Hardenize Organization API v1.125.0
Scroll down for code samples, example requests and responses. Select a language for code samples from the tabs above or the mobile navigation menu.
Hardenize is a platform for continuous monitoring of network and security configuration. Hardenize supports individual accounts, intended for use by a single person, and organization accounts, which are shared among potentially many individuals. Whereas individual accounts are limited, organization accounts can have access to all Hardenize features. The Organization API, documented here, provides ability to manage and retrieve information from organization accounts.
Overview
Stability and Versioning
We aim to provide a stable API that will not break your code as we make new releases. However, this is a living API, which contains parts that are stable, as well as parts that are still under active development. As you read this documentation and adopt the API features, please observe the provided notices to understand what changes we may make in the future.
By default (in absence of any warnings), the API should be considered stable. That means that the future releases won't introduce incompatible changes. For example, we will not move or remove API endpoints, and we won't otherwise change the API structure. However, we may make forward-compatible changes even to the stable parts of the API to introduce new functionality. This means that we may add new API endpoints, new fields to existing objects, and in some cases even new field values where that makes sense (for some non-critical fields). To ensure that no breakage takes place, please ensure that your code ignores unknown fields and unknown field values in response objects.
Parts of this API that are not stable are marked with Under Development and can change without notice. The lifecycle of an API extension is roughly that we will release new parts early, polish them in response to your feedback, and declare them stable once they're considered mature.
Base Location
This specification shows the API endpoints relative to the API's base
location, which is shown below. Before you use the base URL, replace
the {org}
placeholder with your organization's label:
https://api.hardenize.com/v1/org/{org}/
The organization label is easy to find, just access your account and observe the URL in the browser. It's going to be the last segment of the URL when you navigate to your account's homepage. The URL may be in one of the two following formats:
https://www.hardenize.com/org/feistyduck/
https://app.redsift.cloud/sift/hardenize/org/red-sift-hardenize.feistyduck/
In the first URL, the label is feistyduck
. In the second, the label includes
prefix and is red-sift-hardenize.feistyduck
.
Request Methods
When it comes to how we use HTTP request methods, we try to follow the spirit of the HTTP specification. We use GET for requests that retrieve information without making any changes on the server. We use POST for requests that modify data. We use DELETE when data is being deleted.
Paths
We use path segments to group API endpoints with common functions, or endpoints that
manage the same type of entity (e.g., certificates). Wherever possible, we
use plural forms, for example hosts
and groups
.
We also use path segment parameters (Section 3.3 in the URI RFC) for types of requests that don't alter resource state but request an action to be performed. A nice way to think about this model is that some resources have buttons, and that you are able to push these buttons via actions. You could say that these endpoints are controllers, and they're common in RPC-style APIs.
The first action we implemented was for webhook testing; to test a webhook, you first
build a path that identifies a specific webhook, then append a path segment parameter to
indicate which action to perform. The complete path then looks like this: /eventHooks/b349dd;test
.
Although path segments are not very commonly seen in practice, we believe they're
very well suited for this particular use case.
HTTP Response Codes
HTTP doesn't provide a full range of useful response codes, but we try to use the status code that makes more sense. In most cases you'll only need to differentiate between 2xx (all good), 4xx (your fault), and 5xx (our fault) responses.
- 200 OK - successful operation; body contains response
- 201 Created - entity created
- 202 Accepted - entity exists, but we don't want to raise an error
- 204 No Content - successful operation; no further information in the body
- 206 Partial Content - partial resource delivered as requested
- 303 See Other - operation results not yet available
- 400 Bad Request - invalid request (your fault); body contains error messages
- 401 Not Authenticated - credentials not provided or invalid
- 403 Forbidden - you are not authorized to perform action
- 404 Not Found - entity not found or invalid URL
- 405 Method Not Allowed - endpoint doesn't support the attempted request method
- 409 Conflict - conflict with the current state of the target resource
- 416 Range Not Satisfiable - unable to provide the request range
- 422 Unprocessable Entity - request is valid, but cannot be processed, usually due to some business rule.
- 429 Too Many Requests - too many requests, in succession or at the same time
- 500 Internal Server Error - request processing failed (our fault)
- 502 Bad Gateway - API not currently available, for example down for maintenance
- 503 Service Unavailable - Unable to respond, possibly due to being overloaded
MIME Types
Most API endpoints in this specification respond with a JSON object and thus use the application/json
MIME type. There are a couple of situations when one endpoint may return different objects depending
on context; we use additional MIME types to help you to determine what the responses contain:
-
Error responses - if an endpoint is unable to complete successfully, its response will use a non-200 status code and include an
ErrorResponse
object in the body. Theapplication/vnd.hardenize.v1.error-response+json
MIME type will be used. -
Operation statuses - API endpoints that return operation results may return operation status objects if called too early. When that happens, the response body will include an
OperationStatus
object and use theapplication/vnd.hardenize.v1.operation-status+json
MIME type.
Errors
If an endpoint fails to complete successfully, the response body may include an ErrorResponse
instance
with one or more error messages. Messages can be associated with the entire transaction or, optionally,
with a specific parameter.
{
"errors": [
{
"message": "Operation failed, but we don't want why."
},
{
"param": "firstName",
"message": "Invalid field value, please try again."
}
]
}
Error responses use a non-200 status code and the application/vnd.hardenize.v1.error-response+json
MIME type.
Request Limits
We enforce API usage limits in order to preserve the integrity of our systems. For example, it's very easy to deploy a client that sends thousands of requests by mistake; we wish to defend against situations like that. At this time, we have two main mechanisms that can refuse a request. First, we monitor access rate using the token bucket algorithm, and, by default, allow approximately one request per second, with an allowance for short-term bursts. Second, we don't allow more than 5 concurrent requests. These parameters are enforced separately on individual user access and on all API requests for the same organization. If you're using multiple service accounts, they will share the same organization limits.
Every API response includes the X-Request-Allowance
header that contains our view of how
you're using the API. This is what the output may look like:
r: 57/60 (+1/1s); c: 1/5
The line begins with information about the request rate limits. The first value (57) shows your current request allowance, the second (60) the maximum value. In the brackets, we show that the allowance will be increased (up to the maximum) at the rate of one per second. The second part of the output shows concurrent requests; in this case one of out maximum five.
For best results, configure your client to submit requests at the same rate at which the tokens regenerate; by default, that's one per second. If you have a request refused (in this case we'll use the 429 response code), wait for a full minute, at which point your burst allowance will be fully restored.
Please get in touch if our default limits don't work for your use cases. We may be able to help by configuring different limits for your organization.
We have additional safety checks that may apply as well. If you're sending requests so fast
that we come to believe our main application may be affected, we may reject them early,
at the reverse proxy level. In this case you'll observe a 429 response but no
X-Request-Allowance
header. Limits at this level are designed to kick in only as last
resort.
Suborganization Request Limits
The standard request limits described in the previous section apply to all organizations, but
additional limits may apply to suborganizations. In this case, we check the individual organization limits
as well as the parent limits that apply to all suborganizations in aggregate. There are
no default settings for these limits, as different values make sense depending on the number
of suborganizations used. If a request is rejected because of the parent restrictions,
the X-Parent-Request-Allowance
header will be included in the response. This header uses
the same format as the X-Request-Allowance
response header.
Resource Identifiers
In this API, every resource has an identifier that uniquely identifies within the
parent collection. Wherever it makes sense we try to use natural identifiers, for example
hostname
for host
entities. Where that's not possible we use a synthetic identifier and call
it id
. In this case, treat the identifier as opaque. Despite the fact that the identifier names
can vary from entity to entity, they're easy to spot because they're always the first field listed
in the documentation.
Data Formats
-
For dates, we use ISO8601, or, more specifically, the profile specified in RFC 3339, Section 5.6.
-
We typically use hexadecimal encoding for binary data, except in some cases where there are already well-established standards, for example for certificates, which use base64 encoding.
Pagination
Pagination is typically used with API endpoints that may return large amounts of data, where not all of it might be needed, or at least not straight away. If an endpoint supports pagination, clients can initially read only a portion of the response, then come later for the rest. With this approach, the amount of data that needs to be read is minimized, which reduces network traffic and the response latency of interactive operations. There are other benefits. For example potentially expensive operations are cached and don't have to be repeated. Similarly, the data set remains the same, even if the source of the data changes.
We support pagination by splitting operation results into pages of rows, with clients able to collect one, several, or all pages with a single request. Different API endpoints may differ in what they support, in the sense that some may force pagination and some may not allow it.
Clients should use the Range
request header to request only one part of the entire resource. For example, the
following will obtain only the first page:
Range: pages=1-1
If the server provided a partial response as requested, it will use the 206 Partial Content
status code. In this
case, the response will also include the Content-Range
header that shows what pages have been provided, as well as
indicate the total amount of pages available:
Content-Range: pages 1-1/10
We support only retrieval of a single continuous range of pages. If the server cannot fulfil the request,
the 416 Not Satisfiable
status code will be provided.
Changelog
v1.125.0 (20 December 2024)
-
Extended the
OrgDashboardStats
object with TLS protocol stats fieldshttpsTls13Present
,httpsTls12Present
,httpsTls11Present
,httpsTls10Present
,httpsSsl3Present
,httpsSsl2Present
,httpsPostQuantumEncryption
-
Extended the
ServiceData
object with fieldstlsSupportedProtocols
andtlsConfigurationLevel
-
Extended the
ExpiringEndpoint
object with fieldstlsSupportedProtocols
andtlsConfigurationLevel
-
Extended the
Host
-config
object with fieldstlsSupportedProtocols
andtlsConfigurationLevel
v1.124.0 (26 November 2024)
-
Added
/certs/{sha256}/trustPaths
API endpoint -
Extended the
CertificateSummary
object with fieldsspkiSha256
,keyAlg
,keyLen
,keyStrength
,sigAlg
. -
Extended the
CertExtras
object with fieldsski
,aki
,ku
,eku
,mustStaple
,crl
,ocsp
,precert
-
Added
CertificateTrustPaths
,TrustPath
andTrustPathError
objects
v1.123.0 (21 November 2024)
-
Added
/certs/;calendar
endpoint -
Added
/account/;stats
endpoint -
Experimental: Certificate expiration can now be tracked via issues.
-
Improved Issues documentation.
-
Added the
Get Host Exclusions
endpoint.
v1.122.0 (29 October 2024)
- Added
domains
andsubdomains
fields to GetHostStatsResponse
v1.121.0 (22 October 2024)
- Added
/hosts/;stats
endpoint
v1.120.0 (3 October 2024)
-
Extended
DmarcReport
object with fieldpolicy
-
Extended
SpfReport
object with fieldlookups
v1.119.0 (26 September 2024)
-
Extended
List certificate summaries
with new parameter:nameDigestNewer
. -
Extended
CertificateSummary
object with fieldnameDigestNewer
.
v1.118.0 (26 July 2024)
-
Extended
List certificate summaries
with new parameter:ownership
. -
Extended the
CertificateSummary
object with fieldsactive
andcaPathLen
. -
Extended
List expiring endpoints
with new parameters:expiredSince
,expiredForTier
,expiredForDays
,expireBy
, andexpireInTier
. -
Extended the
CertStats
object withTotalsStats
v1.117.0 (25 July 2024)
- Added
extras
field to CertificateSummary
v1.116.0 (25 July 2024)
-
Added new
certsLabels
field to GetCert that will return a list of CertLabel -
Added
extras
field to the output CreateCertStats -
Renamed GetCertExtras to CertExtras
v1.115.0 (25 July 2024)
- Added
integration
parameter to theList Hosts
endpoint.
v1.114.0 (16 July 2024)
- Added
hostClassificationStatus
andhostClassificationTags
to ExpiringEndpoint
v1.113.0 (11 July 2024)
- Added
definitionIds
parameter toListIssues
endpoint.
v1.112.0 (09 July 2024)
- Added
classificationStatus
andclassificationTags
to Host
v1.111.0 (08 July 2024)
-
Added
extended
request field to/hosts/{hostname}/services
-
Added additional
extras
field to the output of/hosts/{hostname}/services
whenextended
is true
v1.110.0 (08 July 2024)
- Added the same request parameters from the GET /certs endpoint to the POST /certs/listCerts endpoint.
v1.109.0 (28 June 2024)
-
Added new endpoint
/hosts/{hostname}/services
-
Added new field
certs
toServiceData
schema
v1.108.0 (19 June 2024)
-
removed
notificationsRecipients
from Certificate Monitoring API -
Removed
notificationsAdditionalEmailAddress
from Certificate Monitoring API -
Added
notificationsEmailAddresses
to Certificate Monitoring API
v1.107.0 (13 June 2024)
-
Added new field
revokedNotExpired
toSummaryStats
schema. -
Added new fields
v1.106.0 (07 June 2024)
The following new API endpoints have been added:
- /config/hostDefaults
- /config/certificateMonitoring
- /config/ctMonitoring
v1.105.0 (06 June 2024)
-
Extend CertDiscovery object with ctLog field
-
Extend CertCtLog object with name field
v1.104.0 (4 June 2024)
- Updated array type for field
records
ofHostCaaHistory
schema from array of bytes to array of strings.
v1.103.0 (30 May 2024)
-
Experimental: Certificate discoveries can now create issues.
-
Experimental: Issues can now be dispatched as two events:
issue.new
andissue.update
.
v1.102.0 (24 May 2024)
- New query param called "since" added to Get Cert Discoveries endpoint that's applied to the creation time
v1.101.0 (21 May 2024)
- These new fields have been added to the Certificate schema:
- lifetime
- lifetimeDays
- ku
- eku
- mustStaple
- aki
- ski
- caIssuers
- crl
- ocsp
- ctInfos shown only in extended mode
- Added extras section which contains the following attributes: a. status b. certsDueDays c. certsOverdueDays d. certsCriticalDays
v1.100.0 (20 May 2024)
- Fixed incorrect status value for CertDiscovery
v1.099.0 (9 May 2024)
- Added new API endpoints:
- List Certificate Discoveries
- Get Cert Discovery
- Update Cert Discovery
v1.098.0 (24 April 2024)
- Fixed API inconsistencies for expiring endpoints
v1.097.0 (24 April 2024)
-
Added new get certificate statistics endpoint
-
Added 'lifetimes' field to AnalysisStats
v1.096.0 (23 April 2024)
-
Added two more query parameters:
- regRegistry
- regPublic
-
Extended List Hosts with new fields in the response
v1.095.0 (22 April 2024)
- Added new endpoint for expiring endpoints retrieval
v1.094.0 (17 April 2024)
- Extended DomainsReportResponse and HostReportResponse with two more attributes
- groups
- tags
v1.093.2 (15 April 2024)
- Added "Maturity: Under Development" for every experimental API endpoint.
v1.093.1 (08 April 2024)
-
Added
shortId
to theCertificate
object. -
Added API docs for /certs/revocationHistory endpoint
-
Added API docs for /certs/ctLogList endpoint
-
Added API docs for /certs/issuanceHistory endpoint
-
Added API docs for /certs/expiringCerts endpoint
v1.092.4 (17 March 2024)
- Added API docs for /assessments/ and /reportCards/ endpoints
v1.092.3 (04 March 2024)
- Changed the type of the Group identifier from integer to string. Modified relevant JSON response examples
v1.092.2 (29 February 2024)
- Fixed example value of the
Event.data
property.
v1.092.1 (28 February 2024)
- Added description to most of OrgDashboardStats properties.
v1.092.0 (12 February 2024)
-
Added group parameter to
/certs/;stats
to return group-related statistics. -
Added
/dashboards/;stats
to return dashboard statistics.
v1.091.0 (7 February 2024)
- Modified
/certs/;stats
to return more detailed statistics.
v1.090.1 (1 February 2024)
- Modified
/certs/;stats
endpoint to be an async operation and marked as experimental.
v1.090.0 (31 January 2024)
- Added
/certs/;stats
endpoint to retrieve certificate statistics.
v1.089.0 (25 January 2024)
- Added
/hosts/{hostname}/pdfReport
endpoint to request a PDF report for a host.
v1.088.0 (27 October 2023)
-
Added
groups
parameter to the response of theList Issues
endpoint. -
Added
groups
parameter to theList Issues
endpoint. This parameter can be used to filter issues by group names.
v1.087.0 (26 October 2023)
- Added optional "nx" request param to "List hosts" endpoint
v1.086.2 (20 September 2023)
- Added HTTP status 409 to the list of possible responses.
v1.086.1 (7 September 2023)
- The OpenApi schema was cleaned and various syntax issues were fixed.
v1.086.0 (6 June 2023)
- The names of several audit log events have been changed to improve the name consistency. The audit log API may see further changes until we declare it stable.
v1.085.0 (3 April 2023)
-
Audit log API endpoints are now available in preview. The goal of this initial release is to requested feedback from our customers, helping us finalize the API and the data model. In subsequent releases, we will focus on completing the taxonomy of events.
-
The HDB and Monitor Network API endpoints have been removed. These two sections were experimental and used only internally within our development team.
v1.084.0 (28 February 2023)
- We reviewed our APIs for stability and removed the "Under Development" indicators from a variety sections. There are two section that continue to be under development at this time: Issues and Search.
v1.083.0 (31 January 2023)
- Issues: Added new "Update issue" endpoint
v1.082.0 (5 November 2022)
- Organizations have been extended to support a separate
label
field. Labels are used in the user interfaces as well as in the URLs exposed to end users. Previously, organization ID also served as a label. Now it's possible to select a nicer, user friendly, label when an organization is created.
v1.081.0 (29 October 2022)
- The Update Organization endpoint has been extended to support modification of organization name.
v1.080.0 (15 September 2022)
- New integrations: CSC and Safenames.
v1.079.0 (17 August 2022)
-
Issues: Renamed
fixed
status tocompleted
, which is more neutral and can be used in a variety of situations. -
Issues: Added a variety of additional statuses, including
abandoned
,bogus
,deprecated
,ignored
,orphaned
, andsnoozed
. -
Issues: New field:
snoozedUntil
. -
Issues: New fields:
autoOpen
andautoPreservedStatus
.
v1.078.0 (28 July 2022)
-
Added support for programmatic user management, via the new Users section.
-
Added support for service accounts, which are special user accounts that can only access the API.
-
Modified the
UpdateUser
endpoint to return aUser
object and the 200 status code instead of 204 previously. -
Removed the Findings endpoints as they have been replaced by Issues.
v1.077.0 (30 June 2022)
- Extended Issues with the
details
field. This new field is populated in theGet issue
andTransfer issues
endpoints and provides additional issue-specific information.
v1.076.0 (23 June 2022)
- Added lastRegLookupTime field to Host
v1.075.0 (17 June 2022)
-
Added Issues section.
-
Deprecated Findings, which will be removed as soon as all detections are migrated to Issues.
v1.074.0 (27 May 2022)
- Added Identities section.
v1.073.0 (25 May 2022)
- Added support for zone transfers. Hosts whose names match a DNS zone can be configured to perform a zone transfer once a way, either with the primary indicated in the corresponding SOA record, or with an explicitly configured host. There is also a new endpoint to perform a zone transfer on demand, which is useful for testing or to obtain the zone data as needed.
v1.072.0 (28 April 2022)
- Added Findings section.
v1.071.0 (28 March 2022)
- Extended the
Host
object with new fields:regNx
,regNxTime
,regRegistry
, andregPublic
.
v1.070.0 (2 March 2022)
-
New Search API endpoint to give direct access to the search functionality.
-
Added
sanCount
field toCertificate
.
v1.069.0 (3 November 2021)
- Added
tags
field to the various Integrations end-points.
v1.068.0 (22 September 2021)
-
Added
matchIntegration
toHostDiscovery
. This field is set to true for all discoveries made via an integration with third-party platforms (e.g., cloud accounts). -
Added
matchNameserver
toHostDiscovery
. This field is set to true for discoveries made via nameserver monitoring. -
Added
matchInfo
object toHostDiscovery
. This field contains further information that describe the discovery origin, for example the name of the nameserver or integration details.
v1.067.0 (3 July 2021)
-
Added field
hostDiscoveryExcludeSuffixes
toOrganization
. This new field can be used to specify multiple host suffixes that will be ignored during discovery. -
Renamed two fields belonging to the
Organization
object: 1)limitTotalHostsHard
is nowhostLimitHard
; 2)hostsAutoimportSubdomains
is nowhostDiscoveryAutoimportSubdomains
. The old names are no longer documented but will remain supported for at least three months following the update. -
New fields related to certificate discovery and limits added to
Organization
:certLimitHard
,certDiscoveryEnabled
,certDiscoveryError
, andcertDiscoveryErrorTime
. -
New fields related to host discovery limits added to
Organization
:hostDiscoveryEnabled
,hostDiscoveryLimitHard
,hostDiscoveryError
, andhostDiscoveryErrorTime
.
v1.066.0 (12 May 2021)
- Complete overhaul of the Nameserver Monitoring section. All endpoints have been reviewed, tweaked, refactored, and documented. New endpoints have been added. This section of the API has progressed from experimental to beta.
v1.065.0 (28 April 2021)
-
New endpoint
Get DigiCert Order
is now available to fetch DigiCert order information when there is a configured DigiCert integration. -
A new API endpoint was introduced to support uniform fetching of results of asynchronous operations. Prior to this API revision, every operation defined its own results endpoint. The existing endpoints are now deprecated, but will continue to be supported.
-
The
X-Operation-Status-Code
status code is now used byGet Response Results
to communicate the operation status code, keeping it separate from the status code of the API endpoint itself. -
Endpoints that return operation results now use the
application/vnd.hardenize.v1.operation-status+json
MIME type when anOperationStatus
object is in the response body. -
The
OperationStatus
object now includes thecontentType
field. -
Added a new section to better document the MIME types and the format of error responses.
v1.064.0 (17 March 2021)
- Added support for third-party integrations. In this first release, we support integration with AWS, Azure, and GCP cloud accounts.
v1.063.0 (18 February 2021)
-
Added tags to Hosts.
-
Added tags to Network Ranges.
-
Extended groups with new endpoints to get and update a group.
-
Added ability to change group name. Group identifiers are now automatically generated from the names, rather than explicitly specified.
-
Added support auto groups, which are managed. Unlike groups that are manually maintained, hosts are added to and removed from auto-groups based on the assigned tags. A host that shares a tag with a group will be added to the group. A host that no longer shares any tags with the group will be removed.
v1.062.0 (12 December 2020)
-
The Host object has been extended with an experimental
config
property that contains host configuration. We are initially exposing DMARC settings, but will proceed to add all other aspects of host configuraiton. -
Added new API endpoints for third party integrations
v1.061.0 (30 November 2020)
- Added new API endpoints to deal with SAML configuration.
v1.060.0 (14 November 2020)
- Added new API endpoints to support configuring multi-factor configuration.
v1.059.0 (2 September 2020)
- Extended the Host Discovery Keywords section to support exact matching
v1.058.0 (24 August 2020)
- Added new API endpoints to support configuring network scanning.
v1.057.0 (19 August 2020)
- Added new API endpoint to update certificate data. At this time, we support setting of the
muted
field, which controls if a certificate will be ignored for expiration notification purposes.
v1.056.0 (9 July 2020)
- Extended the Host Discovery Keywords section to support fine-grained control over what types of matching should be used on a per-keyword basis.
v1.055.0 (8 July 2020)
- Replaced discovered_hostname and effective_hostname fields in the Host Discovery API end-points, with a single hostname field. The Update operation no longer has the ability to change the hostname.
v1.054.0 (12 June 2020)
- New API endpoints to support host discovery via nameserver monitoring.
v1.053.0 (27 February 2020)
-
Extended the API with a new section called "Monitor Network", which provides access to our distributed network of monitors that are available to run various network operations. This initial release includes two API endpoints: one that provides a list of available monitor locations and another to run a TLS check from one of the locations.
-
Added another layer of request limit allowances that apply to all suborganizations created by the same parent.
-
Certificates imported from our historical database now set the
origin
field tohdb
(previouslyct
). This change makes it possible to distinguish certificates observed in real-time from those that are imported.
v1.052.0 (27 January 2020)
- Introduced several new API endpoints that provide search capabilities of our database of active (non-expired) public certificates. It is possible to search by hostname (exact match, wildcard certificate match, suffix match), keyword (which covers the Subject DN and SAN fields), SHA256, and SPKI.
v1.050.0 (16 January 2020)
-
Added support for asynchronous operations. Clients are now able to request operations that will continue to be processed after they disconnect. This feature is typically used with operations that may take a long time and produce a large amount of data.
-
Added support for result pagination. When an endpoint supports this feature (this will typically be true in the case of operations that may produce large amounts of data), clients can request the partial results, one page at a time.
v1.049.0 (8 January 2020)
-
Extended the
Host
object with thegroups
field, which contains the identifiers of all groups the host belongs to. -
Added
GetNetworkAccessConfig
andUpdateNetworkAccessConfig
endpoints that support retrieval and updating of network access restrictions configuration for the API and web UI components.
v1.048.0 (21 November 2019)
- Added
CreateNetworkRange
,DeleteNetworkRange
,UpdateNetworkRange
andListNetworkRanges
API endpoints.
v1.047.0 (21 October 2019)
- Added several fields to the
Report0
object to indicate full and partial support for various SSL and TLS protocols. The fields that begin with the word "has" (e.g.,hasSsl2
) indicate that at least one endpoint behind hostname supports a particular protocol. The fields that begin with the word "supports" (e.g.,supportsSsl2
) indicate that all endpoints behind hostname support a particular protocol.
v1.046.0 (7 October 2019)
- Added field
hasHttpsTls12OrBetter
to theReport0
object.
v1.045.0 (19 September 2019)
- Added
DeleteHostDiscoveries
API endpoint.
v1.044.0 (18 September 2019)
- Added
UpdateHostDiscoveries
API endpoint.
v1.043.0 (24 July 2019)
-
Added
featureHostDiscovery
to suborgs, making it possible to control host discovery on a per-suborg basis. -
Changed the default setting of
hostsAutoimportSubdomains
to false.
v1.042.0 (11 July 2019)
-
Extended the
MatchedCtEntry
object by adding thetbsSha256
field. -
Extended the
pki.cert.new
event to always send newly-discovered precertificates, even when their certificate counterparts are already known. With this change consumers have more data and can decide what to keep and what to discard. The semantics of this event effectively haven't changed because any endpoints consuming the events would have had to differentiate between precertificates and certificates prior to this change.
v1.041.0 (4 July 2019)
-
Extended the
CertCtLog
object by adding thetype
field to indicate CT log entry type (precertificate or certificate). -
Extended the
Certificate
object withissuerCa
andvalidation
fields.
v1.040.0 (19 June 2019)
- Added
parentHashesComplete
to theCertificate
object. Added new valuectPlusRoot
for theparentHashesSource
field.
v1.039.0 (13 June 2019)
-
Two fields added to the
Certificate
object:parentHashes
andparentHashesSource
. -
The
Delete hosts
operation no longer automatically removes all subdomains. Instead, only the explicitly-listed hosts are deleted. The newsubdomains
parameter can be used to enable the previous behaviour. -
Deprecated the
notSymantec
value of thesymantecStatus
field in theCertificate
object. Previously, this field was not provided for CA certificates. Going forward, this field also won't be available on certificates that had not been issued from from Symantec's old infrastructure.
Authentication
- HTTP Authentication, scheme: Basic To begin to use the Hardenize Organization API, sign in into your organization and create a new service account, noting the automatically generated credentials. If you're working with suborganizations, request that master API credentials are generated when a new suborganization is created.
Account
Maturity: Under Development
The API endpoints in this section allow you to retrieve account data
Request account statistics
Code samples
POST /v1/org/{org}/account/;stats HTTP/1.1
Host: api.hardenize.com
POST /account/;stats
Maturity: Under Development
Request general statistics about the organization.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: AccountStatsResponse
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted. | OperationStatus |
Assessments
Maturity: Under Development
The API endpoints in this section allow you to create an assessment, as well as retrieve a status about your assessment.
Create assessment
Code samples
POST /v1/org/{org}/assessments HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /assessments
Maturity: Under Development
Creates an assessment.
Body parameter
{
"hostname": "example.com",
"clearCache": false
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body* | body | CreateAssessmentRequest | The hostname for which the assessment is created. |
Example responses
200 Response
{
"assessment": {
"id": "eaa6b8c0-5a12-4e5d-add0-fdafb4e89f5d",
"host": "example.com",
"path": "/",
"unicodeHost": "example.com",
"status": "in_progress",
"epochTime": 1710854089,
"statTcpConnections": 0,
"statTcpEndpointsCount": 0,
"expectedDuration": 0
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetAssessmentStatusResponse |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Gets status of an assessment
Code samples
GET /v1/org/{org}/assessments/{hostname};status HTTP/1.1
Host: api.hardenize.com
GET /assessments/{hostname};status
Maturity: Under Development
Retrieves the status of an assessment based on the provided hostname.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
hostname* | path | string | The hostname for which assessment status is to be retrieved. |
Example responses
200 Response
{
"assessment": {
"id": "81763d1c-3722-4e66-89ef-b811844bc46c",
"host": "example.com",
"path": "/",
"unicodeHost": "example.com",
"status": "available",
"statusMessage": null,
"epochTime": 1710773815,
"statTcpConnections": 51,
"statTcpEndpointsCount": 12,
"expectedTcpConnections": 50,
"expectedDuration": 0
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetAssessmentStatusResponse |
400 | Bad Request | Bad request. The provided hostname is invalid. | Inline |
Response Schema
Status Code 400
Name | Type | Required | Restrictions | Description |
---|---|---|---|---|
» error | string | false | none | none |
Audit Log
Maturity: Under Development
Audit logs represent a record of key events associated with an organization. They're designed to help with gaining and understanding of activity within an organization, document the associated changes and highlight relevant security events.
Please note that, whilst this feature is still in development, we may change the event schema as well as remove all events from time to time if necessary.
List audit events
Code samples
GET /v1/org/{org}/auditlog HTTP/1.1
Host: api.hardenize.com
GET /auditlog
Retrieves the audit events recorded within the requested time frame. This endpoint will change in due course, as this section matures, to add limits, and support for pagination and filtering.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
from | query | string(date-time) | Timestamp of the earliest audit event to return, inclusive. |
to | query | string(date-time) | Timestamp of the latest audit event to return, inclusive. |
Example responses
200 Response
{
"events": [
{
"id": 10001,
"actorType": "u",
"actorId": "userId:12090749",
"actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
"timestamp": "2018-09-03T14:09:59.000Z",
"remoteAddr": "18.233.176.231",
"sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
"resourceType": "user",
"resourceId": "12090749",
"action": "user.auth.succeeded",
"status": 200,
"details": {
"method": "password"
}
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListAuditEventsResponse |
Configuration
Endpoints in this section provide access to the configuration of the current organization account, as well as make it possible to make configuration changes.
Get Access Control Configuration
Code samples
GET /v1/org/{org}/config/accessControl HTTP/1.1
Host: api.hardenize.com
GET /config/accessControl
Retrieves the current configuration of network access controls. If there are no allowed network ranges in the configuration, that means that all IP addresses are allowed.
Example responses
200 Response
{
"apiNetworks": [
"127.0.0.1/32"
],
"apiNetworksCascade": "disabled",
"appNetworks": [
"127.0.0.1/32"
],
"appNetworksCascade": "disabled"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Access Control Configuration | GetAccessControlConfigResponse |
Get Certificate Monitoring Configuration
Code samples
GET /v1/org/{org}/config/certificateMonitoring HTTP/1.1
Host: api.hardenize.com
GET /config/certificateMonitoring
Retrieves the current configuration of certificate monitoring.
Example responses
200 Response
{
"notificationsEmailAddresses": [
"dev@hardenize.com"
],
"notificationsCustomText": "This is a custom text message",
"pkiTeamId": "devteam",
"notificationsSendOverdue": false,
"notificationsSendCritical": false,
"certsDueDays": 45,
"certsOverdueDays": 6,
"certsCriticalDays": 2,
"vendorCertsCriticalDays": 2,
"monitorNetworks": true,
"includeNetworks": [
"127.0.0.1/32"
],
"excludeNetworks": [
"127.0.0.1/32"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Certificate Monitoring Configuration | CertificateMonitoringResponse |
Get Certificate Transparency Monitoring Configuration
Code samples
GET /v1/org/{org}/config/ctMonitoring HTTP/1.1
Host: api.hardenize.com
GET /config/ctMonitoring
Retrieves the current configuration of certificate transparency monitoring.
Example responses
200 Response
{
"discoveryEmailNotifications": "escalations",
"closeCertKnown": false,
"closeCertInstalled": false,
"closeCertExpired": false,
"closeCertRevoked": false,
"closeCaaMatchFull": false,
"closeIssuerAllowed": false,
"closeAllowedIssuerKeywords": [
"string"
],
"closeAllowedIssuerKeywordsOverrides": [
{
"pattern": "string",
"keywords": [
"string"
]
}
],
"closeCaseInactive": true,
"closeCaseInactiveDays": 60,
"escalateCertNotInstalled": false,
"escalateCertNotInstalledDays": 120,
"escalateCaaMismatch": true,
"escalateCertNotCtCompliant": false,
"escalateIssuerNotAllowed": false,
"escalateIssuerForbidden": true,
"escalateForbiddenIssuerKeywords": [
"forbidden"
],
"escalateCertMaxLifetimeExceeded": false
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Certificate Transparency Monitoring Configuration | CtMonitoringResponse |
Get Host Defaults Configuration
Code samples
GET /v1/org/{org}/config/hostDefaults HTTP/1.1
Host: api.hardenize.com
GET /config/hostDefaults
Retrieves the current configuration of host defaults.
Example responses
200 Response
{
"newHostStatus": "archived",
"newHostInheritStatus": true,
"newHostInheritGroup": false
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Host Defaults Configuration | HostDefaultsResponse |
Get Host Exclusions
Code samples
GET /v1/org/{org}/config/hostExclusions HTTP/1.1
Host: api.hardenize.com
GET /config/hostExclusions
Retrieves the current host exclusions
Example responses
200 Response
{
"hostExclusions": [
"example.com"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Host Exclusions | HostExclusionsResponse |
Get MFA Configuration
Code samples
GET /v1/org/{org}/config/mfa HTTP/1.1
Host: api.hardenize.com
GET /config/mfa
Retrieves the current multi-factor authentication (MFA) configuration.
Example responses
200 Response
{
"mfaRequired": true
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | MFA Configuration | GetMfaConfigResponse |
Get Network Scanning Configuration
Code samples
GET /v1/org/{org}/config/networkScanning HTTP/1.1
Host: api.hardenize.com
GET /config/networkScanning
Retrieves the current network scanning configuration.
Example responses
200 Response
{
"netscanStatic": true,
"netscanDynamic": true,
"monitorCloudIps": true,
"netscanExclusions": [
"127.0.0.1/32"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetNetworkScanningConfigResponse |
Get SAML Configuration
Code samples
GET /v1/org/{org}/config/saml HTTP/1.1
Host: api.hardenize.com
GET /config/saml
Retrieves the current SAML configuration.
Example responses
200 Response
{
"enabled": true,
"idpMetadata": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | SAML Configuration | GetSamlConfigResponse |
Update Access Control Configuration
Code samples
POST /v1/org/{org}/config/accessControl HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /config/accessControl
Updates the configuration of network access controls. When making changes to the allowed network ranges, please take care to whitelist the IP address from which the request is being made. To allow access from any IP address, submit an empty list. Not all fields need to be provided. Those that are provided will be updated; those that are not will retain their current values.
Body parameter
{
"apiNetworks": [
"127.0.0.1/32"
],
"apiNetworksCascade": "disabled",
"appNetworks": [
"127.0.0.1/32"
],
"appNetworksCascade": "disabled"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateAccessControlConfigRequest | none |
Example responses
200 Response
{
"apiNetworks": [
"127.0.0.1/32"
],
"apiNetworksCascade": true,
"appNetworks": [
"127.0.0.1/32"
],
"appNetworksCascade": true
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | UpdateAccessControlConfigResponse |
400 | Bad Request | Invalid request parameters | None |
403 | Forbidden | Insufficient permissions to perform operation | None |
Update Certificate Monitoring Configuration
Code samples
POST /v1/org/{org}/config/certificateMonitoring HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /config/certificateMonitoring
Updates the configuration of certificate monitoring.
Body parameter
{
"notificationsEmailAddresses": [
"dev@hardenize.com"
],
"notificationsCustomText": "This is a custom notification text",
"pkiTeamId": "devteam",
"notificationsSendOverdue": false,
"notificationsSendCritical": true,
"certsDueDays": 45,
"certsOverdueDays": 12,
"certsCriticalDays": 6,
"vendorCertsCriticalDays": 6,
"monitorNetworks": true,
"includeNetworks": [
"127.0.0.1/32"
],
"excludeNetworks": [
"127.0.0.1/32"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateCertificateMonitoringRequest | none |
Example responses
200 Response
{
"notificationsEmailAddresses": [
"dev@hardenize.com"
],
"notificationsCustomText": "This is a custom text message",
"pkiTeamId": "devteam",
"notificationsSendOverdue": false,
"notificationsSendCritical": false,
"certsDueDays": 45,
"certsOverdueDays": 6,
"certsCriticalDays": 2,
"vendorCertsCriticalDays": 2,
"monitorNetworks": true,
"includeNetworks": [
"127.0.0.1/32"
],
"excludeNetworks": [
"127.0.0.1/32"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | CertificateMonitoringResponse |
400 | Bad Request | Invalid request parameters | None |
403 | Forbidden | Insufficient permissions to perform operation | None |
Update Certificate Transparency Monitoring Configuration
Code samples
POST /v1/org/{org}/config/ctMonitoring HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /config/ctMonitoring
Updates the configuration of certificate transparency monitoring.
Body parameter
{
"discoveryEmailNotifications": "escalations",
"closeCertKnown": false,
"closeCertInstalled": true,
"closeCertExpired": false,
"closeCertRevoked": true,
"closeCaaMatchFull": false,
"closeIssuerAllowed": true,
"closeAllowedIssuerKeywords": [
"string"
],
"closeAllowedIssuerKeywordsOverrides": [
{
"pattern": "string",
"keywords": [
"string"
]
}
],
"closeCaseInactive": false,
"closeCaseInactiveDays": true,
"escalateCertNotInstalled": false,
"escalateCertNotInstalledDays": true,
"escalateCaaMismatch": true,
"escalateCertNotCtCompliant": false,
"escalateIssuerNotAllowed": true,
"escalateIssuerForbidden": false,
"escalateForbiddenIssuerKeywords": [
"string"
],
"escalateCertMaxLifetimeExceeded": true
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateCtMonitoringRequest | none |
Example responses
200 Response
{
"discoveryEmailNotifications": "escalations",
"closeCertKnown": false,
"closeCertInstalled": false,
"closeCertExpired": false,
"closeCertRevoked": false,
"closeCaaMatchFull": false,
"closeIssuerAllowed": false,
"closeAllowedIssuerKeywords": [
"string"
],
"closeAllowedIssuerKeywordsOverrides": [
{
"pattern": "string",
"keywords": [
"string"
]
}
],
"closeCaseInactive": true,
"closeCaseInactiveDays": 60,
"escalateCertNotInstalled": false,
"escalateCertNotInstalledDays": 120,
"escalateCaaMismatch": true,
"escalateCertNotCtCompliant": false,
"escalateIssuerNotAllowed": false,
"escalateIssuerForbidden": true,
"escalateForbiddenIssuerKeywords": [
"forbidden"
],
"escalateCertMaxLifetimeExceeded": false
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | CtMonitoringResponse |
400 | Bad Request | Invalid request parameters | None |
403 | Forbidden | Insufficient permissions to perform operation | None |
Update Host Defaults Configuration
Code samples
POST /v1/org/{org}/config/hostDefaults HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /config/hostDefaults
Updates the configuration of host defaults.
