NAV Navigation
HTTP

Hardenize Organization API v1.125.0

Scroll down for code samples, example requests and responses. Select a language for code samples from the tabs above or the mobile navigation menu.

Hardenize is a platform for continuous monitoring of network and security configuration. Hardenize supports individual accounts, intended for use by a single person, and organization accounts, which are shared among potentially many individuals. Whereas individual accounts are limited, organization accounts can have access to all Hardenize features. The Organization API, documented here, provides ability to manage and retrieve information from organization accounts.

Overview

Stability and Versioning

We aim to provide a stable API that will not break your code as we make new releases. However, this is a living API, which contains parts that are stable, as well as parts that are still under active development. As you read this documentation and adopt the API features, please observe the provided notices to understand what changes we may make in the future.

By default (in absence of any warnings), the API should be considered stable. That means that the future releases won't introduce incompatible changes. For example, we will not move or remove API endpoints, and we won't otherwise change the API structure. However, we may make forward-compatible changes even to the stable parts of the API to introduce new functionality. This means that we may add new API endpoints, new fields to existing objects, and in some cases even new field values where that makes sense (for some non-critical fields). To ensure that no breakage takes place, please ensure that your code ignores unknown fields and unknown field values in response objects.

Parts of this API that are not stable are marked with Under Development and can change without notice. The lifecycle of an API extension is roughly that we will release new parts early, polish them in response to your feedback, and declare them stable once they're considered mature.

Base Location

This specification shows the API endpoints relative to the API's base location, which is shown below. Before you use the base URL, replace the {org} placeholder with your organization's label:

The organization label is easy to find, just access your account and observe the URL in the browser. It's going to be the last segment of the URL when you navigate to your account's homepage. The URL may be in one of the two following formats:

In the first URL, the label is feistyduck. In the second, the label includes prefix and is red-sift-hardenize.feistyduck.

Request Methods

When it comes to how we use HTTP request methods, we try to follow the spirit of the HTTP specification. We use GET for requests that retrieve information without making any changes on the server. We use POST for requests that modify data. We use DELETE when data is being deleted.

Paths

We use path segments to group API endpoints with common functions, or endpoints that manage the same type of entity (e.g., certificates). Wherever possible, we use plural forms, for example hosts and groups.

We also use path segment parameters (Section 3.3 in the URI RFC) for types of requests that don't alter resource state but request an action to be performed. A nice way to think about this model is that some resources have buttons, and that you are able to push these buttons via actions. You could say that these endpoints are controllers, and they're common in RPC-style APIs.

The first action we implemented was for webhook testing; to test a webhook, you first build a path that identifies a specific webhook, then append a path segment parameter to indicate which action to perform. The complete path then looks like this: /eventHooks/b349dd;test. Although path segments are not very commonly seen in practice, we believe they're very well suited for this particular use case.

HTTP Response Codes

HTTP doesn't provide a full range of useful response codes, but we try to use the status code that makes more sense. In most cases you'll only need to differentiate between 2xx (all good), 4xx (your fault), and 5xx (our fault) responses.

MIME Types

Most API endpoints in this specification respond with a JSON object and thus use the application/json MIME type. There are a couple of situations when one endpoint may return different objects depending on context; we use additional MIME types to help you to determine what the responses contain:

Errors

If an endpoint fails to complete successfully, the response body may include an ErrorResponse instance with one or more error messages. Messages can be associated with the entire transaction or, optionally, with a specific parameter.

{
  "errors": [
    {
      "message": "Operation failed, but we don't want why."
    },
    {
      "param": "firstName",
      "message": "Invalid field value, please try again."
    }
  ]
}

Error responses use a non-200 status code and the application/vnd.hardenize.v1.error-response+json MIME type.

Request Limits

We enforce API usage limits in order to preserve the integrity of our systems. For example, it's very easy to deploy a client that sends thousands of requests by mistake; we wish to defend against situations like that. At this time, we have two main mechanisms that can refuse a request. First, we monitor access rate using the token bucket algorithm, and, by default, allow approximately one request per second, with an allowance for short-term bursts. Second, we don't allow more than 5 concurrent requests. These parameters are enforced separately on individual user access and on all API requests for the same organization. If you're using multiple service accounts, they will share the same organization limits.

Every API response includes the X-Request-Allowance header that contains our view of how you're using the API. This is what the output may look like:

r: 57/60 (+1/1s); c: 1/5

The line begins with information about the request rate limits. The first value (57) shows your current request allowance, the second (60) the maximum value. In the brackets, we show that the allowance will be increased (up to the maximum) at the rate of one per second. The second part of the output shows concurrent requests; in this case one of out maximum five.

For best results, configure your client to submit requests at the same rate at which the tokens regenerate; by default, that's one per second. If you have a request refused (in this case we'll use the 429 response code), wait for a full minute, at which point your burst allowance will be fully restored.

Please get in touch if our default limits don't work for your use cases. We may be able to help by configuring different limits for your organization.

We have additional safety checks that may apply as well. If you're sending requests so fast that we come to believe our main application may be affected, we may reject them early, at the reverse proxy level. In this case you'll observe a 429 response but no X-Request-Allowance header. Limits at this level are designed to kick in only as last resort.

Suborganization Request Limits

The standard request limits described in the previous section apply to all organizations, but additional limits may apply to suborganizations. In this case, we check the individual organization limits as well as the parent limits that apply to all suborganizations in aggregate. There are no default settings for these limits, as different values make sense depending on the number of suborganizations used. If a request is rejected because of the parent restrictions, the X-Parent-Request-Allowance header will be included in the response. This header uses the same format as the X-Request-Allowance response header.

Resource Identifiers

In this API, every resource has an identifier that uniquely identifies within the parent collection. Wherever it makes sense we try to use natural identifiers, for example hostname for host entities. Where that's not possible we use a synthetic identifier and call it id. In this case, treat the identifier as opaque. Despite the fact that the identifier names can vary from entity to entity, they're easy to spot because they're always the first field listed in the documentation.

Data Formats

Pagination

Pagination is typically used with API endpoints that may return large amounts of data, where not all of it might be needed, or at least not straight away. If an endpoint supports pagination, clients can initially read only a portion of the response, then come later for the rest. With this approach, the amount of data that needs to be read is minimized, which reduces network traffic and the response latency of interactive operations. There are other benefits. For example potentially expensive operations are cached and don't have to be repeated. Similarly, the data set remains the same, even if the source of the data changes.

We support pagination by splitting operation results into pages of rows, with clients able to collect one, several, or all pages with a single request. Different API endpoints may differ in what they support, in the sense that some may force pagination and some may not allow it.

Clients should use the Range request header to request only one part of the entire resource. For example, the following will obtain only the first page:

Range: pages=1-1

If the server provided a partial response as requested, it will use the 206 Partial Content status code. In this case, the response will also include the Content-Range header that shows what pages have been provided, as well as indicate the total amount of pages available:

Content-Range: pages 1-1/10

We support only retrieval of a single continuous range of pages. If the server cannot fulfil the request, the 416 Not Satisfiable status code will be provided.

Changelog

v1.125.0 (20 December 2024)

v1.124.0 (26 November 2024)

v1.123.0 (21 November 2024)

v1.122.0 (29 October 2024)

v1.121.0 (22 October 2024)

v1.120.0 (3 October 2024)

v1.119.0 (26 September 2024)

v1.118.0 (26 July 2024)

v1.117.0 (25 July 2024)

v1.116.0 (25 July 2024)

v1.115.0 (25 July 2024)

v1.114.0 (16 July 2024)

v1.113.0 (11 July 2024)

v1.112.0 (09 July 2024)

v1.111.0 (08 July 2024)

v1.110.0 (08 July 2024)

v1.109.0 (28 June 2024)

v1.108.0 (19 June 2024)

v1.107.0 (13 June 2024)

v1.106.0 (07 June 2024)

The following new API endpoints have been added:

v1.105.0 (06 June 2024)

v1.104.0 (4 June 2024)

v1.103.0 (30 May 2024)

v1.102.0 (24 May 2024)

v1.101.0 (21 May 2024)

v1.100.0 (20 May 2024)

v1.099.0 (9 May 2024)

v1.098.0 (24 April 2024)

v1.097.0 (24 April 2024)

v1.096.0 (23 April 2024)

v1.095.0 (22 April 2024)

v1.094.0 (17 April 2024)

v1.093.2 (15 April 2024)

v1.093.1 (08 April 2024)

v1.092.4 (17 March 2024)

v1.092.3 (04 March 2024)

v1.092.2 (29 February 2024)

v1.092.1 (28 February 2024)

v1.092.0 (12 February 2024)

v1.091.0 (7 February 2024)

v1.090.1 (1 February 2024)

v1.090.0 (31 January 2024)

v1.089.0 (25 January 2024)

v1.088.0 (27 October 2023)

v1.087.0 (26 October 2023)

v1.086.2 (20 September 2023)

v1.086.1 (7 September 2023)

v1.086.0 (6 June 2023)

v1.085.0 (3 April 2023)

v1.084.0 (28 February 2023)

v1.083.0 (31 January 2023)

v1.082.0 (5 November 2022)

v1.081.0 (29 October 2022)

v1.080.0 (15 September 2022)

v1.079.0 (17 August 2022)

v1.078.0 (28 July 2022)

v1.077.0 (30 June 2022)

v1.076.0 (23 June 2022)

v1.075.0 (17 June 2022)

v1.074.0 (27 May 2022)

v1.073.0 (25 May 2022)

v1.072.0 (28 April 2022)

v1.071.0 (28 March 2022)

v1.070.0 (2 March 2022)

v1.069.0 (3 November 2021)

v1.068.0 (22 September 2021)

v1.067.0 (3 July 2021)

v1.066.0 (12 May 2021)

v1.065.0 (28 April 2021)

v1.064.0 (17 March 2021)

v1.063.0 (18 February 2021)

v1.062.0 (12 December 2020)

v1.061.0 (30 November 2020)

v1.060.0 (14 November 2020)

v1.059.0 (2 September 2020)

v1.058.0 (24 August 2020)

v1.057.0 (19 August 2020)

v1.056.0 (9 July 2020)

v1.055.0 (8 July 2020)

v1.054.0 (12 June 2020)

v1.053.0 (27 February 2020)

v1.052.0 (27 January 2020)

v1.050.0 (16 January 2020)

v1.049.0 (8 January 2020)

v1.048.0 (21 November 2019)

v1.047.0 (21 October 2019)

v1.046.0 (7 October 2019)

v1.045.0 (19 September 2019)

v1.044.0 (18 September 2019)

v1.043.0 (24 July 2019)

v1.042.0 (11 July 2019)

v1.041.0 (4 July 2019)

v1.040.0 (19 June 2019)

v1.039.0 (13 June 2019)

Authentication

Account

Maturity: Under Development

The API endpoints in this section allow you to retrieve account data

Request account statistics

Code samples

POST /v1/org/{org}/account/;stats HTTP/1.1
Host: api.hardenize.com

POST /account/;stats

Maturity: Under Development

Request general statistics about the organization.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: AccountStatsResponse

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted. OperationStatus

Assessments

Maturity: Under Development

The API endpoints in this section allow you to create an assessment, as well as retrieve a status about your assessment.

Create assessment

Code samples

POST /v1/org/{org}/assessments HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /assessments

Maturity: Under Development

Creates an assessment.

Body parameter

{
  "hostname": "example.com",
  "clearCache": false
}

Parameters

Parameter In Type Description
body* body CreateAssessmentRequest The hostname for which the assessment is created.

Example responses

200 Response

{
  "assessment": {
    "id": "eaa6b8c0-5a12-4e5d-add0-fdafb4e89f5d",
    "host": "example.com",
    "path": "/",
    "unicodeHost": "example.com",
    "status": "in_progress",
    "epochTime": 1710854089,
    "statTcpConnections": 0,
    "statTcpEndpointsCount": 0,
    "expectedDuration": 0
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetAssessmentStatusResponse
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Gets status of an assessment

Code samples

GET /v1/org/{org}/assessments/{hostname};status HTTP/1.1
Host: api.hardenize.com

GET /assessments/{hostname};status

Maturity: Under Development

Retrieves the status of an assessment based on the provided hostname.

Parameters

Parameter In Type Description
hostname* path string The hostname for which assessment status is to be retrieved.

Example responses

200 Response

{
  "assessment": {
    "id": "81763d1c-3722-4e66-89ef-b811844bc46c",
    "host": "example.com",
    "path": "/",
    "unicodeHost": "example.com",
    "status": "available",
    "statusMessage": null,
    "epochTime": 1710773815,
    "statTcpConnections": 51,
    "statTcpEndpointsCount": 12,
    "expectedTcpConnections": 50,
    "expectedDuration": 0
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetAssessmentStatusResponse
400 Bad Request Bad request. The provided hostname is invalid. Inline

Response Schema

Status Code 400

Name Type Required Restrictions Description
» error string false none none

Audit Log

Maturity: Under Development

Audit logs represent a record of key events associated with an organization. They're designed to help with gaining and understanding of activity within an organization, document the associated changes and highlight relevant security events.

Please note that, whilst this feature is still in development, we may change the event schema as well as remove all events from time to time if necessary.

List audit events

Code samples

GET /v1/org/{org}/auditlog HTTP/1.1
Host: api.hardenize.com

GET /auditlog

Retrieves the audit events recorded within the requested time frame. This endpoint will change in due course, as this section matures, to add limits, and support for pagination and filtering.

Parameters

Parameter In Type Description
from query string(date-time) Timestamp of the earliest audit event to return, inclusive.
to query string(date-time) Timestamp of the latest audit event to return, inclusive.

Example responses

200 Response

{
  "events": [
    {
      "id": 10001,
      "actorType": "u",
      "actorId": "userId:12090749",
      "actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
      "timestamp": "2018-09-03T14:09:59.000Z",
      "remoteAddr": "18.233.176.231",
      "sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
      "resourceType": "user",
      "resourceId": "12090749",
      "action": "user.auth.succeeded",
      "status": 200,
      "details": {
        "method": "password"
      }
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListAuditEventsResponse

Configuration

Endpoints in this section provide access to the configuration of the current organization account, as well as make it possible to make configuration changes.

Get Access Control Configuration

Code samples

GET /v1/org/{org}/config/accessControl HTTP/1.1
Host: api.hardenize.com

GET /config/accessControl

Retrieves the current configuration of network access controls. If there are no allowed network ranges in the configuration, that means that all IP addresses are allowed.

Example responses

200 Response

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

Responses

Status Meaning Description Schema
200 OK Access Control Configuration GetAccessControlConfigResponse

Get Certificate Monitoring Configuration

Code samples

GET /v1/org/{org}/config/certificateMonitoring HTTP/1.1
Host: api.hardenize.com

GET /config/certificateMonitoring

Retrieves the current configuration of certificate monitoring.

Example responses

200 Response

{
  "notificationsEmailAddresses": [
    "dev@hardenize.com"
  ],
  "notificationsCustomText": "This is a custom text message",
  "pkiTeamId": "devteam",
  "notificationsSendOverdue": false,
  "notificationsSendCritical": false,
  "certsDueDays": 45,
  "certsOverdueDays": 6,
  "certsCriticalDays": 2,
  "vendorCertsCriticalDays": 2,
  "monitorNetworks": true,
  "includeNetworks": [
    "127.0.0.1/32"
  ],
  "excludeNetworks": [
    "127.0.0.1/32"
  ]
}

Responses

Status Meaning Description Schema
200 OK Certificate Monitoring Configuration CertificateMonitoringResponse

Get Certificate Transparency Monitoring Configuration

Code samples

GET /v1/org/{org}/config/ctMonitoring HTTP/1.1
Host: api.hardenize.com

GET /config/ctMonitoring

Retrieves the current configuration of certificate transparency monitoring.

Example responses

200 Response

{
  "discoveryEmailNotifications": "escalations",
  "closeCertKnown": false,
  "closeCertInstalled": false,
  "closeCertExpired": false,
  "closeCertRevoked": false,
  "closeCaaMatchFull": false,
  "closeIssuerAllowed": false,
  "closeAllowedIssuerKeywords": [
    "string"
  ],
  "closeAllowedIssuerKeywordsOverrides": [
    {
      "pattern": "string",
      "keywords": [
        "string"
      ]
    }
  ],
  "closeCaseInactive": true,
  "closeCaseInactiveDays": 60,
  "escalateCertNotInstalled": false,
  "escalateCertNotInstalledDays": 120,
  "escalateCaaMismatch": true,
  "escalateCertNotCtCompliant": false,
  "escalateIssuerNotAllowed": false,
  "escalateIssuerForbidden": true,
  "escalateForbiddenIssuerKeywords": [
    "forbidden"
  ],
  "escalateCertMaxLifetimeExceeded": false
}

Responses

Status Meaning Description Schema
200 OK Certificate Transparency Monitoring Configuration CtMonitoringResponse

Get Host Defaults Configuration

Code samples

GET /v1/org/{org}/config/hostDefaults HTTP/1.1
Host: api.hardenize.com

GET /config/hostDefaults

Retrieves the current configuration of host defaults.

Example responses

200 Response

{
  "newHostStatus": "archived",
  "newHostInheritStatus": true,
  "newHostInheritGroup": false
}

Responses

Status Meaning Description Schema
200 OK Host Defaults Configuration HostDefaultsResponse

Get Host Exclusions

Code samples

GET /v1/org/{org}/config/hostExclusions HTTP/1.1
Host: api.hardenize.com

GET /config/hostExclusions

Retrieves the current host exclusions

Example responses

200 Response

{
  "hostExclusions": [
    "example.com"
  ]
}

Responses

Status Meaning Description Schema
200 OK Host Exclusions HostExclusionsResponse

Get MFA Configuration

Code samples

GET /v1/org/{org}/config/mfa HTTP/1.1
Host: api.hardenize.com

GET /config/mfa

Retrieves the current multi-factor authentication (MFA) configuration.

Example responses

200 Response

{
  "mfaRequired": true
}

Responses

Status Meaning Description Schema
200 OK MFA Configuration GetMfaConfigResponse

Get Network Scanning Configuration

Code samples

GET /v1/org/{org}/config/networkScanning HTTP/1.1
Host: api.hardenize.com

GET /config/networkScanning

Retrieves the current network scanning configuration.

Example responses

200 Response

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

Responses

Status Meaning Description Schema
200 OK OK GetNetworkScanningConfigResponse

Get SAML Configuration

Code samples

GET /v1/org/{org}/config/saml HTTP/1.1
Host: api.hardenize.com

GET /config/saml

Retrieves the current SAML configuration.

Example responses

200 Response

{
  "enabled": true,
  "idpMetadata": "string"
}

Responses

Status Meaning Description Schema
200 OK SAML Configuration GetSamlConfigResponse

Update Access Control Configuration

Code samples

POST /v1/org/{org}/config/accessControl HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/accessControl

Updates the configuration of network access controls. When making changes to the allowed network ranges, please take care to whitelist the IP address from which the request is being made. To allow access from any IP address, submit an empty list. Not all fields need to be provided. Those that are provided will be updated; those that are not will retain their current values.

Body parameter

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

Parameters

Parameter In Type Description
body body UpdateAccessControlConfigRequest none

Example responses

200 Response

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": true,
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": true
}

Responses

Status Meaning Description Schema
200 OK OK UpdateAccessControlConfigResponse
400 Bad Request Invalid request parameters None
403 Forbidden Insufficient permissions to perform operation None

Update Certificate Monitoring Configuration

Code samples

POST /v1/org/{org}/config/certificateMonitoring HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/certificateMonitoring

Updates the configuration of certificate monitoring.

Body parameter

{
  "notificationsEmailAddresses": [
    "dev@hardenize.com"
  ],
  "notificationsCustomText": "This is a custom notification text",
  "pkiTeamId": "devteam",
  "notificationsSendOverdue": false,
  "notificationsSendCritical": true,
  "certsDueDays": 45,
  "certsOverdueDays": 12,
  "certsCriticalDays": 6,
  "vendorCertsCriticalDays": 6,
  "monitorNetworks": true,
  "includeNetworks": [
    "127.0.0.1/32"
  ],
  "excludeNetworks": [
    "127.0.0.1/32"
  ]
}

Parameters

Parameter In Type Description
body body UpdateCertificateMonitoringRequest none

Example responses

200 Response

{
  "notificationsEmailAddresses": [
    "dev@hardenize.com"
  ],
  "notificationsCustomText": "This is a custom text message",
  "pkiTeamId": "devteam",
  "notificationsSendOverdue": false,
  "notificationsSendCritical": false,
  "certsDueDays": 45,
  "certsOverdueDays": 6,
  "certsCriticalDays": 2,
  "vendorCertsCriticalDays": 2,
  "monitorNetworks": true,
  "includeNetworks": [
    "127.0.0.1/32"
  ],
  "excludeNetworks": [
    "127.0.0.1/32"
  ]
}

Responses

Status Meaning Description Schema
200 OK OK CertificateMonitoringResponse
400 Bad Request Invalid request parameters None
403 Forbidden Insufficient permissions to perform operation None

Update Certificate Transparency Monitoring Configuration

Code samples

POST /v1/org/{org}/config/ctMonitoring HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/ctMonitoring

Updates the configuration of certificate transparency monitoring.

Body parameter

{
  "discoveryEmailNotifications": "escalations",
  "closeCertKnown": false,
  "closeCertInstalled": true,
  "closeCertExpired": false,
  "closeCertRevoked": true,
  "closeCaaMatchFull": false,
  "closeIssuerAllowed": true,
  "closeAllowedIssuerKeywords": [
    "string"
  ],
  "closeAllowedIssuerKeywordsOverrides": [
    {
      "pattern": "string",
      "keywords": [
        "string"
      ]
    }
  ],
  "closeCaseInactive": false,
  "closeCaseInactiveDays": true,
  "escalateCertNotInstalled": false,
  "escalateCertNotInstalledDays": true,
  "escalateCaaMismatch": true,
  "escalateCertNotCtCompliant": false,
  "escalateIssuerNotAllowed": true,
  "escalateIssuerForbidden": false,
  "escalateForbiddenIssuerKeywords": [
    "string"
  ],
  "escalateCertMaxLifetimeExceeded": true
}

Parameters

Parameter In Type Description
body body UpdateCtMonitoringRequest none

Example responses

200 Response

{
  "discoveryEmailNotifications": "escalations",
  "closeCertKnown": false,
  "closeCertInstalled": false,
  "closeCertExpired": false,
  "closeCertRevoked": false,
  "closeCaaMatchFull": false,
  "closeIssuerAllowed": false,
  "closeAllowedIssuerKeywords": [
    "string"
  ],
  "closeAllowedIssuerKeywordsOverrides": [
    {
      "pattern": "string",
      "keywords": [
        "string"
      ]
    }
  ],
  "closeCaseInactive": true,
  "closeCaseInactiveDays": 60,
  "escalateCertNotInstalled": false,
  "escalateCertNotInstalledDays": 120,
  "escalateCaaMismatch": true,
  "escalateCertNotCtCompliant": false,
  "escalateIssuerNotAllowed": false,
  "escalateIssuerForbidden": true,
  "escalateForbiddenIssuerKeywords": [
    "forbidden"
  ],
  "escalateCertMaxLifetimeExceeded": false
}

Responses

Status Meaning Description Schema
200 OK OK CtMonitoringResponse
400 Bad Request Invalid request parameters None
403 Forbidden Insufficient permissions to perform operation None

Update Host Defaults Configuration

Code samples

POST /v1/org/{org}/config/hostDefaults HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/hostDefaults

Updates the configuration of host defaults.

Body parameter

{
  "newHostStatus": "archived",
  "newHostInheritStatus": true,
  "newHostInheritGroup": false
}

Parameters

Parameter In Type Description
body body UpdateHostDefaultsRequest none

Example responses

200 Response

{
  "newHostStatus": "archived",
  "newHostInheritStatus": true,
  "newHostInheritGroup": false
}

Responses

Status Meaning Description Schema
200 OK OK HostDefaultsResponse
400 Bad Request Invalid request parameters None
403 Forbidden Insufficient permissions to perform operation None

Update Host Exclusions

Code samples

POST /v1/org/{org}/config/hostExclusions HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/hostExclusions

Updates the list of host exclusions

Body parameter

{
  "hostExclusions": [
    [
      "example.com"
    ]
  ]
}

Parameters

Parameter In Type Description
body body UpdateHostExclusionsRequest none

Example responses

200 Response

{
  "hostExclusions": [
    "example.com"
  ]
}

Responses

Status Meaning Description Schema
200 OK OK HostExclusionsResponse
400 Bad Request Invalid request parameters None
403 Forbidden Insufficient permissions to perform operation None

Update MFA Configuration

Code samples

POST /v1/org/{org}/config/mfa HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/mfa

Updates the MFA configuration for this organization.

Body parameter

{
  "mfaRequired": true
}

Parameters

Parameter In Type Description
body body UpdateMfaConfigRequest none

Example responses

200 Response

{
  "mfaRequired": true
}

Responses

Status Meaning Description Schema
200 OK OK UpdateMfaConfigResponse
400 Bad Request Invalid request parameters None
403 Forbidden Insufficient permissions to perform operation or MFA not enabled for this organization None

Update Network Scanning Configuration

Code samples

POST /v1/org/{org}/config/networkScanning HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/networkScanning

Updates the network scanning configuration for this organisation. Not all fields need to be provided. Those that are provided will be updated; those that are not will retain their current values. Because we carry out network scanning as a slow operation stretched over the course of an entire day, it may take up to 24 hours for your changes to become active.

Body parameter

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

Parameters

Parameter In Type Description
body body UpdateNetworkScanningConfigRequest none

Example responses

200 Response

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

Responses

Status Meaning Description Schema
200 OK OK GetNetworkScanningConfigResponse
400 Bad Request Invalid request parameters None
403 Forbidden Insufficient permissions to perform operation None

Update SAML Configuration

Code samples

POST /v1/org/{org}/config/saml HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/saml

Updates the SAML configuration for this organization.

Body parameter

{
  "enabled": true,
  "idpMetadata": "string"
}

Parameters

Parameter In Type Description
body body UpdateSamlConfigRequest none

Example responses

200 Response

{
  "enabled": true,
  "idpMetadata": "string"
}

Responses

Status Meaning Description Schema
200 OK OK UpdateSamlConfigResponse
400 Bad Request Invalid request parameters None
403 Forbidden Insufficient permissions to perform operation or MFA not enabled for this organization None

Certificates

The API endpoints in this section allow you to retrieve information about all your certificates, as well as upload your new certificates to us as they become available.

Create certificate

Code samples

POST /v1/org/{org}/certs HTTP/1.1
Host: api.hardenize.com
Content-Type: application/x-pem-file

POST /certs

Use this API endpoint to upload a new certificate to your account. For example, if you've automated certificate generation, we suggest that you also automatically submit all new certificates to Hardenize. That way, when we observe the same certificate via Certificate Transparency, we will know for sure that it belongs to you. We may be able to determine that in any case if we see that the certificate has been installed, but uploading it to us makes this more reliable.

For best results, we recommend that you upload the entire certificate chain received from your CA. That will ensure we also add the required intermediates to your list of certificates. The leaf certificate must be placed first.

Body parameter

-----BEGIN CERTIFICATE-----
MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIx
CzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNV
BAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQD
Ey9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0Eg
MjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVs
dGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20w
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qv
s6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCC
AfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsO
UClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAA
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysG
AQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5j
b20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNv
bW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZl
ckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2Ny
dC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVT
ZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQu
Y29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5o
YXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDe
bJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2
pkP4CxvriyrLQwpB6s2RFQM=
-----END CERTIFICATE-----

Parameters

Parameter In Type Description
body* body string PEM-encoded certificate or certificate chain. If a chain is provided, the leaf certificate must be placed first.

Example responses

201 Response

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-12-20T16:02:26.559Z",
    "notAfter": "2024-12-20T16:02:26.559Z",
    "effectiveNotAfter": "2024-12-20T16:02:26.559Z",
    "revokedOn": "2024-12-20T16:02:26.559Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "RSAwithMD2",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-12-20T16:02:26.560Z",
    "lastSeen": "2024-12-20T16:02:26.560Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-12-20T16:02:26.560Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-12-20T16:02:26.560Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ],
          "tlsSupportedProtocols": [
            "TLSv1.2",
            "TLSv1.3"
          ],
          "tlsConfigurationLevel": "secure"
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-12-20T16:02:26.560Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  }
}

Responses

Status Meaning Description Schema
201 Created Certificate created. CreateCertResponse
202 Accepted Certificate already exists. CreateCertResponse
400 Bad Request Invalid certificate chain. None

Get certificate

Code samples

GET /v1/org/{org}/certs/{sha256} HTTP/1.1
Host: api.hardenize.com

GET /certs/{sha256}

Returns the certificate with the given SHA256 hash, if available in the account.

Parameters

Parameter In Type Description
sha256* path string none
extended query boolean if set, returns certificate with the following additional fields: analysis, matchedHosts, matchedWildcardHosts, thirdPartyHosts, deployments. Setting to false has no effect.

Detailed descriptions

extended: if set, returns certificate with the following additional fields: analysis, matchedHosts, matchedWildcardHosts, thirdPartyHosts, deployments. Setting to false has no effect.

Example responses

200 Response

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-12-20T16:02:26.563Z",
    "notAfter": "2024-12-20T16:02:26.563Z",
    "effectiveNotAfter": "2024-12-20T16:02:26.563Z",
    "revokedOn": "2024-12-20T16:02:26.563Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "RSAwithMD2",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-12-20T16:02:26.563Z",
    "lastSeen": "2024-12-20T16:02:26.563Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-12-20T16:02:26.563Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-12-20T16:02:26.563Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ],
          "tlsSupportedProtocols": [
            "TLSv1.2",
            "TLSv1.3"
          ],
          "tlsConfigurationLevel": "secure"
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-12-20T16:02:26.563Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  },
  "extras": {
    "status": "ok",
    "certsDueDays": 60,
    "certsOverdueDays": 13,
    "certsCriticalDays": 4,
    "certsLabels": "managed",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "precert": false
  }
}

Responses

Status Meaning Description Schema
200 OK Successfully retrieved certificate GetCertResponse
404 Not Found Certificate not found None

Get certificate statistics

Code samples

GET /v1/org/{org}/certs/;stats HTTP/1.1
Host: api.hardenize.com

GET /certs/;stats

Maturity: Under Development

Returns certificate statistics from the cache if they exist. If not returns 404 status.

Parameters

Parameter In Type Description
group query string If set, returns only the statistics for certificates that belong to the specified group.

Detailed descriptions

group: If set, returns only the statistics for certificates that belong to the specified group.

Example responses

202 Response

{
  "certStats": {
    "totals": {
      "activeOrNonExpired": 0,
      "onlyOwn": 0,
      "onlyThirdParty": 0,
      "onlyActive": 0
    },
    "summary": {
      "total": 0,
      "unique": 0,
      "certs": 0,
      "precerts": 0,
      "duplicates": 0,
      "valid": 0,
      "notYetValid": 0,
      "expired": 0,
      "effectivelyExpired": 0,
      "revoked": 0,
      "revokedNotExpired": 0,
      "endEntity": 0,
      "ca": 0
    },
    "thirdParty": {
      "total": 0,
      "unique": 0,
      "endEntity": 0,
      "ca": 0
    },
    "usage": {
      "active": 0,
      "expired": 0,
      "expirationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      }
    },
    "analysis": {
      "issuerCa": {
        "property1": 0,
        "property2": 0
      },
      "keyAlg": {
        "property1": 0,
        "property2": 0
      },
      "keyAlgLen": {
        "property1": 0,
        "property2": 0
      },
      "keyStrength": {
        "property1": 0,
        "property2": 0
      },
      "sigAlg": {
        "property1": 0,
        "property2": 0
      },
      "validation": {
        "property1": 0,
        "property2": 0
      },
      "lifetimes": {
        "property1": 0,
        "property2": 0
      },
      "wildcards": 0,
      "nonWildcards": 0
    },
    "activity": {
      "issuanceTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      },
      "revocationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      },
      "expirationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      }
    },
    "timestamp": "2024-12-20T16:02:26.564Z"
  },
  "extras": {
    "certsDueDays": 0,
    "certsOverdueDays": 0,
    "certsCriticalDays": 0
  }
}

Responses

Status Meaning Description Schema
202 Accepted Successfully retrieved certificate statistics CertsStatsResponse
404 Not Found Certificate statistics not found None

Get Certificate Trust Paths

Code samples

GET /v1/org/{org}/certs/{sha256}/trustPaths HTTP/1.1
Host: api.hardenize.com

GET /certs/{sha256}/trustPaths

Maturity: Under Development

Generates the trust paths for the certificate with the given SHA256 hash.

Parameters

Parameter In Type Description
sha256* path string none
pathOptions query string Determines the filters for trust path result.

Detailed descriptions

pathOptions: Determines the filters for trust path result.

all: Include all trust paths, valid paths and paths with errors. Default!

validPreferred: Prefer valid paths, but include all paths if none are valid.

validOnly: Only valid trust paths are returned. Empty result if none is valid.

Enumerated Values

Parameter Value
pathOptions all
pathOptions validPreferred
pathOptions validOnly

Example responses

200 Response

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.566Z",
      "notAfter": "2024-12-20T16:02:26.566Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.566Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.566Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ],
  "paths": [
    {
      "chain": [
        "46ef67b522f7fceb71c27a341e79a6ae6982b6a3f57bd804e0137db6bdf0c4c3",
        "1dfc1605fbad358d8bc844f76d15203fac9ca5c1a79fd4857ffaf2864fbebf96"
      ],
      "valid": true,
      "complete": true,
      "hasErrors": false,
      "depth": 3,
      "errors": []
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK Successfully found certificate and generated certificate trust paths CertificateTrustPaths
404 Not Found Certificate not found None

Get certificates calendar

Code samples

GET /v1/org/{org}/certs/;calendar HTTP/1.1
Host: api.hardenize.com

GET /certs/;calendar

Downloads the certificates calendar.

Parameters

Parameter In Type Description
groupId query string none

Example responses

200 Response

Responses

Status Meaning Description Schema
200 OK Successfully retrieved certificates calendar string

Get CT Log list

Code samples

GET /v1/org/{org}/certs/ctLogs HTTP/1.1
Host: api.hardenize.com

GET /certs/ctLogs

Retrieves the CT Log list.

Example responses

200 Response

{
  "ctLogs": [
    {
      "name": "Cloudflare 'Nimbus2023' Log",
      "url": "ct.cloudflare.com/logs/nimbus2023",
      "mmd": 86400,
      "lastIndex": 94000,
      "lastTimestamp": "2024-12-20T16:02:26.567Z"
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK CT Log list CtLogsResponse
400 Bad Request Invalid request parameters None
403 Forbidden You don't have permission to perform this operation. None

Get DigiCert Order

Code samples

GET /v1/org/{org}/certs/{sha256}/digicert/order HTTP/1.1
Host: api.hardenize.com

GET /certs/{sha256}/digicert/order

This endpoint can be used to retrieve a DigiCert Order associated with a certificate, provided there is a working DigiCert CertCentral integration in place. When invoked, we look for the order information using the CertCentral API. If we obtain a response, this endpoint will pass through the results back in its response. The full documentation for the response is available in DigiCert's API documentation.

Please note that, before invoking the CertCentral API, we can't tell if a certificate is the configured DigiCert account. If it's not, you will see a 404 response. We have also noticed that CertCentral sometimes responds with a 503 status code for a certificate that resides in someone else's account. That might happen if you attempt to fetch order information for a managed/third-party certificate issued by DigiCert. We try to detect this case early by checking the certificate before talking to CertCentral.

There is no caching of order information at present, but we anticipate that it will be added in a future release.

Parameters

Parameter In Type Description
sha256* path string none

Responses

Status Meaning Description Schema
200 OK Order information available None
400 Bad Request Invalid request or certificate not applicable None
404 Not Found Certificate or order not found None

List certificates

Code samples

GET /v1/org/{org}/certs HTTP/1.1
Host: api.hardenize.com

GET /certs

By default, this endpoint returns a list of all your certificates. If you provide one of the optional parameters, only the certificates matching the specified filters will be listed. If you provide multiple parameters, only the certificates matching all the specified filters will be listed.

Parameters

Parameter In Type Description
active query boolean If set, returns only active or inactive certificates
expired query boolean If set, returns only expired or non-expired certificates
expireInDays query integer If set, returns only certificates that have already expired or expire in the specified number of days, according to the effectiveNotAfter timestamp
host query string If set, returns only certificates that are valid for the specified host, either because they contain the exact hostname or because they are wildcards and contain the parent hostname (e.g., a search for blog.example.com will match *.example.com wildcards)
limit query integer If set, returns only up to the specified number of certificates.
newSince query string(date-time) If set, returns only certificates added to the account since the specified date.
excludeDuplicates query boolean if set to true, will return non duplicate certificates.
activeOrNonExpired query boolean If set to true, returns active or non-expired certificates. Setting to false has no effect.
spkiSha256 query string If set, returns only certificates whose public key (SPKI) matches the provided hash

Example responses

200 Response

{
  "certs": [
    {
      "shortId": "572908a",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "validation": "dv",
      "notBefore": "2024-12-20T16:02:26.568Z",
      "notAfter": "2024-12-20T16:02:26.568Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.568Z",
      "revokedOn": "2024-12-20T16:02:26.568Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "sanCount": 1,
      "caPathLen": -1,
      "wildcard": true,
      "selfSigned": false,
      "firstSeen": "2024-12-20T16:02:26.568Z",
      "lastSeen": "2024-12-20T16:02:26.568Z",
      "seenInstalled": true,
      "active": true,
      "precert": false,
      "duplicate": false,
      "managed": true,
      "ownership": "own",
      "label": "ssl760680.cloudflaressl.com",
      "matchesOrgHost": true,
      "symantecStatus": "symantecExcluded",
      "ctRequired": true,
      "ctCompliant": true,
      "ctLogs": [
        {
          "name": "rocketeer",
          "log": "ct.googleapis.com/rocketeer",
          "timestamp": 1533791245857,
          "index": 232455,
          "type": "cert",
          "sources": [
            "log",
            "tls"
          ]
        }
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
      "origin": "ct",
      "originTitle": "CT",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "parentHashes": [
        "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
        "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
      ],
      "parentHashesSource": "ct",
      "parentHashesComplete": true,
      "analysis": {
        "id": "ITEM_DOMAIN_REGISTRATION",
        "name": "Domain Registration",
        "status": "good",
        "remarks": [
          {
            "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
            "title": "Nameserver is not operational",
            "content": "Good. The private key associated with this certificate is secure.",
            "severity": "good",
            "data": {
              "Name": "dns1.registrar-servers.com.",
              "Address": "2610:a1:1024::200",
              "Reverse name": "dns1.registrar-servers.com."
            }
          }
        ]
      },
      "matchedHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "matchedWildcardHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "thirdPartyHosts": [
        "hardenize.com"
      ],
      "deployments": {
        "hosts": [
          {
            "hostname": "string",
            "service": "dns",
            "serviceHostname": "string",
            "lastSeen": "2024-12-20T16:02:26.568Z"
          }
        ],
        "services": [
          {
            "hostname": "string",
            "address": "string",
            "port": 0,
            "asNumber": 0,
            "asName": "string",
            "cloudProvider": "string",
            "cloudRegion": "string",
            "lastSeen": "2024-12-20T16:02:26.568Z",
            "certs": [
              "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
              "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
            ],
            "tlsSupportedProtocols": [
              "TLSv1.2",
              "TLSv1.3"
            ],
            "tlsConfigurationLevel": "secure"
          }
        ]
      },
      "lifetime": "PT17652H",
      "lifetimeDays": 736,
      "ku": [
        "keyEncipherment",
        "digitalSignature"
      ],
      "eku": [
        "serverAuth",
        "clientAuth"
      ],
      "mustStaple": true,
      "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
      "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
      "caIssuers": [
        "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
      ],
      "crl": [
        "http://crl3.digicert.com/sha2-ev-server-g2.crl",
        "http://crl4.digicert.com/sha2-ev-server-g2.crl"
      ],
      "ocsp": [
        "http://ocsp.digicert.com"
      ],
      "ctInfos": [
        {
          "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
          "timestamp": "2024-12-20T16:02:26.569Z",
          "name": "Google 'Xenon2024' log",
          "status": "Qualified"
        }
      ]
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListCertsResponse

List certificates summaries

Code samples

GET /v1/org/{org}/certs/summaries HTTP/1.1
Host: api.hardenize.com

GET /certs/summaries

By default, this endpoint returns a list of all your certificates. If you provide one of the optional parameters, only the certificates matching the specified filters will be listed. If you provide multiple parameters, only the certificates matching all the specified filters will be listed.

Parameters

Parameter In Type Description
active query boolean If set, returns only active or inactive certificates
expired query boolean If set, returns only expired or non-expired certificates
expireInDays query integer If set, returns only certificates that have already expired or expire in the specified number of days, according to the effectiveNotAfter timestamp
host query string If set, returns only certificates that are valid for the specified host, either because they contain the exact hostname or because they are wildcards and contain the parent hostname (e.g., a search for blog.example.com will match *.example.com wildcards)
limit query integer If set, returns only up to the specified number of certificates.
newSince query string(date-time) If set, returns only certificates added to the account since the specified date.
excludeDuplicates query boolean if set to true, will return non duplicate certificates.
activeOrNonExpired query boolean If set to true, returns active or non-expired certificates. Setting to false has no effect.
spkiSha256 query string If set, returns only certificates whose public key (SPKI) matches the provided hash
ownership query string If set, returns only certificates whose ownership matches the value in the regex pattern

Example responses

200 Response

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.570Z",
      "notAfter": "2024-12-20T16:02:26.570Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.570Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.570Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK CertificateSummaryResponse

List expiring certificates

Code samples

GET /v1/org/{org}/certs/expiringCerts/{groupLabel} HTTP/1.1
Host: api.hardenize.com

GET /certs/expiringCerts/{groupLabel}

Maturity: Under Development

Retrieves expiring certificates.

Parameters

Parameter In Type Description
groupLabel path string If set, returns only the expiring certificates whose domain belongs to the specified group.
interval query integer If set, returns only the expiring certificates in the last days days.
ignoreExpiredDays query integer If set, returns certificates expired more than ignoreExpiredDays days ago.
limit query integer If set, returns only the first limit expiring certificates.

Detailed descriptions

groupLabel: If set, returns only the expiring certificates whose domain belongs to the specified group.

interval: If set, returns only the expiring certificates in the last days days.

ignoreExpiredDays: If set, returns certificates expired more than ignoreExpiredDays days ago.

limit: If set, returns only the first limit expiring certificates.

Example responses

200 Response

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.571Z",
      "notAfter": "2024-12-20T16:02:26.571Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.571Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.571Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK CertificateSummaryResponse
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

List expiring endpoints

Code samples

GET /v1/org/{org}/certs/expiringEndpoints/{groupLabel} HTTP/1.1
Host: api.hardenize.com

GET /certs/expiringEndpoints/{groupLabel}

Maturity: Under Development

Retrieves a list of expiring endpoints, which are network locations where we're seeing certificates that are about to expire. When using this API endpoint, first you need to think whether you want to see certificates that have already expired. By default, you will get all expired certificates. If you want to see only a subset, use one of expiredSince, expiredForDays, or expiredForTier parameters. The second decision is about what still-valid certificates you want to see and for how long in the future. By default, we return the certificates that fall within the overdue tier, but you can use the expireBy, expireInDays, or expireInTier parameters to override this. It is sometimes useful to use tiers, because they are always translated to the correct time ranges based on your current settings.

Parameters

Parameter In Type Description
groupLabel path string If set, returns only the expiring endpoints whose domain belongs to the specified group.
expiredForDays query integer If set, returns only endpoints with certificates expired in the last expiredForDays days.
expiredSince query date-time If set, returns only endpoints with certificates that expired since the provided timestamp.
expiredForTier query string If set, converts the supplied tier to the correct expiredForDays value.
expireBy query date-time If set, returns only endpoints with certificates that will expire by the provided timestamp.
expireInDays query integer If set, returns only endpoints with certificates expiring in the next expireInDays days.
expireInTier query string If set, converts the supplied tier to the correct expireInTier value.
limit query integer If set, returns only the first limit expiring endpoints. The default limit is 1,000.
integration query string none

Detailed descriptions

groupLabel: If set, returns only the expiring endpoints whose domain belongs to the specified group.

expiredForDays: If set, returns only endpoints with certificates expired in the last expiredForDays days.

expiredSince: If set, returns only endpoints with certificates that expired since the provided timestamp.

expiredForTier: If set, converts the supplied tier to the correct expiredForDays value.

expireBy: If set, returns only endpoints with certificates that will expire by the provided timestamp.

expireInDays: If set, returns only endpoints with certificates expiring in the next expireInDays days.

expireInTier: If set, converts the supplied tier to the correct expireInTier value.

limit: If set, returns only the first limit expiring endpoints. The default limit is 1,000.

Example responses

200 Response

{
  "expiringEndpoints": [
    {
      "hostname": "example.net",
      "serviceHostname": "service.example.com",
      "serviceDomain": "example.com",
      "serviceAddress": "127.0.0.1",
      "servicePort": 443,
      "certNotAfter": "2024-12-20T16:02:26.572Z",
      "certEffectiveNotAfter": "2024-12-20T16:02:26.572Z",
      "serviceLastSeen": "2024-12-20T16:02:26.572Z",
      "certShortId": "572908a",
      "certSha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "certDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "certSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "certIssuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "certIssuerCa": "Let's Encrypt",
      "certSan": "*.hardenize.com",
      "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
      "asNumber": "12345",
      "hostClassificationStatus": "active",
      "hostClassificationTags": [
        [
          "signin"
        ]
      ],
      "tlsSupportedProtocols": [
        "TLSv1.2",
        "TLSv1.3"
      ],
      "tlsConfigurationLevel": "secure"
    }
  ],
  "extras": {
    "certsDueDays": 0,
    "certsOverdueDays": 0,
    "certsCriticalDays": 0
  }
}

Responses

Status Meaning Description Schema
200 OK OK ExpiringEndpointsResponse
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

List issuance history

Code samples

GET /v1/org/{org}/certs/issuanceHistory/{groupLabel} HTTP/1.1
Host: api.hardenize.com

GET /certs/issuanceHistory/{groupLabel}

Maturity: Under Development

Retrieves certificates issuance.

Parameters

Parameter In Type Description
groupLabel path string If set, returns only the certificates issuance whose domain belongs to the specified group.
interval query integer If set, returns only the certificates issuance in the last days days.
limit query integer If set, returns only the first limit certificates issuance.

Detailed descriptions

groupLabel: If set, returns only the certificates issuance whose domain belongs to the specified group.

interval: If set, returns only the certificates issuance in the last days days.

limit: If set, returns only the first limit certificates issuance.

Example responses

200 Response

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.573Z",
      "notAfter": "2024-12-20T16:02:26.573Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.573Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.573Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK CertificateSummaryResponse
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

List revoked certificates

Code samples

GET /v1/org/{org}/certs/revocationHistory/{groupLabel} HTTP/1.1
Host: api.hardenize.com

GET /certs/revocationHistory/{groupLabel}

Maturity: Under Development

Retrieves revoked certificates.

Parameters

Parameter In Type Description
interval query integer If set, returns only the revoked certificates which were revoked in the last days days.
limit query integer If set, returns only the first limit revoked certificates.
groupLabel path string If set, returns only the revoked certificates whose domain belongs to the specified group.

Detailed descriptions

interval: If set, returns only the revoked certificates which were revoked in the last days days.

limit: If set, returns only the first limit revoked certificates.

groupLabel: If set, returns only the revoked certificates whose domain belongs to the specified group.

Example responses

200 Response

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.574Z",
      "notAfter": "2024-12-20T16:02:26.574Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.574Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.574Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK CertificateSummaryResponse
400 Bad Request Invalid parameters None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Request certificates statistics

Code samples

POST /v1/org/{org}/certs/;stats HTTP/1.1
Host: api.hardenize.com

POST /certs/;stats

Maturity: Under Development

Request statistics about certificates in the organization.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: CertsStatsResponse

Parameters

Parameter In Type Description
group query string If set, returns only the statistics for certificates that belong to the specified group.

Detailed descriptions

group: If set, returns only the statistics for certificates that belong to the specified group.

