials": false,
  "hostDiscoveryAutoimportSubdomains": true,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": -1,
  "featureHostDiscovery": true,
  "featureMfa": false,
  "featureSaml": false
}

Properties

Name	Type	Description
name	string	Organization name is typically what will be shown in administrative user interfaces. If not provided in the request, the the id parameter will be used as the default value.
status	string	none
commercialStatus	string	none
generateApiCredentials	boolean	If set, creates new master API credentials for the organization. The generated password must be stored by the caller, otherwise it will be lost.
hostDiscoveryAutoimportSubdomains	boolean	If provided, updates the corresponding organization setting.
hostDiscoveryExcludeSuffixes	[string]	If provided, this field is a list of domain suffixes that should be ignored during discovery.
hostDiscoveryEnabled	boolean	If provided, enables or disables host discovery.
hostDiscoveryLimitHard	integer	If provided, updates the host discovery limit.
hostLimitHard	integer	If provided, updates the hard host limit.
featureHostDiscovery	boolean	If provided, updates the corresponding organization setting. The feature must be available in the parent organization to be enabled in a suborg.
featureMfa	boolean	If set, enables multi-factor authentication (MFA). The feature must be available in the parent organization. Default: false
featureSaml	boolean	If set, enables SAML. The feature must be available in the parent organization. Default: false

Enumerated Values

Property	Value
status	active
status	dormant
status	suspended
status	deleted
commercialStatus	free
commercialStatus	internal
commercialStatus	paying
commercialStatus	trial

UpdateOrgResponse

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Properties

Name	Type	Description
suborg	Organization	none

UnpackedCert

{
  "label": "www.example.com",
  "subject": "CN=www.example.com",
  "commonNames": [
    "www.example.com"
  ],
  "san": [
    "mail.example.com"
  ],
  "ski": "af47cb938e299991ec6538685ec20affbf817b2f",
  "issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
  "issuer": "Let's Encrypt Authority X3",
  "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
  "notBefore": "2024-11-21T14:12:47.694Z",
  "notAfter": "2024-11-21T14:12:47.694Z",
  "issuerUrls": [
    "http://cert.int-x3.letsencrypt.org/"
  ],
  "crlUrls": [
    "http://crl.pki.goog/GTS1O1.crl"
  ],
  "ocspUrls": [
    "http://ocsp.pki.goog/gts1o1"
  ],
  "fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
  "fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
  "keyUsage": [
    "keyEncipherment"
  ],
  "extendedKeyUsage": [
    "serverAuth"
  ],
  "scts": [
    {
      "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
      "logName": "DigiCert Yeti2020 Log",
      "timestamp": "2024-11-21T14:12:47.694Z"
    }
  ],
  "mustStaple": true,
  "sigAlg": {
    "oid": "1.2.840.113549.1.1.11",
    "name": "SHA256withRSA"
  },
  "subjectKey": {
    "algName": "RSA",
    "bits": 2048,
    "strength": 112,
    "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
  },
  "ca": true,
  "caPathLen": 1
}

Various information parsed from the certificate.

Properties

Name	Type	Description
label*	string	Summary of the cert
subject*	string	Certificate subject Distinguished Name in text format.
commonNames	[string]	Common names of the certificate
san	[string]	Hostnames from the SAN field
ski	string	Subject Key Identifier
issuerDn*	string	Certificate issuer Distinguished Name in text format.
issuer*	string	Certificate issuer
serial*	string	Hex-encoded serial number.
aki	string	Authority Key Identifier
notBefore*	string(date-time)	ISO 8601 timestamp.
notAfter*	string(date-time)	ISO 8601 timestamp.
issuerUrls	[string]	Issuer URLs
crlUrls	[string]	Certificate Revocation List URL
ocspUrls	[string]	OCSP URLs
fingerprintSha1*	string	SHA1 Fingerprint
fingerprintSha256*	string	SHA256 Fingerprint
keyUsage*	[string]	Allowed usages for the cert
extendedKeyUsage*	[string]	Further allowed usages for the cert
scts	[UnpackedCertSct]	CT Signed Certificate Timestamps
mustStaple	boolean	Has the must-staple feature
sigAlg*	UnpackedCertSigAlg	Signature Algorithm
subjectKey*	UnpackedCertSubjectKey	Subject Key
ca	boolean	If this cert is a CA cert
caPathLen	integer	If CA cert, how deep a certification path may exist through it

UnpackedCertSct

{
  "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
  "logName": "DigiCert Yeti2020 Log",
  "timestamp": "2024-11-21T14:12:47.695Z"
}

CT Signed Certificate Timestamp

Properties

Name	Type	Description
logId*	string	The log ID
logName*	string	The name of the log
timestamp*	string(date-time)	ISO 8601 timestamp.