Body parameter
{
"newHostStatus": "archived",
"newHostInheritStatus": true,
"newHostInheritGroup": false
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateHostDefaultsRequest | none |
Example responses
200 Response
{
"newHostStatus": "archived",
"newHostInheritStatus": true,
"newHostInheritGroup": false
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | HostDefaultsResponse |
400 | Bad Request | Invalid request parameters | None |
403 | Forbidden | Insufficient permissions to perform operation | None |
Update Host Exclusions
Code samples
POST /v1/org/{org}/config/hostExclusions HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /config/hostExclusions
Updates the list of host exclusions
Body parameter
{
"hostExclusions": [
[
"example.com"
]
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateHostExclusionsRequest | none |
Example responses
200 Response
{
"hostExclusions": [
"example.com"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | HostExclusionsResponse |
400 | Bad Request | Invalid request parameters | None |
403 | Forbidden | Insufficient permissions to perform operation | None |
Update MFA Configuration
Code samples
POST /v1/org/{org}/config/mfa HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /config/mfa
Updates the MFA configuration for this organization.
Body parameter
{
"mfaRequired": true
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateMfaConfigRequest | none |
Example responses
200 Response
{
"mfaRequired": true
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | UpdateMfaConfigResponse |
400 | Bad Request | Invalid request parameters | None |
403 | Forbidden | Insufficient permissions to perform operation or MFA not enabled for this organization | None |
Update Network Scanning Configuration
Code samples
POST /v1/org/{org}/config/networkScanning HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /config/networkScanning
Updates the network scanning configuration for this organisation. Not all fields need to be provided. Those that are provided will be updated; those that are not will retain their current values. Because we carry out network scanning as a slow operation stretched over the course of an entire day, it may take up to 24 hours for your changes to become active.
Body parameter
{
"netscanStatic": true,
"netscanDynamic": true,
"monitorCloudIps": true,
"netscanExclusions": [
"127.0.0.1/32"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateNetworkScanningConfigRequest | none |
Example responses
200 Response
{
"netscanStatic": true,
"netscanDynamic": true,
"monitorCloudIps": true,
"netscanExclusions": [
"127.0.0.1/32"
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetNetworkScanningConfigResponse |
400 | Bad Request | Invalid request parameters | None |
403 | Forbidden | Insufficient permissions to perform operation | None |
Update SAML Configuration
Code samples
POST /v1/org/{org}/config/saml HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /config/saml
Updates the SAML configuration for this organization.
Body parameter
{
"enabled": true,
"idpMetadata": "string"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateSamlConfigRequest | none |
Example responses
200 Response
{
"enabled": true,
"idpMetadata": "string"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | UpdateSamlConfigResponse |
400 | Bad Request | Invalid request parameters | None |
403 | Forbidden | Insufficient permissions to perform operation or MFA not enabled for this organization | None |
Certificates
The API endpoints in this section allow you to retrieve information about all your certificates, as well as upload your new certificates to us as they become available.
Create certificate
Code samples
POST /v1/org/{org}/certs HTTP/1.1
Host: api.hardenize.com
Content-Type: application/x-pem-file
POST /certs
Use this API endpoint to upload a new certificate to your account. For example, if you've automated certificate generation, we suggest that you also automatically submit all new certificates to Hardenize. That way, when we observe the same certificate via Certificate Transparency, we will know for sure that it belongs to you. We may be able to determine that in any case if we see that the certificate has been installed, but uploading it to us makes this more reliable.
For best results, we recommend that you upload the entire certificate chain received from your CA. That will ensure we also add the required intermediates to your list of certificates. The leaf certificate must be placed first.
Body parameter
-----BEGIN CERTIFICATE-----
MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIx
CzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNV
BAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQD
Ey9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0Eg
MjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVs
dGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20w
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qv
s6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCC
AfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsO
UClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAA
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysG
AQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5j
b20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNv
bW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZl
ckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2Ny
dC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVT
ZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQu
Y29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5o
YXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDe
bJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2
pkP4CxvriyrLQwpB6s2RFQM=
-----END CERTIFICATE-----
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body* | body | string | PEM-encoded certificate or certificate chain. If a chain is provided, the leaf certificate must be placed first. |
Example responses
201 Response
{
"cert": {
"shortId": "572908a",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"validation": "dv",
"notBefore": "2024-12-20T16:02:26.559Z",
"notAfter": "2024-12-20T16:02:26.559Z",
"effectiveNotAfter": "2024-12-20T16:02:26.559Z",
"revokedOn": "2024-12-20T16:02:26.559Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"sanCount": 1,
"caPathLen": -1,
"wildcard": true,
"selfSigned": false,
"firstSeen": "2024-12-20T16:02:26.560Z",
"lastSeen": "2024-12-20T16:02:26.560Z",
"seenInstalled": true,
"active": true,
"precert": false,
"duplicate": false,
"managed": true,
"ownership": "own",
"label": "ssl760680.cloudflaressl.com",
"matchesOrgHost": true,
"symantecStatus": "symantecExcluded",
"ctRequired": true,
"ctCompliant": true,
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"origin": "ct",
"originTitle": "CT",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"parentHashes": [
"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
],
"parentHashesSource": "ct",
"parentHashesComplete": true,
"analysis": {
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
},
"matchedHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"thirdPartyHosts": [
"hardenize.com"
],
"deployments": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.560Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.560Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
},
"lifetime": "PT17652H",
"lifetimeDays": 736,
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"caIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
],
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"ctInfos": [
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.560Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
]
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | Certificate created. | CreateCertResponse |
202 | Accepted | Certificate already exists. | CreateCertResponse |
400 | Bad Request | Invalid certificate chain. | None |
Get certificate
Code samples
GET /v1/org/{org}/certs/{sha256} HTTP/1.1
Host: api.hardenize.com
GET /certs/{sha256}
Returns the certificate with the given SHA256 hash, if available in the account.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
sha256* | path | string | none |
extended | query | boolean | if set, returns certificate with the following additional fields: analysis, matchedHosts, matchedWildcardHosts, thirdPartyHosts, deployments. Setting to false has no effect. |
Detailed descriptions
extended: if set, returns certificate with the following additional fields: analysis, matchedHosts, matchedWildcardHosts, thirdPartyHosts, deployments. Setting to false has no effect.
Example responses
200 Response
{
"cert": {
"shortId": "572908a",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"validation": "dv",
"notBefore": "2024-12-20T16:02:26.563Z",
"notAfter": "2024-12-20T16:02:26.563Z",
"effectiveNotAfter": "2024-12-20T16:02:26.563Z",
"revokedOn": "2024-12-20T16:02:26.563Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"sanCount": 1,
"caPathLen": -1,
"wildcard": true,
"selfSigned": false,
"firstSeen": "2024-12-20T16:02:26.563Z",
"lastSeen": "2024-12-20T16:02:26.563Z",
"seenInstalled": true,
"active": true,
"precert": false,
"duplicate": false,
"managed": true,
"ownership": "own",
"label": "ssl760680.cloudflaressl.com",
"matchesOrgHost": true,
"symantecStatus": "symantecExcluded",
"ctRequired": true,
"ctCompliant": true,
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"origin": "ct",
"originTitle": "CT",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"parentHashes": [
"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
],
"parentHashesSource": "ct",
"parentHashesComplete": true,
"analysis": {
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
},
"matchedHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"thirdPartyHosts": [
"hardenize.com"
],
"deployments": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.563Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.563Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
},
"lifetime": "PT17652H",
"lifetimeDays": 736,
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"caIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
],
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"ctInfos": [
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.563Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
]
},
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Successfully retrieved certificate | GetCertResponse |
404 | Not Found | Certificate not found | None |
Get certificate statistics
Code samples
GET /v1/org/{org}/certs/;stats HTTP/1.1
Host: api.hardenize.com
GET /certs/;stats
Maturity: Under Development
Returns certificate statistics from the cache if they exist. If not returns 404 status.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
group | query | string | If set, returns only the statistics for certificates that belong to the specified group. |
Detailed descriptions
group: If set, returns only the statistics for certificates that belong to the specified group.
Example responses
202 Response
{
"certStats": {
"totals": {
"activeOrNonExpired": 0,
"onlyOwn": 0,
"onlyThirdParty": 0,
"onlyActive": 0
},
"summary": {
"total": 0,
"unique": 0,
"certs": 0,
"precerts": 0,
"duplicates": 0,
"valid": 0,
"notYetValid": 0,
"expired": 0,
"effectivelyExpired": 0,
"revoked": 0,
"revokedNotExpired": 0,
"endEntity": 0,
"ca": 0
},
"thirdParty": {
"total": 0,
"unique": 0,
"endEntity": 0,
"ca": 0
},
"usage": {
"active": 0,
"expired": 0,
"expirationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
}
},
"analysis": {
"issuerCa": {
"property1": 0,
"property2": 0
},
"keyAlg": {
"property1": 0,
"property2": 0
},
"keyAlgLen": {
"property1": 0,
"property2": 0
},
"keyStrength": {
"property1": 0,
"property2": 0
},
"sigAlg": {
"property1": 0,
"property2": 0
},
"validation": {
"property1": 0,
"property2": 0
},
"lifetimes": {
"property1": 0,
"property2": 0
},
"wildcards": 0,
"nonWildcards": 0
},
"activity": {
"issuanceTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
},
"revocationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
},
"expirationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
}
},
"timestamp": "2024-12-20T16:02:26.564Z"
},
"extras": {
"certsDueDays": 0,
"certsOverdueDays": 0,
"certsCriticalDays": 0
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Successfully retrieved certificate statistics | CertsStatsResponse |
404 | Not Found | Certificate statistics not found | None |
Get Certificate Trust Paths
Code samples
GET /v1/org/{org}/certs/{sha256}/trustPaths HTTP/1.1
Host: api.hardenize.com
GET /certs/{sha256}/trustPaths
Maturity: Under Development
Generates the trust paths for the certificate with the given SHA256 hash.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
sha256* | path | string | none |
pathOptions | query | string | Determines the filters for trust path result. |
Detailed descriptions
pathOptions: Determines the filters for trust path result.
all
: Include all trust paths, valid paths and paths with errors. Default!
validPreferred
: Prefer valid paths, but include all paths if none are valid.
validOnly
: Only valid trust paths are returned. Empty result if none is valid.
Enumerated Values
Parameter | Value |
---|---|
pathOptions | all |
pathOptions | validPreferred |
pathOptions | validOnly |
Example responses
200 Response
{
"certs": [
{
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.566Z",
"notAfter": "2024-12-20T16:02:26.566Z",
"effectiveNotAfter": "2024-12-20T16:02:26.566Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.566Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
}
],
"paths": [
{
"chain": [
"46ef67b522f7fceb71c27a341e79a6ae6982b6a3f57bd804e0137db6bdf0c4c3",
"1dfc1605fbad358d8bc844f76d15203fac9ca5c1a79fd4857ffaf2864fbebf96"
],
"valid": true,
"complete": true,
"hasErrors": false,
"depth": 3,
"errors": []
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Successfully found certificate and generated certificate trust paths | CertificateTrustPaths |
404 | Not Found | Certificate not found | None |
Get certificates calendar
Code samples
GET /v1/org/{org}/certs/;calendar HTTP/1.1
Host: api.hardenize.com
GET /certs/;calendar
Downloads the certificates calendar.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
groupId | query | string | none |
Example responses
200 Response
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Successfully retrieved certificates calendar | string |
Get CT Log list
Code samples
GET /v1/org/{org}/certs/ctLogs HTTP/1.1
Host: api.hardenize.com
GET /certs/ctLogs
Retrieves the CT Log list.
Example responses
200 Response
{
"ctLogs": [
{
"name": "Cloudflare 'Nimbus2023' Log",
"url": "ct.cloudflare.com/logs/nimbus2023",
"mmd": 86400,
"lastIndex": 94000,
"lastTimestamp": "2024-12-20T16:02:26.567Z"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | CT Log list | CtLogsResponse |
400 | Bad Request | Invalid request parameters | None |
403 | Forbidden | You don't have permission to perform this operation. | None |
Get DigiCert Order
Code samples
GET /v1/org/{org}/certs/{sha256}/digicert/order HTTP/1.1
Host: api.hardenize.com
GET /certs/{sha256}/digicert/order
This endpoint can be used to retrieve a DigiCert Order associated with a certificate, provided there is a working DigiCert CertCentral integration in place. When invoked, we look for the order information using the CertCentral API. If we obtain a response, this endpoint will pass through the results back in its response. The full documentation for the response is available in DigiCert's API documentation.
Please note that, before invoking the CertCentral API, we can't tell if a certificate is the configured DigiCert account. If it's not, you will see a 404 response. We have also noticed that CertCentral sometimes responds with a 503 status code for a certificate that resides in someone else's account. That might happen if you attempt to fetch order information for a managed/third-party certificate issued by DigiCert. We try to detect this case early by checking the certificate before talking to CertCentral.
There is no caching of order information at present, but we anticipate that it will be added in a future release.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
sha256* | path | string | none |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Order information available | None |
400 | Bad Request | Invalid request or certificate not applicable | None |
404 | Not Found | Certificate or order not found | None |
List certificates
Code samples
GET /v1/org/{org}/certs HTTP/1.1
Host: api.hardenize.com
GET /certs
By default, this endpoint returns a list of all your certificates. If you provide one of the optional parameters, only the certificates matching the specified filters will be listed. If you provide multiple parameters, only the certificates matching all the specified filters will be listed.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
active | query | boolean | If set, returns only active or inactive certificates |
expired | query | boolean | If set, returns only expired or non-expired certificates |
expireInDays | query | integer | If set, returns only certificates that have already expired or expire in the specified number of days, according to the effectiveNotAfter timestamp |
host | query | string | If set, returns only certificates that are valid for the specified host, either because they contain the exact hostname or because they are wildcards and contain the parent hostname (e.g., a search for blog.example.com will match *.example.com wildcards) |
limit | query | integer | If set, returns only up to the specified number of certificates. |
newSince | query | string(date-time) | If set, returns only certificates added to the account since the specified date. |
excludeDuplicates | query | boolean | if set to true, will return non duplicate certificates. |
activeOrNonExpired | query | boolean | If set to true, returns active or non-expired certificates. Setting to false has no effect. |
spkiSha256 | query | string | If set, returns only certificates whose public key (SPKI) matches the provided hash |
Example responses
200 Response
{
"certs": [
{
"shortId": "572908a",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"validation": "dv",
"notBefore": "2024-12-20T16:02:26.568Z",
"notAfter": "2024-12-20T16:02:26.568Z",
"effectiveNotAfter": "2024-12-20T16:02:26.568Z",
"revokedOn": "2024-12-20T16:02:26.568Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"sanCount": 1,
"caPathLen": -1,
"wildcard": true,
"selfSigned": false,
"firstSeen": "2024-12-20T16:02:26.568Z",
"lastSeen": "2024-12-20T16:02:26.568Z",
"seenInstalled": true,
"active": true,
"precert": false,
"duplicate": false,
"managed": true,
"ownership": "own",
"label": "ssl760680.cloudflaressl.com",
"matchesOrgHost": true,
"symantecStatus": "symantecExcluded",
"ctRequired": true,
"ctCompliant": true,
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"origin": "ct",
"originTitle": "CT",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"parentHashes": [
"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
],
"parentHashesSource": "ct",
"parentHashesComplete": true,
"analysis": {
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
},
"matchedHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"thirdPartyHosts": [
"hardenize.com"
],
"deployments": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.568Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.568Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
},
"lifetime": "PT17652H",
"lifetimeDays": 736,
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"caIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
],
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"ctInfos": [
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.569Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListCertsResponse |
List certificates summaries
Code samples
GET /v1/org/{org}/certs/summaries HTTP/1.1
Host: api.hardenize.com
GET /certs/summaries
By default, this endpoint returns a list of all your certificates. If you provide one of the optional parameters, only the certificates matching the specified filters will be listed. If you provide multiple parameters, only the certificates matching all the specified filters will be listed.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
active | query | boolean | If set, returns only active or inactive certificates |
expired | query | boolean | If set, returns only expired or non-expired certificates |
expireInDays | query | integer | If set, returns only certificates that have already expired or expire in the specified number of days, according to the effectiveNotAfter timestamp |
host | query | string | If set, returns only certificates that are valid for the specified host, either because they contain the exact hostname or because they are wildcards and contain the parent hostname (e.g., a search for blog.example.com will match *.example.com wildcards) |
limit | query | integer | If set, returns only up to the specified number of certificates. |
newSince | query | string(date-time) | If set, returns only certificates added to the account since the specified date. |
excludeDuplicates | query | boolean | if set to true, will return non duplicate certificates. |
activeOrNonExpired | query | boolean | If set to true, returns active or non-expired certificates. Setting to false has no effect. |
spkiSha256 | query | string | If set, returns only certificates whose public key (SPKI) matches the provided hash |
ownership | query | string | If set, returns only certificates whose ownership matches the value in the regex pattern |
Example responses
200 Response
{
"certs": [
{
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.570Z",
"notAfter": "2024-12-20T16:02:26.570Z",
"effectiveNotAfter": "2024-12-20T16:02:26.570Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.570Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | CertificateSummaryResponse |
List expiring certificates
Code samples
GET /v1/org/{org}/certs/expiringCerts/{groupLabel} HTTP/1.1
Host: api.hardenize.com
GET /certs/expiringCerts/{groupLabel}
Maturity: Under Development
Retrieves expiring certificates.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
groupLabel | path | string | If set, returns only the expiring certificates whose domain belongs to the specified group. |
interval | query | integer | If set, returns only the expiring certificates in the last days days. |
ignoreExpiredDays | query | integer | If set, returns certificates expired more than ignoreExpiredDays days ago. |
limit | query | integer | If set, returns only the first limit expiring certificates. |
Detailed descriptions
groupLabel: If set, returns only the expiring certificates whose domain belongs to the specified group.
interval: If set, returns only the expiring certificates in the last days
days.
ignoreExpiredDays: If set, returns certificates expired more than ignoreExpiredDays
days ago.
limit: If set, returns only the first limit
expiring certificates.
Example responses
200 Response
{
"certs": [
{
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.571Z",
"notAfter": "2024-12-20T16:02:26.571Z",
"effectiveNotAfter": "2024-12-20T16:02:26.571Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.571Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | CertificateSummaryResponse |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
List expiring endpoints
Code samples
GET /v1/org/{org}/certs/expiringEndpoints/{groupLabel} HTTP/1.1
Host: api.hardenize.com
GET /certs/expiringEndpoints/{groupLabel}
Maturity: Under Development
Retrieves a list of expiring endpoints, which are network locations where we're seeing certificates
that are about to expire. When using this API endpoint, first you need to think whether
you want to see certificates that have already expired. By default, you will get all expired
certificates. If you want to see only a subset, use one of expiredSince
, expiredForDays
, or
expiredForTier
parameters. The second decision is about what still-valid certificates
you want to see and for how long in the future. By default, we return the certificates that
fall within the overdue
tier, but you can use the expireBy
, expireInDays
, or expireInTier
parameters to override this. It is sometimes useful to use tiers, because they are
always translated to the correct time ranges based on your current settings.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
groupLabel | path | string | If set, returns only the expiring endpoints whose domain belongs to the specified group. |
expiredForDays | query | integer | If set, returns only endpoints with certificates expired in the last expiredForDays days. |
expiredSince | query | date-time | If set, returns only endpoints with certificates that expired since the provided timestamp. |
expiredForTier | query | string | If set, converts the supplied tier to the correct expiredForDays value. |
expireBy | query | date-time | If set, returns only endpoints with certificates that will expire by the provided timestamp. |
expireInDays | query | integer | If set, returns only endpoints with certificates expiring in the next expireInDays days. |
expireInTier | query | string | If set, converts the supplied tier to the correct expireInTier value. |
limit | query | integer | If set, returns only the first limit expiring endpoints. The default limit is 1,000. |
integration | query | string | none |
Detailed descriptions
groupLabel: If set, returns only the expiring endpoints whose domain belongs to the specified group.
expiredForDays: If set, returns only endpoints with certificates expired in the last expiredForDays
days.
expiredSince: If set, returns only endpoints with certificates that expired since the provided timestamp.
expiredForTier: If set, converts the supplied tier to the correct expiredForDays
value.
expireBy: If set, returns only endpoints with certificates that will expire by the provided timestamp.
expireInDays: If set, returns only endpoints with certificates expiring in the next expireInDays
days.
expireInTier: If set, converts the supplied tier to the correct expireInTier
value.
limit: If set, returns only the first limit
expiring endpoints. The default limit is 1,000.
Example responses
200 Response
{
"expiringEndpoints": [
{
"hostname": "example.net",
"serviceHostname": "service.example.com",
"serviceDomain": "example.com",
"serviceAddress": "127.0.0.1",
"servicePort": 443,
"certNotAfter": "2024-12-20T16:02:26.572Z",
"certEffectiveNotAfter": "2024-12-20T16:02:26.572Z",
"serviceLastSeen": "2024-12-20T16:02:26.572Z",
"certShortId": "572908a",
"certSha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"certDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"certSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"certIssuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"certIssuerCa": "Let's Encrypt",
"certSan": "*.hardenize.com",
"asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
"asNumber": "12345",
"hostClassificationStatus": "active",
"hostClassificationTags": [
[
"signin"
]
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
],
"extras": {
"certsDueDays": 0,
"certsOverdueDays": 0,
"certsCriticalDays": 0
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ExpiringEndpointsResponse |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
List issuance history
Code samples
GET /v1/org/{org}/certs/issuanceHistory/{groupLabel} HTTP/1.1
Host: api.hardenize.com
GET /certs/issuanceHistory/{groupLabel}
Maturity: Under Development
Retrieves certificates issuance.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
groupLabel | path | string | If set, returns only the certificates issuance whose domain belongs to the specified group. |
interval | query | integer | If set, returns only the certificates issuance in the last days days. |
limit | query | integer | If set, returns only the first limit certificates issuance. |
Detailed descriptions
groupLabel: If set, returns only the certificates issuance whose domain belongs to the specified group.
interval: If set, returns only the certificates issuance in the last days
days.
limit: If set, returns only the first limit
certificates issuance.
Example responses
200 Response
{
"certs": [
{
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.573Z",
"notAfter": "2024-12-20T16:02:26.573Z",
"effectiveNotAfter": "2024-12-20T16:02:26.573Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.573Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | CertificateSummaryResponse |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
List revoked certificates
Code samples
GET /v1/org/{org}/certs/revocationHistory/{groupLabel} HTTP/1.1
Host: api.hardenize.com
GET /certs/revocationHistory/{groupLabel}
Maturity: Under Development
Retrieves revoked certificates.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
interval | query | integer | If set, returns only the revoked certificates which were revoked in the last days days. |
limit | query | integer | If set, returns only the first limit revoked certificates. |
groupLabel | path | string | If set, returns only the revoked certificates whose domain belongs to the specified group. |
Detailed descriptions
interval: If set, returns only the revoked certificates which were revoked in the last days
days.
limit: If set, returns only the first limit
revoked certificates.
groupLabel: If set, returns only the revoked certificates whose domain belongs to the specified group.
Example responses
200 Response
{
"certs": [
{
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.574Z",
"notAfter": "2024-12-20T16:02:26.574Z",
"effectiveNotAfter": "2024-12-20T16:02:26.574Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.574Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | CertificateSummaryResponse |
400 | Bad Request | Invalid parameters | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Request certificates statistics
Code samples
POST /v1/org/{org}/certs/;stats HTTP/1.1
Host: api.hardenize.com
POST /certs/;stats
Maturity: Under Development
Request statistics about certificates in the organization.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: CertsStatsResponse
Parameters
Parameter | In | Type | Description |
---|---|---|---|
group | query | string | If set, returns only the statistics for certificates that belong to the specified group. |
Detailed descriptions
group: If set, returns only the statistics for certificates that belong to the specified group.
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted. | OperationStatus |
Request certificates, paginated
Code samples
POST /v1/org/{org}/certs/;listCerts HTTP/1.1
Host: api.hardenize.com
POST /certs/;listCerts
Maturity: Under Development
Request a list of all your certificates.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: ListCertsResponse
Parameters
Parameter | In | Type | Description |
---|---|---|---|
active | query | boolean | If set, returns only active or inactive certificates |
expired | query | boolean | If set, returns only expired or non-expired certificates |
expireInDays | query | integer | If set, returns only certificates that have already expired or expire in the specified number of days, according to the effectiveNotAfter timestamp |
host | query | string | If set, returns only certificates that are valid for the specified host, either because they contain the exact hostname or because they are wildcards and contain the parent hostname (e.g., a search for blog.example.com will match *.example.com wildcards) |
limit | query | integer | If set, returns only up to the specified number of certificates. |
newSince | query | string(date-time) | If set, returns only certificates added to the account since the specified date. |
excludeDuplicates | query | boolean | if set to true, will return non duplicate certificates. |
activeOrNonExpired | query | boolean | If set to true, returns active or non-expired certificates. Setting to false has no effect. |
spkiSha256 | query | string | If set, returns only certificates whose public key (SPKI) matches the provided hash |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Update certificate
Code samples
POST /v1/org/{org}/certs/{sha256} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /certs/{sha256}
Updates the certificate with the given SHA256. Most certificate fields are read-only as they are extracted from certificates themselves. The fields that can be changed are related to how certificates are managed.
Body parameter
{
"muted": true
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
sha256* | path | string | none |
body | body | UpdateCertRequest | none |
Example responses
200 Response
{
"cert": {
"shortId": "572908a",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"validation": "dv",
"notBefore": "2024-12-20T16:02:26.575Z",
"notAfter": "2024-12-20T16:02:26.575Z",
"effectiveNotAfter": "2024-12-20T16:02:26.575Z",
"revokedOn": "2024-12-20T16:02:26.575Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"sanCount": 1,
"caPathLen": -1,
"wildcard": true,
"selfSigned": false,
"firstSeen": "2024-12-20T16:02:26.575Z",
"lastSeen": "2024-12-20T16:02:26.575Z",
"seenInstalled": true,
"active": true,
"precert": false,
"duplicate": false,
"managed": true,
"ownership": "own",
"label": "ssl760680.cloudflaressl.com",
"matchesOrgHost": true,
"symantecStatus": "symantecExcluded",
"ctRequired": true,
"ctCompliant": true,
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"origin": "ct",
"originTitle": "CT",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"parentHashes": [
"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
],
"parentHashesSource": "ct",
"parentHashesComplete": true,
"analysis": {
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
},
"matchedHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"thirdPartyHosts": [
"hardenize.com"
],
"deployments": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.576Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.576Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
},
"lifetime": "PT17652H",
"lifetimeDays": 736,
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"caIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
],
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"ctInfos": [
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.576Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
]
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Certificate updated | UpdateCertResponse |
404 | Not Found | Certificate not found | None |
Certificate Discoveries
Maturity: Under Development
This section provides access to the certificate discoveries functionality. When Certificate Transparency (CT) monitoring is enabled in a Hardenize account, we monitor worldwide issuance of public certificates in real time. We further examine the hosts embedded in each certificate and import relevant certificates into the account. We further create an instance of certificate discovery, where we analyze the certificate for misissuance and conformance with organization policies.
Certificate discoveries are updated daily until they are closed, either manually or by one of the configured policy rules. Please note that the discovery fields preserve the last open state; they're not updated once the discovery is closed.
Get certificate discovery
Code samples
GET /v1/org/{org}/certDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com
GET /certDiscoveries/{id}
Maturity: Under Development
Returns the requested certificate discovery.
Example responses
200 Response
{
"certDiscovery": {
"certDiscoveryId": 11766,
"certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"createdOn": "2022-06-17T00:00:00Z",
"updatedOn": "2022-06-17T00:00:00Z",
"closedOn": "2022-06-17T00:00:00Z",
"escalated": false,
"status": "open",
"resolution": "undetermined",
"certSummary": {
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.577Z",
"notAfter": "2024-12-20T16:02:26.577Z",
"effectiveNotAfter": "2024-12-20T16:02:26.577Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.577Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
},
"certKnown": false,
"certInstalled": true,
"certExpired": false,
"certRevoked": false,
"issuerAllowed": true,
"issuerAllowedKeyword": "GlobalSign",
"issuerNotAllowed": false,
"issuerForbidden": false,
"issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"caaMismatch": false,
"caaMatchFull": false,
"notCtCompliant": false,
"maxLifetimeExceeded": false,
"timeoutCaseInactive": false,
"timeoutCertNotInstalled": false,
"matchedHosts": [
[
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
]
],
"matchedHostsInfo": {
"property1": {
"wildcard": false,
"caa": {
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
},
"property2": {
"wildcard": false,
"caa": {
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
}
},
"matchedHostsCaaHistory": {
"property1": [
{
"policyHostname": "string",
"status": "present",
"statusMessage": "string",
"firstSeen": "2024-12-20T16:02:26.577Z",
"lastSeen": "2024-12-20T16:02:26.577Z",
"records": [
"string"
]
}
],
"property2": [
{
"policyHostname": "string",
"status": "present",
"statusMessage": "string",
"firstSeen": "2024-12-20T16:02:26.577Z",
"lastSeen": "2024-12-20T16:02:26.577Z",
"records": [
"string"
]
}
]
},
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
]
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetCertDiscoveryResponse |
404 | Not Found | Cert discovery doesn't exist | None |
List certificate discoveries
Code samples
GET /v1/org/{org}/certDiscoveries HTTP/1.1
Host: api.hardenize.com
GET /certDiscoveries
Maturity: Under Development
Returns a list of certificate discoveries matching the search criteria.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
status | query | string | If set, returns only the certificate discoveries matching the status. |
limit | query | integer | If set, returns only the first limit certificate discoveries. |
since | query | string(date-time) | If set, returns only certificate discoveries created since the specified date. |
Detailed descriptions
status: If set, returns only the certificate discoveries matching the status.
limit: If set, returns only the first limit
certificate discoveries.
since: If set, returns only certificate discoveries created since the specified date.
Example responses
200 Response
{
"certDiscoveries": [
{
"certDiscoveryId": 11766,
"certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"createdOn": "2022-06-17T00:00:00Z",
"updatedOn": "2022-06-17T00:00:00Z",
"closedOn": "2022-06-17T00:00:00Z",
"escalated": false,
"status": "open",
"resolution": "undetermined",
"certSummary": {
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.579Z",
"notAfter": "2024-12-20T16:02:26.579Z",
"effectiveNotAfter": "2024-12-20T16:02:26.579Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.579Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
},
"matchedHosts": [
[
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
]
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListCertDiscoveriesResponse |
Update certificate discovery
Code samples
POST /v1/org/{org}/certDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /certDiscoveries/{id}
Maturity: Under Development
Updates the requested certificate discovery.
Body parameter
{
"status": "closed",
"resolution": "reconciled"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body* | body | UpdateCertDiscoveryRequest | none |
Example responses
200 Response
{
"certDiscovery": {
"certDiscoveryId": 11766,
"certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"createdOn": "2022-06-17T00:00:00Z",
"updatedOn": "2022-06-17T00:00:00Z",
"closedOn": "2022-06-17T00:00:00Z",
"escalated": false,
"status": "open",
"resolution": "undetermined",
"certSummary": {
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.580Z",
"notAfter": "2024-12-20T16:02:26.580Z",
"effectiveNotAfter": "2024-12-20T16:02:26.580Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.580Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
},
"certKnown": false,
"certInstalled": true,
"certExpired": false,
"certRevoked": false,
"issuerAllowed": true,
"issuerAllowedKeyword": "GlobalSign",
"issuerNotAllowed": false,
"issuerForbidden": false,
"issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"caaMismatch": false,
"caaMatchFull": false,
"notCtCompliant": false,
"maxLifetimeExceeded": false,
"timeoutCaseInactive": false,
"timeoutCertNotInstalled": false,
"matchedHosts": [
[
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
]
],
"matchedHostsInfo": {
"property1": {
"wildcard": false,
"caa": {
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
},
"property2": {
"wildcard": false,
"caa": {
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
}
},
"matchedHostsCaaHistory": {
"property1": [
{
"policyHostname": "string",
"status": "present",
"statusMessage": "string",
"firstSeen": "2024-12-20T16:02:26.580Z",
"lastSeen": "2024-12-20T16:02:26.580Z",
"records": [
"string"
]
}
],
"property2": [
{
"policyHostname": "string",
"status": "present",
"statusMessage": "string",
"firstSeen": "2024-12-20T16:02:26.580Z",
"lastSeen": "2024-12-20T16:02:26.580Z",
"records": [
"string"
]
}
]
},
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
]
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Certificate updated | UpdateCertDiscoveryResponse |
404 | Not Found | Certificate not found | None |
Dashboards
The API endpoints in this section allow you to retrieve information about your dashboards.
Request dashboard statistics
Code samples
POST /v1/org/{org}/dashboards/;stats HTTP/1.1
Host: api.hardenize.com
POST /dashboards/;stats
Maturity: Under Development
Request general statistics about the organization.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: CreateDashboardResponse
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted. | OperationStatus |
DNS
DNS APIs can be used to synchronize your DNS configuration for Hardenize. Our first supported endpoint enables you to upload your DNS zone files, enabling Hardenize to discover new hosts.
Upload DNS zone
Code samples
POST /v1/org/{org}/dns/zones?root=example.com HTTP/1.1
Host: api.hardenize.com
Content-Type: text/plain
POST /dns/zones
Use this endpoint to upload your DNS zone file to Hardenize. The zone file will be parsed to find new hosts, which will then be added to the account.
Body parameter
$ORIGIN example.com.
$TTL 1h
@ IN SOA ns.example.com. admin.example.com. ( 2018081601 1d 2h 4w 1h )
@ IN NS ns
@ IN MX 10 mx.example.com.
@ IN A 192.0.2.1
IN AAAA 2001:db8:10::1
ns IN A 192.0.2.2
IN AAAA 2001:db8:10::2
www IN CNAME example.com.
mx IN A 192.0.2.3
Parameters
Parameter | In | Type | Description |
---|---|---|---|
root* | query | string | The root of the uploaded DNS zone, for example example.com . |
body* | body | string | DNS zone file |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | Zone successfully processed | None |
Events
We use events to record various things of interest that happen in your account. For example, if we see a certificate that matches one of your domain names in Certificate Transparency (CT) logs, we can take that CT log entry and store it as an event. In this way, you can periodically retrieve the available events and stay up to date. Events are also used as basis for our event hooks, which provide real-time notifications.
We support the following event types:
Event Type | Description | Event Data |
---|---|---|
ct.entry |
One CT log entry matched to the account. The purpose of this event is to enable you to interface directly with the public CT logs while seeing only CT log entries that are relevant to you. One event of this type is generated for every appearance of precertificate and certificate in public CT logs. This usually means that there will be 2-5 events for every precertificate, depending on the certificate validity period. Certificates are also commonly seen in the logs, although that's not guaranteed. In most situations, the pki.cert.new is the more appropriate choice of you only care about new issuance events. We collect all information from your CT log entries even if this event is not enabled; within 24 hours of certificate issuance, the aggregated information will be stored in the appropriate Certificate record. |
MatchedCtEntry |
issue.new |
New issue. Emitted whenever a new issue is created. | Issue |
issue.update |
Updated issue. Emitted every time an issue is updated. | Issue |
pki.cert.new |
New certificate or precertificate added to the account, from any source, including Certificate Transparency, network, or manual upload. The purpose of this event is to enable you to react, in real-time, when a new certificate becomes known. You should be aware that you will get potentially multiple objects for the same issuance. You can check for this using the tbsSha256 field, which has the same value in the precertificate/certificate combo. This event is generated for own and third-party certificates, including CA certificates. If the latter group is not of interest, check the event data fields to discard them. |
Certificate |
Event Hooks
You can use event hooks to have your events pushed to you in real-time. We currently support two delivery mechanisms:
-
PubSub; This event type is based on a message queue and appropriate when the event volume is very high. It's configured manually and enabled on a case-by-case basis.
-
Webhooks; This is the default event delivery mechanism, where we submit events to a designated web server under your control.
PubSub Event Delivery
PubSub event delivery is a message queue that's implemented on top of Google's PubSub service, which is highly available and stores events for up to 7 days. When we enable this event delivery type, we create one PubSub subscription for the entire account and enable the corresponding hook type. From that point onwards, you can use the API to control exactly which events are delivered to you.
PubSub messages transport event data in the main message body, with the metadata included via the message attributes. PubSub implements at-least-once delivery which means that you may get duplicate events. You can deal with this by designing your processing so that the duplicates don't matter, or by adding a deduplication layer (e.g., based on the unique event identifier). Another characteristic of PubSub is that it doesn't guarantee delivery of events in the chronological order. As such, PubSub may not be a good choice when the order matters.
If you're receiving issue updated via PubSub, make sure to check that the revision of the event you're processing is higher than the last known revision. Issues are typically updated once a day, meaning that you will not normally experience ordering issue if you're consuming events continuously.
Webhook Event Delivery
This mechanism submits events to an HTTPS endpoint that you control. This endpoint must be able to accept and process POST requests with event information. The events are transported in the request bodies, using the same format as the events obtained when you pull this information via this API.
When you successfully
accept an event we send, you must respond with the 204 No Content
status code
and no data in the response body. We are particular about the
response code because we want to be sure the webhook has been
processed correctly. Seeing a 200 response is not really a guarantee
of that, as it's common to see web servers configured to always
respond with 200 status code, even on processing failure.
Generally speaking, it's always helpful to use meaningful status codes as that will help us understand the type of failure and modify our behavior accordingly. For example:
- 400 Bad Request - our submission is invalid
- 429 Too Many Requests - we're sending too many requests
- 500 Internal Server Error - your processing failed
- 503 Service Unavailable - your service is currently not available
- 504 Gateway Timeout - your service didn't respond in time
You should enable keep-alives on your server and use a long timeout value so that we can efficiently send you events in bulk.
It is important that you verify that you are receiving webhooks from us, and not from someone else. There are a couple of ways in which this can be archived. First, you could generate a long random string and embed it in the webhook URL, making it difficult for anyone to just guess the destination you're using. Second, you should check the event metadata to ensure that it matches your expectations. The metadata, which is transported in the request headers, includes a signature based on a per-hook secret.
If a webhook fails, we will continue to attempt delivery over the next 24 hours. Overall, we will attempt delivery of every event to you for about 10 times, backing off exponentially from the first attempt. We may disable webhooks that stay broken for an extended period of time.
Event Hook Metadata
We deliver events along with their associated metadata, as follows:
X-Hardenize-Org
- contains the organization label, for exampledemo
. This field always contains the absolute organization identifier, meaning in the case of suborganizations it will be in the form ofparent.child
.X-Hardenize-EventHookId
- contains the unique event hook identifier. Even though the identifier is not security-sensitive as such, it's generated using a strong random number generator and can be used to verify that the traffic is genuinely coming from our systems.X-Hardenize-Signature
- contains signature of the entire event payload, signed using the secret unique to the event hook. This secret is generated randomly when the hook is created.
Event Signatures
We use HMAC-256 to sign a timestamped event body. The X-Hardenize-Signature
metadata field will therefore include both the timestamp and the actual
signature.
X-Hardenize-Signature: t=1539185809044;
hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8
To verify the signature, first locate the secret corresponding to the event
hook, using the combination of X-Hardenize-Org
and X-Hardenize-EventHookId
fields.
After that, parse the X-Hardenize-Signature
field to extract the timestamp
and signature values. To do this, split the value at the semicolon, then
extract the key-value pairs. Next, create a new data buffer by appending the timestamp
(e.g., 1539185809044
), followed by a semicolon (i.e., ;
), followed by the verbatim
request body. Finally, calculate the HMAC-SHA256 of the data buffer and compare your
result with our signature. Please note that our signature is hex-encoded for transport.
To do a correct comparison you'll have to either hex-decode it first, or hex-encode
your calculation.
If you're worried about replay attacks, you will also need to check that the timestamp doesn't deviate significantly from the time you have. For this to work correctly you need to ensure that you always have the correct time on your server. Additionally, you'll need to be processing the events in near-real time or otherwise account for the processing delay on your end.
If you are unable to validate the event metadata, you must refuse to process the event. If in a webhook, respond with the 400 status code.
Event Collection Best Practices
Even though event hooks are not difficult to set up initially, getting them to work
reliably and unattended over an extended period of time will require some
effort. Things break. Use event hooks only if there aren't better ways to access the information. For
example, if you're interested in the ct.entry
and pki.cert.*
hooks, consider that
we process all the events ourselves, and that information stored in them is always
available to you via this API. For example, if you want to keep a copy of all your
certificates, it's usually easier to retrieve new and updated certificates daily.