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted. OperationStatus

Request certificates, paginated

Code samples

POST /v1/org/{org}/certs/;listCerts HTTP/1.1
Host: api.hardenize.com

POST /certs/;listCerts

Maturity: Under Development

Request a list of all your certificates.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: ListCertsResponse

Parameters

Parameter In Type Description
active query boolean If set, returns only active or inactive certificates
expired query boolean If set, returns only expired or non-expired certificates
expireInDays query integer If set, returns only certificates that have already expired or expire in the specified number of days, according to the effectiveNotAfter timestamp
host query string If set, returns only certificates that are valid for the specified host, either because they contain the exact hostname or because they are wildcards and contain the parent hostname (e.g., a search for blog.example.com will match *.example.com wildcards)
limit query integer If set, returns only up to the specified number of certificates.
newSince query string(date-time) If set, returns only certificates added to the account since the specified date.
excludeDuplicates query boolean if set to true, will return non duplicate certificates.
activeOrNonExpired query boolean If set to true, returns active or non-expired certificates. Setting to false has no effect.
spkiSha256 query string If set, returns only certificates whose public key (SPKI) matches the provided hash

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Update certificate

Code samples

POST /v1/org/{org}/certs/{sha256} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /certs/{sha256}

Updates the certificate with the given SHA256. Most certificate fields are read-only as they are extracted from certificates themselves. The fields that can be changed are related to how certificates are managed.

Body parameter

{
  "muted": true
}

Parameters

Parameter In Type Description
sha256* path string none
body body UpdateCertRequest none

Example responses

200 Response

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-12-20T16:02:26.575Z",
    "notAfter": "2024-12-20T16:02:26.575Z",
    "effectiveNotAfter": "2024-12-20T16:02:26.575Z",
    "revokedOn": "2024-12-20T16:02:26.575Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "RSAwithMD2",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-12-20T16:02:26.575Z",
    "lastSeen": "2024-12-20T16:02:26.575Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-12-20T16:02:26.576Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-12-20T16:02:26.576Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ],
          "tlsSupportedProtocols": [
            "TLSv1.2",
            "TLSv1.3"
          ],
          "tlsConfigurationLevel": "secure"
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-12-20T16:02:26.576Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  }
}

Responses

Status Meaning Description Schema
200 OK Certificate updated UpdateCertResponse
404 Not Found Certificate not found None

Certificate Discoveries

Maturity: Under Development

This section provides access to the certificate discoveries functionality. When Certificate Transparency (CT) monitoring is enabled in a Hardenize account, we monitor worldwide issuance of public certificates in real time. We further examine the hosts embedded in each certificate and import relevant certificates into the account. We further create an instance of certificate discovery, where we analyze the certificate for misissuance and conformance with organization policies.

Certificate discoveries are updated daily until they are closed, either manually or by one of the configured policy rules. Please note that the discovery fields preserve the last open state; they're not updated once the discovery is closed.

Get certificate discovery

Code samples

GET /v1/org/{org}/certDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com

GET /certDiscoveries/{id}

Maturity: Under Development

Returns the requested certificate discovery.

Example responses

200 Response

{
  "certDiscovery": {
    "certDiscoveryId": 11766,
    "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "createdOn": "2022-06-17T00:00:00Z",
    "updatedOn": "2022-06-17T00:00:00Z",
    "closedOn": "2022-06-17T00:00:00Z",
    "escalated": false,
    "status": "open",
    "resolution": "undetermined",
    "certSummary": {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.577Z",
      "notAfter": "2024-12-20T16:02:26.577Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.577Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.577Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    },
    "certKnown": false,
    "certInstalled": true,
    "certExpired": false,
    "certRevoked": false,
    "issuerAllowed": true,
    "issuerAllowedKeyword": "GlobalSign",
    "issuerNotAllowed": false,
    "issuerForbidden": false,
    "issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "caaMismatch": false,
    "caaMatchFull": false,
    "notCtCompliant": false,
    "maxLifetimeExceeded": false,
    "timeoutCaseInactive": false,
    "timeoutCertNotInstalled": false,
    "matchedHosts": [
      [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ]
    ],
    "matchedHostsInfo": {
      "property1": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      },
      "property2": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      }
    },
    "matchedHostsCaaHistory": {
      "property1": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-12-20T16:02:26.577Z",
          "lastSeen": "2024-12-20T16:02:26.577Z",
          "records": [
            "string"
          ]
        }
      ],
      "property2": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-12-20T16:02:26.577Z",
          "lastSeen": "2024-12-20T16:02:26.577Z",
          "records": [
            "string"
          ]
        }
      ]
    },
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ]
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetCertDiscoveryResponse
404 Not Found Cert discovery doesn't exist None

List certificate discoveries

Code samples

GET /v1/org/{org}/certDiscoveries HTTP/1.1
Host: api.hardenize.com

GET /certDiscoveries

Maturity: Under Development

Returns a list of certificate discoveries matching the search criteria.

Parameters

Parameter In Type Description
status query string If set, returns only the certificate discoveries matching the status.
limit query integer If set, returns only the first limit certificate discoveries.
since query string(date-time) If set, returns only certificate discoveries created since the specified date.

Detailed descriptions

status: If set, returns only the certificate discoveries matching the status.

limit: If set, returns only the first limit certificate discoveries.

since: If set, returns only certificate discoveries created since the specified date.

Example responses

200 Response

{
  "certDiscoveries": [
    {
      "certDiscoveryId": 11766,
      "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
      "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "createdOn": "2022-06-17T00:00:00Z",
      "updatedOn": "2022-06-17T00:00:00Z",
      "closedOn": "2022-06-17T00:00:00Z",
      "escalated": false,
      "status": "open",
      "resolution": "undetermined",
      "certSummary": {
        "shortId": "572908a",
        "label": "ssl760680.cloudflaressl.com",
        "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
        "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
        "keyAlg": "EC",
        "keyLen": 256,
        "keyStrength": 128,
        "sigAlg": "RSAwithMD2",
        "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
        "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
        "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
        "issuerCa": "Let's Encrypt",
        "ownership": "own",
        "notBefore": "2024-12-20T16:02:26.579Z",
        "notAfter": "2024-12-20T16:02:26.579Z",
        "effectiveNotAfter": "2024-12-20T16:02:26.579Z",
        "lifetimeDays": 736,
        "lifetimeDaysLeft": 125,
        "revokedOn": "2024-12-20T16:02:26.579Z",
        "hosts": [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ],
        "extras": {
          "status": "ok",
          "certsDueDays": 60,
          "certsOverdueDays": 13,
          "certsCriticalDays": 4,
          "certsLabels": "managed",
          "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
          "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
          "ku": [
            "keyEncipherment",
            "digitalSignature"
          ],
          "eku": [
            "serverAuth",
            "clientAuth"
          ],
          "mustStaple": true,
          "crl": [
            "http://crl3.digicert.com/sha2-ev-server-g2.crl",
            "http://crl4.digicert.com/sha2-ev-server-g2.crl"
          ],
          "ocsp": [
            "http://ocsp.digicert.com"
          ],
          "precert": false
        },
        "active": true,
        "caPathLen": -1,
        "nameDigestNewer": true
      },
      "matchedHosts": [
        [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ]
      ]
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListCertDiscoveriesResponse

Update certificate discovery

Code samples

POST /v1/org/{org}/certDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /certDiscoveries/{id}

Maturity: Under Development

Updates the requested certificate discovery.

Body parameter

{
  "status": "closed",
  "resolution": "reconciled"
}

Parameters

Parameter In Type Description
body* body UpdateCertDiscoveryRequest none

Example responses

200 Response

{
  "certDiscovery": {
    "certDiscoveryId": 11766,
    "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "createdOn": "2022-06-17T00:00:00Z",
    "updatedOn": "2022-06-17T00:00:00Z",
    "closedOn": "2022-06-17T00:00:00Z",
    "escalated": false,
    "status": "open",
    "resolution": "undetermined",
    "certSummary": {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.580Z",
      "notAfter": "2024-12-20T16:02:26.580Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.580Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.580Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    },
    "certKnown": false,
    "certInstalled": true,
    "certExpired": false,
    "certRevoked": false,
    "issuerAllowed": true,
    "issuerAllowedKeyword": "GlobalSign",
    "issuerNotAllowed": false,
    "issuerForbidden": false,
    "issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "caaMismatch": false,
    "caaMatchFull": false,
    "notCtCompliant": false,
    "maxLifetimeExceeded": false,
    "timeoutCaseInactive": false,
    "timeoutCertNotInstalled": false,
    "matchedHosts": [
      [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ]
    ],
    "matchedHostsInfo": {
      "property1": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      },
      "property2": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      }
    },
    "matchedHostsCaaHistory": {
      "property1": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-12-20T16:02:26.580Z",
          "lastSeen": "2024-12-20T16:02:26.580Z",
          "records": [
            "string"
          ]
        }
      ],
      "property2": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-12-20T16:02:26.580Z",
          "lastSeen": "2024-12-20T16:02:26.580Z",
          "records": [
            "string"
          ]
        }
      ]
    },
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ]
  }
}

Responses

Status Meaning Description Schema
200 OK Certificate updated UpdateCertDiscoveryResponse
404 Not Found Certificate not found None

Dashboards

The API endpoints in this section allow you to retrieve information about your dashboards.

Request dashboard statistics

Code samples

POST /v1/org/{org}/dashboards/;stats HTTP/1.1
Host: api.hardenize.com

POST /dashboards/;stats

Maturity: Under Development

Request general statistics about the organization.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: CreateDashboardResponse

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted. OperationStatus

DNS

DNS APIs can be used to synchronize your DNS configuration for Hardenize. Our first supported endpoint enables you to upload your DNS zone files, enabling Hardenize to discover new hosts.

Upload DNS zone

Code samples

POST /v1/org/{org}/dns/zones?root=example.com HTTP/1.1
Host: api.hardenize.com
Content-Type: text/plain

POST /dns/zones

Use this endpoint to upload your DNS zone file to Hardenize. The zone file will be parsed to find new hosts, which will then be added to the account.

Body parameter

$ORIGIN example.com.
$TTL 1h
@      IN  SOA   ns.example.com. admin.example.com. ( 2018081601 1d 2h 4w 1h )
@      IN  NS    ns
@      IN  MX    10 mx.example.com.
@      IN  A     192.0.2.1
       IN  AAAA  2001:db8:10::1
ns     IN  A     192.0.2.2
       IN  AAAA  2001:db8:10::2
www    IN  CNAME example.com.
mx     IN  A     192.0.2.3

Parameters

Parameter In Type Description
root* query string The root of the uploaded DNS zone, for example example.com.
body* body string DNS zone file

Responses

Status Meaning Description Schema
204 No Content Zone successfully processed None

Events

We use events to record various things of interest that happen in your account. For example, if we see a certificate that matches one of your domain names in Certificate Transparency (CT) logs, we can take that CT log entry and store it as an event. In this way, you can periodically retrieve the available events and stay up to date. Events are also used as basis for our event hooks, which provide real-time notifications.

We support the following event types:

Event Type Description Event Data
ct.entry One CT log entry matched to the account. The purpose of this event is to enable you to interface directly with the public CT logs while seeing only CT log entries that are relevant to you. One event of this type is generated for every appearance of precertificate and certificate in public CT logs. This usually means that there will be 2-5 events for every precertificate, depending on the certificate validity period. Certificates are also commonly seen in the logs, although that's not guaranteed. In most situations, the pki.cert.new is the more appropriate choice of you only care about new issuance events. We collect all information from your CT log entries even if this event is not enabled; within 24 hours of certificate issuance, the aggregated information will be stored in the appropriate Certificate record. MatchedCtEntry
issue.new New issue. Emitted whenever a new issue is created. Issue
issue.update Updated issue. Emitted every time an issue is updated. Issue
pki.cert.new New certificate or precertificate added to the account, from any source, including Certificate Transparency, network, or manual upload. The purpose of this event is to enable you to react, in real-time, when a new certificate becomes known. You should be aware that you will get potentially multiple objects for the same issuance. You can check for this using the tbsSha256 field, which has the same value in the precertificate/certificate combo. This event is generated for own and third-party certificates, including CA certificates. If the latter group is not of interest, check the event data fields to discard them. Certificate

Event Hooks

You can use event hooks to have your events pushed to you in real-time. We currently support two delivery mechanisms:

PubSub Event Delivery

PubSub event delivery is a message queue that's implemented on top of Google's PubSub service, which is highly available and stores events for up to 7 days. When we enable this event delivery type, we create one PubSub subscription for the entire account and enable the corresponding hook type. From that point onwards, you can use the API to control exactly which events are delivered to you.

PubSub messages transport event data in the main message body, with the metadata included via the message attributes. PubSub implements at-least-once delivery which means that you may get duplicate events. You can deal with this by designing your processing so that the duplicates don't matter, or by adding a deduplication layer (e.g., based on the unique event identifier). Another characteristic of PubSub is that it doesn't guarantee delivery of events in the chronological order. As such, PubSub may not be a good choice when the order matters.

If you're receiving issue updated via PubSub, make sure to check that the revision of the event you're processing is higher than the last known revision. Issues are typically updated once a day, meaning that you will not normally experience ordering issue if you're consuming events continuously.

Webhook Event Delivery

This mechanism submits events to an HTTPS endpoint that you control. This endpoint must be able to accept and process POST requests with event information. The events are transported in the request bodies, using the same format as the events obtained when you pull this information via this API.

When you successfully accept an event we send, you must respond with the 204 No Content status code and no data in the response body. We are particular about the response code because we want to be sure the webhook has been processed correctly. Seeing a 200 response is not really a guarantee of that, as it's common to see web servers configured to always respond with 200 status code, even on processing failure.

Generally speaking, it's always helpful to use meaningful status codes as that will help us understand the type of failure and modify our behavior accordingly. For example:

You should enable keep-alives on your server and use a long timeout value so that we can efficiently send you events in bulk.

It is important that you verify that you are receiving webhooks from us, and not from someone else. There are a couple of ways in which this can be archived. First, you could generate a long random string and embed it in the webhook URL, making it difficult for anyone to just guess the destination you're using. Second, you should check the event metadata to ensure that it matches your expectations. The metadata, which is transported in the request headers, includes a signature based on a per-hook secret.

If a webhook fails, we will continue to attempt delivery over the next 24 hours. Overall, we will attempt delivery of every event to you for about 10 times, backing off exponentially from the first attempt. We may disable webhooks that stay broken for an extended period of time.

Event Hook Metadata

We deliver events along with their associated metadata, as follows:

Event Signatures

We use HMAC-256 to sign a timestamped event body. The X-Hardenize-Signature metadata field will therefore include both the timestamp and the actual signature.

X-Hardenize-Signature: t=1539185809044;
  hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8

To verify the signature, first locate the secret corresponding to the event hook, using the combination of X-Hardenize-Org and X-Hardenize-EventHookId fields. After that, parse the X-Hardenize-Signature field to extract the timestamp and signature values. To do this, split the value at the semicolon, then extract the key-value pairs. Next, create a new data buffer by appending the timestamp (e.g., 1539185809044), followed by a semicolon (i.e., ;), followed by the verbatim request body. Finally, calculate the HMAC-SHA256 of the data buffer and compare your result with our signature. Please note that our signature is hex-encoded for transport. To do a correct comparison you'll have to either hex-decode it first, or hex-encode your calculation.

If you're worried about replay attacks, you will also need to check that the timestamp doesn't deviate significantly from the time you have. For this to work correctly you need to ensure that you always have the correct time on your server. Additionally, you'll need to be processing the events in near-real time or otherwise account for the processing delay on your end.

If you are unable to validate the event metadata, you must refuse to process the event. If in a webhook, respond with the 400 status code.

Event Collection Best Practices

Even though event hooks are not difficult to set up initially, getting them to work reliably and unattended over an extended period of time will require some effort. Things break. Use event hooks only if there aren't better ways to access the information. For example, if you're interested in the ct.entry and pki.cert.* hooks, consider that we process all the events ourselves, and that information stored in them is always available to you via this API. For example, if you want to keep a copy of all your certificates, it's usually easier to retrieve new and updated certificates daily.

Further, consider these best practices for event hook implementation:

Create event hook

Code samples

POST /v1/org/{org}/eventHooks HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /eventHooks

Creates a new event hook. Every new event hook starts off as disabled, which means that it's not going to receive events straight away. The expected workflow is to first create an event hook, configure the receiving end, run tests to ensure correct operation, and then finally enable the hook.

Body parameter

{
  "hookType": "webhook",
  "eventTypes": [
    "ct.entry"
  ],
  "status": "enabled",
  "destination": "https://hardenize.com/webhooks/receive"
}

Parameters

Parameter In Type Description
body body CreateEventHookRequest none

Example responses

200 Response

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Responses

Status Meaning Description Schema
200 OK Event hook created CreateEventHookResponse
403 Forbidden Insufficient permissions to perform operation None

Delete event hook

Code samples

DELETE /v1/org/{org}/eventHooks/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /eventHooks/{id}

Deletes the event hook with the specified identifier.

Parameters

Parameter In Type Description
id* path string Event hook identifier.

Responses

Status Meaning Description Schema
204 No Content Event hook deleted None
403 Forbidden Insufficient permissions to perform operation None
404 Not Found Event hook not found None

Get event

Code samples

GET /v1/org/{org}/events/{id} HTTP/1.1
Host: api.hardenize.com

GET /events/{id}

Returns the event with the specified identifier.

Parameters

Parameter In Type Description
id* path integer Event identifier.

Example responses

200 Response

{
  "event": {
    "id": 10001,
    "type": "ct",
    "createdOn": "2024-12-20T16:02:26.582Z",
    "apiVersion": "0.14.0",
    "data": {
      "field": "value"
    }
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetEventResponse
404 Not Found Event doesn't exist None

List event destinations

Code samples

GET /v1/org/{org}/eventDestinations HTTP/1.1
Host: api.hardenize.com

GET /eventDestinations

Lists all managed event destinations. Managed destinations are those that we control, for example PubSub topics.

Example responses

200 Response

{
  "eventDestinations": [
    {
      "destinationId": "pubsub://events/1/1005",
      "type": "pubsub",
      "project": "hz-events-pubsub",
      "topic": "projects/hz-events-pubsub/topics/ep-1-1005",
      "subscription": "ep-1-1005",
      "subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListEventDestinationsResponse

List event hooks

Code samples

GET /v1/org/{org}/eventHooks HTTP/1.1
Host: api.hardenize.com

GET /eventHooks

Lists event hooks that are configured in the account.

Example responses

200 Response

{
  "eventHooks": [
    {
      "id": "bfc384726b6447a4b70a171de49e466f",
      "hookType": "webhook",
      "eventTypes": [
        "ct.entry"
      ],
      "status": "enabled",
      "destination": "https://hardenize.com/webhooks/receive",
      "secret": "3685c06a966e4d0ea625d0b475719661"
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListEventHooksResponse

List event types

Code samples

GET /v1/org/{org}/eventTypes HTTP/1.1
Host: api.hardenize.com

GET /eventTypes

Lists all available event types, showing how they're configured for the account.

Example responses

200 Response

{
  "eventTypes": [
    {
      "name": "ct",
      "available": true,
      "enabled": true
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListEventTypesResponse

List events

Code samples

GET /v1/org/{org}/events HTTP/1.1
Host: api.hardenize.com

GET /events

Lists events available in the account. By default, all events are listed, with the earliest first. Because there is a forced limit of 100 events per invocation, to iterate over more than 100 events you will need to submit multiple requests, remember the timestamp of the last retrieved event, and use it as the since parameter in the subsequent invocation. If you provide one of the optional parameters, only the events matching the specified filters will be listed. If you provide multiple parameters, only the events matching all the specified filters will be listed.

Parameters

Parameter In Type Description
since query string(date-time) Returns only events that ocurred after the supplied time.
type query string Returns only events that match the supplied type.
limit query integer Limits the number of events in the response. The limit can range between 1 and 100. The default is 100.

Example responses

200 Response

{
  "events": [
    {
      "id": 10001,
      "type": "ct",
      "createdOn": "2024-12-20T16:02:26.583Z",
      "apiVersion": "0.14.0",
      "data": {
        "field": "value"
      }
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListEventsResponse

Test event hook

Code samples

POST /v1/org/{org}/eventHooks/{id};test HTTP/1.1
Host: api.hardenize.com

POST /eventHooks/{id};test

Tests the event hook with the specified identifier. By default, we send a test event, but it's possible to request mock events of other types using the eventType parameter. This API endpoint executes synchronously and may take longer than other API calls (especially in case of unresponsive receiving servers).

By default, we submit valid and syntactically events. During the configuration phase, it's useful to test how the receiver behaves with invalid data. We use the invalid parameter for this purpose. Set to any value except none, it instructs the API to intentionally break one element of the submission. In this case, the success criteria also changes. By default, we expect a 204 response, except when we're sending you a broken submission, in which case we expect a 400 in return.

Please note that, when testing deliveries via intermediaries, we're not able to detect processing failures of the final recipient, only of the intermediary. For example, when testing PubSub delivery, this endpoint will return success after successfully publishing to the message queue. Testing with broken events is still useful, but you'll need to detect the failures on the receiving end.

Parameters

Parameter In Type Description
id* path string Event hook identifier.
invalid query string Instructs the API to intentionally break one of the elements of the test submission. Default: none
eventType query string Determines the event type that will be sent to the event hook.

Enumerated Values

Parameter Value
invalid none
invalid hookId
invalid org
invalid payload
invalid signature
eventType ct.entry
eventType issue.new
eventType issue.update
eventType pki.cert.new
eventType test

Example responses

200 Response

{
  "successful": false,
  "errorMessage": "Expected 202 or 204 status code",
  "durationMillis": 5814,
  "pubsub": {
    "destination": "pubsub://events/1/1005",
    "message": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}",
    "attributes": {
      "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
      "X-Hardenize-Org": "demo",
      "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
    },
    "messageId": "260486610038606"
  },
  "webook": {
    "request": {
      "method": "POST",
      "url": "https://hardenize.com/webhooks/receive",
      "headers": {
        "Content-Type": "application/json; charset=UTF-8",
        "User-Agent": "Hardenize (https://www.hardenize.com)",
        "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
        "X-Hardenize-Org": "demo",
        "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
      },
      "body": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}"
    },
    "response": {
      "statusCode": 302,
      "headers": {
        "Location": "https://hardenize.com/redirection",
        "Cache-Control": "no-cache",
        "Connection": "keep-alive",
        "Content-Type": "text/plain; charset=UTF-8",
        "Date": "Wed, 10 Oct 2018 15:36:54 GMT",
        "Server": "nginx/1.10.3",
        "Transfer-Encoding": "chunked",
        "Vary": "Accept-Encoding"
      },
      "body": "OK"
    }
  }
}

Responses

Status Meaning Description Schema
200 OK Event hook test completed TestEventHookResponse
403 Forbidden Insufficient permissions to perform operation None
404 Not Found Event hook not found None

Update event hook

Code samples

POST /v1/org/{org}/eventHooks/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /eventHooks/{id}

Updates the event hook with the specified identifier.

Body parameter

{
  "eventTypes": [
    "ct.entry"
  ],
  "destination": "https://hardenize.com/webhooks/receive",
  "status": "disabled"
}

Parameters

Parameter In Type Description
id* path string Event hook identifier.
body body UpdateEventHookRequest none

Example responses

200 Response

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Responses

Status Meaning Description Schema
200 OK Event hook updated UpdateEventHookResponse
403 Forbidden Insufficient permissions to perform operation None
404 Not Found Event hook not found None

Update event type

Code samples

POST /v1/org/{org}/eventTypes/{name} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /eventTypes/{name}

Updates one event type, changing the enabled property to the specified value. When an event type is enabled, events of that type will be generated and stored in the database. Associated notifications will be dispatched. This operation will fail if the event type is not available in the account.

Body parameter

{
  "enabled": true
}

Parameters

Parameter In Type Description
name* path string Event type name.
body body UpdateEventTypeRequest none

Example responses

200 Response

{
  "eventType": {
    "name": "ct",
    "available": true,
    "enabled": true
  }
}

Responses

Status Meaning Description Schema
200 OK OK UpdateEventTypeResponse
403 Forbidden Not allowed to change status of event that's not available None
404 Not Found Event type doesn't exist None

Groups

We support groups as a general-purpose mechanism for categorization. For example, a host can be assigned zero, one, or more groups.

Create group

Code samples

POST /v1/org/{org}/groups HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /groups

Creates a new group. The name you choose should be short (especially if you're planning to assign multiple tags to individual entities) and must not already exist, using case-insensitive comparison.

Body parameter

{
  "name": "Production",
  "auto": true,
  "tags": [
    "production"
  ]
}

Parameters

Parameter In Type Description
body body CreateGroupRequest none

Example responses

201 Response

{
  "group": {
    "id": "production",
    "name": "Production",
    "auto": true,
    "tags": [
      "production"
    ]
  }
}

Responses

Status Meaning Description Schema
201 Created Group created CreateGroupResponse
400 Bad Request Invalid parameters None

Delete group

Code samples

DELETE /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /groups/{id}

Deletes a group. By default, only unused groups can be deleted, but you can specify the force parameter to override this behavior.

Parameters

Parameter In Type Description
id* path string The name of the group to delete.
force query boolean If this parameter is provided and set to true, the specified group will be deleted even if it's still in use.

Responses

Status Meaning Description Schema
204 No Content Group deleted None
400 Bad Request Invalid input None
403 Forbidden Forbidden None
404 Not Found Group not found None

Get group

Code samples

GET /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com

GET /groups/{id}

Retrieves group information.

Parameters

Parameter In Type Description
id* path string Group identifier.

Responses

Status Meaning Description Schema
200 OK OK None
400 Bad Request Bad Request None
403 Forbidden Forbidden None
404 Not Found Not found None

List groups

Code samples

GET /v1/org/{org}/groups HTTP/1.1
Host: api.hardenize.com

GET /groups

Returns a complete list of all groups used by the organization.

Example responses

200 Response

{
  "groups": [
    {
      "id": "production",
      "name": "Production",
      "auto": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListGroupsResponse

Update group

Code samples

POST /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /groups/{id}

Updates a group.

Body parameter

{
  "tags": [
    "production"
  ]
}

Parameters

Parameter In Type Description
id* path string Group identifier.
body body UpdateGroupRequest none

Responses

Status Meaning Description Schema
204 No Content Group updated None
400 Bad Request Invalid input None
403 Forbidden Forbidden None
404 Not Found Group not found None

Host Discovery

Host discovery is a feature of Hardenize designed to make it easier for organizations to build their host inventories and keep them up to date. Having a good inventory is key to having good visibility, so we aim to automate the maintenance tasks wherever possible. Where full automation is not possible, we do as much work as we can and present the information for manual review.

There are three principal ways in which new hosts are discovered. The first is the use of authoritative sources. For example, new hosts could be added manually (e.g., from a list of organization's domain names) or could be imported via an integration with existing systems (e.g., authoritative name servers). All accounts are initially populated with data in this way.

Once an account is bootstrapped, our automated discovery features kick in. An important source of information is our monitoring of public infrastructure. We maintain both historical databases and also follow new information that appears on the network. We then inspect these sources to import information that's connected to the account. A good example of this approach is import of new certificates via Certificate Transparency monitoring.

Finally, the third approach is the analysis and import from the data obtained from our own active monitoring of the hosts that are already in an account's host inventory. Because in this case we know that we're dealing with the data that belongs to the account owner, we're able to further refine our understanding and apply heuristics to make even more useful conclusions. For example, as we can your web sites we record and extract useful information from them.

How Host Discovery Works

To support host discovery, we monitor all hosts we come across (as part of both public and private monitoring). When we encounter a relevant host, we import it into the account and add it to the list od discovered hosts.

In some cases (e.g., suffix matching), our discovery is 100% accurate, and then we are able to add thew newly discovered host directly to the inventory. When that's not possible, the new host sits on the discovery list until a decision about it can be made.

If a host is not classified as belonging to the organization, the decision about it stays in the account so that it can be reused in the future.

Delete host discoveries

Code samples

DELETE /v1/org/{org}/hostDiscoveries/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

DELETE /hostDiscoveries/*

Deletes a list of host discoveries.

Body parameter

{
  "ids": [
    1
  ],
  "preview": true
}

Parameters

Parameter In Type Description
body body DeleteHostDiscoveriesRequest none

Example responses

200 Response

{
  "ids": [
    1
  ],
  "preview": true
}

Responses

Status Meaning Description Schema
200 OK OK DeleteHostDiscoveriesResponse
400 Bad Request Invalid request None

Get host discovery

Code samples

GET /v1/org/{org}/hostDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveries/{id}

Returns the specified host discovery.

Parameters

Parameter In Type Description
id* path integer The ID of the host discovery to be fetched.

Example responses

200 Response

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2024-12-20T16:02:26.586Z",
    "origin": "hdb",
    "originTitle": "HDB",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2024-12-20T16:02:26.586Z"
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetHostDiscoveryResponse
404 Not Found Host discovery doesn't exist None

List host discoveries

Code samples

GET /v1/org/{org}/hostDiscoveries HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveries

Returns a list of all host discoveries in the account. Optionally, use one of the supported filtering parameters to retrieve only the discoveries that match specific criteria.

Parameters

Parameter In Type Description
resolution query string If set, returns only the host discoveries with this particular resolution set.
discoveredSince query string(date-time) If set, returns only the hosts discoveries that have happened since the supplied date.
origin query string If set, returns only the host discoveries found with this match location.
limit query integer If set, returns only up to the specified number of hosts.

Enumerated Values

Parameter Value
resolution pending
resolution own
resolution supplier
resolution unrelated
resolution infringing
resolution phishing
origin hdb

Example responses

200 Response

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2024-12-20T16:02:26.587Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2024-12-20T16:02:26.587Z"
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListHostDiscoveriesResponse

Update host discoveries

Code samples

POST /v1/org/{org}/hostDiscoveries/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveries/*

Updates a list of host discoveries.

When changing the resolution, the resolution of all other discoveries that have a hostname matching the targetted discoveries effective hostname, are also updated.

When changing the resolution to "own", all affected discoveries are imported into your host inventory.

Body parameter

{
  "ids": [
    1
  ],
  "preview": true,
  "changes": {
    "resolution": "own",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Parameters

Parameter In Type Description
body body UpdateHostDiscoveriesRequest none

Example responses

200 Response

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2024-12-20T16:02:26.588Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2024-12-20T16:02:26.588Z"
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK UpdateHostDiscoveriesResponse
400 Bad Request Invalid request None

Update host discovery

Code samples

POST /v1/org/{org}/hostDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveries/{id}

Updates the specified host discovery. Setting the effective hostname is optional, but if a value is provided, it must be the same as the discovered hostname or one of its parents, and must not be a TLD (on the public suffix list). E.g if the discovered hostname is "www.test.example.com", you may set the effective hostname to "test.example.com" or "example.com", but not "com" and not "example.org".

When changing the resolution, the resolution of all other discoveries that have a hostname matching the targetted discoveries effective hostname, are also updated.

When changing the resolution to "own", all affected discoveries are imported into your host inventory.

Body parameter

{
  "resolution": "own",
  "groups": [
    "staging",
    "development"
  ]
}

Parameters

Parameter In Type Description
id* path integer The ID of the host discovery to be updated.
body body UpdateHostDiscoveryRequest none

Example responses

200 Response

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2024-12-20T16:02:26.589Z",
    "origin": "hdb",
    "originTitle": "HDB",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2024-12-20T16:02:26.589Z"
  }
}

Responses

Status Meaning Description Schema
200 OK OK UpdateHostDiscoveryResponse
404 Not Found Host discovery doesn't exist None

Host Discovery Nameservers

Nameserver monitoring is one of our favourite discovery techniques. We monitor the world's domain names to determine what nameservers they are delegated to and use that information to build a special discovery database. This subsequently enables us to quickly find all domain names delegated to a particular nameserver.

This discovery technique can be used only with an organization's private DNS nameservers, meaning that they host only domain names that belong to the same organization. They can be managed and provided by a third-party, but the name itself must not be shared.

We like this technique because it requires virtually no effort to identify new domains that belong to the organization. Once the private nameservers are identified, the discoveries happen automatically via continuous monitoring of new domains that appear in the name servers. Further, we help discover the private nameservers by monitoring all nameservers used by an account and looking for ones that appear to be used exclusively by the organization's domain names.

Create host discovery nameserver

Code samples

POST /v1/org/{org}/hostDiscoveryNameservers HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryNameservers

Creates one or more nameservers to for discovery purposes. Only private nameservers can be added to monitoring. As a way of enforcing this requirement, we check that the nameserver hostname matches a domain name that's in the host inventory. For example, if example.com is an organization domain name, then ns1.example.com nameserver can be added but ns1.example.org cannot.

Public servers must not be submitted for monitoring, even if they're under a domain name that is in the inventory.

Body parameter

{
  "hostnames": [
    "ns1.example.com"
  ]
}

Parameters

Parameter In Type Description
body body CreateHostDiscoveryNameserverRequest none

Example responses

204 Response

{
  "hostDiscoveryKeyword": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status Meaning Description Schema
204 No Content OK CreateHostDiscoveryNameserverResponse
400 Bad Request Invalid request None

Delete host discovery nameserver

Code samples

DELETE /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com

DELETE /hostDiscoveryNameservers/{hostname}

Deletes a host discovery nameserver.

Parameters

Parameter In Type Description
hostname* path string A fully-qualified domain name.

Responses

Status Meaning Description Schema
204 No Content Nameserver deleted None
404 Not Found Nameserver not found None

Get host discovery nameserver

Code samples

GET /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryNameservers/{hostname}

Retrieves a host discovery nameserver.

Parameters

Parameter In Type Description
hostname* path string A fully-qualified domain name.

Example responses

200 Response

{
  "hostDiscoveryNameserver": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetHostDiscoveryNameserverResponse
404 Not Found Nameserver not found None

List host discovery nameservers

Code samples

GET /v1/org/{org}/hostDiscoveryNameservers HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryNameservers

Returns a list of all host discovery nameservers in the account.

Example responses

200 Response

{
  "hostDiscoveryNameservers": [
    {
      "hostname": "ns1.hardenize.com",
      "punyHostname": "ns1.hardenize.com",
      "createdOn": "2020-06-10T15:36:49.044Z",
      "enabled": false,
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListHostDiscoveryNameserversResponse

List not-monitored private nameservers

Code samples

GET /v1/org/{org}/hostDiscoveryNameservers/privateNotMonitored HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryNameservers/privateNotMonitored

Returns a list of all private nameservers that are not already monitored. Our ability to discover your private nameservers depends on active monitored of the host inventory. As part of a host assessment, we check the nameservers and store them in the database. This endpoint builds a list of all nameservers we are aware of, keeps only those that are potentially private (based on the hostnames matching), and removes those that are already monitored.

Example responses

200 Response

[
  "example.com"
]

Responses

Status Meaning Description Schema
200 OK OK Inline

Response Schema

Update host discovery nameserver

Code samples

POST /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryNameservers/{hostname}

Updates one host discovery nameserver.

Body parameter

{
  "enabled": true
}

Parameters

Parameter In Type Description
hostname* path string A fully-qualified domain name.
body body UpdateHostDiscoveryNameserverRequest none

Example responses

200 Response

{
  "hostDiscoveryNameserver": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status Meaning Description Schema
200 OK Nameserver updated GetHostDiscoveryNameserverResponse
400 Bad Request Invalid parameters None
404 Not Found Nameserver not found None

Host Discovery Keywords

Hardenize supports discovery of new hosts based on keyword matching. To support this type of discovery we maintain a database of all domains and subdomains globally. When a keyword is added to an account, we schedule continuous monitoring of this database to discover all hostnames that match it.

Our keyword matching discovery is different from subdomain matching because keywords can match anywhere in the hostname. Additionally, we implement additional advanced matching techniques that look for variations. Our fuzzy matching starts with a keyword and generates many similar phrases using techniques designed to catch, for example, typosquatting. Separately, we have detection of confusables, where we detect phrases that are visually similar or identical to the configured keyword. We detect simple character substitution (e.g., tw1tter instead of twitter), as well as advanced obfuscation attempts using Unicode look-alike characters (also known as homoglyphs or homographs). If you'd like to see some examples, we maintain a public project where we showcase our detection of confusables for some popular keywords.

Using Keyword Discovery

To use keyword discovery, specify one or more keywords, configuring them according to what you wish to be discovered. We recommend that you initially start with stricter keywords, for example only domains that match a keyword exactly. With this approach, you will initially have fewer matches to deal with. As you settle on a discovery review workflow that works for you, you can then then pursue less strict matching, which will generate more useful matches (e.g., entire labels anywhere in the hostname), but is also likely produce false positives.

When a new keyword is added (or a keyword configured), we need to scan our entire database, which is a slow operation. Especially in the case of fuzzy and confusables matching, one keyword may result in hundreds of variations that we search for. The results of the first scan are therefore made available over night. Once that first scan is complete, we continue with real-time monitoring of newly observed domains and subdomains.

Match Limits

Because we have hundreds of millions in our database, keyword matching can result in too many matches when using with a phrase that's not specific enough. In order to deal with this problem, there is a limit to how many matches can be imported at any one time. This limit is designed to kick in when the keyword is used the first time. By default, this limit is set to 10,000 matches. If a keyword reaches this limit, it is disabled with an appropriate error message.

Availability

Keyword discovery features vary across account tiers. If keywords are enabled on an account, there are separate limits for standard and advanced keywords. The advanced keyword allowance can be used to create standard keywords, but the reverse is not possible. Advanced keywords (that support fuzzy matching and confusables) are an add-on and can be added to any package.

Create host discovery keyword

Code samples

POST /v1/org/{org}/hostDiscoveryKeywords HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryKeywords

Creates a new keyword to be used for host discovery. It's important to choose a good keyword that will not produce many false positives. For example, if you specified the word com, we would match on millions of hostnames.

Keyword matching never returns any hostnames that are considered to belong to the account organization. The exclusion happens automatically because those hostnames should have already been added to the account via suffix matching.

Body parameter

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

Parameters

Parameter In Type Description
body body CreateHostDiscoveryKeywordRequest none

Example responses

200 Response

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status Meaning Description Schema
200 OK OK CreateHostDiscoveryKeywordResponse
400 Bad Request Invalid request None

Delete host discovery keyword

Code samples

DELETE /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com

DELETE /hostDiscoveryKeywords/{keyword}

Deletes a host discovery keyword.

Parameters

Parameter In Type Description
keyword* path string The name of the keyword to delete.

Responses

Status Meaning Description Schema
204 No Content Keyword deleted None
404 Not Found Keyword not found None

Get host discovery keyword

Code samples

GET /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryKeywords/{keyword}

Retrieves a host discovery keyword.

Parameters

Parameter In Type Description
keyword* path string The name of the keyword to fetch.

Example responses

200 Response

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetHostDiscoveryKeywordResponse
404 Not Found Keyword not found None

List host discovery keywords

Code samples

GET /v1/org/{org}/hostDiscoveryKeywords HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryKeywords

Returns a list of all host discovery keywords in the account.

Example responses

200 Response

{
  "hostDiscoveryKeywords": [
    {
      "keyword": "hard",
      "enabled": true,
      "matchScope": "all",
      "matchPosition": "anywhere",
      "matchExact": true,
      "matchFuzzy": true,
      "matchConfusables": true,
      "exclusions": [
        "chard"
      ],
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListHostDiscoveryKeywordsResponse

Update host discovery keyword

Code samples

POST /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryKeywords/{keyword}

Updates host discovery keyword

Body parameter

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

Parameters

Parameter In Type Description
keyword* path string The name of the keyword to update.
body body UpdateHostDiscoveryKeywordRequest none

Example responses

200 Response

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status Meaning Description Schema
200 OK OK UpdateHostDiscoveryKeywordResponse
400 Bad Request Invalid request None

Hosts

Host management, which provides abilities to create and delete your hosts, as well as configure how they're monitored. You are also able to manage how hosts are discovered in this section.

In this section and elsewhere in the API, wherever we accept hostnames, we validate them and perform canonicalization: we convert them to lowercase, and strip the trailing dot if present. This means that the hosts we keep in the database will potentially be different at the character level from the hosts you input. However, they will be semantically the same.

Bulk create hosts

Code samples

POST /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hosts

Adds one or more hosts to the account. No errors will be reported if the list includes one or more hosts that already exist. In that situation, the existing hosts will be treated in the same way as the new hosts when it comes to their status and group membership. New groups are added if required, but existing group memberships won't be affected. If the status field is not provided then the initial host status will be automatically decided following the account rules for newly discovered hosts. By default, if a hostname with the www prefix is submitted, we strip the prefix and store only the parent domain. Our assessments always check both hostname variants. This behavior doesn't apply to special wholesale accounts.

Body parameter

{
  "hostnames": [
    "example.com"
  ],
  "status": "monitored",
  "axfr": "auto",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "name": "thename",
    "algorithm": "HMAC_MD5",
    "key": "base64key="
  },
  "groups": [
    "production"
  ]
}

Parameters

Parameter In Type Description
body body CreateHostsRequest Names of the hosts that are to be created, along with their initial status.

Responses

Status Meaning Description Schema
204 No Content Hosts added to the account None
400 Bad Request Invalid request None

Bulk delete hosts

Code samples

DELETE /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

DELETE /hosts

Deletes one or more hosts from the account. This operation will delete all the data exclusively associated with the specified hosts, as well as all their history. The subdomains are also deleted if the subdomains option is enabled. Use the delete operation only on the hosts that have been added to your account by mistake, in other words on the hosts that don't belong to you. For hosts that do belong to you but you wish to ignore, set their status to archived. Please note that not all host data may be immediately deleted; for some data that may be shared among different hosts we use reference counting via a garbage collection process that runs from time to time. Role: Admin.

Body parameter

{
  "hostnames": [
    "example.com"
  ],
  "subdomains": true,
  "preview": true
}

Parameters

Parameter In Type Description
body body DeleteHostsRequest none

Example responses

200 Response

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Responses

Status Meaning Description Schema
200 OK Hosts successfully deleted DeleteHostsResponse
400 Bad Request Invalid request None

Bulk update hosts

Code samples

POST /v1/org/{org}/hosts/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hosts/*

Updates one or more hosts that are already stored in the account.

Body parameter

{
  "hostnames": [
    "example.com"
  ],
  "preview": true,
  "subdomains": true,
  "changes": {
    "status": "monitored",
    "axfr": "enabled",
    "axfrHost": "stealth.ns.example.com",
    "axfrTsig": {
      "algorithm": "HMAC_MD5",
      "key": "base64key=",
      "name": "thename"
    },
    "groupOp": "add",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Parameters

Parameter In Type Description
body body UpdateHostsRequest none

Example responses

200 Response

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Responses

Status Meaning Description Schema
200 OK Hosts successfully updated UpdateHostsResponse
400 Bad Request Invalid request None

Get host

Code samples

GET /v1/org/{org}/hosts/{hostname} HTTP/1.1
Host: api.hardenize.com

GET /hosts/{hostname}

Returns the host with the specified name.

Parameters

Parameter In Type Description
hostname* path string The name of the host whose data you wish to retrieve.

Example responses

200 Response

{
  "host": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-12-20T16:02:26.594Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-12-20T16:02:26.594Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-12-20T16:02:26.594Z",
      "lastRegLookupTime": "2024-12-20T16:02:26.594Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-12-20T16:02:26.594Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-12-20T16:02:26.595Z",
      "lastAssessmentTime": "2024-12-20T16:02:26.595Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-12-20T16:02:26.595Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-12-20T16:02:26.595Z",
      "domainExpireTime": "2024-12-20T16:02:26.595Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK GetHostResponse
400 Bad Request Invalid request None
404 Not Found Host not found None

Get Host Screenshot

Code samples

GET /v1/org/{org}/hosts/{hostname}/screenshot HTTP/1.1
Host: api.hardenize.com

GET /hosts/{hostname}/screenshot

Returns screenshot for the specified host

Parameters

Parameter In Type Description
hostname* path string The name of the host whose screenshot you wish to retrieve.

Example responses

200 Response

Responses

Status Meaning Description Schema
200 OK OK string
400 Bad Request Invalid request None
404 Not Found Host not found None

Get host services

Code samples

GET /v1/org/{org}/hosts/{hostname}/services HTTP/1.1
Host: api.hardenize.com

GET /hosts/{hostname}/services

Returns the services, endpoints and certificates for a host with the specified name.

Parameters

Parameter In Type Description
hostname* path string The name of the host whose data you wish to retrieve.
extended query boolean if set, returns host with extras field. Setting to false has no effect.

Detailed descriptions

extended: if set, returns host with extras field. Setting to false has no effect.

Example responses

200 Response

{
  "hostServices": {
    "hosts": [
      {
        "hostname": "string",
        "service": "dns",
        "serviceHostname": "string",
        "lastSeen": "2024-12-20T16:02:26.596Z"
      }
    ],
    "services": [
      {
        "hostname": "string",
        "address": "string",
        "port": 0,
        "asNumber": 0,
        "asName": "string",
        "cloudProvider": "string",
        "cloudRegion": "string",
        "lastSeen": "2024-12-20T16:02:26.596Z",
        "certs": [
          "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
          "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
        ],
        "tlsSupportedProtocols": [
          "TLSv1.2",
          "TLSv1.3"
        ],
        "tlsConfigurationLevel": "secure"
      }
    ],
    "certificates": [
      {
        "shortId": "572908a",
        "label": "ssl760680.cloudflaressl.com",
        "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
        "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
        "keyAlg": "EC",
        "keyLen": 256,
        "keyStrength": 128,
        "sigAlg": "RSAwithMD2",
        "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
        "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
        "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
        "issuerCa": "Let's Encrypt",
        "ownership": "own",
        "notBefore": "2024-12-20T16:02:26.596Z",
        "notAfter": "2024-12-20T16:02:26.596Z",
        "effectiveNotAfter": "2024-12-20T16:02:26.596Z",
        "lifetimeDays": 736,
        "lifetimeDaysLeft": 125,
        "revokedOn": "2024-12-20T16:02:26.596Z",
        "hosts": [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ],
        "extras": {
          "status": "ok",
          "certsDueDays": 60,
          "certsOverdueDays": 13,
          "certsCriticalDays": 4,
          "certsLabels": "managed",
          "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
          "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
          "ku": [
            "keyEncipherment",
            "digitalSignature"
          ],
          "eku": [
            "serverAuth",
            "clientAuth"
          ],
          "mustStaple": true,
          "crl": [
            "http://crl3.digicert.com/sha2-ev-server-g2.crl",
            "http://crl4.digicert.com/sha2-ev-server-g2.crl"
          ],
          "ocsp": [
            "http://ocsp.digicert.com"
          ],
          "precert": false
        },
        "active": true,
        "caPathLen": -1,
        "nameDigestNewer": true
      }
    ],
    "extras": {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-12-20T16:02:26.596Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-12-20T16:02:26.596Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-12-20T16:02:26.596Z",
      "lastRegLookupTime": "2024-12-20T16:02:26.596Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-12-20T16:02:26.596Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-12-20T16:02:26.596Z",
      "lastAssessmentTime": "2024-12-20T16:02:26.596Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-12-20T16:02:26.596Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-12-20T16:02:26.596Z",
      "domainExpireTime": "2024-12-20T16:02:26.596Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetHostServicesResponse
400 Bad Request Invalid request None
404 Not Found Host not found None

Get host stats

Code samples

GET /v1/org/{org}/hosts/;stats HTTP/1.1
Host: api.hardenize.com

GET /hosts/;stats

Returns host statistics from the database. If not returns 404 status.

Example responses

200 Response

{
  "monitored": 0,
  "archived": 0,
  "idle": 0,
  "total": 0,
  "domains": 0,
  "subdomains": 0
}

Responses

Status Meaning Description Schema
200 OK OK GetHostStatsResponse
404 Not Found Host stats not found None

List hosts

Code samples

GET /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com

GET /hosts

Returns a list of all hosts in the account. If you provide one of the optional parameters, only the hosts matching the specified filters will be listed. If you provide multiple parameters, only the certificates matching all the specified filters will be listed.

Parameters

Parameter In Type Description
group query string If set, returns only the hosts that belong to the specified group.
hostname query string If set, returns only the hosts whose names match the parameter. One or more hosts may be returned, depending on whether subdomains are being included.
limit query integer If set, returns only up to the specified number of hosts.
nx query boolean If set, returns only the hosts with nx matching this value
origin query string If set, returns only the hosts whose origin matches the parameter.
status query string If set, returns only the hosts whose statuses match the parameter.
subdomains query boolean If set, extends the host matching to include all subdomains of the specified name. Default: true.
regRegistry query boolean If set, extends the host matching to include all domains immediately under a registry suffix.
regPublic query boolean If set, extends the host matching to include all domains immediately under a public suffix.