UnpackedCertSigAlg

{
  "oid": "1.2.840.113549.1.1.11",
  "name": "SHA256withRSA"
}

Signature Algorithm

Properties

Name	Type	Description
oid*	string	Signature algorithm OID
name*	string	String representation of signature algorithm

UnpackedCertSubjectKey

{
  "algName": "RSA",
  "bits": 2048,
  "strength": 112,
  "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
}

Subject Key

Properties

Name	Type	Description
algName*	string	none
bits*	integer	none
strength*	integer	none
spkiSha256*	string	none

GetUserResponse

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2024-11-21T14:12:47.695Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Properties

Name	Type	Description
user*	User	The User object represents one of your users that are members of the organization. They can be actual users, or service accounts.

ListUsersResponse

{
  "users": [
    {
      "userId": 10001,
      "email": "postmaster@example.com",
      "name": "Bob",
      "status": "active",
      "serviceAccount": true,
      "expirationTime": "2024-11-21T14:12:47.695Z",
      "password": "61cec76600adc8b7aa522a5078f7c837",
      "mfaEnabled": false,
      "role": "observer"
    }
  ]
}

Properties

Name	Type	Description
users*	[User]	[The User object represents one of your users that are members of the organization. They can be actual users, or service accounts. ]

CreateServiceAccountRequest

{
  "name": "Data fetcher",
  "role": "observer",
  "expirationTime": "2024-11-21T14:12:47.696Z"
}

Properties

Name	Type	Description
name*	string	Name of the service account
role*	string	Role of the service account
expirationTime	string(date-time)	Service accounts may have expiration times

Enumerated Values

Property	Value
role	owner
role	admin
role	member
role	observer

InviteUserRequest

{
  "name": "Bob",
  "email": "postmaster@example.com",
  "role": "observer"
}

Properties

Name	Type	Description
name*	string	The users name
email*	string	The users email address
role*	string	The users role

Enumerated Values

Property	Value
role	owner
role	admin
role	member
role	observer

User

{
  "userId": 10001,
  "email": "postmaster@example.com",
  "name": "Bob",
  "status": "active",
  "serviceAccount": true,
  "expirationTime": "2024-11-21T14:12:47.696Z",
  "password": "61cec76600adc8b7aa522a5078f7c837",
  "mfaEnabled": false,
  "role": "observer"
}

The User object represents one of your users that are members of the organization. They can be actual users, or service accounts.

Properties

Name	Type	Description
userId*	integer	Unique user identifier
email*	string	The user's email address. In case of service accounts, we generate a special email address on Hardenize's own domain name.
name*	string	The name of the user or service account.
status*	string	User status. Normal user accounts begin with invitationSent status, which later changes to active, after the invitation is accepted. If an invitation is cancelled, the user object is deleted. Later on, an account's status may change to retired and possibly back to active.
serviceAccount*	boolean	Indicates if this user is a service account.
expirationTime	string(date-time)	Indicates the account's expiration time, if any.
password	string	When creating service accounts, or resetting their passwords, the auto generated password will be returned in plain text. This is the only time it will be available.
mfaEnabled	boolean	Whether or not multi-factor authentication is enabled for an account. This field is not present for service accounts, as MFA is not available in that context.
role*	string	The users role

Enumerated Values

Property	Value
status	active
status	retired
status	invitationSent
role	owner
role	admin
role	member
role	observer

CertsStatsResponse

{
  "certStats": {
    "totals": {
      "activeOrNonExpired": 0,
      "onlyOwn": 0,
      "onlyThirdParty": 0,
      "onlyActive": 0
    },
    "summary": {
      "total": 0,
      "unique": 0,
      "certs": 0,
      "precerts": 0,
      "duplicates": 0,
      "valid": 0,
      "notYetValid": 0,
      "expired": 0,
      "effectivelyExpired": 0,
      "revoked": 0,
      "revokedNotExpired": 0,
      "endEntity": 0,
      "ca": 0
    },
    "thirdParty": {
      "total": 0,
      "unique": 0,
      "endEntity": 0,
      "ca": 0
    },
    "usage": {
      "active": 0,
      "expired": 0,
      "expirationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      }
    },
    "analysis": {
      "issuerCa": {
        "property1": 0,
        "property2": 0
      },
      "keyAlg": {
        "property1": 0,
        "property2": 0
      },
      "keyAlgLen": {
        "property1": 0,
        "property2": 0
      },
      "keyStrength": {
        "property1": 0,
        "property2": 0
      },
      "sigAlg": {
        "property1": 0,
        "property2": 0
      },
      "validation": {
        "property1": 0,
        "property2": 0
      },
      "lifetimes": {
        "property1": 0,
        "property2": 0
      },
      "wildcards": 0,
      "nonWildcards": 0
    },
    "activity": {
      "issuanceTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      },
      "revocationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      },
      "expirationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      }
    },
    "timestamp": "2024-11-21T14:12:47.696Z"
  },
  "extras": {
    "certsDueDays": 0,
    "certsOverdueDays": 0,
    "certsCriticalDays": 0
  }
}