Further, consider these best practices for event hook implementation:
-
No matter what you plan to do with the event data, the most important task for a hook is to accept the event. If your hook is continuously unable to receive an event, it will eventually be lost. This is true for all delivery mechanisms, although the parameters may differ.
-
For best results, consider separating event receipt from processing. This is usually best done by acknowledging the event and placing into storage, for some other scheduled task to pick it up on a schedule. (Include authentication in this step.) In this case, even if the processing later fails, you'll still have the event. If you're receiving and processing events at the same time, unchecked processing failures may lead to event loss.
There is greater potential from damage [if your receipt and processing are done at the same time] with PubSub delivery, because your failure to process one event may prevent you from seeing the events that follow it. You can be stuck in a loop where you're continuously trying and failing to process the same event. In this situation, the right strategy is to use a "dead-letter queue" to store the events that have failed.
-
Even with the above, it's best to use the "belt and braces" approach. Configure and handle hooks when you need to observe events in real-time, but also setup daily tasks to retrieve events directly from us, eliminating duplicates. In this way you will ensure that no events are lost.
Create event hook
Code samples
POST /v1/org/{org}/eventHooks HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /eventHooks
Creates a new event hook. Every new event hook starts off as disabled, which means that it's not going to receive events straight away. The expected workflow is to first create an event hook, configure the receiving end, run tests to ensure correct operation, and then finally enable the hook.
Body parameter
{
"hookType": "webhook",
"eventTypes": [
"ct.entry"
],
"status": "enabled",
"destination": "https://hardenize.com/webhooks/receive"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | CreateEventHookRequest | none |
Example responses
200 Response
{
"eventHook": {
"id": "bfc384726b6447a4b70a171de49e466f",
"hookType": "webhook",
"eventTypes": [
"ct.entry"
],
"status": "enabled",
"destination": "https://hardenize.com/webhooks/receive",
"secret": "3685c06a966e4d0ea625d0b475719661"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Event hook created | CreateEventHookResponse |
403 | Forbidden | Insufficient permissions to perform operation | None |
Delete event hook
Code samples
DELETE /v1/org/{org}/eventHooks/{id} HTTP/1.1
Host: api.hardenize.com
DELETE /eventHooks/{id}
Deletes the event hook with the specified identifier.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | Event hook identifier. |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | Event hook deleted | None |
403 | Forbidden | Insufficient permissions to perform operation | None |
404 | Not Found | Event hook not found | None |
Get event
Code samples
GET /v1/org/{org}/events/{id} HTTP/1.1
Host: api.hardenize.com
GET /events/{id}
Returns the event with the specified identifier.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | integer | Event identifier. |
Example responses
200 Response
{
"event": {
"id": 10001,
"type": "ct",
"createdOn": "2024-12-20T16:02:26.582Z",
"apiVersion": "0.14.0",
"data": {
"field": "value"
}
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetEventResponse |
404 | Not Found | Event doesn't exist | None |
List event destinations
Code samples
GET /v1/org/{org}/eventDestinations HTTP/1.1
Host: api.hardenize.com
GET /eventDestinations
Lists all managed event destinations. Managed destinations are those that we control, for example PubSub topics.
Example responses
200 Response
{
"eventDestinations": [
{
"destinationId": "pubsub://events/1/1005",
"type": "pubsub",
"project": "hz-events-pubsub",
"topic": "projects/hz-events-pubsub/topics/ep-1-1005",
"subscription": "ep-1-1005",
"subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListEventDestinationsResponse |
List event hooks
Code samples
GET /v1/org/{org}/eventHooks HTTP/1.1
Host: api.hardenize.com
GET /eventHooks
Lists event hooks that are configured in the account.
Example responses
200 Response
{
"eventHooks": [
{
"id": "bfc384726b6447a4b70a171de49e466f",
"hookType": "webhook",
"eventTypes": [
"ct.entry"
],
"status": "enabled",
"destination": "https://hardenize.com/webhooks/receive",
"secret": "3685c06a966e4d0ea625d0b475719661"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListEventHooksResponse |
List event types
Code samples
GET /v1/org/{org}/eventTypes HTTP/1.1
Host: api.hardenize.com
GET /eventTypes
Lists all available event types, showing how they're configured for the account.
Example responses
200 Response
{
"eventTypes": [
{
"name": "ct",
"available": true,
"enabled": true
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListEventTypesResponse |
List events
Code samples
GET /v1/org/{org}/events HTTP/1.1
Host: api.hardenize.com
GET /events
Lists events available in the account. By default, all events are listed, with the earliest first.
Because there is a forced limit of 100 events per invocation, to iterate over more than 100
events you will need to submit multiple requests, remember the timestamp of the last retrieved
event, and use it as the since
parameter in the subsequent invocation.
If you provide one of the optional parameters, only the events matching the specified filters will be
listed. If you provide multiple parameters, only the events matching all the specified filters will be listed.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
since | query | string(date-time) | Returns only events that ocurred after the supplied time. |
type | query | string | Returns only events that match the supplied type. |
limit | query | integer | Limits the number of events in the response. The limit can range between 1 and 100. The default is 100. |
Example responses
200 Response
{
"events": [
{
"id": 10001,
"type": "ct",
"createdOn": "2024-12-20T16:02:26.583Z",
"apiVersion": "0.14.0",
"data": {
"field": "value"
}
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListEventsResponse |
Test event hook
Code samples
POST /v1/org/{org}/eventHooks/{id};test HTTP/1.1
Host: api.hardenize.com
POST /eventHooks/{id};test
Tests the event hook with the specified identifier. By default, we send a test
event, but it's possible to request mock events of
other types using the eventType
parameter. This API endpoint executes synchronously
and may take longer than other API calls (especially in case of unresponsive
receiving servers).
By default, we submit valid and syntactically events. During the configuration phase,
it's useful to test how the receiver behaves with invalid data. We use the invalid
parameter
for this purpose. Set to any value except none
, it instructs the API
to intentionally break one element of the submission. In this case, the
success criteria also changes. By default, we expect a 204 response, except when
we're sending you a broken submission, in which case we expect a 400 in return.
Please note that, when testing deliveries via intermediaries, we're not able to detect processing failures of the final recipient, only of the intermediary. For example, when testing PubSub delivery, this endpoint will return success after successfully publishing to the message queue. Testing with broken events is still useful, but you'll need to detect the failures on the receiving end.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | Event hook identifier. |
invalid | query | string | Instructs the API to intentionally break one of the elements of the test submission. Default: none |
eventType | query | string | Determines the event type that will be sent to the event hook. |
Enumerated Values
Parameter | Value |
---|---|
invalid | none |
invalid | hookId |
invalid | org |
invalid | payload |
invalid | signature |
eventType | ct.entry |
eventType | issue.new |
eventType | issue.update |
eventType | pki.cert.new |
eventType | test |
Example responses
200 Response
{
"successful": false,
"errorMessage": "Expected 202 or 204 status code",
"durationMillis": 5814,
"pubsub": {
"destination": "pubsub://events/1/1005",
"message": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}",
"attributes": {
"X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
"X-Hardenize-Org": "demo",
"X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
},
"messageId": "260486610038606"
},
"webook": {
"request": {
"method": "POST",
"url": "https://hardenize.com/webhooks/receive",
"headers": {
"Content-Type": "application/json; charset=UTF-8",
"User-Agent": "Hardenize (https://www.hardenize.com)",
"X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
"X-Hardenize-Org": "demo",
"X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
},
"body": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}"
},
"response": {
"statusCode": 302,
"headers": {
"Location": "https://hardenize.com/redirection",
"Cache-Control": "no-cache",
"Connection": "keep-alive",
"Content-Type": "text/plain; charset=UTF-8",
"Date": "Wed, 10 Oct 2018 15:36:54 GMT",
"Server": "nginx/1.10.3",
"Transfer-Encoding": "chunked",
"Vary": "Accept-Encoding"
},
"body": "OK"
}
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Event hook test completed | TestEventHookResponse |
403 | Forbidden | Insufficient permissions to perform operation | None |
404 | Not Found | Event hook not found | None |
Update event hook
Code samples
POST /v1/org/{org}/eventHooks/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /eventHooks/{id}
Updates the event hook with the specified identifier.
Body parameter
{
"eventTypes": [
"ct.entry"
],
"destination": "https://hardenize.com/webhooks/receive",
"status": "disabled"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | Event hook identifier. |
body | body | UpdateEventHookRequest | none |
Example responses
200 Response
{
"eventHook": {
"id": "bfc384726b6447a4b70a171de49e466f",
"hookType": "webhook",
"eventTypes": [
"ct.entry"
],
"status": "enabled",
"destination": "https://hardenize.com/webhooks/receive",
"secret": "3685c06a966e4d0ea625d0b475719661"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Event hook updated | UpdateEventHookResponse |
403 | Forbidden | Insufficient permissions to perform operation | None |
404 | Not Found | Event hook not found | None |
Update event type
Code samples
POST /v1/org/{org}/eventTypes/{name} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /eventTypes/{name}
Updates one event type, changing the enabled
property to the specified
value. When an event type is enabled, events of that type will be generated
and stored in the database. Associated notifications will be dispatched. This
operation will fail if the event type is not available in the account.
Body parameter
{
"enabled": true
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
name* | path | string | Event type name. |
body | body | UpdateEventTypeRequest | none |
Example responses
200 Response
{
"eventType": {
"name": "ct",
"available": true,
"enabled": true
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | UpdateEventTypeResponse |
403 | Forbidden | Not allowed to change status of event that's not available | None |
404 | Not Found | Event type doesn't exist | None |
Groups
We support groups as a general-purpose mechanism for categorization. For example, a host can be assigned zero, one, or more groups.
Create group
Code samples
POST /v1/org/{org}/groups HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /groups
Creates a new group. The name you choose should be short (especially if you're planning to assign multiple tags to individual entities) and must not already exist, using case-insensitive comparison.
Body parameter
{
"name": "Production",
"auto": true,
"tags": [
"production"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | CreateGroupRequest | none |
Example responses
201 Response
{
"group": {
"id": "production",
"name": "Production",
"auto": true,
"tags": [
"production"
]
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | Group created | CreateGroupResponse |
400 | Bad Request | Invalid parameters | None |
Delete group
Code samples
DELETE /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com
DELETE /groups/{id}
Deletes a group. By default, only unused groups can be deleted, but you can specify the force
parameter to override this behavior.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | The name of the group to delete. |
force | query | boolean | If this parameter is provided and set to true, the specified group will be deleted even if it's still in use. |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | Group deleted | None |
400 | Bad Request | Invalid input | None |
403 | Forbidden | Forbidden | None |
404 | Not Found | Group not found | None |
Get group
Code samples
GET /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com
GET /groups/{id}
Retrieves group information.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | Group identifier. |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | None |
400 | Bad Request | Bad Request | None |
403 | Forbidden | Forbidden | None |
404 | Not Found | Not found | None |
List groups
Code samples
GET /v1/org/{org}/groups HTTP/1.1
Host: api.hardenize.com
GET /groups
Returns a complete list of all groups used by the organization.
Example responses
200 Response
{
"groups": [
{
"id": "production",
"name": "Production",
"auto": true,
"tags": [
"production"
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListGroupsResponse |
Update group
Code samples
POST /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /groups/{id}
Updates a group.
Body parameter
{
"tags": [
"production"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | Group identifier. |
body | body | UpdateGroupRequest | none |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | Group updated | None |
400 | Bad Request | Invalid input | None |
403 | Forbidden | Forbidden | None |
404 | Not Found | Group not found | None |
Host Discovery
Host discovery is a feature of Hardenize designed to make it easier for organizations to build their host inventories and keep them up to date. Having a good inventory is key to having good visibility, so we aim to automate the maintenance tasks wherever possible. Where full automation is not possible, we do as much work as we can and present the information for manual review.
There are three principal ways in which new hosts are discovered. The first is the use of authoritative sources. For example, new hosts could be added manually (e.g., from a list of organization's domain names) or could be imported via an integration with existing systems (e.g., authoritative name servers). All accounts are initially populated with data in this way.
Once an account is bootstrapped, our automated discovery features kick in. An important source of information is our monitoring of public infrastructure. We maintain both historical databases and also follow new information that appears on the network. We then inspect these sources to import information that's connected to the account. A good example of this approach is import of new certificates via Certificate Transparency monitoring.
Finally, the third approach is the analysis and import from the data obtained from our own active monitoring of the hosts that are already in an account's host inventory. Because in this case we know that we're dealing with the data that belongs to the account owner, we're able to further refine our understanding and apply heuristics to make even more useful conclusions. For example, as we can your web sites we record and extract useful information from them.
How Host Discovery Works
To support host discovery, we monitor all hosts we come across (as part of both public and private monitoring). When we encounter a relevant host, we import it into the account and add it to the list od discovered hosts.
In some cases (e.g., suffix matching), our discovery is 100% accurate, and then we are able to add thew newly discovered host directly to the inventory. When that's not possible, the new host sits on the discovery list until a decision about it can be made.
If a host is not classified as belonging to the organization, the decision about it stays in the account so that it can be reused in the future.
Delete host discoveries
Code samples
DELETE /v1/org/{org}/hostDiscoveries/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
DELETE /hostDiscoveries/*
Deletes a list of host discoveries.
Body parameter
{
"ids": [
1
],
"preview": true
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | DeleteHostDiscoveriesRequest | none |
Example responses
200 Response
{
"ids": [
1
],
"preview": true
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | DeleteHostDiscoveriesResponse |
400 | Bad Request | Invalid request | None |
Get host discovery
Code samples
GET /v1/org/{org}/hostDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com
GET /hostDiscoveries/{id}
Returns the specified host discovery.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | integer | The ID of the host discovery to be fetched. |
Example responses
200 Response
{
"hostDiscovery": {
"discoveryId": 11113,
"autoResolved": false,
"hostname": "www.🔥.hardenize.com",
"discoveredTime": "2024-12-20T16:02:26.586Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"matchInfo": {
"certdno": {
"o": "Cloudflare, Inc."
},
"integration": {
"name": "AWS Production",
"type": "aws",
"ref": "string"
},
"keyword": {
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
},
"mx": {
"mx": "mail.example.com"
},
"nameserver": {
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
},
"rname": {
"email": "postmaster@example.com"
},
"whois": {
"keywords": [
"example.com"
]
}
},
"matchCertDNO": false,
"matchIntegration": true,
"matchKeyword": false,
"matchMx": false,
"matchNameserver": false,
"matchSubdomain": false,
"matchRname": false,
"matchWhois": false,
"resolution": "pending",
"updatedTime": "2024-12-20T16:02:26.586Z"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetHostDiscoveryResponse |
404 | Not Found | Host discovery doesn't exist | None |
List host discoveries
Code samples
GET /v1/org/{org}/hostDiscoveries HTTP/1.1
Host: api.hardenize.com
GET /hostDiscoveries
Returns a list of all host discoveries in the account. Optionally, use one of the supported filtering parameters to retrieve only the discoveries that match specific criteria.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
resolution | query | string | If set, returns only the host discoveries with this particular resolution set. |
discoveredSince | query | string(date-time) | If set, returns only the hosts discoveries that have happened since the supplied date. |
origin | query | string | If set, returns only the host discoveries found with this match location. |
limit | query | integer | If set, returns only up to the specified number of hosts. |
Enumerated Values
Parameter | Value |
---|---|
resolution | pending |
resolution | own |
resolution | supplier |
resolution | unrelated |
resolution | infringing |
resolution | phishing |
origin | hdb |
Example responses
200 Response
{
"hostDiscoveries": [
{
"discoveryId": 11113,
"autoResolved": false,
"hostname": "www.🔥.hardenize.com",
"discoveredTime": "2024-12-20T16:02:26.587Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"matchInfo": {
"certdno": {
"o": "Cloudflare, Inc."
},
"integration": {
"name": "AWS Production",
"type": "aws",
"ref": "string"
},
"keyword": {
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
},
"mx": {
"mx": "mail.example.com"
},
"nameserver": {
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
},
"rname": {
"email": "postmaster@example.com"
},
"whois": {
"keywords": [
"example.com"
]
}
},
"matchCertDNO": false,
"matchIntegration": true,
"matchKeyword": false,
"matchMx": false,
"matchNameserver": false,
"matchSubdomain": false,
"matchRname": false,
"matchWhois": false,
"resolution": "pending",
"updatedTime": "2024-12-20T16:02:26.587Z"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListHostDiscoveriesResponse |
Update host discoveries
Code samples
POST /v1/org/{org}/hostDiscoveries/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /hostDiscoveries/*
Updates a list of host discoveries.
When changing the resolution, the resolution of all other discoveries that have a hostname matching the targetted discoveries effective hostname, are also updated.
When changing the resolution to "own", all affected discoveries are imported into your host inventory.
Body parameter
{
"ids": [
1
],
"preview": true,
"changes": {
"resolution": "own",
"groups": [
"staging",
"development"
]
}
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateHostDiscoveriesRequest | none |
Example responses
200 Response
{
"hostDiscoveries": [
{
"discoveryId": 11113,
"autoResolved": false,
"hostname": "www.🔥.hardenize.com",
"discoveredTime": "2024-12-20T16:02:26.588Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"matchInfo": {
"certdno": {
"o": "Cloudflare, Inc."
},
"integration": {
"name": "AWS Production",
"type": "aws",
"ref": "string"
},
"keyword": {
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
},
"mx": {
"mx": "mail.example.com"
},
"nameserver": {
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
},
"rname": {
"email": "postmaster@example.com"
},
"whois": {
"keywords": [
"example.com"
]
}
},
"matchCertDNO": false,
"matchIntegration": true,
"matchKeyword": false,
"matchMx": false,
"matchNameserver": false,
"matchSubdomain": false,
"matchRname": false,
"matchWhois": false,
"resolution": "pending",
"updatedTime": "2024-12-20T16:02:26.588Z"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | UpdateHostDiscoveriesResponse |
400 | Bad Request | Invalid request | None |
Update host discovery
Code samples
POST /v1/org/{org}/hostDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /hostDiscoveries/{id}
Updates the specified host discovery. Setting the effective hostname is optional, but if a value is provided, it must be the same as the discovered hostname or one of its parents, and must not be a TLD (on the public suffix list). E.g if the discovered hostname is "www.test.example.com", you may set the effective hostname to "test.example.com" or "example.com", but not "com" and not "example.org".
When changing the resolution, the resolution of all other discoveries that have a hostname matching the targetted discoveries effective hostname, are also updated.
When changing the resolution to "own", all affected discoveries are imported into your host inventory.
Body parameter
{
"resolution": "own",
"groups": [
"staging",
"development"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | integer | The ID of the host discovery to be updated. |
body | body | UpdateHostDiscoveryRequest | none |
Example responses
200 Response
{
"hostDiscovery": {
"discoveryId": 11113,
"autoResolved": false,
"hostname": "www.🔥.hardenize.com",
"discoveredTime": "2024-12-20T16:02:26.589Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"matchInfo": {
"certdno": {
"o": "Cloudflare, Inc."
},
"integration": {
"name": "AWS Production",
"type": "aws",
"ref": "string"
},
"keyword": {
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
},
"mx": {
"mx": "mail.example.com"
},
"nameserver": {
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
},
"rname": {
"email": "postmaster@example.com"
},
"whois": {
"keywords": [
"example.com"
]
}
},
"matchCertDNO": false,
"matchIntegration": true,
"matchKeyword": false,
"matchMx": false,
"matchNameserver": false,
"matchSubdomain": false,
"matchRname": false,
"matchWhois": false,
"resolution": "pending",
"updatedTime": "2024-12-20T16:02:26.589Z"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | UpdateHostDiscoveryResponse |
404 | Not Found | Host discovery doesn't exist | None |
Host Discovery Nameservers
Nameserver monitoring is one of our favourite discovery techniques. We monitor the world's domain names to determine what nameservers they are delegated to and use that information to build a special discovery database. This subsequently enables us to quickly find all domain names delegated to a particular nameserver.
This discovery technique can be used only with an organization's private DNS nameservers, meaning that they host only domain names that belong to the same organization. They can be managed and provided by a third-party, but the name itself must not be shared.
We like this technique because it requires virtually no effort to identify new domains that belong to the organization. Once the private nameservers are identified, the discoveries happen automatically via continuous monitoring of new domains that appear in the name servers. Further, we help discover the private nameservers by monitoring all nameservers used by an account and looking for ones that appear to be used exclusively by the organization's domain names.
Create host discovery nameserver
Code samples
POST /v1/org/{org}/hostDiscoveryNameservers HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /hostDiscoveryNameservers
Creates one or more nameservers to for discovery purposes. Only private
nameservers can be added to monitoring. As a way of enforcing this requirement,
we check that the nameserver hostname matches a domain name that's in the
host inventory. For example, if example.com
is an organization domain name,
then ns1.example.com
nameserver can be added but ns1.example.org
cannot.
Public servers must not be submitted for monitoring, even if they're under a domain name that is in the inventory.
Body parameter
{
"hostnames": [
"ns1.example.com"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | CreateHostDiscoveryNameserverRequest | none |
Example responses
204 Response
{
"hostDiscoveryKeyword": {
"hostname": "ns1.hardenize.com",
"punyHostname": "ns1.hardenize.com",
"createdOn": "2020-06-10T15:36:49.044Z",
"enabled": false,
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | OK | CreateHostDiscoveryNameserverResponse |
400 | Bad Request | Invalid request | None |
Delete host discovery nameserver
Code samples
DELETE /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com
DELETE /hostDiscoveryNameservers/{hostname}
Deletes a host discovery nameserver.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
hostname* | path | string | A fully-qualified domain name. |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | Nameserver deleted | None |
404 | Not Found | Nameserver not found | None |
Get host discovery nameserver
Code samples
GET /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com
GET /hostDiscoveryNameservers/{hostname}
Retrieves a host discovery nameserver.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
hostname* | path | string | A fully-qualified domain name. |
Example responses
200 Response
{
"hostDiscoveryNameserver": {
"hostname": "ns1.hardenize.com",
"punyHostname": "ns1.hardenize.com",
"createdOn": "2020-06-10T15:36:49.044Z",
"enabled": false,
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetHostDiscoveryNameserverResponse |
404 | Not Found | Nameserver not found | None |
List host discovery nameservers
Code samples
GET /v1/org/{org}/hostDiscoveryNameservers HTTP/1.1
Host: api.hardenize.com
GET /hostDiscoveryNameservers
Returns a list of all host discovery nameservers in the account.
Example responses
200 Response
{
"hostDiscoveryNameservers": [
{
"hostname": "ns1.hardenize.com",
"punyHostname": "ns1.hardenize.com",
"createdOn": "2020-06-10T15:36:49.044Z",
"enabled": false,
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListHostDiscoveryNameserversResponse |
List not-monitored private nameservers
Code samples
GET /v1/org/{org}/hostDiscoveryNameservers/privateNotMonitored HTTP/1.1
Host: api.hardenize.com
GET /hostDiscoveryNameservers/privateNotMonitored
Returns a list of all private nameservers that are not already monitored. Our ability to discover your private nameservers depends on active monitored of the host inventory. As part of a host assessment, we check the nameservers and store them in the database. This endpoint builds a list of all nameservers we are aware of, keeps only those that are potentially private (based on the hostnames matching), and removes those that are already monitored.
Example responses
200 Response
[
"example.com"
]
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | Inline |
Response Schema
Update host discovery nameserver
Code samples
POST /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /hostDiscoveryNameservers/{hostname}
Updates one host discovery nameserver.
Body parameter
{
"enabled": true
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
hostname* | path | string | A fully-qualified domain name. |
body | body | UpdateHostDiscoveryNameserverRequest | none |
Example responses
200 Response
{
"hostDiscoveryNameserver": {
"hostname": "ns1.hardenize.com",
"punyHostname": "ns1.hardenize.com",
"createdOn": "2020-06-10T15:36:49.044Z",
"enabled": false,
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Nameserver updated | GetHostDiscoveryNameserverResponse |
400 | Bad Request | Invalid parameters | None |
404 | Not Found | Nameserver not found | None |
Host Discovery Keywords
Hardenize supports discovery of new hosts based on keyword matching. To support this type of discovery we maintain a database of all domains and subdomains globally. When a keyword is added to an account, we schedule continuous monitoring of this database to discover all hostnames that match it.
Our keyword matching discovery is different from subdomain matching because
keywords can match anywhere in the hostname. Additionally, we implement additional advanced
matching techniques that look for variations. Our fuzzy matching starts with a keyword and
generates many similar phrases using techniques designed to catch, for example, typosquatting. Separately,
we have detection of confusables, where we detect phrases that are visually similar or identical
to the configured keyword. We detect simple character substitution (e.g.,
tw1tter
instead of twitter
), as well as advanced obfuscation attempts using Unicode look-alike
characters (also known as homoglyphs or homographs). If you'd like to see some examples, we maintain
a public project where we showcase our detection of confusables
for some popular keywords.
Using Keyword Discovery
To use keyword discovery, specify one or more keywords, configuring them according to what you wish to be discovered. We recommend that you initially start with stricter keywords, for example only domains that match a keyword exactly. With this approach, you will initially have fewer matches to deal with. As you settle on a discovery review workflow that works for you, you can then then pursue less strict matching, which will generate more useful matches (e.g., entire labels anywhere in the hostname), but is also likely produce false positives.
When a new keyword is added (or a keyword configured), we need to scan our entire database, which is a slow operation. Especially in the case of fuzzy and confusables matching, one keyword may result in hundreds of variations that we search for. The results of the first scan are therefore made available over night. Once that first scan is complete, we continue with real-time monitoring of newly observed domains and subdomains.
Match Limits
Because we have hundreds of millions in our database, keyword matching can result in too many matches when using with a phrase that's not specific enough. In order to deal with this problem, there is a limit to how many matches can be imported at any one time. This limit is designed to kick in when the keyword is used the first time. By default, this limit is set to 10,000 matches. If a keyword reaches this limit, it is disabled with an appropriate error message.
Availability
Keyword discovery features vary across account tiers. If keywords are enabled on an account, there are separate limits for standard and advanced keywords. The advanced keyword allowance can be used to create standard keywords, but the reverse is not possible. Advanced keywords (that support fuzzy matching and confusables) are an add-on and can be added to any package.
Create host discovery keyword
Code samples
POST /v1/org/{org}/hostDiscoveryKeywords HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /hostDiscoveryKeywords
Creates a new keyword to be used for host discovery. It's important to choose a good keyword that
will not produce many false positives. For example, if you specified the word com
, we would
match on millions of hostnames.
Keyword matching never returns any hostnames that are considered to belong to the account organization. The exclusion happens automatically because those hostnames should have already been added to the account via suffix matching.
Body parameter
{
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | CreateHostDiscoveryKeywordRequest | none |
Example responses
200 Response
{
"hostDiscoveryKeyword": {
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
],
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | CreateHostDiscoveryKeywordResponse |
400 | Bad Request | Invalid request | None |
Delete host discovery keyword
Code samples
DELETE /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com
DELETE /hostDiscoveryKeywords/{keyword}
Deletes a host discovery keyword.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
keyword* | path | string | The name of the keyword to delete. |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | Keyword deleted | None |
404 | Not Found | Keyword not found | None |
Get host discovery keyword
Code samples
GET /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com
GET /hostDiscoveryKeywords/{keyword}
Retrieves a host discovery keyword.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
keyword* | path | string | The name of the keyword to fetch. |
Example responses
200 Response
{
"hostDiscoveryKeyword": {
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
],
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetHostDiscoveryKeywordResponse |
404 | Not Found | Keyword not found | None |
List host discovery keywords
Code samples
GET /v1/org/{org}/hostDiscoveryKeywords HTTP/1.1
Host: api.hardenize.com
GET /hostDiscoveryKeywords
Returns a list of all host discovery keywords in the account.
Example responses
200 Response
{
"hostDiscoveryKeywords": [
{
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
],
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListHostDiscoveryKeywordsResponse |
Update host discovery keyword
Code samples
POST /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /hostDiscoveryKeywords/{keyword}
Updates host discovery keyword
Body parameter
{
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
keyword* | path | string | The name of the keyword to update. |
body | body | UpdateHostDiscoveryKeywordRequest | none |
Example responses
200 Response
{
"hostDiscoveryKeyword": {
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
],
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | UpdateHostDiscoveryKeywordResponse |
400 | Bad Request | Invalid request | None |
Hosts
Host management, which provides abilities to create and delete your hosts, as well as configure how they're monitored. You are also able to manage how hosts are discovered in this section.
In this section and elsewhere in the API, wherever we accept hostnames, we validate them and perform canonicalization: we convert them to lowercase, and strip the trailing dot if present. This means that the hosts we keep in the database will potentially be different at the character level from the hosts you input. However, they will be semantically the same.
Bulk create hosts
Code samples
POST /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /hosts
Adds one or more hosts to the account. No errors will be reported if the list includes one or more hosts that already exist. In that situation, the existing hosts will be treated in the same way as the new hosts when it comes to their status and group membership. New groups are added if required, but existing group memberships won't be affected. If the status
field is not provided then the initial host status will be automatically decided following the account rules for newly discovered hosts.
By default, if a hostname with the www
prefix is submitted, we strip the prefix and store only the parent domain. Our assessments always check both hostname variants. This behavior doesn't apply to special wholesale accounts.
Body parameter
{
"hostnames": [
"example.com"
],
"status": "monitored",
"axfr": "auto",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"name": "thename",
"algorithm": "HMAC_MD5",
"key": "base64key="
},
"groups": [
"production"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | CreateHostsRequest | Names of the hosts that are to be created, along with their initial status. |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | Hosts added to the account | None |
400 | Bad Request | Invalid request | None |
Bulk delete hosts
Code samples
DELETE /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
DELETE /hosts
Deletes one or more hosts from the account. This operation will
delete all the data exclusively associated with the specified hosts, as well as all
their history. The subdomains are also deleted if the subdomains
option is enabled.
Use the delete operation only on the hosts that have been added to your account by mistake,
in other words on the hosts that don't belong to you. For hosts that do belong to you but
you wish to ignore, set their status to archived
. Please note that not all host data
may be immediately deleted; for some data that may be shared among different hosts we
use reference counting via a garbage collection process that runs from time to time.
Role: Admin.
Body parameter
{
"hostnames": [
"example.com"
],
"subdomains": true,
"preview": true
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | DeleteHostsRequest | none |
Example responses
200 Response
{
"hostnames": [
"example.com"
],
"preview": true
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Hosts successfully deleted | DeleteHostsResponse |
400 | Bad Request | Invalid request | None |
Bulk update hosts
Code samples
POST /v1/org/{org}/hosts/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /hosts/*
Updates one or more hosts that are already stored in the account.
Body parameter
{
"hostnames": [
"example.com"
],
"preview": true,
"subdomains": true,
"changes": {
"status": "monitored",
"axfr": "enabled",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"algorithm": "HMAC_MD5",
"key": "base64key=",
"name": "thename"
},
"groupOp": "add",
"groups": [
"staging",
"development"
]
}
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateHostsRequest | none |
Example responses
200 Response
{
"hostnames": [
"example.com"
],
"preview": true
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Hosts successfully updated | UpdateHostsResponse |
400 | Bad Request | Invalid request | None |
Get host
Code samples
GET /v1/org/{org}/hosts/{hostname} HTTP/1.1
Host: api.hardenize.com
GET /hosts/{hostname}
Returns the host with the specified name.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
hostname* | path | string | The name of the host whose data you wish to retrieve. |
Example responses
200 Response
{
"host": [
{
"hostname": "🔥.hardenize.com",
"punyHostname": "xn--4v8h.hardenize.com",
"createdOn": "2024-12-20T16:02:26.594Z",
"status": "archived",
"axfr": "enabled",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"algorithm": "HMAC_MD5",
"name": "thename"
},
"lastAxfrTime": "2024-12-20T16:02:26.594Z",
"axfrError": "string",
"lastAxfrErrorTime": "2024-12-20T16:02:26.594Z",
"lastRegLookupTime": "2024-12-20T16:02:26.594Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"nx": true,
"nxTime": "2024-12-20T16:02:26.594Z",
"regRegistry": true,
"regPublic": true,
"regNx": false,
"regNxTime": "2024-12-20T16:02:26.595Z",
"lastAssessmentTime": "2024-12-20T16:02:26.595Z",
"assessmentError": "Host not found",
"lastAssessmentAttemptTime": "2024-12-20T16:02:26.595Z",
"groups": [
"mygroup"
],
"tags": [
"production"
],
"domainRegistrant": "string",
"domainRegistrarName": "string",
"domainStatuses": [
"string"
],
"domainCreationTime": "2024-12-20T16:02:26.595Z",
"domainExpireTime": "2024-12-20T16:02:26.595Z",
"domainRegistryLock": false,
"domainRegistrarLock": false,
"domainLookupStatus": "string",
"config": {},
"classificationStatus": "active",
"classificationTags": [
"signin"
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetHostResponse |
400 | Bad Request | Invalid request | None |
404 | Not Found | Host not found | None |
Get Host Screenshot
Code samples
GET /v1/org/{org}/hosts/{hostname}/screenshot HTTP/1.1
Host: api.hardenize.com
GET /hosts/{hostname}/screenshot
Returns screenshot for the specified host
Parameters
Parameter | In | Type | Description |
---|---|---|---|
hostname* | path | string | The name of the host whose screenshot you wish to retrieve. |
Example responses
200 Response
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | string |
400 | Bad Request | Invalid request | None |
404 | Not Found | Host not found | None |
Get host services
Code samples
GET /v1/org/{org}/hosts/{hostname}/services HTTP/1.1
Host: api.hardenize.com
GET /hosts/{hostname}/services
Returns the services, endpoints and certificates for a host with the specified name.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
hostname* | path | string | The name of the host whose data you wish to retrieve. |
extended | query | boolean | if set, returns host with extras field. Setting to false has no effect. |
Detailed descriptions
extended: if set, returns host with extras
field. Setting to false has no effect.
Example responses
200 Response
{
"hostServices": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.596Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.596Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
],
"certificates": [
{
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.596Z",
"notAfter": "2024-12-20T16:02:26.596Z",
"effectiveNotAfter": "2024-12-20T16:02:26.596Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.596Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
}
],
"extras": {
"hostname": "🔥.hardenize.com",
"punyHostname": "xn--4v8h.hardenize.com",
"createdOn": "2024-12-20T16:02:26.596Z",
"status": "archived",
"axfr": "enabled",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"algorithm": "HMAC_MD5",
"name": "thename"
},
"lastAxfrTime": "2024-12-20T16:02:26.596Z",
"axfrError": "string",
"lastAxfrErrorTime": "2024-12-20T16:02:26.596Z",
"lastRegLookupTime": "2024-12-20T16:02:26.596Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"nx": true,
"nxTime": "2024-12-20T16:02:26.596Z",
"regRegistry": true,
"regPublic": true,
"regNx": false,
"regNxTime": "2024-12-20T16:02:26.596Z",
"lastAssessmentTime": "2024-12-20T16:02:26.596Z",
"assessmentError": "Host not found",
"lastAssessmentAttemptTime": "2024-12-20T16:02:26.596Z",
"groups": [
"mygroup"
],
"tags": [
"production"
],
"domainRegistrant": "string",
"domainRegistrarName": "string",
"domainStatuses": [
"string"
],
"domainCreationTime": "2024-12-20T16:02:26.596Z",
"domainExpireTime": "2024-12-20T16:02:26.596Z",
"domainRegistryLock": false,
"domainRegistrarLock": false,
"domainLookupStatus": "string",
"config": {},
"classificationStatus": "active",
"classificationTags": [
"signin"
]
}
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetHostServicesResponse |
400 | Bad Request | Invalid request | None |
404 | Not Found | Host not found | None |
Get host stats
Code samples
GET /v1/org/{org}/hosts/;stats HTTP/1.1
Host: api.hardenize.com
GET /hosts/;stats
Returns host statistics from the database. If not returns 404 status.
Example responses
200 Response
{
"monitored": 0,
"archived": 0,
"idle": 0,
"total": 0,
"domains": 0,
"subdomains": 0
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetHostStatsResponse |
404 | Not Found | Host stats not found | None |
List hosts
Code samples
GET /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com
GET /hosts
Returns a list of all hosts in the account. If you provide one of the optional parameters, only the hosts matching the specified filters will be listed. If you provide multiple parameters, only the certificates matching all the specified filters will be listed.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
group | query | string | If set, returns only the hosts that belong to the specified group. |
hostname | query | string | If set, returns only the hosts whose names match the parameter. One or more hosts may be returned, depending on whether subdomains are being included. |
limit | query | integer | If set, returns only up to the specified number of hosts. |
nx | query | boolean | If set, returns only the hosts with nx matching this value |
origin | query | string | If set, returns only the hosts whose origin matches the parameter. |
status | query | string | If set, returns only the hosts whose statuses match the parameter. |
subdomains | query | boolean | If set, extends the host matching to include all subdomains of the specified name. Default: true. |
regRegistry | query | boolean | If set, extends the host matching to include all domains immediately under a registry suffix. |
regPublic | query | boolean | If set, extends the host matching to include all domains immediately under a public suffix. |
Enumerated Values
Parameter | Value |
---|---|
origin | cert |
origin | ct |
origin | hdb |
origin | manual |
status | monitored |
status | idle |
status | archived |
Example responses
200 Response
{
"hosts": [
{
"hostname": "🔥.hardenize.com",
"punyHostname": "xn--4v8h.hardenize.com",
"createdOn": "2024-12-20T16:02:26.598Z",
"status": "archived",
"axfr": "enabled",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"algorithm": "HMAC_MD5",
"name": "thename"
},
"lastAxfrTime": "2024-12-20T16:02:26.598Z",
"axfrError": "string",
"lastAxfrErrorTime": "2024-12-20T16:02:26.598Z",
"lastRegLookupTime": "2024-12-20T16:02:26.598Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"nx": true,
"nxTime": "2024-12-20T16:02:26.598Z",
"regRegistry": true,
"regPublic": true,
"regNx": false,
"regNxTime": "2024-12-20T16:02:26.598Z",
"lastAssessmentTime": "2024-12-20T16:02:26.598Z",
"assessmentError": "Host not found",
"lastAssessmentAttemptTime": "2024-12-20T16:02:26.598Z",
"groups": [
"mygroup"
],
"tags": [
"production"
],
"domainRegistrant": "string",
"domainRegistrarName": "string",
"domainStatuses": [
"string"
],
"domainCreationTime": "2024-12-20T16:02:26.598Z",
"domainExpireTime": "2024-12-20T16:02:26.598Z",
"domainRegistryLock": false,
"domainRegistrarLock": false,
"domainLookupStatus": "string",
"config": {},
"classificationStatus": "active",
"classificationTags": [
"signin"
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListHostsResponse |
400 | Bad Request | Invalid request | None |
Request hosts PDF report
Code samples
POST /v1/org/{org}/hosts/{hostname}/pdfReport HTTP/1.1
Host: api.hardenize.com
POST /hosts/{hostname}/pdfReport
Requests a PDF of a report for the specified host. The PDF will be generated asynchronously from the latest assessment results, and it wont trigger an assessment it's self.
Successful response file: PdfFile
Parameters
Parameter | In | Type | Description |
---|---|---|---|
hostname | path | undefined | The name of the host |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": true,
"statusCode": 200,
"contentType": "application/json; charset=UTF-8",
"pages": 10,
"rows": 2494,
"rowsPerPage": 250
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
Request zone transfer
Code samples
POST /v1/org/{org}/hosts/{hostname};zoneTransfer HTTP/1.1
Host: api.hardenize.com
POST /hosts/{hostname};zoneTransfer
Asynchronous operation. Requests a zone transfer for this name, using the configured settings. This endpoint is useful if you wish to test if a zone transfer can be successfully completed, or if you wish to inspect the state of a particular zone in real time.
DNS zone transfers are usually not allowed from public IP addresses. For this reason we perform this type of zone transfer from a separate set static IP addresses, also known as our integrations outbound addresses. You'll find them documented in your Hardenize account. However, even though these IP addresses uniquely identify us, they shouldn't be trusted as such, given that we use them for all our integrations traffic and all our customers.
Successful response data schema: ZoneTransferResponse
Parameters
Parameter | In | Type | Description |
---|---|---|---|
hostname* | path | string | The name of the host. |
Detailed descriptions
hostname: The name of the host.