Enumerated Values

Parameter Value
origin cert
origin ct
origin hdb
origin manual
status monitored
status idle
status archived

Example responses

200 Response

{
  "hosts": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-12-20T16:02:26.598Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-12-20T16:02:26.598Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-12-20T16:02:26.598Z",
      "lastRegLookupTime": "2024-12-20T16:02:26.598Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-12-20T16:02:26.598Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-12-20T16:02:26.598Z",
      "lastAssessmentTime": "2024-12-20T16:02:26.598Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-12-20T16:02:26.598Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-12-20T16:02:26.598Z",
      "domainExpireTime": "2024-12-20T16:02:26.598Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListHostsResponse
400 Bad Request Invalid request None

Request hosts PDF report

Code samples

POST /v1/org/{org}/hosts/{hostname}/pdfReport HTTP/1.1
Host: api.hardenize.com

POST /hosts/{hostname}/pdfReport

Requests a PDF of a report for the specified host. The PDF will be generated asynchronously from the latest assessment results, and it wont trigger an assessment it's self.

Successful response file: PdfFile

Parameters

Parameter In Type Description
hostname path undefined The name of the host

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": true,
  "statusCode": 200,
  "contentType": "application/json; charset=UTF-8",
  "pages": 10,
  "rows": 2494,
  "rowsPerPage": 250
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus

Request zone transfer

Code samples

POST /v1/org/{org}/hosts/{hostname};zoneTransfer HTTP/1.1
Host: api.hardenize.com

POST /hosts/{hostname};zoneTransfer

Asynchronous operation. Requests a zone transfer for this name, using the configured settings. This endpoint is useful if you wish to test if a zone transfer can be successfully completed, or if you wish to inspect the state of a particular zone in real time.

DNS zone transfers are usually not allowed from public IP addresses. For this reason we perform this type of zone transfer from a separate set static IP addresses, also known as our integrations outbound addresses. You'll find them documented in your Hardenize account. However, even though these IP addresses uniquely identify us, they shouldn't be trusted as such, given that we use them for all our integrations traffic and all our customers.

Successful response data schema: ZoneTransferResponse

Parameters

Parameter In Type Description
hostname* path string The name of the host.

Detailed descriptions

hostname: The name of the host.

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Identities

To find related domain names, we monitor all configuration aspects of your known domain names and hosts to extract your unique identities. With those in hand, we then continuously monitor global databases to discover new domain names associated with those identities.

Identities are automatically discovered, but need to be manually verified and enabled. This is because the process of finding associated domains is not exact. Some identities, although correct, can be considered to be weak because they will result in false positives. For example, an identity digicert may find DigiCert, Inc. but also DigiCert Sdn. Bhd. These are two different companies. At the end of the day, it's up to you to determine if a particular identity is useful. False positives create more work for you because they beed to be manually reviewed and excluded, but sometimes there may not be a better way to discover everything that needs to be discovered.

Delete identity

Code samples

DELETE /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /identities/{id}

Delete an existing identity. This endpoints should be used to remove identities that were mistakenly considered to be unique, after they are reviewed.

Parameters

Parameter In Type Description
id* path integer The ID of the identity to be deleted.

Responses

Status Meaning Description Schema
204 No Content OK None
403 Forbidden Forbidden None
404 Not Found Not Found None

Get identity

Code samples

GET /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com

GET /identities/{id}

Returns the specified identity.

Parameters

Parameter In Type Description
id* path integer The ID of the identity to be fetched.

Example responses

200 Response

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2024-12-20T16:02:26.600Z",
    "lastSeen": "2024-12-20T16:02:26.600Z",
    "lastCheck": "2024-12-20T16:02:26.600Z",
    "error": "Not a unique identity.",
    "errorTime": "2024-12-20T16:02:26.600Z"
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetIdentityResponse
404 Not Found Identity doesn't exist None

List identities

Code samples

GET /v1/org/{org}/identities HTTP/1.1
Host: api.hardenize.com

GET /identities

Returns a list of all identities in the account.

Example responses

200 Response

{
  "identities": [
    {
      "identityId": 11113,
      "type": "dns_soa_rname",
      "enabled": true,
      "identity": "postmaster@example.com",
      "createdOn": "2024-12-20T16:02:26.600Z",
      "lastSeen": "2024-12-20T16:02:26.600Z",
      "lastCheck": "2024-12-20T16:02:26.600Z",
      "error": "Not a unique identity.",
      "errorTime": "2024-12-20T16:02:26.600Z"
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListIdentitiesResponse

Update identity

Code samples

POST /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /identities/{id}

Updates the specified identity. The only supported operation is control of whether an identity is enabled, meaning it's actively used to discover associated assets. Only unique identities can be enabled. Normally, only unique identities will be added, but it's possible that an identity is identified as shared after the fact. Such identities will be automatically disabled and should be removed.

Body parameter

{
  "enabled": true
}

Parameters

Parameter In Type Description
id* path integer The ID of the identity to be updated.
body body UpdateIdentityRequest none

Example responses

200 Response

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2024-12-20T16:02:26.601Z",
    "lastSeen": "2024-12-20T16:02:26.601Z",
    "lastCheck": "2024-12-20T16:02:26.601Z",
    "error": "Not a unique identity.",
    "errorTime": "2024-12-20T16:02:26.601Z"
  }
}

Responses

Status Meaning Description Schema
200 OK OK UpdateIdentityResponse
400 Bad Request Invalid request; details in the response None
404 Not Found Identity doesn't exist None

Integrations

The API endpoints in this section allow you to configure Hardenize to access information in third party systems that contain information about your infrastructure. For example, if you use AWS Route 53, we can pull information about your registered domains as well as the configured DNS zones.

Different types of integrations require different workflows. For example, some integrations (for example, Azure) require only parameters that can be obtained from the other vendor. In other cases (for example, AWS and GCP) you will need to get some data from us, submit it to the third-party, and finally come back to us again to finalize the integration. Please refer to the documentation for more information.

AWS: Setup integrations

Code samples

POST /v1/org/{org}/integrations/aws/;setup HTTP/1.1
Host: api.hardenize.com

POST /integrations/aws/;setup

Prepares your Hardenize account to support AWS integrations and returns the parameters that will need to be used on the AWS side.

Example responses

200 Response

{
  "externalId": "hardenize-1uspdz"
}

Responses

Status Meaning Description Schema
200 OK OK SetupAwsIntegrationsResponse
403 Forbidden Forbidden None

Create integration

Code samples

POST /v1/org/{org}/integrations HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /integrations

Creates a new integration in your account.

Body parameter

{
  "type": "aws",
  "name": "My Test Integration",
  "ref": "123456789012",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "string"
  }
}

Parameters

Parameter In Type Description
body body CreateIntegrationRequest none

Example responses

200 Response

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-12-20T16:02:26.603Z",
    "nextRunTime": "2024-12-20T16:02:26.603Z",
    "lastRunTime": "2024-12-20T16:02:26.603Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Responses

Status Meaning Description Schema
200 OK OK CreateIntegrationResponse
400 Bad Request Invalid request None
403 Forbidden Forbidden None

Delete integration

Code samples

DELETE /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com

DELETE /integrations/{integrationId}

Delete an existing integration.

Parameters

Parameter In Type Description
integrationId* path string The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Responses

Status Meaning Description Schema
204 No Content OK None
403 Forbidden Forbidden None
404 Not Found Not Found None

GCP: Setup integrations

Code samples

POST /v1/org/{org}/integrations/gcp/;setup HTTP/1.1
Host: api.hardenize.com

POST /integrations/gcp/;setup

Prepares your Hardenize account to support GCP integrations and returns the parameters that will need to be used on the GCP side.

Example responses

200 Response

{
  "serviceAccount": "integration-customer-abc123@hardenize-app-production.iam.gserviceaccount.com"
}

Responses

Status Meaning Description Schema
200 OK OK SetupGcpIntegrationsResponse
403 Forbidden Forbidden None

Get integration

Code samples

GET /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com

GET /integrations/{integrationId}

Retrieves one integration

Parameters

Parameter In Type Description
integrationId* path string The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Example responses

200 Response

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-12-20T16:02:26.604Z",
    "nextRunTime": "2024-12-20T16:02:26.604Z",
    "lastRunTime": "2024-12-20T16:02:26.604Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetIntegrationResponse
403 Forbidden Forbidden None
404 Not Found Not Found None

List integrations

Code samples

GET /v1/org/{org}/integrations HTTP/1.1
Host: api.hardenize.com

GET /integrations

Returns a list of currently configured integrations.

Example responses

200 Response

{
  "integrations": [
    {
      "integrationId": 1,
      "name": "My Test Integration",
      "ref": "348394209898",
      "type": "aws",
      "enabled": true,
      "tags": [
        "production"
      ],
      "error": "Invalid credentials for logging in to integration",
      "errorTime": "2024-12-20T16:02:26.605Z",
      "nextRunTime": "2024-12-20T16:02:26.605Z",
      "lastRunTime": "2024-12-20T16:02:26.605Z",
      "lastRunErrors": [
        "Unable to obtain list of registered domain names."
      ],
      "config": {
        "accountId": "string"
      }
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListIntegrationsResponse
403 Forbidden Forbidden None

Request integration run

Code samples

POST /v1/org/{org}/integrations/{integrationId};run HTTP/1.1
Host: api.hardenize.com

POST /integrations/{integrationId};run

Request integration to run as soon as possible. This endpoint will scheduled the integration, updating the nextRunTime field. A background process will pick up the change and the integration should run within a few minutes. After the integration has run, the lastRunTime field will be updated.

Parameters

Parameter In Type Description
integrationId* path string The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Responses

Status Meaning Description Schema
204 No Content OK None
400 Bad Request Invalid request (integration disabled) None
403 Forbidden Forbidden None
404 Not Found Not Found None

Test integration connectivity

Code samples

POST /v1/org/{org}/integrations/{integrationId};test HTTP/1.1
Host: api.hardenize.com

POST /integrations/{integrationId};test

Tests if the integration is correctly configured and we are able to successfully connect to the third-party system. If you're interested in the operation of an integration beyond authentication, use the run option, which will authenticate but also attempt to exercise all the configured functionality.

Parameters

Parameter In Type Description
integrationId* path string The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Example responses

200 Response

{
  "success": false,
  "error": "Failed to authenticate"
}

Responses

Status Meaning Description Schema
200 OK OK TestIntegrationResponse
403 Forbidden Forbidden None
404 Not Found Not Found None

Update integration

Code samples

POST /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /integrations/{integrationId}

Update an existing integration

Body parameter

{
  "name": "My Test Integration",
  "ref": "348394209898",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "123456789012"
  }
}

Parameters

Parameter In Type Description
body body UpdateIntegrationRequest none
integrationId* path string The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Example responses

200 Response

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-12-20T16:02:26.606Z",
    "nextRunTime": "2024-12-20T16:02:26.606Z",
    "lastRunTime": "2024-12-20T16:02:26.606Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Responses

Status Meaning Description Schema
200 OK OK UpdateIntegrationResponse
400 Bad Request Invalid request None
403 Forbidden Forbidden None
404 Not Found Not Found None

Issues

Maturity: Under Development

The Issues subsystem is where we track actionable insights for aspects of network infrastructure that need to be worked on. At this time, for example, we generate issues for a variety of problems related to DNS configuration, domain name registration, CT monitoring, and certificate expiration.

An issue is given a unique identifier for tracking purposes. Their title and description will explain the basics. Look at the subject, subjectDomain, and severity fields to understand the potential impact. Additional metadata fields are available to help you make sense of the problem and its severity. Issue fields are documented in the Issue schema.

Conceptually, issues are simple. We create them when we encounter problems we think you might want to know about it. After that, you can choose to act on them. We automatically close issues when we detect that they are no longer manifesting.

Issue Lifecycle

At the most basic level, we track issues based on whether they are open or closed. This is done via the open field. An open issue points to something that needs to be worked on. Once the work is complete, the issue is considered closed.

When nuance is required, the status field is used to provide a more granular description of issue status, describing, for example, how it will be dealt with or how it's been resolved.

Most issues will have one of the two main statuses:

Issues can have one of the following statuses if they are ignored or if dealing with them is postponed:

Finally, there are several status that we use when issues are no longer relevant:

Open issues can only be active or snoozed. Closed issues can take any of the other statuses.

In our current implementation, we support only issues that are created automatically from infrastructure monitoring. They are also automatically closed. Until that happens, it's possible to override the active status and change it to one of ignored, snoozed, or bogus.

There is a periodic background process that looks for issues that are no longer relevant and assigns them one of abandoned, deprecated, or orphaned.

Get issue

Code samples

GET /v1/org/{org}/issues/{issueId} HTTP/1.1
Host: api.hardenize.com

GET /issues/{issueId}

Returns the issue that matches the supplied identifier.

Parameters

Parameter In Type Description
issueId* path integer The identifier of the desired issue.

Example responses

200 Response

{
  "integration": {
    "issueId": 10001,
    "revision": 1,
    "definitionId": "DNS1001",
    "subject": "OPAQUE",
    "subjectDomain": "example.com",
    "title": "Dangling Resource Record",
    "category": "DNS",
    "severity": "high",
    "cause": "OPAQUE",
    "causeDomain": "nxdomain.example.com",
    "causeIp": "192.168.1.1",
    "open": true,
    "status": "active",
    "auto": true,
    "autoOpen": true,
    "autoPreservedStatus": "string",
    "createdOn": "2022-06-17T00:00:00Z",
    "lastClosed": "2022-06-17T00:00:00Z",
    "lastUpdated": "2022-06-17T00:00:00Z",
    "lastChecked": "2022-06-17T00:00:00Z",
    "lastConfirmed": "2022-06-17T00:00:00Z",
    "snoozedUntil": "2022-06-17T00:00:00Z",
    "details": {
      "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
      "rrDomain": "example.com",
      "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
      "rrType": "SRV",
      "danglingType": "nxdomain",
      "causeDomain": "nxdomain.example.com"
    },
    "groups": [
      "Product"
    ]
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetIssueResponse
400 Bad Request Invalid request None
404 Not Found Issue not found None

List issues

Code samples

GET /v1/org/{org}/issues HTTP/1.1
Host: api.hardenize.com

GET /issues

Returns a list of issues. This endpoint provides partial issue information intended for lists and summaries. For example, issue details are not returned. Complete issue information can be retrieved by fetching an issue directly or by requesting a bulk transfer.

Parameters

Parameter In Type Description
open query boolean If set, returns only issues that are open or closed as requested.
status query string If set, returns only issues that match the requested status.
updatedSince query string(date-time) If set, returns only issues created or updated since the provided timestamp.
group query array[string] If set, returns only issues that match ALL the requested groups.
definitionIds query string If set, should contain a comma separated list of definition ids to filter on

Example responses

200 Response

{
  "issues": [
    {
      "issueId": 10001,
      "revision": 1,
      "definitionId": "DNS1001",
      "subject": "OPAQUE",
      "subjectDomain": "example.com",
      "title": "Dangling Resource Record",
      "category": "DNS",
      "severity": "high",
      "cause": "OPAQUE",
      "causeDomain": "nxdomain.example.com",
      "causeIp": "192.168.1.1",
      "open": true,
      "status": "active",
      "auto": true,
      "autoOpen": true,
      "autoPreservedStatus": "string",
      "createdOn": "2022-06-17T00:00:00Z",
      "lastClosed": "2022-06-17T00:00:00Z",
      "lastUpdated": "2022-06-17T00:00:00Z",
      "lastChecked": "2022-06-17T00:00:00Z",
      "lastConfirmed": "2022-06-17T00:00:00Z",
      "snoozedUntil": "2022-06-17T00:00:00Z",
      "details": {
        "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
        "rrDomain": "example.com",
        "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
        "rrType": "SRV",
        "danglingType": "nxdomain",
        "causeDomain": "nxdomain.example.com"
      },
      "groups": [
        "Product"
      ]
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListIssuesResponse
400 Bad Request Invalid request None
403 Forbidden Forbidden None

Transfer issues

Code samples

POST /v1/org/{org}/issues/;transfer HTTP/1.1
Host: api.hardenize.com

POST /issues/;transfer

Initiates an issue transfer, which is an asynchronous operation. This operation is intended for transfer of complete issue information, which may involve a great number of issues as well as large amount of data.

Successful response data schema: ListIssuesResponse

Parameters

Parameter In Type Description
open query boolean If set, returns only issues that are open or closed as requested.
status query string If set, returns only issues that match the requested status.
updatedSince query string(date-time) If set, returns only issues created or updated since the provided timestamp.

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request None
403 Forbidden Forbidden None

Update issue

Code samples

POST /v1/org/{org}/issues/{issueId} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /issues/{issueId}

Updates an issue. At this time we support setting issue status to one of bogus, ignored, or snoozed. Setting status to bogus and ignored causes the issue to be permanently dismissed and thus closed. The use of the snooze status requires that snoozeTimestamp is set.

Body parameter

{
  "status": "snoozed",
  "snoozedUntil": "2022-06-17T00:00:00.000Z"
}

Parameters

Parameter In Type Description
body body UpdateIssueRequest none
issueId* path integer The identifier of the desired issue.

Example responses

200 Response

{
  "integration": {
    "issueId": 10001,
    "revision": 1,
    "definitionId": "DNS1001",
    "subject": "OPAQUE",
    "subjectDomain": "example.com",
    "title": "Dangling Resource Record",
    "category": "DNS",
    "severity": "high",
    "cause": "OPAQUE",
    "causeDomain": "nxdomain.example.com",
    "causeIp": "192.168.1.1",
    "open": true,
    "status": "active",
    "auto": true,
    "autoOpen": true,
    "autoPreservedStatus": "string",
    "createdOn": "2022-06-17T00:00:00Z",
    "lastClosed": "2022-06-17T00:00:00Z",
    "lastUpdated": "2022-06-17T00:00:00Z",
    "lastChecked": "2022-06-17T00:00:00Z",
    "lastConfirmed": "2022-06-17T00:00:00Z",
    "snoozedUntil": "2022-06-17T00:00:00Z",
    "details": {
      "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
      "rrDomain": "example.com",
      "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
      "rrType": "SRV",
      "danglingType": "nxdomain",
      "causeDomain": "nxdomain.example.com"
    },
    "groups": [
      "Product"
    ]
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetIssueResponse
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
404 Not Found Issue not found None

Network Ranges

Add, remove, and update your network ranges. If your organization has access to network scanning in Hardenize, you can also optionally enable scanning for a network range. At this time, scanning is available immediately for IPv4 ranges up to a /22. We manually enable scanning of larger ranges, usually after discussing the requirements with the customer. We don't scan IPv6 ranges.

Create network range

Code samples

POST /v1/org/{org}/networkRanges HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /networkRanges

Creates a new network range. The range can not overlap any existing range. The label you choose should be short. "scan" is optional and will only be allowed if your organization has that feature enabled and the range is suitably small: /24 for IPv4 and /128 for IPv6.

Body parameter

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "range": "192.168.1.0/24",
  "scan": true,
  "tags": [
    "production"
  ]
}

Parameters

Parameter In Type Description
body body NetworkRange none

Responses

Status Meaning Description Schema
201 Created Network range created None
400 Bad Request Invalid parameters None
403 Forbidden Insufficient permissions to perform operation None

Delete network range

Code samples

DELETE /v1/org/{org}/networkRanges/{range} HTTP/1.1
Host: api.hardenize.com

DELETE /networkRanges/{range}

Deletes a network range if it exists

Parameters

Parameter In Type Description
range* path string The network range to delete.

Responses

Status Meaning Description Schema
204 No Content Network range deleted None
403 Forbidden Insufficient permissions to perform operation None
404 Not Found Network range not found None

List network ranges

Code samples

GET /v1/org/{org}/networkRanges HTTP/1.1
Host: api.hardenize.com

GET /networkRanges

Returns all configured network ranges.

Example responses

200 Response

{
  "networkRanges": [
    {
      "label": "DC01 Public",
      "description": "Public IP range for London data center",
      "range": "192.168.1.0/24",
      "scan": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListNetworkRangesResponse

Update network range

Code samples

POST /v1/org/{org}/networkRanges/{range} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /networkRanges/{range}

Update the label/description/scan of a network range

Body parameter

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "scan": true,
  "tags": [
    "production"
  ]
}

Parameters

Parameter In Type Description
range* path string The network range to update.
body body UpdateNetworkRangeRequest none

Responses

Status Meaning Description Schema
204 No Content Network range updated None
400 Bad Request Invalid parameters None
403 Forbidden Insufficient permissions to perform operation None
404 Not Found Network range not found None

Operations

For activities that may take a long time, we support asynchronous operations that enable you to submit a request and disconnect while our servers continue to work on the requested task. The documentation for each API endpoint will indicate if asynchronous operation is supported and whether it's required or optional.

When a request to do some work asynchronously is submitted, we respond with the 202 Accepted response, indicating that work is being scheduled but that it is not yet completed. This is in contrast to the standard 200 OK response that you get when a request is immediately completed. When you see a 202 response, the body of the response will include an OperationStatus object that tracks the status of the requested work. For example:

HTTP/1.1 202 Accepted
Content-Type: application/vnd.hardenize.v1.operation-status+json; charset=UTF-8
Location: /v1/org/{org}/operations/6e7b190fa8d4ba14f707

{
    "id": "6e7b190fa8d4ba14f707",
    "done": false,
    "statusCode": 202
}

The best way to think about asynchronous work is that your initial request creates a task which, when complete, produces some results. The task status and its results are two separate resources.

We also provide a set of endpoints that enable you to monitor operation progress. When an operation is created it is assigned a unique identifier, which is part of the operation status. Once you know this identifier you can use it to look up the updated operation status. In addition, the 202 response includes a Location header that contains a link to the operation status.

From this point, the expected workflow is that you will periodically poll the Get Operation endpoint and monitor the value in the done field, which will start as false and change to true when the work is completed. At this point the statusCode field will contain the final value, which should be interpreted as the HTTP status code you would have received had the operation been invoked synchronously. Additionally, the status object main contain further information about the results, for example the number of pages and rows per page. For example:

HTTP/1.1 200 OK
Content-Type: application/vnd.hardenize.v1.operation-status+json; charset=UTF-8

{
    "id": "6e7b190fa8d4ba14f707",
    "done": true,
    "statusCode": 200,
    "pages": 100,
    "rows": 99754,
    "rowsPerPage": 1000
}

If the status code is 200 OK, then the operation has been successful and you can retrieve the results with a further GET method to the Get Operation Results endpoint. Depending on the operation, results may be available on failure as well. In that situation, for example, the results may include further error information.

If you attempt to access operation results before they're ready, you will be redirected to the Get Operation endpoint with a 303 See Other response. In this case, the response body will also include the operation status. If you observe a 404 Not Found response, that means that the operation has expired and should be submitted again if desired. The server will make a best-effort attempt to preserve operation results for as long as possible, but the expectation is that the results will be consumed immediately as they become available. In case of partial (paginated) access, it is recommended that the results are collected in under one hour.

Cancel Operation

Code samples

DELETE /v1/org/{org}/operations/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /operations/{id}

Requests cancellation of the operation with the supplied identifier. The server will attempt to carry out the request, but there are no guarantees that the operation will be successful. Clients that request operations that take a long time (and thus probably require significant resources) should always cancel if they give up waiting.

Parameters

Parameter In Type Description
id* path string Operation identifier

Responses

Status Meaning Description Schema
202 Accepted Cancellation request accepted None
400 Bad Request Invalid parameters None
404 Not Found Operation not found None

Get Operation Results

Code samples

GET /v1/org/{org}/operations/{id}/results HTTP/1.1
Host: api.hardenize.com

GET /operations/{id}/results

Retrieves the results generated by the operation with the supplied identifier. If the operation completed, this endpoint will deliver the same data as if the operation were invoked directly and completed in the same HTTP request. The original operation HTTP status code will be placed in the X-Operation-Status-Code response header. This is done to distinguish failures of the API from operation failures.

If this endpoint is called while the operation is still in progress, this endpoint will respond with the 303 status code and include the operation status information in the response body.

Parameters

Parameter In Type Description
id* path string Operation identifier

Example responses

303 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": true,
  "statusCode": 200,
  "contentType": "application/json; charset=UTF-8",
  "pages": 10,
  "rows": 2494,
  "rowsPerPage": 250
}

Responses

Status Meaning Description Schema
200 OK Operation results are in the response body None
206 Partial Content Partial results are in the response body None
303 See Other Operation not yet completed OperationStatus
400 Bad Request Invalid request None
404 Not Found Operation not found None

Get Operation Status

Code samples

GET /v1/org/{org}/operations/{id} HTTP/1.1
Host: api.hardenize.com

GET /operations/{id}

Retrieves the status of the operation with the supplied identifier.

Parameters

Parameter In Type Description
id* path string Operation identifier

Example responses

200 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": true,
  "statusCode": 200,
  "contentType": "application/json; charset=UTF-8",
  "pages": 10,
  "rows": 2494,
  "rowsPerPage": 250
}

Responses

Status Meaning Description Schema
200 OK Request successful OperationStatus
400 Bad Request Invalid parameters None
404 Not Found Operation not found None

Reports

Maturity: Under Development

In the Report section of the API we provide summaries of the reports done for your monitored hosts. This is the same information that's available in the web application under the Hosts navigation. This section of the API is transient and will be replaced with a more comprehensive implementation in the near future. That's why we have the zero ("0") in the endpoint path.

List reports

Code samples

GET /v1/org/{org}/reports0 HTTP/1.1
Host: api.hardenize.com

GET /reports0

Returns all available reports. If you provide one of the optional parameters, only the reports matching the specified filters will be listed. If you provide multiple parameters, only the reports matching all the specified filters will be listed.

Parameters

Parameter In Type Description
format query string Response format. Default: json.
name query string The name of the host whose report summary you wish to retrieve.
subdomains query boolean If set, extends the host matching to include all subdomains of the specified name. Default: false.
group query string If set, returns only the summaries for hosts that belong to the specified group.

Enumerated Values

Parameter Value
format csv
format json

Example responses

200 Response

{
  "reports": [
    {
      "hostname": "example.com",
      "status": "completed",
      "reportTime": "2018-10-10T15:36:49.044Z",
      "hasDnssec": true,
      "hasSmtp": true,
      "hasSmtpTls": true,
      "hasSmtpDane": true,
      "hasSpf": true,
      "hasDmarc": true,
      "hasHttp": true,
      "hasHttps": true,
      "hasHttpsDane": true,
      "hasHttpsRedirection": true,
      "hasHttpsTls12OrBetter": true,
      "hasSsl2": true,
      "hasSsl3": true,
      "hasTls10": true,
      "hasTls11": true,
      "hasTls12": true,
      "hasTls13": true,
      "supportsSsl2": true,
      "supportsSsl3": true,
      "supportsTls10": true,
      "supportsTls11": true,
      "supportsTls12": true,
      "supportsTls13": true,
      "hasHsts": true,
      "hasHstsPreloaded": true,
      "nameServers": "string",
      "dnssec": "string",
      "emailTls": "string",
      "emailDane": "string",
      "spf": "string",
      "dmarc": "string",
      "wwwTls": "string",
      "wwwDane": "string",
      "wwwXssProtection": "string",
      "wwwXssProtectionEnabled": true,
      "wwwXcto": true,
      "hsts": "string",
      "hpkp": "string",
      "cookies": "string",
      "mixedContent": "string",
      "securityHeaders": "string",
      "csp": "string"
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListReports0Response

Request Certificates Report

Code samples

POST /v1/org/{org}/reports/certificates HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/certificates

Maturity: Under Development

Request certificates report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: CertificateReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "active": true,
  "revoked": true,
  "expiring": true,
  "expiringDays": 10
}

Parameters

Parameter In Type Description
body body CertificateReportRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Request DMARC Report

Code samples

POST /v1/org/{org}/reports/dmarc HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/dmarc

Maturity: Under Development

Request DMARC report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: DmarcReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Parameters

Parameter In Type Description
body body DmarcReportRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Request Domains Report

Code samples

POST /v1/org/{org}/reports/domains HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/domains

Maturity: Under Development

Request domains report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: DomainsReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter In Type Description
body body DomainsReportRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Request Expiring Certificates Report

Code samples

POST /v1/org/{org}/reports/certificates/expiringEndpoints HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/certificates/expiringEndpoints

Maturity: Under Development

Request expiring certificates report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: CertificateExpiringEndpointsReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "integration": "Entrust Dev",
  "format": "csv"
}

Parameters

Parameter In Type Description
body body CertificateExpiringEndpointsReportRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Request Host Discoveries Report

Code samples

POST /v1/org/{org}/reports/hostDiscoveries HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/hostDiscoveries

Maturity: Under Development

Request host discoveries report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: DiscoveryHostReportResponse

Body parameter

{
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter In Type Description
body body DiscoveryHostReportRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Request Hosts Report

Code samples

POST /v1/org/{org}/reports/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/hosts

Maturity: Under Development

Request host discoveries report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: HostsReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter In Type Description
body body HostsReportRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Request Ip Addresses Report

Code samples

POST /v1/org/{org}/reports/ipAddresses HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/ipAddresses

Maturity: Under Development

Request ip addresses report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: IpAddressReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter In Type Description
body body IpAddressReportRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Request Issues Report

Code samples

POST /v1/org/{org}/reports/issues HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/issues

Maturity: Under Development

Request issues report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: IssuesReportResponse

Body parameter

{
  "type": "active",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter In Type Description
body body IssuesReportRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Request Network Ranges Report

Code samples

POST /v1/org/{org}/reports/networkRanges HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/networkRanges

Maturity: Under Development

Request network ranges report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: NetworkRangesReportResponse

Body parameter

{
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Parameters

Parameter In Type Description
body body NetworkRangesReportRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Request Open Ports Report

Code samples

POST /v1/org/{org}/reports/openPorts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/openPorts

Maturity: Under Development

Request open ports report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: OpenPortsReportResponse

Body parameter

{
  "address": "192.168.1.1",
  "port": 443,
  "transport": "tcp",
  "service": "other",
  "hostname": "example.com",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter In Type Description
body body OpenPortsReportRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Request Spf Report

Code samples

POST /v1/org/{org}/reports/spf HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/spf

Maturity: Under Development

Request spf report.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: SpfReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Parameters

Parameter In Type Description
body body SpfReportRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Report Cards

Maturity: Under Development

In the Report section of the API we provide summaries of the report cards done for your monitored hosts.

List report cards

Code samples

GET /v1/org/{org}/reportCards HTTP/1.1
Host: api.hardenize.com

GET /reportCards

Maturity: Under Development

Retrieves all report cards.

Returns all available report cards. If you provide one of the optional parameters, only the report cards matching the specified filters will be listed. If you provide multiple parameters, only the report cards matching all the specified filters will be listed.

Parameters

Parameter In Type Description
group query string If set, returns only the report cards that belong to the specified group.
newSince query string(date-time) If set, returns only report cards added to the account since the specified date.

Detailed descriptions

group: If set, returns only the report cards that belong to the specified group.

Example responses

200 Response

{
  "reportCards": [
    {
      "reportVersion": 1,
      "domainPunycode": "example.com",
      "domainUnicode": "example.com",
      "available": true,
      "hardenizeVersion": "v1.1603.1",
      "timestamp": "2024-12-20T16:02:26.619Z",
      "sections": [
        {
          "id": "SECTION_DOMAIN",
          "name": "Domain",
          "items": [
            {
              "id": "ITEM_DOMAIN_REGISTRATION",
              "name": "Domain Registration",
              "status": "good",
              "remarks": [
                {
                  "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
                  "title": "Nameserver is not operational",
                  "content": "Good. The private key associated with this certificate is secure.",
                  "severity": "good",
                  "data": {
                    "Name": "dns1.registrar-servers.com.",
                    "Address": "2610:a1:1024::200",
                    "Reverse name": "dns1.registrar-servers.com."
                  }
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListReportCardsResponse
400 Bad Request Invalid parameters None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Retrieves a report card for a specified hostname

Code samples

GET /v1/org/{org}/reportCards/{hostname} HTTP/1.1
Host: api.hardenize.com

GET /reportCards/{hostname}

Maturity: Under DevelopmentRetrieves a report card for the specified hostname.

Returns all available report cards. If you provide one of the optional parameters, only the report cards matching the specified filters will be listed. If you provide multiple parameters, only the report cards matching all the specified filters will be listed.

Parameters

Parameter In Type Description
hostname* path string If set, returns only the report card for the specified hostname.

Detailed descriptions

hostname: If set, returns only the report card for the specified hostname.

Example responses

200 Response

{
  "reportCard": {
    "reportVersion": 1,
    "domainPunycode": "example.com",
    "domainUnicode": "example.com",
    "available": true,
    "hardenizeVersion": "v1.1603.1",
    "timestamp": "2024-12-20T16:02:26.619Z",
    "sections": [
      {
        "id": "SECTION_DOMAIN",
        "name": "Domain",
        "items": [
          {
            "id": "ITEM_DOMAIN_REGISTRATION",
            "name": "Domain Registration",
            "status": "good",
            "remarks": [
              {
                "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
                "title": "Nameserver is not operational",
                "content": "Good. The private key associated with this certificate is secure.",
                "severity": "good",
                "data": {
                  "Name": "dns1.registrar-servers.com.",
                  "Address": "2610:a1:1024::200",
                  "Reverse name": "dns1.registrar-servers.com."
                }
              }
            ]
          }
        ]
      }
    ]
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetReportCardResponse
400 Bad Request Invalid parameters None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Suborganizations

Depending on the type of subscription, organization accounts can be configured to allow creation of nested organizations. These suborganizations are designed to be fully independent, although it's possible to retain some level of control over them via the parent account.

New suborganizations support the same API endpoints, although the capabilities will typically be different to that of the parent account. To access a suborganization via this API, first use the parent account to create a new set of master API credentials. Subsequently, use the new credentials to access the suborganization directly. Do note that the suborganization identifiers exposed by this API are relative to that of the parent account. When accessing suborganization APIs directly you need to use the complete account identifier, which will be in the form of parent.child. Attempting to use an incorrect identifier will result in a 404 response.

Create Organization

Code samples

POST /v1/org/{org}/suborgs HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /suborgs

Creates a new suborganization under this account. If successful, this endpoint returns full information about the newly-created organization.

Body parameter

{
  "id": "7f070931-0cfb-41cb-bb05-98a792d238b1",
  "name": "Hardenize",
  "label": "hardenize",
  "status": "active",
  "certLimitHard": 1000,
  "commercialStatus": "internal",
  "generateApiCredentials": true,
  "hostDiscoveryAutoimportSubdomains": false,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": 1000,
  "featureHostDiscovery": false,
  "featureMfa": false,
  "featureSaml": false
}

Parameters

Parameter In Type Description
body body CreateOrgRequest none

Example responses

200 Response

{
  "org": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Responses

Status Meaning Description Schema
200 OK Organization created CreateOrgResponse
400 Bad Request Invalid parameters or organization with the supplied id or name already exists. None
403 Forbidden Account doesn't support suborganizations None

Delete Organization

Code samples

DELETE /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /suborgs/{id}

Permanently deletes one nested organization. Because this operation is irreversible and thus quite dangerous, this endpoint is typically disabled by default, and may be enabled on sandbox accounts only. The recommended way to delete organizations is to set the status to deleted.

Parameters

Parameter In Type Description
id* path string Organization identifier.

Responses

Status Meaning Description Schema
204 No Content Organization deleted None
403 Forbidden Account doesn't support suborganizations, or the delete operation not permitted None
404 Not Found Organization doesn't exist None

Get Organization

Code samples

GET /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com

GET /suborgs/{id}

Returns the specified nested organization.

Parameters

Parameter In Type Description
id* path string Organization identifier.

Example responses

200 Response

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Responses

Status Meaning Description Schema
200 OK OK GetOrgResponse
403 Forbidden Account doesn't support suborganizations None
404 Not Found Organization doesn't exist None

List Organizations

Code samples

GET /v1/org/{org}/suborgs HTTP/1.1
Host: api.hardenize.com

GET /suborgs

Returns a complete list of all organizations nested under this account.

Example responses

200 Response

{
  "orgs": [
    {
      "id": "hardenize",
      "name": "Hardenize",
      "status": "active",
      "commercialStatus": "internal",
      "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
      "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
      "hostDiscoveryAutoimportSubdomains": true,
      "hostDiscoveryEnabled": true,
      "hostDiscoveryError": "string",
      "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
      "hostDiscoveryExcludeSuffixes": [
        "sub.example.com"
      ],
      "hostLimitHard": 10000,
      "hostDiscoveryLimitHard": 10000,
      "certLimitHard": 75000,
      "featureHostDiscovery": false,
      "featureMfa": false,
      "featureSaml": false
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK OK ListOrgsResponse
403 Forbidden Account doesn't support suborganizations None

Update Organization

Code samples

POST /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /suborgs/{id}

Updates the desired nested organization.

Body parameter

{
  "name": "Hardenize",
  "status": "active",
  "commercialStatus": "internal",
  "generateApiCredentials": false,
  "hostDiscoveryAutoimportSubdomains": true,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": -1,
  "featureHostDiscovery": true,
  "featureMfa": false,
  "featureSaml": false
}

Parameters

Parameter In Type Description
id* path string Organization identifier.
body body UpdateOrgRequest none

Example responses

200 Response

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Responses

Status Meaning Description Schema
200 OK OK UpdateOrgResponse
403 Forbidden Account doesn't support suborganizations None
404 Not Found Organization doesn't exist None

Search

Maturity: Under Development

At the Business tier and higher, Hardenize accounts include a search engine that's updated in real time whenever new data becomes available. The search engine contains multiple indexes, each tracking a different type of data. At this time, we support the network and certificates indexes. Our search engine is based on Elasticsearch, a de-facto standard.

Code samples

POST /v1/org/{org}/search HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /search

Request a search to the search engine. The index parameter should contain the desired index and the query parameter should contain the desired query in the Elasticsearch query format. By default, the results will be in JSON format. If you wish CSV output instead, supply a list of field names in the columns parameter. Please note that, as a limitation of Elasticsearch, array fields cannot be placed in CSV output in their entirety; only the first value will be.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Body parameter

{
  "index": "network",
  "query": "pki.certs.sha256:f7e960995532d54a845f70e9f3430fccda1f7f3925f874ab50e8105777764d74",
  "limit": 10,
  "columns": [
    "hostname",
    "address",
    "port"
  ]
}

Parameters

Parameter In Type Description
body body CreateSearchRequest none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status Meaning Description Schema
202 Accepted Operation accepted OperationStatus
400 Bad Request Invalid request; details in the response None
403 Forbidden Not allowed to access this endpoint None
503 Service Unavailable Service not able to process request None

Users

This section provides support for user management, covering both accounts with access to the application as well as service accounts, a special type of account that's designed for API access.

Cancel invite

Code samples

POST /v1/org/{org}/users/{id};cancelInvite HTTP/1.1
Host: api.hardenize.com

POST /users/{id};cancelInvite

Cancels invitation for this user, if it has not already been accepted. Role: Admin.

Parameters

Parameter In Type Description
id* path integer User identifier

Responses

Status Meaning Description Schema
204 No Content User invite cancelled None
400 Bad Request Invalid parameters None
403 Forbidden You don't have permission to perform this operation. None
404 Not Found User with given email doesn't exist within organization None

Create service account

Code samples

POST /v1/org/{org}/users;serviceAccount HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /users;serviceAccount

Creates a new service account. Role: Admin.

Body parameter

{
  "name": "Data fetcher",
  "role": "observer",
  "expirationTime": "2024-12-20T16:02:26.623Z"
}

Parameters

Parameter In Type Description
body body CreateServiceAccountRequest none

Example responses

201 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2024-12-20T16:02:26.623Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status Meaning Description Schema
201 Created Service account created GetUserResponse
400 Bad Request Invalid parameters None
403 Forbidden You don't have permission to perform this operation. None

Get user

Code samples

GET /v1/org/{org}/users/{id} HTTP/1.1
Host: api.hardenize.com

GET /users/{id}

Retrieves the available information for the requested user account.

Parameters

Parameter In Type Description
id* path integer User identifier

Example responses

200 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2024-12-20T16:02:26.624Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status Meaning Description Schema
200 OK User GetUserResponse
404 Not Found User with given email doesn't exist within organization None

Invite new user

Code samples

POST /v1/org/{org}/users;invite HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /users;invite

Invites a new user to the organization. When this endpoint is used, an email is sent to the provided email address, asking the user to join the organization.

Body parameter

{
  "name": "Bob",
  "email": "postmaster@example.com",
  "role": "observer"
}

Parameters

Parameter In Type Description
body body InviteUserRequest none

Example responses

201 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2024-12-20T16:02:26.624Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status Meaning Description Schema
201 Created User invited GetUserResponse
400 Bad Request Invalid parameters None
403 Forbidden You don't have permission to perform this operation. None

List users

Code samples

GET /v1/org/{org}/users HTTP/1.1
Host: api.hardenize.com

GET /users

Lists users that belong to the organization. We don't store user passwords raw in our database and so they will not be provided. Use the password reset function instead.

Example responses

200 Response

{
  "users": [
    {
      "userId": 10001,
      "email": "postmaster@example.com",
      "name": "Bob",
      "status": "active",
      "serviceAccount": true,
      "expirationTime": "2024-12-20T16:02:26.625Z",
      "password": "61cec76600adc8b7aa522a5078f7c837",
      "mfaEnabled": false,
      "role": "observer"
    }
  ]
}

Responses

Status Meaning Description Schema
200 OK Users ListUsersResponse

Update user

Code samples

POST /v1/org/{org}/users/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /users/{id}

Updates the specified user. Role: Admin.

Body parameter

{
  "name": "Bob",
  "deleteMfa": true,
  "resetPassword": true,
  "expirationTime": "2024-12-20T16:02:26.625Z",
  "status": "retired",
  "role": "observer"
}

Parameters

Parameter In Type Description
id* path integer User identifier
body body UpdateUserRequest none

Example responses

200 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2024-12-20T16:02:26.625Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status Meaning Description Schema
200 OK User updated GetUserResponse
400 Bad Request Invalid parameters None
403 Forbidden You don't have permission to perform this operation. None
404 Not Found User with given email doesn't exist within organization None

Schemas

cidr

"127.0.0.1/32"

IP address range in CIDR notation.

Properties

Name Type Description
anonymous string IP address range in CIDR notation.

GetAssessmentStatusResponse

{
  "assessment": {
    "id": "81763d1c-3722-4e66-89ef-b811844bc46c",
    "host": "example.com",
    "path": "/",
    "unicodeHost": "example.com",
    "status": "available",
    "statusMessage": null,
    "epochTime": 1710773815,
    "statTcpConnections": 51,
    "statTcpEndpointsCount": 12,
    "expectedTcpConnections": 50,
    "expectedDuration": 0
  }
}

Properties

Name Type Description
assessment AssessmentStatus Contains information about the status of an assessment.

CreateAssessmentRequest

{
  "hostname": "example.com",
  "clearCache": false
}

Contains information needed to create new assessment

Properties

Name Type Description
hostname string none
clearCache boolean none

AssessmentStatus

{
  "id": "81763d1c-3722-4e66-89ef-b811844bc46c",
  "host": "example.com",
  "path": "/",
  "unicodeHost": "example.com",
  "status": "available",
  "statusMessage": null,
  "epochTime": 1710773815,
  "statTcpConnections": 51,
  "statTcpEndpointsCount": 12,
  "expectedTcpConnections": 50,
  "expectedDuration": 0
}

Contains information about the status of an assessment.

Properties

Name Type Description
id string none
host string Name of the host for which the assessment is done.
path string Denotes if it is a root assessment.
unicodeHost string Hostname converted to unicode.
status string Status of the assessment.
statusMessage string none
epochTime integer .
statTcpConnections integer Total number of TCP connections created during the assessment.
statTcpEndpointsCount integer Total number of IP addresses communicated with.
expectedTcpConnections integer Total number of TCP connections we are expecting, available only for repeated assessments.
expectedDuration integer Expected duration of the assessment.

Enumerated Values

Property Value
status not_available
status queued
status in_progress
status failed
status completed
status available

AuditEvent

{
  "id": 10001,
  "actorType": "u",
  "actorId": "userId:12090749",
  "actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
  "timestamp": "2018-09-03T14:09:59.000Z",
  "remoteAddr": "18.233.176.231",
  "sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
  "resourceType": "user",
  "resourceId": "12090749",
  "action": "user.auth.succeeded",
  "status": 200,
  "details": {
    "method": "password"
  }
}

Contains information about one audit log event.

Properties

Name Type Description
id* integer none
actorType* string Indicates whether the action was carried by an anonymous actor before authentication (a), the system (s), or by an authenticated user or organization (u).
actorId string Contains a unique identifier associated with the actor. This value will typically contain a reference to a user, with a prefix userId or to an organization, with a prefix orgId:. The value is stable over the long term.
actorName string Contains further information that describes the actor. For users it may contain the name and email address. For organizations, the name. The value here may should not be considered stable as it may change over time, if users or organizations are renamed.
timestamp* string(date-time) The UTC timestamp of the event.
remoteAddr string The remote IP address of the actor. Not available for system events.
sessionId string The actor's unique session identifier. Not available for system events. Please note that we regenerate session IDs after each successful authentication. As a result, you may see one ID at the point when authentication takes place, then another ID immediately after, when we record the sign-in event.
userAgent string The user agent associated with the event. Not all events will have this field, but key events associated with user activity will.
resourceType* string Indicates resource type.
resourceId* string The unique identifier associated with the resource.
action* string The unique action identifier.
status* integer Status of the event as a HTTP status code.
details object Contains additional information specific to the audit event. This field should be considered informational at this point in time.

Enumerated Values

Property Value
actorType a
actorType s
actorType u
action org.user.deleted
action org.user.disabled
action org.user.enabled
action org.user.invited
action org.user.uninvited
action org.user.joined
action org.user.profile_changed
action org.user.session_started
action user.created
action user.deleted
action user.email_changed
action user.profile_changed
action user.auth.mfa_removed_by_admin
action user.auth.password_changed
action user.auth.password_reset_requested
action user.auth.password_reset
action user.auth.password_reset_by_admin
action user.auth.failed
action user.auth.forbidden
action user.auth.signed_in
action user.auth.signed_out
action user.auth.succeeded

CertDiscoverySummary

{
  "certDiscoveryId": 11766,
  "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
  "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
  "createdOn": "2022-06-17T00:00:00Z",
  "updatedOn": "2022-06-17T00:00:00Z",
  "closedOn": "2022-06-17T00:00:00Z",
  "escalated": false,
  "status": "open",
  "resolution": "undetermined",
  "certSummary": {
    "shortId": "572908a",
    "label": "ssl760680.cloudflaressl.com",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "RSAwithMD2",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "ownership": "own",
    "notBefore": "2024-12-20T16:02:26.627Z",
    "notAfter": "2024-12-20T16:02:26.627Z",
    "effectiveNotAfter": "2024-12-20T16:02:26.627Z",
    "lifetimeDays": 736,
    "lifetimeDaysLeft": 125,
    "revokedOn": "2024-12-20T16:02:26.627Z",
    "hosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "extras": {
      "status": "ok",
      "certsDueDays": 60,
      "certsOverdueDays": 13,
      "certsCriticalDays": 4,
      "certsLabels": "managed",
      "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
      "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
      "ku": [
        "keyEncipherment",
        "digitalSignature"
      ],
      "eku": [
        "serverAuth",
        "clientAuth"
      ],
      "mustStaple": true,
      "crl": [
        "http://crl3.digicert.com/sha2-ev-server-g2.crl",
        "http://crl4.digicert.com/sha2-ev-server-g2.crl"
      ],
      "ocsp": [
        "http://ocsp.digicert.com"
      ],
      "precert": false
    },
    "active": true,
    "caPathLen": -1,
    "nameDigestNewer": true
  },
  "matchedHosts": [
    [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ]
  ]
}

Contains complete information about a certificate discovered in one of the monitored CT logs.

Properties

Name Type Description
certDiscoveryId integer(int64) Unique identifier.
certSha256 string The SHA256 hash of the associated certificate, if any.
precertSha256 string The SHA256 hash of the associated precertificate, if any.
tbsSha256 string The SHA256 hash of the TBSCertificate structure. This value will be the same for the precertificate & certificate combination.
createdOn string(date-time) Indicates when this certificate discovery was created.
updatedOn string(date-time) Indicates when this certificate discovery was last updated.
closedOn string(date-time) Indicates when this certificate discovery was last closed.
escalated boolean Indicates when this certificate discovery was escalated.
status string Indicates the status of this certificate discovery.
resolution string Indicates the discovery resolution.
certSummary CertificateSummary Contains summary information about one certificate.
matchedHosts [string] List of organization hosts that were observed in the certificate.