Properties

Name	Type	Description
certStats*	CertStats	none
extras	CertStatsExtras	none

CertStats

{
  "totals": {
    "activeOrNonExpired": 0,
    "onlyOwn": 0,
    "onlyThirdParty": 0,
    "onlyActive": 0
  },
  "summary": {
    "total": 0,
    "unique": 0,
    "certs": 0,
    "precerts": 0,
    "duplicates": 0,
    "valid": 0,
    "notYetValid": 0,
    "expired": 0,
    "effectivelyExpired": 0,
    "revoked": 0,
    "revokedNotExpired": 0,
    "endEntity": 0,
    "ca": 0
  },
  "thirdParty": {
    "total": 0,
    "unique": 0,
    "endEntity": 0,
    "ca": 0
  },
  "usage": {
    "active": 0,
    "expired": 0,
    "expirationTimelines": {
      "days": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "weeks": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "months": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      }
    }
  },
  "analysis": {
    "issuerCa": {
      "property1": 0,
      "property2": 0
    },
    "keyAlg": {
      "property1": 0,
      "property2": 0
    },
    "keyAlgLen": {
      "property1": 0,
      "property2": 0
    },
    "keyStrength": {
      "property1": 0,
      "property2": 0
    },
    "sigAlg": {
      "property1": 0,
      "property2": 0
    },
    "validation": {
      "property1": 0,
      "property2": 0
    },
    "lifetimes": {
      "property1": 0,
      "property2": 0
    },
    "wildcards": 0,
    "nonWildcards": 0
  },
  "activity": {
    "issuanceTimelines": {
      "days": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "weeks": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "months": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      }
    },
    "revocationTimelines": {
      "days": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "weeks": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "months": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      }
    },
    "expirationTimelines": {
      "days": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "weeks": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "months": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      }
    }
  },
  "timestamp": "2024-11-21T14:12:47.697Z"
}

Properties

Name	Type	Description
totals	TotalsStats	none
summary	SummaryStats	Own certificates statistics.
thirdParty	ThirdPartyStats	Third-party certificates statistics.
usage	UsageStats	Usage statistics.
analysis	AnalysisStats	Certificate corpus analysis.
activity	ActivityStats	Activity stats.
timestamp	string(date-time)	Statistics creation time

TotalsStats

{
  "activeOrNonExpired": 0,
  "onlyOwn": 0,
  "onlyThirdParty": 0,
  "onlyActive": 0
}

Properties

Name	Type	Description
activeOrNonExpired	integer	Total active or non-expired certificates.
onlyOwn	integer	Total certificates that are not third-party.
onlyThirdParty	integer	Total third-party certificates.
onlyActive	integer	Total active certificates.

CertStatsExtras

{
  "certsDueDays": 0,
  "certsOverdueDays": 0,
  "certsCriticalDays": 0
}

Properties

Name	Type	Description
certsDueDays	integer	none
certsOverdueDays	integer	none
certsCriticalDays	integer	none

SummaryStats

{
  "total": 0,
  "unique": 0,
  "certs": 0,
  "precerts": 0,
  "duplicates": 0,
  "valid": 0,
  "notYetValid": 0,
  "expired": 0,
  "effectivelyExpired": 0,
  "revoked": 0,
  "revokedNotExpired": 0,
  "endEntity": 0,
  "ca": 0
}

Own certificates statistics.

Properties

Name	Type	Description
total	integer	Total certificate objects.
unique	integer	Total unique certificate objects.
certs	integer	Total certificates.
precerts	integer	Total precertificates.
duplicates	integer	Total duplicate certificates.
valid	integer	Total valid non-duplicate certificates.
notYetValid	integer	Total not yet valid certificates.
expired	integer	Total expired certificates.
effectivelyExpired	integer	Total effectively expired certificates.
revoked	integer	Total revoked certificates.
revokedNotExpired	integer	Total revoked but not expired certificates.
endEntity	integer	Total unique leaf certificates.
ca	integer	Total unique intermediates and roots.

ThirdPartyStats

{
  "total": 0,
  "unique": 0,
  "endEntity": 0,
  "ca": 0
}

Third-party certificates statistics.

Properties

Name	Type	Description
total	integer	none
unique	integer	Total unique certificate objects.
endEntity	integer	Total unique leaves.
ca	integer	Total unique intermediates and roots.

UsageStats

{
  "active": 0,
  "expired": 0,
  "expirationTimelines": {
    "days": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "weeks": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "months": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    }
  }
}

Usage statistics.

Properties

Name	Type	Description
active	integer	Total active/installed; may include certificates that are no longer valid.
expired	integer	Total expired.
expirationTimelines	Timeline	none

ActivityStats

{
  "issuanceTimelines": {
    "days": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "weeks": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "months": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    }
  },
  "revocationTimelines": {
    "days": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "weeks": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "months": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    }
  },
  "expirationTimelines": {
    "days": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "weeks": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "months": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    }
  }
}

Activity stats.