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Identities
To find related domain names, we monitor all configuration aspects of your known domain names and hosts to extract your unique identities. With those in hand, we then continuously monitor global databases to discover new domain names associated with those identities.
Identities are automatically discovered, but need to be manually verified and enabled. This is
because the process of finding associated domains is not exact. Some identities, although
correct, can be considered to be weak because they will result in false positives. For
example, an identity digicert
may find DigiCert, Inc.
but also DigiCert Sdn. Bhd
. These
are two different companies. At the end of the day, it's up to you to determine if
a particular identity is useful. False positives create more work for you because they
beed to be manually reviewed and excluded, but sometimes there may not be a better way
to discover everything that needs to be discovered.
Delete identity
Code samples
DELETE /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com
DELETE /identities/{id}
Delete an existing identity. This endpoints should be used to remove identities that were mistakenly considered to be unique, after they are reviewed.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | integer | The ID of the identity to be deleted. |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | OK | None |
403 | Forbidden | Forbidden | None |
404 | Not Found | Not Found | None |
Get identity
Code samples
GET /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com
GET /identities/{id}
Returns the specified identity.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | integer | The ID of the identity to be fetched. |
Example responses
200 Response
{
"identity": {
"identityId": 11113,
"type": "dns_soa_rname",
"enabled": true,
"identity": "postmaster@example.com",
"createdOn": "2024-12-20T16:02:26.600Z",
"lastSeen": "2024-12-20T16:02:26.600Z",
"lastCheck": "2024-12-20T16:02:26.600Z",
"error": "Not a unique identity.",
"errorTime": "2024-12-20T16:02:26.600Z"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetIdentityResponse |
404 | Not Found | Identity doesn't exist | None |
List identities
Code samples
GET /v1/org/{org}/identities HTTP/1.1
Host: api.hardenize.com
GET /identities
Returns a list of all identities in the account.
Example responses
200 Response
{
"identities": [
{
"identityId": 11113,
"type": "dns_soa_rname",
"enabled": true,
"identity": "postmaster@example.com",
"createdOn": "2024-12-20T16:02:26.600Z",
"lastSeen": "2024-12-20T16:02:26.600Z",
"lastCheck": "2024-12-20T16:02:26.600Z",
"error": "Not a unique identity.",
"errorTime": "2024-12-20T16:02:26.600Z"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListIdentitiesResponse |
Update identity
Code samples
POST /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /identities/{id}
Updates the specified identity. The only supported operation is control of whether an identity is enabled, meaning it's actively used to discover associated assets. Only unique identities can be enabled. Normally, only unique identities will be added, but it's possible that an identity is identified as shared after the fact. Such identities will be automatically disabled and should be removed.
Body parameter
{
"enabled": true
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | integer | The ID of the identity to be updated. |
body | body | UpdateIdentityRequest | none |
Example responses
200 Response
{
"identity": {
"identityId": 11113,
"type": "dns_soa_rname",
"enabled": true,
"identity": "postmaster@example.com",
"createdOn": "2024-12-20T16:02:26.601Z",
"lastSeen": "2024-12-20T16:02:26.601Z",
"lastCheck": "2024-12-20T16:02:26.601Z",
"error": "Not a unique identity.",
"errorTime": "2024-12-20T16:02:26.601Z"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | UpdateIdentityResponse |
400 | Bad Request | Invalid request; details in the response | None |
404 | Not Found | Identity doesn't exist | None |
Integrations
The API endpoints in this section allow you to configure Hardenize to access information in third party systems that contain information about your infrastructure. For example, if you use AWS Route 53, we can pull information about your registered domains as well as the configured DNS zones.
Different types of integrations require different workflows. For example, some integrations (for example, Azure) require only parameters that can be obtained from the other vendor. In other cases (for example, AWS and GCP) you will need to get some data from us, submit it to the third-party, and finally come back to us again to finalize the integration. Please refer to the documentation for more information.
AWS: Setup integrations
Code samples
POST /v1/org/{org}/integrations/aws/;setup HTTP/1.1
Host: api.hardenize.com
POST /integrations/aws/;setup
Prepares your Hardenize account to support AWS integrations and returns the parameters that will need to be used on the AWS side.
Example responses
200 Response
{
"externalId": "hardenize-1uspdz"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | SetupAwsIntegrationsResponse |
403 | Forbidden | Forbidden | None |
Create integration
Code samples
POST /v1/org/{org}/integrations HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /integrations
Creates a new integration in your account.
Body parameter
{
"type": "aws",
"name": "My Test Integration",
"ref": "123456789012",
"tags": [
"production"
],
"enabled": true,
"config": {
"accountId": "string"
}
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | CreateIntegrationRequest | none |
Example responses
200 Response
{
"integration": {
"integrationId": 1,
"name": "My Test Integration",
"ref": "348394209898",
"type": "aws",
"enabled": true,
"tags": [
"production"
],
"error": "Invalid credentials for logging in to integration",
"errorTime": "2024-12-20T16:02:26.603Z",
"nextRunTime": "2024-12-20T16:02:26.603Z",
"lastRunTime": "2024-12-20T16:02:26.603Z",
"lastRunErrors": [
"Unable to obtain list of registered domain names."
],
"config": {
"accountId": "string"
}
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | CreateIntegrationResponse |
400 | Bad Request | Invalid request | None |
403 | Forbidden | Forbidden | None |
Delete integration
Code samples
DELETE /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com
DELETE /integrations/{integrationId}
Delete an existing integration.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
integrationId* | path | string | The ID of the integration to be used. |
Detailed descriptions
integrationId: The ID of the integration to be used.
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | OK | None |
403 | Forbidden | Forbidden | None |
404 | Not Found | Not Found | None |
GCP: Setup integrations
Code samples
POST /v1/org/{org}/integrations/gcp/;setup HTTP/1.1
Host: api.hardenize.com
POST /integrations/gcp/;setup
Prepares your Hardenize account to support GCP integrations and returns the parameters that will need to be used on the GCP side.
Example responses
200 Response
{
"serviceAccount": "integration-customer-abc123@hardenize-app-production.iam.gserviceaccount.com"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | SetupGcpIntegrationsResponse |
403 | Forbidden | Forbidden | None |
Get integration
Code samples
GET /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com
GET /integrations/{integrationId}
Retrieves one integration
Parameters
Parameter | In | Type | Description |
---|---|---|---|
integrationId* | path | string | The ID of the integration to be used. |
Detailed descriptions
integrationId: The ID of the integration to be used.
Example responses
200 Response
{
"integration": {
"integrationId": 1,
"name": "My Test Integration",
"ref": "348394209898",
"type": "aws",
"enabled": true,
"tags": [
"production"
],
"error": "Invalid credentials for logging in to integration",
"errorTime": "2024-12-20T16:02:26.604Z",
"nextRunTime": "2024-12-20T16:02:26.604Z",
"lastRunTime": "2024-12-20T16:02:26.604Z",
"lastRunErrors": [
"Unable to obtain list of registered domain names."
],
"config": {
"accountId": "string"
}
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetIntegrationResponse |
403 | Forbidden | Forbidden | None |
404 | Not Found | Not Found | None |
List integrations
Code samples
GET /v1/org/{org}/integrations HTTP/1.1
Host: api.hardenize.com
GET /integrations
Returns a list of currently configured integrations.
Example responses
200 Response
{
"integrations": [
{
"integrationId": 1,
"name": "My Test Integration",
"ref": "348394209898",
"type": "aws",
"enabled": true,
"tags": [
"production"
],
"error": "Invalid credentials for logging in to integration",
"errorTime": "2024-12-20T16:02:26.605Z",
"nextRunTime": "2024-12-20T16:02:26.605Z",
"lastRunTime": "2024-12-20T16:02:26.605Z",
"lastRunErrors": [
"Unable to obtain list of registered domain names."
],
"config": {
"accountId": "string"
}
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListIntegrationsResponse |
403 | Forbidden | Forbidden | None |
Request integration run
Code samples
POST /v1/org/{org}/integrations/{integrationId};run HTTP/1.1
Host: api.hardenize.com
POST /integrations/{integrationId};run
Request integration to run as soon as possible. This endpoint will scheduled the integration, updating the nextRunTime field. A background process will pick up the change and the integration should run within a few minutes. After the integration has run, the lastRunTime field will be updated.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
integrationId* | path | string | The ID of the integration to be used. |
Detailed descriptions
integrationId: The ID of the integration to be used.
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | OK | None |
400 | Bad Request | Invalid request (integration disabled) | None |
403 | Forbidden | Forbidden | None |
404 | Not Found | Not Found | None |
Test integration connectivity
Code samples
POST /v1/org/{org}/integrations/{integrationId};test HTTP/1.1
Host: api.hardenize.com
POST /integrations/{integrationId};test
Tests if the integration is correctly configured and we are able to successfully connect to the third-party system. If you're interested in the operation of an integration beyond authentication, use the run option, which will authenticate but also attempt to exercise all the configured functionality.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
integrationId* | path | string | The ID of the integration to be used. |
Detailed descriptions
integrationId: The ID of the integration to be used.
Example responses
200 Response
{
"success": false,
"error": "Failed to authenticate"
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | TestIntegrationResponse |
403 | Forbidden | Forbidden | None |
404 | Not Found | Not Found | None |
Update integration
Code samples
POST /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /integrations/{integrationId}
Update an existing integration
Body parameter
{
"name": "My Test Integration",
"ref": "348394209898",
"tags": [
"production"
],
"enabled": true,
"config": {
"accountId": "123456789012"
}
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateIntegrationRequest | none |
integrationId* | path | string | The ID of the integration to be used. |
Detailed descriptions
integrationId: The ID of the integration to be used.
Example responses
200 Response
{
"integration": {
"integrationId": 1,
"name": "My Test Integration",
"ref": "348394209898",
"type": "aws",
"enabled": true,
"tags": [
"production"
],
"error": "Invalid credentials for logging in to integration",
"errorTime": "2024-12-20T16:02:26.606Z",
"nextRunTime": "2024-12-20T16:02:26.606Z",
"lastRunTime": "2024-12-20T16:02:26.606Z",
"lastRunErrors": [
"Unable to obtain list of registered domain names."
],
"config": {
"accountId": "string"
}
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | UpdateIntegrationResponse |
400 | Bad Request | Invalid request | None |
403 | Forbidden | Forbidden | None |
404 | Not Found | Not Found | None |
Issues
Maturity: Under Development
The Issues subsystem is where we track actionable insights for aspects of network infrastructure that need to be worked on. At this time, for example, we generate issues for a variety of problems related to DNS configuration, domain name registration, CT monitoring, and certificate expiration.
An issue is given a unique identifier for tracking purposes. Their title
and description
will
explain the basics. Look at the subject
, subjectDomain
, and severity
fields to understand the
potential impact. Additional metadata fields are available to help you make sense of the
problem and its severity. Issue fields are documented in the Issue schema.
Conceptually, issues are simple. We create them when we encounter problems we think you might want to know about it. After that, you can choose to act on them. We automatically close issues when we detect that they are no longer manifesting.
Issue Lifecycle
At the most basic level, we track issues based on whether they are open or closed. This is done via
the open
field. An open issue points to something that needs to be worked on. Once the work is complete,
the issue is considered closed.
When nuance is required, the status
field is used to provide a more granular description of issue
status, describing, for example, how it will be dealt with or how it's been resolved.
Most issues will have one of the two main statuses:
-
active
- the default status for open issues. This status will remain until the issue is resolved or the status is changed to one of the manual statuses documented below. -
completed
- the work on the issue has been completed. For issues opened automatically, this means that the issue is no longer manifesting. The issue is considered closed.
Issues can have one of the following statuses if they are ignored or if dealing with them is postponed:
-
ignored
- the underlying problem hasn't been fixed, but the issue is not going to be addressed and should be considered closed. For example, you might want to use this status if the problem is considered to be insignificant or an acceptable risk. -
snoozed
- dealing with this issue has been postponed, either indefinitely or until a certain point of time, after which the status will revert back toactive
. The issue remains open, but will usually be hidden from the default view. -
bogus
- the issue is flagged as incorrect; the issue is considered closed. Every time you use this status we get a notification, which we may investigate to determine if our assessment needs tuning. If we're not sure why you flagged the issue as incorrect we may get in touch to discuss.
Finally, there are several status that we use when issues are no longer relevant:
-
orphaned
- the issue has been closed because it was attached to an asset that no longer exists or is no longer being monitored. The issue is closed. -
abandoned
- the issue is no longer being updated; this status is typically used for issues that are automatically created from monitoring, but monitoring is no longer taking place for some reason. This could sometimes happen if the nature of the subject changes (e.g., a domain stops being a DNS zone) and the issue falls down through the cracks or if the monitoring policy changes (e.g., you decide to no longer alert on low-severity problems). The issue is closed. -
deprecated
- used when the logic behind the issue no longer applies, typically because it is no longer relevant or it is superseded by another detection. The issue is closed.
Open issues can only be active
or snoozed
. Closed issues can take any of the other statuses.
In our current implementation, we support only issues that are created automatically from
infrastructure monitoring. They are also automatically closed. Until that happens, it's possible
to override the active status and change it to one of ignored
, snoozed
, or bogus
.
There is a periodic background process that looks for issues that are no longer relevant and
assigns them one of abandoned
, deprecated
, or orphaned
.
Get issue
Code samples
GET /v1/org/{org}/issues/{issueId} HTTP/1.1
Host: api.hardenize.com
GET /issues/{issueId}
Returns the issue that matches the supplied identifier.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
issueId* | path | integer | The identifier of the desired issue. |
Example responses
200 Response
{
"integration": {
"issueId": 10001,
"revision": 1,
"definitionId": "DNS1001",
"subject": "OPAQUE",
"subjectDomain": "example.com",
"title": "Dangling Resource Record",
"category": "DNS",
"severity": "high",
"cause": "OPAQUE",
"causeDomain": "nxdomain.example.com",
"causeIp": "192.168.1.1",
"open": true,
"status": "active",
"auto": true,
"autoOpen": true,
"autoPreservedStatus": "string",
"createdOn": "2022-06-17T00:00:00Z",
"lastClosed": "2022-06-17T00:00:00Z",
"lastUpdated": "2022-06-17T00:00:00Z",
"lastChecked": "2022-06-17T00:00:00Z",
"lastConfirmed": "2022-06-17T00:00:00Z",
"snoozedUntil": "2022-06-17T00:00:00Z",
"details": {
"@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
"rrDomain": "example.com",
"rrEffectiveDomain": "_xmpp-server._tcp.example.com",
"rrType": "SRV",
"danglingType": "nxdomain",
"causeDomain": "nxdomain.example.com"
},
"groups": [
"Product"
]
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetIssueResponse |
400 | Bad Request | Invalid request | None |
404 | Not Found | Issue not found | None |
List issues
Code samples
GET /v1/org/{org}/issues HTTP/1.1
Host: api.hardenize.com
GET /issues
Returns a list of issues. This endpoint provides partial issue information intended for lists and summaries. For example, issue details are not returned. Complete issue information can be retrieved by fetching an issue directly or by requesting a bulk transfer.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
open | query | boolean | If set, returns only issues that are open or closed as requested. |
status | query | string | If set, returns only issues that match the requested status. |
updatedSince | query | string(date-time) | If set, returns only issues created or updated since the provided timestamp. |
group | query | array[string] | If set, returns only issues that match ALL the requested groups. |
definitionIds | query | string | If set, should contain a comma separated list of definition ids to filter on |
Example responses
200 Response
{
"issues": [
{
"issueId": 10001,
"revision": 1,
"definitionId": "DNS1001",
"subject": "OPAQUE",
"subjectDomain": "example.com",
"title": "Dangling Resource Record",
"category": "DNS",
"severity": "high",
"cause": "OPAQUE",
"causeDomain": "nxdomain.example.com",
"causeIp": "192.168.1.1",
"open": true,
"status": "active",
"auto": true,
"autoOpen": true,
"autoPreservedStatus": "string",
"createdOn": "2022-06-17T00:00:00Z",
"lastClosed": "2022-06-17T00:00:00Z",
"lastUpdated": "2022-06-17T00:00:00Z",
"lastChecked": "2022-06-17T00:00:00Z",
"lastConfirmed": "2022-06-17T00:00:00Z",
"snoozedUntil": "2022-06-17T00:00:00Z",
"details": {
"@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
"rrDomain": "example.com",
"rrEffectiveDomain": "_xmpp-server._tcp.example.com",
"rrType": "SRV",
"danglingType": "nxdomain",
"causeDomain": "nxdomain.example.com"
},
"groups": [
"Product"
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListIssuesResponse |
400 | Bad Request | Invalid request | None |
403 | Forbidden | Forbidden | None |
Transfer issues
Code samples
POST /v1/org/{org}/issues/;transfer HTTP/1.1
Host: api.hardenize.com
POST /issues/;transfer
Initiates an issue transfer, which is an asynchronous operation. This operation is intended for transfer of complete issue information, which may involve a great number of issues as well as large amount of data.
Successful response data schema: ListIssuesResponse
Parameters
Parameter | In | Type | Description |
---|---|---|---|
open | query | boolean | If set, returns only issues that are open or closed as requested. |
status | query | string | If set, returns only issues that match the requested status. |
updatedSince | query | string(date-time) | If set, returns only issues created or updated since the provided timestamp. |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request | None |
403 | Forbidden | Forbidden | None |
Update issue
Code samples
POST /v1/org/{org}/issues/{issueId} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /issues/{issueId}
Updates an issue. At this time we support setting issue status to one of
bogus
, ignored
, or snoozed
. Setting status to bogus
and ignored
causes the issue to be permanently dismissed and thus closed. The use
of the snooze
status requires that snoozeTimestamp
is set.
Body parameter
{
"status": "snoozed",
"snoozedUntil": "2022-06-17T00:00:00.000Z"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | UpdateIssueRequest | none |
issueId* | path | integer | The identifier of the desired issue. |
Example responses
200 Response
{
"integration": {
"issueId": 10001,
"revision": 1,
"definitionId": "DNS1001",
"subject": "OPAQUE",
"subjectDomain": "example.com",
"title": "Dangling Resource Record",
"category": "DNS",
"severity": "high",
"cause": "OPAQUE",
"causeDomain": "nxdomain.example.com",
"causeIp": "192.168.1.1",
"open": true,
"status": "active",
"auto": true,
"autoOpen": true,
"autoPreservedStatus": "string",
"createdOn": "2022-06-17T00:00:00Z",
"lastClosed": "2022-06-17T00:00:00Z",
"lastUpdated": "2022-06-17T00:00:00Z",
"lastChecked": "2022-06-17T00:00:00Z",
"lastConfirmed": "2022-06-17T00:00:00Z",
"snoozedUntil": "2022-06-17T00:00:00Z",
"details": {
"@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
"rrDomain": "example.com",
"rrEffectiveDomain": "_xmpp-server._tcp.example.com",
"rrType": "SRV",
"danglingType": "nxdomain",
"causeDomain": "nxdomain.example.com"
},
"groups": [
"Product"
]
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetIssueResponse |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
404 | Not Found | Issue not found | None |
Network Ranges
Add, remove, and update your network ranges. If your organization has access to network scanning in Hardenize, you can also optionally enable scanning for a network range. At this time, scanning is available immediately for IPv4 ranges up to a /22. We manually enable scanning of larger ranges, usually after discussing the requirements with the customer. We don't scan IPv6 ranges.
Create network range
Code samples
POST /v1/org/{org}/networkRanges HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /networkRanges
Creates a new network range. The range can not overlap any existing range. The label you choose should be short. "scan" is optional and will only be allowed if your organization has that feature enabled and the range is suitably small: /24 for IPv4 and /128 for IPv6.
Body parameter
{
"label": "DC01 Public",
"description": "Public IP range for London data center",
"range": "192.168.1.0/24",
"scan": true,
"tags": [
"production"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | NetworkRange | none |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | Network range created | None |
400 | Bad Request | Invalid parameters | None |
403 | Forbidden | Insufficient permissions to perform operation | None |
Delete network range
Code samples
DELETE /v1/org/{org}/networkRanges/{range} HTTP/1.1
Host: api.hardenize.com
DELETE /networkRanges/{range}
Deletes a network range if it exists
Parameters
Parameter | In | Type | Description |
---|---|---|---|
range* | path | string | The network range to delete. |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | Network range deleted | None |
403 | Forbidden | Insufficient permissions to perform operation | None |
404 | Not Found | Network range not found | None |
List network ranges
Code samples
GET /v1/org/{org}/networkRanges HTTP/1.1
Host: api.hardenize.com
GET /networkRanges
Returns all configured network ranges.
Example responses
200 Response
{
"networkRanges": [
{
"label": "DC01 Public",
"description": "Public IP range for London data center",
"range": "192.168.1.0/24",
"scan": true,
"tags": [
"production"
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListNetworkRangesResponse |
Update network range
Code samples
POST /v1/org/{org}/networkRanges/{range} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /networkRanges/{range}
Update the label/description/scan of a network range
Body parameter
{
"label": "DC01 Public",
"description": "Public IP range for London data center",
"scan": true,
"tags": [
"production"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
range* | path | string | The network range to update. |
body | body | UpdateNetworkRangeRequest | none |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | Network range updated | None |
400 | Bad Request | Invalid parameters | None |
403 | Forbidden | Insufficient permissions to perform operation | None |
404 | Not Found | Network range not found | None |
Operations
For activities that may take a long time, we support asynchronous operations that enable you to submit a request and disconnect while our servers continue to work on the requested task. The documentation for each API endpoint will indicate if asynchronous operation is supported and whether it's required or optional.
When a request to do some work asynchronously is submitted, we respond with the 202 Accepted
response, indicating
that work is being scheduled but that it is not yet completed. This is in contrast to the standard 200 OK
response
that you get when a request is immediately completed. When you see a 202 response, the body of the response will
include an OperationStatus
object that tracks the status of the requested work. For example:
HTTP/1.1 202 Accepted
Content-Type: application/vnd.hardenize.v1.operation-status+json; charset=UTF-8
Location: /v1/org/{org}/operations/6e7b190fa8d4ba14f707
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
The best way to think about asynchronous work is that your initial request creates a task which, when complete, produces some results. The task status and its results are two separate resources.
We also provide a set of endpoints that enable you to monitor operation progress. When an operation is created it is assigned a unique identifier, which is part of the operation status. Once you know this identifier you can use it to look up the updated operation status. In addition, the 202 response includes a Location header that contains a link to the operation status.
From this point, the expected workflow is that you will periodically poll the Get Operation
endpoint and monitor
the value in the done
field, which will start as false
and change to true
when the work is completed.
At this point the statusCode
field will contain the final value, which should be interpreted as the HTTP status code
you would have received had the operation been invoked synchronously. Additionally, the status object main
contain further information about the results, for example the number of pages and rows per page. For example:
HTTP/1.1 200 OK
Content-Type: application/vnd.hardenize.v1.operation-status+json; charset=UTF-8
{
"id": "6e7b190fa8d4ba14f707",
"done": true,
"statusCode": 200,
"pages": 100,
"rows": 99754,
"rowsPerPage": 1000
}
If the status code is 200 OK
, then the operation has been successful and you can retrieve the results with a further
GET method to the Get Operation Results
endpoint. Depending on the operation, results may be available on failure
as well. In that situation, for example, the results may include further error information.
If you attempt to access operation results before they're ready, you will be redirected to the Get Operation
endpoint with a 303 See Other
response. In this case, the response body will also include the operation status.
If you observe a 404 Not Found
response, that means that the operation has expired and
should be submitted again if desired. The server will make a best-effort attempt to preserve operation results for
as long as possible, but the expectation is that the results will be consumed immediately as they become available.
In case of partial (paginated) access, it is recommended that the results are collected in under
one hour.
Cancel Operation
Code samples
DELETE /v1/org/{org}/operations/{id} HTTP/1.1
Host: api.hardenize.com
DELETE /operations/{id}
Requests cancellation of the operation with the supplied identifier. The server will attempt to carry out the request, but there are no guarantees that the operation will be successful. Clients that request operations that take a long time (and thus probably require significant resources) should always cancel if they give up waiting.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | Operation identifier |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Cancellation request accepted | None |
400 | Bad Request | Invalid parameters | None |
404 | Not Found | Operation not found | None |
Get Operation Results
Code samples
GET /v1/org/{org}/operations/{id}/results HTTP/1.1
Host: api.hardenize.com
GET /operations/{id}/results
Retrieves the results generated by the operation with the supplied identifier. If the operation completed,
this endpoint will deliver the same data as if the operation were invoked directly and completed in the
same HTTP request. The original operation HTTP status code will be placed in the X-Operation-Status-Code
response header. This is done to distinguish failures of the API from operation failures.
If this endpoint is called while the operation is still in progress, this endpoint will respond with the 303
status code and include the operation status information in the response body.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | Operation identifier |
Example responses
303 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": true,
"statusCode": 200,
"contentType": "application/json; charset=UTF-8",
"pages": 10,
"rows": 2494,
"rowsPerPage": 250
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Operation results are in the response body | None |
206 | Partial Content | Partial results are in the response body | None |
303 | See Other | Operation not yet completed | OperationStatus |
400 | Bad Request | Invalid request | None |
404 | Not Found | Operation not found | None |
Get Operation Status
Code samples
GET /v1/org/{org}/operations/{id} HTTP/1.1
Host: api.hardenize.com
GET /operations/{id}
Retrieves the status of the operation with the supplied identifier.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | Operation identifier |
Example responses
200 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": true,
"statusCode": 200,
"contentType": "application/json; charset=UTF-8",
"pages": 10,
"rows": 2494,
"rowsPerPage": 250
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Request successful | OperationStatus |
400 | Bad Request | Invalid parameters | None |
404 | Not Found | Operation not found | None |
Reports
Maturity: Under Development
In the Report section of the API we provide summaries of the reports done for your monitored hosts. This is the same information that's available in the web application under the Hosts navigation. This section of the API is transient and will be replaced with a more comprehensive implementation in the near future. That's why we have the zero ("0") in the endpoint path.
List reports
Code samples
GET /v1/org/{org}/reports0 HTTP/1.1
Host: api.hardenize.com
GET /reports0
Returns all available reports. If you provide one of the optional parameters, only the reports matching the specified filters will be listed. If you provide multiple parameters, only the reports matching all the specified filters will be listed.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
format | query | string | Response format. Default: json. |
name | query | string | The name of the host whose report summary you wish to retrieve. |
subdomains | query | boolean | If set, extends the host matching to include all subdomains of the specified name. Default: false. |
group | query | string | If set, returns only the summaries for hosts that belong to the specified group. |
Enumerated Values
Parameter | Value |
---|---|
format | csv |
format | json |
Example responses
200 Response
{
"reports": [
{
"hostname": "example.com",
"status": "completed",
"reportTime": "2018-10-10T15:36:49.044Z",
"hasDnssec": true,
"hasSmtp": true,
"hasSmtpTls": true,
"hasSmtpDane": true,
"hasSpf": true,
"hasDmarc": true,
"hasHttp": true,
"hasHttps": true,
"hasHttpsDane": true,
"hasHttpsRedirection": true,
"hasHttpsTls12OrBetter": true,
"hasSsl2": true,
"hasSsl3": true,
"hasTls10": true,
"hasTls11": true,
"hasTls12": true,
"hasTls13": true,
"supportsSsl2": true,
"supportsSsl3": true,
"supportsTls10": true,
"supportsTls11": true,
"supportsTls12": true,
"supportsTls13": true,
"hasHsts": true,
"hasHstsPreloaded": true,
"nameServers": "string",
"dnssec": "string",
"emailTls": "string",
"emailDane": "string",
"spf": "string",
"dmarc": "string",
"wwwTls": "string",
"wwwDane": "string",
"wwwXssProtection": "string",
"wwwXssProtectionEnabled": true,
"wwwXcto": true,
"hsts": "string",
"hpkp": "string",
"cookies": "string",
"mixedContent": "string",
"securityHeaders": "string",
"csp": "string"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListReports0Response |
Request Certificates Report
Code samples
POST /v1/org/{org}/reports/certificates HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /reports/certificates
Maturity: Under Development
Request certificates report.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: CertificateReportResponse
Body parameter
{
"group": "productgroup",
"limit": 100,
"format": "csv",
"active": true,
"revoked": true,
"expiring": true,
"expiringDays": 10
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | CertificateReportRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Request DMARC Report
Code samples
POST /v1/org/{org}/reports/dmarc HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /reports/dmarc
Maturity: Under Development
Request DMARC report.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: DmarcReportResponse
Body parameter
{
"group": "productgroup",
"limit": 100,
"format": "csv",
"tags": [
"test"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | DmarcReportRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Request Domains Report
Code samples
POST /v1/org/{org}/reports/domains HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /reports/domains
Maturity: Under Development
Request domains report.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: DomainsReportResponse
Body parameter
{
"group": "productgroup",
"limit": 100,
"format": "csv"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | DomainsReportRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Request Expiring Certificates Report
Code samples
POST /v1/org/{org}/reports/certificates/expiringEndpoints HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /reports/certificates/expiringEndpoints
Maturity: Under Development
Request expiring certificates report.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: CertificateExpiringEndpointsReportResponse
Body parameter
{
"group": "productgroup",
"limit": 100,
"integration": "Entrust Dev",
"format": "csv"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | CertificateExpiringEndpointsReportRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Request Host Discoveries Report
Code samples
POST /v1/org/{org}/reports/hostDiscoveries HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /reports/hostDiscoveries
Maturity: Under Development
Request host discoveries report.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: DiscoveryHostReportResponse
Body parameter
{
"limit": 100,
"format": "csv"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | DiscoveryHostReportRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Request Hosts Report
Code samples
POST /v1/org/{org}/reports/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /reports/hosts
Maturity: Under Development
Request host discoveries report.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: HostsReportResponse
Body parameter
{
"group": "productgroup",
"limit": 100,
"format": "csv"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | HostsReportRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Request Ip Addresses Report
Code samples
POST /v1/org/{org}/reports/ipAddresses HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /reports/ipAddresses
Maturity: Under Development
Request ip addresses report.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: IpAddressReportResponse
Body parameter
{
"group": "productgroup",
"limit": 100,
"format": "csv"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | IpAddressReportRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Request Issues Report
Code samples
POST /v1/org/{org}/reports/issues HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /reports/issues
Maturity: Under Development
Request issues report.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: IssuesReportResponse
Body parameter
{
"type": "active",
"limit": 100,
"format": "csv"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | IssuesReportRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Request Network Ranges Report
Code samples
POST /v1/org/{org}/reports/networkRanges HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /reports/networkRanges
Maturity: Under Development
Request network ranges report.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: NetworkRangesReportResponse
Body parameter
{
"limit": 100,
"format": "csv",
"tags": [
"test"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | NetworkRangesReportRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Request Open Ports Report
Code samples
POST /v1/org/{org}/reports/openPorts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /reports/openPorts
Maturity: Under Development
Request open ports report.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: OpenPortsReportResponse
Body parameter
{
"address": "192.168.1.1",
"port": 443,
"transport": "tcp",
"service": "other",
"hostname": "example.com",
"limit": 100,
"format": "csv"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | OpenPortsReportRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Request Spf Report
Code samples
POST /v1/org/{org}/reports/spf HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /reports/spf
Maturity: Under Development
Request spf report.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Successful response data schema: SpfReportResponse
Body parameter
{
"group": "productgroup",
"limit": 100,
"format": "csv",
"tags": [
"test"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | SpfReportRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Report Cards
Maturity: Under Development
In the Report section of the API we provide summaries of the report cards done for your monitored hosts.
List report cards
Code samples
GET /v1/org/{org}/reportCards HTTP/1.1
Host: api.hardenize.com
GET /reportCards
Maturity: Under Development
Retrieves all report cards.
Returns all available report cards. If you provide one of the optional parameters, only the report cards matching the specified filters will be listed. If you provide multiple parameters, only the report cards matching all the specified filters will be listed.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
group | query | string | If set, returns only the report cards that belong to the specified group. |
newSince | query | string(date-time) | If set, returns only report cards added to the account since the specified date. |
Detailed descriptions
group: If set, returns only the report cards that belong to the specified group.
Example responses
200 Response
{
"reportCards": [
{
"reportVersion": 1,
"domainPunycode": "example.com",
"domainUnicode": "example.com",
"available": true,
"hardenizeVersion": "v1.1603.1",
"timestamp": "2024-12-20T16:02:26.619Z",
"sections": [
{
"id": "SECTION_DOMAIN",
"name": "Domain",
"items": [
{
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
}
]
}
]
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListReportCardsResponse |
400 | Bad Request | Invalid parameters | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Retrieves a report card for a specified hostname
Code samples
GET /v1/org/{org}/reportCards/{hostname} HTTP/1.1
Host: api.hardenize.com
GET /reportCards/{hostname}
Maturity: Under DevelopmentRetrieves a report card for the specified hostname.
Returns all available report cards. If you provide one of the optional parameters, only the report cards matching the specified filters will be listed. If you provide multiple parameters, only the report cards matching all the specified filters will be listed.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
hostname* | path | string | If set, returns only the report card for the specified hostname. |
Detailed descriptions
hostname: If set, returns only the report card for the specified hostname.
Example responses
200 Response
{
"reportCard": {
"reportVersion": 1,
"domainPunycode": "example.com",
"domainUnicode": "example.com",
"available": true,
"hardenizeVersion": "v1.1603.1",
"timestamp": "2024-12-20T16:02:26.619Z",
"sections": [
{
"id": "SECTION_DOMAIN",
"name": "Domain",
"items": [
{
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
}
]
}
]
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetReportCardResponse |
400 | Bad Request | Invalid parameters | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Suborganizations
Depending on the type of subscription, organization accounts can be configured to allow creation of nested organizations. These suborganizations are designed to be fully independent, although it's possible to retain some level of control over them via the parent account.
New suborganizations support the same API endpoints, although the capabilities
will typically be different to that of the parent account. To access a suborganization
via this API, first use the parent account to create a new set of master API credentials.
Subsequently, use the new credentials to access the suborganization directly. Do
note that the suborganization identifiers exposed by this API are relative to that
of the parent account. When accessing suborganization APIs directly you need to
use the complete account identifier, which will be in the form of parent.child
.
Attempting to use an incorrect identifier will result in a 404 response.
Create Organization
Code samples
POST /v1/org/{org}/suborgs HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /suborgs
Creates a new suborganization under this account. If successful, this endpoint returns full information about the newly-created organization.
Body parameter
{
"id": "7f070931-0cfb-41cb-bb05-98a792d238b1",
"name": "Hardenize",
"label": "hardenize",
"status": "active",
"certLimitHard": 1000,
"commercialStatus": "internal",
"generateApiCredentials": true,
"hostDiscoveryAutoimportSubdomains": false,
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostDiscoveryEnabled": true,
"hostDiscoveryLimitHard": 10000,
"hostLimitHard": 1000,
"featureHostDiscovery": false,
"featureMfa": false,
"featureSaml": false
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | CreateOrgRequest | none |
Example responses
200 Response
{
"org": {
"id": "hardenize",
"name": "Hardenize",
"status": "active",
"commercialStatus": "internal",
"apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
"apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
"hostDiscoveryAutoimportSubdomains": true,
"hostDiscoveryEnabled": true,
"hostDiscoveryError": "string",
"hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostLimitHard": 10000,
"hostDiscoveryLimitHard": 10000,
"certLimitHard": 75000,
"featureHostDiscovery": false,
"featureMfa": false,
"featureSaml": false
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Organization created | CreateOrgResponse |
400 | Bad Request | Invalid parameters or organization with the supplied id or name already exists. |
None |
403 | Forbidden | Account doesn't support suborganizations | None |
Delete Organization
Code samples
DELETE /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com
DELETE /suborgs/{id}
Permanently deletes one nested organization. Because this operation
is irreversible and thus quite dangerous, this endpoint is typically disabled by default, and may be
enabled on sandbox accounts only. The recommended way to delete organizations is to set the
status to deleted
.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | Organization identifier. |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | Organization deleted | None |
403 | Forbidden | Account doesn't support suborganizations, or the delete operation not permitted | None |
404 | Not Found | Organization doesn't exist | None |
Get Organization
Code samples
GET /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com
GET /suborgs/{id}
Returns the specified nested organization.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | Organization identifier. |
Example responses
200 Response
{
"suborg": {
"id": "hardenize",
"name": "Hardenize",
"status": "active",
"commercialStatus": "internal",
"apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
"apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
"hostDiscoveryAutoimportSubdomains": true,
"hostDiscoveryEnabled": true,
"hostDiscoveryError": "string",
"hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostLimitHard": 10000,
"hostDiscoveryLimitHard": 10000,
"certLimitHard": 75000,
"featureHostDiscovery": false,
"featureMfa": false,
"featureSaml": false
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | GetOrgResponse |
403 | Forbidden | Account doesn't support suborganizations | None |
404 | Not Found | Organization doesn't exist | None |
List Organizations
Code samples
GET /v1/org/{org}/suborgs HTTP/1.1
Host: api.hardenize.com
GET /suborgs
Returns a complete list of all organizations nested under this account.
Example responses
200 Response
{
"orgs": [
{
"id": "hardenize",
"name": "Hardenize",
"status": "active",
"commercialStatus": "internal",
"apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
"apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
"hostDiscoveryAutoimportSubdomains": true,
"hostDiscoveryEnabled": true,
"hostDiscoveryError": "string",
"hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostLimitHard": 10000,
"hostDiscoveryLimitHard": 10000,
"certLimitHard": 75000,
"featureHostDiscovery": false,
"featureMfa": false,
"featureSaml": false
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | ListOrgsResponse |
403 | Forbidden | Account doesn't support suborganizations | None |
Update Organization
Code samples
POST /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /suborgs/{id}
Updates the desired nested organization.
Body parameter
{
"name": "Hardenize",
"status": "active",
"commercialStatus": "internal",
"generateApiCredentials": false,
"hostDiscoveryAutoimportSubdomains": true,
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostDiscoveryEnabled": true,
"hostDiscoveryLimitHard": 10000,
"hostLimitHard": -1,
"featureHostDiscovery": true,
"featureMfa": false,
"featureSaml": false
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | string | Organization identifier. |
body | body | UpdateOrgRequest | none |
Example responses
200 Response
{
"suborg": {
"id": "hardenize",
"name": "Hardenize",
"status": "active",
"commercialStatus": "internal",
"apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
"apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
"hostDiscoveryAutoimportSubdomains": true,
"hostDiscoveryEnabled": true,
"hostDiscoveryError": "string",
"hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostLimitHard": 10000,
"hostDiscoveryLimitHard": 10000,
"certLimitHard": 75000,
"featureHostDiscovery": false,
"featureMfa": false,
"featureSaml": false
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | OK | UpdateOrgResponse |
403 | Forbidden | Account doesn't support suborganizations | None |
404 | Not Found | Organization doesn't exist | None |
Search
Maturity: Under Development
At the Business tier and higher, Hardenize accounts include a search
engine that's updated in real time whenever new data becomes available. The search engine
contains multiple indexes, each tracking a different type of data. At this time,
we support the network
and certificates
indexes. Our search engine is based
on Elasticsearch, a de-facto standard.
Request search
Code samples
POST /v1/org/{org}/search HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /search
Request a search to the search engine. The index
parameter should contain the
desired index and the query
parameter should contain the desired query in the
Elasticsearch query format. By default, the results will be in JSON format. If
you wish CSV output instead, supply a list of field names in the columns
parameter. Please note that, as a limitation of Elasticsearch, array fields
cannot be placed in CSV output in their entirety; only the first value will be.
This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.
Body parameter
{
"index": "network",
"query": "pki.certs.sha256:f7e960995532d54a845f70e9f3430fccda1f7f3925f874ab50e8105777764d74",
"limit": 10,
"columns": [
"hostname",
"address",
"port"
]
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | CreateSearchRequest | none |
Example responses
202 Response
{
"id": "6e7b190fa8d4ba14f707",
"done": false,
"statusCode": 202
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
202 | Accepted | Operation accepted | OperationStatus |
400 | Bad Request | Invalid request; details in the response | None |
403 | Forbidden | Not allowed to access this endpoint | None |
503 | Service Unavailable | Service not able to process request | None |
Users
This section provides support for user management, covering both accounts with access to the application as well as service accounts, a special type of account that's designed for API access.