Enumerated Values

Property Value
status triage
status open
status closed
resolution undetermined
resolution reconciled
resolution policyViolation
resolution fraudulent

CertDiscovery

{
  "certDiscoveryId": 11766,
  "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
  "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
  "createdOn": "2022-06-17T00:00:00Z",
  "updatedOn": "2022-06-17T00:00:00Z",
  "closedOn": "2022-06-17T00:00:00Z",
  "escalated": false,
  "status": "open",
  "resolution": "undetermined",
  "certSummary": {
    "shortId": "572908a",
    "label": "ssl760680.cloudflaressl.com",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "RSAwithMD2",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "ownership": "own",
    "notBefore": "2024-12-20T16:02:26.628Z",
    "notAfter": "2024-12-20T16:02:26.628Z",
    "effectiveNotAfter": "2024-12-20T16:02:26.628Z",
    "lifetimeDays": 736,
    "lifetimeDaysLeft": 125,
    "revokedOn": "2024-12-20T16:02:26.628Z",
    "hosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "extras": {
      "status": "ok",
      "certsDueDays": 60,
      "certsOverdueDays": 13,
      "certsCriticalDays": 4,
      "certsLabels": "managed",
      "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
      "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
      "ku": [
        "keyEncipherment",
        "digitalSignature"
      ],
      "eku": [
        "serverAuth",
        "clientAuth"
      ],
      "mustStaple": true,
      "crl": [
        "http://crl3.digicert.com/sha2-ev-server-g2.crl",
        "http://crl4.digicert.com/sha2-ev-server-g2.crl"
      ],
      "ocsp": [
        "http://ocsp.digicert.com"
      ],
      "precert": false
    },
    "active": true,
    "caPathLen": -1,
    "nameDigestNewer": true
  },
  "certKnown": false,
  "certInstalled": true,
  "certExpired": false,
  "certRevoked": false,
  "issuerAllowed": true,
  "issuerAllowedKeyword": "GlobalSign",
  "issuerNotAllowed": false,
  "issuerForbidden": false,
  "issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
  "caaMismatch": false,
  "caaMatchFull": false,
  "notCtCompliant": false,
  "maxLifetimeExceeded": false,
  "timeoutCaseInactive": false,
  "timeoutCertNotInstalled": false,
  "matchedHosts": [
    [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ]
  ],
  "matchedHostsInfo": {
    "property1": {
      "wildcard": false,
      "caa": {
        "records": [
          "string"
        ],
        "source": "string",
        "time": "2022-06-17T00:00:00Z",
        "allowed": true,
        "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
      }
    },
    "property2": {
      "wildcard": false,
      "caa": {
        "records": [
          "string"
        ],
        "source": "string",
        "time": "2022-06-17T00:00:00Z",
        "allowed": true,
        "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
      }
    }
  },
  "matchedHostsCaaHistory": {
    "property1": [
      {
        "policyHostname": "string",
        "status": "present",
        "statusMessage": "string",
        "firstSeen": "2024-12-20T16:02:26.628Z",
        "lastSeen": "2024-12-20T16:02:26.628Z",
        "records": [
          "string"
        ]
      }
    ],
    "property2": [
      {
        "policyHostname": "string",
        "status": "present",
        "statusMessage": "string",
        "firstSeen": "2024-12-20T16:02:26.628Z",
        "lastSeen": "2024-12-20T16:02:26.628Z",
        "records": [
          "string"
        ]
      }
    ]
  },
  "matchedWildcardHosts": [
    "bonn-06.qlued.net",
    "www.bonn-06.qlued.net"
  ],
  "ctLogs": [
    {
      "name": "rocketeer",
      "log": "ct.googleapis.com/rocketeer",
      "timestamp": 1533791245857,
      "index": 232455,
      "type": "cert",
      "sources": [
        "log",
        "tls"
      ]
    }
  ]
}

Contains complete information about a certificate discovered in one of the monitored CT logs.

Properties

Name Type Description
certDiscoveryId integer(int64) Unique identifier.
certSha256 string The SHA256 hash of the associated certificate, if any.
precertSha256 string The SHA256 hash of the associated precertificate, if any.
tbsSha256 string The SHA256 hash of the TBSCertificate structure. This value will be the same for the precertificate & certificate combination.
createdOn string(date-time) Indicates when this certificate discovery was created.
updatedOn string(date-time) Indicates when this certificate discovery was last updated.
closedOn string(date-time) Indicates when this certificate discovery was last closed.
escalated boolean Indicates when this certificate discovery was escalated.
status string Indicates the status of this certificate discovery.
resolution string Indicates the discovery resolution.
certSummary CertificateSummary Contains summary information about one certificate.
certKnown boolean True if the certificate is confirmed as known. This may happen if the certificate is explicitly uploaded via the API, or if we observe the certificate in one of your CA accounts (via an integration).
certInstalled boolean True if the certificate has been installed.
certExpired boolean True if the certificate has expired.
certRevoked boolean True if the certificate has been revoked.
issuerAllowed boolean True if the certificate issuer matched one of the configured keywords.
issuerAllowedKeyword string If issuerAllowed is true, this field contains the keyword that matched.
issuerNotAllowed boolean True if the certificate issuer didn't match any configured keywords.
issuerForbidden boolean True if certificate issuer contains a keyword that is forbidden.
issuerForbiddenKeyword string If issuerForbiddenKeyword is true, this field contains the keyword that matched.
caaMismatch boolean True if the certificate doesn't match the CAA configuration observed immediately after the issuance has been retrieved from a CT log.
caaMatchFull boolean True if all hosts in the certificate matched the CAA configuration observed immediately after the issuance has been retrieved from a CT log.
notCtCompliant boolean True if the certificate is not CT compliant with one or more major vendors, such as Apple, Google, and Microsoft.
maxLifetimeExceeded boolean True if the certificate lifetime is longer than the currently allowed maximum.
timeoutCaseInactive boolean True when a certificate discovery is closed due to inactivity.
timeoutCertNotInstalled boolean True on a certificate discovery that's closed because the certificate has not been seen installed.
matchedHosts [string] List of organization hosts that were observed in the certificate.
matchedHostsInfo object A map containing information about matched hosts, where the keys are hostnames and the values are objects of type DiscoveryHostInfo.
» additionalProperties DiscoveryHostInfo Contains information about the host in the cert discovery
matchedHostsCaaHistory object A map containing the history of Certification Authority Authorization (CAA) records for the matched hosts, where the keys are hostnames and the values are arrays of type HostCaaHistory.
» additionalProperties [HostCaaHistory] none
matchedWildcardHosts [string] List of organization hosts that match wildcard domains in the certificate, if any.
ctLogs [CertCtLog] One entry for every observation of this certificate in CT logs. Excludes third-party CA certificates that have been imported to complete the certificate chain.

Enumerated Values

Property Value
status triage
status open
status closed
resolution undetermined
resolution reconciled
resolution policyViolation
resolution fraudulent

DiscoveryHostInfo

{
  "wildcard": false,
  "caa": {
    "records": [
      "string"
    ],
    "source": "string",
    "time": "2022-06-17T00:00:00Z",
    "allowed": true,
    "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
  }
}

Contains information about the host in the cert discovery

Properties

Name Type Description
wildcard boolean Indicates whether the host was matched using wildcard.
caa DiscoveryCaaHostInfo Contains information about the certificate authority authorization host in the cert discovery

DiscoveryCaaHostInfo

{
  "records": [
    "string"
  ],
  "source": "string",
  "time": "2022-06-17T00:00:00Z",
  "allowed": true,
  "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}

Contains information about the certificate authority authorization host in the cert discovery

Properties

Name Type Description
records [string] none
source string none
time string(date-time) none
allowed boolean none
error string none

HostCaaHistory

{
  "policyHostname": "string",
  "status": "present",
  "statusMessage": "string",
  "firstSeen": "2024-12-20T16:02:26.629Z",
  "lastSeen": "2024-12-20T16:02:26.629Z",
  "records": [
    "string"
  ]
}

Properties

Name Type Description
policyHostname string The hostname of the CAA policy.
status string The status of the CAA policy.
statusMessage string A message describing the status of the CAA policy.
firstSeen string(date-time) The date and time when the CAA policy was first seen.
lastSeen string(date-time) The date and time when the CAA policy was last seen.
records [string] A list of DNS records.

Enumerated Values

Property Value
status dnsError,
status none,
status present,

SigAlg

"RSAwithMD2"

Certificate signature algorithm.

Properties

Name Type Description
anonymous string Certificate signature algorithm.

Enumerated Values

Property Value
anonymous RSAwithMD2
anonymous RSAwithMD5
anonymous RSAwithSHA1
anonymous RSAwithSHA256
anonymous RSAwithSHA384
anonymous RSAwithSHA512
anonymous RSAPSS
anonymous DSAwithSHA1
anonymous DSAwithSHA256
anonymous ECDSAwithSHA1
anonymous ECDSAwithSHA256
anonymous ECDSAwithSHA384
anonymous ECDSAwithSHA512

Certificate

{
  "shortId": "572908a",
  "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
  "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "issuerCa": "Let's Encrypt",
  "validation": "dv",
  "notBefore": "2024-12-20T16:02:26.630Z",
  "notAfter": "2024-12-20T16:02:26.630Z",
  "effectiveNotAfter": "2024-12-20T16:02:26.630Z",
  "revokedOn": "2024-12-20T16:02:26.630Z",
  "keyAlg": "EC",
  "keyLen": 256,
  "keyStrength": 128,
  "sigAlg": "RSAwithMD2",
  "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
  "hosts": [
    "*.hardenize.com"
  ],
  "sanCount": 1,
  "caPathLen": -1,
  "wildcard": true,
  "selfSigned": false,
  "firstSeen": "2024-12-20T16:02:26.630Z",
  "lastSeen": "2024-12-20T16:02:26.630Z",
  "seenInstalled": true,
  "active": true,
  "precert": false,
  "duplicate": false,
  "managed": true,
  "ownership": "own",
  "label": "ssl760680.cloudflaressl.com",
  "matchesOrgHost": true,
  "symantecStatus": "symantecExcluded",
  "ctRequired": true,
  "ctCompliant": true,
  "ctLogs": [
    {
      "name": "rocketeer",
      "log": "ct.googleapis.com/rocketeer",
      "timestamp": 1533791245857,
      "index": 232455,
      "type": "cert",
      "sources": [
        "log",
        "tls"
      ]
    }
  ],
  "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
  "origin": "ct",
  "originTitle": "CT",
  "originInfo": {
    "net": {
      "host": "aspmx.l.google.com",
      "address": "2a00:1450:400c:c00:0:0:0:1b",
      "port": 25,
      "protocol": "smtp"
    }
  },
  "parentHashes": [
    "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
    "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
  ],
  "parentHashesSource": "ct",
  "parentHashesComplete": true,
  "analysis": {
    "id": "ITEM_DOMAIN_REGISTRATION",
    "name": "Domain Registration",
    "status": "good",
    "remarks": [
      {
        "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
        "title": "Nameserver is not operational",
        "content": "Good. The private key associated with this certificate is secure.",
        "severity": "good",
        "data": {
          "Name": "dns1.registrar-servers.com.",
          "Address": "2610:a1:1024::200",
          "Reverse name": "dns1.registrar-servers.com."
        }
      }
    ]
  },
  "matchedHosts": [
    "bonn-06.qlued.net",
    "www.bonn-06.qlued.net"
  ],
  "matchedWildcardHosts": [
    "bonn-06.qlued.net",
    "www.bonn-06.qlued.net"
  ],
  "thirdPartyHosts": [
    "hardenize.com"
  ],
  "deployments": {
    "hosts": [
      {
        "hostname": "string",
        "service": "dns",
        "serviceHostname": "string",
        "lastSeen": "2024-12-20T16:02:26.630Z"
      }
    ],
    "services": [
      {
        "hostname": "string",
        "address": "string",
        "port": 0,
        "asNumber": 0,
        "asName": "string",
        "cloudProvider": "string",
        "cloudRegion": "string",
        "lastSeen": "2024-12-20T16:02:26.630Z",
        "certs": [
          "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
          "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
        ],
        "tlsSupportedProtocols": [
          "TLSv1.2",
          "TLSv1.3"
        ],
        "tlsConfigurationLevel": "secure"
      }
    ]
  },
  "lifetime": "PT17652H",
  "lifetimeDays": 736,
  "ku": [
    "keyEncipherment",
    "digitalSignature"
  ],
  "eku": [
    "serverAuth",
    "clientAuth"
  ],
  "mustStaple": true,
  "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
  "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
  "caIssuers": [
    "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
  ],
  "crl": [
    "http://crl3.digicert.com/sha2-ev-server-g2.crl",
    "http://crl4.digicert.com/sha2-ev-server-g2.crl"
  ],
  "ocsp": [
    "http://ocsp.digicert.com"
  ],
  "ctInfos": [
    {
      "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
      "timestamp": "2024-12-20T16:02:26.630Z",
      "name": "Google 'Xenon2024' log",
      "status": "Qualified"
    }
  ]
}

Contains information about one certificate.

Properties

Name Type Description
shortId string Short identifier for the certificate. This value is not unique.
sha256* string Hex-encoded SHA256 hash of the certificate in DER format.
tbsSha256 string Hex-encoded SHA256 hash of the TBSCertificate structure. This value will be the same in the precertificate/certificate combo.
subject* string Subject distinguished name.
serial* string Hex-encoded serial number.
issuer* string Issuer distinguished name.
issuerCa string The name of the issuing CA, according to CCADB.
validation string Certificate validation type.
notBefore* string(date-time) ISO 8601 timestamp.
notAfter* string(date-time) ISO 8601 timestamp.
effectiveNotAfter* string(date-time) ISO 8601 timestamp. This fields contains the time after which the certificate cannot be used in practice. For example, certificates issued from the old Symantec PKI infrastructure have been deprecated and can no longer be used for web sites, even though they are still technically valid. Depending on the deprecation phase, Symantec certificates will have the effective dates of March 1, 2018 (phase one) or September 1, 2018 (phase 2).
revokedOn* string(date-time) Revocation timestamp, if available.
keyAlg* string Private key algorithm, for example RSA or EC.
keyLen* integer Private key length, for example 256 for an ECDSA key or 2048 for an RSA key.
keyStrength* integer Estimated private key strength in symmetric bits. For example, a 256-bit ECDSA key is thought to provide 128 bits of security, whereas a 2048-bit RSA key provides about 112.
sigAlg* SigAlg Certificate signature algorithm.
spkiSha256* string Hex-encoded SHA256 of the certificate's SPKI component.
hosts* [string] All hosts specified in the certificate's SAN extension, as Unicode. This list includes both hostnames and IP addresses. Wildcard hostnames will be on the list if they are in the certificate.
sanCount integer The number of hostnames in the SAN field of the certificate.
caPathLen* integer Indicates if this is a CA certificate. Leaf certificates will have -1 in this field, indicating that they cannot issue further certificates. CA certificates will have 0 or a positive number. CA certificates without path length limit will have 2,147,483,647.
wildcard* boolean Set to true if at least one of the allowed hosts is a wildcard.
selfSigned* boolean Set to true if this is a self-signed certificate.
firstSeen* string(date-time) The first time this certificate was seen, which could be a variety of sources for example, CT, manual upload, or installed on a server.
lastSeen* string(date-time) The last time this certificate was seen installed on a server.
seenInstalled* boolean Indicates if this certificate has been seen installed on a server.
active* boolean Indicates if this certificate has been seen installed recently.
precert* boolean Indicates if the returned certificate is, in fact, a precertificate.
duplicate* boolean Set to true on a precertificate for which the certificate is known.
managed* boolean Indicates if this certificate is managed, i.e. provided by a third-party service that will also automatically renew the certificate when it becomes due.
ownership* string Indicates if this certificate belongs to the organisation, which means that it is served from one of the organization's properties. Do note that, in the case of certificate name mismatch, someone else's certificate may be considered as own. In that case, the matchesOrgHost field will be set to false.
label string The label is a human-readable string that can be used to identify the certificate.
matchesOrgHost* boolean Indicates if at least one of the host listed in the certificates matches a hosts that belongs to the organisation.
symantecStatus string Indicates if this certificate was issued from Symantec's PKI infrastructure. This field is not set when it's not necessary, as absence of value indicates that the certificate did not come from Symantec. This field is also never set on CA intermediates and roots.
ctRequired boolean Indicates whether certificate is required to be logged to CT for use on public sites. This is a requirement for all certificates issued from May 2018 onwards, as well for some earlier Symantec certificates.
ctCompliant boolean Indicates whether certificate embeds sufficient SCTs to satisfy CT policies of major platforms.
ctLogs* [CertCtLog] One entry for every observation of this certificate in CT logs. Excludes third-party CA certificates that have been imported to complete the certificate chain.
pem* string Base64-encoded certificate in DER format.
origin* string Indication of where this certificate came from. This field will contain ct if the certificate was found via real-time monitoring of Certificate Transparency logs, hdb if we imported it from our historical certificate database, net if the certificate was found installed on the network, or manual if the certificate was provided to us (e.g., if it was uploaded via the API).
originTitle string Human readable version of the origin enum value
originInfo OriginInfo Further information about the origin. For example, if the origin is cert, then this field will identify the actual certificate.
parentHashes [string] Contains the SHA256 fingerprints of parent certificates, if they are known. We currently populate this field only using the information obtained from CT log entries. When the object is a precertificate, the parent hashes may include a special precertificate signer CA certificate.
parentHashesSource string Indicates the source of the parent hashes provided in the parentHashes field. If the field contains ct, that means that the parent hashes are exactly as seen in CT. CT entries are not guaranteed to include the root; if we're able to find the right root, we'll use the value ctPlusRoot to indicate that the bulk of the chain is from CT, but that we appended a root to it. The value hardenize is reserved for future use, when we implement path building to identify the hashes for certificates only seen online (and not in CT).
parentHashesComplete boolean True if the parent hashes are available and form a complete chain, false if parent hashes are available but the chain is not complete. This field is not available when parent hashes are not available.
analysis ReportCardItem Describes the item in each report card section.
matchedHosts [string] none
matchedWildcardHosts [string] none
thirdPartyHosts [string] none
deployments Deployment none
lifetime string Contains the ISO-8601 formatted duration of the validity of the certificate
lifetimeDays integer Contains the number of days the certificate is valid.
ku [string] Key Usage extension values.
eku [string] Extended Key Usage extension values.
mustStaple boolean Indicates whether the certificate must support OCSP Stapling.
aki string Authority Key Identifier extension value.
ski string Subject Key Identifier extension value.
caIssuers [string] List of URLs where the certificate issuer's CA certificates can be obtained.
crl [string] List of URLs where the Certificate Revocation Lists (CRLs) for the certificate can be obtained.
ocsp [string] List of URLs where the OCSP responses for the certificate can be obtained.
ctInfos [CtInfo] none

Enumerated Values

Property Value
validation dv
validation ev
validation iv
validation ov
validation s
validation u
validation na
ownership own
ownership thirdParty
symantecStatus phaseOneAffected
symantecStatus phaseOneNotAffected
symantecStatus phaseTwoAffected
symantecStatus phaseTwoNotAffected
symantecStatus symantecExcluded
origin ct
origin hdb
origin manual
origin net
parentHashesSource ct
parentHashesSource ctPlusRoot
parentHashesSource hardenize

CertExtras

{
  "status": "ok",
  "certsDueDays": 60,
  "certsOverdueDays": 13,
  "certsCriticalDays": 4,
  "certsLabels": "managed",
  "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
  "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
  "ku": [
    "keyEncipherment",
    "digitalSignature"
  ],
  "eku": [
    "serverAuth",
    "clientAuth"
  ],
  "mustStaple": true,
  "crl": [
    "http://crl3.digicert.com/sha2-ev-server-g2.crl",
    "http://crl4.digicert.com/sha2-ev-server-g2.crl"
  ],
  "ocsp": [
    "http://ocsp.digicert.com"
  ],
  "precert": false
}

Properties

Name Type Description
status string none
certsDueDays integer When certificates become due. Certificates that expire in fewer days
certsOverdueDays integer When certificates become overdue. Certificates not renewed by this time are considered overdue
certsCriticalDays integer When certificates become critical. Certificates not replaced by this time are considered critical
certsLabels any List of certificate labels, indicating the type and management source of each certificate.
ski string Subject Key Identifier extension value.
aki string Authority Key Identifier extension value.
ku [string] Key Usage extension values.
eku [string] Extended Key Usage extension values.
mustStaple boolean Indicates whether the certificate must support OCSP Stapling.
crl [string] List of URLs where the Certificate Revocation Lists (CRLs) for the certificate can be obtained.
ocsp [string] List of URLs where the OCSP responses for the certificate can be obtained.
precert boolean Indicates whether this is a pre-certificate

Enumerated Values

Property Value
status ok
status warning
status error
status neutral
certsLabels precert
certsLabels managed
certsLabels thirdParty
certsLabels thirdPartyOwnHost
certsLabels intermediate
certsLabels root
certsLabels selfSigned

CtInfo

{
  "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
  "timestamp": "2024-12-20T16:02:26.632Z",
  "name": "Google 'Xenon2024' log",
  "status": "Qualified"
}

Properties

Name Type Description
id string This field contains a HEX encoded SHA256 value of the unique identifier for the CT log server that created the Signed Certificate Timestamp
timestamp string(date-time) ISO 8601 timestamp. This field contains the timestamp indicating when the SCT was created. The timestamp is typically represented in milliseconds since the Unix epoch (January 1, 1970, 00:00:00 UTC)
name string A human-readable description of the CT log
status string The status of the CT log

Deployment

{
  "hosts": [
    {
      "hostname": "string",
      "service": "dns",
      "serviceHostname": "string",
      "lastSeen": "2024-12-20T16:02:26.632Z"
    }
  ],
  "services": [
    {
      "hostname": "string",
      "address": "string",
      "port": 0,
      "asNumber": 0,
      "asName": "string",
      "cloudProvider": "string",
      "cloudRegion": "string",
      "lastSeen": "2024-12-20T16:02:26.632Z",
      "certs": [
        "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
        "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
      ],
      "tlsSupportedProtocols": [
        "TLSv1.2",
        "TLSv1.3"
      ],
      "tlsConfigurationLevel": "secure"
    }
  ]
}

Properties

Name Type Description
hosts [HostData] none
services [ServiceData] none

HostService

{
  "hosts": [
    {
      "hostname": "string",
      "service": "dns",
      "serviceHostname": "string",
      "lastSeen": "2024-12-20T16:02:26.632Z"
    }
  ],
  "services": [
    {
      "hostname": "string",
      "address": "string",
      "port": 0,
      "asNumber": 0,
      "asName": "string",
      "cloudProvider": "string",
      "cloudRegion": "string",
      "lastSeen": "2024-12-20T16:02:26.632Z",
      "certs": [
        "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
        "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
      ],
      "tlsSupportedProtocols": [
        "TLSv1.2",
        "TLSv1.3"
      ],
      "tlsConfigurationLevel": "secure"
    }
  ],
  "certificates": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.632Z",
      "notAfter": "2024-12-20T16:02:26.632Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.632Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.632Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ],
  "extras": {
    "hostname": "🔥.hardenize.com",
    "punyHostname": "xn--4v8h.hardenize.com",
    "createdOn": "2024-12-20T16:02:26.632Z",
    "status": "archived",
    "axfr": "enabled",
    "axfrHost": "stealth.ns.example.com",
    "axfrTsig": {
      "algorithm": "HMAC_MD5",
      "name": "thename"
    },
    "lastAxfrTime": "2024-12-20T16:02:26.632Z",
    "axfrError": "string",
    "lastAxfrErrorTime": "2024-12-20T16:02:26.632Z",
    "lastRegLookupTime": "2024-12-20T16:02:26.632Z",
    "origin": "hdb",
    "originTitle": "HDB",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "nx": true,
    "nxTime": "2024-12-20T16:02:26.632Z",
    "regRegistry": true,
    "regPublic": true,
    "regNx": false,
    "regNxTime": "2024-12-20T16:02:26.632Z",
    "lastAssessmentTime": "2024-12-20T16:02:26.632Z",
    "assessmentError": "Host not found",
    "lastAssessmentAttemptTime": "2024-12-20T16:02:26.632Z",
    "groups": [
      "mygroup"
    ],
    "tags": [
      "production"
    ],
    "domainRegistrant": "string",
    "domainRegistrarName": "string",
    "domainStatuses": [
      "string"
    ],
    "domainCreationTime": "2024-12-20T16:02:26.632Z",
    "domainExpireTime": "2024-12-20T16:02:26.632Z",
    "domainRegistryLock": false,
    "domainRegistrarLock": false,
    "domainLookupStatus": "string",
    "config": {},
    "classificationStatus": "active",
    "classificationTags": [
      "signin"
    ]
  }
}

Properties

Name Type Description
hosts [HostData] none
services [ServiceData] none
certificates [CertificateSummary] [Contains summary information about one certificate. ]
extras Host The Host object represents one of your hosts that resides in our database.

HostData

{
  "hostname": "string",
  "service": "dns",
  "serviceHostname": "string",
  "lastSeen": "2024-12-20T16:02:26.633Z"
}

Properties

Name Type Description
hostname string none
service string none
serviceHostname string none
lastSeen string(date-time) none

Enumerated Values

Property Value
service dns
service ftp
service html
service http
service https
service imap
service ldap
service mongodb
service mysql
service nntp
service other
service pop3
service postgres
service rdp
service redis
service sip
service smtp
service ssh
service telnet
service tls
service xmpp

ServiceData

{
  "hostname": "string",
  "address": "string",
  "port": 0,
  "asNumber": 0,
  "asName": "string",
  "cloudProvider": "string",
  "cloudRegion": "string",
  "lastSeen": "2024-12-20T16:02:26.634Z",
  "certs": [
    "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
    "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
  ],
  "tlsSupportedProtocols": [
    "TLSv1.2",
    "TLSv1.3"
  ],
  "tlsConfigurationLevel": "secure"
}

Properties

Name Type Description
hostname string none
address string none
port integer none
asNumber integer none
asName string none
cloudProvider string none
cloudRegion string none
lastSeen string(date-time) none
certs [string] none
tlsSupportedProtocols string List of supported TLS protocols
tlsConfigurationLevel string Indicates the security level of the TLS configuration

Enumerated Values

Property Value
tlsSupportedProtocols TLSv1.3
tlsSupportedProtocols TLSv1.2
tlsSupportedProtocols TLSv1.0
tlsSupportedProtocols SSLv3
tlsSupportedProtocols SSLv2
tlsConfigurationLevel secureWithPostQuantumEncryption
tlsConfigurationLevel secure
tlsConfigurationLevel insecure
tlsConfigurationLevel unknown

CertificateSummaryResponse

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.634Z",
      "notAfter": "2024-12-20T16:02:26.634Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.634Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.634Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ]
}

Contains information about summaries of certificates.

Properties

Name Type Description
certs [CertificateSummary] List of certificate summaries

CertificateSummary

{
  "shortId": "572908a",
  "label": "ssl760680.cloudflaressl.com",
  "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
  "keyAlg": "EC",
  "keyLen": 256,
  "keyStrength": 128,
  "sigAlg": "RSAwithMD2",
  "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "issuerCa": "Let's Encrypt",
  "ownership": "own",
  "notBefore": "2024-12-20T16:02:26.635Z",
  "notAfter": "2024-12-20T16:02:26.635Z",
  "effectiveNotAfter": "2024-12-20T16:02:26.635Z",
  "lifetimeDays": 736,
  "lifetimeDaysLeft": 125,
  "revokedOn": "2024-12-20T16:02:26.635Z",
  "hosts": [
    "bonn-06.qlued.net",
    "www.bonn-06.qlued.net"
  ],
  "extras": {
    "status": "ok",
    "certsDueDays": 60,
    "certsOverdueDays": 13,
    "certsCriticalDays": 4,
    "certsLabels": "managed",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "precert": false
  },
  "active": true,
  "caPathLen": -1,
  "nameDigestNewer": true
}

Contains summary information about one certificate.

Properties

Name Type Description
shortId string Short identifier for the certificate. This value is not unique. It is used in the Hardenize UI to refer to the certificate.
label string The label is a human-readable string that can be used to identify the certificate.
sha256* string Hex-encoded SHA256 hash of the certificate in DER format.
spkiSha256 string Hex-encoded SHA256 of the certificate's SPKI component.
keyAlg string Private key algorithm, for example RSA or EC.
keyLen integer Private key length, for example 256 for an ECDSA key or 2048 for an RSA key.
keyStrength integer Estimated private key strength in symmetric bits. For example, a 256-bit ECDSA key is thought to provide 128 bits of security, whereas a 2048-bit RSA key provides about 112.
sigAlg SigAlg Certificate signature algorithm.
subject* string Subject distinguished name.
serial* string Hex-encoded serial number.
issuer* string Issuer distinguished name.
issuerCa string The name of the issuing CA, according to CCADB.
ownership string Indicates if this certificate belongs to the organisation, which means that it is served from one of the organization's properties. Do note that, in the case of certificate name mismatch, someone else's certificate may be considered as own. In that case, the matchesOrgHost field will be set to false.
notBefore* string(date-time) The date+time before which the certificate is not valid
notAfter* string(date-time) The date+time after which the certificate is not valid.
effectiveNotAfter* string(date-time) ISO 8601 timestamp. This fields contains the time after which the certificate cannot be used in practice. For example, certificates issued from the old Symantec PKI infrastructure have been deprecated and can no longer be used for web sites, even though they are still technically valid. Depending on the deprecation phase, Symantec certificates will have the effective dates of March 1, 2018 (phase one) or September 1, 2018 (phase 2).
lifetimeDays integer Contains the number of days the certificate is valid.
lifetimeDaysLeft integer Contains the number of days left until the certificate will expire.
revokedOn* string(date-time) Revocation timestamp, if available.
hosts* [string] All hosts specified in the certificate's SAN extension, as Unicode. This list includes both hostnames and IP addresses. Wildcard hostnames will be on the list if they are in the certificate.
extras CertExtras none
active boolean True if the certificate has been seen installed recently.
caPathLen integer Indicates if the certificate is a leaf or a CA certificate. Leaves will have this value set to -1, CA certificates will have a 0 or some other non-zero value.
nameDigestNewer boolean True if a certificate with the same set of names but a later effective_not_after has been seen.

Enumerated Values

Property Value
ownership own
ownership thirdParty

TrustPath

{
  "chain": [
    "46ef67b522f7fceb71c27a341e79a6ae6982b6a3f57bd804e0137db6bdf0c4c3",
    "1dfc1605fbad358d8bc844f76d15203fac9ca5c1a79fd4857ffaf2864fbebf96"
  ],
  "valid": true,
  "complete": true,
  "hasErrors": false,
  "depth": 3,
  "errors": []
}

Represents a certificate trust path

Properties

Name Type Description
chain* [string] List of sha256 identifiers of the certificates in the trust path chain
valid* boolean Indicates if the certificate path is valid
complete* boolean Indicates if the certificate path is complete from leaf to root
hasErrors* boolean Indicates if there are any validation errors in the path
depth* integer The depth of the certificate chain from leaf to root
errors* [TrustPathError] List of validation errors encountered in the certificate path

TrustPathError

{
  "node": "d073b38943b36bd970ec8f61b3a1aea66e58eff160daee143bcb9d9967867813",
  "code": "invalidTime",
  "message": "Time not valid: NotAfter: Wed Aug 08 21:17:05 UTC 2018"
}

Represents an error in the certificate trust path

Properties

Name Type Description
node string The sha256 identifier of the certificate node where the error occurred
code* string Error code identifying the type of validation failure
message* string Human-readable description of the error

CertificateTrustPaths

{
  "certs": [
    {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.636Z",
      "notAfter": "2024-12-20T16:02:26.636Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.636Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.636Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    }
  ],
  "paths": [
    {
      "chain": [
        "46ef67b522f7fceb71c27a341e79a6ae6982b6a3f57bd804e0137db6bdf0c4c3",
        "1dfc1605fbad358d8bc844f76d15203fac9ca5c1a79fd4857ffaf2864fbebf96"
      ],
      "valid": true,
      "complete": true,
      "hasErrors": false,
      "depth": 3,
      "errors": []
    }
  ]
}

Contains information about certificate trust paths

Properties

Name Type Description
certs* [CertificateSummary] List of certificate summaries of certificates which are part of the trust paths
paths* [TrustPath] List of certificate trust paths

ExpiringEndpointsResponse

{
  "expiringEndpoints": [
    {
      "hostname": "example.net",
      "serviceHostname": "service.example.com",
      "serviceDomain": "example.com",
      "serviceAddress": "127.0.0.1",
      "servicePort": 443,
      "certNotAfter": "2024-12-20T16:02:26.636Z",
      "certEffectiveNotAfter": "2024-12-20T16:02:26.636Z",
      "serviceLastSeen": "2024-12-20T16:02:26.636Z",
      "certShortId": "572908a",
      "certSha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "certDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "certSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "certIssuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "certIssuerCa": "Let's Encrypt",
      "certSan": "*.hardenize.com",
      "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
      "asNumber": "12345",
      "hostClassificationStatus": "active",
      "hostClassificationTags": [
        [
          "signin"
        ]
      ],
      "tlsSupportedProtocols": [
        "TLSv1.2",
        "TLSv1.3"
      ],
      "tlsConfigurationLevel": "secure"
    }
  ],
  "extras": {
    "certsDueDays": 0,
    "certsOverdueDays": 0,
    "certsCriticalDays": 0
  }
}

Contains information about expiring endpoints.

Properties

Name Type Description
expiringEndpoints [ExpiringEndpoint] List of certificate summaries
extras CertStatsExtras none

ExpiringEndpoint

{
  "hostname": "example.net",
  "serviceHostname": "service.example.com",
  "serviceDomain": "example.com",
  "serviceAddress": "127.0.0.1",
  "servicePort": 443,
  "certNotAfter": "2024-12-20T16:02:26.637Z",
  "certEffectiveNotAfter": "2024-12-20T16:02:26.637Z",
  "serviceLastSeen": "2024-12-20T16:02:26.637Z",
  "certShortId": "572908a",
  "certSha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "certDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "certSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "certIssuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "certIssuerCa": "Let's Encrypt",
  "certSan": "*.hardenize.com",
  "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
  "asNumber": "12345",
  "hostClassificationStatus": "active",
  "hostClassificationTags": [
    [
      "signin"
    ]
  ],
  "tlsSupportedProtocols": [
    "TLSv1.2",
    "TLSv1.3"
  ],
  "tlsConfigurationLevel": "secure"
}

Contains summary information about one expiring endpoint.

Properties

Name Type Description
hostname string The name of the host.
serviceHostname string The hostname of the service associated with the endpoint.
serviceDomain string The domain of the service associated with the endpoint.
serviceAddress string The IP address of service associated with the endpoint.
servicePort integer port number.
certNotAfter string(date-time) ISO 8601 timestamp indicating when the certificate for the endpoint expires.
certEffectiveNotAfter string(date-time) ISO 8601 timestamp indicating when the certificate for the endpoint expires.
serviceLastSeen string(date-time) ISO 8601 timestamp indicating when the service was last seen.
certShortId string First 7 characters of a hex-encoded SHA256 hash of the certificate in DER format.
certSha256 string Hex-encoded SHA256 hash of the certificate in DER format.
certDn string Distinguished name of the endpoint's certificate.
certSerial string Hex-encoded serial number of the endpoint's certificate.
certIssuer string Issuer distinguished name.
certIssuerCa string The name of the issuing CA, according to CCADB.
certSan string All hosts specified in the endpoint's certificate's SAN extension, as Unicode.
asName string The name of the Autonomous System (AS).
asNumber string The number of the Autonomous System (AS).
hostClassificationStatus string Represents the status of content classification
hostClassificationTags [string] A list of content classification tags
tlsSupportedProtocols string List of supported TLS protocols
tlsConfigurationLevel string Indicates the security level of the TLS configuration

Enumerated Values

Property Value
hostClassificationStatus active
hostClassificationStatus inactive
hostClassificationStatus parked
tlsSupportedProtocols TLSv1.3
tlsSupportedProtocols TLSv1.2
tlsSupportedProtocols TLSv1.0
tlsSupportedProtocols SSLv3
tlsSupportedProtocols SSLv2
tlsConfigurationLevel secureWithPostQuantumEncryption
tlsConfigurationLevel secure
tlsConfigurationLevel insecure
tlsConfigurationLevel unknown

CertCtLog

{
  "name": "rocketeer",
  "log": "ct.googleapis.com/rocketeer",
  "timestamp": 1533791245857,
  "index": 232455,
  "type": "cert",
  "sources": [
    "log",
    "tls"
  ]
}

Properties

Name Type Description
name string The name is formed from the log field extracting the string after the last '/' or the same string if no '/' characters are present in the string
log* string CT log URL, with scheme omitted.
timestamp* integer(int64) Milliseconds since January 1, 1970, excluding leap seconds, per CT RFC.
index integer(int64) This certificate's index in the referenced CT log. This field is available only when the matching objects are observed directly in CT logs.
type* string Indicates whether a CT log entry belongs to a certificate or precertificate. Normally, precertificate objects will include only precertificate CT log entries. However, certificate objects can include entries of either type. For example, if a certificate has been logged to CT via a precertificate, it will typically include CT log entries pertaining to both the precertificate as well as its own subsequent appearance in the CT logs.
sources* [string] Hardenize collects CT information from multiple sources. This set indicates all the places where we've collected the information we have on a certificate.

Enumerated Values

Property Value
type cert
type precert

CtLogsResponse

{
  "ctLogs": [
    {
      "name": "Cloudflare 'Nimbus2023' Log",
      "url": "ct.cloudflare.com/logs/nimbus2023",
      "mmd": 86400,
      "lastIndex": 94000,
      "lastTimestamp": "2024-12-20T16:02:26.637Z"
    }
  ]
}

Properties

Name Type Description
ctLogs [CtLog] List of CT log objects

CtLog

{
  "name": "Cloudflare 'Nimbus2023' Log",
  "url": "ct.cloudflare.com/logs/nimbus2023",
  "mmd": 86400,
  "lastIndex": 94000,
  "lastTimestamp": "2024-12-20T16:02:26.641Z"
}

Properties

Name Type Description
name string The description of the log entry
url string The network endpoint
mmd integer The maximum merge delay value
lastIndex integer The last directly observed index in this log, if available
lastTimestamp string(date-time) ISO 8601 timestamp of the last observed index, if available

CreateIntegrationRequest

{
  "type": "aws",
  "name": "My Test Integration",
  "ref": "123456789012",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "string"
  }
}

This object should contain all the information required to create a new integration in your account. Some of the information is generic and used for all integration types. Integration-specific information should be placed in the config field, whilst ensuring the the provided data matches the integration type.

Properties

Name Type Description
type* string Integration type that indicates which integration is being created.
name* string Name to assign to integration. Must be unique.
ref string Integration reference; this is an optional utility field intended to carry information that uniquely identifies the account we're connecting to.
tags [string] A list of tags. Tags are added to resources fetched from your configured integration and propagated to hosts. Tag names can use only letters and digits.
enabled* boolean Whether or not the integration should be enabled immediately.
config* any Integration-specific configuration parameters, matching the selected integration as specified in the type parameter.

oneOf

Name Type Description
» anonymous CreateAwsIntegrationConfig AWS integration parameters.

xor

Name Type Description
» anonymous CreateAzureIntegrationConfig Azure integration parameters.

xor

Name Type Description
» anonymous CreateCloudflareIntegrationConfig Cloudflare integration parameters. Supply either "apiKey" for recommended auth, or "email" and "authKey" for legacy auth.

xor

Name Type Description
» anonymous CreateCscIntegrationConfig CSC integration parameters.

xor

Name Type Description
» anonymous CreateDigiCertIntegrationConfig DigiCert CertCentral integration parameters. Please ensure that the provided API key is configured as read-only. Keys that are configured for write operations will not be accepted.

xor

Name Type Description
» anonymous CreateGcpIntegrationConfig GCP integration parameters.

xor

Name Type Description
» anonymous CreateMarkMonitorIntegrationConfig MarkMonitor integration parameters.

xor

Name Type Description
» anonymous CreateNs1IntegrationConfig NS1 integration parameters.

xor

Name Type Description
» anonymous CreateSafenamesIntegrationConfig Safenames integration parameters.

Enumerated Values

Property Value
type aws
type azure
type cloudflare
type csc
type digicert
type gcp
type markmonitor
type ns1
type safenames

AwsIntegrationConfig

{
  "accountId": "string"
}

AWS integration parameters.

Properties

Name Type Description
accountId* string AWS account ID.

CreateAwsIntegrationConfig

{
  "accountId": "string"
}

AWS integration parameters.

Properties

Name Type Description
accountId* string AWS account ID.

AzureIntegrationConfig

{
  "clientId": "a85f9541-6472-054d-af7b-802663282441",
  "tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43"
}

Azure integration parameters. Although we require the Azure secret token initially, to create an integration, we do not provide it via this API afterwards.

Properties

Name Type Description
clientId* string Azure client identifier.
tenantId* string Azure tenant identifier.

CreateAzureIntegrationConfig

{
  "clientId": "a85f9541-6472-054d-af7b-802663282441",
  "tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43",
  "secret": "2q4xUYw/rTp3qoJ9x=pP.KXwUq?mnPO/"
}

Azure integration parameters.

Properties

Name Type Description
clientId* string Azure client identifier.
tenantId* string Azure tenant identifier.
secret* string Azure secret token.

DigiCertIntegrationConfig

{}

DigiCert CertCentral integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

Properties

None

CreateDigiCertIntegrationConfig

{
  "apiKey": "52YEKYDT7FARJTGWCN5B7K7YNME3APZOMP4X"
}

DigiCert CertCentral integration parameters. Please ensure that the provided API key is configured as read-only. Keys that are configured for write operations will not be accepted.

Properties

Name Type Description
apiKey* string none

GcpIntegrationConfig

{
  "project": "green-lantern-324920"
}

GCP integration parameters.

Properties

Name Type Description
project* string The GCP project name

CreateGcpIntegrationConfig

{
  "project": "green-lantern-324920"
}

GCP integration parameters.

Properties

Name Type Description
project* string The GCP project name

CloudflareIntegrationConfig

{}

Cloudflare integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

Properties

None

CreateCloudflareIntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu",
  "authKey": "27761d57fd9035185dfc45eb1275ecacd",
  "email": "postmaster@example.com"
}

Cloudflare integration parameters. Supply either "apiKey" for recommended auth, or "email" and "authKey" for legacy auth.

Properties

Name Type Description
apiKey string none
authKey string none
email string none

CscIntegrationConfig

{}

CSC integration parameters. Although we require the API key and bearer token initially, to create an integration, we do not provide them via this API afterwards.

Properties

None

CreateCscIntegrationConfig

{
  "apiKey": "23g78h23rgheriuh2r8h2rg8h2rgiuh23g",
  "bearerToken": "483fabc7-1234-4321-f12f-f48a8de8f3cf"
}

CSC integration parameters.

Properties

Name Type Description
apiKey* string none
bearerToken* string none

Ns1IntegrationConfig

{}

NS1 integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

Properties

None

CreateNs1IntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu"
}

NS1 integration parameters.

Properties

Name Type Description
apiKey* string none

MarkMonitorIntegrationConfig

{
  "username": "user"
}

MarkMonitor integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

Properties

Name Type Description
username* string The MarkMonitor api username

CreateMarkMonitorIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

MarkMonitor integration parameters.

Properties

Name Type Description
username* string none
password* string none

SafenamesIntegrationConfig

{
  "username": "user"
}

Safenames integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

Properties

Name Type Description
username* string The Safenames username

CreateSafenamesIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

Safenames integration parameters.

Properties

Name Type Description
username* string none
password* string none

CreateIntegrationResponse

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-12-20T16:02:26.644Z",
    "nextRunTime": "2024-12-20T16:02:26.644Z",
    "lastRunTime": "2024-12-20T16:02:26.644Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Properties

Name Type Description
integration* Integration Represents a third-party integration.

CreateHostsRequest

{
  "hostnames": [
    "example.com"
  ],
  "status": "monitored",
  "axfr": "auto",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "name": "thename",
    "algorithm": "HMAC_MD5",
    "key": "base64key="
  },
  "groups": [
    "production"
  ]
}

Properties

Name Type Description
hostnames* [string] List of hosts to create. Each host in this array must be a valid registrable domain (according to the Public Suffix List) or a subdomain of a registrable domain.
status string Desired host status. If the status is not specified, the initial status is determined based on the account's default status for new hosts as well as the status of parent hosts (depending on the configuration).
axfr string If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to auto which is a setting that is reserved for a future expansion and currently has the same meaning as disabled. To enable zone transfers, change the value of this field to enabled. For more information about how zone transfers are made, refer to the Request zone transfer endpoint.
axfrHost string Instead of doing AXFRs from the primary nameserver as per the zone's SOA record, use this hostname or IP address instead.
axfrTsig CreateHostsRequestAxfrTsig none
groups [string] List of groups to which the new hosts should be added. If the account is configured to inherit group membership from parent hosts, those groups are added in addition to the ones explicitly specified here.

Enumerated Values

Property Value
status monitored
status idle
status archived
axfr auto
axfr enabled
axfr disabled

CreateHostsRequestAxfrTsig

{
  "name": "thename",
  "algorithm": "HMAC_MD5",
  "key": "base64key="
}

Properties

Name Type Description
name* string TSIG key name.
algorithm* string TSIG algorithm.
key* string TSIG key, Base64-encoded.

Enumerated Values

Property Value
algorithm HMAC_MD5
algorithm HMAC_SHA1
algorithm HMAC_SHA224
algorithm HMAC_SHA256
algorithm HMAC_SHA384
algorithm HMAC_SHA512

CreateHostDiscoveryKeywordRequest

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

A keyword used for host discovery.

Properties

Name Type Description
keyword* string The text to match with. Must consist of only lowercase letters, digits, and dashes. Periods can also be used, but only when keyword is matched across DNS labels. To avoid too many matches, we require that keywords have at least 5 characters, and up to 32.
enabled* boolean Indicates if the keyword is currently active.
matchScope* string Determines if the keyword will match domains and subdomains (all) or only domains.
matchPosition* string Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant.
matchExact* boolean If set, enables exact matching.
matchFuzzy* boolean If set, enables fuzzy matching.
matchConfusables* boolean If set, enables matching of confusable characters and homographes.
exclusions* [string] Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored.

Enumerated Values

Property Value
matchScope all
matchScope domains
matchPosition anywhere
matchPosition label
matchPosition labelStart
matchPosition labelEnd
matchPosition labelStartOrEnd

CreateHostDiscoveryKeywordResponse

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name Type Description
hostDiscoveryKeyword* HostDiscoveryKeyword A keyword used for host discovery.

CreateHostDiscoveryNameserverRequest

{
  "hostnames": [
    "ns1.example.com"
  ]
}

Properties

Name Type Description
hostnames* [string] none

UpdateHostDiscoveryNameserverRequest

{
  "enabled": true
}

Properties

Name Type Description
enabled boolean Controls whether a nameserver is actively monitored. A nameserver could be disabled if it's responsible for too many matches, which usually indicates a misconfigured. Alternatively, a nameserver may be disabled if it no longer matches any of the organization's domains.

CreateHostDiscoveryNameserverResponse

{
  "hostDiscoveryKeyword": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name Type Description
hostDiscoveryKeyword* HostDiscoveryNameserver A keyword used for host discovery.

DiscoveryHostReportRequest

{
  "limit": 100,
  "format": "csv"
}

Properties

Name Type Description
limit integer If set, returns only up to the specified number of host discoveries.
format string If set, returns host discoveries in the format specified. Default: JSON

Enumerated Values

Property Value
format json
format csv
format xlsx

DiscoveryHostReportResponse

{
  "discoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2024-12-20T16:02:26.646Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2024-12-20T16:02:26.647Z"
    }
  ]
}

Properties

Name Type Description
discoveries [HostDiscovery] [This object represents our discovery of a host which might be relevant to your organization.]

CreateCertResponse

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-12-20T16:02:26.647Z",
    "notAfter": "2024-12-20T16:02:26.647Z",
    "effectiveNotAfter": "2024-12-20T16:02:26.647Z",
    "revokedOn": "2024-12-20T16:02:26.647Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "RSAwithMD2",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-12-20T16:02:26.648Z",
    "lastSeen": "2024-12-20T16:02:26.648Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-12-20T16:02:26.648Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-12-20T16:02:26.648Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ],
          "tlsSupportedProtocols": [
            "TLSv1.2",
            "TLSv1.3"
          ],
          "tlsConfigurationLevel": "secure"
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-12-20T16:02:26.648Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  }
}

Properties

Name Type Description
cert Certificate Contains information about one certificate.