Properties

Name	Type	Description
issuanceTimelines	Timeline	none
revocationTimelines	Timeline	none
expirationTimelines	Timeline	none

AnalysisStats

{
  "issuerCa": {
    "property1": 0,
    "property2": 0
  },
  "keyAlg": {
    "property1": 0,
    "property2": 0
  },
  "keyAlgLen": {
    "property1": 0,
    "property2": 0
  },
  "keyStrength": {
    "property1": 0,
    "property2": 0
  },
  "sigAlg": {
    "property1": 0,
    "property2": 0
  },
  "validation": {
    "property1": 0,
    "property2": 0
  },
  "lifetimes": {
    "property1": 0,
    "property2": 0
  },
  "wildcards": 0,
  "nonWildcards": 0
}

Certificate corpus analysis.

Properties

Name	Type	Description
issuerCa	object	CA issuers
» additionalProperties	integer	none
keyAlg	object	Private key algorithm
» additionalProperties	integer	none
keyAlgLen	object	Private key algorithm with length
» additionalProperties	integer	none
keyStrength	object	Private key strength
» additionalProperties	integer	none
sigAlg	object	Signature algorithm
» additionalProperties	integer	none
validation	object	none
» additionalProperties	integer	none
lifetimes	object	Count of the certificates with the same lifetimes
» additionalProperties	integer	none
wildcards	integer	Total wildcards
nonWildcards	integer	Total non-wildcards

Timeline

{
  "days": {
    "data": [
      {
        "offset": 0,
        "count": 0
      }
    ],
    "firstOffset": 0,
    "lastOffset": 0,
    "count": 0,
    "min": 0,
    "max": 0
  },
  "weeks": {
    "data": [
      {
        "offset": 0,
        "count": 0
      }
    ],
    "firstOffset": 0,
    "lastOffset": 0,
    "count": 0,
    "min": 0,
    "max": 0
  },
  "months": {
    "data": [
      {
        "offset": 0,
        "count": 0
      }
    ],
    "firstOffset": 0,
    "lastOffset": 0,
    "count": 0,
    "min": 0,
    "max": 0
  }
}

Properties

Name	Type	Description
days	TimelineData	none
weeks	TimelineData	none
months	TimelineData	none

TimelineData

{
  "data": [
    {
      "offset": 0,
      "count": 0
    }
  ],
  "firstOffset": 0,
  "lastOffset": 0,
  "count": 0,
  "min": 0,
  "max": 0
}

Properties

Name	Type	Description
data*	[OffsetCount]	none
firstOffset*	integer	none
lastOffset*	integer	none
count*	integer	none
min*	integer	none
max*	integer	none