Cancel invite
Code samples
POST /v1/org/{org}/users/{id};cancelInvite HTTP/1.1
Host: api.hardenize.com
POST /users/{id};cancelInvite
Cancels invitation for this user, if it has not already been accepted. Role: Admin.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | integer | User identifier |
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
204 | No Content | User invite cancelled | None |
400 | Bad Request | Invalid parameters | None |
403 | Forbidden | You don't have permission to perform this operation. | None |
404 | Not Found | User with given email doesn't exist within organization | None |
Create service account
Code samples
POST /v1/org/{org}/users;serviceAccount HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /users;serviceAccount
Creates a new service account. Role: Admin.
Body parameter
{
"name": "Data fetcher",
"role": "observer",
"expirationTime": "2024-12-20T16:02:26.623Z"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | CreateServiceAccountRequest | none |
Example responses
201 Response
{
"user": {
"userId": 10001,
"email": "postmaster@example.com",
"name": "Bob",
"status": "active",
"serviceAccount": true,
"expirationTime": "2024-12-20T16:02:26.623Z",
"password": "61cec76600adc8b7aa522a5078f7c837",
"mfaEnabled": false,
"role": "observer"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | Service account created | GetUserResponse |
400 | Bad Request | Invalid parameters | None |
403 | Forbidden | You don't have permission to perform this operation. | None |
Get user
Code samples
GET /v1/org/{org}/users/{id} HTTP/1.1
Host: api.hardenize.com
GET /users/{id}
Retrieves the available information for the requested user account.
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | integer | User identifier |
Example responses
200 Response
{
"user": {
"userId": 10001,
"email": "postmaster@example.com",
"name": "Bob",
"status": "active",
"serviceAccount": true,
"expirationTime": "2024-12-20T16:02:26.624Z",
"password": "61cec76600adc8b7aa522a5078f7c837",
"mfaEnabled": false,
"role": "observer"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | User | GetUserResponse |
404 | Not Found | User with given email doesn't exist within organization | None |
Invite new user
Code samples
POST /v1/org/{org}/users;invite HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /users;invite
Invites a new user to the organization. When this endpoint is used, an email is sent to the provided email address, asking the user to join the organization.
Body parameter
{
"name": "Bob",
"email": "postmaster@example.com",
"role": "observer"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
body | body | InviteUserRequest | none |
Example responses
201 Response
{
"user": {
"userId": 10001,
"email": "postmaster@example.com",
"name": "Bob",
"status": "active",
"serviceAccount": true,
"expirationTime": "2024-12-20T16:02:26.624Z",
"password": "61cec76600adc8b7aa522a5078f7c837",
"mfaEnabled": false,
"role": "observer"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
201 | Created | User invited | GetUserResponse |
400 | Bad Request | Invalid parameters | None |
403 | Forbidden | You don't have permission to perform this operation. | None |
List users
Code samples
GET /v1/org/{org}/users HTTP/1.1
Host: api.hardenize.com
GET /users
Lists users that belong to the organization. We don't store user passwords raw in our database and so they will not be provided. Use the password reset function instead.
Example responses
200 Response
{
"users": [
{
"userId": 10001,
"email": "postmaster@example.com",
"name": "Bob",
"status": "active",
"serviceAccount": true,
"expirationTime": "2024-12-20T16:02:26.625Z",
"password": "61cec76600adc8b7aa522a5078f7c837",
"mfaEnabled": false,
"role": "observer"
}
]
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | Users | ListUsersResponse |
Update user
Code samples
POST /v1/org/{org}/users/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json
POST /users/{id}
Updates the specified user. Role: Admin.
Body parameter
{
"name": "Bob",
"deleteMfa": true,
"resetPassword": true,
"expirationTime": "2024-12-20T16:02:26.625Z",
"status": "retired",
"role": "observer"
}
Parameters
Parameter | In | Type | Description |
---|---|---|---|
id* | path | integer | User identifier |
body | body | UpdateUserRequest | none |
Example responses
200 Response
{
"user": {
"userId": 10001,
"email": "postmaster@example.com",
"name": "Bob",
"status": "active",
"serviceAccount": true,
"expirationTime": "2024-12-20T16:02:26.625Z",
"password": "61cec76600adc8b7aa522a5078f7c837",
"mfaEnabled": false,
"role": "observer"
}
}
Responses
Status | Meaning | Description | Schema |
---|---|---|---|
200 | OK | User updated | GetUserResponse |
400 | Bad Request | Invalid parameters | None |
403 | Forbidden | You don't have permission to perform this operation. | None |
404 | Not Found | User with given email doesn't exist within organization | None |
Schemas
cidr
"127.0.0.1/32"
IP address range in CIDR notation.
Properties
Name | Type | Description |
---|---|---|
anonymous | string | IP address range in CIDR notation. |
GetAssessmentStatusResponse
{
"assessment": {
"id": "81763d1c-3722-4e66-89ef-b811844bc46c",
"host": "example.com",
"path": "/",
"unicodeHost": "example.com",
"status": "available",
"statusMessage": null,
"epochTime": 1710773815,
"statTcpConnections": 51,
"statTcpEndpointsCount": 12,
"expectedTcpConnections": 50,
"expectedDuration": 0
}
}
Properties
Name | Type | Description |
---|---|---|
assessment | AssessmentStatus | Contains information about the status of an assessment. |
CreateAssessmentRequest
{
"hostname": "example.com",
"clearCache": false
}
Contains information needed to create new assessment
Properties
Name | Type | Description |
---|---|---|
hostname | string | none |
clearCache | boolean | none |
AssessmentStatus
{
"id": "81763d1c-3722-4e66-89ef-b811844bc46c",
"host": "example.com",
"path": "/",
"unicodeHost": "example.com",
"status": "available",
"statusMessage": null,
"epochTime": 1710773815,
"statTcpConnections": 51,
"statTcpEndpointsCount": 12,
"expectedTcpConnections": 50,
"expectedDuration": 0
}
Contains information about the status of an assessment.
Properties
Name | Type | Description |
---|---|---|
id | string | none |
host | string | Name of the host for which the assessment is done. |
path | string | Denotes if it is a root assessment. |
unicodeHost | string | Hostname converted to unicode. |
status | string | Status of the assessment. |
statusMessage | string | none |
epochTime | integer | . |
statTcpConnections | integer | Total number of TCP connections created during the assessment. |
statTcpEndpointsCount | integer | Total number of IP addresses communicated with. |
expectedTcpConnections | integer | Total number of TCP connections we are expecting, available only for repeated assessments. |
expectedDuration | integer | Expected duration of the assessment. |
Enumerated Values
Property | Value |
---|---|
status | not_available |
status | queued |
status | in_progress |
status | failed |
status | completed |
status | available |
AuditEvent
{
"id": 10001,
"actorType": "u",
"actorId": "userId:12090749",
"actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
"timestamp": "2018-09-03T14:09:59.000Z",
"remoteAddr": "18.233.176.231",
"sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
"resourceType": "user",
"resourceId": "12090749",
"action": "user.auth.succeeded",
"status": 200,
"details": {
"method": "password"
}
}
Contains information about one audit log event.
Properties
Name | Type | Description |
---|---|---|
id* | integer | none |
actorType* | string | Indicates whether the action was carried by an anonymous actor before authentication (a ), the system (s ), or by an authenticated user or organization (u ). |
actorId | string | Contains a unique identifier associated with the actor. This value will typically contain a reference to a user, with a prefix userId or to an organization, with a prefix orgId: . The value is stable over the long term. |
actorName | string | Contains further information that describes the actor. For users it may contain the name and email address. For organizations, the name. The value here may should not be considered stable as it may change over time, if users or organizations are renamed. |
timestamp* | string(date-time) | The UTC timestamp of the event. |
remoteAddr | string | The remote IP address of the actor. Not available for system events. |
sessionId | string | The actor's unique session identifier. Not available for system events. Please note that we regenerate session IDs after each successful authentication. As a result, you may see one ID at the point when authentication takes place, then another ID immediately after, when we record the sign-in event. |
userAgent | string | The user agent associated with the event. Not all events will have this field, but key events associated with user activity will. |
resourceType* | string | Indicates resource type. |
resourceId* | string | The unique identifier associated with the resource. |
action* | string | The unique action identifier. |
status* | integer | Status of the event as a HTTP status code. |
details | object | Contains additional information specific to the audit event. This field should be considered informational at this point in time. |
Enumerated Values
Property | Value |
---|---|
actorType | a |
actorType | s |
actorType | u |
action | org.user.deleted |
action | org.user.disabled |
action | org.user.enabled |
action | org.user.invited |
action | org.user.uninvited |
action | org.user.joined |
action | org.user.profile_changed |
action | org.user.session_started |
action | user.created |
action | user.deleted |
action | user.email_changed |
action | user.profile_changed |
action | user.auth.mfa_removed_by_admin |
action | user.auth.password_changed |
action | user.auth.password_reset_requested |
action | user.auth.password_reset |
action | user.auth.password_reset_by_admin |
action | user.auth.failed |
action | user.auth.forbidden |
action | user.auth.signed_in |
action | user.auth.signed_out |
action | user.auth.succeeded |
CertDiscoverySummary
{
"certDiscoveryId": 11766,
"certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"createdOn": "2022-06-17T00:00:00Z",
"updatedOn": "2022-06-17T00:00:00Z",
"closedOn": "2022-06-17T00:00:00Z",
"escalated": false,
"status": "open",
"resolution": "undetermined",
"certSummary": {
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.627Z",
"notAfter": "2024-12-20T16:02:26.627Z",
"effectiveNotAfter": "2024-12-20T16:02:26.627Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.627Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
},
"matchedHosts": [
[
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
]
]
}
Contains complete information about a certificate discovered in one of the monitored CT logs.
Properties
Name | Type | Description |
---|---|---|
certDiscoveryId | integer(int64) | Unique identifier. |
certSha256 | string | The SHA256 hash of the associated certificate, if any. |
precertSha256 | string | The SHA256 hash of the associated precertificate, if any. |
tbsSha256 | string | The SHA256 hash of the TBSCertificate structure. This value will be the same for the precertificate & certificate combination. |
createdOn | string(date-time) | Indicates when this certificate discovery was created. |
updatedOn | string(date-time) | Indicates when this certificate discovery was last updated. |
closedOn | string(date-time) | Indicates when this certificate discovery was last closed. |
escalated | boolean | Indicates when this certificate discovery was escalated. |
status | string | Indicates the status of this certificate discovery. |
resolution | string | Indicates the discovery resolution. |
certSummary | CertificateSummary | Contains summary information about one certificate. |
matchedHosts | [string] | List of organization hosts that were observed in the certificate. |
Enumerated Values
Property | Value |
---|---|
status | triage |
status | open |
status | closed |
resolution | undetermined |
resolution | reconciled |
resolution | policyViolation |
resolution | fraudulent |
CertDiscovery
{
"certDiscoveryId": 11766,
"certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"createdOn": "2022-06-17T00:00:00Z",
"updatedOn": "2022-06-17T00:00:00Z",
"closedOn": "2022-06-17T00:00:00Z",
"escalated": false,
"status": "open",
"resolution": "undetermined",
"certSummary": {
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.628Z",
"notAfter": "2024-12-20T16:02:26.628Z",
"effectiveNotAfter": "2024-12-20T16:02:26.628Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.628Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
},
"certKnown": false,
"certInstalled": true,
"certExpired": false,
"certRevoked": false,
"issuerAllowed": true,
"issuerAllowedKeyword": "GlobalSign",
"issuerNotAllowed": false,
"issuerForbidden": false,
"issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"caaMismatch": false,
"caaMatchFull": false,
"notCtCompliant": false,
"maxLifetimeExceeded": false,
"timeoutCaseInactive": false,
"timeoutCertNotInstalled": false,
"matchedHosts": [
[
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
]
],
"matchedHostsInfo": {
"property1": {
"wildcard": false,
"caa": {
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
},
"property2": {
"wildcard": false,
"caa": {
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
}
},
"matchedHostsCaaHistory": {
"property1": [
{
"policyHostname": "string",
"status": "present",
"statusMessage": "string",
"firstSeen": "2024-12-20T16:02:26.628Z",
"lastSeen": "2024-12-20T16:02:26.628Z",
"records": [
"string"
]
}
],
"property2": [
{
"policyHostname": "string",
"status": "present",
"statusMessage": "string",
"firstSeen": "2024-12-20T16:02:26.628Z",
"lastSeen": "2024-12-20T16:02:26.628Z",
"records": [
"string"
]
}
]
},
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
]
}
Contains complete information about a certificate discovered in one of the monitored CT logs.
Properties
Name | Type | Description |
---|---|---|
certDiscoveryId | integer(int64) | Unique identifier. |
certSha256 | string | The SHA256 hash of the associated certificate, if any. |
precertSha256 | string | The SHA256 hash of the associated precertificate, if any. |
tbsSha256 | string | The SHA256 hash of the TBSCertificate structure. This value will be the same for the precertificate & certificate combination. |
createdOn | string(date-time) | Indicates when this certificate discovery was created. |
updatedOn | string(date-time) | Indicates when this certificate discovery was last updated. |
closedOn | string(date-time) | Indicates when this certificate discovery was last closed. |
escalated | boolean | Indicates when this certificate discovery was escalated. |
status | string | Indicates the status of this certificate discovery. |
resolution | string | Indicates the discovery resolution. |
certSummary | CertificateSummary | Contains summary information about one certificate. |
certKnown | boolean | True if the certificate is confirmed as known. This may happen if the certificate is explicitly uploaded via the API, or if we observe the certificate in one of your CA accounts (via an integration). |
certInstalled | boolean | True if the certificate has been installed. |
certExpired | boolean | True if the certificate has expired. |
certRevoked | boolean | True if the certificate has been revoked. |
issuerAllowed | boolean | True if the certificate issuer matched one of the configured keywords. |
issuerAllowedKeyword | string | If issuerAllowed is true, this field contains the keyword that matched. |
issuerNotAllowed | boolean | True if the certificate issuer didn't match any configured keywords. |
issuerForbidden | boolean | True if certificate issuer contains a keyword that is forbidden. |
issuerForbiddenKeyword | string | If issuerForbiddenKeyword is true, this field contains the keyword that matched. |
caaMismatch | boolean | True if the certificate doesn't match the CAA configuration observed immediately after the issuance has been retrieved from a CT log. |
caaMatchFull | boolean | True if all hosts in the certificate matched the CAA configuration observed immediately after the issuance has been retrieved from a CT log. |
notCtCompliant | boolean | True if the certificate is not CT compliant with one or more major vendors, such as Apple, Google, and Microsoft. |
maxLifetimeExceeded | boolean | True if the certificate lifetime is longer than the currently allowed maximum. |
timeoutCaseInactive | boolean | True when a certificate discovery is closed due to inactivity. |
timeoutCertNotInstalled | boolean | True on a certificate discovery that's closed because the certificate has not been seen installed. |
matchedHosts | [string] | List of organization hosts that were observed in the certificate. |
matchedHostsInfo | object | A map containing information about matched hosts, where the keys are hostnames and the values are objects of type DiscoveryHostInfo. |
» additionalProperties | DiscoveryHostInfo | Contains information about the host in the cert discovery |
matchedHostsCaaHistory | object | A map containing the history of Certification Authority Authorization (CAA) records for the matched hosts, where the keys are hostnames and the values are arrays of type HostCaaHistory. |
» additionalProperties | [HostCaaHistory] | none |
matchedWildcardHosts | [string] | List of organization hosts that match wildcard domains in the certificate, if any. |
ctLogs | [CertCtLog] | One entry for every observation of this certificate in CT logs. Excludes third-party CA certificates that have been imported to complete the certificate chain. |
Enumerated Values
Property | Value |
---|---|
status | triage |
status | open |
status | closed |
resolution | undetermined |
resolution | reconciled |
resolution | policyViolation |
resolution | fraudulent |
DiscoveryHostInfo
{
"wildcard": false,
"caa": {
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
}
Contains information about the host in the cert discovery
Properties
Name | Type | Description |
---|---|---|
wildcard | boolean | Indicates whether the host was matched using wildcard. |
caa | DiscoveryCaaHostInfo | Contains information about the certificate authority authorization host in the cert discovery |
DiscoveryCaaHostInfo
{
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
Contains information about the certificate authority authorization host in the cert discovery
Properties
Name | Type | Description |
---|---|---|
records | [string] | none |
source | string | none |
time | string(date-time) | none |
allowed | boolean | none |
error | string | none |
HostCaaHistory
{
"policyHostname": "string",
"status": "present",
"statusMessage": "string",
"firstSeen": "2024-12-20T16:02:26.629Z",
"lastSeen": "2024-12-20T16:02:26.629Z",
"records": [
"string"
]
}
Properties
Name | Type | Description |
---|---|---|
policyHostname | string | The hostname of the CAA policy. |
status | string | The status of the CAA policy. |
statusMessage | string | A message describing the status of the CAA policy. |
firstSeen | string(date-time) | The date and time when the CAA policy was first seen. |
lastSeen | string(date-time) | The date and time when the CAA policy was last seen. |
records | [string] | A list of DNS records. |
Enumerated Values
Property | Value |
---|---|
status | dnsError, |
status | none, |
status | present, |
SigAlg
"RSAwithMD2"
Certificate signature algorithm.
Properties
Name | Type | Description |
---|---|---|
anonymous | string | Certificate signature algorithm. |
Enumerated Values
Property | Value |
---|---|
anonymous | RSAwithMD2 |
anonymous | RSAwithMD5 |
anonymous | RSAwithSHA1 |
anonymous | RSAwithSHA256 |
anonymous | RSAwithSHA384 |
anonymous | RSAwithSHA512 |
anonymous | RSAPSS |
anonymous | DSAwithSHA1 |
anonymous | DSAwithSHA256 |
anonymous | ECDSAwithSHA1 |
anonymous | ECDSAwithSHA256 |
anonymous | ECDSAwithSHA384 |
anonymous | ECDSAwithSHA512 |
Certificate
{
"shortId": "572908a",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"validation": "dv",
"notBefore": "2024-12-20T16:02:26.630Z",
"notAfter": "2024-12-20T16:02:26.630Z",
"effectiveNotAfter": "2024-12-20T16:02:26.630Z",
"revokedOn": "2024-12-20T16:02:26.630Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"sanCount": 1,
"caPathLen": -1,
"wildcard": true,
"selfSigned": false,
"firstSeen": "2024-12-20T16:02:26.630Z",
"lastSeen": "2024-12-20T16:02:26.630Z",
"seenInstalled": true,
"active": true,
"precert": false,
"duplicate": false,
"managed": true,
"ownership": "own",
"label": "ssl760680.cloudflaressl.com",
"matchesOrgHost": true,
"symantecStatus": "symantecExcluded",
"ctRequired": true,
"ctCompliant": true,
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"origin": "ct",
"originTitle": "CT",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"parentHashes": [
"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
],
"parentHashesSource": "ct",
"parentHashesComplete": true,
"analysis": {
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
},
"matchedHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"thirdPartyHosts": [
"hardenize.com"
],
"deployments": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.630Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.630Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
},
"lifetime": "PT17652H",
"lifetimeDays": 736,
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"caIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
],
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"ctInfos": [
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.630Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
]
}
Contains information about one certificate.
Properties
Name | Type | Description |
---|---|---|
shortId | string | Short identifier for the certificate. This value is not unique. |
sha256* | string | Hex-encoded SHA256 hash of the certificate in DER format. |
tbsSha256 | string | Hex-encoded SHA256 hash of the TBSCertificate structure. This value will be the same in the precertificate/certificate combo. |
subject* | string | Subject distinguished name. |
serial* | string | Hex-encoded serial number. |
issuer* | string | Issuer distinguished name. |
issuerCa | string | The name of the issuing CA, according to CCADB. |
validation | string | Certificate validation type. |
notBefore* | string(date-time) | ISO 8601 timestamp. |
notAfter* | string(date-time) | ISO 8601 timestamp. |
effectiveNotAfter* | string(date-time) | ISO 8601 timestamp. This fields contains the time after which the certificate cannot be used in practice. For example, certificates issued from the old Symantec PKI infrastructure have been deprecated and can no longer be used for web sites, even though they are still technically valid. Depending on the deprecation phase, Symantec certificates will have the effective dates of March 1, 2018 (phase one) or September 1, 2018 (phase 2). |
revokedOn* | string(date-time) | Revocation timestamp, if available. |
keyAlg* | string | Private key algorithm, for example RSA or EC. |
keyLen* | integer | Private key length, for example 256 for an ECDSA key or 2048 for an RSA key. |
keyStrength* | integer | Estimated private key strength in symmetric bits. For example, a 256-bit ECDSA key is thought to provide 128 bits of security, whereas a 2048-bit RSA key provides about 112. |
sigAlg* | SigAlg | Certificate signature algorithm. |
spkiSha256* | string | Hex-encoded SHA256 of the certificate's SPKI component. |
hosts* | [string] | All hosts specified in the certificate's SAN extension, as Unicode. This list includes both hostnames and IP addresses. Wildcard hostnames will be on the list if they are in the certificate. |
sanCount | integer | The number of hostnames in the SAN field of the certificate. |
caPathLen* | integer | Indicates if this is a CA certificate. Leaf certificates will have -1 in this field, indicating that they cannot issue further certificates. CA certificates will have 0 or a positive number. CA certificates without path length limit will have 2,147,483,647. |
wildcard* | boolean | Set to true if at least one of the allowed hosts is a wildcard. |
selfSigned* | boolean | Set to true if this is a self-signed certificate. |
firstSeen* | string(date-time) | The first time this certificate was seen, which could be a variety of sources for example, CT, manual upload, or installed on a server. |
lastSeen* | string(date-time) | The last time this certificate was seen installed on a server. |
seenInstalled* | boolean | Indicates if this certificate has been seen installed on a server. |
active* | boolean | Indicates if this certificate has been seen installed recently. |
precert* | boolean | Indicates if the returned certificate is, in fact, a precertificate. |
duplicate* | boolean | Set to true on a precertificate for which the certificate is known. |
managed* | boolean | Indicates if this certificate is managed, i.e. provided by a third-party service that will also automatically renew the certificate when it becomes due. |
ownership* | string | Indicates if this certificate belongs to the organisation, which means that it is served from one of the organization's properties. Do note that, in the case of certificate name mismatch, someone else's certificate may be considered as own. In that case, the matchesOrgHost field will be set to false. |
label | string | The label is a human-readable string that can be used to identify the certificate. |
matchesOrgHost* | boolean | Indicates if at least one of the host listed in the certificates matches a hosts that belongs to the organisation. |
symantecStatus | string | Indicates if this certificate was issued from Symantec's PKI infrastructure. This field is not set when it's not necessary, as absence of value indicates that the certificate did not come from Symantec. This field is also never set on CA intermediates and roots. |
ctRequired | boolean | Indicates whether certificate is required to be logged to CT for use on public sites. This is a requirement for all certificates issued from May 2018 onwards, as well for some earlier Symantec certificates. |
ctCompliant | boolean | Indicates whether certificate embeds sufficient SCTs to satisfy CT policies of major platforms. |
ctLogs* | [CertCtLog] | One entry for every observation of this certificate in CT logs. Excludes third-party CA certificates that have been imported to complete the certificate chain. |
pem* | string | Base64-encoded certificate in DER format. |
origin* | string | Indication of where this certificate came from. This field will contain ct if the certificate was found via real-time monitoring of Certificate Transparency logs, hdb if we imported it from our historical certificate database, net if the certificate was found installed on the network, or manual if the certificate was provided to us (e.g., if it was uploaded via the API). |
originTitle | string | Human readable version of the origin enum value |
originInfo | OriginInfo | Further information about the origin. For example, if the origin is cert , then this field will identify the actual certificate. |
parentHashes | [string] | Contains the SHA256 fingerprints of parent certificates, if they are known. We currently populate this field only using the information obtained from CT log entries. When the object is a precertificate, the parent hashes may include a special precertificate signer CA certificate. |
parentHashesSource | string | Indicates the source of the parent hashes provided in the parentHashes field. If the field contains ct , that means that the parent hashes are exactly as seen in CT. CT entries are not guaranteed to include the root; if we're able to find the right root, we'll use the value ctPlusRoot to indicate that the bulk of the chain is from CT, but that we appended a root to it. The value hardenize is reserved for future use, when we implement path building to identify the hashes for certificates only seen online (and not in CT). |
parentHashesComplete | boolean | True if the parent hashes are available and form a complete chain, false if parent hashes are available but the chain is not complete. This field is not available when parent hashes are not available. |
analysis | ReportCardItem | Describes the item in each report card section. |
matchedHosts | [string] | none |
matchedWildcardHosts | [string] | none |
thirdPartyHosts | [string] | none |
deployments | Deployment | none |
lifetime | string | Contains the ISO-8601 formatted duration of the validity of the certificate |
lifetimeDays | integer | Contains the number of days the certificate is valid. |
ku | [string] | Key Usage extension values. |
eku | [string] | Extended Key Usage extension values. |
mustStaple | boolean | Indicates whether the certificate must support OCSP Stapling. |
aki | string | Authority Key Identifier extension value. |
ski | string | Subject Key Identifier extension value. |
caIssuers | [string] | List of URLs where the certificate issuer's CA certificates can be obtained. |
crl | [string] | List of URLs where the Certificate Revocation Lists (CRLs) for the certificate can be obtained. |
ocsp | [string] | List of URLs where the OCSP responses for the certificate can be obtained. |
ctInfos | [CtInfo] | none |
Enumerated Values
Property | Value |
---|---|
validation | dv |
validation | ev |
validation | iv |
validation | ov |
validation | s |
validation | u |
validation | na |
ownership | own |
ownership | thirdParty |
symantecStatus | phaseOneAffected |
symantecStatus | phaseOneNotAffected |
symantecStatus | phaseTwoAffected |
symantecStatus | phaseTwoNotAffected |
symantecStatus | symantecExcluded |
origin | ct |
origin | hdb |
origin | manual |
origin | net |
parentHashesSource | ct |
parentHashesSource | ctPlusRoot |
parentHashesSource | hardenize |
CertExtras
{
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
}
Properties
Name | Type | Description |
---|---|---|
status | string | none |
certsDueDays | integer | When certificates become due. Certificates that expire in fewer days |
certsOverdueDays | integer | When certificates become overdue. Certificates not renewed by this time are considered overdue |
certsCriticalDays | integer | When certificates become critical. Certificates not replaced by this time are considered critical |
certsLabels | any | List of certificate labels, indicating the type and management source of each certificate. |
ski | string | Subject Key Identifier extension value. |
aki | string | Authority Key Identifier extension value. |
ku | [string] | Key Usage extension values. |
eku | [string] | Extended Key Usage extension values. |
mustStaple | boolean | Indicates whether the certificate must support OCSP Stapling. |
crl | [string] | List of URLs where the Certificate Revocation Lists (CRLs) for the certificate can be obtained. |
ocsp | [string] | List of URLs where the OCSP responses for the certificate can be obtained. |
precert | boolean | Indicates whether this is a pre-certificate |
Enumerated Values
Property | Value |
---|---|
status | ok |
status | warning |
status | error |
status | neutral |
certsLabels | precert |
certsLabels | managed |
certsLabels | thirdParty |
certsLabels | thirdPartyOwnHost |
certsLabels | intermediate |
certsLabels | root |
certsLabels | selfSigned |
CtInfo
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.632Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
Properties
Name | Type | Description |
---|---|---|
id | string | This field contains a HEX encoded SHA256 value of the unique identifier for the CT log server that created the Signed Certificate Timestamp |
timestamp | string(date-time) | ISO 8601 timestamp. This field contains the timestamp indicating when the SCT was created. The timestamp is typically represented in milliseconds since the Unix epoch (January 1, 1970, 00:00:00 UTC) |
name | string | A human-readable description of the CT log |
status | string | The status of the CT log |
Deployment
{
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.632Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.632Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
}
Properties
Name | Type | Description |
---|---|---|
hosts | [HostData] | none |
services | [ServiceData] | none |
HostService
{
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.632Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.632Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
],
"certificates": [
{
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.632Z",
"notAfter": "2024-12-20T16:02:26.632Z",
"effectiveNotAfter": "2024-12-20T16:02:26.632Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.632Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
}
],
"extras": {
"hostname": "🔥.hardenize.com",
"punyHostname": "xn--4v8h.hardenize.com",
"createdOn": "2024-12-20T16:02:26.632Z",
"status": "archived",
"axfr": "enabled",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"algorithm": "HMAC_MD5",
"name": "thename"
},
"lastAxfrTime": "2024-12-20T16:02:26.632Z",
"axfrError": "string",
"lastAxfrErrorTime": "2024-12-20T16:02:26.632Z",
"lastRegLookupTime": "2024-12-20T16:02:26.632Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"nx": true,
"nxTime": "2024-12-20T16:02:26.632Z",
"regRegistry": true,
"regPublic": true,
"regNx": false,
"regNxTime": "2024-12-20T16:02:26.632Z",
"lastAssessmentTime": "2024-12-20T16:02:26.632Z",
"assessmentError": "Host not found",
"lastAssessmentAttemptTime": "2024-12-20T16:02:26.632Z",
"groups": [
"mygroup"
],
"tags": [
"production"
],
"domainRegistrant": "string",
"domainRegistrarName": "string",
"domainStatuses": [
"string"
],
"domainCreationTime": "2024-12-20T16:02:26.632Z",
"domainExpireTime": "2024-12-20T16:02:26.632Z",
"domainRegistryLock": false,
"domainRegistrarLock": false,
"domainLookupStatus": "string",
"config": {},
"classificationStatus": "active",
"classificationTags": [
"signin"
]
}
}
Properties
Name | Type | Description |
---|---|---|
hosts | [HostData] | none |
services | [ServiceData] | none |
certificates | [CertificateSummary] | [Contains summary information about one certificate. ] |
extras | Host | The Host object represents one of your hosts that resides in our database. |
HostData
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.633Z"
}
Properties
Name | Type | Description |
---|---|---|
hostname | string | none |
service | string | none |
serviceHostname | string | none |
lastSeen | string(date-time) | none |
Enumerated Values
Property | Value |
---|---|
service | dns |
service | ftp |
service | html |
service | http |
service | https |
service | imap |
service | ldap |
service | mongodb |
service | mysql |
service | nntp |
service | other |
service | pop3 |
service | postgres |
service | rdp |
service | redis |
service | sip |
service | smtp |
service | ssh |
service | telnet |
service | tls |
service | xmpp |
ServiceData
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.634Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
Properties
Name | Type | Description |
---|---|---|
hostname | string | none |
address | string | none |
port | integer | none |
asNumber | integer | none |
asName | string | none |
cloudProvider | string | none |
cloudRegion | string | none |
lastSeen | string(date-time) | none |
certs | [string] | none |
tlsSupportedProtocols | string | List of supported TLS protocols |
tlsConfigurationLevel | string | Indicates the security level of the TLS configuration |
Enumerated Values
Property | Value |
---|---|
tlsSupportedProtocols | TLSv1.3 |
tlsSupportedProtocols | TLSv1.2 |
tlsSupportedProtocols | TLSv1.0 |
tlsSupportedProtocols | SSLv3 |
tlsSupportedProtocols | SSLv2 |
tlsConfigurationLevel | secureWithPostQuantumEncryption |
tlsConfigurationLevel | secure |
tlsConfigurationLevel | insecure |
tlsConfigurationLevel | unknown |
CertificateSummaryResponse
{
"certs": [
{
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.634Z",
"notAfter": "2024-12-20T16:02:26.634Z",
"effectiveNotAfter": "2024-12-20T16:02:26.634Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.634Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
}
]
}
Contains information about summaries of certificates.
Properties
Name | Type | Description |
---|---|---|
certs | [CertificateSummary] | List of certificate summaries |
CertificateSummary
{
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.635Z",
"notAfter": "2024-12-20T16:02:26.635Z",
"effectiveNotAfter": "2024-12-20T16:02:26.635Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.635Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
}
Contains summary information about one certificate.
Properties
Name | Type | Description |
---|---|---|
shortId | string | Short identifier for the certificate. This value is not unique. It is used in the Hardenize UI to refer to the certificate. |
label | string | The label is a human-readable string that can be used to identify the certificate. |
sha256* | string | Hex-encoded SHA256 hash of the certificate in DER format. |
spkiSha256 | string | Hex-encoded SHA256 of the certificate's SPKI component. |
keyAlg | string | Private key algorithm, for example RSA or EC. |
keyLen | integer | Private key length, for example 256 for an ECDSA key or 2048 for an RSA key. |
keyStrength | integer | Estimated private key strength in symmetric bits. For example, a 256-bit ECDSA key is thought to provide 128 bits of security, whereas a 2048-bit RSA key provides about 112. |
sigAlg | SigAlg | Certificate signature algorithm. |
subject* | string | Subject distinguished name. |
serial* | string | Hex-encoded serial number. |
issuer* | string | Issuer distinguished name. |
issuerCa | string | The name of the issuing CA, according to CCADB. |
ownership | string | Indicates if this certificate belongs to the organisation, which means that it is served from one of the organization's properties. Do note that, in the case of certificate name mismatch, someone else's certificate may be considered as own. In that case, the matchesOrgHost field will be set to false. |
notBefore* | string(date-time) | The date+time before which the certificate is not valid |
notAfter* | string(date-time) | The date+time after which the certificate is not valid. |
effectiveNotAfter* | string(date-time) | ISO 8601 timestamp. This fields contains the time after which the certificate cannot be used in practice. For example, certificates issued from the old Symantec PKI infrastructure have been deprecated and can no longer be used for web sites, even though they are still technically valid. Depending on the deprecation phase, Symantec certificates will have the effective dates of March 1, 2018 (phase one) or September 1, 2018 (phase 2). |
lifetimeDays | integer | Contains the number of days the certificate is valid. |
lifetimeDaysLeft | integer | Contains the number of days left until the certificate will expire. |
revokedOn* | string(date-time) | Revocation timestamp, if available. |
hosts* | [string] | All hosts specified in the certificate's SAN extension, as Unicode. This list includes both hostnames and IP addresses. Wildcard hostnames will be on the list if they are in the certificate. |
extras | CertExtras | none |
active | boolean | True if the certificate has been seen installed recently. |
caPathLen | integer | Indicates if the certificate is a leaf or a CA certificate. Leaves will have this value set to -1, CA certificates will have a 0 or some other non-zero value. |
nameDigestNewer | boolean | True if a certificate with the same set of names but a later effective_not_after has been seen. |
Enumerated Values
Property | Value |
---|---|
ownership | own |
ownership | thirdParty |
TrustPath
{
"chain": [
"46ef67b522f7fceb71c27a341e79a6ae6982b6a3f57bd804e0137db6bdf0c4c3",
"1dfc1605fbad358d8bc844f76d15203fac9ca5c1a79fd4857ffaf2864fbebf96"
],
"valid": true,
"complete": true,
"hasErrors": false,
"depth": 3,
"errors": []
}
Represents a certificate trust path
Properties
Name | Type | Description |
---|---|---|
chain* | [string] | List of sha256 identifiers of the certificates in the trust path chain |
valid* | boolean | Indicates if the certificate path is valid |
complete* | boolean | Indicates if the certificate path is complete from leaf to root |
hasErrors* | boolean | Indicates if there are any validation errors in the path |
depth* | integer | The depth of the certificate chain from leaf to root |
errors* | [TrustPathError] | List of validation errors encountered in the certificate path |
TrustPathError
{
"node": "d073b38943b36bd970ec8f61b3a1aea66e58eff160daee143bcb9d9967867813",
"code": "invalidTime",
"message": "Time not valid: NotAfter: Wed Aug 08 21:17:05 UTC 2018"
}
Represents an error in the certificate trust path
Properties
Name | Type | Description |
---|---|---|
node | string | The sha256 identifier of the certificate node where the error occurred |
code* | string | Error code identifying the type of validation failure |
message* | string | Human-readable description of the error |
CertificateTrustPaths
{
"certs": [
{
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.636Z",
"notAfter": "2024-12-20T16:02:26.636Z",
"effectiveNotAfter": "2024-12-20T16:02:26.636Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.636Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
}
],
"paths": [
{
"chain": [
"46ef67b522f7fceb71c27a341e79a6ae6982b6a3f57bd804e0137db6bdf0c4c3",
"1dfc1605fbad358d8bc844f76d15203fac9ca5c1a79fd4857ffaf2864fbebf96"
],
"valid": true,
"complete": true,
"hasErrors": false,
"depth": 3,
"errors": []
}
]
}
Contains information about certificate trust paths
Properties
Name | Type | Description |
---|---|---|
certs* | [CertificateSummary] | List of certificate summaries of certificates which are part of the trust paths |
paths* | [TrustPath] | List of certificate trust paths |
ExpiringEndpointsResponse
{
"expiringEndpoints": [
{
"hostname": "example.net",
"serviceHostname": "service.example.com",
"serviceDomain": "example.com",
"serviceAddress": "127.0.0.1",
"servicePort": 443,
"certNotAfter": "2024-12-20T16:02:26.636Z",
"certEffectiveNotAfter": "2024-12-20T16:02:26.636Z",
"serviceLastSeen": "2024-12-20T16:02:26.636Z",
"certShortId": "572908a",
"certSha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"certDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"certSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"certIssuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"certIssuerCa": "Let's Encrypt",
"certSan": "*.hardenize.com",
"asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
"asNumber": "12345",
"hostClassificationStatus": "active",
"hostClassificationTags": [
[
"signin"
]
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
],
"extras": {
"certsDueDays": 0,
"certsOverdueDays": 0,
"certsCriticalDays": 0
}
}
Contains information about expiring endpoints.
Properties
Name | Type | Description |
---|---|---|
expiringEndpoints | [ExpiringEndpoint] | List of certificate summaries |
extras | CertStatsExtras | none |
ExpiringEndpoint
{
"hostname": "example.net",
"serviceHostname": "service.example.com",
"serviceDomain": "example.com",
"serviceAddress": "127.0.0.1",
"servicePort": 443,
"certNotAfter": "2024-12-20T16:02:26.637Z",
"certEffectiveNotAfter": "2024-12-20T16:02:26.637Z",
"serviceLastSeen": "2024-12-20T16:02:26.637Z",
"certShortId": "572908a",
"certSha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"certDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"certSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"certIssuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"certIssuerCa": "Let's Encrypt",
"certSan": "*.hardenize.com",
"asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
"asNumber": "12345",
"hostClassificationStatus": "active",
"hostClassificationTags": [
[
"signin"
]
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
Contains summary information about one expiring endpoint.