CreateEventHookRequest

{
  "hookType": "webhook",
  "eventTypes": [
    "ct.entry"
  ],
  "status": "enabled",
  "destination": "https://hardenize.com/webhooks/receive"
}

Properties

Name Type Description
hookType* string Desired event hook type.
eventTypes* [string] A list of event types to send to this event hook.
status string Initial status for this hook. Default: disabled.
destination* string Event hook destination; for webhooks, this must be an HTTPS URL. For deliveries via PubSub, you must supply here a valid destination obtained via the List Event Destinations API endpoint.

Enumerated Values

Property Value
hookType pubsub
hookType webhook

CreateEventHookResponse

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Properties

Name Type Description
eventHook* EventHook Event hook objects contain information pertaining to a destination to which events are delivered (pushed).

CreateNetworkRangeRequest

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "range": "192.168.1.0/24",
  "scan": true,
  "tags": [
    "production"
  ]
}

Properties

None

CreateOrgRequest

{
  "id": "7f070931-0cfb-41cb-bb05-98a792d238b1",
  "name": "Hardenize",
  "label": "hardenize",
  "status": "active",
  "certLimitHard": 1000,
  "commercialStatus": "internal",
  "generateApiCredentials": true,
  "hostDiscoveryAutoimportSubdomains": false,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": 1000,
  "featureHostDiscovery": false,
  "featureMfa": false,
  "featureSaml": false
}

Properties

Name Type Description
id* string Unique ID that should be used to refer to the new organization. This value should be unique across all organizations that belong to the same parent. The syntax must match that of a DNS host label, using only lowercase characters. This field can be set, but cannot be updated.
name string Organization name is typically what will be shown in administrative user interfaces. If not provided in the request, the the id parameter will be used as the default value.
label string Organization label is a user-friendly identifier and also has to be unique across the organizations belonging to the same parent. Labels are shown in the application UI and URLs. This field is optional; if it is not provided, the id parameter will be used instead. This field can be set, but cannot be updated.
status string The initial status the organization should have. Default: active.
certLimitHard integer Hard limit on the number of certificates in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit.
commercialStatus string The initial commercial status for the new organization. Default: internal.
generateApiCredentials boolean If set, creates new master API credentials for the organization. The generated password must be stored by the caller, otherwise it will be lost. Default: false.
hostDiscoveryAutoimportSubdomains boolean If set, newly discovered host that are subdomain of known hosts will be automatically added to the host inventory. Requires featureHostDiscovery to be enabled. Default: false.
hostDiscoveryExcludeSuffixes [string] If provided, this field is a list of domain suffixes that should be ignored during discovery.
hostDiscoveryEnabled boolean Indicates if host discovery is enabled.
hostDiscoveryLimitHard integer Hard limit on the number of host discoveries in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit.
hostLimitHard integer Hard limit on the number of hosts in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit.
featureHostDiscovery boolean If set, enables the host discovery feature. The feature must be available in the parent organization. Default: false.
featureMfa boolean If set, enables multi-factor authentication (MFA). The feature must be available in the parent organization. Default: false
featureSaml boolean If set, enables SAML. The feature must be available in the parent organization. Default: false

Enumerated Values

Property Value
status active
status dormant
status suspended
status deleted
commercialStatus free
commercialStatus internal
commercialStatus paying
commercialStatus trial

CreateOrgResponse

{
  "org": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Properties

Name Type Description
org* Organization none

CreateGroupRequest

{
  "name": "Production",
  "auto": true,
  "tags": [
    "production"
  ]
}

Properties

Name Type Description
name* string Display name, typically used for human interaction. Groups also have an identifier, which we automatically generate from the names. Group identifiers and names must be unique, after whitespace is trimmed and text converted to lowercase.
auto boolean Indicates if this group is an auto-group, meaning that hosts are added to it and removed from based on whether they have matching tags. Hosts added to a group if they have at least one matching tag. Hosts are removed from a group if they have no matching tags.
tags [string] Tags associated with this group. Auto-groups only.

UpdateGroupRequest

{
  "tags": [
    "production"
  ]
}

Properties

Name Type Description
tags [string] Tags associated with this group. Auto-tags only.

CreateGroupResponse

{
  "group": {
    "id": "production",
    "name": "Production",
    "auto": true,
    "tags": [
      "production"
    ]
  }
}

Properties

Name Type Description
group* Group The Group object represents one account group.

CreateSearchRequest

{
  "index": "network",
  "query": "pki.certs.sha256:f7e960995532d54a845f70e9f3430fccda1f7f3925f874ab50e8105777764d74",
  "limit": 10,
  "columns": [
    "hostname",
    "address",
    "port"
  ]
}

Encapsulates parameters required to submit a search. At minimum, provide the index and query fields. If you wish to get the data back in CSV format, supply the desired field names in the columns field. To know what field names are available, it's usually best to examine the JSON output of a limited number of results, then re-run the query to get CSV output.

Properties

Name Type Description
index* string The index against which the supplied query will be executed.
query* string The desired query, using the Elasticsearch query language.
limit integer When provided, the output will be limited to the requested number of results. This parameter can be useful when you're experimenting with a complex query and don't wish to incur the overhead of fetching, downloading, and processing the entire result set. Default: no limit.
columns [string] When this field is provided in the requests, search results will be provided in CSV format with the fields as specified.

Enumerated Values

Property Value
index certificates
index network

CreateTlsCheckRequest

{
  "host": "hardenize.com",
  "port": 443,
  "location": "london",
  "resolverStrategy": "all"
}

TLS check parameters.

Properties

Name Type Description
host* string Endpoint hostname, which must be one of the names in the asset inventory. IP addresses are currently not supported.
port* integer Endpoint port, for example 443.
location* string Location from which the check should be performed.
resolverStrategy string DNS resolver strategy to use to convert hostname to IP addresses for testing. Default: all.

Enumerated Values

Property Value
resolverStrategy all
resolverStrategy all4
resolverStrategy all6
resolverStrategy one4
resolverStrategy one46
resolverStrategy one6
resolverStrategy one64

DeleteHostsRequest

{
  "hostnames": [
    "example.com"
  ],
  "subdomains": true,
  "preview": true
}

Properties

Name Type Description
hostnames* [string] List of hosts to delete.
subdomains boolean If set, indicates that the operation should apply to all the subdomains of the specified hosts. Default: false
preview boolean If set, this parameter enables preview mode, which means that no hosts will be deleted. Instead, the response will include the list of hosts that would have been deleted. Default: false.

DeleteHostsResponse

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Properties

Name Type Description
hostnames* [string] List of hosts that have been deleted (or would have been deleted, in preview mode).
preview* boolean Indicates if the action was executed or only previewed.

Event

{
  "id": 10001,
  "type": "ct",
  "createdOn": "2024-12-20T16:02:26.652Z",
  "apiVersion": "0.14.0",
  "data": {
    "field": "value"
  }
}

Event objects are created in response to various things of interest that happen in your account. They are designed to be a generic storage and retrieval system that can carry arbitrary embedded objects, which are encoded in JSON format. The type fields is used as indicator as to which embedded object is stored in the data field. We also record the version of the API at the time the data object was created. Should there be differences in the format, you can use the apiVersion field to determine exactly how the data should be handled.

Properties

Name Type Description
id* integer none
type* string none
createdOn* string(date-time) none
apiVersion* string none
data* string none

EventDestination

{
  "destinationId": "pubsub://events/1/1005",
  "type": "pubsub",
  "project": "hz-events-pubsub",
  "topic": "projects/hz-events-pubsub/topics/ep-1-1005",
  "subscription": "ep-1-1005",
  "subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
}

Contains information about one destination that can be used to receive events.

Properties

Name Type Description
destinationId* string Unique system-generated identifier.
type* string Destination type. Different fields may be available depending on this value.
project string PubSub project name.
topic string PubSub topic name.
subscription string PubSub subscription name.
subscriberCredentials string Contains raw Google GCP service account file that should be used to authenticate when retrieving from the subscription associated with this destination.

Enumerated Values

Property Value
type pubsub

EventHook

{
  "id": "bfc384726b6447a4b70a171de49e466f",
  "hookType": "webhook",
  "eventTypes": [
    "ct.entry"
  ],
  "status": "enabled",
  "destination": "https://hardenize.com/webhooks/receive",
  "secret": "3685c06a966e4d0ea625d0b475719661"
}

Event hook objects contain information pertaining to a destination to which events are delivered (pushed).

Properties

Name Type Description
id* string Contains the system-generated event hook identifier. This value is strongly random and, because it's provided with every event, can be used for an easy security check on the receiving end.
hookType* string Contains hook type.
eventTypes* [string] Contains the list of event types that will be sent to this hook.
status* string Indicates the current status of the event hook. The normal states are enabled and disabled. If a hook is determine to be inoperational, we will automatically disable it and change its state to failed.
destination string Contains the destination where events will be sent.
secret* string Contains a strongly random secret value unique to this hook. Used to sign events on delivery.

Enumerated Values

Property Value
hookType pubsub
hookType webhook
status enabled
status disabled
status failed

EventType

{
  "name": "ct",
  "available": true,
  "enabled": true
}

Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them.

Properties

Name Type Description
name* string none
available* boolean Specifies whether the account supports generation of this type of event.
enabled* boolean Specifies whether events of this type are currently being generated.

ErrorMessage

{
  "param": "string",
  "message": "string"
}

One instance of this object is returned for every problem encountered during request processing. If the object includes parameter name, the problem is related to that parameter, otherwise the problem applies to the request as a whole.

Properties

Name Type Description
param string none
message* string none

ErrorResponse

{
  "errors": [
    {
      "param": "string",
      "message": "string"
    }
  ]
}

This object is returned whenever a processing error occurs. It contains a list of error messages, some of which may be attributed to specific request parameters.

Properties

Name Type Description
errors* [ErrorMessage] [One instance of this object is returned for every problem encountered during request processing. If the object includes parameter name, the problem is related to that parameter, otherwise the problem applies to the request as a whole. ]

GetCertResponse

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-12-20T16:02:26.654Z",
    "notAfter": "2024-12-20T16:02:26.654Z",
    "effectiveNotAfter": "2024-12-20T16:02:26.654Z",
    "revokedOn": "2024-12-20T16:02:26.654Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "RSAwithMD2",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-12-20T16:02:26.654Z",
    "lastSeen": "2024-12-20T16:02:26.654Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-12-20T16:02:26.663Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-12-20T16:02:26.663Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ],
          "tlsSupportedProtocols": [
            "TLSv1.2",
            "TLSv1.3"
          ],
          "tlsConfigurationLevel": "secure"
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-12-20T16:02:26.663Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  },
  "extras": {
    "status": "ok",
    "certsDueDays": 60,
    "certsOverdueDays": 13,
    "certsCriticalDays": 4,
    "certsLabels": "managed",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "precert": false
  }
}

Properties

Name Type Description
cert* Certificate Contains information about one certificate.
extras CertExtras none

GetEventResponse

{
  "event": {
    "id": 10001,
    "type": "ct",
    "createdOn": "2024-12-20T16:02:26.664Z",
    "apiVersion": "0.14.0",
    "data": {
      "field": "value"
    }
  }
}

Properties

Name Type Description
event* Event Event objects are created in response to various things of interest that happen in your account. They are designed to be a generic storage and retrieval system that can carry arbitrary embedded objects, which are encoded in JSON format. The type fields is used as indicator as to which embedded object is stored in the data field. We also record the version of the API at the time the data object was created. Should there be differences in the format, you can use the apiVersion field to determine exactly how the data should be handled.

GetHostDiscoveryResponse

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2024-12-20T16:02:26.664Z",
    "origin": "hdb",
    "originTitle": "HDB",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2024-12-20T16:02:26.665Z"
  }
}

Properties

Name Type Description
hostDiscovery* HostDiscovery This object represents our discovery of a host which might be relevant to your organization.

GetHostDiscoveryKeywordResponse

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name Type Description
hostDiscoveryKeyword* HostDiscoveryKeyword A keyword used for host discovery.

GetHostDiscoveryNameserverResponse

{
  "hostDiscoveryNameserver": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name Type Description
hostDiscoveryNameserver* HostDiscoveryNameserver A keyword used for host discovery.

GetAccessControlConfigResponse

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

Current network access configuration.

Properties

Name Type Description
apiNetworks* [string] List of network address ranges from which access to the API should be allowed. Empty list means no restrictions.
apiNetworksCascade* string If set to true, the configured API whitelist is enforced on all child organizations.
appNetworks* [string] List of network address ranges from which access to the web application should be allowed. Empty list means no restrictions.
appNetworksCascade* string If set to true, the configured web application whitelist is enforced on all child organizations.

Enumerated Values

Property Value
apiNetworksCascade disabled
apiNetworksCascade enabled
appNetworksCascade disabled
appNetworksCascade enabled

GetIssueResponse

{
  "integration": {
    "issueId": 10001,
    "revision": 1,
    "definitionId": "DNS1001",
    "subject": "OPAQUE",
    "subjectDomain": "example.com",
    "title": "Dangling Resource Record",
    "category": "DNS",
    "severity": "high",
    "cause": "OPAQUE",
    "causeDomain": "nxdomain.example.com",
    "causeIp": "192.168.1.1",
    "open": true,
    "status": "active",
    "auto": true,
    "autoOpen": true,
    "autoPreservedStatus": "string",
    "createdOn": "2022-06-17T00:00:00Z",
    "lastClosed": "2022-06-17T00:00:00Z",
    "lastUpdated": "2022-06-17T00:00:00Z",
    "lastChecked": "2022-06-17T00:00:00Z",
    "lastConfirmed": "2022-06-17T00:00:00Z",
    "snoozedUntil": "2022-06-17T00:00:00Z",
    "details": {
      "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
      "rrDomain": "example.com",
      "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
      "rrType": "SRV",
      "danglingType": "nxdomain",
      "causeDomain": "nxdomain.example.com"
    },
    "groups": [
      "Product"
    ]
  }
}

Properties

Name Type Description
integration Issue none

SetupAwsIntegrationsResponse

{
  "externalId": "hardenize-1uspdz"
}

Information needed to set up an AWS integration.

Properties

Name Type Description
externalId* string The externalId parameter to use when creating the integration AWS role.

SetupGcpIntegrationsResponse

{
  "serviceAccount": "integration-customer-abc123@hardenize-app-production.iam.gserviceaccount.com"
}

Information needed to set up a GCP integration.

Properties

Name Type Description
serviceAccount* string Email address of the service account you need to grant access for

HostExclusionsResponse

{
  "hostExclusions": [
    "example.com"
  ]
}

The current list of host exclusions.

Properties

Name Type Description
hostExclusions [string] none

HostDefaultsResponse

{
  "newHostStatus": "archived",
  "newHostInheritStatus": true,
  "newHostInheritGroup": false
}

The current host defaults configuration.

Properties

Name Type Description
newHostStatus string The new host status.
newHostInheritStatus boolean The new host inherit status.
newHostInheritGroup boolean The new host inherit group.

Enumerated Values

Property Value
newHostStatus archived
newHostStatus monitored
newHostStatus idle

UpdateHostDefaultsRequest

{
  "newHostStatus": "archived",
  "newHostInheritStatus": true,
  "newHostInheritGroup": false
}

When set default host configuration is overwritten.

Properties

Name Type Description
newHostStatus string The new host status.
newHostInheritStatus boolean The new host inherit status.
newHostInheritGroup boolean The new host inherit group.

Enumerated Values

Property Value
newHostStatus archived
newHostStatus monitored
newHostStatus idle

UpdateHostExclusionsRequest

{
  "hostExclusions": [
    [
      "example.com"
    ]
  ]
}

List of hosts to exclude

Properties

Name Type Description
hostExclusions [string] none

CertificateMonitoringResponse

{
  "notificationsEmailAddresses": [
    "dev@hardenize.com"
  ],
  "notificationsCustomText": "This is a custom text message",
  "pkiTeamId": "devteam",
  "notificationsSendOverdue": false,
  "notificationsSendCritical": false,
  "certsDueDays": 45,
  "certsOverdueDays": 6,
  "certsCriticalDays": 2,
  "vendorCertsCriticalDays": 2,
  "monitorNetworks": true,
  "includeNetworks": [
    "127.0.0.1/32"
  ],
  "excludeNetworks": [
    "127.0.0.1/32"
  ]
}

The current certificate monitoring configuration.

Properties

Name Type Description
notificationsEmailAddresses [string] none
notificationsCustomText string none
pkiTeamId string none
notificationsSendOverdue boolean none
notificationsSendCritical boolean none
certsDueDays integer(int32) none
certsOverdueDays integer(int32) none
certsCriticalDays integer(int32) none
vendorCertsCriticalDays integer(int32) none
monitorNetworks boolean none
includeNetworks [cidr] Contains a list of network ranges that are included in certificate monitoring.
excludeNetworks [cidr] Contains a list of network ranges that are excluded from certificate monitoring.

UpdateCertificateMonitoringRequest

{
  "notificationsEmailAddresses": [
    "dev@hardenize.com"
  ],
  "notificationsCustomText": "This is a custom notification text",
  "pkiTeamId": "devteam",
  "notificationsSendOverdue": false,
  "notificationsSendCritical": true,
  "certsDueDays": 45,
  "certsOverdueDays": 12,
  "certsCriticalDays": 6,
  "vendorCertsCriticalDays": 6,
  "monitorNetworks": true,
  "includeNetworks": [
    "127.0.0.1/32"
  ],
  "excludeNetworks": [
    "127.0.0.1/32"
  ]
}

When set the default certificate monitoring configuration is overwritten.

Properties

Name Type Description
notificationsEmailAddresses [string] none
notificationsCustomText string none
pkiTeamId string If not supplied, the value remains the same as before. To delete, use an empty string
notificationsSendOverdue boolean none
notificationsSendCritical boolean none
certsDueDays integer(int32) none
certsOverdueDays integer(int32) none
certsCriticalDays integer(int32) none
vendorCertsCriticalDays integer(int32) none
monitorNetworks boolean none
includeNetworks [cidr] Contains a list of IP address range in CIDR notation that are included in certificate monitoring
excludeNetworks [cidr] Contains a list of IP address range in CIDR notation that are excluded from certificate monitoring

CtMonitoringResponse

{
  "discoveryEmailNotifications": "escalations",
  "closeCertKnown": false,
  "closeCertInstalled": false,
  "closeCertExpired": false,
  "closeCertRevoked": false,
  "closeCaaMatchFull": false,
  "closeIssuerAllowed": false,
  "closeAllowedIssuerKeywords": [
    "string"
  ],
  "closeAllowedIssuerKeywordsOverrides": [
    {
      "pattern": "string",
      "keywords": [
        "string"
      ]
    }
  ],
  "closeCaseInactive": true,
  "closeCaseInactiveDays": 60,
  "escalateCertNotInstalled": false,
  "escalateCertNotInstalledDays": 120,
  "escalateCaaMismatch": true,
  "escalateCertNotCtCompliant": false,
  "escalateIssuerNotAllowed": false,
  "escalateIssuerForbidden": true,
  "escalateForbiddenIssuerKeywords": [
    "forbidden"
  ],
  "escalateCertMaxLifetimeExceeded": false
}

The current certificate transparency monitoring configuration.

Properties

Name Type Description
discoveryEmailNotifications string The discovery email notification recipients.
closeCertKnown boolean none
closeCertInstalled boolean none
closeCertExpired boolean none
closeCertRevoked boolean none
closeCaaMatchFull boolean none
closeIssuerAllowed boolean none
closeAllowedIssuerKeywords [string] none
closeAllowedIssuerKeywordsOverrides [CloseAllowedIssuerKeywordsOverride] [Allowed issuer keywords to override ]
closeCaseInactive boolean none
closeCaseInactiveDays integer(int32) none
escalateCertNotInstalled boolean none
escalateCertNotInstalledDays integer(int32) none
escalateCaaMismatch boolean none
escalateCertNotCtCompliant boolean none
escalateIssuerNotAllowed boolean none
escalateIssuerForbidden boolean none
escalateForbiddenIssuerKeywords [string] none
escalateCertMaxLifetimeExceeded boolean none

Enumerated Values

Property Value
discoveryEmailNotifications all
discoveryEmailNotifications escalations
discoveryEmailNotifications none

CloseAllowedIssuerKeywordsOverride

{
  "pattern": "string",
  "keywords": [
    "string"
  ]
}

Allowed issuer keywords to override

Properties

Name Type Description
pattern string none
keywords [string] none

UpdateCtMonitoringRequest

{
  "discoveryEmailNotifications": "escalations",
  "closeCertKnown": false,
  "closeCertInstalled": true,
  "closeCertExpired": false,
  "closeCertRevoked": true,
  "closeCaaMatchFull": false,
  "closeIssuerAllowed": true,
  "closeAllowedIssuerKeywords": [
    "string"
  ],
  "closeAllowedIssuerKeywordsOverrides": [
    {
      "pattern": "string",
      "keywords": [
        "string"
      ]
    }
  ],
  "closeCaseInactive": false,
  "closeCaseInactiveDays": true,
  "escalateCertNotInstalled": false,
  "escalateCertNotInstalledDays": true,
  "escalateCaaMismatch": true,
  "escalateCertNotCtCompliant": false,
  "escalateIssuerNotAllowed": true,
  "escalateIssuerForbidden": false,
  "escalateForbiddenIssuerKeywords": [
    "string"
  ],
  "escalateCertMaxLifetimeExceeded": true
}

New CT monitoring configuration

Properties

Name Type Description
discoveryEmailNotifications string The discovery email notification recipients.
closeCertKnown boolean none
closeCertInstalled boolean none
closeCertExpired boolean none
closeCertRevoked boolean none
closeCaaMatchFull boolean none
closeIssuerAllowed boolean none
closeAllowedIssuerKeywords [string] none
closeAllowedIssuerKeywordsOverrides [CloseAllowedIssuerKeywordsOverride] [Allowed issuer keywords to override ]
closeCaseInactive boolean none
closeCaseInactiveDays integer(int32) none
escalateCertNotInstalled boolean none
escalateCertNotInstalledDays integer(int32) none
escalateCaaMismatch boolean none
escalateCertNotCtCompliant boolean none
escalateIssuerNotAllowed boolean none
escalateIssuerForbidden boolean none
escalateForbiddenIssuerKeywords [string] none
escalateCertMaxLifetimeExceeded boolean none

Enumerated Values

Property Value
discoveryEmailNotifications all
discoveryEmailNotifications escalations
discoveryEmailNotifications none

GetMfaConfigResponse

{
  "mfaRequired": true
}

The current multi-factor authentication (MFA) configuration.

Properties

Name Type Description
mfaRequired* boolean If set, all users must have multi-factor enabled in order to access this organization.

UpdateAwsIntegrationConfig

{
  "accountId": "123456789012"
}

Properties

Name Type Description
accountId string The account identifier of the AWS Role created for this integration. The identifier is just the number part of the entire Amazon Role Number (ARN) string.

UpdateAzureIntegrationConfig

{
  "clientId": "a85f9541-6472-054d-af7b-802663282441",
  "tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43",
  "secret": "2q4xUYw/rTp3qoJ9x=pP.KXwUq?mnPO/"
}

Properties

Name Type Description
clientId string Azure client identifier.
tenantId string Azure tenant identifier.
secret string Azure secret token.

UpdateCloudflareIntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu",
  "authKey": "a986c4a2d345acd9663018742f3600bf9edba",
  "email": "postmaster@example.com"
}

Properties

Name Type Description
apiKey string The Cloudflare API key
authKey string Cloudflare global api key (legacy auth)
email string none

UpdateCscIntegrationConfig

{
  "apiKey": "23g923guh3uh2gj2dokd",
  "bearerToken": "483fabc7-1234-4321-f12f-f48a8de8f3cf"
}

Properties

Name Type Description
apiKey string The CSC API key
bearerToken string The CSC API bearer token

UpdateDigiCertIntegrationConfig

{
  "apiKey": "52YEKYDT7FARJTGWCN5B7K7YNME3APZOMP4X"
}

Properties

Name Type Description
apiKey string The DigiCert API key

UpdateGcpIntegrationConfig

{
  "project": "green-lantern-324920"
}

Properties

Name Type Description
project string The GCP project name

UpdateMarkMonitorIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

Properties

Name Type Description
username string The MarkMonitor API username
password string The MarkMonitor API password

UpdateSafenamesIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

Properties

Name Type Description
username string The Safenames username
password string The Safenames password

UpdateNs1IntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu"
}

Properties

Name Type Description
apiKey string The DigiCert API key

UpdateIntegrationRequest

{
  "name": "My Test Integration",
  "ref": "348394209898",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "123456789012"
  }
}

This object is designed to carry the information you wish to use to update a particular integration. Include only the fields you wish to change; all other fields will remain unchanged. The data in the config field must be appropriate for the integration type.

Properties

Name Type Description
name string Name to assign to integration. Must be unique.
ref string Integration reference; this field should contain the other party's unique account identifier, enabling you to know exactly which account we're connecting to.
tags [string] A list of tags. Tags are added to resources fetched from your configured integration. Tag names can use only letters and digits.
enabled boolean Whether or not the integration should be enabled immediately.
config any Integration-specific configuration parameters, matching the selected integration as specified in the type parameter.

oneOf

Name Type Description
» anonymous UpdateAwsIntegrationConfig none

xor

Name Type Description
» anonymous UpdateAzureIntegrationConfig none

xor

Name Type Description
» anonymous UpdateCloudflareIntegrationConfig none

xor

Name Type Description
» anonymous UpdateCscIntegrationConfig none

xor

Name Type Description
» anonymous UpdateDigiCertIntegrationConfig none

xor

Name Type Description
» anonymous UpdateGcpIntegrationConfig none

xor

Name Type Description
» anonymous UpdateNs1IntegrationConfig none

GetIdentityResponse

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2024-12-20T16:02:26.670Z",
    "lastSeen": "2024-12-20T16:02:26.670Z",
    "lastCheck": "2024-12-20T16:02:26.670Z",
    "error": "Not a unique identity.",
    "errorTime": "2024-12-20T16:02:26.670Z"
  }
}

Properties

Name Type Description
identity* Identity This object represents an identity.

Identity

{
  "identityId": 11113,
  "type": "dns_soa_rname",
  "enabled": true,
  "identity": "postmaster@example.com",
  "createdOn": "2024-12-20T16:02:26.670Z",
  "lastSeen": "2024-12-20T16:02:26.670Z",
  "lastCheck": "2024-12-20T16:02:26.670Z",
  "error": "Not a unique identity.",
  "errorTime": "2024-12-20T16:02:26.670Z"
}

This object represents an identity.

Properties

Name Type Description
identityId* integer A unique identifier which you can use to refer to a particular identity when updating.
type* string The type of identity, for example WHOIS registrant or email address.
enabled* boolean If this identity is enabled for discovery
identity* string The identity text.
createdOn* string(date-time) Indicates when was the first time we observed this identity.
lastSeen* string(date-time) Indicates the last time we observed this identity.
lastCheck string(date-time) Indicates the last time we looked for new assets connected to this identity.
error string The text of the error message. If an error occurs, the identity may be disabled. This may happen if a shared identity is initially added as unique, but later determined to actually be shared.
errorTime string(date-time) Contains the time of the most recent error related to this identity.

Enumerated Values

Property Value
type cert_dn_o
type dns_mx
type dns_soa_rname
type whois_email
type whois_registrant

GetIntegrationResponse

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-12-20T16:02:26.671Z",
    "nextRunTime": "2024-12-20T16:02:26.671Z",
    "lastRunTime": "2024-12-20T16:02:26.671Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Properties

Name Type Description
integration* Integration Represents a third-party integration.

UpdateIntegrationResponse

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2024-12-20T16:02:26.671Z",
    "nextRunTime": "2024-12-20T16:02:26.671Z",
    "lastRunTime": "2024-12-20T16:02:26.671Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Properties

Name Type Description
integration* Integration Represents a third-party integration.

UpdateMfaConfigRequest

{
  "mfaRequired": true
}

Desired changes to the multi-factor authentication configuration.

Properties

Name Type Description
mfaRequired boolean If set, all users must have multi-factor enabled in order to access this organization.

UpdateMfaConfigResponse

{
  "mfaRequired": true
}

The multi-factor authentication (MFA) configuration after a successful update operation.

Properties

Name Type Description
mfaRequired* boolean If set, all users must have multi-factor enabled in order to access this organization.

GetNetworkScanningConfigResponse

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

The current network scanning configuration.

Properties

Name Type Description
netscanStatic* boolean If set, scanning of static networks is enabled. For the scanning to take place, individual networks must be explicitly configured for scanning.
netscanDynamic* boolean If set to true, scanning of dynamic IP addresses resolved from the organization's hostnames is enabled.
monitorCloudIps* boolean If set to true, scanning of IP addresses discovered by cloud integrations is enabled.
netscanExclusions* [cidr] Contains a list of network ranges that will be excluded from network scanning.

GetSamlConfigResponse

{
  "enabled": true,
  "idpMetadata": "string"
}

The current SAML configuration.

Properties

Name Type Description
enabled* boolean If set, SAML will be available during sign in, provided the IdP metadata has been correctly configured.
idpMetadata string Identity Provider (IdP) metadata XML.

UpdateSamlConfigRequest

{
  "enabled": true,
  "idpMetadata": "string"
}

Encapsulates desired changes to the SAML cofiguration.

Properties

Name Type Description
enabled boolean If set, enables SAML for this organization. Requires correctly configured IdP metadata.
idpMetadata string Identity Provider (IdP) metadata XML. To remove existing metadata, set this value to an empty string. This will be detected and the field will be set to null.

UpdateSamlConfigResponse

{
  "enabled": true,
  "idpMetadata": "string"
}

The SAML configuration after a successful update operation.

Properties

Name Type Description
enabled* boolean If set, SAML will be available during sign in, provided the IdP metadata has been correctly configured.
idpMetadata string Identity Provider (IdP) metadata XML.

OperationStatus

{
  "id": "6e7b190fa8d4ba14f707",
  "done": true,
  "statusCode": 200,
  "contentType": "application/json; charset=UTF-8",
  "pages": 10,
  "rows": 2494,
  "rowsPerPage": 250
}

Properties

Name Type Description
id* string Unique operation identifier.
done* boolean If false, indicates that the operation is still in progress. If true, indicates that all processing ended.
statusCode integer HTTP status code of the operation, typically 200 (completed), 400 (bad request), 404 (requested data not found), 410 (operation cancelled), 500 (internal server error), 502 (remote server or service malfunctioned), and 503 (remote server or service not available). This field is available only after operation completes.
contentType string The content type associated with operation results.
pages integer How many pages there there in the operation result.
rows integer Total number of rows in the operation result.
rowsPerPage integer How many rows there are in each result page.

FetchDigiCertOrderRequest

{}

This object is currently only a placeholder that's used to support adding additional fetch parameters in the future. For now, only an empty object is required to be included in the request body.

Properties

None

GetOrgResponse

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Properties

Name Type Description
suborg Organization none

Group

{
  "id": "production",
  "name": "Production",
  "auto": true,
  "tags": [
    "production"
  ]
}

The Group object represents one account group.

Properties

Name Type Description
id* string none
name* string none
auto* boolean True if this group is an auto-group.
tags [string] Tags associated with this group. Auto-groups only.

HdbCertsByHostSuffixRequest

{
  "host": "example.com",
  "includeExactMatch": true,
  "includeWildcardMatch": true,
  "includeSubDomains": true,
  "includePem": true,
  "limit": 100
}

Parameters for a HDB search of public certificates by host suffix. You must supply at least one of includeExactMatch, includeWildcardMatch or includeSubDomains.

Properties

Name Type Description
host* string Host suffix to search by (e.g., example.com).
includeExactMatch boolean Include certificates containing the exact hostname. Default: false.
includeWildcardMatch boolean Include certificates that match the host suffix due to containing a wildcard in them. For example, for www.example.com, a wildcard match would include certificates with *.example.com. Default: false.
includeSubDomains boolean Include certificates containing any subdomain of the supplied host suffix. Default: false.
includePem boolean Include the raw certificate in PEM format. Default: false.
limit integer Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit.

HdbCertsByKeywordRequest

{
  "keyword": "example",
  "includePem": true,
  "limit": 100
}

Parameters for a HDB search of public certificates by keyword.

Properties

Name Type Description
keyword* string The keyword to be used in the search.
includePem boolean Include the raw certificate in PEM format. Default: false.
limit integer Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit.

HdbCertsBySpkiRequest

{
  "spki": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "includePem": true,
  "limit": 100
}

Parameters for a HDB search of public certificates by SPKI.

Properties

Name Type Description
spki* string SHA256 hash of the requested SPKI.
includePem boolean Include the raw certificate in PEM format. Default: false.
limit integer Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit.

HdbCertResponse

{
  "cert": {
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "unpacked": {
      "label": "www.example.com",
      "subject": "CN=www.example.com",
      "commonNames": [
        "www.example.com"
      ],
      "san": [
        "mail.example.com"
      ],
      "ski": "af47cb938e299991ec6538685ec20affbf817b2f",
      "issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
      "issuer": "Let's Encrypt Authority X3",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
      "notBefore": "2024-12-20T16:02:26.675Z",
      "notAfter": "2024-12-20T16:02:26.675Z",
      "issuerUrls": [
        "http://cert.int-x3.letsencrypt.org/"
      ],
      "crlUrls": [
        "http://crl.pki.goog/GTS1O1.crl"
      ],
      "ocspUrls": [
        "http://ocsp.pki.goog/gts1o1"
      ],
      "fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
      "fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
      "keyUsage": [
        "keyEncipherment"
      ],
      "extendedKeyUsage": [
        "serverAuth"
      ],
      "scts": [
        {
          "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
          "logName": "DigiCert Yeti2020 Log",
          "timestamp": "2024-12-20T16:02:26.675Z"
        }
      ],
      "mustStaple": true,
      "sigAlg": {
        "oid": "1.2.840.113549.1.1.11",
        "name": "SHA256withRSA"
      },
      "subjectKey": {
        "algName": "RSA",
        "bits": 2048,
        "strength": 112,
        "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
      },
      "ca": true,
      "caPathLen": 1
    }
  }
}

A single certificate returned by a HDB search.

Properties

Name Type Description
cert* HdbCert A certificate as returned by a HDB search.

HdbCertsListResponse

{
  "certs": [
    {
      "sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "subject": "CN=www.example.com",
      "notAfter": "2024-12-20T16:02:26.676Z",
      "names": [
        "example.com"
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM="
    }
  ]
}

A list of certificates as returned by a HDB search.

Properties

Name Type Description
certs* [HdbCertsListCert] [A certificate as returned by a HDB search.]

HdbCertsListCert

{
  "sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
  "subject": "CN=www.example.com",
  "notAfter": "2024-12-20T16:02:26.676Z",
  "names": [
    "example.com"
  ],
  "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM="
}

A certificate as returned by a HDB search.

Properties

Name Type Description
sha256* string SHA256 hash of the certificate.
spkiSha256* string Hex-encoded SHA256 of the certificate's SPKI component.
subject* string Certificate subject Distinguished Name in text format.
notAfter* string(date-time) ISO 8601 timestamp.
names [string] none
pem string Base64-encoded certificate in DER format.

HdbCert

{
  "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
  "unpacked": {
    "label": "www.example.com",
    "subject": "CN=www.example.com",
    "commonNames": [
      "www.example.com"
    ],
    "san": [
      "mail.example.com"
    ],
    "ski": "af47cb938e299991ec6538685ec20affbf817b2f",
    "issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
    "issuer": "Let's Encrypt Authority X3",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
    "notBefore": "2024-12-20T16:02:26.676Z",
    "notAfter": "2024-12-20T16:02:26.676Z",
    "issuerUrls": [
      "http://cert.int-x3.letsencrypt.org/"
    ],
    "crlUrls": [
      "http://crl.pki.goog/GTS1O1.crl"
    ],
    "ocspUrls": [
      "http://ocsp.pki.goog/gts1o1"
    ],
    "fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
    "fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
    "keyUsage": [
      "keyEncipherment"
    ],
    "extendedKeyUsage": [
      "serverAuth"
    ],
    "scts": [
      {
        "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
        "logName": "DigiCert Yeti2020 Log",
        "timestamp": "2024-12-20T16:02:26.676Z"
      }
    ],
    "mustStaple": true,
    "sigAlg": {
      "oid": "1.2.840.113549.1.1.11",
      "name": "SHA256withRSA"
    },
    "subjectKey": {
      "algName": "RSA",
      "bits": 2048,
      "strength": 112,
      "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
    },
    "ca": true,
    "caPathLen": 1
  }
}

A certificate as returned by a HDB search.

Properties

Name Type Description
pem* string Base64-encoded certificate in DER format.
unpacked UnpackedCert Various information parsed from the certificate.

Host

{
  "hostname": "🔥.hardenize.com",
  "punyHostname": "xn--4v8h.hardenize.com",
  "createdOn": "2024-12-20T16:02:26.677Z",
  "status": "archived",
  "axfr": "enabled",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "algorithm": "HMAC_MD5",
    "name": "thename"
  },
  "lastAxfrTime": "2024-12-20T16:02:26.677Z",
  "axfrError": "string",
  "lastAxfrErrorTime": "2024-12-20T16:02:26.677Z",
  "lastRegLookupTime": "2024-12-20T16:02:26.677Z",
  "origin": "hdb",
  "originTitle": "HDB",
  "originInfo": {
    "net": {
      "host": "aspmx.l.google.com",
      "address": "2a00:1450:400c:c00:0:0:0:1b",
      "port": 25,
      "protocol": "smtp"
    }
  },
  "nx": true,
  "nxTime": "2024-12-20T16:02:26.677Z",
  "regRegistry": true,
  "regPublic": true,
  "regNx": false,
  "regNxTime": "2024-12-20T16:02:26.677Z",
  "lastAssessmentTime": "2024-12-20T16:02:26.677Z",
  "assessmentError": "Host not found",
  "lastAssessmentAttemptTime": "2024-12-20T16:02:26.677Z",
  "groups": [
    "mygroup"
  ],
  "tags": [
    "production"
  ],
  "domainRegistrant": "string",
  "domainRegistrarName": "string",
  "domainStatuses": [
    "string"
  ],
  "domainCreationTime": "2024-12-20T16:02:26.677Z",
  "domainExpireTime": "2024-12-20T16:02:26.677Z",
  "domainRegistryLock": false,
  "domainRegistrarLock": false,
  "domainLookupStatus": "string",
  "config": {},
  "classificationStatus": "active",
  "classificationTags": [
    "signin"
  ]
}

The Host object represents one of your hosts that resides in our database.

Properties

Name Type Description
hostname* string A fully-qualified domain name.
punyHostname string A fully-qualified domain name, as Punycode.
createdOn* string(date-time) none
status* string This host's monitoring status. If the status is monitored, we're going to use all account features to monitor this host, including active network monitoring. If the status is idle, we're going to use only passive information gathering (e.g., via Certificate Transparency). If the status is archived, we're not going to perform any host-related activity, but existing data will be preserved. This status is intended for use with hosts that are no longer of interest, but whose history should be preserved.
axfr string If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to auto which is a setting that is reserved for a future expansion and currently has the same meaning as disabled. To enable zone transfers, change the value of this field to enabled.
axfrHost string Instead of doing AXFRs from the primary nameserver as per the zone's SOA record, use this hostname or IP address instead.
axfrTsig HostAxfrTsig none
lastAxfrTime string(date-time) The time of the last successful zone transfer.
axfrError string The error message associated with the last unsuccessful zone transfer.
lastAxfrErrorTime string(date-time) The time of the last unsuccessful zone transfer.
lastRegLookupTime string(date-time) The time of the last successful domain registration lookup
origin* string Indication of where this host came from.
originTitle string Human readable version of the origin enum value
originInfo OriginInfo Further information about the origin. For example, if the origin is cert, then this field will identify the actual certificate.
nx* boolean If true, this host effectively doesn't exist in the DNS.
nxTime string(date-time) When nx is true, this field contains the timestamp of when we first detected that it no longer exists in the DNS.
regRegistry* boolean True if this host is a registrable domain name under a registry (IANA) suffix. If this field is true then regPublic will also be true. Updated based on the latest Public Suffix List information.
regPublic* boolean True if this host is a registrable domain name under any public suffix. This field can be true when regRegistry is not. Updated based on the latest Public Suffix List information.
regNx boolean If true, this field indicates that the registrable domain doesn't exist. Absent if the host is not a registrable domain name.
regNxTime string(date-time) When regNx is true, this field contains the timestamp of when we first detected that the registrable domain name no longer exists.
lastAssessmentTime string(date-time) The time of the last successful assessment.
assessmentError string Error message, which is available only if the last assessment resulted in an error.
lastAssessmentAttemptTime string(date-time) When was the last assessment attempted?
groups* [string] Under Development: Identifiers of all groups this host belongs to.
tags* [string] none
domainRegistrant string The individual or entity who registers a domain name.
domainRegistrarName string The name of the domain registrar with whom the domain name is registered.
domainStatuses [string] The statuses of the domain name within the domain registry.
domainCreationTime string(date-time) The date and time when the domain name was initially registered or create.
domainExpireTime string(date-time) The date and time when the domain registration is set to expire.
domainRegistryLock boolean This field indicates whether the domain name has a registry lock applied to it.
domainRegistrarLock boolean This field indicates whether the domain name has a registrar lock applied to it.
domainLookupStatus string Represents the status of the domain ok, if present otherwise unknown
config object Under Development: This field is an object that contains detailed host configuration. It's not fully documented at this time because we're still working on the data model. You can use the data in this field if it's useful to you, but do note that the format is very likely to change.
classificationStatus string Represents the status of content classification
classificationTags [string] A list of content classification tags

Enumerated Values

Property Value
status archived
status idle
status monitored
axfr auto
axfr enabled
axfr disabled
origin cert
origin ct
origin hdb
origin manual
classificationStatus active
classificationStatus inactive
classificationStatus parked

HostAxfrTsig

{
  "algorithm": "HMAC_MD5",
  "name": "thename"
}

Properties

Name Type Description
algorithm* string Axfr transfer algorithm
name* string Axfr transfer name

Enumerated Values

Property Value
algorithm HMAC_MD5
algorithm HMAC_SHA1
algorithm HMAC_SHA224
algorithm HMAC_SHA256
algorithm HMAC_SHA384
algorithm HMAC_SHA512

HostDiscovery

{
  "discoveryId": 11113,
  "autoResolved": false,
  "hostname": "www.🔥.hardenize.com",
  "discoveredTime": "2024-12-20T16:02:26.678Z",
  "origin": "hdb",
  "originTitle": "HDB",
  "originInfo": {
    "net": {
      "host": "aspmx.l.google.com",
      "address": "2a00:1450:400c:c00:0:0:0:1b",
      "port": 25,
      "protocol": "smtp"
    }
  },
  "matchInfo": {
    "certdno": {
      "o": "Cloudflare, Inc."
    },
    "integration": {
      "name": "AWS Production",
      "type": "aws",
      "ref": "string"
    },
    "keyword": {
      "matches": [
        {
          "encoding": "ascii",
          "keyword": "string",
          "matchPosition": "anywhere",
          "matchScope": "all",
          "search": "bitSquatting"
        }
      ]
    },
    "mx": {
      "mx": "mail.example.com"
    },
    "nameserver": {
      "matches": [
        {
          "name": "ns1.hardenize.com",
          "firstSeen": "2021-09-21T15:32:02.322Z"
        }
      ]
    },
    "rname": {
      "email": "postmaster@example.com"
    },
    "whois": {
      "keywords": [
        "example.com"
      ]
    }
  },
  "matchCertDNO": false,
  "matchIntegration": true,
  "matchKeyword": false,
  "matchMx": false,
  "matchNameserver": false,
  "matchSubdomain": false,
  "matchRname": false,
  "matchWhois": false,
  "resolution": "pending",
  "updatedTime": "2024-12-20T16:02:26.678Z"
}

This object represents our discovery of a host which might be relevant to your organization.

Properties

Name Type Description
discoveryId* integer A unique identifier which you can use to refer to a particular host discovery when updating
autoResolved* boolean We may have automatically resolved your discovery. If we have, this will be set to true
hostname* string The hostname that we discovered, that we think might be relevant to you
discoveredTime string(date-time) The date and time that we made this particular discovery
origin* string The location at which we discovered the hostname.
originTitle string Human readable version of the origin enum value
originInfo OriginInfo Further information about the origin. For example, if the origin is cert, then this field will identify the actual certificate.
matchInfo MatchInfo Information describing how the discovery came about.
matchCertDNO boolean True if discovery matched a certificates DN O field
matchIntegration boolean True if discovery was via a configured integration.
matchKeyword boolean True if discovery matched a keyword.
matchMx boolean True if discovery was via our DNS MX lookup.
matchNameserver boolean True if discovery was via our nameserver lookup.
matchSubdomain boolean True if discovery is a subdomain of a known host.
matchRname boolean True if discovery was via our DNS SOA RNAME lookup.
matchWhois boolean True if discovery was via our whois lookup.
resolution* string The current resolution state of the discovery. This is usually set to "pending" to indicate that you should resolve the discovery in some manner.
updatedTime string(date-time) The date and time that this discovery was last updated

Enumerated Values

Property Value
origin cert
origin ct
origin hdb
origin manual
resolution pending
resolution own
resolution supplier
resolution unrelated
resolution infringing
resolution phishing

HostDiscoveryKeyword

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ],
  "error": "Disabled due to too many matches: 10000",
  "errorTime": "2020-06-12T15:00:00.011Z"
}

A keyword used for host discovery.

Properties

Name Type Description
keyword* string The text to match with. Must consist of only lowercase letters, digits, dashes, and periods. It also must contain at least 5 characters and not more than 32.
enabled* boolean Indicates if the keyword is currently active.
matchScope* string Determines what type of results the keyword will look for.
matchPosition* string Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant.
matchExact* boolean If set, enables exact matching.
matchFuzzy* boolean If set, enables fuzzy matching.
matchConfusables* boolean If set, enables mathing of confusable characters and homographes.
exclusions* [string] Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored.
error string If keyword had been disabled because of an error, this field contains the error message.
errorTime string(date-time) If keyword had been disabled because of an error, this field contains the time the disabling took place.

Enumerated Values

Property Value
matchScope all
matchScope domains
matchPosition anywhere
matchPosition label,
matchPosition labelStart
matchPosition labelEnd
matchPosition labelStartOrEnd

HostDiscoveryNameserver

{
  "hostname": "ns1.hardenize.com",
  "punyHostname": "ns1.hardenize.com",
  "createdOn": "2020-06-10T15:36:49.044Z",
  "enabled": false,
  "error": "Disabled due to too many matches: 10000",
  "errorTime": "2020-06-12T15:00:00.011Z"
}

A keyword used for host discovery.

Properties

Name Type Description
hostname string A fully-qualified domain name.
punyHostname string A fully-qualified domain name, as Punycode.
createdOn string(date-time) Holds nameserver creation timestamp.
enabled boolean Indicates whether this nameserver is used for discovery. Nameservers are enabled by default and this field set to true. Nameservers that return too many matches (typically an indication of shared nameservers) will be disabled with an error message and timestamp provided.
error string When nameserver is disabled by the system, this field contains the error message that explains the problem.
errorTime string(date-time) Holds error timestamp; this is typically when the server had been disabled.

Integration

{
  "integrationId": 1,
  "name": "My Test Integration",
  "ref": "348394209898",
  "type": "aws",
  "enabled": true,
  "tags": [
    "production"
  ],
  "error": "Invalid credentials for logging in to integration",
  "errorTime": "2024-12-20T16:02:26.680Z",
  "nextRunTime": "2024-12-20T16:02:26.680Z",
  "lastRunTime": "2024-12-20T16:02:26.680Z",
  "lastRunErrors": [
    "Unable to obtain list of registered domain names."
  ],
  "config": {
    "accountId": "string"
  }
}

Represents a third-party integration.