OffsetCount

{
  "offset": 0,
  "count": 0
}

Properties

Name	Type	Description
offset*	integer	none
count*	integer	none

CreateDashboardResponse

{
  "orgDashboardStats": {
    "orgId": 0,
    "overallSummary": {
      "totalHosts": 0,
      "dnssecHosts": 0,
      "dnssecPresent": 0,
      "dnssecNone": 0,
      "dnssecUnknown": 0,
      "smtpHosts": 0,
      "smtpQualityGood": 0,
      "smtpQualityWarning": 0,
      "smtpQualityError": 0,
      "smtpQualityOther": 0,
      "smtpStartTlsPresent": 0,
      "smtpStartTlsNone": 0,
      "smtpStartTlsUnknown": 0,
      "smtpSpfPresent": 0,
      "smtpSpfNone": 0,
      "smtpSpfUnknown": 0,
      "smtpDmarcPresent": 0,
      "smtpDmarcNone": 0,
      "smtpDmarcUnknown": 0,
      "smtpDanePresent": 0,
      "smtpDaneNone": 0,
      "smtpDaneUnknown": 0,
      "httpHosts": 0,
      "httpsHosts": 0,
      "httpsQualityGood": 0,
      "httpsQualityWarning": 0,
      "httpsQualityError": 0,
      "httpsQualityOther": 0,
      "httpsHostsPresent": 0,
      "httpsHostsNone": 0,
      "httpsHostsUnknown": 0,
      "httpsRedirectionPresent": 0,
      "httpsRedirectionNone": 0,
      "httpsRedirectionNotApplicable": 0,
      "httpsRedirectionUnknown": 0,
      "httpsHstsPresent": 0,
      "httpsHstsNone": 0,
      "httpsHstsNotApplicable": 0,
      "httpsHstsUnknown": 0,
      "httpsHstsPreloadedPresent": 0,
      "httpsHstsPreloadedNone": 0,
      "httpsHstsPreloadedNotApplicable": 0,
      "httpsHstsPreloadedUnknown": 0
    },
    "groups": [
      {
        "groupId": 0,
        "name": "string",
        "label": "string",
        "auto": true,
        "tags": [
          "string"
        ]
      }
    ],
    "monitoredHostCount": 0,
    "monitoredDomainCount": 0,
    "nonArchivedHostCount": 0,
    "nonArchivedDomainCount": 0,
    "ipCount": 0,
    "activeCertCount": 0,
    "buildTime": "2019-08-24T14:15:22Z",
    "groupSummaries": {
      "property1": {
        "totalHosts": 0,
        "dnssecHosts": 0,
        "dnssecPresent": 0,
        "dnssecNone": 0,
        "dnssecUnknown": 0,
        "smtpHosts": 0,
        "smtpQualityGood": 0,
        "smtpQualityWarning": 0,
        "smtpQualityError": 0,
        "smtpQualityOther": 0,
        "smtpStartTlsPresent": 0,
        "smtpStartTlsNone": 0,
        "smtpStartTlsUnknown": 0,
        "smtpSpfPresent": 0,
        "smtpSpfNone": 0,
        "smtpSpfUnknown": 0,
        "smtpDmarcPresent": 0,
        "smtpDmarcNone": 0,
        "smtpDmarcUnknown": 0,
        "smtpDanePresent": 0,
        "smtpDaneNone": 0,
        "smtpDaneUnknown": 0,
        "httpHosts": 0,
        "httpsHosts": 0,
        "httpsQualityGood": 0,
        "httpsQualityWarning": 0,
        "httpsQualityError": 0,
        "httpsQualityOther": 0,
        "httpsHostsPresent": 0,
        "httpsHostsNone": 0,
        "httpsHostsUnknown": 0,
        "httpsRedirectionPresent": 0,
        "httpsRedirectionNone": 0,
        "httpsRedirectionNotApplicable": 0,
        "httpsRedirectionUnknown": 0,
        "httpsHstsPresent": 0,
        "httpsHstsNone": 0,
        "httpsHstsNotApplicable": 0,
        "httpsHstsUnknown": 0,
        "httpsHstsPreloadedPresent": 0,
        "httpsHstsPreloadedNone": 0,
        "httpsHstsPreloadedNotApplicable": 0,
        "httpsHstsPreloadedUnknown": 0
      },
      "property2": {
        "totalHosts": 0,
        "dnssecHosts": 0,
        "dnssecPresent": 0,
        "dnssecNone": 0,
        "dnssecUnknown": 0,
        "smtpHosts": 0,
        "smtpQualityGood": 0,
        "smtpQualityWarning": 0,
        "smtpQualityError": 0,
        "smtpQualityOther": 0,
        "smtpStartTlsPresent": 0,
        "smtpStartTlsNone": 0,
        "smtpStartTlsUnknown": 0,
        "smtpSpfPresent": 0,
        "smtpSpfNone": 0,
        "smtpSpfUnknown": 0,
        "smtpDmarcPresent": 0,
        "smtpDmarcNone": 0,
        "smtpDmarcUnknown": 0,
        "smtpDanePresent": 0,
        "smtpDaneNone": 0,
        "smtpDaneUnknown": 0,
        "httpHosts": 0,
        "httpsHosts": 0,
        "httpsQualityGood": 0,
        "httpsQualityWarning": 0,
        "httpsQualityError": 0,
        "httpsQualityOther": 0,
        "httpsHostsPresent": 0,
        "httpsHostsNone": 0,
        "httpsHostsUnknown": 0,
        "httpsRedirectionPresent": 0,
        "httpsRedirectionNone": 0,
        "httpsRedirectionNotApplicable": 0,
        "httpsRedirectionUnknown": 0,
        "httpsHstsPresent": 0,
        "httpsHstsNone": 0,
        "httpsHstsNotApplicable": 0,
        "httpsHstsUnknown": 0,
        "httpsHstsPreloadedPresent": 0,
        "httpsHstsPreloadedNone": 0,
        "httpsHstsPreloadedNotApplicable": 0,
        "httpsHstsPreloadedUnknown": 0
      }
    }
  }
}