Properties
Name | Type | Description |
---|---|---|
hostname | string | The name of the host. |
serviceHostname | string | The hostname of the service associated with the endpoint. |
serviceDomain | string | The domain of the service associated with the endpoint. |
serviceAddress | string | The IP address of service associated with the endpoint. |
servicePort | integer | port number. |
certNotAfter | string(date-time) | ISO 8601 timestamp indicating when the certificate for the endpoint expires. |
certEffectiveNotAfter | string(date-time) | ISO 8601 timestamp indicating when the certificate for the endpoint expires. |
serviceLastSeen | string(date-time) | ISO 8601 timestamp indicating when the service was last seen. |
certShortId | string | First 7 characters of a hex-encoded SHA256 hash of the certificate in DER format. |
certSha256 | string | Hex-encoded SHA256 hash of the certificate in DER format. |
certDn | string | Distinguished name of the endpoint's certificate. |
certSerial | string | Hex-encoded serial number of the endpoint's certificate. |
certIssuer | string | Issuer distinguished name. |
certIssuerCa | string | The name of the issuing CA, according to CCADB. |
certSan | string | All hosts specified in the endpoint's certificate's SAN extension, as Unicode. |
asName | string | The name of the Autonomous System (AS). |
asNumber | string | The number of the Autonomous System (AS). |
hostClassificationStatus | string | Represents the status of content classification |
hostClassificationTags | [string] | A list of content classification tags |
tlsSupportedProtocols | string | List of supported TLS protocols |
tlsConfigurationLevel | string | Indicates the security level of the TLS configuration |
Enumerated Values
Property | Value |
---|---|
hostClassificationStatus | active |
hostClassificationStatus | inactive |
hostClassificationStatus | parked |
tlsSupportedProtocols | TLSv1.3 |
tlsSupportedProtocols | TLSv1.2 |
tlsSupportedProtocols | TLSv1.0 |
tlsSupportedProtocols | SSLv3 |
tlsSupportedProtocols | SSLv2 |
tlsConfigurationLevel | secureWithPostQuantumEncryption |
tlsConfigurationLevel | secure |
tlsConfigurationLevel | insecure |
tlsConfigurationLevel | unknown |
CertCtLog
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
Properties
Name | Type | Description |
---|---|---|
name | string | The name is formed from the log field extracting the string after the last '/' or the same string if no '/' characters are present in the string |
log* | string | CT log URL, with scheme omitted. |
timestamp* | integer(int64) | Milliseconds since January 1, 1970, excluding leap seconds, per CT RFC. |
index | integer(int64) | This certificate's index in the referenced CT log. This field is available only when the matching objects are observed directly in CT logs. |
type* | string | Indicates whether a CT log entry belongs to a certificate or precertificate. Normally, precertificate objects will include only precertificate CT log entries. However, certificate objects can include entries of either type. For example, if a certificate has been logged to CT via a precertificate, it will typically include CT log entries pertaining to both the precertificate as well as its own subsequent appearance in the CT logs. |
sources* | [string] | Hardenize collects CT information from multiple sources. This set indicates all the places where we've collected the information we have on a certificate. |
Enumerated Values
Property | Value |
---|---|
type | cert |
type | precert |
CtLogsResponse
{
"ctLogs": [
{
"name": "Cloudflare 'Nimbus2023' Log",
"url": "ct.cloudflare.com/logs/nimbus2023",
"mmd": 86400,
"lastIndex": 94000,
"lastTimestamp": "2024-12-20T16:02:26.637Z"
}
]
}
Properties
Name | Type | Description |
---|---|---|
ctLogs | [CtLog] | List of CT log objects |
CtLog
{
"name": "Cloudflare 'Nimbus2023' Log",
"url": "ct.cloudflare.com/logs/nimbus2023",
"mmd": 86400,
"lastIndex": 94000,
"lastTimestamp": "2024-12-20T16:02:26.641Z"
}
Properties
Name | Type | Description |
---|---|---|
name | string | The description of the log entry |
url | string | The network endpoint |
mmd | integer | The maximum merge delay value |
lastIndex | integer | The last directly observed index in this log, if available |
lastTimestamp | string(date-time) | ISO 8601 timestamp of the last observed index, if available |
CreateIntegrationRequest
{
"type": "aws",
"name": "My Test Integration",
"ref": "123456789012",
"tags": [
"production"
],
"enabled": true,
"config": {
"accountId": "string"
}
}
This object should contain all the information required to create a
new integration in your account. Some of the information is generic
and used for all integration types. Integration-specific information
should be placed in the config
field, whilst ensuring the the
provided data matches the integration type.
Properties
Name | Type | Description |
---|---|---|
type* | string | Integration type that indicates which integration is being created. |
name* | string | Name to assign to integration. Must be unique. |
ref | string | Integration reference; this is an optional utility field intended to carry information that uniquely identifies the account we're connecting to. |
tags | [string] | A list of tags. Tags are added to resources fetched from your configured integration and propagated to hosts. Tag names can use only letters and digits. |
enabled* | boolean | Whether or not the integration should be enabled immediately. |
config* | any | Integration-specific configuration parameters, matching the selected integration as specified in the type parameter. |
oneOf
Name | Type | Description |
---|---|---|
» anonymous | CreateAwsIntegrationConfig | AWS integration parameters. |
xor
Name | Type | Description |
---|---|---|
» anonymous | CreateAzureIntegrationConfig | Azure integration parameters. |
xor
Name | Type | Description |
---|---|---|
» anonymous | CreateCloudflareIntegrationConfig | Cloudflare integration parameters. Supply either "apiKey" for recommended auth, or "email" and "authKey" for legacy auth. |
xor
Name | Type | Description |
---|---|---|
» anonymous | CreateCscIntegrationConfig | CSC integration parameters. |
xor
Name | Type | Description |
---|---|---|
» anonymous | CreateDigiCertIntegrationConfig | DigiCert CertCentral integration parameters. Please ensure that the provided API key is configured as read-only. Keys that are configured for write operations will not be accepted. |
xor
Name | Type | Description |
---|---|---|
» anonymous | CreateGcpIntegrationConfig | GCP integration parameters. |
xor
Name | Type | Description |
---|---|---|
» anonymous | CreateMarkMonitorIntegrationConfig | MarkMonitor integration parameters. |
xor
Name | Type | Description |
---|---|---|
» anonymous | CreateNs1IntegrationConfig | NS1 integration parameters. |
xor
Name | Type | Description |
---|---|---|
» anonymous | CreateSafenamesIntegrationConfig | Safenames integration parameters. |
Enumerated Values
Property | Value |
---|---|
type | aws |
type | azure |
type | cloudflare |
type | csc |
type | digicert |
type | gcp |
type | markmonitor |
type | ns1 |
type | safenames |
AwsIntegrationConfig
{
"accountId": "string"
}
AWS integration parameters.
Properties
Name | Type | Description |
---|---|---|
accountId* | string | AWS account ID. |
CreateAwsIntegrationConfig
{
"accountId": "string"
}
AWS integration parameters.
Properties
Name | Type | Description |
---|---|---|
accountId* | string | AWS account ID. |
AzureIntegrationConfig
{
"clientId": "a85f9541-6472-054d-af7b-802663282441",
"tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43"
}
Azure integration parameters. Although we require the Azure secret token initially, to create an integration, we do not provide it via this API afterwards.
Properties
Name | Type | Description |
---|---|---|
clientId* | string | Azure client identifier. |
tenantId* | string | Azure tenant identifier. |
CreateAzureIntegrationConfig
{
"clientId": "a85f9541-6472-054d-af7b-802663282441",
"tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43",
"secret": "2q4xUYw/rTp3qoJ9x=pP.KXwUq?mnPO/"
}
Azure integration parameters.
Properties
Name | Type | Description |
---|---|---|
clientId* | string | Azure client identifier. |
tenantId* | string | Azure tenant identifier. |
secret* | string | Azure secret token. |
DigiCertIntegrationConfig
{}
DigiCert CertCentral integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.
Properties
None
CreateDigiCertIntegrationConfig
{
"apiKey": "52YEKYDT7FARJTGWCN5B7K7YNME3APZOMP4X"
}
DigiCert CertCentral integration parameters. Please ensure that the provided API key is configured as read-only. Keys that are configured for write operations will not be accepted.
Properties
Name | Type | Description |
---|---|---|
apiKey* | string | none |
GcpIntegrationConfig
{
"project": "green-lantern-324920"
}
GCP integration parameters.
Properties
Name | Type | Description |
---|---|---|
project* | string | The GCP project name |
CreateGcpIntegrationConfig
{
"project": "green-lantern-324920"
}
GCP integration parameters.
Properties
Name | Type | Description |
---|---|---|
project* | string | The GCP project name |
CloudflareIntegrationConfig
{}
Cloudflare integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.
Properties
None
CreateCloudflareIntegrationConfig
{
"apiKey": "uhhiGI7ghuoiuhIU2feu",
"authKey": "27761d57fd9035185dfc45eb1275ecacd",
"email": "postmaster@example.com"
}
Cloudflare integration parameters. Supply either "apiKey" for recommended auth, or "email" and "authKey" for legacy auth.
Properties
Name | Type | Description |
---|---|---|
apiKey | string | none |
authKey | string | none |
string | none |
CscIntegrationConfig
{}
CSC integration parameters. Although we require the API key and bearer token initially, to create an integration, we do not provide them via this API afterwards.
Properties
None
CreateCscIntegrationConfig
{
"apiKey": "23g78h23rgheriuh2r8h2rg8h2rgiuh23g",
"bearerToken": "483fabc7-1234-4321-f12f-f48a8de8f3cf"
}
CSC integration parameters.
Properties
Name | Type | Description |
---|---|---|
apiKey* | string | none |
bearerToken* | string | none |
Ns1IntegrationConfig
{}
NS1 integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.
Properties
None
CreateNs1IntegrationConfig
{
"apiKey": "uhhiGI7ghuoiuhIU2feu"
}
NS1 integration parameters.
Properties
Name | Type | Description |
---|---|---|
apiKey* | string | none |
MarkMonitorIntegrationConfig
{
"username": "user"
}
MarkMonitor integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards
Properties
Name | Type | Description |
---|---|---|
username* | string | The MarkMonitor api username |
CreateMarkMonitorIntegrationConfig
{
"username": "user",
"password": "pass"
}
MarkMonitor integration parameters.
Properties
Name | Type | Description |
---|---|---|
username* | string | none |
password* | string | none |
SafenamesIntegrationConfig
{
"username": "user"
}
Safenames integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards
Properties
Name | Type | Description |
---|---|---|
username* | string | The Safenames username |
CreateSafenamesIntegrationConfig
{
"username": "user",
"password": "pass"
}
Safenames integration parameters.
Properties
Name | Type | Description |
---|---|---|
username* | string | none |
password* | string | none |
CreateIntegrationResponse
{
"integration": {
"integrationId": 1,
"name": "My Test Integration",
"ref": "348394209898",
"type": "aws",
"enabled": true,
"tags": [
"production"
],
"error": "Invalid credentials for logging in to integration",
"errorTime": "2024-12-20T16:02:26.644Z",
"nextRunTime": "2024-12-20T16:02:26.644Z",
"lastRunTime": "2024-12-20T16:02:26.644Z",
"lastRunErrors": [
"Unable to obtain list of registered domain names."
],
"config": {
"accountId": "string"
}
}
}
Properties
Name | Type | Description |
---|---|---|
integration* | Integration | Represents a third-party integration. |
CreateHostsRequest
{
"hostnames": [
"example.com"
],
"status": "monitored",
"axfr": "auto",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"name": "thename",
"algorithm": "HMAC_MD5",
"key": "base64key="
},
"groups": [
"production"
]
}
Properties
Name | Type | Description |
---|---|---|
hostnames* | [string] | List of hosts to create. Each host in this array must be a valid registrable domain (according to the Public Suffix List) or a subdomain of a registrable domain. |
status | string | Desired host status. If the status is not specified, the initial status is determined based on the account's default status for new hosts as well as the status of parent hosts (depending on the configuration). |
axfr | string | If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to auto which is a setting that is reserved for a future expansion and currently has the same meaning as disabled . To enable zone transfers, change the value of this field to enabled . For more information about how zone transfers are made, refer to the Request zone transfer endpoint. |
axfrHost | string | Instead of doing AXFRs from the primary nameserver as per the zone's SOA record, use this hostname or IP address instead. |
axfrTsig | CreateHostsRequestAxfrTsig | none |
groups | [string] | List of groups to which the new hosts should be added. If the account is configured to inherit group membership from parent hosts, those groups are added in addition to the ones explicitly specified here. |
Enumerated Values
Property | Value |
---|---|
status | monitored |
status | idle |
status | archived |
axfr | auto |
axfr | enabled |
axfr | disabled |
CreateHostsRequestAxfrTsig
{
"name": "thename",
"algorithm": "HMAC_MD5",
"key": "base64key="
}
Properties
Name | Type | Description |
---|---|---|
name* | string | TSIG key name. |
algorithm* | string | TSIG algorithm. |
key* | string | TSIG key, Base64-encoded. |
Enumerated Values
Property | Value |
---|---|
algorithm | HMAC_MD5 |
algorithm | HMAC_SHA1 |
algorithm | HMAC_SHA224 |
algorithm | HMAC_SHA256 |
algorithm | HMAC_SHA384 |
algorithm | HMAC_SHA512 |
CreateHostDiscoveryKeywordRequest
{
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
]
}
A keyword used for host discovery.
Properties
Name | Type | Description |
---|---|---|
keyword* | string | The text to match with. Must consist of only lowercase letters, digits, and dashes. Periods can also be used, but only when keyword is matched across DNS labels. To avoid too many matches, we require that keywords have at least 5 characters, and up to 32. |
enabled* | boolean | Indicates if the keyword is currently active. |
matchScope* | string | Determines if the keyword will match domains and subdomains (all ) or only domains. |
matchPosition* | string | Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant. |
matchExact* | boolean | If set, enables exact matching. |
matchFuzzy* | boolean | If set, enables fuzzy matching. |
matchConfusables* | boolean | If set, enables matching of confusable characters and homographes. |
exclusions* | [string] | Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored. |
Enumerated Values
Property | Value |
---|---|
matchScope | all |
matchScope | domains |
matchPosition | anywhere |
matchPosition | label |
matchPosition | labelStart |
matchPosition | labelEnd |
matchPosition | labelStartOrEnd |
CreateHostDiscoveryKeywordResponse
{
"hostDiscoveryKeyword": {
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
],
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
}
Properties
Name | Type | Description |
---|---|---|
hostDiscoveryKeyword* | HostDiscoveryKeyword | A keyword used for host discovery. |
CreateHostDiscoveryNameserverRequest
{
"hostnames": [
"ns1.example.com"
]
}
Properties
Name | Type | Description |
---|---|---|
hostnames* | [string] | none |
UpdateHostDiscoveryNameserverRequest
{
"enabled": true
}
Properties
Name | Type | Description |
---|---|---|
enabled | boolean | Controls whether a nameserver is actively monitored. A nameserver could be disabled if it's responsible for too many matches, which usually indicates a misconfigured. Alternatively, a nameserver may be disabled if it no longer matches any of the organization's domains. |
CreateHostDiscoveryNameserverResponse
{
"hostDiscoveryKeyword": {
"hostname": "ns1.hardenize.com",
"punyHostname": "ns1.hardenize.com",
"createdOn": "2020-06-10T15:36:49.044Z",
"enabled": false,
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
}
Properties
Name | Type | Description |
---|---|---|
hostDiscoveryKeyword* | HostDiscoveryNameserver | A keyword used for host discovery. |
DiscoveryHostReportRequest
{
"limit": 100,
"format": "csv"
}
Properties
Name | Type | Description |
---|---|---|
limit | integer | If set, returns only up to the specified number of host discoveries. |
format | string | If set, returns host discoveries in the format specified. Default: JSON |
Enumerated Values
Property | Value |
---|---|
format | json |
format | csv |
format | xlsx |
DiscoveryHostReportResponse
{
"discoveries": [
{
"discoveryId": 11113,
"autoResolved": false,
"hostname": "www.🔥.hardenize.com",
"discoveredTime": "2024-12-20T16:02:26.646Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"matchInfo": {
"certdno": {
"o": "Cloudflare, Inc."
},
"integration": {
"name": "AWS Production",
"type": "aws",
"ref": "string"
},
"keyword": {
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
},
"mx": {
"mx": "mail.example.com"
},
"nameserver": {
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
},
"rname": {
"email": "postmaster@example.com"
},
"whois": {
"keywords": [
"example.com"
]
}
},
"matchCertDNO": false,
"matchIntegration": true,
"matchKeyword": false,
"matchMx": false,
"matchNameserver": false,
"matchSubdomain": false,
"matchRname": false,
"matchWhois": false,
"resolution": "pending",
"updatedTime": "2024-12-20T16:02:26.647Z"
}
]
}
Properties
Name | Type | Description |
---|---|---|
discoveries | [HostDiscovery] | [This object represents our discovery of a host which might be relevant to your organization.] |
CreateCertResponse
{
"cert": {
"shortId": "572908a",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"validation": "dv",
"notBefore": "2024-12-20T16:02:26.647Z",
"notAfter": "2024-12-20T16:02:26.647Z",
"effectiveNotAfter": "2024-12-20T16:02:26.647Z",
"revokedOn": "2024-12-20T16:02:26.647Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"sanCount": 1,
"caPathLen": -1,
"wildcard": true,
"selfSigned": false,
"firstSeen": "2024-12-20T16:02:26.648Z",
"lastSeen": "2024-12-20T16:02:26.648Z",
"seenInstalled": true,
"active": true,
"precert": false,
"duplicate": false,
"managed": true,
"ownership": "own",
"label": "ssl760680.cloudflaressl.com",
"matchesOrgHost": true,
"symantecStatus": "symantecExcluded",
"ctRequired": true,
"ctCompliant": true,
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"origin": "ct",
"originTitle": "CT",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"parentHashes": [
"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
],
"parentHashesSource": "ct",
"parentHashesComplete": true,
"analysis": {
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
},
"matchedHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"thirdPartyHosts": [
"hardenize.com"
],
"deployments": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.648Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.648Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
},
"lifetime": "PT17652H",
"lifetimeDays": 736,
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"caIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
],
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"ctInfos": [
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.648Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
]
}
}
Properties
Name | Type | Description |
---|---|---|
cert | Certificate | Contains information about one certificate. |
CreateEventHookRequest
{
"hookType": "webhook",
"eventTypes": [
"ct.entry"
],
"status": "enabled",
"destination": "https://hardenize.com/webhooks/receive"
}
Properties
Name | Type | Description |
---|---|---|
hookType* | string | Desired event hook type. |
eventTypes* | [string] | A list of event types to send to this event hook. |
status | string | Initial status for this hook. Default: disabled. |
destination* | string | Event hook destination; for webhooks, this must be an HTTPS URL. For deliveries via PubSub, you must supply here a valid destination obtained via the List Event Destinations API endpoint. |
Enumerated Values
Property | Value |
---|---|
hookType | pubsub |
hookType | webhook |
CreateEventHookResponse
{
"eventHook": {
"id": "bfc384726b6447a4b70a171de49e466f",
"hookType": "webhook",
"eventTypes": [
"ct.entry"
],
"status": "enabled",
"destination": "https://hardenize.com/webhooks/receive",
"secret": "3685c06a966e4d0ea625d0b475719661"
}
}
Properties
Name | Type | Description |
---|---|---|
eventHook* | EventHook | Event hook objects contain information pertaining to a destination to which events are delivered (pushed). |
CreateNetworkRangeRequest
{
"label": "DC01 Public",
"description": "Public IP range for London data center",
"range": "192.168.1.0/24",
"scan": true,
"tags": [
"production"
]
}
Properties
None
CreateOrgRequest
{
"id": "7f070931-0cfb-41cb-bb05-98a792d238b1",
"name": "Hardenize",
"label": "hardenize",
"status": "active",
"certLimitHard": 1000,
"commercialStatus": "internal",
"generateApiCredentials": true,
"hostDiscoveryAutoimportSubdomains": false,
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostDiscoveryEnabled": true,
"hostDiscoveryLimitHard": 10000,
"hostLimitHard": 1000,
"featureHostDiscovery": false,
"featureMfa": false,
"featureSaml": false
}
Properties
Name | Type | Description |
---|---|---|
id* | string | Unique ID that should be used to refer to the new organization. This value should be unique across all organizations that belong to the same parent. The syntax must match that of a DNS host label, using only lowercase characters. This field can be set, but cannot be updated. |
name | string | Organization name is typically what will be shown in administrative user interfaces. If not provided in the request, the the id parameter will be used as the default value. |
label | string | Organization label is a user-friendly identifier and also has to be unique across the organizations belonging to the same parent. Labels are shown in the application UI and URLs. This field is optional; if it is not provided, the id parameter will be used instead. This field can be set, but cannot be updated. |
status | string | The initial status the organization should have. Default: active. |
certLimitHard | integer | Hard limit on the number of certificates in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit. |
commercialStatus | string | The initial commercial status for the new organization. Default: internal. |
generateApiCredentials | boolean | If set, creates new master API credentials for the organization. The generated password must be stored by the caller, otherwise it will be lost. Default: false. |
hostDiscoveryAutoimportSubdomains | boolean | If set, newly discovered host that are subdomain of known hosts will be automatically added to the host inventory. Requires featureHostDiscovery to be enabled. Default: false. |
hostDiscoveryExcludeSuffixes | [string] | If provided, this field is a list of domain suffixes that should be ignored during discovery. |
hostDiscoveryEnabled | boolean | Indicates if host discovery is enabled. |
hostDiscoveryLimitHard | integer | Hard limit on the number of host discoveries in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit. |
hostLimitHard | integer | Hard limit on the number of hosts in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit. |
featureHostDiscovery | boolean | If set, enables the host discovery feature. The feature must be available in the parent organization. Default: false. |
featureMfa | boolean | If set, enables multi-factor authentication (MFA). The feature must be available in the parent organization. Default: false |
featureSaml | boolean | If set, enables SAML. The feature must be available in the parent organization. Default: false |
Enumerated Values
Property | Value |
---|---|
status | active |
status | dormant |
status | suspended |
status | deleted |
commercialStatus | free |
commercialStatus | internal |
commercialStatus | paying |
commercialStatus | trial |
CreateOrgResponse
{
"org": {
"id": "hardenize",
"name": "Hardenize",
"status": "active",
"commercialStatus": "internal",
"apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
"apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
"hostDiscoveryAutoimportSubdomains": true,
"hostDiscoveryEnabled": true,
"hostDiscoveryError": "string",
"hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostLimitHard": 10000,
"hostDiscoveryLimitHard": 10000,
"certLimitHard": 75000,
"featureHostDiscovery": false,
"featureMfa": false,
"featureSaml": false
}
}
Properties
Name | Type | Description |
---|---|---|
org* | Organization | none |
CreateGroupRequest
{
"name": "Production",
"auto": true,
"tags": [
"production"
]
}
Properties
Name | Type | Description |
---|---|---|
name* | string | Display name, typically used for human interaction. Groups also have an identifier, which we automatically generate from the names. Group identifiers and names must be unique, after whitespace is trimmed and text converted to lowercase. |
auto | boolean | Indicates if this group is an auto-group, meaning that hosts are added to it and removed from based on whether they have matching tags. Hosts added to a group if they have at least one matching tag. Hosts are removed from a group if they have no matching tags. |
tags | [string] | Tags associated with this group. Auto-groups only. |
UpdateGroupRequest
{
"tags": [
"production"
]
}
Properties
Name | Type | Description |
---|---|---|
tags | [string] | Tags associated with this group. Auto-tags only. |
CreateGroupResponse
{
"group": {
"id": "production",
"name": "Production",
"auto": true,
"tags": [
"production"
]
}
}
Properties
Name | Type | Description |
---|---|---|
group* | Group | The Group object represents one account group. |
CreateSearchRequest
{
"index": "network",
"query": "pki.certs.sha256:f7e960995532d54a845f70e9f3430fccda1f7f3925f874ab50e8105777764d74",
"limit": 10,
"columns": [
"hostname",
"address",
"port"
]
}
Encapsulates parameters required to submit a search. At minimum, provide the index
and query
fields. If you wish to get the data back in CSV format, supply the
desired field names in the columns
field. To know what field names are available, it's
usually best to examine the JSON output of a limited number of results, then re-run the
query to get CSV output.
Properties
Name | Type | Description |
---|---|---|
index* | string | The index against which the supplied query will be executed. |
query* | string | The desired query, using the Elasticsearch query language. |
limit | integer | When provided, the output will be limited to the requested number of results. This parameter can be useful when you're experimenting with a complex query and don't wish to incur the overhead of fetching, downloading, and processing the entire result set. Default: no limit. |
columns | [string] | When this field is provided in the requests, search results will be provided in CSV format with the fields as specified. |
Enumerated Values
Property | Value |
---|---|
index | certificates |
index | network |
CreateTlsCheckRequest
{
"host": "hardenize.com",
"port": 443,
"location": "london",
"resolverStrategy": "all"
}
TLS check parameters.
Properties
Name | Type | Description |
---|---|---|
host* | string | Endpoint hostname, which must be one of the names in the asset inventory. IP addresses are currently not supported. |
port* | integer | Endpoint port, for example 443. |
location* | string | Location from which the check should be performed. |
resolverStrategy | string | DNS resolver strategy to use to convert hostname to IP addresses for testing. Default: all. |
Enumerated Values
Property | Value |
---|---|
resolverStrategy | all |
resolverStrategy | all4 |
resolverStrategy | all6 |
resolverStrategy | one4 |
resolverStrategy | one46 |
resolverStrategy | one6 |
resolverStrategy | one64 |
DeleteHostsRequest
{
"hostnames": [
"example.com"
],
"subdomains": true,
"preview": true
}
Properties
Name | Type | Description |
---|---|---|
hostnames* | [string] | List of hosts to delete. |
subdomains | boolean | If set, indicates that the operation should apply to all the subdomains of the specified hosts. Default: false |
preview | boolean | If set, this parameter enables preview mode, which means that no hosts will be deleted. Instead, the response will include the list of hosts that would have been deleted. Default: false. |
DeleteHostsResponse
{
"hostnames": [
"example.com"
],
"preview": true
}
Properties
Name | Type | Description |
---|---|---|
hostnames* | [string] | List of hosts that have been deleted (or would have been deleted, in preview mode). |
preview* | boolean | Indicates if the action was executed or only previewed. |
Event
{
"id": 10001,
"type": "ct",
"createdOn": "2024-12-20T16:02:26.652Z",
"apiVersion": "0.14.0",
"data": {
"field": "value"
}
}
Event objects are created in response to various things of interest that happen in your
account. They are designed to be a generic storage and retrieval system that can carry
arbitrary embedded objects, which are encoded in JSON format. The type
fields is used as
indicator as to which embedded object is stored in the data
field. We also record the version of the
API at the time the data object was created. Should there be differences in the format, you
can use the apiVersion
field to determine exactly how the data should be handled.
Properties
Name | Type | Description |
---|---|---|
id* | integer | none |
type* | string | none |
createdOn* | string(date-time) | none |
apiVersion* | string | none |
data* | string | none |
EventDestination
{
"destinationId": "pubsub://events/1/1005",
"type": "pubsub",
"project": "hz-events-pubsub",
"topic": "projects/hz-events-pubsub/topics/ep-1-1005",
"subscription": "ep-1-1005",
"subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
}
Contains information about one destination that can be used to receive events.
Properties
Name | Type | Description |
---|---|---|
destinationId* | string | Unique system-generated identifier. |
type* | string | Destination type. Different fields may be available depending on this value. |
project | string | PubSub project name. |
topic | string | PubSub topic name. |
subscription | string | PubSub subscription name. |
subscriberCredentials | string | Contains raw Google GCP service account file that should be used to authenticate when retrieving from the subscription associated with this destination. |
Enumerated Values
Property | Value |
---|---|
type | pubsub |
EventHook
{
"id": "bfc384726b6447a4b70a171de49e466f",
"hookType": "webhook",
"eventTypes": [
"ct.entry"
],
"status": "enabled",
"destination": "https://hardenize.com/webhooks/receive",
"secret": "3685c06a966e4d0ea625d0b475719661"
}
Event hook objects contain information pertaining to a destination to which events are delivered (pushed).
Properties
Name | Type | Description |
---|---|---|
id* | string | Contains the system-generated event hook identifier. This value is strongly random and, because it's provided with every event, can be used for an easy security check on the receiving end. |
hookType* | string | Contains hook type. |
eventTypes* | [string] | Contains the list of event types that will be sent to this hook. |
status* | string | Indicates the current status of the event hook. The normal states are enabled and disabled . If a hook is determine to be inoperational, we will automatically disable it and change its state to failed . |
destination | string | Contains the destination where events will be sent. |
secret* | string | Contains a strongly random secret value unique to this hook. Used to sign events on delivery. |
Enumerated Values
Property | Value |
---|---|
hookType | pubsub |
hookType | webhook |
status | enabled |
status | disabled |
status | failed |
EventType
{
"name": "ct",
"available": true,
"enabled": true
}
Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them.
Properties
Name | Type | Description |
---|---|---|
name* | string | none |
available* | boolean | Specifies whether the account supports generation of this type of event. |
enabled* | boolean | Specifies whether events of this type are currently being generated. |
ErrorMessage
{
"param": "string",
"message": "string"
}
One instance of this object is returned for every problem encountered during request processing. If the object includes parameter name, the problem is related to that parameter, otherwise the problem applies to the request as a whole.
Properties
Name | Type | Description |
---|---|---|
param | string | none |
message* | string | none |
ErrorResponse
{
"errors": [
{
"param": "string",
"message": "string"
}
]
}
This object is returned whenever a processing error occurs. It contains a list of error messages, some of which may be attributed to specific request parameters.
Properties
Name | Type | Description |
---|---|---|
errors* | [ErrorMessage] | [One instance of this object is returned for every problem encountered during request processing. If the object includes parameter name, the problem is related to that parameter, otherwise the problem applies to the request as a whole. ] |
GetCertResponse
{
"cert": {
"shortId": "572908a",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"validation": "dv",
"notBefore": "2024-12-20T16:02:26.654Z",
"notAfter": "2024-12-20T16:02:26.654Z",
"effectiveNotAfter": "2024-12-20T16:02:26.654Z",
"revokedOn": "2024-12-20T16:02:26.654Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"sanCount": 1,
"caPathLen": -1,
"wildcard": true,
"selfSigned": false,
"firstSeen": "2024-12-20T16:02:26.654Z",
"lastSeen": "2024-12-20T16:02:26.654Z",
"seenInstalled": true,
"active": true,
"precert": false,
"duplicate": false,
"managed": true,
"ownership": "own",
"label": "ssl760680.cloudflaressl.com",
"matchesOrgHost": true,
"symantecStatus": "symantecExcluded",
"ctRequired": true,
"ctCompliant": true,
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"origin": "ct",
"originTitle": "CT",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"parentHashes": [
"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
],
"parentHashesSource": "ct",
"parentHashesComplete": true,
"analysis": {
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
},
"matchedHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"thirdPartyHosts": [
"hardenize.com"
],
"deployments": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.663Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.663Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
},
"lifetime": "PT17652H",
"lifetimeDays": 736,
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"caIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
],
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"ctInfos": [
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.663Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
]
},
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
}
}
Properties
Name | Type | Description |
---|---|---|
cert* | Certificate | Contains information about one certificate. |
extras | CertExtras | none |
GetEventResponse
{
"event": {
"id": 10001,
"type": "ct",
"createdOn": "2024-12-20T16:02:26.664Z",
"apiVersion": "0.14.0",
"data": {
"field": "value"
}
}
}
Properties
Name | Type | Description |
---|---|---|
event* | Event | Event objects are created in response to various things of interest that happen in your account. They are designed to be a generic storage and retrieval system that can carry arbitrary embedded objects, which are encoded in JSON format. The type fields is used as indicator as to which embedded object is stored in the data field. We also record the version of the API at the time the data object was created. Should there be differences in the format, you can use the apiVersion field to determine exactly how the data should be handled. |
GetHostDiscoveryResponse
{
"hostDiscovery": {
"discoveryId": 11113,
"autoResolved": false,
"hostname": "www.🔥.hardenize.com",
"discoveredTime": "2024-12-20T16:02:26.664Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"matchInfo": {
"certdno": {
"o": "Cloudflare, Inc."
},
"integration": {
"name": "AWS Production",
"type": "aws",
"ref": "string"
},
"keyword": {
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
},
"mx": {
"mx": "mail.example.com"
},
"nameserver": {
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
},
"rname": {
"email": "postmaster@example.com"
},
"whois": {
"keywords": [
"example.com"
]
}
},
"matchCertDNO": false,
"matchIntegration": true,
"matchKeyword": false,
"matchMx": false,
"matchNameserver": false,
"matchSubdomain": false,
"matchRname": false,
"matchWhois": false,
"resolution": "pending",
"updatedTime": "2024-12-20T16:02:26.665Z"
}
}
Properties
Name | Type | Description |
---|---|---|
hostDiscovery* | HostDiscovery | This object represents our discovery of a host which might be relevant to your organization. |
GetHostDiscoveryKeywordResponse
{
"hostDiscoveryKeyword": {
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
],
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
}
Properties
Name | Type | Description |
---|---|---|
hostDiscoveryKeyword* | HostDiscoveryKeyword | A keyword used for host discovery. |
GetHostDiscoveryNameserverResponse
{
"hostDiscoveryNameserver": {
"hostname": "ns1.hardenize.com",
"punyHostname": "ns1.hardenize.com",
"createdOn": "2020-06-10T15:36:49.044Z",
"enabled": false,
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
}
Properties
Name | Type | Description |
---|---|---|
hostDiscoveryNameserver* | HostDiscoveryNameserver | A keyword used for host discovery. |
GetAccessControlConfigResponse
{
"apiNetworks": [
"127.0.0.1/32"
],
"apiNetworksCascade": "disabled",
"appNetworks": [
"127.0.0.1/32"
],
"appNetworksCascade": "disabled"
}
Current network access configuration.
Properties
Name | Type | Description |
---|---|---|
apiNetworks* | [string] | List of network address ranges from which access to the API should be allowed. Empty list means no restrictions. |
apiNetworksCascade* | string | If set to true, the configured API whitelist is enforced on all child organizations. |
appNetworks* | [string] | List of network address ranges from which access to the web application should be allowed. Empty list means no restrictions. |
appNetworksCascade* | string | If set to true, the configured web application whitelist is enforced on all child organizations. |
Enumerated Values
Property | Value |
---|---|
apiNetworksCascade | disabled |
apiNetworksCascade | enabled |
appNetworksCascade | disabled |
appNetworksCascade | enabled |
GetIssueResponse
{
"integration": {
"issueId": 10001,
"revision": 1,
"definitionId": "DNS1001",
"subject": "OPAQUE",
"subjectDomain": "example.com",
"title": "Dangling Resource Record",
"category": "DNS",
"severity": "high",
"cause": "OPAQUE",
"causeDomain": "nxdomain.example.com",
"causeIp": "192.168.1.1",
"open": true,
"status": "active",
"auto": true,
"autoOpen": true,
"autoPreservedStatus": "string",
"createdOn": "2022-06-17T00:00:00Z",
"lastClosed": "2022-06-17T00:00:00Z",
"lastUpdated": "2022-06-17T00:00:00Z",
"lastChecked": "2022-06-17T00:00:00Z",
"lastConfirmed": "2022-06-17T00:00:00Z",
"snoozedUntil": "2022-06-17T00:00:00Z",
"details": {
"@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
"rrDomain": "example.com",
"rrEffectiveDomain": "_xmpp-server._tcp.example.com",
"rrType": "SRV",
"danglingType": "nxdomain",
"causeDomain": "nxdomain.example.com"
},
"groups": [
"Product"
]
}
}
Properties
Name | Type | Description |
---|---|---|
integration | Issue | none |
SetupAwsIntegrationsResponse
{
"externalId": "hardenize-1uspdz"
}
Information needed to set up an AWS integration.
Properties
Name | Type | Description |
---|---|---|
externalId* | string | The externalId parameter to use when creating the integration AWS role. |
SetupGcpIntegrationsResponse
{
"serviceAccount": "integration-customer-abc123@hardenize-app-production.iam.gserviceaccount.com"
}
Information needed to set up a GCP integration.
Properties
Name | Type | Description |
---|---|---|
serviceAccount* | string | Email address of the service account you need to grant access for |
HostExclusionsResponse
{
"hostExclusions": [
"example.com"
]
}
The current list of host exclusions.
Properties
Name | Type | Description |
---|---|---|
hostExclusions | [string] | none |
HostDefaultsResponse
{
"newHostStatus": "archived",
"newHostInheritStatus": true,
"newHostInheritGroup": false
}
The current host defaults configuration.
Properties
Name | Type | Description |
---|---|---|
newHostStatus | string | The new host status. |
newHostInheritStatus | boolean | The new host inherit status. |
newHostInheritGroup | boolean | The new host inherit group. |
Enumerated Values
Property | Value |
---|---|
newHostStatus | archived |
newHostStatus | monitored |
newHostStatus | idle |
UpdateHostDefaultsRequest
{
"newHostStatus": "archived",
"newHostInheritStatus": true,
"newHostInheritGroup": false
}
When set default host configuration is overwritten.
Properties
Name | Type | Description |
---|---|---|
newHostStatus | string | The new host status. |
newHostInheritStatus | boolean | The new host inherit status. |
newHostInheritGroup | boolean | The new host inherit group. |
Enumerated Values
Property | Value |
---|---|
newHostStatus | archived |
newHostStatus | monitored |
newHostStatus | idle |
UpdateHostExclusionsRequest
{
"hostExclusions": [
[
"example.com"
]
]
}
List of hosts to exclude
Properties
Name | Type | Description |
---|---|---|
hostExclusions | [string] | none |
CertificateMonitoringResponse
{
"notificationsEmailAddresses": [
"dev@hardenize.com"
],
"notificationsCustomText": "This is a custom text message",
"pkiTeamId": "devteam",
"notificationsSendOverdue": false,
"notificationsSendCritical": false,
"certsDueDays": 45,
"certsOverdueDays": 6,
"certsCriticalDays": 2,
"vendorCertsCriticalDays": 2,
"monitorNetworks": true,
"includeNetworks": [
"127.0.0.1/32"
],
"excludeNetworks": [
"127.0.0.1/32"
]
}
The current certificate monitoring configuration.
Properties
Name | Type | Description |
---|---|---|
notificationsEmailAddresses | [string] | none |
notificationsCustomText | string | none |
pkiTeamId | string | none |
notificationsSendOverdue | boolean | none |
notificationsSendCritical | boolean | none |
certsDueDays | integer(int32) | none |
certsOverdueDays | integer(int32) | none |
certsCriticalDays | integer(int32) | none |
vendorCertsCriticalDays | integer(int32) | none |
monitorNetworks | boolean | none |
includeNetworks | [cidr] | Contains a list of network ranges that are included in certificate monitoring. |
excludeNetworks | [cidr] | Contains a list of network ranges that are excluded from certificate monitoring. |
UpdateCertificateMonitoringRequest
{
"notificationsEmailAddresses": [
"dev@hardenize.com"
],
"notificationsCustomText": "This is a custom notification text",
"pkiTeamId": "devteam",
"notificationsSendOverdue": false,
"notificationsSendCritical": true,
"certsDueDays": 45,
"certsOverdueDays": 12,
"certsCriticalDays": 6,
"vendorCertsCriticalDays": 6,
"monitorNetworks": true,
"includeNetworks": [
"127.0.0.1/32"
],
"excludeNetworks": [
"127.0.0.1/32"
]
}
When set the default certificate monitoring configuration is overwritten.
Properties
Name | Type | Description |
---|---|---|
notificationsEmailAddresses | [string] | none |
notificationsCustomText | string | none |
pkiTeamId | string | If not supplied, the value remains the same as before. To delete, use an empty string |
notificationsSendOverdue | boolean | none |
notificationsSendCritical | boolean | none |
certsDueDays | integer(int32) | none |
certsOverdueDays | integer(int32) | none |
certsCriticalDays | integer(int32) | none |
vendorCertsCriticalDays | integer(int32) | none |
monitorNetworks | boolean | none |
includeNetworks | [cidr] | Contains a list of IP address range in CIDR notation that are included in certificate monitoring |
excludeNetworks | [cidr] | Contains a list of IP address range in CIDR notation that are excluded from certificate monitoring |
CtMonitoringResponse
{
"discoveryEmailNotifications": "escalations",
"closeCertKnown": false,
"closeCertInstalled": false,
"closeCertExpired": false,
"closeCertRevoked": false,
"closeCaaMatchFull": false,
"closeIssuerAllowed": false,
"closeAllowedIssuerKeywords": [
"string"
],
"closeAllowedIssuerKeywordsOverrides": [
{
"pattern": "string",
"keywords": [
"string"
]
}
],
"closeCaseInactive": true,
"closeCaseInactiveDays": 60,
"escalateCertNotInstalled": false,
"escalateCertNotInstalledDays": 120,
"escalateCaaMismatch": true,
"escalateCertNotCtCompliant": false,
"escalateIssuerNotAllowed": false,
"escalateIssuerForbidden": true,
"escalateForbiddenIssuerKeywords": [
"forbidden"
],
"escalateCertMaxLifetimeExceeded": false
}
The current certificate transparency monitoring configuration.