Properties

Name Type Description
integrationId* integer(int64) Unique integration identifier.
name* string Integration name.
ref string Integration reference; this field should contain the other party's unique account identifier, enabling you to know exactly which account we're connecting to.
type* string Integration type
enabled* boolean Indicates if the integration is enabled.
tags* [string] none
error string If a fatal error occurs when we attempt to connect to the other party, the integration will be disabled; this field contains the error message.
errorTime string(date-time) The time when the error occured.
nextRunTime string(date-time) When an integration is enabled, this field indicates the next time it is scheduled to run.
lastRunTime string(date-time) If present, the last time the integration was attempted.
lastRunErrors [string] If any non-fatal errors are encountered, this field will contain the corresponding error messages. For example, if permissions are incorrectly configured, we may be able to connect to the third-party account but not perform all desired operations.
config* any Integration-specific configuration parameters, matching the selected integration as specified in the type parameter.

oneOf

Name Type Description
» anonymous AwsIntegrationConfig AWS integration parameters.

xor

Name Type Description
» anonymous AzureIntegrationConfig Azure integration parameters. Although we require the Azure secret token initially, to create an integration, we do not provide it via this API afterwards.

xor

Name Type Description
» anonymous CloudflareIntegrationConfig Cloudflare integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

xor

Name Type Description
» anonymous CscIntegrationConfig CSC integration parameters. Although we require the API key and bearer token initially, to create an integration, we do not provide them via this API afterwards.

xor

Name Type Description
» anonymous DigiCertIntegrationConfig DigiCert CertCentral integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

xor

Name Type Description
» anonymous GcpIntegrationConfig GCP integration parameters.

xor

Name Type Description
» anonymous MarkMonitorIntegrationConfig MarkMonitor integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

xor

Name Type Description
» anonymous Ns1IntegrationConfig NS1 integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

xor

Name Type Description
» anonymous SafenamesIntegrationConfig Safenames integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

Enumerated Values

Property Value
type aws
type azure
type cloudflare
type csc
type digicert
type gcp
type markmonitor
type ns1
type safenames

Issue

{
  "issueId": 10001,
  "revision": 1,
  "definitionId": "DNS1001",
  "subject": "OPAQUE",
  "subjectDomain": "example.com",
  "title": "Dangling Resource Record",
  "category": "DNS",
  "severity": "high",
  "cause": "OPAQUE",
  "causeDomain": "nxdomain.example.com",
  "causeIp": "192.168.1.1",
  "open": true,
  "status": "active",
  "auto": true,
  "autoOpen": true,
  "autoPreservedStatus": "string",
  "createdOn": "2022-06-17T00:00:00Z",
  "lastClosed": "2022-06-17T00:00:00Z",
  "lastUpdated": "2022-06-17T00:00:00Z",
  "lastChecked": "2022-06-17T00:00:00Z",
  "lastConfirmed": "2022-06-17T00:00:00Z",
  "snoozedUntil": "2022-06-17T00:00:00Z",
  "details": {
    "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
    "rrDomain": "example.com",
    "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
    "rrType": "SRV",
    "danglingType": "nxdomain",
    "causeDomain": "nxdomain.example.com"
  },
  "groups": [
    "Product"
  ]
}

Properties

Name Type Description
issueId* integer Unique issue identifier.
revision* integer Issue revision. Starts at 1 and increments every time the issue is updated.
definitionId string Unique identifier of the definition from which this issue was created. Automatically created issues will always have this field set.
subject string Opaque value that identifies the subject of the issue. The subject describes the infrastructure element affected by the issue, for example a domain name. Provided for grouping and sorting purposes.
subjectDomain string If applicable, the domain name associated with the subject. Provided for grouping and sorting purposes.
title* string Descriptive issue title. Copied from the definition, if the issue has one.
category* string Issue category. Copied from the definition, if the issue has one, otherwise assigned at creation.
severity* string Issue severity.
cause string Opaque value that identifies the root cause of the issue. Provided for grouping and sorting purposes.
causeDomain string If applicable, the domain name associated with the cause. Provided for grouping and sorting purposes.
causeIp string If applicable, the IP address associated with the cause. Provided for grouping and sorting purposes.
open* boolean Indicates if this issue is open or closed.
status* string Describes the current issue status. Issues that are automatically created will use the active and completed statuses. An issue may become orphaned of the subject disappears or monitoring ceases.
auto* boolean If true, this issue was automatically created from a network observation, and will be automatically resolved once the problem has been addressed.
autoOpen boolean This field is used only with auto issue and tracks the status of the detected problem. Unlike issues themselves, which can be manually closed, this field always reflects what is observed at network level.
autoPreservedStatus string This field is used to preserve the status of an issue that is auto-closed. If we need to reopen the issue later, we will restore the correct status.
createdOn* string(date-time) Indicates when this issue was created.
lastClosed string(date-time) Indicates when this issue was last closed. An issue may have more than one timestamp in this field if it's closed then reopened.
lastUpdated* string(date-time) Indicates when this issue was last updated. This field will also be set immediately after an issue is created and the timestamp will be the same as in createdOn.
lastChecked string(date-time) Indicates when this issue was last checked. Always set for automatic issues.
lastConfirmed string(date-time) Indicates when this issue was last confirmed. Always set for automatic issues.
snoozedUntil string(date-time) If an issue is snoozed, this field contains an optional timestamp after which the issue will automatically be restored back to active status.
details object Contains issue-specific information. Issues are designed to track a variety of problems as well as notifications and other event types. For this reason, the main fields are generic in nature, but that's where this field comes in, to carry additiona data custom-tailored for the problem at hand. To interpret this object, examine the @type property and process it accordingly.
groups [string] List of all groups this issue belongs to.

Enumerated Values

Property Value
severity info
severity low
severity medium
severity high
severity critical
severity urgent
status abandoned
status active
status bogus
status completed
status deprecated
status ignored
status orphaned
status snoozed

ListAuditEventsResponse

{
  "events": [
    {
      "id": 10001,
      "actorType": "u",
      "actorId": "userId:12090749",
      "actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
      "timestamp": "2018-09-03T14:09:59.000Z",
      "remoteAddr": "18.233.176.231",
      "sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
      "resourceType": "user",
      "resourceId": "12090749",
      "action": "user.auth.succeeded",
      "status": 200,
      "details": {
        "method": "password"
      }
    }
  ]
}

Properties

Name Type Description
events [AuditEvent] [Contains information about one audit log event. ]

ListCertDiscoveriesResponse

{
  "certDiscoveries": [
    {
      "certDiscoveryId": 11766,
      "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
      "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "createdOn": "2022-06-17T00:00:00Z",
      "updatedOn": "2022-06-17T00:00:00Z",
      "closedOn": "2022-06-17T00:00:00Z",
      "escalated": false,
      "status": "open",
      "resolution": "undetermined",
      "certSummary": {
        "shortId": "572908a",
        "label": "ssl760680.cloudflaressl.com",
        "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
        "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
        "keyAlg": "EC",
        "keyLen": 256,
        "keyStrength": 128,
        "sigAlg": "RSAwithMD2",
        "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
        "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
        "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
        "issuerCa": "Let's Encrypt",
        "ownership": "own",
        "notBefore": "2024-12-20T16:02:26.681Z",
        "notAfter": "2024-12-20T16:02:26.681Z",
        "effectiveNotAfter": "2024-12-20T16:02:26.681Z",
        "lifetimeDays": 736,
        "lifetimeDaysLeft": 125,
        "revokedOn": "2024-12-20T16:02:26.682Z",
        "hosts": [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ],
        "extras": {
          "status": "ok",
          "certsDueDays": 60,
          "certsOverdueDays": 13,
          "certsCriticalDays": 4,
          "certsLabels": "managed",
          "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
          "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
          "ku": [
            "keyEncipherment",
            "digitalSignature"
          ],
          "eku": [
            "serverAuth",
            "clientAuth"
          ],
          "mustStaple": true,
          "crl": [
            "http://crl3.digicert.com/sha2-ev-server-g2.crl",
            "http://crl4.digicert.com/sha2-ev-server-g2.crl"
          ],
          "ocsp": [
            "http://ocsp.digicert.com"
          ],
          "precert": false
        },
        "active": true,
        "caPathLen": -1,
        "nameDigestNewer": true
      },
      "matchedHosts": [
        [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ]
      ]
    }
  ]
}

Properties

Name Type Description
certDiscoveries* [CertDiscoverySummary] [Contains complete information about a certificate discovered in one of the monitored CT logs. ]

GetCertDiscoveryResponse

{
  "certDiscovery": {
    "certDiscoveryId": 11766,
    "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "createdOn": "2022-06-17T00:00:00Z",
    "updatedOn": "2022-06-17T00:00:00Z",
    "closedOn": "2022-06-17T00:00:00Z",
    "escalated": false,
    "status": "open",
    "resolution": "undetermined",
    "certSummary": {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.682Z",
      "notAfter": "2024-12-20T16:02:26.682Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.682Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.682Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    },
    "certKnown": false,
    "certInstalled": true,
    "certExpired": false,
    "certRevoked": false,
    "issuerAllowed": true,
    "issuerAllowedKeyword": "GlobalSign",
    "issuerNotAllowed": false,
    "issuerForbidden": false,
    "issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "caaMismatch": false,
    "caaMatchFull": false,
    "notCtCompliant": false,
    "maxLifetimeExceeded": false,
    "timeoutCaseInactive": false,
    "timeoutCertNotInstalled": false,
    "matchedHosts": [
      [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ]
    ],
    "matchedHostsInfo": {
      "property1": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      },
      "property2": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      }
    },
    "matchedHostsCaaHistory": {
      "property1": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-12-20T16:02:26.683Z",
          "lastSeen": "2024-12-20T16:02:26.683Z",
          "records": [
            "string"
          ]
        }
      ],
      "property2": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-12-20T16:02:26.683Z",
          "lastSeen": "2024-12-20T16:02:26.683Z",
          "records": [
            "string"
          ]
        }
      ]
    },
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ]
  }
}

Properties

Name Type Description
certDiscovery* CertDiscovery Contains complete information about a certificate discovered in one of the monitored CT logs.

ListCertsResponse

{
  "certs": [
    {
      "shortId": "572908a",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "validation": "dv",
      "notBefore": "2024-12-20T16:02:26.683Z",
      "notAfter": "2024-12-20T16:02:26.683Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.683Z",
      "revokedOn": "2024-12-20T16:02:26.683Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "sanCount": 1,
      "caPathLen": -1,
      "wildcard": true,
      "selfSigned": false,
      "firstSeen": "2024-12-20T16:02:26.684Z",
      "lastSeen": "2024-12-20T16:02:26.684Z",
      "seenInstalled": true,
      "active": true,
      "precert": false,
      "duplicate": false,
      "managed": true,
      "ownership": "own",
      "label": "ssl760680.cloudflaressl.com",
      "matchesOrgHost": true,
      "symantecStatus": "symantecExcluded",
      "ctRequired": true,
      "ctCompliant": true,
      "ctLogs": [
        {
          "name": "rocketeer",
          "log": "ct.googleapis.com/rocketeer",
          "timestamp": 1533791245857,
          "index": 232455,
          "type": "cert",
          "sources": [
            "log",
            "tls"
          ]
        }
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
      "origin": "ct",
      "originTitle": "CT",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "parentHashes": [
        "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
        "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
      ],
      "parentHashesSource": "ct",
      "parentHashesComplete": true,
      "analysis": {
        "id": "ITEM_DOMAIN_REGISTRATION",
        "name": "Domain Registration",
        "status": "good",
        "remarks": [
          {
            "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
            "title": "Nameserver is not operational",
            "content": "Good. The private key associated with this certificate is secure.",
            "severity": "good",
            "data": {
              "Name": "dns1.registrar-servers.com.",
              "Address": "2610:a1:1024::200",
              "Reverse name": "dns1.registrar-servers.com."
            }
          }
        ]
      },
      "matchedHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "matchedWildcardHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "thirdPartyHosts": [
        "hardenize.com"
      ],
      "deployments": {
        "hosts": [
          {
            "hostname": "string",
            "service": "dns",
            "serviceHostname": "string",
            "lastSeen": "2024-12-20T16:02:26.684Z"
          }
        ],
        "services": [
          {
            "hostname": "string",
            "address": "string",
            "port": 0,
            "asNumber": 0,
            "asName": "string",
            "cloudProvider": "string",
            "cloudRegion": "string",
            "lastSeen": "2024-12-20T16:02:26.684Z",
            "certs": [
              "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
              "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
            ],
            "tlsSupportedProtocols": [
              "TLSv1.2",
              "TLSv1.3"
            ],
            "tlsConfigurationLevel": "secure"
          }
        ]
      },
      "lifetime": "PT17652H",
      "lifetimeDays": 736,
      "ku": [
        "keyEncipherment",
        "digitalSignature"
      ],
      "eku": [
        "serverAuth",
        "clientAuth"
      ],
      "mustStaple": true,
      "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
      "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
      "caIssuers": [
        "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
      ],
      "crl": [
        "http://crl3.digicert.com/sha2-ev-server-g2.crl",
        "http://crl4.digicert.com/sha2-ev-server-g2.crl"
      ],
      "ocsp": [
        "http://ocsp.digicert.com"
      ],
      "ctInfos": [
        {
          "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
          "timestamp": "2024-12-20T16:02:26.684Z",
          "name": "Google 'Xenon2024' log",
          "status": "Qualified"
        }
      ]
    }
  ]
}

Properties

Name Type Description
certs* [Certificate] [Contains information about one certificate. ]

ListCertSummariesResponse

{
  "certs": [
    {
      "shortId": "572908a",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "validation": "dv",
      "notBefore": "2024-12-20T16:02:26.685Z",
      "notAfter": "2024-12-20T16:02:26.685Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.685Z",
      "revokedOn": "2024-12-20T16:02:26.685Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "sanCount": 1,
      "caPathLen": -1,
      "wildcard": true,
      "selfSigned": false,
      "firstSeen": "2024-12-20T16:02:26.685Z",
      "lastSeen": "2024-12-20T16:02:26.685Z",
      "seenInstalled": true,
      "active": true,
      "precert": false,
      "duplicate": false,
      "managed": true,
      "ownership": "own",
      "label": "ssl760680.cloudflaressl.com",
      "matchesOrgHost": true,
      "symantecStatus": "symantecExcluded",
      "ctRequired": true,
      "ctCompliant": true,
      "ctLogs": [
        {
          "name": "rocketeer",
          "log": "ct.googleapis.com/rocketeer",
          "timestamp": 1533791245857,
          "index": 232455,
          "type": "cert",
          "sources": [
            "log",
            "tls"
          ]
        }
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
      "origin": "ct",
      "originTitle": "CT",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "parentHashes": [
        "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
        "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
      ],
      "parentHashesSource": "ct",
      "parentHashesComplete": true,
      "analysis": {
        "id": "ITEM_DOMAIN_REGISTRATION",
        "name": "Domain Registration",
        "status": "good",
        "remarks": [
          {
            "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
            "title": "Nameserver is not operational",
            "content": "Good. The private key associated with this certificate is secure.",
            "severity": "good",
            "data": {
              "Name": "dns1.registrar-servers.com.",
              "Address": "2610:a1:1024::200",
              "Reverse name": "dns1.registrar-servers.com."
            }
          }
        ]
      },
      "matchedHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "matchedWildcardHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "thirdPartyHosts": [
        "hardenize.com"
      ],
      "deployments": {
        "hosts": [
          {
            "hostname": "string",
            "service": "dns",
            "serviceHostname": "string",
            "lastSeen": "2024-12-20T16:02:26.685Z"
          }
        ],
        "services": [
          {
            "hostname": "string",
            "address": "string",
            "port": 0,
            "asNumber": 0,
            "asName": "string",
            "cloudProvider": "string",
            "cloudRegion": "string",
            "lastSeen": "2024-12-20T16:02:26.685Z",
            "certs": [
              "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
              "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
            ],
            "tlsSupportedProtocols": [
              "TLSv1.2",
              "TLSv1.3"
            ],
            "tlsConfigurationLevel": "secure"
          }
        ]
      },
      "lifetime": "PT17652H",
      "lifetimeDays": 736,
      "ku": [
        "keyEncipherment",
        "digitalSignature"
      ],
      "eku": [
        "serverAuth",
        "clientAuth"
      ],
      "mustStaple": true,
      "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
      "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
      "caIssuers": [
        "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
      ],
      "crl": [
        "http://crl3.digicert.com/sha2-ev-server-g2.crl",
        "http://crl4.digicert.com/sha2-ev-server-g2.crl"
      ],
      "ocsp": [
        "http://ocsp.digicert.com"
      ],
      "ctInfos": [
        {
          "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
          "timestamp": "2024-12-20T16:02:26.685Z",
          "name": "Google 'Xenon2024' log",
          "status": "Qualified"
        }
      ]
    }
  ]
}

Properties

Name Type Description
certs* [Certificate] [Contains information about one certificate. ]

ListEventDestinationsResponse

{
  "eventDestinations": [
    {
      "destinationId": "pubsub://events/1/1005",
      "type": "pubsub",
      "project": "hz-events-pubsub",
      "topic": "projects/hz-events-pubsub/topics/ep-1-1005",
      "subscription": "ep-1-1005",
      "subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
    }
  ]
}

Properties

Name Type Description
eventDestinations* [EventDestination] [Contains information about one destination that can be used to receive events. ]

ListEventHooksResponse

{
  "eventHooks": [
    {
      "id": "bfc384726b6447a4b70a171de49e466f",
      "hookType": "webhook",
      "eventTypes": [
        "ct.entry"
      ],
      "status": "enabled",
      "destination": "https://hardenize.com/webhooks/receive",
      "secret": "3685c06a966e4d0ea625d0b475719661"
    }
  ]
}

Properties

Name Type Description
eventHooks* [EventHook] [Event hook objects contain information pertaining to a destination to which events are delivered (pushed). ]

ListEventsResponse

{
  "events": [
    {
      "id": 10001,
      "type": "ct",
      "createdOn": "2024-12-20T16:02:26.686Z",
      "apiVersion": "0.14.0",
      "data": {
        "field": "value"
      }
    }
  ]
}

Properties

Name Type Description
events* [Event] [Event objects are created in response to various things of interest that happen in your account. They are designed to be a generic storage and retrieval system that can carry arbitrary embedded objects, which are encoded in JSON format. The type fields is used as indicator as to which embedded object is stored in the data field. We also record the version of the API at the time the data object was created. Should there be differences in the format, you can use the apiVersion field to determine exactly how the data should be handled. ]

ListEventTypesResponse

{
  "eventTypes": [
    {
      "name": "ct",
      "available": true,
      "enabled": true
    }
  ]
}

Properties

Name Type Description
eventTypes* [EventType] [Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them. ]

GetHostResponse

{
  "host": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-12-20T16:02:26.686Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-12-20T16:02:26.686Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-12-20T16:02:26.686Z",
      "lastRegLookupTime": "2024-12-20T16:02:26.686Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-12-20T16:02:26.686Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-12-20T16:02:26.686Z",
      "lastAssessmentTime": "2024-12-20T16:02:26.686Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-12-20T16:02:26.686Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-12-20T16:02:26.686Z",
      "domainExpireTime": "2024-12-20T16:02:26.686Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  ]
}

Properties

Name Type Description
host* [Host] [The Host object represents one of your hosts that resides in our database.]

GetHostStatsResponse

{
  "monitored": 0,
  "archived": 0,
  "idle": 0,
  "total": 0,
  "domains": 0,
  "subdomains": 0
}

Properties

Name Type Description
monitored integer none
archived integer none
idle integer none
total integer none
domains integer none
subdomains integer none

ListHostsResponse

{
  "hosts": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-12-20T16:02:26.686Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-12-20T16:02:26.686Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-12-20T16:02:26.686Z",
      "lastRegLookupTime": "2024-12-20T16:02:26.686Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-12-20T16:02:26.687Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-12-20T16:02:26.687Z",
      "lastAssessmentTime": "2024-12-20T16:02:26.687Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-12-20T16:02:26.687Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-12-20T16:02:26.687Z",
      "domainExpireTime": "2024-12-20T16:02:26.687Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  ]
}

Properties

Name Type Description
hosts* [Host] [The Host object represents one of your hosts that resides in our database.]

GetHostServicesResponse

{
  "hostServices": {
    "hosts": [
      {
        "hostname": "string",
        "service": "dns",
        "serviceHostname": "string",
        "lastSeen": "2024-12-20T16:02:26.687Z"
      }
    ],
    "services": [
      {
        "hostname": "string",
        "address": "string",
        "port": 0,
        "asNumber": 0,
        "asName": "string",
        "cloudProvider": "string",
        "cloudRegion": "string",
        "lastSeen": "2024-12-20T16:02:26.687Z",
        "certs": [
          "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
          "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
        ],
        "tlsSupportedProtocols": [
          "TLSv1.2",
          "TLSv1.3"
        ],
        "tlsConfigurationLevel": "secure"
      }
    ],
    "certificates": [
      {
        "shortId": "572908a",
        "label": "ssl760680.cloudflaressl.com",
        "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
        "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
        "keyAlg": "EC",
        "keyLen": 256,
        "keyStrength": 128,
        "sigAlg": "RSAwithMD2",
        "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
        "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
        "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
        "issuerCa": "Let's Encrypt",
        "ownership": "own",
        "notBefore": "2024-12-20T16:02:26.687Z",
        "notAfter": "2024-12-20T16:02:26.687Z",
        "effectiveNotAfter": "2024-12-20T16:02:26.687Z",
        "lifetimeDays": 736,
        "lifetimeDaysLeft": 125,
        "revokedOn": "2024-12-20T16:02:26.687Z",
        "hosts": [
          "bonn-06.qlued.net",
          "www.bonn-06.qlued.net"
        ],
        "extras": {
          "status": "ok",
          "certsDueDays": 60,
          "certsOverdueDays": 13,
          "certsCriticalDays": 4,
          "certsLabels": "managed",
          "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
          "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
          "ku": [
            "keyEncipherment",
            "digitalSignature"
          ],
          "eku": [
            "serverAuth",
            "clientAuth"
          ],
          "mustStaple": true,
          "crl": [
            "http://crl3.digicert.com/sha2-ev-server-g2.crl",
            "http://crl4.digicert.com/sha2-ev-server-g2.crl"
          ],
          "ocsp": [
            "http://ocsp.digicert.com"
          ],
          "precert": false
        },
        "active": true,
        "caPathLen": -1,
        "nameDigestNewer": true
      }
    ],
    "extras": {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2024-12-20T16:02:26.687Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2024-12-20T16:02:26.687Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2024-12-20T16:02:26.687Z",
      "lastRegLookupTime": "2024-12-20T16:02:26.687Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2024-12-20T16:02:26.687Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2024-12-20T16:02:26.687Z",
      "lastAssessmentTime": "2024-12-20T16:02:26.687Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2024-12-20T16:02:26.687Z",
      "groups": [
        "mygroup"
      ],
      "tags": [
        "production"
      ],
      "domainRegistrant": "string",
      "domainRegistrarName": "string",
      "domainStatuses": [
        "string"
      ],
      "domainCreationTime": "2024-12-20T16:02:26.687Z",
      "domainExpireTime": "2024-12-20T16:02:26.687Z",
      "domainRegistryLock": false,
      "domainRegistrarLock": false,
      "domainLookupStatus": "string",
      "config": {},
      "classificationStatus": "active",
      "classificationTags": [
        "signin"
      ]
    }
  }
}

Properties

Name Type Description
hostServices* HostService none

ListHostDiscoveriesResponse

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2024-12-20T16:02:26.688Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2024-12-20T16:02:26.688Z"
    }
  ]
}

Properties

Name Type Description
hostDiscoveries* [HostDiscovery] [This object represents our discovery of a host which might be relevant to your organization.]

ListHostDiscoveryKeywordsResponse

{
  "hostDiscoveryKeywords": [
    {
      "keyword": "hard",
      "enabled": true,
      "matchScope": "all",
      "matchPosition": "anywhere",
      "matchExact": true,
      "matchFuzzy": true,
      "matchConfusables": true,
      "exclusions": [
        "chard"
      ],
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Properties

Name Type Description
hostDiscoveryKeywords* [HostDiscoveryKeyword] [A keyword used for host discovery.]

ListHostDiscoveryNameserversResponse

{
  "hostDiscoveryNameservers": [
    {
      "hostname": "ns1.hardenize.com",
      "punyHostname": "ns1.hardenize.com",
      "createdOn": "2020-06-10T15:36:49.044Z",
      "enabled": false,
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Properties

Name Type Description
hostDiscoveryNameservers* [HostDiscoveryNameserver] [A keyword used for host discovery.]

ListIdentitiesResponse

{
  "identities": [
    {
      "identityId": 11113,
      "type": "dns_soa_rname",
      "enabled": true,
      "identity": "postmaster@example.com",
      "createdOn": "2024-12-20T16:02:26.689Z",
      "lastSeen": "2024-12-20T16:02:26.689Z",
      "lastCheck": "2024-12-20T16:02:26.689Z",
      "error": "Not a unique identity.",
      "errorTime": "2024-12-20T16:02:26.689Z"
    }
  ]
}

Properties

Name Type Description
identities* [Identity] [This object represents an identity.]

ListIntegrationsResponse

{
  "integrations": [
    {
      "integrationId": 1,
      "name": "My Test Integration",
      "ref": "348394209898",
      "type": "aws",
      "enabled": true,
      "tags": [
        "production"
      ],
      "error": "Invalid credentials for logging in to integration",
      "errorTime": "2024-12-20T16:02:26.689Z",
      "nextRunTime": "2024-12-20T16:02:26.689Z",
      "lastRunTime": "2024-12-20T16:02:26.689Z",
      "lastRunErrors": [
        "Unable to obtain list of registered domain names."
      ],
      "config": {
        "accountId": "string"
      }
    }
  ]
}

Properties

Name Type Description
integrations* [Integration] [Represents a third-party integration. ]

ListIssuesResponse

{
  "issues": [
    {
      "issueId": 10001,
      "revision": 1,
      "definitionId": "DNS1001",
      "subject": "OPAQUE",
      "subjectDomain": "example.com",
      "title": "Dangling Resource Record",
      "category": "DNS",
      "severity": "high",
      "cause": "OPAQUE",
      "causeDomain": "nxdomain.example.com",
      "causeIp": "192.168.1.1",
      "open": true,
      "status": "active",
      "auto": true,
      "autoOpen": true,
      "autoPreservedStatus": "string",
      "createdOn": "2022-06-17T00:00:00Z",
      "lastClosed": "2022-06-17T00:00:00Z",
      "lastUpdated": "2022-06-17T00:00:00Z",
      "lastChecked": "2022-06-17T00:00:00Z",
      "lastConfirmed": "2022-06-17T00:00:00Z",
      "snoozedUntil": "2022-06-17T00:00:00Z",
      "details": {
        "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
        "rrDomain": "example.com",
        "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
        "rrType": "SRV",
        "danglingType": "nxdomain",
        "causeDomain": "nxdomain.example.com"
      },
      "groups": [
        "Product"
      ]
    }
  ]
}

Properties

Name Type Description
issues [Issue] none

ListOrgsResponse

{
  "orgs": [
    {
      "id": "hardenize",
      "name": "Hardenize",
      "status": "active",
      "commercialStatus": "internal",
      "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
      "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
      "hostDiscoveryAutoimportSubdomains": true,
      "hostDiscoveryEnabled": true,
      "hostDiscoveryError": "string",
      "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
      "hostDiscoveryExcludeSuffixes": [
        "sub.example.com"
      ],
      "hostLimitHard": 10000,
      "hostDiscoveryLimitHard": 10000,
      "certLimitHard": 75000,
      "featureHostDiscovery": false,
      "featureMfa": false,
      "featureSaml": false
    }
  ]
}

Properties

Name Type Description
orgs* [Organization] none

ZoneTransferResponse

"string"

Zone data in plain text format.

Properties

Name Type Description
anonymous string Zone data in plain text format.

ListMonitorLocationsResponse

{
  "locations": [
    "atlanta",
    "frankfurt",
    "london",
    "miami",
    "sanjose",
    "saopaulo",
    "singapore",
    "sydney",
    "tokyo"
  ]
}

Properties

Name Type Description
locations* [string] none

ListNetworkRangesResponse

{
  "networkRanges": [
    {
      "label": "DC01 Public",
      "description": "Public IP range for London data center",
      "range": "192.168.1.0/24",
      "scan": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Properties

Name Type Description
networkRanges* [NetworkRange] none

ListReports0Response

{
  "reports": [
    {
      "hostname": "example.com",
      "status": "completed",
      "reportTime": "2018-10-10T15:36:49.044Z",
      "hasDnssec": true,
      "hasSmtp": true,
      "hasSmtpTls": true,
      "hasSmtpDane": true,
      "hasSpf": true,
      "hasDmarc": true,
      "hasHttp": true,
      "hasHttps": true,
      "hasHttpsDane": true,
      "hasHttpsRedirection": true,
      "hasHttpsTls12OrBetter": true,
      "hasSsl2": true,
      "hasSsl3": true,
      "hasTls10": true,
      "hasTls11": true,
      "hasTls12": true,
      "hasTls13": true,
      "supportsSsl2": true,
      "supportsSsl3": true,
      "supportsTls10": true,
      "supportsTls11": true,
      "supportsTls12": true,
      "supportsTls13": true,
      "hasHsts": true,
      "hasHstsPreloaded": true,
      "nameServers": "string",
      "dnssec": "string",
      "emailTls": "string",
      "emailDane": "string",
      "spf": "string",
      "dmarc": "string",
      "wwwTls": "string",
      "wwwDane": "string",
      "wwwXssProtection": "string",
      "wwwXssProtectionEnabled": true,
      "wwwXcto": true,
      "hsts": "string",
      "hpkp": "string",
      "cookies": "string",
      "mixedContent": "string",
      "securityHeaders": "string",
      "csp": "string"
    }
  ]
}

Properties

Name Type Description
reports* [Report0] [Contains a summary of one Hardenize assessment. The available fields fall into one of two categories. In the first category are boolean fields that indicate if a particular feature is present, for example, hasTls and hasHsts. In the second category are the fields that describe the quality of the configuration. These fields will take self-descriptive values such as error, warning, and good. The complete explanation of the possible values is available in the Report0Quality component. It is possible that a field is not present, which happens when the neither true nor false make sense. For example, if a host doesn't support TLS, the hasHsts field will not be in the report. ]

GetReportCardResponse

{
  "reportCard": {
    "reportVersion": 1,
    "domainPunycode": "example.com",
    "domainUnicode": "example.com",
    "available": true,
    "hardenizeVersion": "v1.1603.1",
    "timestamp": "2024-12-20T16:02:26.691Z",
    "sections": [
      {
        "id": "SECTION_DOMAIN",
        "name": "Domain",
        "items": [
          {
            "id": "ITEM_DOMAIN_REGISTRATION",
            "name": "Domain Registration",
            "status": "good",
            "remarks": [
              {
                "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
                "title": "Nameserver is not operational",
                "content": "Good. The private key associated with this certificate is secure.",
                "severity": "good",
                "data": {
                  "Name": "dns1.registrar-servers.com.",
                  "Address": "2610:a1:1024::200",
                  "Reverse name": "dns1.registrar-servers.com."
                }
              }
            ]
          }
        ]
      }
    ]
  }
}

Properties

Name Type Description
reportCard* ReportCard Contains a summary of report card.

ListReportCardsResponse

{
  "reportCards": [
    {
      "reportVersion": 1,
      "domainPunycode": "example.com",
      "domainUnicode": "example.com",
      "available": true,
      "hardenizeVersion": "v1.1603.1",
      "timestamp": "2024-12-20T16:02:26.691Z",
      "sections": [
        {
          "id": "SECTION_DOMAIN",
          "name": "Domain",
          "items": [
            {
              "id": "ITEM_DOMAIN_REGISTRATION",
              "name": "Domain Registration",
              "status": "good",
              "remarks": [
                {
                  "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
                  "title": "Nameserver is not operational",
                  "content": "Good. The private key associated with this certificate is secure.",
                  "severity": "good",
                  "data": {
                    "Name": "dns1.registrar-servers.com.",
                    "Address": "2610:a1:1024::200",
                    "Reverse name": "dns1.registrar-servers.com."
                  }
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}

Properties

Name Type Description
reportCards* [ReportCard] [Contains a summary of report card. ]

ListGroupsResponse

{
  "groups": [
    {
      "id": "production",
      "name": "Production",
      "auto": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Properties

Name Type Description
groups* [Group] [The Group object represents one account group.]

MatchedCtEntry

{
  "log": "ct.googleapis.com/icarus",
  "index": 251676662,
  "timestamp": 1538747492396,
  "sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "tbsSha256": "3b5893340f0b241c599b27a8e74a13177d5ba6e87f30f6fc5ddc2c3f069e6546",
  "precert": false,
  "subject": "CN=www.example.com",
  "issuer": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "hosts": [
    "example.com"
  ],
  "chain": [
    "MIIGJTCCBQ2gAwIBAgISA9CTYlAcEi7o1Cyk3RM9D6/JMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA1MDIxMTA2NTdaFw0xODA3MzExMTA2NTdaMBwxGjAYBgNVBAMTEWJvbm4tMDYucWx1ZWQubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+muYgsZOUD2epeJwP6ToDmE6YeO9T+gsf9ACuLbrQqC5JZPy+AmREuo3dU3dkmBRoU9Brpmo/KMQavKueGVW3DpAIJKemGBC0yWNFgTho4+DAOvSM4odcB96HPFIh0vp13LH5og/wsNZwt+n56mrUTrcqnZYbUwugBghb0QCptwCnHnKOk2/YdRRraasgmiFWYeNjCqBUR5iKqmubgBoCqqkBYzWUhjWc7aySKYQFpSlZ2d3t0IilJp5sZq5pDiHa58G6fGZSh9TIAZvuvozW762cghBZgEF3wlvKy1joSAWLalPYQcsd0v2G9F7vJOu6Rf9HAbmdKqnu0i8TExjwIDAQABo4IDMTCCAy0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQlgfnFoFLAegwCUrKiuz+Nu61SCDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMDMGA1UdEQQsMCqCEWJvbm4tMDYucWx1ZWQubmV0ghV3d3cuYm9ubi0wNi5xbHVlZC5uZXQwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3ANt0r+7LKeyx/so+cW0s5bmquzb3hHGDx12dTze2H79kAAABYyC/mssAAAQDAEgwRgIhAMnyq3/kzpvp7LcXm3JqeCjh1dMB0fZTv9pIvpPCS4GPAiEA9f+JLP1KKuaXnwr3rin4Y8tBG8a10YGaKT3RnJOs7wIAdgApPFGWVMg5ZbqqUPxYB9S3b79Yeily3KTDDPTlRUf0eAAAAWMgv5reAAAEAwBHMEUCIA1jzhkoel+MFmVIdspCwyKVdzZZsBwx8WiJixPju9ELAiEA4Xw2ABUkt3IK67G+GrABu1Ik+R/7BVFjo3GvMIRBJ+AwDQYJKoZIhvcNAQELBQADggEBAHKPt1cq8LEy0wmtmBoThNL6AevJz2WM/KRKBYvEHiXcLN3Z9a1eQ6c8g4A84AARBDgXUfkc3W29AIW0A5wTLVazUE5H7bIoiQJXT2Z6KMXxFqwx5pRu8f1oXUx3xLhJoHkDEGrbD5uy7j9bI25pI9g5obAY88es8ZFJz25PEozA2R/NpXZEnHVbvyOHx4Pr6z3ctuH+WWpK96jWEMBP5pAx5qXBYI5g9bHGy2nYuuq0ZIuOPVK1k7SlctBrrBJx2q1ANUaEfIyPjd2qsjfoI5//6Jn+jHDM1XrdvZ+7S60SDqXktwHS98o5jRZnGWLu1S6nVcHWQzjPBhiSvAukuJw=",
    "MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0NlowSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIGCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9kc3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAwVAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcCARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwuY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsFAAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwuX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlGPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg=="
  ],
  "matchedHosts": [
    "example.com"
  ]
}

Contains information extracted from a CT log entry that had been matched against an account and imported.

Properties

Name Type Description
log* string CT log URL, with the scheme omitted.
index* integer(int64) Milliseconds since January 1, 1970, excluding leap seconds, per CT RFC.
timestamp* integer(int64) This certificate's index in the referenced CT log.
sha256* string SHA256 hash of the leaf certificate/precertificate.
tbsSha256* string Hex-encoded SHA256 hash of the TBSCertificate structure. This value will be the same in the precertificate/certificate combo.
precert* boolean Indicator of whether the leaf is a precertificate.
subject* string Certificate subject Distinguished Name in text format.
issuer* string Certificate issuer Distinguished Name in text format.
hosts* [string] Hostnames and IP addresses extracted from the leaf certificate.
chain* [string] Certificate chain stored in the matched CT log entry.
matchedHosts* [string] List of account hosts that were matched against the CT log entry.

MatchInfo

{
  "certdno": {
    "o": "Cloudflare, Inc."
  },
  "integration": {
    "name": "AWS Production",
    "type": "aws",
    "ref": "string"
  },
  "keyword": {
    "matches": [
      {
        "encoding": "ascii",
        "keyword": "string",
        "matchPosition": "anywhere",
        "matchScope": "all",
        "search": "bitSquatting"
      }
    ]
  },
  "mx": {
    "mx": "mail.example.com"
  },
  "nameserver": {
    "matches": [
      {
        "name": "ns1.hardenize.com",
        "firstSeen": "2021-09-21T15:32:02.322Z"
      }
    ]
  },
  "rname": {
    "email": "postmaster@example.com"
  },
  "whois": {
    "keywords": [
      "example.com"
    ]
  }
}

Information describing how the discovery came about.

Properties

Name Type Description
certdno MatchInfoCertDNO none
integration MatchInfoIntegration none
keyword MatchInfoKeyword none
mx MatchInfoMx none
nameserver MatchInfoNameserver none
rname MatchInfoRname none
whois MatchInfoWhois none

MatchInfoCertDNO

{
  "o": "Cloudflare, Inc."
}

Properties

Name Type Description
o string Certificate DN, O field to use when searching for matching certs

MatchInfoIntegration

{
  "name": "AWS Production",
  "type": "aws",
  "ref": "string"
}

Properties

Name Type Description
name string Integration name, copied from the configuration.
type string Integration type.
ref string Integration reference (e.g., account ID), copied from the configuration.

MatchInfoKeyword

{
  "matches": [
    {
      "encoding": "ascii",
      "keyword": "string",
      "matchPosition": "anywhere",
      "matchScope": "all",
      "search": "bitSquatting"
    }
  ]
}

Properties

Name Type Description
matches [MatchInfoKeywordMatch] none

MatchInfoKeywordMatch

{
  "encoding": "ascii",
  "keyword": "string",
  "matchPosition": "anywhere",
  "matchScope": "all",
  "search": "bitSquatting"
}

Properties

Name Type Description
encoding string Whether match was made against an ASCII version of the name or the Unicode version.
keyword string The keyword that matched.
matchPosition string Where in the name the keyword matched.
matchScope string Keyword scope.
search string Indication of which algorithm caused the match.

Enumerated Values

Property Value
encoding ascii
encoding unicode
matchPosition anywhere
matchPosition label
matchPosition labelStart
matchPosition labelEnd
matchPosition labelStartOrEnd
matchScope all
matchScope domains
search bitSquatting
search confusables
search hyphenation
search insertion
search omission
search repetition
search replacement
search substring
search transposition
search vowelSwap

MatchInfoMx

{
  "mx": "mail.example.com"
}

Properties

Name Type Description
mx string MX hostname to use when searching for matching MX records

MatchInfoNameserver

{
  "matches": [
    {
      "name": "ns1.hardenize.com",
      "firstSeen": "2021-09-21T15:32:02.322Z"
    }
  ]
}

Properties

Name Type Description
matches [MatchInfoNameserverMatch] none

MatchInfoNameserverMatch

{
  "name": "ns1.hardenize.com",
  "firstSeen": "2021-09-21T15:32:02.322Z"
}

Properties

Name Type Description
name string Nameserver name.
firstSeen string(date-time) Timestamp of the first observation of this name.

MatchInfoRname

{
  "email": "postmaster@example.com"
}

Properties

Name Type Description
email string Email to use when searching for matching DNS SOA records

MatchInfoWhois

{
  "keywords": [
    "example.com"
  ]
}

Properties

Name Type Description
keywords [string] List of keywords used when search the whois

OriginInfo

{
  "net": {
    "host": "aspmx.l.google.com",
    "address": "2a00:1450:400c:c00:0:0:0:1b",
    "port": 25,
    "protocol": "smtp"
  }
}

Further information about the origin. For example, if the origin is cert, then this field will identify the actual certificate.

Properties

Name Type Description
net OriginInfoNet none

OriginInfoNet

{
  "host": "aspmx.l.google.com",
  "address": "2a00:1450:400c:c00:0:0:0:1b",
  "port": 25,
  "protocol": "smtp"
}

Properties

Name Type Description
host string Network hostname, when available.
address* string Network IPv4 or IPv6 address.
port* integer Network port.
protocol* string Network protocol.

Organization

{
  "id": "hardenize",
  "name": "Hardenize",
  "status": "active",
  "commercialStatus": "internal",
  "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
  "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
  "hostDiscoveryAutoimportSubdomains": true,
  "hostDiscoveryEnabled": true,
  "hostDiscoveryError": "string",
  "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostLimitHard": 10000,
  "hostDiscoveryLimitHard": 10000,
  "certLimitHard": 75000,
  "featureHostDiscovery": false,
  "featureMfa": false,
  "featureSaml": false
}

Properties

Name Type Description
id* string Unique ID of an organization. The value stored in this field is always relative to that of the parent organization. For example, if the parent's ID is hardenize and you created a new nested organization called prod, you will observe this shorter identifier in the API responses. If you wish to access the nested organization via the API, you will need to specify its full identifier, which would be hardenize.prod.
name* string Human-readable organization name.
status* string By default, an organization will be active immediately after it is created. If the status is changed to dormant, all operations and features in the account will be disabled, however the users will still be able to access the organization and the data in the account. If the status is changed to suspended, the organization will effectively become deleted from an external perspective. The deleted status is made available to enable delayed deletion of accounts. An organization with this status is expected to be deleted in the near future; for example, there could be a weekly process that obtains a list of all organizations scheduled for deletion and actually deletes them.
commercialStatus* string The commercialStatus field is used to track how a suborganization is used, for accounting and billing purposes. When creating a suborganization, select the value that's the most appropriate. Update the value as the status changes (e.g., from trial to paying).
apiUsername string The username that can be used to access this organization's API.
apiPassword string The password that can be used to access this organization's API. Because we don't store plaintext in our database, this field is available only immediately after the organization is created.
hostDiscoveryAutoimportSubdomains* boolean Determines if newly discovered subdomains (of known organization hosts) will be automatically added to the inventory.
hostDiscoveryEnabled* boolean Indicates if host discovery is enabled.
hostDiscoveryError string When host discovery is disabled because of an error (e.g., too many hosts discovered), this field contains the error message.
hostDiscoveryErrorTime string(date-time) Indicates the time of error.
hostDiscoveryExcludeSuffixes [string] If provided, this field is a list of domain suffixes that should be ignored during discovery.
hostLimitHard* integer Determines if there is a limit on the number of monitored hosts in the account. Set to -1 when there is no limit.
hostDiscoveryLimitHard* integer Hard limit on the number of host discoveries in the organization. Default: -1 (unlimited).
certLimitHard* integer Hard limit on the number of certificates in the organization.
featureHostDiscovery* boolean If set, host discovery is enabled for this organization.
featureMfa* boolean If set, multi-factor authentication is enabled for this organization.
featureSaml* boolean If set, SAML is enabled for this organization.

Enumerated Values

Property Value
status active
status dormant
status suspended
status deleted
commercialStatus free
commercialStatus internal
commercialStatus paying
commercialStatus trial

NetworkRange

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "range": "192.168.1.0/24",
  "scan": true,
  "tags": [
    "production"
  ]
}

Properties

Name Type Description
label* string A short label to identify the network range.
description string A longer description of the purposes of the network range.
range* string The network range in CIDR format.
scan boolean Whether or not this network should be scanned.
tags [string] none

Report0

{
  "hostname": "example.com",
  "status": "completed",
  "reportTime": "2018-10-10T15:36:49.044Z",
  "hasDnssec": true,
  "hasSmtp": true,
  "hasSmtpTls": true,
  "hasSmtpDane": true,
  "hasSpf": true,
  "hasDmarc": true,
  "hasHttp": true,
  "hasHttps": true,
  "hasHttpsDane": true,
  "hasHttpsRedirection": true,
  "hasHttpsTls12OrBetter": true,
  "hasSsl2": true,
  "hasSsl3": true,
  "hasTls10": true,
  "hasTls11": true,
  "hasTls12": true,
  "hasTls13": true,
  "supportsSsl2": true,
  "supportsSsl3": true,
  "supportsTls10": true,
  "supportsTls11": true,
  "supportsTls12": true,
  "supportsTls13": true,
  "hasHsts": true,
  "hasHstsPreloaded": true,
  "nameServers": "string",
  "dnssec": "string",
  "emailTls": "string",
  "emailDane": "string",
  "spf": "string",
  "dmarc": "string",
  "wwwTls": "string",
  "wwwDane": "string",
  "wwwXssProtection": "string",
  "wwwXssProtectionEnabled": true,
  "wwwXcto": true,
  "hsts": "string",
  "hpkp": "string",
  "cookies": "string",
  "mixedContent": "string",
  "securityHeaders": "string",
  "csp": "string"
}

Contains a summary of one Hardenize assessment. The available fields fall into one of two categories. In the first category are boolean fields that indicate if a particular feature is present, for example, hasTls and hasHsts. In the second category are the fields that describe the quality of the configuration. These fields will take self-descriptive values such as error, warning, and good. The complete explanation of the possible values is available in the Report0Quality component.

It is possible that a field is not present, which happens when the neither true nor false make sense. For example, if a host doesn't support TLS, the hasHsts field will not be in the report.

Properties

Name Type Description
hostname* string none
status* string none
reportTime string(date-time) none
hasDnssec boolean none
hasSmtp boolean none
hasSmtpTls boolean none
hasSmtpDane boolean none
hasSpf boolean none
hasDmarc boolean none
hasHttp boolean none
hasHttps boolean none
hasHttpsDane boolean none
hasHttpsRedirection boolean none
hasHttpsTls12OrBetter boolean none
hasSsl2 boolean none
hasSsl3 boolean none
hasTls10 boolean none
hasTls11 boolean none
hasTls12 boolean none
hasTls13 boolean none
supportsSsl2 boolean none
supportsSsl3 boolean none
supportsTls10 boolean none
supportsTls11 boolean none
supportsTls12 boolean none
supportsTls13 boolean none
hasHsts boolean none
hasHstsPreloaded boolean none
nameServers string(v0quality) none
dnssec string(v0quality) none
emailTls string(v0quality) none
emailDane string(v0quality) none
spf string(v0quality) none
dmarc string(v0quality) none
wwwTls string(v0quality) none
wwwDane string(v0quality) none
wwwXssProtection string(v0quality) none
wwwXssProtectionEnabled boolean none
wwwXcto boolean none
hsts string(v0quality) none
hpkp string(v0quality) none
cookies string(v0quality) none
mixedContent string(v0quality) none
securityHeaders string(v0quality) none
csp string(v0quality) none

Enumerated Values

Property Value
status completed
status failed
status notAvailable

ReportCard

{
  "reportVersion": 1,
  "domainPunycode": "example.com",
  "domainUnicode": "example.com",
  "available": true,
  "hardenizeVersion": "v1.1603.1",
  "timestamp": "2024-12-20T16:02:26.693Z",
  "sections": [
    {
      "id": "SECTION_DOMAIN",
      "name": "Domain",
      "items": [
        {
          "id": "ITEM_DOMAIN_REGISTRATION",
          "name": "Domain Registration",
          "status": "good",
          "remarks": [
            {
              "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
              "title": "Nameserver is not operational",
              "content": "Good. The private key associated with this certificate is secure.",
              "severity": "good",
              "data": {
                "Name": "dns1.registrar-servers.com.",
                "Address": "2610:a1:1024::200",
                "Reverse name": "dns1.registrar-servers.com."
              }
            }
          ]
        }
      ]
    }
  ]
}

Contains a summary of report card.

Properties

Name Type Description
reportVersion integer none
domainPunycode string none
domainUnicode string none
available boolean none
hardenizeVersion string Hardenize application version that produced the report card data
timestamp string(date-time) none
sections [ReportCardSection] [Contains details about different section of the report card. ]

ReportCardSection

{
  "id": "SECTION_DOMAIN",
  "name": "Domain",
  "items": [
    {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    }
  ]
}

Contains details about different section of the report card.

Properties

Name Type Description
id string none
name string none
items [ReportCardItem] [Describes the item in each report card section. ]

ReportCardItem

{
  "id": "ITEM_DOMAIN_REGISTRATION",
  "name": "Domain Registration",
  "status": "good",
  "remarks": [
    {
      "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
      "title": "Nameserver is not operational",
      "content": "Good. The private key associated with this certificate is secure.",
      "severity": "good",
      "data": {
        "Name": "dns1.registrar-servers.com.",
        "Address": "2610:a1:1024::200",
        "Reverse name": "dns1.registrar-servers.com."
      }
    }
  ]
}

Describes the item in each report card section.