Properties

Name	Type	Description
orgDashboardStats*	OrgDashboardStats	none

OrgDashboardStats

{
  "orgId": 0,
  "overallSummary": {
    "totalHosts": 0,
    "dnssecHosts": 0,
    "dnssecPresent": 0,
    "dnssecNone": 0,
    "dnssecUnknown": 0,
    "smtpHosts": 0,
    "smtpQualityGood": 0,
    "smtpQualityWarning": 0,
    "smtpQualityError": 0,
    "smtpQualityOther": 0,
    "smtpStartTlsPresent": 0,
    "smtpStartTlsNone": 0,
    "smtpStartTlsUnknown": 0,
    "smtpSpfPresent": 0,
    "smtpSpfNone": 0,
    "smtpSpfUnknown": 0,
    "smtpDmarcPresent": 0,
    "smtpDmarcNone": 0,
    "smtpDmarcUnknown": 0,
    "smtpDanePresent": 0,
    "smtpDaneNone": 0,
    "smtpDaneUnknown": 0,
    "httpHosts": 0,
    "httpsHosts": 0,
    "httpsQualityGood": 0,
    "httpsQualityWarning": 0,
    "httpsQualityError": 0,
    "httpsQualityOther": 0,
    "httpsHostsPresent": 0,
    "httpsHostsNone": 0,
    "httpsHostsUnknown": 0,
    "httpsRedirectionPresent": 0,
    "httpsRedirectionNone": 0,
    "httpsRedirectionNotApplicable": 0,
    "httpsRedirectionUnknown": 0,
    "httpsHstsPresent": 0,
    "httpsHstsNone": 0,
    "httpsHstsNotApplicable": 0,
    "httpsHstsUnknown": 0,
    "httpsHstsPreloadedPresent": 0,
    "httpsHstsPreloadedNone": 0,
    "httpsHstsPreloadedNotApplicable": 0,
    "httpsHstsPreloadedUnknown": 0
  },
  "groups": [
    {
      "groupId": 0,
      "name": "string",
      "label": "string",
      "auto": true,
      "tags": [
        "string"
      ]
    }
  ],
  "monitoredHostCount": 0,
  "monitoredDomainCount": 0,
  "nonArchivedHostCount": 0,
  "nonArchivedDomainCount": 0,
  "ipCount": 0,
  "activeCertCount": 0,
  "buildTime": "2019-08-24T14:15:22Z",
  "groupSummaries": {
    "property1": {
      "totalHosts": 0,
      "dnssecHosts": 0,
      "dnssecPresent": 0,
      "dnssecNone": 0,
      "dnssecUnknown": 0,
      "smtpHosts": 0,
      "smtpQualityGood": 0,
      "smtpQualityWarning": 0,
      "smtpQualityError": 0,
      "smtpQualityOther": 0,
      "smtpStartTlsPresent": 0,
      "smtpStartTlsNone": 0,
      "smtpStartTlsUnknown": 0,
      "smtpSpfPresent": 0,
      "smtpSpfNone": 0,
      "smtpSpfUnknown": 0,
      "smtpDmarcPresent": 0,
      "smtpDmarcNone": 0,
      "smtpDmarcUnknown": 0,
      "smtpDanePresent": 0,
      "smtpDaneNone": 0,
      "smtpDaneUnknown": 0,
      "httpHosts": 0,
      "httpsHosts": 0,
      "httpsQualityGood": 0,
      "httpsQualityWarning": 0,
      "httpsQualityError": 0,
      "httpsQualityOther": 0,
      "httpsHostsPresent": 0,
      "httpsHostsNone": 0,
      "httpsHostsUnknown": 0,
      "httpsRedirectionPresent": 0,
      "httpsRedirectionNone": 0,
      "httpsRedirectionNotApplicable": 0,
      "httpsRedirectionUnknown": 0,
      "httpsHstsPresent": 0,
      "httpsHstsNone": 0,
      "httpsHstsNotApplicable": 0,
      "httpsHstsUnknown": 0,
      "httpsHstsPreloadedPresent": 0,
      "httpsHstsPreloadedNone": 0,
      "httpsHstsPreloadedNotApplicable": 0,
      "httpsHstsPreloadedUnknown": 0
    },
    "property2": {
      "totalHosts": 0,
      "dnssecHosts": 0,
      "dnssecPresent": 0,
      "dnssecNone": 0,
      "dnssecUnknown": 0,
      "smtpHosts": 0,
      "smtpQualityGood": 0,
      "smtpQualityWarning": 0,
      "smtpQualityError": 0,
      "smtpQualityOther": 0,
      "smtpStartTlsPresent": 0,
      "smtpStartTlsNone": 0,
      "smtpStartTlsUnknown": 0,
      "smtpSpfPresent": 0,
      "smtpSpfNone": 0,
      "smtpSpfUnknown": 0,
      "smtpDmarcPresent": 0,
      "smtpDmarcNone": 0,
      "smtpDmarcUnknown": 0,
      "smtpDanePresent": 0,
      "smtpDaneNone": 0,
      "smtpDaneUnknown": 0,
      "httpHosts": 0,
      "httpsHosts": 0,
      "httpsQualityGood": 0,
      "httpsQualityWarning": 0,
      "httpsQualityError": 0,
      "httpsQualityOther": 0,
      "httpsHostsPresent": 0,
      "httpsHostsNone": 0,
      "httpsHostsUnknown": 0,
      "httpsRedirectionPresent": 0,
      "httpsRedirectionNone": 0,
      "httpsRedirectionNotApplicable": 0,
      "httpsRedirectionUnknown": 0,
      "httpsHstsPresent": 0,
      "httpsHstsNone": 0,
      "httpsHstsNotApplicable": 0,
      "httpsHstsUnknown": 0,
      "httpsHstsPreloadedPresent": 0,
      "httpsHstsPreloadedNone": 0,
      "httpsHstsPreloadedNotApplicable": 0,
      "httpsHstsPreloadedUnknown": 0
    }
  }
}