Properties
Name | Type | Description |
---|---|---|
discoveryEmailNotifications | string | The discovery email notification recipients. |
closeCertKnown | boolean | none |
closeCertInstalled | boolean | none |
closeCertExpired | boolean | none |
closeCertRevoked | boolean | none |
closeCaaMatchFull | boolean | none |
closeIssuerAllowed | boolean | none |
closeAllowedIssuerKeywords | [string] | none |
closeAllowedIssuerKeywordsOverrides | [CloseAllowedIssuerKeywordsOverride] | [Allowed issuer keywords to override ] |
closeCaseInactive | boolean | none |
closeCaseInactiveDays | integer(int32) | none |
escalateCertNotInstalled | boolean | none |
escalateCertNotInstalledDays | integer(int32) | none |
escalateCaaMismatch | boolean | none |
escalateCertNotCtCompliant | boolean | none |
escalateIssuerNotAllowed | boolean | none |
escalateIssuerForbidden | boolean | none |
escalateForbiddenIssuerKeywords | [string] | none |
escalateCertMaxLifetimeExceeded | boolean | none |
Enumerated Values
Property | Value |
---|---|
discoveryEmailNotifications | all |
discoveryEmailNotifications | escalations |
discoveryEmailNotifications | none |
CloseAllowedIssuerKeywordsOverride
{
"pattern": "string",
"keywords": [
"string"
]
}
Allowed issuer keywords to override
Properties
Name | Type | Description |
---|---|---|
pattern | string | none |
keywords | [string] | none |
UpdateCtMonitoringRequest
{
"discoveryEmailNotifications": "escalations",
"closeCertKnown": false,
"closeCertInstalled": true,
"closeCertExpired": false,
"closeCertRevoked": true,
"closeCaaMatchFull": false,
"closeIssuerAllowed": true,
"closeAllowedIssuerKeywords": [
"string"
],
"closeAllowedIssuerKeywordsOverrides": [
{
"pattern": "string",
"keywords": [
"string"
]
}
],
"closeCaseInactive": false,
"closeCaseInactiveDays": true,
"escalateCertNotInstalled": false,
"escalateCertNotInstalledDays": true,
"escalateCaaMismatch": true,
"escalateCertNotCtCompliant": false,
"escalateIssuerNotAllowed": true,
"escalateIssuerForbidden": false,
"escalateForbiddenIssuerKeywords": [
"string"
],
"escalateCertMaxLifetimeExceeded": true
}
New CT monitoring configuration
Properties
Name | Type | Description |
---|---|---|
discoveryEmailNotifications | string | The discovery email notification recipients. |
closeCertKnown | boolean | none |
closeCertInstalled | boolean | none |
closeCertExpired | boolean | none |
closeCertRevoked | boolean | none |
closeCaaMatchFull | boolean | none |
closeIssuerAllowed | boolean | none |
closeAllowedIssuerKeywords | [string] | none |
closeAllowedIssuerKeywordsOverrides | [CloseAllowedIssuerKeywordsOverride] | [Allowed issuer keywords to override ] |
closeCaseInactive | boolean | none |
closeCaseInactiveDays | integer(int32) | none |
escalateCertNotInstalled | boolean | none |
escalateCertNotInstalledDays | integer(int32) | none |
escalateCaaMismatch | boolean | none |
escalateCertNotCtCompliant | boolean | none |
escalateIssuerNotAllowed | boolean | none |
escalateIssuerForbidden | boolean | none |
escalateForbiddenIssuerKeywords | [string] | none |
escalateCertMaxLifetimeExceeded | boolean | none |
Enumerated Values
Property | Value |
---|---|
discoveryEmailNotifications | all |
discoveryEmailNotifications | escalations |
discoveryEmailNotifications | none |
GetMfaConfigResponse
{
"mfaRequired": true
}
The current multi-factor authentication (MFA) configuration.
Properties
Name | Type | Description |
---|---|---|
mfaRequired* | boolean | If set, all users must have multi-factor enabled in order to access this organization. |
UpdateAwsIntegrationConfig
{
"accountId": "123456789012"
}
Properties
Name | Type | Description |
---|---|---|
accountId | string | The account identifier of the AWS Role created for this integration. The identifier is just the number part of the entire Amazon Role Number (ARN) string. |
UpdateAzureIntegrationConfig
{
"clientId": "a85f9541-6472-054d-af7b-802663282441",
"tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43",
"secret": "2q4xUYw/rTp3qoJ9x=pP.KXwUq?mnPO/"
}
Properties
Name | Type | Description |
---|---|---|
clientId | string | Azure client identifier. |
tenantId | string | Azure tenant identifier. |
secret | string | Azure secret token. |
UpdateCloudflareIntegrationConfig
{
"apiKey": "uhhiGI7ghuoiuhIU2feu",
"authKey": "a986c4a2d345acd9663018742f3600bf9edba",
"email": "postmaster@example.com"
}
Properties
Name | Type | Description |
---|---|---|
apiKey | string | The Cloudflare API key |
authKey | string | Cloudflare global api key (legacy auth) |
string | none |
UpdateCscIntegrationConfig
{
"apiKey": "23g923guh3uh2gj2dokd",
"bearerToken": "483fabc7-1234-4321-f12f-f48a8de8f3cf"
}
Properties
Name | Type | Description |
---|---|---|
apiKey | string | The CSC API key |
bearerToken | string | The CSC API bearer token |
UpdateDigiCertIntegrationConfig
{
"apiKey": "52YEKYDT7FARJTGWCN5B7K7YNME3APZOMP4X"
}
Properties
Name | Type | Description |
---|---|---|
apiKey | string | The DigiCert API key |
UpdateGcpIntegrationConfig
{
"project": "green-lantern-324920"
}
Properties
Name | Type | Description |
---|---|---|
project | string | The GCP project name |
UpdateMarkMonitorIntegrationConfig
{
"username": "user",
"password": "pass"
}
Properties
Name | Type | Description |
---|---|---|
username | string | The MarkMonitor API username |
password | string | The MarkMonitor API password |
UpdateSafenamesIntegrationConfig
{
"username": "user",
"password": "pass"
}
Properties
Name | Type | Description |
---|---|---|
username | string | The Safenames username |
password | string | The Safenames password |
UpdateNs1IntegrationConfig
{
"apiKey": "uhhiGI7ghuoiuhIU2feu"
}
Properties
Name | Type | Description |
---|---|---|
apiKey | string | The DigiCert API key |
UpdateIntegrationRequest
{
"name": "My Test Integration",
"ref": "348394209898",
"tags": [
"production"
],
"enabled": true,
"config": {
"accountId": "123456789012"
}
}
This object is designed to carry the information you wish to use
to update a particular integration. Include only the fields
you wish to change; all other fields will remain unchanged. The
data in the config
field must be appropriate for the integration type.
Properties
Name | Type | Description |
---|---|---|
name | string | Name to assign to integration. Must be unique. |
ref | string | Integration reference; this field should contain the other party's unique account identifier, enabling you to know exactly which account we're connecting to. |
tags | [string] | A list of tags. Tags are added to resources fetched from your configured integration. Tag names can use only letters and digits. |
enabled | boolean | Whether or not the integration should be enabled immediately. |
config | any | Integration-specific configuration parameters, matching the selected integration as specified in the type parameter. |
oneOf
Name | Type | Description |
---|---|---|
» anonymous | UpdateAwsIntegrationConfig | none |
xor
Name | Type | Description |
---|---|---|
» anonymous | UpdateAzureIntegrationConfig | none |
xor
Name | Type | Description |
---|---|---|
» anonymous | UpdateCloudflareIntegrationConfig | none |
xor
Name | Type | Description |
---|---|---|
» anonymous | UpdateCscIntegrationConfig | none |
xor
Name | Type | Description |
---|---|---|
» anonymous | UpdateDigiCertIntegrationConfig | none |
xor
Name | Type | Description |
---|---|---|
» anonymous | UpdateGcpIntegrationConfig | none |
xor
Name | Type | Description |
---|---|---|
» anonymous | UpdateNs1IntegrationConfig | none |
GetIdentityResponse
{
"identity": {
"identityId": 11113,
"type": "dns_soa_rname",
"enabled": true,
"identity": "postmaster@example.com",
"createdOn": "2024-12-20T16:02:26.670Z",
"lastSeen": "2024-12-20T16:02:26.670Z",
"lastCheck": "2024-12-20T16:02:26.670Z",
"error": "Not a unique identity.",
"errorTime": "2024-12-20T16:02:26.670Z"
}
}
Properties
Name | Type | Description |
---|---|---|
identity* | Identity | This object represents an identity. |
Identity
{
"identityId": 11113,
"type": "dns_soa_rname",
"enabled": true,
"identity": "postmaster@example.com",
"createdOn": "2024-12-20T16:02:26.670Z",
"lastSeen": "2024-12-20T16:02:26.670Z",
"lastCheck": "2024-12-20T16:02:26.670Z",
"error": "Not a unique identity.",
"errorTime": "2024-12-20T16:02:26.670Z"
}
This object represents an identity.
Properties
Name | Type | Description |
---|---|---|
identityId* | integer | A unique identifier which you can use to refer to a particular identity when updating. |
type* | string | The type of identity, for example WHOIS registrant or email address. |
enabled* | boolean | If this identity is enabled for discovery |
identity* | string | The identity text. |
createdOn* | string(date-time) | Indicates when was the first time we observed this identity. |
lastSeen* | string(date-time) | Indicates the last time we observed this identity. |
lastCheck | string(date-time) | Indicates the last time we looked for new assets connected to this identity. |
error | string | The text of the error message. If an error occurs, the identity may be disabled. This may happen if a shared identity is initially added as unique, but later determined to actually be shared. |
errorTime | string(date-time) | Contains the time of the most recent error related to this identity. |
Enumerated Values
Property | Value |
---|---|
type | cert_dn_o |
type | dns_mx |
type | dns_soa_rname |
type | whois_email |
type | whois_registrant |
GetIntegrationResponse
{
"integration": {
"integrationId": 1,
"name": "My Test Integration",
"ref": "348394209898",
"type": "aws",
"enabled": true,
"tags": [
"production"
],
"error": "Invalid credentials for logging in to integration",
"errorTime": "2024-12-20T16:02:26.671Z",
"nextRunTime": "2024-12-20T16:02:26.671Z",
"lastRunTime": "2024-12-20T16:02:26.671Z",
"lastRunErrors": [
"Unable to obtain list of registered domain names."
],
"config": {
"accountId": "string"
}
}
}
Properties
Name | Type | Description |
---|---|---|
integration* | Integration | Represents a third-party integration. |
UpdateIntegrationResponse
{
"integration": {
"integrationId": 1,
"name": "My Test Integration",
"ref": "348394209898",
"type": "aws",
"enabled": true,
"tags": [
"production"
],
"error": "Invalid credentials for logging in to integration",
"errorTime": "2024-12-20T16:02:26.671Z",
"nextRunTime": "2024-12-20T16:02:26.671Z",
"lastRunTime": "2024-12-20T16:02:26.671Z",
"lastRunErrors": [
"Unable to obtain list of registered domain names."
],
"config": {
"accountId": "string"
}
}
}
Properties
Name | Type | Description |
---|---|---|
integration* | Integration | Represents a third-party integration. |
UpdateMfaConfigRequest
{
"mfaRequired": true
}
Desired changes to the multi-factor authentication configuration.
Properties
Name | Type | Description |
---|---|---|
mfaRequired | boolean | If set, all users must have multi-factor enabled in order to access this organization. |
UpdateMfaConfigResponse
{
"mfaRequired": true
}
The multi-factor authentication (MFA) configuration after a successful update operation.
Properties
Name | Type | Description |
---|---|---|
mfaRequired* | boolean | If set, all users must have multi-factor enabled in order to access this organization. |
GetNetworkScanningConfigResponse
{
"netscanStatic": true,
"netscanDynamic": true,
"monitorCloudIps": true,
"netscanExclusions": [
"127.0.0.1/32"
]
}
The current network scanning configuration.
Properties
Name | Type | Description |
---|---|---|
netscanStatic* | boolean | If set, scanning of static networks is enabled. For the scanning to take place, individual networks must be explicitly configured for scanning. |
netscanDynamic* | boolean | If set to true, scanning of dynamic IP addresses resolved from the organization's hostnames is enabled. |
monitorCloudIps* | boolean | If set to true, scanning of IP addresses discovered by cloud integrations is enabled. |
netscanExclusions* | [cidr] | Contains a list of network ranges that will be excluded from network scanning. |
GetSamlConfigResponse
{
"enabled": true,
"idpMetadata": "string"
}
The current SAML configuration.
Properties
Name | Type | Description |
---|---|---|
enabled* | boolean | If set, SAML will be available during sign in, provided the IdP metadata has been correctly configured. |
idpMetadata | string | Identity Provider (IdP) metadata XML. |
UpdateSamlConfigRequest
{
"enabled": true,
"idpMetadata": "string"
}
Encapsulates desired changes to the SAML cofiguration.
Properties
Name | Type | Description |
---|---|---|
enabled | boolean | If set, enables SAML for this organization. Requires correctly configured IdP metadata. |
idpMetadata | string | Identity Provider (IdP) metadata XML. To remove existing metadata, set this value to an empty string. This will be detected and the field will be set to null. |
UpdateSamlConfigResponse
{
"enabled": true,
"idpMetadata": "string"
}
The SAML configuration after a successful update operation.
Properties
Name | Type | Description |
---|---|---|
enabled* | boolean | If set, SAML will be available during sign in, provided the IdP metadata has been correctly configured. |
idpMetadata | string | Identity Provider (IdP) metadata XML. |
OperationStatus
{
"id": "6e7b190fa8d4ba14f707",
"done": true,
"statusCode": 200,
"contentType": "application/json; charset=UTF-8",
"pages": 10,
"rows": 2494,
"rowsPerPage": 250
}
Properties
Name | Type | Description |
---|---|---|
id* | string | Unique operation identifier. |
done* | boolean | If false , indicates that the operation is still in progress. If true , indicates that all processing ended. |
statusCode | integer | HTTP status code of the operation, typically 200 (completed), 400 (bad request), 404 (requested data not found), 410 (operation cancelled), 500 (internal server error), 502 (remote server or service malfunctioned), and 503 (remote server or service not available). This field is available only after operation completes. |
contentType | string | The content type associated with operation results. |
pages | integer | How many pages there there in the operation result. |
rows | integer | Total number of rows in the operation result. |
rowsPerPage | integer | How many rows there are in each result page. |
FetchDigiCertOrderRequest
{}
This object is currently only a placeholder that's used to support adding additional fetch parameters in the future. For now, only an empty object is required to be included in the request body.
Properties
None
GetOrgResponse
{
"suborg": {
"id": "hardenize",
"name": "Hardenize",
"status": "active",
"commercialStatus": "internal",
"apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
"apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
"hostDiscoveryAutoimportSubdomains": true,
"hostDiscoveryEnabled": true,
"hostDiscoveryError": "string",
"hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostLimitHard": 10000,
"hostDiscoveryLimitHard": 10000,
"certLimitHard": 75000,
"featureHostDiscovery": false,
"featureMfa": false,
"featureSaml": false
}
}
Properties
Name | Type | Description |
---|---|---|
suborg | Organization | none |
Group
{
"id": "production",
"name": "Production",
"auto": true,
"tags": [
"production"
]
}
The Group object represents one account group.
Properties
Name | Type | Description |
---|---|---|
id* | string | none |
name* | string | none |
auto* | boolean | True if this group is an auto-group. |
tags | [string] | Tags associated with this group. Auto-groups only. |
HdbCertsByHostSuffixRequest
{
"host": "example.com",
"includeExactMatch": true,
"includeWildcardMatch": true,
"includeSubDomains": true,
"includePem": true,
"limit": 100
}
Parameters for a HDB search of public certificates by host suffix. You must supply at least one of includeExactMatch
, includeWildcardMatch
or includeSubDomains
.
Properties
Name | Type | Description |
---|---|---|
host* | string | Host suffix to search by (e.g., example.com). |
includeExactMatch | boolean | Include certificates containing the exact hostname. Default: false. |
includeWildcardMatch | boolean | Include certificates that match the host suffix due to containing a wildcard in them. For example, for www.example.com, a wildcard match would include certificates with *.example.com. Default: false. |
includeSubDomains | boolean | Include certificates containing any subdomain of the supplied host suffix. Default: false. |
includePem | boolean | Include the raw certificate in PEM format. Default: false. |
limit | integer | Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit. |
HdbCertsByKeywordRequest
{
"keyword": "example",
"includePem": true,
"limit": 100
}
Parameters for a HDB search of public certificates by keyword.
Properties
Name | Type | Description |
---|---|---|
keyword* | string | The keyword to be used in the search. |
includePem | boolean | Include the raw certificate in PEM format. Default: false. |
limit | integer | Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit. |
HdbCertsBySpkiRequest
{
"spki": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"includePem": true,
"limit": 100
}
Parameters for a HDB search of public certificates by SPKI.
Properties
Name | Type | Description |
---|---|---|
spki* | string | SHA256 hash of the requested SPKI. |
includePem | boolean | Include the raw certificate in PEM format. Default: false. |
limit | integer | Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit. |
HdbCertResponse
{
"cert": {
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"unpacked": {
"label": "www.example.com",
"subject": "CN=www.example.com",
"commonNames": [
"www.example.com"
],
"san": [
"mail.example.com"
],
"ski": "af47cb938e299991ec6538685ec20affbf817b2f",
"issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
"issuer": "Let's Encrypt Authority X3",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
"notBefore": "2024-12-20T16:02:26.675Z",
"notAfter": "2024-12-20T16:02:26.675Z",
"issuerUrls": [
"http://cert.int-x3.letsencrypt.org/"
],
"crlUrls": [
"http://crl.pki.goog/GTS1O1.crl"
],
"ocspUrls": [
"http://ocsp.pki.goog/gts1o1"
],
"fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
"fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
"keyUsage": [
"keyEncipherment"
],
"extendedKeyUsage": [
"serverAuth"
],
"scts": [
{
"logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
"logName": "DigiCert Yeti2020 Log",
"timestamp": "2024-12-20T16:02:26.675Z"
}
],
"mustStaple": true,
"sigAlg": {
"oid": "1.2.840.113549.1.1.11",
"name": "SHA256withRSA"
},
"subjectKey": {
"algName": "RSA",
"bits": 2048,
"strength": 112,
"spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
},
"ca": true,
"caPathLen": 1
}
}
}
A single certificate returned by a HDB search.
Properties
Name | Type | Description |
---|---|---|
cert* | HdbCert | A certificate as returned by a HDB search. |
HdbCertsListResponse
{
"certs": [
{
"sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"subject": "CN=www.example.com",
"notAfter": "2024-12-20T16:02:26.676Z",
"names": [
"example.com"
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM="
}
]
}
A list of certificates as returned by a HDB search.
Properties
Name | Type | Description |
---|---|---|
certs* | [HdbCertsListCert] | [A certificate as returned by a HDB search.] |
HdbCertsListCert
{
"sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"subject": "CN=www.example.com",
"notAfter": "2024-12-20T16:02:26.676Z",
"names": [
"example.com"
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM="
}
A certificate as returned by a HDB search.
Properties
Name | Type | Description |
---|---|---|
sha256* | string | SHA256 hash of the certificate. |
spkiSha256* | string | Hex-encoded SHA256 of the certificate's SPKI component. |
subject* | string | Certificate subject Distinguished Name in text format. |
notAfter* | string(date-time) | ISO 8601 timestamp. |
names | [string] | none |
pem | string | Base64-encoded certificate in DER format. |
HdbCert
{
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"unpacked": {
"label": "www.example.com",
"subject": "CN=www.example.com",
"commonNames": [
"www.example.com"
],
"san": [
"mail.example.com"
],
"ski": "af47cb938e299991ec6538685ec20affbf817b2f",
"issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
"issuer": "Let's Encrypt Authority X3",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
"notBefore": "2024-12-20T16:02:26.676Z",
"notAfter": "2024-12-20T16:02:26.676Z",
"issuerUrls": [
"http://cert.int-x3.letsencrypt.org/"
],
"crlUrls": [
"http://crl.pki.goog/GTS1O1.crl"
],
"ocspUrls": [
"http://ocsp.pki.goog/gts1o1"
],
"fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
"fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
"keyUsage": [
"keyEncipherment"
],
"extendedKeyUsage": [
"serverAuth"
],
"scts": [
{
"logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
"logName": "DigiCert Yeti2020 Log",
"timestamp": "2024-12-20T16:02:26.676Z"
}
],
"mustStaple": true,
"sigAlg": {
"oid": "1.2.840.113549.1.1.11",
"name": "SHA256withRSA"
},
"subjectKey": {
"algName": "RSA",
"bits": 2048,
"strength": 112,
"spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
},
"ca": true,
"caPathLen": 1
}
}
A certificate as returned by a HDB search.
Properties
Name | Type | Description |
---|---|---|
pem* | string | Base64-encoded certificate in DER format. |
unpacked | UnpackedCert | Various information parsed from the certificate. |
Host
{
"hostname": "🔥.hardenize.com",
"punyHostname": "xn--4v8h.hardenize.com",
"createdOn": "2024-12-20T16:02:26.677Z",
"status": "archived",
"axfr": "enabled",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"algorithm": "HMAC_MD5",
"name": "thename"
},
"lastAxfrTime": "2024-12-20T16:02:26.677Z",
"axfrError": "string",
"lastAxfrErrorTime": "2024-12-20T16:02:26.677Z",
"lastRegLookupTime": "2024-12-20T16:02:26.677Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"nx": true,
"nxTime": "2024-12-20T16:02:26.677Z",
"regRegistry": true,
"regPublic": true,
"regNx": false,
"regNxTime": "2024-12-20T16:02:26.677Z",
"lastAssessmentTime": "2024-12-20T16:02:26.677Z",
"assessmentError": "Host not found",
"lastAssessmentAttemptTime": "2024-12-20T16:02:26.677Z",
"groups": [
"mygroup"
],
"tags": [
"production"
],
"domainRegistrant": "string",
"domainRegistrarName": "string",
"domainStatuses": [
"string"
],
"domainCreationTime": "2024-12-20T16:02:26.677Z",
"domainExpireTime": "2024-12-20T16:02:26.677Z",
"domainRegistryLock": false,
"domainRegistrarLock": false,
"domainLookupStatus": "string",
"config": {},
"classificationStatus": "active",
"classificationTags": [
"signin"
]
}
The Host object represents one of your hosts that resides in our database.
Properties
Name | Type | Description |
---|---|---|
hostname* | string | A fully-qualified domain name. |
punyHostname | string | A fully-qualified domain name, as Punycode. |
createdOn* | string(date-time) | none |
status* | string | This host's monitoring status. If the status is monitored , we're going to use all account features to monitor this host, including active network monitoring. If the status is idle , we're going to use only passive information gathering (e.g., via Certificate Transparency). If the status is archived , we're not going to perform any host-related activity, but existing data will be preserved. This status is intended for use with hosts that are no longer of interest, but whose history should be preserved. |
axfr | string | If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to auto which is a setting that is reserved for a future expansion and currently has the same meaning as disabled . To enable zone transfers, change the value of this field to enabled . |
axfrHost | string | Instead of doing AXFRs from the primary nameserver as per the zone's SOA record, use this hostname or IP address instead. |
axfrTsig | HostAxfrTsig | none |
lastAxfrTime | string(date-time) | The time of the last successful zone transfer. |
axfrError | string | The error message associated with the last unsuccessful zone transfer. |
lastAxfrErrorTime | string(date-time) | The time of the last unsuccessful zone transfer. |
lastRegLookupTime | string(date-time) | The time of the last successful domain registration lookup |
origin* | string | Indication of where this host came from. |
originTitle | string | Human readable version of the origin enum value |
originInfo | OriginInfo | Further information about the origin. For example, if the origin is cert , then this field will identify the actual certificate. |
nx* | boolean | If true, this host effectively doesn't exist in the DNS. |
nxTime | string(date-time) | When nx is true, this field contains the timestamp of when we first detected that it no longer exists in the DNS. |
regRegistry* | boolean | True if this host is a registrable domain name under a registry (IANA) suffix. If this field is true then regPublic will also be true. Updated based on the latest Public Suffix List information. |
regPublic* | boolean | True if this host is a registrable domain name under any public suffix. This field can be true when regRegistry is not. Updated based on the latest Public Suffix List information. |
regNx | boolean | If true, this field indicates that the registrable domain doesn't exist. Absent if the host is not a registrable domain name. |
regNxTime | string(date-time) | When regNx is true, this field contains the timestamp of when we first detected that the registrable domain name no longer exists. |
lastAssessmentTime | string(date-time) | The time of the last successful assessment. |
assessmentError | string | Error message, which is available only if the last assessment resulted in an error. |
lastAssessmentAttemptTime | string(date-time) | When was the last assessment attempted? |
groups* | [string] | Under Development: Identifiers of all groups this host belongs to. |
tags* | [string] | none |
domainRegistrant | string | The individual or entity who registers a domain name. |
domainRegistrarName | string | The name of the domain registrar with whom the domain name is registered. |
domainStatuses | [string] | The statuses of the domain name within the domain registry. |
domainCreationTime | string(date-time) | The date and time when the domain name was initially registered or create. |
domainExpireTime | string(date-time) | The date and time when the domain registration is set to expire. |
domainRegistryLock | boolean | This field indicates whether the domain name has a registry lock applied to it. |
domainRegistrarLock | boolean | This field indicates whether the domain name has a registrar lock applied to it. |
domainLookupStatus | string | Represents the status of the domain ok, if present otherwise unknown |
config | object | Under Development: This field is an object that contains detailed host configuration. It's not fully documented at this time because we're still working on the data model. You can use the data in this field if it's useful to you, but do note that the format is very likely to change. |
classificationStatus | string | Represents the status of content classification |
classificationTags | [string] | A list of content classification tags |
Enumerated Values
Property | Value |
---|---|
status | archived |
status | idle |
status | monitored |
axfr | auto |
axfr | enabled |
axfr | disabled |
origin | cert |
origin | ct |
origin | hdb |
origin | manual |
classificationStatus | active |
classificationStatus | inactive |
classificationStatus | parked |
HostAxfrTsig
{
"algorithm": "HMAC_MD5",
"name": "thename"
}
Properties
Name | Type | Description |
---|---|---|
algorithm* | string | Axfr transfer algorithm |
name* | string | Axfr transfer name |
Enumerated Values
Property | Value |
---|---|
algorithm | HMAC_MD5 |
algorithm | HMAC_SHA1 |
algorithm | HMAC_SHA224 |
algorithm | HMAC_SHA256 |
algorithm | HMAC_SHA384 |
algorithm | HMAC_SHA512 |
HostDiscovery
{
"discoveryId": 11113,
"autoResolved": false,
"hostname": "www.🔥.hardenize.com",
"discoveredTime": "2024-12-20T16:02:26.678Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"matchInfo": {
"certdno": {
"o": "Cloudflare, Inc."
},
"integration": {
"name": "AWS Production",
"type": "aws",
"ref": "string"
},
"keyword": {
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
},
"mx": {
"mx": "mail.example.com"
},
"nameserver": {
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
},
"rname": {
"email": "postmaster@example.com"
},
"whois": {
"keywords": [
"example.com"
]
}
},
"matchCertDNO": false,
"matchIntegration": true,
"matchKeyword": false,
"matchMx": false,
"matchNameserver": false,
"matchSubdomain": false,
"matchRname": false,
"matchWhois": false,
"resolution": "pending",
"updatedTime": "2024-12-20T16:02:26.678Z"
}
This object represents our discovery of a host which might be relevant to your organization.
Properties
Name | Type | Description |
---|---|---|
discoveryId* | integer | A unique identifier which you can use to refer to a particular host discovery when updating |
autoResolved* | boolean | We may have automatically resolved your discovery. If we have, this will be set to true |
hostname* | string | The hostname that we discovered, that we think might be relevant to you |
discoveredTime | string(date-time) | The date and time that we made this particular discovery |
origin* | string | The location at which we discovered the hostname. |
originTitle | string | Human readable version of the origin enum value |
originInfo | OriginInfo | Further information about the origin. For example, if the origin is cert , then this field will identify the actual certificate. |
matchInfo | MatchInfo | Information describing how the discovery came about. |
matchCertDNO | boolean | True if discovery matched a certificates DN O field |
matchIntegration | boolean | True if discovery was via a configured integration. |
matchKeyword | boolean | True if discovery matched a keyword. |
matchMx | boolean | True if discovery was via our DNS MX lookup. |
matchNameserver | boolean | True if discovery was via our nameserver lookup. |
matchSubdomain | boolean | True if discovery is a subdomain of a known host. |
matchRname | boolean | True if discovery was via our DNS SOA RNAME lookup. |
matchWhois | boolean | True if discovery was via our whois lookup. |
resolution* | string | The current resolution state of the discovery. This is usually set to "pending" to indicate that you should resolve the discovery in some manner. |
updatedTime | string(date-time) | The date and time that this discovery was last updated |
Enumerated Values
Property | Value |
---|---|
origin | cert |
origin | ct |
origin | hdb |
origin | manual |
resolution | pending |
resolution | own |
resolution | supplier |
resolution | unrelated |
resolution | infringing |
resolution | phishing |
HostDiscoveryKeyword
{
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
],
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
A keyword used for host discovery.
Properties
Name | Type | Description |
---|---|---|
keyword* | string | The text to match with. Must consist of only lowercase letters, digits, dashes, and periods. It also must contain at least 5 characters and not more than 32. |
enabled* | boolean | Indicates if the keyword is currently active. |
matchScope* | string | Determines what type of results the keyword will look for. |
matchPosition* | string | Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant. |
matchExact* | boolean | If set, enables exact matching. |
matchFuzzy* | boolean | If set, enables fuzzy matching. |
matchConfusables* | boolean | If set, enables mathing of confusable characters and homographes. |
exclusions* | [string] | Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored. |
error | string | If keyword had been disabled because of an error, this field contains the error message. |
errorTime | string(date-time) | If keyword had been disabled because of an error, this field contains the time the disabling took place. |
Enumerated Values
Property | Value |
---|---|
matchScope | all |
matchScope | domains |
matchPosition | anywhere |
matchPosition | label, |
matchPosition | labelStart |
matchPosition | labelEnd |
matchPosition | labelStartOrEnd |
HostDiscoveryNameserver
{
"hostname": "ns1.hardenize.com",
"punyHostname": "ns1.hardenize.com",
"createdOn": "2020-06-10T15:36:49.044Z",
"enabled": false,
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
A keyword used for host discovery.
Properties
Name | Type | Description |
---|---|---|
hostname | string | A fully-qualified domain name. |
punyHostname | string | A fully-qualified domain name, as Punycode. |
createdOn | string(date-time) | Holds nameserver creation timestamp. |
enabled | boolean | Indicates whether this nameserver is used for discovery. Nameservers are enabled by default and this field set to true. Nameservers that return too many matches (typically an indication of shared nameservers) will be disabled with an error message and timestamp provided. |
error | string | When nameserver is disabled by the system, this field contains the error message that explains the problem. |
errorTime | string(date-time) | Holds error timestamp; this is typically when the server had been disabled. |
Integration
{
"integrationId": 1,
"name": "My Test Integration",
"ref": "348394209898",
"type": "aws",
"enabled": true,
"tags": [
"production"
],
"error": "Invalid credentials for logging in to integration",
"errorTime": "2024-12-20T16:02:26.680Z",
"nextRunTime": "2024-12-20T16:02:26.680Z",
"lastRunTime": "2024-12-20T16:02:26.680Z",
"lastRunErrors": [
"Unable to obtain list of registered domain names."
],
"config": {
"accountId": "string"
}
}
Represents a third-party integration.