Properties

Name Type Description
id string none
name string none
status string none
remarks [ReportCardRemark] [Describes the remarks of a report card item. ]

Enumerated Values

Property Value
status none
status good
status warning
status error
status unknown

ReportCardRemark

{
  "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
  "title": "Nameserver is not operational",
  "content": "Good. The private key associated with this certificate is secure.",
  "severity": "good",
  "data": {
    "Name": "dns1.registrar-servers.com.",
    "Address": "2610:a1:1024::200",
    "Reverse name": "dns1.registrar-servers.com."
  }
}

Describes the remarks of a report card item.

Properties

Name Type Description
id string none
title string none
content string none
severity string none
data object Additional data associated with the report remark
» additionalProperties any none

Enumerated Values

Property Value
severity good
severity info
severity neutral
severity notice
severity powerup
severity warning
severity unknown
severity error

DmarcReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Properties

Name Type Description
group string If set, filters the response with the provided group label.
limit integer If set, returns only up to the specified number of results.
format string If set, returns results in the format specified. Default: JSON
tags [string] If set, returns results which contain at least one of the specified tags.

Enumerated Values

Property Value
format json
format csv
format xlsx

DmarcReportResponse

{
  "dmarc": [
    {
      "key": "example.com",
      "policy": "reject",
      "policyText": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
    }
  ]
}

Properties

Name Type Description
dmarc [DmarcReport] none

DmarcReport

{
  "key": "example.com",
  "policy": "reject",
  "policyText": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
}

Properties

Name Type Description
key* string The domain name.
policy string DMARC receiver policy
policyText* string The text of the DMARC policy.

Enumerated Values

Property Value
policy none
policy reject
policy quarantine

DomainsReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Properties

Name Type Description
group string If set, filters the response with the provided group label.
limit integer If set, returns only up to the specified number of domains.
format string If set, returns domains in the format specified. Default: JSON

Enumerated Values

Property Value
format json
format csv
format xlsx

DomainsReportResponse

{
  "domains": [
    {
      "name": "example.com",
      "punyName": "example.com",
      "dnsNx": false,
      "regNx": false,
      "lookupStatus": "OK",
      "registrant": "Privacy service provided by Withheld for Privacy ehf",
      "registrar": "NameCheap, Inc.",
      "statuses": [
        "clientTransferProhibited"
      ],
      "statusGood": true,
      "registrarLock": true,
      "registryLock": false,
      "registration": "2019-04-16T09:13:56Z",
      "expiration": "2024-04-16T09:13:56Z",
      "contactAbuse": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactAdmin": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactRegistrar": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactRegistrant": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactTechnical": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "groups": [
        "hardenize",
        "feistyduck"
      ],
      "tags": [
        "tag1",
        "tag2"
      ]
    }
  ]
}

Properties

Name Type Description
domains [DomainsReport] none

DomainsReport

{
  "name": "example.com",
  "punyName": "example.com",
  "dnsNx": false,
  "regNx": false,
  "lookupStatus": "OK",
  "registrant": "Privacy service provided by Withheld for Privacy ehf",
  "registrar": "NameCheap, Inc.",
  "statuses": [
    "clientTransferProhibited"
  ],
  "statusGood": true,
  "registrarLock": true,
  "registryLock": false,
  "registration": "2019-04-16T09:13:56Z",
  "expiration": "2024-04-16T09:13:56Z",
  "contactAbuse": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactAdmin": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactRegistrar": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactRegistrant": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactTechnical": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "groups": [
    "hardenize",
    "feistyduck"
  ],
  "tags": [
    "tag1",
    "tag2"
  ]
}

Properties

Name Type Description
name* string The domain name.
punyName* string The punycode representation of the domain name.
dnsNx* boolean Indicates whether the domain has DNSNX.
regNx* boolean Indicates whether the domain has RegNX.
lookupStatus string The lookup status of the domain.
registrant string The registrant of the domain.
registrar string The registrar of the domain.
statuses [string] The statuses associated with the domain.
statusGood boolean Status indicator (Good).
registrarLock boolean Registrar lock indicator.
registryLock boolean Registry lock indicator.
registration string(date-time) Domain registration date and time.
expiration string(date-time) Domain expiration date and time.
contactAbuse Contact none
contactAdmin Contact none
contactRegistrar Contact none
contactRegistrant Contact none
contactTechnical Contact none
groups [string] The groups associated with the domain.
tags [string] The tags associated with the domain.

Contact

{
  "type": "CONTACT_ABUSE",
  "firstName": "Redacted for Privacy",
  "organization": "Privacy service provided by Withheld for Privacy ehf",
  "street1": "Kalkofnsvegur 2",
  "city": "Reykjavik",
  "state": "Capital Region",
  "postcode": "101",
  "country": "IS",
  "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
  "phone": "+354.4212434"
}

Properties

Name Type Description
type string Type of contact.
firstName string First name of the contact.
organization string Organization of the contact.
street1 string Street address of the contact.
city string City of the contact.
state string State or region of the contact.
postcode string Postal code of the contact.
country string Country of the contact.
email string Email address of the contact.
phone string Phone number of the contact.

IssuesReportRequest

{
  "type": "active",
  "limit": 100,
  "format": "csv"
}

Properties

Name Type Description
type string if set, will filter the results with the specified type. Default: all
limit integer If set, returns only up to the specified number of issues.
format string If set, returns issues in the format specified. Default: JSON

Enumerated Values

Property Value
type all
type active
type orphaned
type completed
type ignored
type snoozed
type bogus
type abandoned
type deprecated
format json
format csv
format xlsx

IssuesReportResponse

{
  "issues": [
    {
      "issueId": 10001,
      "revision": 1,
      "definitionId": "DNS1001",
      "subject": "OPAQUE",
      "subjectDomain": "example.com",
      "title": "Dangling Resource Record",
      "category": "DNS",
      "severity": "high",
      "cause": "OPAQUE",
      "causeDomain": "nxdomain.example.com",
      "causeIp": "192.168.1.1",
      "open": true,
      "status": "active",
      "auto": true,
      "autoOpen": true,
      "autoPreservedStatus": "string",
      "createdOn": "2022-06-17T00:00:00Z",
      "lastClosed": "2022-06-17T00:00:00Z",
      "lastUpdated": "2022-06-17T00:00:00Z",
      "lastChecked": "2022-06-17T00:00:00Z",
      "lastConfirmed": "2022-06-17T00:00:00Z",
      "snoozedUntil": "2022-06-17T00:00:00Z",
      "details": {
        "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
        "rrDomain": "example.com",
        "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
        "rrType": "SRV",
        "danglingType": "nxdomain",
        "causeDomain": "nxdomain.example.com"
      },
      "groups": [
        "Product"
      ]
    }
  ]
}

Properties

Name Type Description
issues [Issue] none

IssuesReport

{
  "issueId": 0,
  "revision": 0,
  "definitionId": "string",
  "subject": "string",
  "subjectDomain": "string",
  "title": "string",
  "category": "string",
  "severity": "string",
  "cause": "string",
  "causeDomain": "string",
  "causeIp": {
    "holder": {
      "originalHostName": "string",
      "hostName": "string",
      "address": 0,
      "family": 0
    },
    "canonicalHostName": "string"
  },
  "open": true,
  "status": "string",
  "auto": true,
  "autoOpen": true,
  "autoPreservedStatus": "string",
  "createdOn": 0,
  "lastClosed": 0,
  "lastUpdated": 0,
  "lastChecked": 0,
  "lastConfirmed": 0,
  "snoozedUntil": 0,
  "details": {}
}

Properties

Name Type Description
issueId integer none
revision integer none
definitionId string none
subject string none
subjectDomain string none
title string none
category string none
severity string none
cause string none
causeDomain string none
causeIp object none
» holder object none
»» originalHostName string none
»» hostName string none
»» address integer none
»» family integer none
» canonicalHostName string none
open boolean none
status string none
auto boolean none
autoOpen boolean none
autoPreservedStatus string none
createdOn integer none
lastClosed integer none
lastUpdated integer none
lastChecked integer none
lastConfirmed integer none
snoozedUntil integer none
details object none

IpAddressReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Properties

Name Type Description
group string If set, filters the response with the provided group label.
limit integer If set, returns only up to the specified number of results.
format string If set, returns results in the format specified. Default: JSON

Enumerated Values

Property Value
format json
format csv
format xlsx

IpAddressReportResponse

{
  "ipAddresses": [
    {
      "ip": "123.101.73.30",
      "cloudIntegrationAccountId": "1234567890",
      "cloudResourceType": "Virtual Machine",
      "cloudResourceId": "vm-12345",
      "cloudIntegrationName": "Azure Integration",
      "cloudIntegrationRef": "azure://subscription/123456",
      "cloudResourceName": "MyVM",
      "cloudResourceZone": "Zone-1",
      "cloudProvider": "Azure",
      "asNumber": "8075",
      "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
      "locCountryCode": "NL",
      "cloudRegion": "East US"
    }
  ]
}

Properties

Name Type Description
ipAddresses [IpAddressReport] none

IpAddressReport

{
  "ip": "123.101.73.30",
  "cloudIntegrationAccountId": "1234567890",
  "cloudResourceType": "Virtual Machine",
  "cloudResourceId": "vm-12345",
  "cloudIntegrationName": "Azure Integration",
  "cloudIntegrationRef": "azure://subscription/123456",
  "cloudResourceName": "MyVM",
  "cloudResourceZone": "Zone-1",
  "cloudProvider": "Azure",
  "asNumber": "8075",
  "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
  "locCountryCode": "NL",
  "cloudRegion": "East US"
}

Properties

Name Type Description
ip* string The IP address.
cloudIntegrationAccountId string The ID of the cloud integration account.
cloudResourceType string The type of cloud resource.
cloudResourceId string The ID of the cloud resource.
cloudIntegrationName string The name of the cloud integration.
cloudIntegrationRef string The reference to the cloud integration.
cloudResourceName string The name of the cloud resource.
cloudResourceZone string The availability zone of the cloud resource.
cloudProvider string The cloud provider (e.g., Azure, AWS).
asNumber string The Autonomous System (AS) number.
asName string The name of the Autonomous System (AS).
locCountryCode string The country code of the location.
cloudRegion string The cloud region where the resource is located.

NetworkRangesReportRequest

{
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Properties

Name Type Description
limit integer If set, returns only up to the specified number of results.
format string If set, returns results in the format specified. Default: JSON
tags [string] If set, returns results with the specified tags.

Enumerated Values

Property Value
format json
format csv
format xlsx

NetworkRangesReportResponse

{
  "network-ranges": [
    {
      "range": "52.0.205.39/32",
      "label": "Lab DNS1",
      "description": "dns1-production-lab.hardenize.net"
    }
  ]
}

Properties

Name Type Description
network-ranges [NetworkRangesReport] none

NetworkRangesReport

{
  "range": "52.0.205.39/32",
  "label": "Lab DNS1",
  "description": "dns1-production-lab.hardenize.net"
}

Properties

Name Type Description
range* string The IP range in CIDR notation.
label* string A label or name for the IP range.
description string A description of the IP range.

OpenPortsReportRequest

{
  "address": "192.168.1.1",
  "port": 443,
  "transport": "tcp",
  "service": "other",
  "hostname": "example.com",
  "limit": 100,
  "format": "csv"
}

Properties

Name Type Description
address string If set, filters the response by the provided address. Address can be supplied as a network range in CIDR (192.168.10.1/24) form or as an individual IP address (192.168.10.1)
port integer If set, filters the response by the provided port.
transport string If set, filters the response by the provided transport.
service string If set, filters the response by the provided service.
hostname string If set, searching for "example.com" would find any open ports with a hostname being the same as "example.com" or a subdomain of it
limit integer If set, returns only up to the specified number of results.
format string If set, returns results in the format specified. Default: JSON

Enumerated Values

Property Value
transport tcp
transport udp
format json
format csv
format xlsx

OpenPortsReportResponse

{
  "open-ports": [
    {
      "address": "123.234.73.24",
      "port": 25,
      "transport": "tcp",
      "service": "smtp",
      "hostname": "example-com.mail.protection.outlook.com"
    }
  ]
}

Properties

Name Type Description
open-ports [OpenPortsReport] none

OpenPortsReport

{
  "address": "123.234.73.24",
  "port": 25,
  "transport": "tcp",
  "service": "smtp",
  "hostname": "example-com.mail.protection.outlook.com"
}

Properties

Name Type Description
address* string The IP address.
port* integer The port number.
transport* string The transport protocol (e.g., tcp, udp).
service* string The service name.
hostname string The hostname associated with the address.

SpfReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Properties

Name Type Description
group string If set, filters the response with the provided group label.
limit integer If set, returns only up to the specified number of results.
format string If set, returns results in the format specified. Default: JSON
tags [string] If set, returns results with the specified tags.

Enumerated Values

Property Value
format json
format csv
format xlsx

SpfReportResponse

{
  "spf": [
    {
      "key": "example.com",
      "policyText": "v=spf1 include:spf.protection.outlook.com -all",
      "lookups": 8
    }
  ]
}

Properties

Name Type Description
spf [SpfReport] none

SpfReport

{
  "key": "example.com",
  "policyText": "v=spf1 include:spf.protection.outlook.com -all",
  "lookups": 8
}

Properties

Name Type Description
key* string The domain name.
policyText* string The SPF policy text.
lookups integer The number of SPF lookups

CertificateReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "active": true,
  "revoked": true,
  "expiring": true,
  "expiringDays": 10
}

Properties

Name Type Description
group string If set, filters the response with the provided group label.
limit integer If set, returns only up to the specified number of certificates.
format string If set, returns certificates in the format specified. Default: JSON
active boolean If set, returns only active certificates.
revoked boolean If set, returns only revoked certificates.
expiring boolean If set, returns both expired certificates and the ones which expire in N days, where N is configurable at Settings -> Certificate Notifications -> When Certificates Become Overdue
expiringDays integer If set, overrides the default number of expiring days when 'expiring' is set to true.

Enumerated Values

Property Value
format json
format csv
format xlsx

CertificateReportResponse

{
  "certificates": [
    {
      "shortId": "572908a",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "validation": "dv",
      "notBefore": "2024-12-20T16:02:26.698Z",
      "notAfter": "2024-12-20T16:02:26.698Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.698Z",
      "revokedOn": "2024-12-20T16:02:26.698Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "sanCount": 1,
      "caPathLen": -1,
      "wildcard": true,
      "selfSigned": false,
      "firstSeen": "2024-12-20T16:02:26.698Z",
      "lastSeen": "2024-12-20T16:02:26.698Z",
      "seenInstalled": true,
      "active": true,
      "precert": false,
      "duplicate": false,
      "managed": true,
      "ownership": "own",
      "label": "ssl760680.cloudflaressl.com",
      "matchesOrgHost": true,
      "symantecStatus": "symantecExcluded",
      "ctRequired": true,
      "ctCompliant": true,
      "ctLogs": [
        {
          "name": "rocketeer",
          "log": "ct.googleapis.com/rocketeer",
          "timestamp": 1533791245857,
          "index": 232455,
          "type": "cert",
          "sources": [
            "log",
            "tls"
          ]
        }
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
      "origin": "ct",
      "originTitle": "CT",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "parentHashes": [
        "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
        "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
      ],
      "parentHashesSource": "ct",
      "parentHashesComplete": true,
      "analysis": {
        "id": "ITEM_DOMAIN_REGISTRATION",
        "name": "Domain Registration",
        "status": "good",
        "remarks": [
          {
            "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
            "title": "Nameserver is not operational",
            "content": "Good. The private key associated with this certificate is secure.",
            "severity": "good",
            "data": {
              "Name": "dns1.registrar-servers.com.",
              "Address": "2610:a1:1024::200",
              "Reverse name": "dns1.registrar-servers.com."
            }
          }
        ]
      },
      "matchedHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "matchedWildcardHosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "thirdPartyHosts": [
        "hardenize.com"
      ],
      "deployments": {
        "hosts": [
          {
            "hostname": "string",
            "service": "dns",
            "serviceHostname": "string",
            "lastSeen": "2024-12-20T16:02:26.698Z"
          }
        ],
        "services": [
          {
            "hostname": "string",
            "address": "string",
            "port": 0,
            "asNumber": 0,
            "asName": "string",
            "cloudProvider": "string",
            "cloudRegion": "string",
            "lastSeen": "2024-12-20T16:02:26.698Z",
            "certs": [
              "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
              "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
            ],
            "tlsSupportedProtocols": [
              "TLSv1.2",
              "TLSv1.3"
            ],
            "tlsConfigurationLevel": "secure"
          }
        ]
      },
      "lifetime": "PT17652H",
      "lifetimeDays": 736,
      "ku": [
        "keyEncipherment",
        "digitalSignature"
      ],
      "eku": [
        "serverAuth",
        "clientAuth"
      ],
      "mustStaple": true,
      "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
      "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
      "caIssuers": [
        "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
      ],
      "crl": [
        "http://crl3.digicert.com/sha2-ev-server-g2.crl",
        "http://crl4.digicert.com/sha2-ev-server-g2.crl"
      ],
      "ocsp": [
        "http://ocsp.digicert.com"
      ],
      "ctInfos": [
        {
          "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
          "timestamp": "2024-12-20T16:02:26.699Z",
          "name": "Google 'Xenon2024' log",
          "status": "Qualified"
        }
      ]
    }
  ]
}

Properties

Name Type Description
certificates [Certificate] [Contains information about one certificate. ]

PdfFile

"string"

PDF file content

Properties

Name Type Description
anonymous string(binary) PDF file content

CertificateExpiringEndpointsReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "integration": "Entrust Dev",
  "format": "csv"
}

Properties

Name Type Description
group string If set, filters the response with the provided group label.
limit integer If set, returns only up to the specified number of expired certificates.
integration string If set, filters the response with expired certificates which belong to an integration.
format string If set, returns expired certificates in the format specified. Default: JSON

Enumerated Values

Property Value
format json
format csv
format xlsx

CertificateExpiringEndpointsReportResponse

{
  "expiringEndpoints": [
    {
      "host": "example.com",
      "serviceHostname": "service.example.com",
      "serviceDomain": "example.com",
      "serviceLocation": "US-West",
      "port": 443,
      "certificateExpires": "2024-12-20T16:02:26.699Z",
      "serviceLastSeen": "2024-12-20T16:02:26.699Z",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "certificateDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "certificateSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "certificateSan": "*.hardenize.com",
      "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
      "asNumber": "12345"
    }
  ]
}

Properties

Name Type Description
expiringEndpoints [CertificateExpiringEndpointsReport] none

CertificateExpiringEndpointsReport

{
  "host": "example.com",
  "serviceHostname": "service.example.com",
  "serviceDomain": "example.com",
  "serviceLocation": "US-West",
  "port": 443,
  "certificateExpires": "2024-12-20T16:02:26.700Z",
  "serviceLastSeen": "2024-12-20T16:02:26.700Z",
  "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "certificateDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "certificateSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "issuerCa": "Let's Encrypt",
  "certificateSan": "*.hardenize.com",
  "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
  "asNumber": "12345"
}

Properties

Name Type Description
host string The hostname of the endpoint.
serviceHostname string The hostname of the service associated with the endpoint.
serviceDomain string The domain of the service associated with the endpoint.
serviceLocation string The location or region where the service is located.
port integer The port number of the endpoint.
certificateExpires string(date-time) ISO 8601 timestamp indicating when the certificate for the endpoint expires.
serviceLastSeen string(date-time) ISO 8601 timestamp indicating when the service was last seen.
sha256* string Hex-encoded SHA256 hash of the endpoint's certificate in DER format.
certificateDn string Distinguished name of the endpoint's certificate.
certificateSerial string Hex-encoded serial number of the endpoint's certificate.
issuer* string Distinguished name of the certificate issuer.
issuerCa string The name of the issuing CA for the endpoint's certificate, according to CCADB.
certificateSan string All hosts specified in the endpoint's certificate's SAN extension, as Unicode.
asName string The name of the Autonomous System (AS).
asNumber string The number of the Autonomous System (AS).

HostsReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Properties

Name Type Description
group string If set, filters the response with the provided group label.
limit integer If set, returns only up to the specified number of domains.
format string If set, returns hosts in the format specified. Default: JSON

Enumerated Values

Property Value
format json
format csv
format xlsx

HostsReportResponse

{
  "hosts": [
    {
      "assetId": 11117,
      "hostname": "example.com",
      "creationTime": "2023-09-14T12:59:25Z",
      "summary": "{\"csp\": \"good\", \"spf\": \"neutral\", \"hpkp\": \"good\", \"hsts\": \"neutral\", \"tags\": [\"tag1\", \"tag2\"], \"dmarc\": \"error\", \"dnssec\": \"neutral\", \"hasSpf\": true, \"status\": \"completed\", \"wwwTls\": \"warning\", \"cookies\": \"good\", \"hasHsts\": true, \"hasHttp\": true, \"hasSmtp\": false, \"hasSsl2\": false, \"hasSsl3\": false, \"wwwDane\": \"neutral\", \"emailTls\": \"good\", \"hasDmarc\": true, \"hasHttps\": true, \"hasTls10\": false, \"hasTls11\": true, \"hasTls12\": true, \"hasTls13\": true, \"hostname\": \"example.com\", \"emailDane\": \"neutral\", \"hasDnssec\": false, \"hasSmtpTls\": true, \"reportTime\": \"2024-05-27T09:47:23.134\", \"hasSmtpDane\": false, \"nameServers\": \"error\", \"hasHttpsDane\": false, \"mixedContent\": \"good\", \"supportsSsl2\": false, \"supportsSsl3\": false, \"supportsTls10\": false, \"supportsTls11\": true, \"supportsTls12\": true, \"supportsTls13\": true, \"securityHeaders\": \"neutral\", \"unicodeHostname\": \"example.com\", \"hasHstsPreloaded\": false, \"siteCreationTime\": \"2024-05-27T09:46:58\", \"wwwXssProtection\": \"neutral\", \"hasHttpsRedirection\": true, \"hasHttpsTls12OrBetter\": true, \"wwwXssProtectionEnabled\": false, \"wwwXcto\": false}",
      "reportCard": "{\"sections\": [{\"id\": \"SECTION_DOMAIN\", \"name\": \"Domain\", \"items\": [{\"id\": \"ITEM_DOMAIN_REGISTRATION\", \"name\": \"Domain Registration\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNS_ZONE\", \"name\": \"DNS Zone\", \"status\": \"error\", \"remarks\": [{\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns1.example.com.\", \"Address\": \"2610:a1:1024::200\", \"Reverse name\": \"dns1.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}, {\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns2.example.com.\", \"Address\": \"2610:a1:1025::200\", \"Reverse name\": \"dns2.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_DNS_RR\", \"name\": \"DNS Resource Records\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNSSEC\", \"name\": \"DNSSEC\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_DOMAIN_CAA\", \"name\": \"CAA\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_EMAIL\", \"name\": \"Email\", \"items\": [{\"id\": \"ITEM_EMAIL_TLS\", \"name\": \"TLS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DANE\", \"name\": \"DANE\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_SPF\", \"name\": \"SPF\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DMARC\", \"name\": \"DMARC\", \"status\": \"error\", \"remarks\": [{\"id\": \"EMAIL_DMARC_EXTERNAL_DESTINATION_NOAUTH\", \"data\": {\"External destination\": \"mailto:dmarcreports.example@gmail.com\", \"Expected permission record location\": \"example.com._report._dmarc.gmail.com\"}, \"title\": \"Invalid external destination\", \"severity\": \"error\"}, {\"id\": \"EMAIL_DMARC_INVALID\", \"data\": {}, \"title\": \"DMARC policy is invalid\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_EMAIL_MTA_STS\", \"name\": \"MTA-STS\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_TLS_RPT\", \"name\": \"TLS-RPT\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_WEB\", \"name\": \"Web\", \"items\": [{\"id\": \"ITEM_WEB_HTTP\", \"name\": \"HTTP\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HTTPS\", \"name\": \"HTTPS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_TLS\", \"name\": \"TLS\", \"status\": \"warning\", \"remarks\": [{\"id\": \"TLS_SUITES_PFS_AND_AEAD_TOP_RECOMMEND\", \"title\": \"Reconfigure server to use forward secrecy and authenticated encryption\", \"severity\": \"warning\"}, {\"id\": \"WWW_TLS_CONN_FAILED\", \"data\": {\"Error message\": \"Network is unreachable (connect failed)\"}, \"title\": \"TLS connection failed\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_WEB_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_COOKIES\", \"name\": \"Cookies\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_MIXED_CONTENT\", \"name\": \"Mixed Content\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HSTS\", \"name\": \"Strict Transport Security\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_CSP\", \"name\": \"Content Security Policy\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_SRI\", \"name\": \"Subresource Integrity\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XFO\", \"name\": \"Framing Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XSS_PROTECTION\", \"name\": \"XSS Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_CONTENT_TYPE_OPTIONS\", \"name\": \"Content Type Options\", \"status\": \"none\", \"remarks\": []}]}], \"available\": true, \"timestamp\": \"2023-09-14T13:00:13.407Z\", \"domainUnicode\": \"example.com\", \"reportVersion\": 1, \"domainPunycode\": \"example.com\", \"hardenizeVersion\": \"v1.1545.1\"}",
      "groups": [
        "feistyduck",
        "hardenize"
      ],
      "tags": [
        "test"
      ],
      "errorMessage": "Hostname not found",
      "errorTime": "2023-09-15T08:47:45Z",
      "nxTime": "2023-09-15T08:47:00Z"
    }
  ]
}

Properties

Name Type Description
hosts [HostReport] none

HostReport

{
  "assetId": 11117,
  "hostname": "example.com",
  "creationTime": "2023-09-14T12:59:25Z",
  "summary": "{\"csp\": \"good\", \"spf\": \"neutral\", \"hpkp\": \"good\", \"hsts\": \"neutral\", \"tags\": [\"tag1\", \"tag2\"], \"dmarc\": \"error\", \"dnssec\": \"neutral\", \"hasSpf\": true, \"status\": \"completed\", \"wwwTls\": \"warning\", \"cookies\": \"good\", \"hasHsts\": true, \"hasHttp\": true, \"hasSmtp\": false, \"hasSsl2\": false, \"hasSsl3\": false, \"wwwDane\": \"neutral\", \"emailTls\": \"good\", \"hasDmarc\": true, \"hasHttps\": true, \"hasTls10\": false, \"hasTls11\": true, \"hasTls12\": true, \"hasTls13\": true, \"hostname\": \"example.com\", \"emailDane\": \"neutral\", \"hasDnssec\": false, \"hasSmtpTls\": true, \"reportTime\": \"2024-05-27T09:47:23.134\", \"hasSmtpDane\": false, \"nameServers\": \"error\", \"hasHttpsDane\": false, \"mixedContent\": \"good\", \"supportsSsl2\": false, \"supportsSsl3\": false, \"supportsTls10\": false, \"supportsTls11\": true, \"supportsTls12\": true, \"supportsTls13\": true, \"securityHeaders\": \"neutral\", \"unicodeHostname\": \"example.com\", \"hasHstsPreloaded\": false, \"siteCreationTime\": \"2024-05-27T09:46:58\", \"wwwXssProtection\": \"neutral\", \"hasHttpsRedirection\": true, \"hasHttpsTls12OrBetter\": true, \"wwwXssProtectionEnabled\": false, \"wwwXcto\": false}",
  "reportCard": "{\"sections\": [{\"id\": \"SECTION_DOMAIN\", \"name\": \"Domain\", \"items\": [{\"id\": \"ITEM_DOMAIN_REGISTRATION\", \"name\": \"Domain Registration\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNS_ZONE\", \"name\": \"DNS Zone\", \"status\": \"error\", \"remarks\": [{\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns1.example.com.\", \"Address\": \"2610:a1:1024::200\", \"Reverse name\": \"dns1.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}, {\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns2.example.com.\", \"Address\": \"2610:a1:1025::200\", \"Reverse name\": \"dns2.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_DNS_RR\", \"name\": \"DNS Resource Records\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNSSEC\", \"name\": \"DNSSEC\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_DOMAIN_CAA\", \"name\": \"CAA\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_EMAIL\", \"name\": \"Email\", \"items\": [{\"id\": \"ITEM_EMAIL_TLS\", \"name\": \"TLS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DANE\", \"name\": \"DANE\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_SPF\", \"name\": \"SPF\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DMARC\", \"name\": \"DMARC\", \"status\": \"error\", \"remarks\": [{\"id\": \"EMAIL_DMARC_EXTERNAL_DESTINATION_NOAUTH\", \"data\": {\"External destination\": \"mailto:dmarcreports.example@gmail.com\", \"Expected permission record location\": \"example.com._report._dmarc.gmail.com\"}, \"title\": \"Invalid external destination\", \"severity\": \"error\"}, {\"id\": \"EMAIL_DMARC_INVALID\", \"data\": {}, \"title\": \"DMARC policy is invalid\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_EMAIL_MTA_STS\", \"name\": \"MTA-STS\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_TLS_RPT\", \"name\": \"TLS-RPT\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_WEB\", \"name\": \"Web\", \"items\": [{\"id\": \"ITEM_WEB_HTTP\", \"name\": \"HTTP\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HTTPS\", \"name\": \"HTTPS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_TLS\", \"name\": \"TLS\", \"status\": \"warning\", \"remarks\": [{\"id\": \"TLS_SUITES_PFS_AND_AEAD_TOP_RECOMMEND\", \"title\": \"Reconfigure server to use forward secrecy and authenticated encryption\", \"severity\": \"warning\"}, {\"id\": \"WWW_TLS_CONN_FAILED\", \"data\": {\"Error message\": \"Network is unreachable (connect failed)\"}, \"title\": \"TLS connection failed\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_WEB_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_COOKIES\", \"name\": \"Cookies\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_MIXED_CONTENT\", \"name\": \"Mixed Content\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HSTS\", \"name\": \"Strict Transport Security\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_CSP\", \"name\": \"Content Security Policy\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_SRI\", \"name\": \"Subresource Integrity\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XFO\", \"name\": \"Framing Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XSS_PROTECTION\", \"name\": \"XSS Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_CONTENT_TYPE_OPTIONS\", \"name\": \"Content Type Options\", \"status\": \"none\", \"remarks\": []}]}], \"available\": true, \"timestamp\": \"2023-09-14T13:00:13.407Z\", \"domainUnicode\": \"example.com\", \"reportVersion\": 1, \"domainPunycode\": \"example.com\", \"hardenizeVersion\": \"v1.1545.1\"}",
  "groups": [
    "feistyduck",
    "hardenize"
  ],
  "tags": [
    "test"
  ],
  "errorMessage": "Hostname not found",
  "errorTime": "2023-09-15T08:47:45Z",
  "nxTime": "2023-09-15T08:47:00Z"
}

Properties

Name Type Description
assetId* integer The unique identifier for the asset.
hostname* string The hostname associated with the asset.
creationTime* string(date-time) The timestamp indicating when the asset was created.
summary string A summary of the host information in JSON format.
reportCard string A report card containing sections and items related to the asset.
groups [string] Groups which the asset belongs to, if any.
tags [string] Tags associated with the asset, if any.
errorMessage string An error message associated with the asset (if applicable).
errorTime string(date-time) The timestamp indicating when the error occurred (if applicable).
nxTime string(date-time) The timestamp indicating when the asset became non-existent (if applicable).

Report0Quality

{
  "quality": "good"
}

This field describes the quality of configuration of particular element. The four most commonly seen values here are good, warning, error, and neutral. Out of these, the best is cleary good, but neutral is all right, depending on your policies (e.g., you might not want to deploy a particular security technology). Hardenize uses warnings and errors only when something is broken, misconfigured, or has a negative security implication. Neither of these qualities is used if you don't have a particular security feature. We use unknown if we don't have enough information to make a judgement. Finally, warningAbsent and errorAbsent are special statuses that we use to indicate when warnings and errors are indicated due to absence of feature. This might happen, for example, if a site supports plaintext HTTP but not encrypted HTTPS.

Properties

Name Type Description
quality string none

Enumerated Values

Property Value
quality good
quality error
quality errorAbsent
quality neutral
quality unknown
quality warning
quality warningAbsent

TestEventHookResponse

{
  "successful": false,
  "errorMessage": "Expected 202 or 204 status code",
  "durationMillis": 5814,
  "pubsub": {
    "destination": "pubsub://events/1/1005",
    "message": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}",
    "attributes": {
      "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
      "X-Hardenize-Org": "demo",
      "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
    },
    "messageId": "260486610038606"
  },
  "webook": {
    "request": {
      "method": "POST",
      "url": "https://hardenize.com/webhooks/receive",
      "headers": {
        "Content-Type": "application/json; charset=UTF-8",
        "User-Agent": "Hardenize (https://www.hardenize.com)",
        "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
        "X-Hardenize-Org": "demo",
        "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
      },
      "body": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}"
    },
    "response": {
      "statusCode": 302,
      "headers": {
        "Location": "https://hardenize.com/redirection",
        "Cache-Control": "no-cache",
        "Connection": "keep-alive",
        "Content-Type": "text/plain; charset=UTF-8",
        "Date": "Wed, 10 Oct 2018 15:36:54 GMT",
        "Server": "nginx/1.10.3",
        "Transfer-Encoding": "chunked",
        "Vary": "Accept-Encoding"
      },
      "body": "OK"
    }
  }
}

Embeds a transcript of an event hook test, providing request and response information, as well as an indication of whether the hook is operating correctly.

Properties

Name Type Description
successful boolean Indication of whether the event hook test was successful. If the HTTP request itself is successful, the status code must be in the 2xx range. If the test is not successful, the errorMessage field will contain an explanation.
errorMessage string Error message, in case of test failure only.
durationMillis integer(int64) Duration of the HTTP request submitted to the hook, in milliseconds.
pubsub object Webhook-specific diagnostic information.
» destination string PubSub destination.
» message string Message body.
» attributes object Message attributes.
» messageId string PubSub message ID.
webook object Webhook-specific diagnostic information.
» request object Information about the submitted HTTP request, including some selected request headers.
»» method string Request method; always POST.
»» url string Webhook URL used for the test.
»» headers object Selected HTTP request headers.
»» body string Raw request body, as a string.
» response object Information about the HTTP response received from the remote server.
»» statusCode integer HTTP response status code obtained from the remote server.
»» headers object Complete HTTP response headers received from the remote server.
»» body string Raw response body, as a string.

UpdateCertRequest

{
  "muted": true
}

Updates one certificate. All fields are optional, but at least one field must be provided.

Properties

Name Type Description
muted boolean If set to true, certificate notifications will be disabled for this certificate, even if it's observed on the network near its expiration.

UpdateCertResponse

{
  "cert": {
    "shortId": "572908a",
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2024-12-20T16:02:26.701Z",
    "notAfter": "2024-12-20T16:02:26.701Z",
    "effectiveNotAfter": "2024-12-20T16:02:26.701Z",
    "revokedOn": "2024-12-20T16:02:26.701Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "RSAwithMD2",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2024-12-20T16:02:26.701Z",
    "lastSeen": "2024-12-20T16:02:26.701Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "label": "ssl760680.cloudflaressl.com",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originTitle": "CT",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true,
    "analysis": {
      "id": "ITEM_DOMAIN_REGISTRATION",
      "name": "Domain Registration",
      "status": "good",
      "remarks": [
        {
          "id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
          "title": "Nameserver is not operational",
          "content": "Good. The private key associated with this certificate is secure.",
          "severity": "good",
          "data": {
            "Name": "dns1.registrar-servers.com.",
            "Address": "2610:a1:1024::200",
            "Reverse name": "dns1.registrar-servers.com."
          }
        }
      ]
    },
    "matchedHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "thirdPartyHosts": [
      "hardenize.com"
    ],
    "deployments": {
      "hosts": [
        {
          "hostname": "string",
          "service": "dns",
          "serviceHostname": "string",
          "lastSeen": "2024-12-20T16:02:26.701Z"
        }
      ],
      "services": [
        {
          "hostname": "string",
          "address": "string",
          "port": 0,
          "asNumber": 0,
          "asName": "string",
          "cloudProvider": "string",
          "cloudRegion": "string",
          "lastSeen": "2024-12-20T16:02:26.701Z",
          "certs": [
            "93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
            "c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
          ],
          "tlsSupportedProtocols": [
            "TLSv1.2",
            "TLSv1.3"
          ],
          "tlsConfigurationLevel": "secure"
        }
      ]
    },
    "lifetime": "PT17652H",
    "lifetimeDays": 736,
    "ku": [
      "keyEncipherment",
      "digitalSignature"
    ],
    "eku": [
      "serverAuth",
      "clientAuth"
    ],
    "mustStaple": true,
    "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
    "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
    "caIssuers": [
      "http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
    ],
    "crl": [
      "http://crl3.digicert.com/sha2-ev-server-g2.crl",
      "http://crl4.digicert.com/sha2-ev-server-g2.crl"
    ],
    "ocsp": [
      "http://ocsp.digicert.com"
    ],
    "ctInfos": [
      {
        "id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
        "timestamp": "2024-12-20T16:02:26.701Z",
        "name": "Google 'Xenon2024' log",
        "status": "Qualified"
      }
    ]
  }
}

Properties

Name Type Description
cert* Certificate Contains information about one certificate.

UpdateCertDiscoveryRequest

{
  "status": "closed",
  "resolution": "reconciled"
}

Contains parameters of a Cert Discovery which can be updated.

Properties

Name Type Description
status string If set, updates the certificate discovery status. Reopening a discovery will automatically clear the resolution.
resolution string If set, updates the certificate discovery resolution

Enumerated Values

Property Value
status open
status closed
resolution undetermined
resolution reconciled
resolution policyViolation
resolution fraudulent

UpdateCertDiscoveryResponse

{
  "certDiscovery": {
    "certDiscoveryId": 11766,
    "certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "createdOn": "2022-06-17T00:00:00Z",
    "updatedOn": "2022-06-17T00:00:00Z",
    "closedOn": "2022-06-17T00:00:00Z",
    "escalated": false,
    "status": "open",
    "resolution": "undetermined",
    "certSummary": {
      "shortId": "572908a",
      "label": "ssl760680.cloudflaressl.com",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "RSAwithMD2",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "ownership": "own",
      "notBefore": "2024-12-20T16:02:26.702Z",
      "notAfter": "2024-12-20T16:02:26.702Z",
      "effectiveNotAfter": "2024-12-20T16:02:26.702Z",
      "lifetimeDays": 736,
      "lifetimeDaysLeft": 125,
      "revokedOn": "2024-12-20T16:02:26.702Z",
      "hosts": [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ],
      "extras": {
        "status": "ok",
        "certsDueDays": 60,
        "certsOverdueDays": 13,
        "certsCriticalDays": 4,
        "certsLabels": "managed",
        "ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
        "aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
        "ku": [
          "keyEncipherment",
          "digitalSignature"
        ],
        "eku": [
          "serverAuth",
          "clientAuth"
        ],
        "mustStaple": true,
        "crl": [
          "http://crl3.digicert.com/sha2-ev-server-g2.crl",
          "http://crl4.digicert.com/sha2-ev-server-g2.crl"
        ],
        "ocsp": [
          "http://ocsp.digicert.com"
        ],
        "precert": false
      },
      "active": true,
      "caPathLen": -1,
      "nameDigestNewer": true
    },
    "certKnown": false,
    "certInstalled": true,
    "certExpired": false,
    "certRevoked": false,
    "issuerAllowed": true,
    "issuerAllowedKeyword": "GlobalSign",
    "issuerNotAllowed": false,
    "issuerForbidden": false,
    "issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
    "caaMismatch": false,
    "caaMatchFull": false,
    "notCtCompliant": false,
    "maxLifetimeExceeded": false,
    "timeoutCaseInactive": false,
    "timeoutCertNotInstalled": false,
    "matchedHosts": [
      [
        "bonn-06.qlued.net",
        "www.bonn-06.qlued.net"
      ]
    ],
    "matchedHostsInfo": {
      "property1": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      },
      "property2": {
        "wildcard": false,
        "caa": {
          "records": [
            "string"
          ],
          "source": "string",
          "time": "2022-06-17T00:00:00Z",
          "allowed": true,
          "error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
        }
      }
    },
    "matchedHostsCaaHistory": {
      "property1": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-12-20T16:02:26.702Z",
          "lastSeen": "2024-12-20T16:02:26.702Z",
          "records": [
            "string"
          ]
        }
      ],
      "property2": [
        {
          "policyHostname": "string",
          "status": "present",
          "statusMessage": "string",
          "firstSeen": "2024-12-20T16:02:26.702Z",
          "lastSeen": "2024-12-20T16:02:26.702Z",
          "records": [
            "string"
          ]
        }
      ]
    },
    "matchedWildcardHosts": [
      "bonn-06.qlued.net",
      "www.bonn-06.qlued.net"
    ],
    "ctLogs": [
      {
        "name": "rocketeer",
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ]
  }
}

Properties

Name Type Description
certDiscovery* CertDiscovery Contains complete information about a certificate discovered in one of the monitored CT logs.

UpdateNetworkRangeRequest

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "scan": true,
  "tags": [
    "production"
  ]
}

Update the network range information. You must supply one or more of these values. The range itself can't be changed with this operation. Instead, delete the range and create it again.

Properties

Name Type Description
label string A short label to identify the network range
description string A longer description of the purposes of the network range
scan boolean Whether or not this network should be scanned
tags [string] none

UpdateIssueRequest

{
  "status": "snoozed",
  "snoozedUntil": "2022-06-17T00:00:00.000Z"
}

Updates an issue

Properties

Name Type Description
status string Set a new status.
snoozedUntil string(date-time) Set status back to active automatically after this time.

Enumerated Values

Property Value
status active
status bogus
status ignored
status snoozed

UpdateUserRequest

{
  "name": "Bob",
  "deleteMfa": true,
  "resetPassword": true,
  "expirationTime": "2024-12-20T16:02:26.703Z",
  "status": "retired",
  "role": "observer"
}

Updates attributes for a user. All fields are optional, but at least one field must be provided.

Properties

Name Type Description
name string Change the users name or service account's description
deleteMfa boolean Will delete MFA for a user if it is enabled. Allowing them to log in using only their email address and password. Not for service accounts.
resetPassword boolean Changes the password to a new random one. For service accounts only
expirationTime string(date-time) Update expiration time. For service accounts only
status string Update user status
role string Update user role

Enumerated Values

Property Value
status active
status retired
role owner
role admin
role member
role observer

UpdateEventHookRequest

{
  "eventTypes": [
    "ct.entry"
  ],
  "destination": "https://hardenize.com/webhooks/receive",
  "status": "disabled"
}

Provides new field values to update an existing event hook. No fields are required, but you need to provide at least of the supported fields.

Properties

Name Type Description
eventTypes [string] An updated list of event types to send to this event hook.
destination string Event hook destination; for webhooks, this must be a HTTPS URL.
status string New event hook status.

Enumerated Values

Property Value
status enabled
status disabled
status failed

UpdateEventHookResponse

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Returned after a successful event hook update operation.

Properties

Name Type Description
eventHook* EventHook Event hook objects contain information pertaining to a destination to which events are delivered (pushed).

UpdateEventTypeRequest

{
  "enabled": true
}

Properties

Name Type Description
enabled* boolean New setting for whether event type is enabled.

UpdateEventTypeResponse

{
  "eventType": {
    "name": "ct",
    "available": true,
    "enabled": true
  }
}

Properties

Name Type Description
eventType* EventType Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them.

UpdateHostDiscoveryResponse

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2024-12-20T16:02:26.703Z",
    "origin": "hdb",
    "originTitle": "HDB",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2024-12-20T16:02:26.704Z"
  }
}

Properties

Name Type Description
hostDiscovery* HostDiscovery This object represents our discovery of a host which might be relevant to your organization.

UpdateHostsChanges

{
  "status": "monitored",
  "axfr": "enabled",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "algorithm": "HMAC_MD5",
    "key": "base64key=",
    "name": "thename"
  },
  "groupOp": "add",
  "groups": [
    "staging",
    "development"
  ]
}

Properties

Name Type Description
status string Desired host status.
axfr string If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to auto which is a setting that is reserved for a future expansion and currently has the same meaning as disabled. To enable zone transfers, change the value of this field to enabled.
axfrHost string Instead of doing AXFRs from the primary nameserver as per the zones SOA record, use this hostname or IP address instead. Set to a blank string to remove.
axfrTsig UpdateHostsChangesAxfrTsig none
groupOp string This parameter selects one of three operations. The add operation will add the specified groups to the hosts. The remove operation will remove the specified groups from the hosts. The set operation will first remove all existing tags from the hosts, then apply the specified groups. This field is mandatory when at least one group is specified.
groups [string] List of tags that should be used in the requested tag operation.

Enumerated Values

Property Value
status monitored
status idle
status archived
axfr auto
axfr enabled
axfr disabled
groupOp add
groupOp remove
groupOp set

UpdateHostDiscoveryRequest

{
  "resolution": "own",
  "groups": [
    "staging",
    "development"
  ]
}

Properties

Name Type Description
resolution* string If set, updates the discoveries resolution.
groups [string] When setting resolution to 'own' hosts are imported. If you also wish them to be added to one or more groups, specify group labels here. Ignored if resolution is not 'own'

Enumerated Values

Property Value
resolution pending
resolution own
resolution supplier
resolution unrelated
resolution infringing
resolution phishing

UpdateHostsChangesAxfrTsig

{
  "algorithm": "HMAC_MD5",
  "key": "base64key=",
  "name": "thename"
}

Properties

Name Type Description
algorithm string Axfr transfer algorithm
key string Axfr transfer key
name string Axfr transfer name

Enumerated Values

Property Value
algorithm HMAC_MD5
algorithm HMAC_SHA1
algorithm HMAC_SHA224
algorithm HMAC_SHA256
algorithm HMAC_SHA384
algorithm HMAC_SHA512

UpdateHostDiscoveriesRequest

{
  "ids": [
    1
  ],
  "preview": true,
  "changes": {
    "resolution": "own",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Properties

Name Type Description
ids* [integer] List of discovery ids to update.
preview boolean If set, doesn't carry out the operation, but returns a list of discoveries that would have been affected. Default: false
changes UpdateHostDiscoveriesChanges none

UpdateHostDiscoveriesResponse

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2024-12-20T16:02:26.704Z",
      "origin": "hdb",
      "originTitle": "HDB",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2024-12-20T16:02:26.705Z"
    }
  ]
}

Properties

Name Type Description
hostDiscoveries* [HostDiscovery] [This object represents our discovery of a host which might be relevant to your organization.]

UpdateHostDiscoveriesChanges

{
  "resolution": "own",
  "groups": [
    "staging",
    "development"
  ]
}

Properties

Name Type Description
resolution string If set, updates the discoveries resolution.
groups [string] When setting resolution to 'own' hosts are imported. If you also wish them to be added to one or more groups, specify group labels here. Ignored if resolution is not 'own'

Enumerated Values

Property Value
resolution pending
resolution own
resolution supplier
resolution unrelated
resolution infringing
resolution phishing

DeleteHostDiscoveriesRequest

{
  "ids": [
    1
  ],
  "preview": true
}

Properties

Name Type Description
ids* [integer] List of discovery ids to delete.
preview boolean If set, doesn't carry out the operation, but returns a list of discoveries that would have been affected. Default: false

DeleteHostDiscoveriesResponse

{
  "ids": [
    1
  ],
  "preview": true
}

Properties

Name Type Description
ids* [integer] List of affected discovery ids.
preview* boolean Whether or not we ran in preview mode.

UpdateHostDiscoveryKeywordRequest

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

A keyword used for host discovery.

Properties

Name Type Description
keyword* string The text to match with. Must consist of only lowercase letters, digits, dashes, and periods. It also must contain at least 5 characters and not more than 32.
enabled* boolean Indicates if the keyword is currently active.
matchScope* string Determines what type of results the keyword will look for.
matchPosition* string Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant.
matchExact* boolean If set, enables exact matching.
matchFuzzy* boolean If set, enables fuzzy matching.
matchConfusables* boolean If set, enables matching of confusable characters and homographes.
exclusions* [string] Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored.

Enumerated Values

Property Value
matchScope all
matchScope domains
matchPosition anywhere
matchPosition label,
matchPosition labelStart
matchPosition labelEnd
matchPosition labelStartOrEnd

UpdateHostDiscoveryKeywordResponse

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name Type Description
hostDiscoveryKeyword* HostDiscoveryKeyword A keyword used for host discovery.

UpdateIdentityRequest

{
  "enabled": true
}

Properties

Name Type Description
enabled boolean Enable/disable an identity.

UpdateIdentityResponse

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2024-12-20T16:02:26.706Z",
    "lastSeen": "2024-12-20T16:02:26.706Z",
    "lastCheck": "2024-12-20T16:02:26.706Z",
    "error": "Not a unique identity.",
    "errorTime": "2024-12-20T16:02:26.706Z"
  }
}

Properties

Name Type Description
identity* Identity This object represents an identity.