Properties

Name	Type	Description
orgId	integer	Organization ID
overallSummary	object	none
» totalHosts	integer	none
» dnssecHosts	integer	none
» dnssecPresent	integer	Hosts that use DNSSEC
» dnssecNone	integer	Hosts that don't use DNSSEC
» dnssecUnknown	integer	Hosts whose DNSSEC configuration we weren't able to evaluate reliably
» smtpHosts	integer	none
» smtpQualityGood	integer	Hosts that have correct and reasonably secure SMTP configuration
» smtpQualityWarning	integer	Hosts whose SMTP configuration has small problems or it's missing important features
» smtpQualityError	integer	Hosts whose SMTP configuration has errors or it's missing critical features
» smtpQualityOther	integer	Hosts whose SMTP configuration we weren't able to evaluate reliably
» smtpStartTlsPresent	integer	Hosts that support email encryption via STARTTLS
» smtpStartTlsNone	integer	Hosts that don't support email encryption via STARTTLS
» smtpStartTlsUnknown	integer	Hosts whose STARTTLS support we weren't able to evaluate reliably
» smtpSpfPresent	integer	Hosts that use SPF to control which servers are allowed to send email for them
» smtpSpfNone	integer	Hosts that don't use SPF to control which servers are allowed to send email for them
» smtpSpfUnknown	integer	Hosts whose SPF configuration we weren't able to evaluate reliably
» smtpDmarcPresent	integer	Hosts that have an enforcing DMARC policy
» smtpDmarcNone	integer	Hosts that don't have an enforcing DMARC policy
» smtpDmarcUnknown	integer	Hosts whose DMARC configuration we weren't able to evaluate reliably
» smtpDanePresent	integer	Hosts that use DNSSEC and DANE for SMTP
» smtpDaneNone	integer	Hosts that don't use DNSSEC and DANE for SMTP
» smtpDaneUnknown	integer	Hosts whose DNSSEC and DANE configuration we weren't able to evaluate reliably
» httpHosts	integer	none
» httpsHosts	integer	none
» httpsQualityGood	integer	Sites with well-configured HTTPS
» httpsQualityWarning	integer	Sites whose HTTPS configuration has smaller problems or lacks important features
» httpsQualityError	integer	Sites whose HTTPS configuration has errors or lacks critical features
» httpsQualityOther	integer	Sites whose HTTPS configuration we weren't able to evaluate reliably
» httpsHostsPresent	integer	Sites that deploy HTTPS with a certificate valid for public consumption
» httpsHostsNone	integer	Sites with HTTP but without HTTPS
» httpsHostsUnknown	integer	Sites whose HTTP and HTTPS status we weren't able to evaluate reliably
» httpsRedirectionPresent	integer	Sites that have an unconditional redirection from HTTP to HTTPS
» httpsRedirectionNone	integer	Sites that don't enforce HTTPS with a redirection
» httpsRedirectionNotApplicable	integer	Not applicable; these sites don't have HTTPS
» httpsRedirectionUnknown	integer	Sites whose HTTPS redirection status we weren't able to evaluate reliably
» httpsHstsPresent	integer	Sites that deploy HTTP Strict Transport Security (HSTS)
» httpsHstsNone	integer	Sites that don't deploy HTTP Strict Transport Security (HSTS)
» httpsHstsNotApplicable	integer	Not applicable; these sites don't have HTTPS
» httpsHstsUnknown	integer	Sites whose HSTS status we weren't able to evaluate reliably
» httpsHstsPreloadedPresent	integer	Sites that have preloaded (or pending) HSTS
» httpsHstsPreloadedNone	integer	Sites that don't have preloaded HSTS
» httpsHstsPreloadedNotApplicable	integer	Not applicable; these sites don't have HTTPS and/or HSTS
» httpsHstsPreloadedUnknown	integer	Sites whose HSTS preload status we weren't able to evaluate reliably
groups	[object]	none
» groupId	integer	none
» name	string	none
» label	string	none
» auto	boolean	none
» tags	[string]	none
monitoredHostCount	integer	none
monitoredDomainCount	integer	none
nonArchivedHostCount	integer	none
nonArchivedDomainCount	integer	none
ipCount	integer	none
activeCertCount	integer	none
buildTime	string(date-time)	none
groupSummaries	object	none
» additionalProperties	object	none
»» totalHosts	integer	none
»» dnssecHosts	integer	none
»» dnssecPresent	integer	Hosts that use DNSSEC
»» dnssecNone	integer	Hosts that don't use DNSSEC
»» dnssecUnknown	integer	Hosts whose DNSSEC configuration we weren't able to evaluate reliably
»» smtpHosts	integer	none
»» smtpQualityGood	integer	Hosts that have correct and reasonably secure SMTP configuration
»» smtpQualityWarning	integer	Hosts whose SMTP configuration has small problems or it's missing important features
»» smtpQualityError	integer	Hosts whose SMTP configuration has errors or it's missing critical features
»» smtpQualityOther	integer	Hosts whose SMTP configuration we weren't able to evaluate reliably
»» smtpStartTlsPresent	integer	Hosts that support email encryption via STARTTLS
»» smtpStartTlsNone	integer	Hosts that don't support email encryption via STARTTLS
»» smtpStartTlsUnknown	integer	Hosts whose STARTTLS support we weren't able to evaluate reliably
»» smtpSpfPresent	integer	Hosts that use SPF to control which servers are allowed to send email for them
»» smtpSpfNone	integer	Hosts that don't use SPF to control which servers are allowed to send email for them
»» smtpSpfUnknown	integer	Hosts whose SPF configuration we weren't able to evaluate reliably
»» smtpDmarcPresent	integer	Hosts that have an enforcing DMARC policy
»» smtpDmarcNone	integer	Hosts that don't have an enforcing DMARC policy
»» smtpDmarcUnknown	integer	Hosts whose DMARC configuration we weren't able to evaluate reliably
»» smtpDanePresent	integer	Hosts that use DNSSEC and DANE for SMTP
»» smtpDaneNone	integer	Hosts that don't use DNSSEC and DANE for SMTP
»» smtpDaneUnknown	integer	Hosts whose DNSSEC and DANE configuration we weren't able to evaluate reliably
»» httpHosts	integer	none
»» httpsHosts	integer	none
»» httpsQualityGood	integer	Sites with well-configured HTTPS
»» httpsQualityWarning	integer	Sites whose HTTPS configuration has smaller problems or lacks important features
»» httpsQualityError	integer	Sites whose HTTPS configuration has errors or lacks critical features
»» httpsQualityOther	integer	Sites whose HTTPS configuration we weren't able to evaluate reliably
»» httpsHostsPresent	integer	Sites that deploy HTTPS with a certificate valid for public consumption
»» httpsHostsNone	integer	Sites with HTTP but without HTTPS
»» httpsHostsUnknown	integer	Sites whose HTTP and HTTPS status we weren't able to evaluate reliably
»» httpsRedirectionPresent	integer	Sites that have an unconditional redirection from HTTP to HTTPS
»» httpsRedirectionNone	integer	Sites that don't enforce HTTPS with a redirection
»» httpsRedirectionNotApplicable	integer	Not applicable; these sites don't have HTTPS
»» httpsRedirectionUnknown	integer	Sites whose HTTPS redirection status we weren't able to evaluate reliably
»» httpsHstsPresent	integer	Sites that deploy HTTP Strict Transport Security (HSTS)
»» httpsHstsNone	integer	Sites that don't deploy HTTP Strict Transport Security (HSTS)
»» httpsHstsNotApplicable	integer	Not applicable; these sites don't have HTTPS
»» httpsHstsUnknown	integer	Sites whose HSTS status we weren't able to evaluate reliably
»» httpsHstsPreloadedPresent	integer	Sites that have preloaded (or pending) HSTS
»» httpsHstsPreloadedNone	integer	Sites that don't have preloaded HSTS
»» httpsHstsPreloadedNotApplicable	integer	Not applicable; these sites don't have HTTPS and/or HSTS
»» httpsHstsPreloadedUnknown	integer	Sites whose HSTS preload status we weren't able to evaluate reliably

AccountStatsResponse

{
  "users": {
    "active": 7
  },
  "hosts": {
    "total": 8,
    "active": 8,
    "monitored": 4,
    "monitoredWithServices": 3,
    "idle": 3,
    "archived": 4
  },
  "certificates": {
    "totalCerts": 15,
    "duplicateCerts": 8,
    "expiredCerts": 0,
    "revokedCerts": 8,
    "thirdPartyCerts": 13,
    "activeCerts": 8
  },
  "networkEndpoints": {
    "total": 8,
    "smtp": 8,
    "https": 4
  },
  "ipv6Addresses": {
    "total": 0,
    "monitored": 0
  },
  "ipv4Addresses": {
    "total": 3,
    "monitored": 3
  }
}

Properties

Name	Type	Description
users	AccountUsersStats	none
hosts	AccountHostsStats	none
certificates	AccountCertificatesStats	none
networkEndpoints	AccountNetworkEndpointsStats	none
ipv6Addresses	AccountIpv6AddressesStats	none
ipv4Addresses	AccountIpv4AddressesStats	none

AccountHostsStats

{
  "total": 8,
  "active": 8,
  "monitored": 4,
  "monitoredWithServices": 3,
  "idle": 3,
  "archived": 4
}

Properties

Name	Type	Description
total	integer	none
active	integer	none
monitored	integer	none
monitoredWithServices	integer	none
idle	integer	none
archived	integer	none

AccountCertificatesStats

{
  "totalCerts": 15,
  "duplicateCerts": 8,
  "expiredCerts": 0,
  "revokedCerts": 8,
  "thirdPartyCerts": 13,
  "activeCerts": 8
}

Properties

Name	Type	Description
totalCerts	integer	none
duplicateCerts	integer	none
expiredCerts	integer	none
revokedCerts	integer	none
thirdPartyCerts	integer	none
activeCerts	integer	none

AccountUsersStats

{
  "active": 7
}

Properties

Name	Type	Description
active	integer	none

AccountNetworkEndpointsStats

{
  "total": 8,
  "smtp": 8,
  "https": 4
}

Properties

Name	Type	Description
total	integer	none
smtp	integer	none
https	integer	none

AccountIpv4AddressesStats

{
  "total": 3,
  "monitored": 3
}

Properties

Name	Type	Description
total	integer	none
monitored	integer	none

AccountIpv6AddressesStats

{
  "total": 0,
  "monitored": 0
}

Properties

Name	Type	Description
total	integer	none
monitored	integer	none