TlsCheck

{
  "request": {
    "host": "hardenize.com",
    "port": 443,
    "location": "london",
    "resolverStrategy": "all"
  },
  "responses": [
    {
      "endpoint": {
        "host": "hardenize.com",
        "address": "104.17.158.13",
        "port": 443,
        "location": "london"
      },
      "status": "success",
      "connections": [
        {
          "remoteAddress": "104.17.158.13",
          "remotePort": 443,
          "tls": {
            "protocol": "TLSv1.3",
            "suite": "TLS_AES_256_GCM_SHA384",
            "certificates": [
              "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
              "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
              "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
            ]
          }
        }
      ]
    }
  ],
  "certificates": [
    {
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "notBefore": "2024-12-20T16:02:26.706Z",
      "notAfter": "2024-12-20T16:02:26.706Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "ECDSAwithSHA256",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "pem": "MIIE/zCCBKagAwIBAgIRAKyO7rKU3rBSU7hzFLVhkBUwCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xOTEyMDUwMDAwMDBaFw0yMDA2MTIyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IDADCCAvwwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgIHMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6GmnTohwAAAFu04k42gAABAMASDBGAiEA7A6j9BVR49t+V/hBKDXVPnBaKL+Sn+0Z2x6k0SK9ORACIQDQSiuC8H2gkE6HX5PRsHTVpIyPa5GOzAqWNjfulEanSgB2AF6nc/nfVsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABbtOJOMIAAAQDAEcwRQIgHc5giLeZq2s5miBPoBIOpLkPj/ZbT8qBvlfHWTRIeGMCIQDGIkCl4cRhCMZLU6Tzr+UyMhWDyb0g9s+nRQy5IZlnZjAKBggqhkjOPQQDAgNHADBEAiBl7pvVHNc90aXVpH4zihVzSVkjatXQTCDJX9edBTaO/QIgbacpBSfqazqWakton2I/5/ig2UUgUwty/tozdKLRLTc="
    }
  ]
}

Properties

Name Type Description
request* CreateTlsCheckRequest TLS check parameters.
responses* [TlsCheckResponse] none
certificates* [NetworkCertificate] Certificates observed across all network operations.

TlsCheckResponse

{
  "endpoint": {
    "host": "hardenize.com",
    "address": "104.17.158.13",
    "port": 443,
    "location": "london"
  },
  "status": "success",
  "connections": [
    {
      "remoteAddress": "104.17.158.13",
      "remotePort": 443,
      "tls": {
        "protocol": "TLSv1.3",
        "suite": "TLS_AES_256_GCM_SHA384",
        "certificates": [
          "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
          "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
          "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
        ]
      }
    }
  ]
}

Properties

Name Type Description
endpoint NetworkEndpoint none
status string none
connections [NetworkConnection] none

Enumerated Values

Property Value
status success
status failure

NetworkCertificate

{
  "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "notBefore": "2024-12-20T16:02:26.706Z",
  "notAfter": "2024-12-20T16:02:26.707Z",
  "keyAlg": "EC",
  "keyLen": 256,
  "keyStrength": 128,
  "sigAlg": "ECDSAwithSHA256",
  "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
  "hosts": [
    "*.hardenize.com"
  ],
  "pem": "MIIE/zCCBKagAwIBAgIRAKyO7rKU3rBSU7hzFLVhkBUwCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xOTEyMDUwMDAwMDBaFw0yMDA2MTIyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IDADCCAvwwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgIHMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6GmnTohwAAAFu04k42gAABAMASDBGAiEA7A6j9BVR49t+V/hBKDXVPnBaKL+Sn+0Z2x6k0SK9ORACIQDQSiuC8H2gkE6HX5PRsHTVpIyPa5GOzAqWNjfulEanSgB2AF6nc/nfVsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABbtOJOMIAAAQDAEcwRQIgHc5giLeZq2s5miBPoBIOpLkPj/ZbT8qBvlfHWTRIeGMCIQDGIkCl4cRhCMZLU6Tzr+UyMhWDyb0g9s+nRQy5IZlnZjAKBggqhkjOPQQDAgNHADBEAiBl7pvVHNc90aXVpH4zihVzSVkjatXQTCDJX9edBTaO/QIgbacpBSfqazqWakton2I/5/ig2UUgUwty/tozdKLRLTc="
}

Properties

Name Type Description
sha256* string Hex-encoded SHA256 hash of the certificate in DER format.
subject* string Subject distinguished name.
issuer* string Issuer distinguished name.
serial* string Hex-encoded serial number.
notBefore* string(date-time) ISO 8601 timestamp.
notAfter* string(date-time) ISO 8601 timestamp.
keyAlg* string Private key algorithm, for example RSA or EC.
keyLen* integer Private key length, for example 256 for an ECDSA key or 2048 for an RSA key.
keyStrength* integer Estimated private key strength in symmetric bits. For example, a 256-bit ECDSA key is thought to provide 128 bits of security, whereas a 2048-bit RSA key provides about 112.
sigAlg* string Certificate signature algorithm.
spkiSha256* string Hex-encoded SHA256 of the certificate's SPKI component.
hosts* [string] All hosts specified in the certificate's SAN extension, as Unicode. This list includes both hostnames and IP addresses. Wildcard hostnames will be on the list if they are in the certificate.
pem* string none

Enumerated Values

Property Value
sigAlg RSAwithMD2
sigAlg RSAwithMD5
sigAlg RSAwithSHA1
sigAlg RSAwithSHA256
sigAlg RSAwithSHA384
sigAlg RSAwithSHA512
sigAlg RSAPSS
sigAlg DSAwithSHA1
sigAlg DSAwithSHA256
sigAlg ECDSAwithSHA1
sigAlg ECDSAwithSHA256
sigAlg ECDSAwithSHA384
sigAlg ECDSAwithSHA512

NetworkConnection

{
  "remoteAddress": "104.17.158.13",
  "remotePort": 443,
  "tls": {
    "protocol": "TLSv1.3",
    "suite": "TLS_AES_256_GCM_SHA384",
    "certificates": [
      "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
      "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
      "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
    ]
  }
}

Properties

Name Type Description
remoteAddress* string none
remotePort* integer none
tls TlsConnection none

TlsConnection

{
  "protocol": "TLSv1.3",
  "suite": "TLS_AES_256_GCM_SHA384",
  "certificates": [
    "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
    "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
    "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
  ]
}

Properties

Name Type Description
protocol string none
suite string none
certificates [string] none

Enumerated Values

Property Value
protocol TLSv1.3
protocol TLSv1.2
protocol TLSv1.0
protocol SSLv3
protocol SSLv2

NetworkEndpoint

{
  "host": "hardenize.com",
  "address": "104.17.158.13",
  "port": 443,
  "location": "london"
}

Properties

Name Type Description
host string none
address string none
port integer none
location string none

TestIntegrationResponse

{
  "success": false,
  "error": "Failed to authenticate"
}

Properties

Name Type Description
success* boolean Whether or not the test succeeded
error string If the test failed, a suitable error message

UpdateHostsRequest

{
  "hostnames": [
    "example.com"
  ],
  "preview": true,
  "subdomains": true,
  "changes": {
    "status": "monitored",
    "axfr": "enabled",
    "axfrHost": "stealth.ns.example.com",
    "axfrTsig": {
      "algorithm": "HMAC_MD5",
      "key": "base64key=",
      "name": "thename"
    },
    "groupOp": "add",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Properties

Name Type Description
hostnames* [string] List of hosts to update.
preview boolean If set, doesn't carry out the operation, but returns a list of hosts that would have been affected. Default: false
subdomains boolean If set, indicates that the operation should apply to all the subdomains of the specified hosts. Default: false
changes UpdateHostsChanges none

UpdateHostsResponse

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Properties

Name Type Description
hostnames* [string] List of hosts that have been updated (or would have been updated, in preview mode).
preview* boolean Indicates if the action was executed or only previewed.

UpdateAccessControlConfigRequest

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

All fields are optional. Supply only the fields that need updating.

Properties

Name Type Description
apiNetworks [cidr] List of network address ranges from which access to the API should be allowed. Empty list means no restrictions.
apiNetworksCascade string If set to true, the configured API whitelist is enforced on all child organizations.
appNetworks [cidr] List of network address ranges from which access to the web application should be allowed. Empty list means no restrictions.
appNetworksCascade string If set to true, the configured web application whitelist is enforced on all child organizations.

Enumerated Values

Property Value
apiNetworksCascade disabled
apiNetworksCascade enabled
appNetworksCascade disabled
appNetworksCascade enabled

UpdateAccessControlConfigResponse

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": true,
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": true
}

Management access restrictions configuration, after the requested changes have been applied.

Properties

Name Type Description
apiNetworks* [cidr] Network address range from which access to the API is allowed.
apiNetworksCascade* boolean Indicator of whether the API network access configuration should cascade to all child organizations.
appNetworks* [cidr] Network address range from which access to the web application is allowed.
appNetworksCascade* boolean Indicator of whether the web application network access configuration should cascade to all child organizations.

UpdateNetworkScanningConfigRequest

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

All fields are optional. Supply only the fields that need updating.

Properties

Name Type Description
netscanStatic boolean If set to true, scanning of static networks is enabled. For the scanning to take place, individual networks must be explicitly configured for scanning.
netscanDynamic boolean If set to true, scanning of dynamic IP addresses resolved from the organization's hostnames is enabled.
monitorCloudIps boolean If set to true, scanning of IP addresses discovered by cloud integrations is enabled.
netscanExclusions [cidr] Contains a list of network ranges that will be excluded from network scaning.

UpdateOrgRequest

{
  "name": "Hardenize",
  "status": "active",
  "commercialStatus": "internal",
  "generateApiCredentials": false,
  "hostDiscoveryAutoimportSubdomains": true,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": -1,
  "featureHostDiscovery": true,
  "featureMfa": false,
  "featureSaml": false
}

Properties

Name Type Description
name string Organization name is typically what will be shown in administrative user interfaces. If not provided in the request, the the id parameter will be used as the default value.
status string none
commercialStatus string none
generateApiCredentials boolean If set, creates new master API credentials for the organization. The generated password must be stored by the caller, otherwise it will be lost.
hostDiscoveryAutoimportSubdomains boolean If provided, updates the corresponding organization setting.
hostDiscoveryExcludeSuffixes [string] If provided, this field is a list of domain suffixes that should be ignored during discovery.
hostDiscoveryEnabled boolean If provided, enables or disables host discovery.
hostDiscoveryLimitHard integer If provided, updates the host discovery limit.
hostLimitHard integer If provided, updates the hard host limit.
featureHostDiscovery boolean If provided, updates the corresponding organization setting. The feature must be available in the parent organization to be enabled in a suborg.
featureMfa boolean If set, enables multi-factor authentication (MFA). The feature must be available in the parent organization. Default: false
featureSaml boolean If set, enables SAML. The feature must be available in the parent organization. Default: false

Enumerated Values

Property Value
status active
status dormant
status suspended
status deleted
commercialStatus free
commercialStatus internal
commercialStatus paying
commercialStatus trial

UpdateOrgResponse

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Properties

Name Type Description
suborg Organization none

UnpackedCert

{
  "label": "www.example.com",
  "subject": "CN=www.example.com",
  "commonNames": [
    "www.example.com"
  ],
  "san": [
    "mail.example.com"
  ],
  "ski": "af47cb938e299991ec6538685ec20affbf817b2f",
  "issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
  "issuer": "Let's Encrypt Authority X3",
  "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
  "notBefore": "2024-12-20T16:02:26.708Z",
  "notAfter": "2024-12-20T16:02:26.708Z",
  "issuerUrls": [
    "http://cert.int-x3.letsencrypt.org/"
  ],
  "crlUrls": [
    "http://crl.pki.goog/GTS1O1.crl"
  ],
  "ocspUrls": [
    "http://ocsp.pki.goog/gts1o1"
  ],
  "fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
  "fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
  "keyUsage": [
    "keyEncipherment"
  ],
  "extendedKeyUsage": [
    "serverAuth"
  ],
  "scts": [
    {
      "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
      "logName": "DigiCert Yeti2020 Log",
      "timestamp": "2024-12-20T16:02:26.708Z"
    }
  ],
  "mustStaple": true,
  "sigAlg": {
    "oid": "1.2.840.113549.1.1.11",
    "name": "SHA256withRSA"
  },
  "subjectKey": {
    "algName": "RSA",
    "bits": 2048,
    "strength": 112,
    "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
  },
  "ca": true,
  "caPathLen": 1
}

Various information parsed from the certificate.

Properties

Name Type Description
label* string Summary of the cert
subject* string Certificate subject Distinguished Name in text format.
commonNames [string] Common names of the certificate
san [string] Hostnames from the SAN field
ski string Subject Key Identifier
issuerDn* string Certificate issuer Distinguished Name in text format.
issuer* string Certificate issuer
serial* string Hex-encoded serial number.
aki string Authority Key Identifier
notBefore* string(date-time) ISO 8601 timestamp.
notAfter* string(date-time) ISO 8601 timestamp.
issuerUrls [string] Issuer URLs
crlUrls [string] Certificate Revocation List URL
ocspUrls [string] OCSP URLs
fingerprintSha1* string SHA1 Fingerprint
fingerprintSha256* string SHA256 Fingerprint
keyUsage* [string] Allowed usages for the cert
extendedKeyUsage* [string] Further allowed usages for the cert
scts [UnpackedCertSct] CT Signed Certificate Timestamps
mustStaple boolean Has the must-staple feature
sigAlg* UnpackedCertSigAlg Signature Algorithm
subjectKey* UnpackedCertSubjectKey Subject Key
ca boolean If this cert is a CA cert
caPathLen integer If CA cert, how deep a certification path may exist through it

UnpackedCertSct

{
  "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
  "logName": "DigiCert Yeti2020 Log",
  "timestamp": "2024-12-20T16:02:26.709Z"
}

CT Signed Certificate Timestamp

Properties

Name Type Description
logId* string The log ID
logName* string The name of the log
timestamp* string(date-time) ISO 8601 timestamp.

UnpackedCertSigAlg

{
  "oid": "1.2.840.113549.1.1.11",
  "name": "SHA256withRSA"
}

Signature Algorithm

Properties

Name Type Description
oid* string Signature algorithm OID
name* string String representation of signature algorithm

UnpackedCertSubjectKey

{
  "algName": "RSA",
  "bits": 2048,
  "strength": 112,
  "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
}

Subject Key

Properties

Name Type Description
algName* string none
bits* integer none
strength* integer none
spkiSha256* string none

GetUserResponse

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2024-12-20T16:02:26.709Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Properties

Name Type Description
user* User The User object represents one of your users that are members of the organization. They can be actual users, or service accounts.

ListUsersResponse

{
  "users": [
    {
      "userId": 10001,
      "email": "postmaster@example.com",
      "name": "Bob",
      "status": "active",
      "serviceAccount": true,
      "expirationTime": "2024-12-20T16:02:26.709Z",
      "password": "61cec76600adc8b7aa522a5078f7c837",
      "mfaEnabled": false,
      "role": "observer"
    }
  ]
}

Properties

Name Type Description
users* [User] [The User object represents one of your users that are members of the organization. They can be actual users, or service accounts. ]

CreateServiceAccountRequest

{
  "name": "Data fetcher",
  "role": "observer",
  "expirationTime": "2024-12-20T16:02:26.709Z"
}

Properties

Name Type Description
name* string Name of the service account
role* string Role of the service account
expirationTime string(date-time) Service accounts may have expiration times

Enumerated Values

Property Value
role owner
role admin
role member
role observer

InviteUserRequest

{
  "name": "Bob",
  "email": "postmaster@example.com",
  "role": "observer"
}

Properties

Name Type Description
name* string The users name
email* string The users email address
role* string The users role

Enumerated Values

Property Value
role owner
role admin
role member
role observer

User

{
  "userId": 10001,
  "email": "postmaster@example.com",
  "name": "Bob",
  "status": "active",
  "serviceAccount": true,
  "expirationTime": "2024-12-20T16:02:26.709Z",
  "password": "61cec76600adc8b7aa522a5078f7c837",
  "mfaEnabled": false,
  "role": "observer"
}

The User object represents one of your users that are members of the organization. They can be actual users, or service accounts.

Properties

Name Type Description
userId* integer Unique user identifier
email* string The user's email address. In case of service accounts, we generate a special email address on Hardenize's own domain name.
name* string The name of the user or service account.
status* string User status. Normal user accounts begin with invitationSent status, which later changes to active, after the invitation is accepted. If an invitation is cancelled, the user object is deleted. Later on, an account's status may change to retired and possibly back to active.
serviceAccount* boolean Indicates if this user is a service account.
expirationTime string(date-time) Indicates the account's expiration time, if any.
password string When creating service accounts, or resetting their passwords, the auto generated password will be returned in plain text. This is the only time it will be available.
mfaEnabled boolean Whether or not multi-factor authentication is enabled for an account. This field is not present for service accounts, as MFA is not available in that context.
role* string The users role

Enumerated Values

Property Value
status active
status retired
status invitationSent
role owner
role admin
role member
role observer

CertsStatsResponse

{
  "certStats": {
    "totals": {
      "activeOrNonExpired": 0,
      "onlyOwn": 0,
      "onlyThirdParty": 0,
      "onlyActive": 0
    },
    "summary": {
      "total": 0,
      "unique": 0,
      "certs": 0,
      "precerts": 0,
      "duplicates": 0,
      "valid": 0,
      "notYetValid": 0,
      "expired": 0,
      "effectivelyExpired": 0,
      "revoked": 0,
      "revokedNotExpired": 0,
      "endEntity": 0,
      "ca": 0
    },
    "thirdParty": {
      "total": 0,
      "unique": 0,
      "endEntity": 0,
      "ca": 0
    },
    "usage": {
      "active": 0,
      "expired": 0,
      "expirationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      }
    },
    "analysis": {
      "issuerCa": {
        "property1": 0,
        "property2": 0
      },
      "keyAlg": {
        "property1": 0,
        "property2": 0
      },
      "keyAlgLen": {
        "property1": 0,
        "property2": 0
      },
      "keyStrength": {
        "property1": 0,
        "property2": 0
      },
      "sigAlg": {
        "property1": 0,
        "property2": 0
      },
      "validation": {
        "property1": 0,
        "property2": 0
      },
      "lifetimes": {
        "property1": 0,
        "property2": 0
      },
      "wildcards": 0,
      "nonWildcards": 0
    },
    "activity": {
      "issuanceTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      },
      "revocationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      },
      "expirationTimelines": {
        "days": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "weeks": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        },
        "months": {
          "data": [
            {
              "offset": 0,
              "count": 0
            }
          ],
          "firstOffset": 0,
          "lastOffset": 0,
          "count": 0,
          "min": 0,
          "max": 0
        }
      }
    },
    "timestamp": "2024-12-20T16:02:26.710Z"
  },
  "extras": {
    "certsDueDays": 0,
    "certsOverdueDays": 0,
    "certsCriticalDays": 0
  }
}

Properties

Name Type Description
certStats* CertStats none
extras CertStatsExtras none

CertStats

{
  "totals": {
    "activeOrNonExpired": 0,
    "onlyOwn": 0,
    "onlyThirdParty": 0,
    "onlyActive": 0
  },
  "summary": {
    "total": 0,
    "unique": 0,
    "certs": 0,
    "precerts": 0,
    "duplicates": 0,
    "valid": 0,
    "notYetValid": 0,
    "expired": 0,
    "effectivelyExpired": 0,
    "revoked": 0,
    "revokedNotExpired": 0,
    "endEntity": 0,
    "ca": 0
  },
  "thirdParty": {
    "total": 0,
    "unique": 0,
    "endEntity": 0,
    "ca": 0
  },
  "usage": {
    "active": 0,
    "expired": 0,
    "expirationTimelines": {
      "days": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "weeks": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "months": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      }
    }
  },
  "analysis": {
    "issuerCa": {
      "property1": 0,
      "property2": 0
    },
    "keyAlg": {
      "property1": 0,
      "property2": 0
    },
    "keyAlgLen": {
      "property1": 0,
      "property2": 0
    },
    "keyStrength": {
      "property1": 0,
      "property2": 0
    },
    "sigAlg": {
      "property1": 0,
      "property2": 0
    },
    "validation": {
      "property1": 0,
      "property2": 0
    },
    "lifetimes": {
      "property1": 0,
      "property2": 0
    },
    "wildcards": 0,
    "nonWildcards": 0
  },
  "activity": {
    "issuanceTimelines": {
      "days": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "weeks": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "months": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      }
    },
    "revocationTimelines": {
      "days": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "weeks": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "months": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      }
    },
    "expirationTimelines": {
      "days": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "weeks": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      },
      "months": {
        "data": [
          {
            "offset": 0,
            "count": 0
          }
        ],
        "firstOffset": 0,
        "lastOffset": 0,
        "count": 0,
        "min": 0,
        "max": 0
      }
    }
  },
  "timestamp": "2024-12-20T16:02:26.711Z"
}

Properties

Name Type Description
totals TotalsStats none
summary SummaryStats Own certificates statistics.
thirdParty ThirdPartyStats Third-party certificates statistics.
usage UsageStats Usage statistics.
analysis AnalysisStats Certificate corpus analysis.
activity ActivityStats Activity stats.
timestamp string(date-time) Statistics creation time

TotalsStats

{
  "activeOrNonExpired": 0,
  "onlyOwn": 0,
  "onlyThirdParty": 0,
  "onlyActive": 0
}

Properties

Name Type Description
activeOrNonExpired integer Total active or non-expired certificates.
onlyOwn integer Total certificates that are not third-party.
onlyThirdParty integer Total third-party certificates.
onlyActive integer Total active certificates.

CertStatsExtras

{
  "certsDueDays": 0,
  "certsOverdueDays": 0,
  "certsCriticalDays": 0
}

Properties

Name Type Description
certsDueDays integer none
certsOverdueDays integer none
certsCriticalDays integer none

SummaryStats

{
  "total": 0,
  "unique": 0,
  "certs": 0,
  "precerts": 0,
  "duplicates": 0,
  "valid": 0,
  "notYetValid": 0,
  "expired": 0,
  "effectivelyExpired": 0,
  "revoked": 0,
  "revokedNotExpired": 0,
  "endEntity": 0,
  "ca": 0
}

Own certificates statistics.

Properties

Name Type Description
total integer Total certificate objects.
unique integer Total unique certificate objects.
certs integer Total certificates.
precerts integer Total precertificates.
duplicates integer Total duplicate certificates.
valid integer Total valid non-duplicate certificates.
notYetValid integer Total not yet valid certificates.
expired integer Total expired certificates.
effectivelyExpired integer Total effectively expired certificates.
revoked integer Total revoked certificates.
revokedNotExpired integer Total revoked but not expired certificates.
endEntity integer Total unique leaf certificates.
ca integer Total unique intermediates and roots.

ThirdPartyStats

{
  "total": 0,
  "unique": 0,
  "endEntity": 0,
  "ca": 0
}

Third-party certificates statistics.

Properties

Name Type Description
total integer none
unique integer Total unique certificate objects.
endEntity integer Total unique leaves.
ca integer Total unique intermediates and roots.

UsageStats

{
  "active": 0,
  "expired": 0,
  "expirationTimelines": {
    "days": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "weeks": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "months": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    }
  }
}

Usage statistics.

Properties

Name Type Description
active integer Total active/installed; may include certificates that are no longer valid.
expired integer Total expired.
expirationTimelines Timeline none

ActivityStats

{
  "issuanceTimelines": {
    "days": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "weeks": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "months": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    }
  },
  "revocationTimelines": {
    "days": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "weeks": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "months": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    }
  },
  "expirationTimelines": {
    "days": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "weeks": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    },
    "months": {
      "data": [
        {
          "offset": 0,
          "count": 0
        }
      ],
      "firstOffset": 0,
      "lastOffset": 0,
      "count": 0,
      "min": 0,
      "max": 0
    }
  }
}

Activity stats.

Properties

Name Type Description
issuanceTimelines Timeline none
revocationTimelines Timeline none
expirationTimelines Timeline none

AnalysisStats

{
  "issuerCa": {
    "property1": 0,
    "property2": 0
  },
  "keyAlg": {
    "property1": 0,
    "property2": 0
  },
  "keyAlgLen": {
    "property1": 0,
    "property2": 0
  },
  "keyStrength": {
    "property1": 0,
    "property2": 0
  },
  "sigAlg": {
    "property1": 0,
    "property2": 0
  },
  "validation": {
    "property1": 0,
    "property2": 0
  },
  "lifetimes": {
    "property1": 0,
    "property2": 0
  },
  "wildcards": 0,
  "nonWildcards": 0
}

Certificate corpus analysis.

Properties

Name Type Description
issuerCa object CA issuers
» additionalProperties integer none
keyAlg object Private key algorithm
» additionalProperties integer none
keyAlgLen object Private key algorithm with length
» additionalProperties integer none
keyStrength object Private key strength
» additionalProperties integer none
sigAlg object Signature algorithm
» additionalProperties integer none
validation object none
» additionalProperties integer none
lifetimes object Count of the certificates with the same lifetimes
» additionalProperties integer none
wildcards integer Total wildcards
nonWildcards integer Total non-wildcards

Timeline

{
  "days": {
    "data": [
      {
        "offset": 0,
        "count": 0
      }
    ],
    "firstOffset": 0,
    "lastOffset": 0,
    "count": 0,
    "min": 0,
    "max": 0
  },
  "weeks": {
    "data": [
      {
        "offset": 0,
        "count": 0
      }
    ],
    "firstOffset": 0,
    "lastOffset": 0,
    "count": 0,
    "min": 0,
    "max": 0
  },
  "months": {
    "data": [
      {
        "offset": 0,
        "count": 0
      }
    ],
    "firstOffset": 0,
    "lastOffset": 0,
    "count": 0,
    "min": 0,
    "max": 0
  }
}

Properties

Name Type Description
days TimelineData none
weeks TimelineData none
months TimelineData none

TimelineData

{
  "data": [
    {
      "offset": 0,
      "count": 0
    }
  ],
  "firstOffset": 0,
  "lastOffset": 0,
  "count": 0,
  "min": 0,
  "max": 0
}

Properties

Name Type Description
data* [OffsetCount] none
firstOffset* integer none
lastOffset* integer none
count* integer none
min* integer none
max* integer none

OffsetCount

{
  "offset": 0,
  "count": 0
}

Properties

Name Type Description
offset* integer none
count* integer none

CreateDashboardResponse

{
  "orgDashboardStats": {
    "orgId": 0,
    "overallSummary": {
      "totalHosts": 0,
      "dnssecHosts": 0,
      "dnssecPresent": 0,
      "dnssecNone": 0,
      "dnssecUnknown": 0,
      "smtpHosts": 0,
      "smtpQualityGood": 0,
      "smtpQualityWarning": 0,
      "smtpQualityError": 0,
      "smtpQualityOther": 0,
      "smtpStartTlsPresent": 0,
      "smtpStartTlsNone": 0,
      "smtpStartTlsUnknown": 0,
      "smtpSpfPresent": 0,
      "smtpSpfNone": 0,
      "smtpSpfUnknown": 0,
      "smtpDmarcPresent": 0,
      "smtpDmarcNone": 0,
      "smtpDmarcUnknown": 0,
      "smtpDanePresent": 0,
      "smtpDaneNone": 0,
      "smtpDaneUnknown": 0,
      "httpHosts": 0,
      "httpsHosts": 0,
      "httpsQualityGood": 0,
      "httpsQualityWarning": 0,
      "httpsQualityError": 0,
      "httpsQualityOther": 0,
      "httpsHostsPresent": 0,
      "httpsHostsNone": 0,
      "httpsHostsUnknown": 0,
      "httpsRedirectionPresent": 0,
      "httpsRedirectionNone": 0,
      "httpsRedirectionNotApplicable": 0,
      "httpsRedirectionUnknown": 0,
      "httpsHstsPresent": 0,
      "httpsHstsNone": 0,
      "httpsHstsNotApplicable": 0,
      "httpsHstsUnknown": 0,
      "httpsHstsPreloadedPresent": 0,
      "httpsHstsPreloadedNone": 0,
      "httpsHstsPreloadedNotApplicable": 0,
      "httpsHstsPreloadedUnknown": 0,
      "httpsTls13Present": 0,
      "httpsTls12Present": 0,
      "httpsTls11Present": 0,
      "httpsTls10Present": 0,
      "httpsSsl3Present": 0,
      "httpsSsl2Present": 0,
      "httpsPostQuantumEncryption": 0
    },
    "groups": [
      {
        "groupId": 0,
        "name": "string",
        "label": "string",
        "auto": true,
        "tags": [
          "string"
        ]
      }
    ],
    "monitoredHostCount": 0,
    "monitoredDomainCount": 0,
    "nonArchivedHostCount": 0,
    "nonArchivedDomainCount": 0,
    "ipCount": 0,
    "activeCertCount": 0,
    "buildTime": "2019-08-24T14:15:22Z",
    "groupSummaries": {
      "property1": {
        "totalHosts": 0,
        "dnssecHosts": 0,
        "dnssecPresent": 0,
        "dnssecNone": 0,
        "dnssecUnknown": 0,
        "smtpHosts": 0,
        "smtpQualityGood": 0,
        "smtpQualityWarning": 0,
        "smtpQualityError": 0,
        "smtpQualityOther": 0,
        "smtpStartTlsPresent": 0,
        "smtpStartTlsNone": 0,
        "smtpStartTlsUnknown": 0,
        "smtpSpfPresent": 0,
        "smtpSpfNone": 0,
        "smtpSpfUnknown": 0,
        "smtpDmarcPresent": 0,
        "smtpDmarcNone": 0,
        "smtpDmarcUnknown": 0,
        "smtpDanePresent": 0,
        "smtpDaneNone": 0,
        "smtpDaneUnknown": 0,
        "httpHosts": 0,
        "httpsHosts": 0,
        "httpsQualityGood": 0,
        "httpsQualityWarning": 0,
        "httpsQualityError": 0,
        "httpsQualityOther": 0,
        "httpsHostsPresent": 0,
        "httpsHostsNone": 0,
        "httpsHostsUnknown": 0,
        "httpsRedirectionPresent": 0,
        "httpsRedirectionNone": 0,
        "httpsRedirectionNotApplicable": 0,
        "httpsRedirectionUnknown": 0,
        "httpsHstsPresent": 0,
        "httpsHstsNone": 0,
        "httpsHstsNotApplicable": 0,
        "httpsHstsUnknown": 0,
        "httpsHstsPreloadedPresent": 0,
        "httpsHstsPreloadedNone": 0,
        "httpsHstsPreloadedNotApplicable": 0,
        "httpsHstsPreloadedUnknown": 0
      },
      "property2": {
        "totalHosts": 0,
        "dnssecHosts": 0,
        "dnssecPresent": 0,
        "dnssecNone": 0,
        "dnssecUnknown": 0,
        "smtpHosts": 0,
        "smtpQualityGood": 0,
        "smtpQualityWarning": 0,
        "smtpQualityError": 0,
        "smtpQualityOther": 0,
        "smtpStartTlsPresent": 0,
        "smtpStartTlsNone": 0,
        "smtpStartTlsUnknown": 0,
        "smtpSpfPresent": 0,
        "smtpSpfNone": 0,
        "smtpSpfUnknown": 0,
        "smtpDmarcPresent": 0,
        "smtpDmarcNone": 0,
        "smtpDmarcUnknown": 0,
        "smtpDanePresent": 0,
        "smtpDaneNone": 0,
        "smtpDaneUnknown": 0,
        "httpHosts": 0,
        "httpsHosts": 0,
        "httpsQualityGood": 0,
        "httpsQualityWarning": 0,
        "httpsQualityError": 0,
        "httpsQualityOther": 0,
        "httpsHostsPresent": 0,
        "httpsHostsNone": 0,
        "httpsHostsUnknown": 0,
        "httpsRedirectionPresent": 0,
        "httpsRedirectionNone": 0,
        "httpsRedirectionNotApplicable": 0,
        "httpsRedirectionUnknown": 0,
        "httpsHstsPresent": 0,
        "httpsHstsNone": 0,
        "httpsHstsNotApplicable": 0,
        "httpsHstsUnknown": 0,
        "httpsHstsPreloadedPresent": 0,
        "httpsHstsPreloadedNone": 0,
        "httpsHstsPreloadedNotApplicable": 0,
        "httpsHstsPreloadedUnknown": 0
      }
    }
  }
}

Properties

Name Type Description
orgDashboardStats* OrgDashboardStats none

OrgDashboardStats

{
  "orgId": 0,
  "overallSummary": {
    "totalHosts": 0,
    "dnssecHosts": 0,
    "dnssecPresent": 0,
    "dnssecNone": 0,
    "dnssecUnknown": 0,
    "smtpHosts": 0,
    "smtpQualityGood": 0,
    "smtpQualityWarning": 0,
    "smtpQualityError": 0,
    "smtpQualityOther": 0,
    "smtpStartTlsPresent": 0,
    "smtpStartTlsNone": 0,
    "smtpStartTlsUnknown": 0,
    "smtpSpfPresent": 0,
    "smtpSpfNone": 0,
    "smtpSpfUnknown": 0,
    "smtpDmarcPresent": 0,
    "smtpDmarcNone": 0,
    "smtpDmarcUnknown": 0,
    "smtpDanePresent": 0,
    "smtpDaneNone": 0,
    "smtpDaneUnknown": 0,
    "httpHosts": 0,
    "httpsHosts": 0,
    "httpsQualityGood": 0,
    "httpsQualityWarning": 0,
    "httpsQualityError": 0,
    "httpsQualityOther": 0,
    "httpsHostsPresent": 0,
    "httpsHostsNone": 0,
    "httpsHostsUnknown": 0,
    "httpsRedirectionPresent": 0,
    "httpsRedirectionNone": 0,
    "httpsRedirectionNotApplicable": 0,
    "httpsRedirectionUnknown": 0,
    "httpsHstsPresent": 0,
    "httpsHstsNone": 0,
    "httpsHstsNotApplicable": 0,
    "httpsHstsUnknown": 0,
    "httpsHstsPreloadedPresent": 0,
    "httpsHstsPreloadedNone": 0,
    "httpsHstsPreloadedNotApplicable": 0,
    "httpsHstsPreloadedUnknown": 0,
    "httpsTls13Present": 0,
    "httpsTls12Present": 0,
    "httpsTls11Present": 0,
    "httpsTls10Present": 0,
    "httpsSsl3Present": 0,
    "httpsSsl2Present": 0,
    "httpsPostQuantumEncryption": 0
  },
  "groups": [
    {
      "groupId": 0,
      "name": "string",
      "label": "string",
      "auto": true,
      "tags": [
        "string"
      ]
    }
  ],
  "monitoredHostCount": 0,
  "monitoredDomainCount": 0,
  "nonArchivedHostCount": 0,
  "nonArchivedDomainCount": 0,
  "ipCount": 0,
  "activeCertCount": 0,
  "buildTime": "2019-08-24T14:15:22Z",
  "groupSummaries": {
    "property1": {
      "totalHosts": 0,
      "dnssecHosts": 0,
      "dnssecPresent": 0,
      "dnssecNone": 0,
      "dnssecUnknown": 0,
      "smtpHosts": 0,
      "smtpQualityGood": 0,
      "smtpQualityWarning": 0,
      "smtpQualityError": 0,
      "smtpQualityOther": 0,
      "smtpStartTlsPresent": 0,
      "smtpStartTlsNone": 0,
      "smtpStartTlsUnknown": 0,
      "smtpSpfPresent": 0,
      "smtpSpfNone": 0,
      "smtpSpfUnknown": 0,
      "smtpDmarcPresent": 0,
      "smtpDmarcNone": 0,
      "smtpDmarcUnknown": 0,
      "smtpDanePresent": 0,
      "smtpDaneNone": 0,
      "smtpDaneUnknown": 0,
      "httpHosts": 0,
      "httpsHosts": 0,
      "httpsQualityGood": 0,
      "httpsQualityWarning": 0,
      "httpsQualityError": 0,
      "httpsQualityOther": 0,
      "httpsHostsPresent": 0,
      "httpsHostsNone": 0,
      "httpsHostsUnknown": 0,
      "httpsRedirectionPresent": 0,
      "httpsRedirectionNone": 0,
      "httpsRedirectionNotApplicable": 0,
      "httpsRedirectionUnknown": 0,
      "httpsHstsPresent": 0,
      "httpsHstsNone": 0,
      "httpsHstsNotApplicable": 0,
      "httpsHstsUnknown": 0,
      "httpsHstsPreloadedPresent": 0,
      "httpsHstsPreloadedNone": 0,
      "httpsHstsPreloadedNotApplicable": 0,
      "httpsHstsPreloadedUnknown": 0
    },
    "property2": {
      "totalHosts": 0,
      "dnssecHosts": 0,
      "dnssecPresent": 0,
      "dnssecNone": 0,
      "dnssecUnknown": 0,
      "smtpHosts": 0,
      "smtpQualityGood": 0,
      "smtpQualityWarning": 0,
      "smtpQualityError": 0,
      "smtpQualityOther": 0,
      "smtpStartTlsPresent": 0,
      "smtpStartTlsNone": 0,
      "smtpStartTlsUnknown": 0,
      "smtpSpfPresent": 0,
      "smtpSpfNone": 0,
      "smtpSpfUnknown": 0,
      "smtpDmarcPresent": 0,
      "smtpDmarcNone": 0,
      "smtpDmarcUnknown": 0,
      "smtpDanePresent": 0,
      "smtpDaneNone": 0,
      "smtpDaneUnknown": 0,
      "httpHosts": 0,
      "httpsHosts": 0,
      "httpsQualityGood": 0,
      "httpsQualityWarning": 0,
      "httpsQualityError": 0,
      "httpsQualityOther": 0,
      "httpsHostsPresent": 0,
      "httpsHostsNone": 0,
      "httpsHostsUnknown": 0,
      "httpsRedirectionPresent": 0,
      "httpsRedirectionNone": 0,
      "httpsRedirectionNotApplicable": 0,
      "httpsRedirectionUnknown": 0,
      "httpsHstsPresent": 0,
      "httpsHstsNone": 0,
      "httpsHstsNotApplicable": 0,
      "httpsHstsUnknown": 0,
      "httpsHstsPreloadedPresent": 0,
      "httpsHstsPreloadedNone": 0,
      "httpsHstsPreloadedNotApplicable": 0,
      "httpsHstsPreloadedUnknown": 0
    }
  }
}

Properties

Name Type Description
orgId integer Organization ID
overallSummary object none
» totalHosts integer none
» dnssecHosts integer none
» dnssecPresent integer Hosts that use DNSSEC
» dnssecNone integer Hosts that don't use DNSSEC
» dnssecUnknown integer Hosts whose DNSSEC configuration we weren't able to evaluate reliably
» smtpHosts integer none
» smtpQualityGood integer Hosts that have correct and reasonably secure SMTP configuration
» smtpQualityWarning integer Hosts whose SMTP configuration has small problems or it's missing important features
» smtpQualityError integer Hosts whose SMTP configuration has errors or it's missing critical features
» smtpQualityOther integer Hosts whose SMTP configuration we weren't able to evaluate reliably
» smtpStartTlsPresent integer Hosts that support email encryption via STARTTLS
» smtpStartTlsNone integer Hosts that don't support email encryption via STARTTLS
» smtpStartTlsUnknown integer Hosts whose STARTTLS support we weren't able to evaluate reliably
» smtpSpfPresent integer Hosts that use SPF to control which servers are allowed to send email for them
» smtpSpfNone integer Hosts that don't use SPF to control which servers are allowed to send email for them
» smtpSpfUnknown integer Hosts whose SPF configuration we weren't able to evaluate reliably
» smtpDmarcPresent integer Hosts that have an enforcing DMARC policy
» smtpDmarcNone integer Hosts that don't have an enforcing DMARC policy
» smtpDmarcUnknown integer Hosts whose DMARC configuration we weren't able to evaluate reliably
» smtpDanePresent integer Hosts that use DNSSEC and DANE for SMTP
» smtpDaneNone integer Hosts that don't use DNSSEC and DANE for SMTP
» smtpDaneUnknown integer Hosts whose DNSSEC and DANE configuration we weren't able to evaluate reliably
» httpHosts integer none
» httpsHosts integer none
» httpsQualityGood integer Sites with well-configured HTTPS
» httpsQualityWarning integer Sites whose HTTPS configuration has smaller problems or lacks important features
» httpsQualityError integer Sites whose HTTPS configuration has errors or lacks critical features
» httpsQualityOther integer Sites whose HTTPS configuration we weren't able to evaluate reliably
» httpsHostsPresent integer Sites that deploy HTTPS with a certificate valid for public consumption
» httpsHostsNone integer Sites with HTTP but without HTTPS
» httpsHostsUnknown integer Sites whose HTTP and HTTPS status we weren't able to evaluate reliably
» httpsRedirectionPresent integer Sites that have an unconditional redirection from HTTP to HTTPS
» httpsRedirectionNone integer Sites that don't enforce HTTPS with a redirection
» httpsRedirectionNotApplicable integer Not applicable; these sites don't have HTTPS
» httpsRedirectionUnknown integer Sites whose HTTPS redirection status we weren't able to evaluate reliably
» httpsHstsPresent integer Sites that deploy HTTP Strict Transport Security (HSTS)
» httpsHstsNone integer Sites that don't deploy HTTP Strict Transport Security (HSTS)
» httpsHstsNotApplicable integer Not applicable; these sites don't have HTTPS
» httpsHstsUnknown integer Sites whose HSTS status we weren't able to evaluate reliably
» httpsHstsPreloadedPresent integer Sites that have preloaded (or pending) HSTS
» httpsHstsPreloadedNone integer Sites that don't have preloaded HSTS
» httpsHstsPreloadedNotApplicable integer Not applicable; these sites don't have HTTPS and/or HSTS
» httpsHstsPreloadedUnknown integer Sites whose HSTS preload status we weren't able to evaluate reliably
» httpsTls13Present integer Sites that support TLS 1.3
» httpsTls12Present integer Sites that support TLS 1.2
» httpsTls11Present integer Sites that support TLS 1.1
» httpsTls10Present integer Sites that support TLS 1.0
» httpsSsl3Present integer Sites that support SSL 3.0
» httpsSsl2Present integer Sites that support SSL 2.0
» httpsPostQuantumEncryption integer Sites that support TLS with post-quantum encryption (using X25519MLKEM768 hybrid key exchange). Post-quantum TLS is still in the process of being standardized and deployed.
groups [object] none
» groupId integer none
» name string none
» label string none
» auto boolean none
» tags [string] none
monitoredHostCount integer none
monitoredDomainCount integer none
nonArchivedHostCount integer none
nonArchivedDomainCount integer none
ipCount integer none
activeCertCount integer none
buildTime string(date-time) none
groupSummaries object none
» additionalProperties object none
»» totalHosts integer none
»» dnssecHosts integer none
»» dnssecPresent integer Hosts that use DNSSEC
»» dnssecNone integer Hosts that don't use DNSSEC
»» dnssecUnknown integer Hosts whose DNSSEC configuration we weren't able to evaluate reliably
»» smtpHosts integer none
»» smtpQualityGood integer Hosts that have correct and reasonably secure SMTP configuration
»» smtpQualityWarning integer Hosts whose SMTP configuration has small problems or it's missing important features
»» smtpQualityError integer Hosts whose SMTP configuration has errors or it's missing critical features
»» smtpQualityOther integer Hosts whose SMTP configuration we weren't able to evaluate reliably
»» smtpStartTlsPresent integer Hosts that support email encryption via STARTTLS
»» smtpStartTlsNone integer Hosts that don't support email encryption via STARTTLS
»» smtpStartTlsUnknown integer Hosts whose STARTTLS support we weren't able to evaluate reliably
»» smtpSpfPresent integer Hosts that use SPF to control which servers are allowed to send email for them
»» smtpSpfNone integer Hosts that don't use SPF to control which servers are allowed to send email for them
»» smtpSpfUnknown integer Hosts whose SPF configuration we weren't able to evaluate reliably
»» smtpDmarcPresent integer Hosts that have an enforcing DMARC policy
»» smtpDmarcNone integer Hosts that don't have an enforcing DMARC policy
»» smtpDmarcUnknown integer Hosts whose DMARC configuration we weren't able to evaluate reliably
»» smtpDanePresent integer Hosts that use DNSSEC and DANE for SMTP
»» smtpDaneNone integer Hosts that don't use DNSSEC and DANE for SMTP
»» smtpDaneUnknown integer Hosts whose DNSSEC and DANE configuration we weren't able to evaluate reliably
»» httpHosts integer none
»» httpsHosts integer none
»» httpsQualityGood integer Sites with well-configured HTTPS
»» httpsQualityWarning integer Sites whose HTTPS configuration has smaller problems or lacks important features
»» httpsQualityError integer Sites whose HTTPS configuration has errors or lacks critical features
»» httpsQualityOther integer Sites whose HTTPS configuration we weren't able to evaluate reliably
»» httpsHostsPresent integer Sites that deploy HTTPS with a certificate valid for public consumption
»» httpsHostsNone integer Sites with HTTP but without HTTPS
»» httpsHostsUnknown integer Sites whose HTTP and HTTPS status we weren't able to evaluate reliably
»» httpsRedirectionPresent integer Sites that have an unconditional redirection from HTTP to HTTPS
»» httpsRedirectionNone integer Sites that don't enforce HTTPS with a redirection
»» httpsRedirectionNotApplicable integer Not applicable; these sites don't have HTTPS
»» httpsRedirectionUnknown integer Sites whose HTTPS redirection status we weren't able to evaluate reliably
»» httpsHstsPresent integer Sites that deploy HTTP Strict Transport Security (HSTS)
»» httpsHstsNone integer Sites that don't deploy HTTP Strict Transport Security (HSTS)
»» httpsHstsNotApplicable integer Not applicable; these sites don't have HTTPS
»» httpsHstsUnknown integer Sites whose HSTS status we weren't able to evaluate reliably
»» httpsHstsPreloadedPresent integer Sites that have preloaded (or pending) HSTS
»» httpsHstsPreloadedNone integer Sites that don't have preloaded HSTS
»» httpsHstsPreloadedNotApplicable integer Not applicable; these sites don't have HTTPS and/or HSTS
»» httpsHstsPreloadedUnknown integer Sites whose HSTS preload status we weren't able to evaluate reliably

AccountStatsResponse

{
  "users": {
    "active": 7
  },
  "hosts": {
    "total": 8,
    "active": 8,
    "monitored": 4,
    "monitoredWithServices": 3,
    "idle": 3,
    "archived": 4
  },
  "certificates": {
    "totalCerts": 15,
    "duplicateCerts": 8,
    "expiredCerts": 0,
    "revokedCerts": 8,
    "thirdPartyCerts": 13,
    "activeCerts": 8
  },
  "networkEndpoints": {
    "total": 8,
    "smtp": 8,
    "https": 4
  },
  "ipv6Addresses": {
    "total": 0,
    "monitored": 0
  },
  "ipv4Addresses": {
    "total": 3,
    "monitored": 3
  }
}

Properties

Name Type Description
users AccountUsersStats none
hosts AccountHostsStats none
certificates AccountCertificatesStats none
networkEndpoints AccountNetworkEndpointsStats none
ipv6Addresses AccountIpv6AddressesStats none
ipv4Addresses AccountIpv4AddressesStats none

AccountHostsStats

{
  "total": 8,
  "active": 8,
  "monitored": 4,
  "monitoredWithServices": 3,
  "idle": 3,
  "archived": 4
}

Properties

Name Type Description
total integer none
active integer none
monitored integer none
monitoredWithServices integer none
idle integer none
archived integer none

AccountCertificatesStats

{
  "totalCerts": 15,
  "duplicateCerts": 8,
  "expiredCerts": 0,
  "revokedCerts": 8,
  "thirdPartyCerts": 13,
  "activeCerts": 8
}

Properties

Name Type Description
totalCerts integer none
duplicateCerts integer none
expiredCerts integer none
revokedCerts integer none
thirdPartyCerts integer none
activeCerts integer none

AccountUsersStats

{
  "active": 7
}

Properties

Name Type Description
active integer none

AccountNetworkEndpointsStats

{
  "total": 8,
  "smtp": 8,
  "https": 4
}

Properties

Name Type Description
total integer none
smtp integer none
https integer none

AccountIpv4AddressesStats

{
  "total": 3,
  "monitored": 3
}

Properties

Name Type Description
total integer none
monitored integer none

AccountIpv6AddressesStats

{
  "total": 0,
  "monitored": 0
}

Properties

Name Type Description
total integer none
monitored integer none