Properties
Name | Type | Description |
---|---|---|
integrationId* | integer(int64) | Unique integration identifier. |
name* | string | Integration name. |
ref | string | Integration reference; this field should contain the other party's unique account identifier, enabling you to know exactly which account we're connecting to. |
type* | string | Integration type |
enabled* | boolean | Indicates if the integration is enabled. |
tags* | [string] | none |
error | string | If a fatal error occurs when we attempt to connect to the other party, the integration will be disabled; this field contains the error message. |
errorTime | string(date-time) | The time when the error occured. |
nextRunTime | string(date-time) | When an integration is enabled, this field indicates the next time it is scheduled to run. |
lastRunTime | string(date-time) | If present, the last time the integration was attempted. |
lastRunErrors | [string] | If any non-fatal errors are encountered, this field will contain the corresponding error messages. For example, if permissions are incorrectly configured, we may be able to connect to the third-party account but not perform all desired operations. |
config* | any | Integration-specific configuration parameters, matching the selected integration as specified in the type parameter. |
oneOf
Name | Type | Description |
---|---|---|
» anonymous | AwsIntegrationConfig | AWS integration parameters. |
xor
Name | Type | Description |
---|---|---|
» anonymous | AzureIntegrationConfig | Azure integration parameters. Although we require the Azure secret token initially, to create an integration, we do not provide it via this API afterwards. |
xor
Name | Type | Description |
---|---|---|
» anonymous | CloudflareIntegrationConfig | Cloudflare integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards. |
xor
Name | Type | Description |
---|---|---|
» anonymous | CscIntegrationConfig | CSC integration parameters. Although we require the API key and bearer token initially, to create an integration, we do not provide them via this API afterwards. |
xor
Name | Type | Description |
---|---|---|
» anonymous | DigiCertIntegrationConfig | DigiCert CertCentral integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards. |
xor
Name | Type | Description |
---|---|---|
» anonymous | GcpIntegrationConfig | GCP integration parameters. |
xor
Name | Type | Description |
---|---|---|
» anonymous | MarkMonitorIntegrationConfig | MarkMonitor integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards |
xor
Name | Type | Description |
---|---|---|
» anonymous | Ns1IntegrationConfig | NS1 integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards. |
xor
Name | Type | Description |
---|---|---|
» anonymous | SafenamesIntegrationConfig | Safenames integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards |
Enumerated Values
Property | Value |
---|---|
type | aws |
type | azure |
type | cloudflare |
type | csc |
type | digicert |
type | gcp |
type | markmonitor |
type | ns1 |
type | safenames |
Issue
{
"issueId": 10001,
"revision": 1,
"definitionId": "DNS1001",
"subject": "OPAQUE",
"subjectDomain": "example.com",
"title": "Dangling Resource Record",
"category": "DNS",
"severity": "high",
"cause": "OPAQUE",
"causeDomain": "nxdomain.example.com",
"causeIp": "192.168.1.1",
"open": true,
"status": "active",
"auto": true,
"autoOpen": true,
"autoPreservedStatus": "string",
"createdOn": "2022-06-17T00:00:00Z",
"lastClosed": "2022-06-17T00:00:00Z",
"lastUpdated": "2022-06-17T00:00:00Z",
"lastChecked": "2022-06-17T00:00:00Z",
"lastConfirmed": "2022-06-17T00:00:00Z",
"snoozedUntil": "2022-06-17T00:00:00Z",
"details": {
"@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
"rrDomain": "example.com",
"rrEffectiveDomain": "_xmpp-server._tcp.example.com",
"rrType": "SRV",
"danglingType": "nxdomain",
"causeDomain": "nxdomain.example.com"
},
"groups": [
"Product"
]
}
Properties
Name | Type | Description |
---|---|---|
issueId* | integer | Unique issue identifier. |
revision* | integer | Issue revision. Starts at 1 and increments every time the issue is updated. |
definitionId | string | Unique identifier of the definition from which this issue was created. Automatically created issues will always have this field set. |
subject | string | Opaque value that identifies the subject of the issue. The subject describes the infrastructure element affected by the issue, for example a domain name. Provided for grouping and sorting purposes. |
subjectDomain | string | If applicable, the domain name associated with the subject. Provided for grouping and sorting purposes. |
title* | string | Descriptive issue title. Copied from the definition, if the issue has one. |
category* | string | Issue category. Copied from the definition, if the issue has one, otherwise assigned at creation. |
severity* | string | Issue severity. |
cause | string | Opaque value that identifies the root cause of the issue. Provided for grouping and sorting purposes. |
causeDomain | string | If applicable, the domain name associated with the cause. Provided for grouping and sorting purposes. |
causeIp | string | If applicable, the IP address associated with the cause. Provided for grouping and sorting purposes. |
open* | boolean | Indicates if this issue is open or closed. |
status* | string | Describes the current issue status. Issues that are automatically created will use the active and completed statuses. An issue may become orphaned of the subject disappears or monitoring ceases. |
auto* | boolean | If true, this issue was automatically created from a network observation, and will be automatically resolved once the problem has been addressed. |
autoOpen | boolean | This field is used only with auto issue and tracks the status of the detected problem. Unlike issues themselves, which can be manually closed, this field always reflects what is observed at network level. |
autoPreservedStatus | string | This field is used to preserve the status of an issue that is auto-closed. If we need to reopen the issue later, we will restore the correct status. |
createdOn* | string(date-time) | Indicates when this issue was created. |
lastClosed | string(date-time) | Indicates when this issue was last closed. An issue may have more than one timestamp in this field if it's closed then reopened. |
lastUpdated* | string(date-time) | Indicates when this issue was last updated. This field will also be set immediately after an issue is created and the timestamp will be the same as in createdOn . |
lastChecked | string(date-time) | Indicates when this issue was last checked. Always set for automatic issues. |
lastConfirmed | string(date-time) | Indicates when this issue was last confirmed. Always set for automatic issues. |
snoozedUntil | string(date-time) | If an issue is snoozed, this field contains an optional timestamp after which the issue will automatically be restored back to active status. |
details | object | Contains issue-specific information. Issues are designed to track a variety of problems as well as notifications and other event types. For this reason, the main fields are generic in nature, but that's where this field comes in, to carry additiona data custom-tailored for the problem at hand. To interpret this object, examine the @type property and process it accordingly. |
groups | [string] | List of all groups this issue belongs to. |
Enumerated Values
Property | Value |
---|---|
severity | info |
severity | low |
severity | medium |
severity | high |
severity | critical |
severity | urgent |
status | abandoned |
status | active |
status | bogus |
status | completed |
status | deprecated |
status | ignored |
status | orphaned |
status | snoozed |
ListAuditEventsResponse
{
"events": [
{
"id": 10001,
"actorType": "u",
"actorId": "userId:12090749",
"actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
"timestamp": "2018-09-03T14:09:59.000Z",
"remoteAddr": "18.233.176.231",
"sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
"resourceType": "user",
"resourceId": "12090749",
"action": "user.auth.succeeded",
"status": 200,
"details": {
"method": "password"
}
}
]
}
Properties
Name | Type | Description |
---|---|---|
events | [AuditEvent] | [Contains information about one audit log event. ] |
ListCertDiscoveriesResponse
{
"certDiscoveries": [
{
"certDiscoveryId": 11766,
"certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"createdOn": "2022-06-17T00:00:00Z",
"updatedOn": "2022-06-17T00:00:00Z",
"closedOn": "2022-06-17T00:00:00Z",
"escalated": false,
"status": "open",
"resolution": "undetermined",
"certSummary": {
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.681Z",
"notAfter": "2024-12-20T16:02:26.681Z",
"effectiveNotAfter": "2024-12-20T16:02:26.681Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.682Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
},
"matchedHosts": [
[
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
]
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
certDiscoveries* | [CertDiscoverySummary] | [Contains complete information about a certificate discovered in one of the monitored CT logs. ] |
GetCertDiscoveryResponse
{
"certDiscovery": {
"certDiscoveryId": 11766,
"certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"createdOn": "2022-06-17T00:00:00Z",
"updatedOn": "2022-06-17T00:00:00Z",
"closedOn": "2022-06-17T00:00:00Z",
"escalated": false,
"status": "open",
"resolution": "undetermined",
"certSummary": {
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.682Z",
"notAfter": "2024-12-20T16:02:26.682Z",
"effectiveNotAfter": "2024-12-20T16:02:26.682Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.682Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
},
"certKnown": false,
"certInstalled": true,
"certExpired": false,
"certRevoked": false,
"issuerAllowed": true,
"issuerAllowedKeyword": "GlobalSign",
"issuerNotAllowed": false,
"issuerForbidden": false,
"issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"caaMismatch": false,
"caaMatchFull": false,
"notCtCompliant": false,
"maxLifetimeExceeded": false,
"timeoutCaseInactive": false,
"timeoutCertNotInstalled": false,
"matchedHosts": [
[
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
]
],
"matchedHostsInfo": {
"property1": {
"wildcard": false,
"caa": {
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
},
"property2": {
"wildcard": false,
"caa": {
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
}
},
"matchedHostsCaaHistory": {
"property1": [
{
"policyHostname": "string",
"status": "present",
"statusMessage": "string",
"firstSeen": "2024-12-20T16:02:26.683Z",
"lastSeen": "2024-12-20T16:02:26.683Z",
"records": [
"string"
]
}
],
"property2": [
{
"policyHostname": "string",
"status": "present",
"statusMessage": "string",
"firstSeen": "2024-12-20T16:02:26.683Z",
"lastSeen": "2024-12-20T16:02:26.683Z",
"records": [
"string"
]
}
]
},
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
]
}
}
Properties
Name | Type | Description |
---|---|---|
certDiscovery* | CertDiscovery | Contains complete information about a certificate discovered in one of the monitored CT logs. |
ListCertsResponse
{
"certs": [
{
"shortId": "572908a",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"validation": "dv",
"notBefore": "2024-12-20T16:02:26.683Z",
"notAfter": "2024-12-20T16:02:26.683Z",
"effectiveNotAfter": "2024-12-20T16:02:26.683Z",
"revokedOn": "2024-12-20T16:02:26.683Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"sanCount": 1,
"caPathLen": -1,
"wildcard": true,
"selfSigned": false,
"firstSeen": "2024-12-20T16:02:26.684Z",
"lastSeen": "2024-12-20T16:02:26.684Z",
"seenInstalled": true,
"active": true,
"precert": false,
"duplicate": false,
"managed": true,
"ownership": "own",
"label": "ssl760680.cloudflaressl.com",
"matchesOrgHost": true,
"symantecStatus": "symantecExcluded",
"ctRequired": true,
"ctCompliant": true,
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"origin": "ct",
"originTitle": "CT",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"parentHashes": [
"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
],
"parentHashesSource": "ct",
"parentHashesComplete": true,
"analysis": {
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
},
"matchedHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"thirdPartyHosts": [
"hardenize.com"
],
"deployments": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.684Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.684Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
},
"lifetime": "PT17652H",
"lifetimeDays": 736,
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"caIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
],
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"ctInfos": [
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.684Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
certs* | [Certificate] | [Contains information about one certificate. ] |
ListCertSummariesResponse
{
"certs": [
{
"shortId": "572908a",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"validation": "dv",
"notBefore": "2024-12-20T16:02:26.685Z",
"notAfter": "2024-12-20T16:02:26.685Z",
"effectiveNotAfter": "2024-12-20T16:02:26.685Z",
"revokedOn": "2024-12-20T16:02:26.685Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"sanCount": 1,
"caPathLen": -1,
"wildcard": true,
"selfSigned": false,
"firstSeen": "2024-12-20T16:02:26.685Z",
"lastSeen": "2024-12-20T16:02:26.685Z",
"seenInstalled": true,
"active": true,
"precert": false,
"duplicate": false,
"managed": true,
"ownership": "own",
"label": "ssl760680.cloudflaressl.com",
"matchesOrgHost": true,
"symantecStatus": "symantecExcluded",
"ctRequired": true,
"ctCompliant": true,
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"origin": "ct",
"originTitle": "CT",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"parentHashes": [
"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
],
"parentHashesSource": "ct",
"parentHashesComplete": true,
"analysis": {
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
},
"matchedHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"thirdPartyHosts": [
"hardenize.com"
],
"deployments": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.685Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.685Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
},
"lifetime": "PT17652H",
"lifetimeDays": 736,
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"caIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
],
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"ctInfos": [
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.685Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
certs* | [Certificate] | [Contains information about one certificate. ] |
ListEventDestinationsResponse
{
"eventDestinations": [
{
"destinationId": "pubsub://events/1/1005",
"type": "pubsub",
"project": "hz-events-pubsub",
"topic": "projects/hz-events-pubsub/topics/ep-1-1005",
"subscription": "ep-1-1005",
"subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
}
]
}
Properties
Name | Type | Description |
---|---|---|
eventDestinations* | [EventDestination] | [Contains information about one destination that can be used to receive events. ] |
ListEventHooksResponse
{
"eventHooks": [
{
"id": "bfc384726b6447a4b70a171de49e466f",
"hookType": "webhook",
"eventTypes": [
"ct.entry"
],
"status": "enabled",
"destination": "https://hardenize.com/webhooks/receive",
"secret": "3685c06a966e4d0ea625d0b475719661"
}
]
}
Properties
Name | Type | Description |
---|---|---|
eventHooks* | [EventHook] | [Event hook objects contain information pertaining to a destination to which events are delivered (pushed). ] |
ListEventsResponse
{
"events": [
{
"id": 10001,
"type": "ct",
"createdOn": "2024-12-20T16:02:26.686Z",
"apiVersion": "0.14.0",
"data": {
"field": "value"
}
}
]
}
Properties
Name | Type | Description |
---|---|---|
events* | [Event] | [Event objects are created in response to various things of interest that happen in your account. They are designed to be a generic storage and retrieval system that can carry arbitrary embedded objects, which are encoded in JSON format. The type fields is used as indicator as to which embedded object is stored in the data field. We also record the version of the API at the time the data object was created. Should there be differences in the format, you can use the apiVersion field to determine exactly how the data should be handled. ] |
ListEventTypesResponse
{
"eventTypes": [
{
"name": "ct",
"available": true,
"enabled": true
}
]
}
Properties
Name | Type | Description |
---|---|---|
eventTypes* | [EventType] | [Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them. ] |
GetHostResponse
{
"host": [
{
"hostname": "🔥.hardenize.com",
"punyHostname": "xn--4v8h.hardenize.com",
"createdOn": "2024-12-20T16:02:26.686Z",
"status": "archived",
"axfr": "enabled",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"algorithm": "HMAC_MD5",
"name": "thename"
},
"lastAxfrTime": "2024-12-20T16:02:26.686Z",
"axfrError": "string",
"lastAxfrErrorTime": "2024-12-20T16:02:26.686Z",
"lastRegLookupTime": "2024-12-20T16:02:26.686Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"nx": true,
"nxTime": "2024-12-20T16:02:26.686Z",
"regRegistry": true,
"regPublic": true,
"regNx": false,
"regNxTime": "2024-12-20T16:02:26.686Z",
"lastAssessmentTime": "2024-12-20T16:02:26.686Z",
"assessmentError": "Host not found",
"lastAssessmentAttemptTime": "2024-12-20T16:02:26.686Z",
"groups": [
"mygroup"
],
"tags": [
"production"
],
"domainRegistrant": "string",
"domainRegistrarName": "string",
"domainStatuses": [
"string"
],
"domainCreationTime": "2024-12-20T16:02:26.686Z",
"domainExpireTime": "2024-12-20T16:02:26.686Z",
"domainRegistryLock": false,
"domainRegistrarLock": false,
"domainLookupStatus": "string",
"config": {},
"classificationStatus": "active",
"classificationTags": [
"signin"
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
host* | [Host] | [The Host object represents one of your hosts that resides in our database.] |
GetHostStatsResponse
{
"monitored": 0,
"archived": 0,
"idle": 0,
"total": 0,
"domains": 0,
"subdomains": 0
}
Properties
Name | Type | Description |
---|---|---|
monitored | integer | none |
archived | integer | none |
idle | integer | none |
total | integer | none |
domains | integer | none |
subdomains | integer | none |
ListHostsResponse
{
"hosts": [
{
"hostname": "🔥.hardenize.com",
"punyHostname": "xn--4v8h.hardenize.com",
"createdOn": "2024-12-20T16:02:26.686Z",
"status": "archived",
"axfr": "enabled",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"algorithm": "HMAC_MD5",
"name": "thename"
},
"lastAxfrTime": "2024-12-20T16:02:26.686Z",
"axfrError": "string",
"lastAxfrErrorTime": "2024-12-20T16:02:26.686Z",
"lastRegLookupTime": "2024-12-20T16:02:26.686Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"nx": true,
"nxTime": "2024-12-20T16:02:26.687Z",
"regRegistry": true,
"regPublic": true,
"regNx": false,
"regNxTime": "2024-12-20T16:02:26.687Z",
"lastAssessmentTime": "2024-12-20T16:02:26.687Z",
"assessmentError": "Host not found",
"lastAssessmentAttemptTime": "2024-12-20T16:02:26.687Z",
"groups": [
"mygroup"
],
"tags": [
"production"
],
"domainRegistrant": "string",
"domainRegistrarName": "string",
"domainStatuses": [
"string"
],
"domainCreationTime": "2024-12-20T16:02:26.687Z",
"domainExpireTime": "2024-12-20T16:02:26.687Z",
"domainRegistryLock": false,
"domainRegistrarLock": false,
"domainLookupStatus": "string",
"config": {},
"classificationStatus": "active",
"classificationTags": [
"signin"
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
hosts* | [Host] | [The Host object represents one of your hosts that resides in our database.] |
GetHostServicesResponse
{
"hostServices": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.687Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.687Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
],
"certificates": [
{
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.687Z",
"notAfter": "2024-12-20T16:02:26.687Z",
"effectiveNotAfter": "2024-12-20T16:02:26.687Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.687Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
}
],
"extras": {
"hostname": "🔥.hardenize.com",
"punyHostname": "xn--4v8h.hardenize.com",
"createdOn": "2024-12-20T16:02:26.687Z",
"status": "archived",
"axfr": "enabled",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"algorithm": "HMAC_MD5",
"name": "thename"
},
"lastAxfrTime": "2024-12-20T16:02:26.687Z",
"axfrError": "string",
"lastAxfrErrorTime": "2024-12-20T16:02:26.687Z",
"lastRegLookupTime": "2024-12-20T16:02:26.687Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"nx": true,
"nxTime": "2024-12-20T16:02:26.687Z",
"regRegistry": true,
"regPublic": true,
"regNx": false,
"regNxTime": "2024-12-20T16:02:26.687Z",
"lastAssessmentTime": "2024-12-20T16:02:26.687Z",
"assessmentError": "Host not found",
"lastAssessmentAttemptTime": "2024-12-20T16:02:26.687Z",
"groups": [
"mygroup"
],
"tags": [
"production"
],
"domainRegistrant": "string",
"domainRegistrarName": "string",
"domainStatuses": [
"string"
],
"domainCreationTime": "2024-12-20T16:02:26.687Z",
"domainExpireTime": "2024-12-20T16:02:26.687Z",
"domainRegistryLock": false,
"domainRegistrarLock": false,
"domainLookupStatus": "string",
"config": {},
"classificationStatus": "active",
"classificationTags": [
"signin"
]
}
}
}
Properties
Name | Type | Description |
---|---|---|
hostServices* | HostService | none |
ListHostDiscoveriesResponse
{
"hostDiscoveries": [
{
"discoveryId": 11113,
"autoResolved": false,
"hostname": "www.🔥.hardenize.com",
"discoveredTime": "2024-12-20T16:02:26.688Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"matchInfo": {
"certdno": {
"o": "Cloudflare, Inc."
},
"integration": {
"name": "AWS Production",
"type": "aws",
"ref": "string"
},
"keyword": {
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
},
"mx": {
"mx": "mail.example.com"
},
"nameserver": {
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
},
"rname": {
"email": "postmaster@example.com"
},
"whois": {
"keywords": [
"example.com"
]
}
},
"matchCertDNO": false,
"matchIntegration": true,
"matchKeyword": false,
"matchMx": false,
"matchNameserver": false,
"matchSubdomain": false,
"matchRname": false,
"matchWhois": false,
"resolution": "pending",
"updatedTime": "2024-12-20T16:02:26.688Z"
}
]
}
Properties
Name | Type | Description |
---|---|---|
hostDiscoveries* | [HostDiscovery] | [This object represents our discovery of a host which might be relevant to your organization.] |
ListHostDiscoveryKeywordsResponse
{
"hostDiscoveryKeywords": [
{
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
],
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
]
}
Properties
Name | Type | Description |
---|---|---|
hostDiscoveryKeywords* | [HostDiscoveryKeyword] | [A keyword used for host discovery.] |
ListHostDiscoveryNameserversResponse
{
"hostDiscoveryNameservers": [
{
"hostname": "ns1.hardenize.com",
"punyHostname": "ns1.hardenize.com",
"createdOn": "2020-06-10T15:36:49.044Z",
"enabled": false,
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
]
}
Properties
Name | Type | Description |
---|---|---|
hostDiscoveryNameservers* | [HostDiscoveryNameserver] | [A keyword used for host discovery.] |
ListIdentitiesResponse
{
"identities": [
{
"identityId": 11113,
"type": "dns_soa_rname",
"enabled": true,
"identity": "postmaster@example.com",
"createdOn": "2024-12-20T16:02:26.689Z",
"lastSeen": "2024-12-20T16:02:26.689Z",
"lastCheck": "2024-12-20T16:02:26.689Z",
"error": "Not a unique identity.",
"errorTime": "2024-12-20T16:02:26.689Z"
}
]
}
Properties
Name | Type | Description |
---|---|---|
identities* | [Identity] | [This object represents an identity.] |
ListIntegrationsResponse
{
"integrations": [
{
"integrationId": 1,
"name": "My Test Integration",
"ref": "348394209898",
"type": "aws",
"enabled": true,
"tags": [
"production"
],
"error": "Invalid credentials for logging in to integration",
"errorTime": "2024-12-20T16:02:26.689Z",
"nextRunTime": "2024-12-20T16:02:26.689Z",
"lastRunTime": "2024-12-20T16:02:26.689Z",
"lastRunErrors": [
"Unable to obtain list of registered domain names."
],
"config": {
"accountId": "string"
}
}
]
}
Properties
Name | Type | Description |
---|---|---|
integrations* | [Integration] | [Represents a third-party integration. ] |
ListIssuesResponse
{
"issues": [
{
"issueId": 10001,
"revision": 1,
"definitionId": "DNS1001",
"subject": "OPAQUE",
"subjectDomain": "example.com",
"title": "Dangling Resource Record",
"category": "DNS",
"severity": "high",
"cause": "OPAQUE",
"causeDomain": "nxdomain.example.com",
"causeIp": "192.168.1.1",
"open": true,
"status": "active",
"auto": true,
"autoOpen": true,
"autoPreservedStatus": "string",
"createdOn": "2022-06-17T00:00:00Z",
"lastClosed": "2022-06-17T00:00:00Z",
"lastUpdated": "2022-06-17T00:00:00Z",
"lastChecked": "2022-06-17T00:00:00Z",
"lastConfirmed": "2022-06-17T00:00:00Z",
"snoozedUntil": "2022-06-17T00:00:00Z",
"details": {
"@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
"rrDomain": "example.com",
"rrEffectiveDomain": "_xmpp-server._tcp.example.com",
"rrType": "SRV",
"danglingType": "nxdomain",
"causeDomain": "nxdomain.example.com"
},
"groups": [
"Product"
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
issues | [Issue] | none |
ListOrgsResponse
{
"orgs": [
{
"id": "hardenize",
"name": "Hardenize",
"status": "active",
"commercialStatus": "internal",
"apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
"apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
"hostDiscoveryAutoimportSubdomains": true,
"hostDiscoveryEnabled": true,
"hostDiscoveryError": "string",
"hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostLimitHard": 10000,
"hostDiscoveryLimitHard": 10000,
"certLimitHard": 75000,
"featureHostDiscovery": false,
"featureMfa": false,
"featureSaml": false
}
]
}
Properties
Name | Type | Description |
---|---|---|
orgs* | [Organization] | none |
ZoneTransferResponse
"string"
Zone data in plain text format.
Properties
Name | Type | Description |
---|---|---|
anonymous | string | Zone data in plain text format. |
ListMonitorLocationsResponse
{
"locations": [
"atlanta",
"frankfurt",
"london",
"miami",
"sanjose",
"saopaulo",
"singapore",
"sydney",
"tokyo"
]
}
Properties
Name | Type | Description |
---|---|---|
locations* | [string] | none |
ListNetworkRangesResponse
{
"networkRanges": [
{
"label": "DC01 Public",
"description": "Public IP range for London data center",
"range": "192.168.1.0/24",
"scan": true,
"tags": [
"production"
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
networkRanges* | [NetworkRange] | none |
ListReports0Response
{
"reports": [
{
"hostname": "example.com",
"status": "completed",
"reportTime": "2018-10-10T15:36:49.044Z",
"hasDnssec": true,
"hasSmtp": true,
"hasSmtpTls": true,
"hasSmtpDane": true,
"hasSpf": true,
"hasDmarc": true,
"hasHttp": true,
"hasHttps": true,
"hasHttpsDane": true,
"hasHttpsRedirection": true,
"hasHttpsTls12OrBetter": true,
"hasSsl2": true,
"hasSsl3": true,
"hasTls10": true,
"hasTls11": true,
"hasTls12": true,
"hasTls13": true,
"supportsSsl2": true,
"supportsSsl3": true,
"supportsTls10": true,
"supportsTls11": true,
"supportsTls12": true,
"supportsTls13": true,
"hasHsts": true,
"hasHstsPreloaded": true,
"nameServers": "string",
"dnssec": "string",
"emailTls": "string",
"emailDane": "string",
"spf": "string",
"dmarc": "string",
"wwwTls": "string",
"wwwDane": "string",
"wwwXssProtection": "string",
"wwwXssProtectionEnabled": true,
"wwwXcto": true,
"hsts": "string",
"hpkp": "string",
"cookies": "string",
"mixedContent": "string",
"securityHeaders": "string",
"csp": "string"
}
]
}
Properties
Name | Type | Description |
---|---|---|
reports* | [Report0] | [Contains a summary of one Hardenize assessment. The available fields fall into one of two categories. In the first category are boolean fields that indicate if a particular feature is present, for example, hasTls and hasHsts . In the second category are the fields that describe the quality of the configuration. These fields will take self-descriptive values such as error , warning , and good . The complete explanation of the possible values is available in the Report0Quality component. It is possible that a field is not present, which happens when the neither true nor false make sense. For example, if a host doesn't support TLS, the hasHsts field will not be in the report. ] |
GetReportCardResponse
{
"reportCard": {
"reportVersion": 1,
"domainPunycode": "example.com",
"domainUnicode": "example.com",
"available": true,
"hardenizeVersion": "v1.1603.1",
"timestamp": "2024-12-20T16:02:26.691Z",
"sections": [
{
"id": "SECTION_DOMAIN",
"name": "Domain",
"items": [
{
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
}
]
}
]
}
}
Properties
Name | Type | Description |
---|---|---|
reportCard* | ReportCard | Contains a summary of report card. |
ListReportCardsResponse
{
"reportCards": [
{
"reportVersion": 1,
"domainPunycode": "example.com",
"domainUnicode": "example.com",
"available": true,
"hardenizeVersion": "v1.1603.1",
"timestamp": "2024-12-20T16:02:26.691Z",
"sections": [
{
"id": "SECTION_DOMAIN",
"name": "Domain",
"items": [
{
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
}
]
}
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
reportCards* | [ReportCard] | [Contains a summary of report card. ] |
ListGroupsResponse
{
"groups": [
{
"id": "production",
"name": "Production",
"auto": true,
"tags": [
"production"
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
groups* | [Group] | [The Group object represents one account group.] |
MatchedCtEntry
{
"log": "ct.googleapis.com/icarus",
"index": 251676662,
"timestamp": 1538747492396,
"sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"tbsSha256": "3b5893340f0b241c599b27a8e74a13177d5ba6e87f30f6fc5ddc2c3f069e6546",
"precert": false,
"subject": "CN=www.example.com",
"issuer": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
"hosts": [
"example.com"
],
"chain": [
"MIIGJTCCBQ2gAwIBAgISA9CTYlAcEi7o1Cyk3RM9D6/JMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA1MDIxMTA2NTdaFw0xODA3MzExMTA2NTdaMBwxGjAYBgNVBAMTEWJvbm4tMDYucWx1ZWQubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+muYgsZOUD2epeJwP6ToDmE6YeO9T+gsf9ACuLbrQqC5JZPy+AmREuo3dU3dkmBRoU9Brpmo/KMQavKueGVW3DpAIJKemGBC0yWNFgTho4+DAOvSM4odcB96HPFIh0vp13LH5og/wsNZwt+n56mrUTrcqnZYbUwugBghb0QCptwCnHnKOk2/YdRRraasgmiFWYeNjCqBUR5iKqmubgBoCqqkBYzWUhjWc7aySKYQFpSlZ2d3t0IilJp5sZq5pDiHa58G6fGZSh9TIAZvuvozW762cghBZgEF3wlvKy1joSAWLalPYQcsd0v2G9F7vJOu6Rf9HAbmdKqnu0i8TExjwIDAQABo4IDMTCCAy0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQlgfnFoFLAegwCUrKiuz+Nu61SCDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMDMGA1UdEQQsMCqCEWJvbm4tMDYucWx1ZWQubmV0ghV3d3cuYm9ubi0wNi5xbHVlZC5uZXQwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3ANt0r+7LKeyx/so+cW0s5bmquzb3hHGDx12dTze2H79kAAABYyC/mssAAAQDAEgwRgIhAMnyq3/kzpvp7LcXm3JqeCjh1dMB0fZTv9pIvpPCS4GPAiEA9f+JLP1KKuaXnwr3rin4Y8tBG8a10YGaKT3RnJOs7wIAdgApPFGWVMg5ZbqqUPxYB9S3b79Yeily3KTDDPTlRUf0eAAAAWMgv5reAAAEAwBHMEUCIA1jzhkoel+MFmVIdspCwyKVdzZZsBwx8WiJixPju9ELAiEA4Xw2ABUkt3IK67G+GrABu1Ik+R/7BVFjo3GvMIRBJ+AwDQYJKoZIhvcNAQELBQADggEBAHKPt1cq8LEy0wmtmBoThNL6AevJz2WM/KRKBYvEHiXcLN3Z9a1eQ6c8g4A84AARBDgXUfkc3W29AIW0A5wTLVazUE5H7bIoiQJXT2Z6KMXxFqwx5pRu8f1oXUx3xLhJoHkDEGrbD5uy7j9bI25pI9g5obAY88es8ZFJz25PEozA2R/NpXZEnHVbvyOHx4Pr6z3ctuH+WWpK96jWEMBP5pAx5qXBYI5g9bHGy2nYuuq0ZIuOPVK1k7SlctBrrBJx2q1ANUaEfIyPjd2qsjfoI5//6Jn+jHDM1XrdvZ+7S60SDqXktwHS98o5jRZnGWLu1S6nVcHWQzjPBhiSvAukuJw=",
"MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0NlowSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIGCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9kc3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAwVAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcCARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwuY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsFAAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwuX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlGPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg=="
],
"matchedHosts": [
"example.com"
]
}
Contains information extracted from a CT log entry that had been matched against an account and imported.
Properties
Name | Type | Description |
---|---|---|
log* | string | CT log URL, with the scheme omitted. |
index* | integer(int64) | Milliseconds since January 1, 1970, excluding leap seconds, per CT RFC. |
timestamp* | integer(int64) | This certificate's index in the referenced CT log. |
sha256* | string | SHA256 hash of the leaf certificate/precertificate. |
tbsSha256* | string | Hex-encoded SHA256 hash of the TBSCertificate structure. This value will be the same in the precertificate/certificate combo. |
precert* | boolean | Indicator of whether the leaf is a precertificate. |
subject* | string | Certificate subject Distinguished Name in text format. |
issuer* | string | Certificate issuer Distinguished Name in text format. |
hosts* | [string] | Hostnames and IP addresses extracted from the leaf certificate. |
chain* | [string] | Certificate chain stored in the matched CT log entry. |
matchedHosts* | [string] | List of account hosts that were matched against the CT log entry. |
MatchInfo
{
"certdno": {
"o": "Cloudflare, Inc."
},
"integration": {
"name": "AWS Production",
"type": "aws",
"ref": "string"
},
"keyword": {
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
},
"mx": {
"mx": "mail.example.com"
},
"nameserver": {
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
},
"rname": {
"email": "postmaster@example.com"
},
"whois": {
"keywords": [
"example.com"
]
}
}
Information describing how the discovery came about.
Properties
Name | Type | Description |
---|---|---|
certdno | MatchInfoCertDNO | none |
integration | MatchInfoIntegration | none |
keyword | MatchInfoKeyword | none |
mx | MatchInfoMx | none |
nameserver | MatchInfoNameserver | none |
rname | MatchInfoRname | none |
whois | MatchInfoWhois | none |
MatchInfoCertDNO
{
"o": "Cloudflare, Inc."
}
Properties
Name | Type | Description |
---|---|---|
o | string | Certificate DN, O field to use when searching for matching certs |
MatchInfoIntegration
{
"name": "AWS Production",
"type": "aws",
"ref": "string"
}
Properties
Name | Type | Description |
---|---|---|
name | string | Integration name, copied from the configuration. |
type | string | Integration type. |
ref | string | Integration reference (e.g., account ID), copied from the configuration. |
MatchInfoKeyword
{
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
}
Properties
Name | Type | Description |
---|---|---|
matches | [MatchInfoKeywordMatch] | none |
MatchInfoKeywordMatch
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
Properties
Name | Type | Description |
---|---|---|
encoding | string | Whether match was made against an ASCII version of the name or the Unicode version. |
keyword | string | The keyword that matched. |
matchPosition | string | Where in the name the keyword matched. |
matchScope | string | Keyword scope. |
search | string | Indication of which algorithm caused the match. |
Enumerated Values
Property | Value |
---|---|
encoding | ascii |
encoding | unicode |
matchPosition | anywhere |
matchPosition | label |
matchPosition | labelStart |
matchPosition | labelEnd |
matchPosition | labelStartOrEnd |
matchScope | all |
matchScope | domains |
search | bitSquatting |
search | confusables |
search | hyphenation |
search | insertion |
search | omission |
search | repetition |
search | replacement |
search | substring |
search | transposition |
search | vowelSwap |
MatchInfoMx
{
"mx": "mail.example.com"
}
Properties
Name | Type | Description |
---|---|---|
mx | string | MX hostname to use when searching for matching MX records |
MatchInfoNameserver
{
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
}
Properties
Name | Type | Description |
---|---|---|
matches | [MatchInfoNameserverMatch] | none |
MatchInfoNameserverMatch
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
Properties
Name | Type | Description |
---|---|---|
name | string | Nameserver name. |
firstSeen | string(date-time) | Timestamp of the first observation of this name. |
MatchInfoRname
{
"email": "postmaster@example.com"
}
Properties
Name | Type | Description |
---|---|---|
string | Email to use when searching for matching DNS SOA records |
MatchInfoWhois
{
"keywords": [
"example.com"
]
}
Properties
Name | Type | Description |
---|---|---|
keywords | [string] | List of keywords used when search the whois |
OriginInfo
{
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
}
Further information about the origin. For example, if the origin
is cert
, then this field will identify the actual certificate.
Properties
Name | Type | Description |
---|---|---|
net | OriginInfoNet | none |
OriginInfoNet
{
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
Properties
Name | Type | Description |
---|---|---|
host | string | Network hostname, when available. |
address* | string | Network IPv4 or IPv6 address. |
port* | integer | Network port. |
protocol* | string | Network protocol. |
Organization
{
"id": "hardenize",
"name": "Hardenize",
"status": "active",
"commercialStatus": "internal",
"apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
"apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
"hostDiscoveryAutoimportSubdomains": true,
"hostDiscoveryEnabled": true,
"hostDiscoveryError": "string",
"hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostLimitHard": 10000,
"hostDiscoveryLimitHard": 10000,
"certLimitHard": 75000,
"featureHostDiscovery": false,
"featureMfa": false,
"featureSaml": false
}
Properties
Name | Type | Description |
---|---|---|
id* | string | Unique ID of an organization. The value stored in this field is always relative to that of the parent organization. For example, if the parent's ID is hardenize and you created a new nested organization called prod , you will observe this shorter identifier in the API responses. If you wish to access the nested organization via the API, you will need to specify its full identifier, which would be hardenize.prod . |
name* | string | Human-readable organization name. |
status* | string | By default, an organization will be active immediately after it is created. If the status is changed to dormant, all operations and features in the account will be disabled, however the users will still be able to access the organization and the data in the account. If the status is changed to suspended, the organization will effectively become deleted from an external perspective. The deleted status is made available to enable delayed deletion of accounts. An organization with this status is expected to be deleted in the near future; for example, there could be a weekly process that obtains a list of all organizations scheduled for deletion and actually deletes them. |
commercialStatus* | string | The commercialStatus field is used to track how a suborganization is used, for accounting and billing purposes. When creating a suborganization, select the value that's the most appropriate. Update the value as the status changes (e.g., from trial to paying ). |
apiUsername | string | The username that can be used to access this organization's API. |
apiPassword | string | The password that can be used to access this organization's API. Because we don't store plaintext in our database, this field is available only immediately after the organization is created. |
hostDiscoveryAutoimportSubdomains* | boolean | Determines if newly discovered subdomains (of known organization hosts) will be automatically added to the inventory. |
hostDiscoveryEnabled* | boolean | Indicates if host discovery is enabled. |
hostDiscoveryError | string | When host discovery is disabled because of an error (e.g., too many hosts discovered), this field contains the error message. |
hostDiscoveryErrorTime | string(date-time) | Indicates the time of error. |
hostDiscoveryExcludeSuffixes | [string] | If provided, this field is a list of domain suffixes that should be ignored during discovery. |
hostLimitHard* | integer | Determines if there is a limit on the number of monitored hosts in the account. Set to -1 when there is no limit. |
hostDiscoveryLimitHard* | integer | Hard limit on the number of host discoveries in the organization. Default: -1 (unlimited). |
certLimitHard* | integer | Hard limit on the number of certificates in the organization. |
featureHostDiscovery* | boolean | If set, host discovery is enabled for this organization. |
featureMfa* | boolean | If set, multi-factor authentication is enabled for this organization. |
featureSaml* | boolean | If set, SAML is enabled for this organization. |
Enumerated Values
Property | Value |
---|---|
status | active |
status | dormant |
status | suspended |
status | deleted |
commercialStatus | free |
commercialStatus | internal |
commercialStatus | paying |
commercialStatus | trial |
NetworkRange
{
"label": "DC01 Public",
"description": "Public IP range for London data center",
"range": "192.168.1.0/24",
"scan": true,
"tags": [
"production"
]
}
Properties
Name | Type | Description |
---|---|---|
label* | string | A short label to identify the network range. |
description | string | A longer description of the purposes of the network range. |
range* | string | The network range in CIDR format. |
scan | boolean | Whether or not this network should be scanned. |
tags | [string] | none |
Report0
{
"hostname": "example.com",
"status": "completed",
"reportTime": "2018-10-10T15:36:49.044Z",
"hasDnssec": true,
"hasSmtp": true,
"hasSmtpTls": true,
"hasSmtpDane": true,
"hasSpf": true,
"hasDmarc": true,
"hasHttp": true,
"hasHttps": true,
"hasHttpsDane": true,
"hasHttpsRedirection": true,
"hasHttpsTls12OrBetter": true,
"hasSsl2": true,
"hasSsl3": true,
"hasTls10": true,
"hasTls11": true,
"hasTls12": true,
"hasTls13": true,
"supportsSsl2": true,
"supportsSsl3": true,
"supportsTls10": true,
"supportsTls11": true,
"supportsTls12": true,
"supportsTls13": true,
"hasHsts": true,
"hasHstsPreloaded": true,
"nameServers": "string",
"dnssec": "string",
"emailTls": "string",
"emailDane": "string",
"spf": "string",
"dmarc": "string",
"wwwTls": "string",
"wwwDane": "string",
"wwwXssProtection": "string",
"wwwXssProtectionEnabled": true,
"wwwXcto": true,
"hsts": "string",
"hpkp": "string",
"cookies": "string",
"mixedContent": "string",
"securityHeaders": "string",
"csp": "string"
}
Contains a summary of one Hardenize assessment. The available fields fall into one
of two categories. In the first category are boolean fields that indicate if a particular
feature is present, for example, hasTls
and hasHsts
. In the second category are the
fields that describe the quality of the configuration. These fields will take self-descriptive
values such as error
, warning
, and good
. The complete explanation of the possible
values is available in the Report0Quality component.
It is possible that a field is not present, which happens when the neither
true nor false make sense. For example, if a host doesn't support TLS, the hasHsts
field will
not be in the report.
Properties
Name | Type | Description |
---|---|---|
hostname* | string | none |
status* | string | none |
reportTime | string(date-time) | none |
hasDnssec | boolean | none |
hasSmtp | boolean | none |
hasSmtpTls | boolean | none |
hasSmtpDane | boolean | none |
hasSpf | boolean | none |
hasDmarc | boolean | none |
hasHttp | boolean | none |
hasHttps | boolean | none |
hasHttpsDane | boolean | none |
hasHttpsRedirection | boolean | none |
hasHttpsTls12OrBetter | boolean | none |
hasSsl2 | boolean | none |
hasSsl3 | boolean | none |
hasTls10 | boolean | none |
hasTls11 | boolean | none |
hasTls12 | boolean | none |
hasTls13 | boolean | none |
supportsSsl2 | boolean | none |
supportsSsl3 | boolean | none |
supportsTls10 | boolean | none |
supportsTls11 | boolean | none |
supportsTls12 | boolean | none |
supportsTls13 | boolean | none |
hasHsts | boolean | none |
hasHstsPreloaded | boolean | none |
nameServers | string(v0quality) | none |
dnssec | string(v0quality) | none |
emailTls | string(v0quality) | none |
emailDane | string(v0quality) | none |
spf | string(v0quality) | none |
dmarc | string(v0quality) | none |
wwwTls | string(v0quality) | none |
wwwDane | string(v0quality) | none |
wwwXssProtection | string(v0quality) | none |
wwwXssProtectionEnabled | boolean | none |
wwwXcto | boolean | none |
hsts | string(v0quality) | none |
hpkp | string(v0quality) | none |
cookies | string(v0quality) | none |
mixedContent | string(v0quality) | none |
securityHeaders | string(v0quality) | none |
csp | string(v0quality) | none |
Enumerated Values
Property | Value |
---|---|
status | completed |
status | failed |
status | notAvailable |
ReportCard
{
"reportVersion": 1,
"domainPunycode": "example.com",
"domainUnicode": "example.com",
"available": true,
"hardenizeVersion": "v1.1603.1",
"timestamp": "2024-12-20T16:02:26.693Z",
"sections": [
{
"id": "SECTION_DOMAIN",
"name": "Domain",
"items": [
{
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
}
]
}
]
}
Contains a summary of report card.
Properties
Name | Type | Description |
---|---|---|
reportVersion | integer | none |
domainPunycode | string | none |
domainUnicode | string | none |
available | boolean | none |
hardenizeVersion | string | Hardenize application version that produced the report card data |
timestamp | string(date-time) | none |
sections | [ReportCardSection] | [Contains details about different section of the report card. ] |
ReportCardSection
{
"id": "SECTION_DOMAIN",
"name": "Domain",
"items": [
{
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
}
]
}
Contains details about different section of the report card.
Properties
Name | Type | Description |
---|---|---|
id | string | none |
name | string | none |
items | [ReportCardItem] | [Describes the item in each report card section. ] |
ReportCardItem
{
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
}
Describes the item in each report card section.
Properties
Name | Type | Description |
---|---|---|
id | string | none |
name | string | none |
status | string | none |
remarks | [ReportCardRemark] | [Describes the remarks of a report card item. ] |
Enumerated Values
Property | Value |
---|---|
status | none |
status | good |
status | warning |
status | error |
status | unknown |
ReportCardRemark
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
Describes the remarks of a report card item.
Properties
Name | Type | Description |
---|---|---|
id | string | none |
title | string | none |
content | string | none |
severity | string | none |
data | object | Additional data associated with the report remark |
» additionalProperties | any | none |
Enumerated Values
Property | Value |
---|---|
severity | good |
severity | info |
severity | neutral |
severity | notice |
severity | powerup |
severity | warning |
severity | unknown |
severity | error |
DmarcReportRequest
{
"group": "productgroup",
"limit": 100,
"format": "csv",
"tags": [
"test"
]
}
Properties
Name | Type | Description |
---|---|---|
group | string | If set, filters the response with the provided group label. |
limit | integer | If set, returns only up to the specified number of results. |
format | string | If set, returns results in the format specified. Default: JSON |
tags | [string] | If set, returns results which contain at least one of the specified tags. |
Enumerated Values
Property | Value |
---|---|
format | json |
format | csv |
format | xlsx |
DmarcReportResponse
{
"dmarc": [
{
"key": "example.com",
"policy": "reject",
"policyText": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
}
]
}
Properties
Name | Type | Description |
---|---|---|
dmarc | [DmarcReport] | none |
DmarcReport
{
"key": "example.com",
"policy": "reject",
"policyText": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
}
Properties
Name | Type | Description |
---|---|---|
key* | string | The domain name. |
policy | string | DMARC receiver policy |
policyText* | string | The text of the DMARC policy. |
Enumerated Values
Property | Value |
---|---|
policy | none |
policy | reject |
policy | quarantine |
DomainsReportRequest
{
"group": "productgroup",
"limit": 100,
"format": "csv"
}
Properties
Name | Type | Description |
---|---|---|
group | string | If set, filters the response with the provided group label. |
limit | integer | If set, returns only up to the specified number of domains. |
format | string | If set, returns domains in the format specified. Default: JSON |
Enumerated Values
Property | Value |
---|---|
format | json |
format | csv |
format | xlsx |
DomainsReportResponse
{
"domains": [
{
"name": "example.com",
"punyName": "example.com",
"dnsNx": false,
"regNx": false,
"lookupStatus": "OK",
"registrant": "Privacy service provided by Withheld for Privacy ehf",
"registrar": "NameCheap, Inc.",
"statuses": [
"clientTransferProhibited"
],
"statusGood": true,
"registrarLock": true,
"registryLock": false,
"registration": "2019-04-16T09:13:56Z",
"expiration": "2024-04-16T09:13:56Z",
"contactAbuse": {
"type": "CONTACT_ABUSE",
"firstName": "Redacted for Privacy",
"organization": "Privacy service provided by Withheld for Privacy ehf",
"street1": "Kalkofnsvegur 2",
"city": "Reykjavik",
"state": "Capital Region",
"postcode": "101",
"country": "IS",
"email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
"phone": "+354.4212434"
},
"contactAdmin": {
"type": "CONTACT_ABUSE",
"firstName": "Redacted for Privacy",
"organization": "Privacy service provided by Withheld for Privacy ehf",
"street1": "Kalkofnsvegur 2",
"city": "Reykjavik",
"state": "Capital Region",
"postcode": "101",
"country": "IS",
"email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
"phone": "+354.4212434"
},
"contactRegistrar": {
"type": "CONTACT_ABUSE",
"firstName": "Redacted for Privacy",
"organization": "Privacy service provided by Withheld for Privacy ehf",
"street1": "Kalkofnsvegur 2",
"city": "Reykjavik",
"state": "Capital Region",
"postcode": "101",
"country": "IS",
"email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
"phone": "+354.4212434"
},
"contactRegistrant": {
"type": "CONTACT_ABUSE",
"firstName": "Redacted for Privacy",
"organization": "Privacy service provided by Withheld for Privacy ehf",
"street1": "Kalkofnsvegur 2",
"city": "Reykjavik",
"state": "Capital Region",
"postcode": "101",
"country": "IS",
"email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
"phone": "+354.4212434"
},
"contactTechnical": {
"type": "CONTACT_ABUSE",
"firstName": "Redacted for Privacy",
"organization": "Privacy service provided by Withheld for Privacy ehf",
"street1": "Kalkofnsvegur 2",
"city": "Reykjavik",
"state": "Capital Region",
"postcode": "101",
"country": "IS",
"email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
"phone": "+354.4212434"
},
"groups": [
"hardenize",
"feistyduck"
],
"tags": [
"tag1",
"tag2"
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
domains | [DomainsReport] | none |
DomainsReport
{
"name": "example.com",
"punyName": "example.com",
"dnsNx": false,
"regNx": false,
"lookupStatus": "OK",
"registrant": "Privacy service provided by Withheld for Privacy ehf",
"registrar": "NameCheap, Inc.",
"statuses": [
"clientTransferProhibited"
],
"statusGood": true,
"registrarLock": true,
"registryLock": false,
"registration": "2019-04-16T09:13:56Z",
"expiration": "2024-04-16T09:13:56Z",
"contactAbuse": {
"type": "CONTACT_ABUSE",
"firstName": "Redacted for Privacy",
"organization": "Privacy service provided by Withheld for Privacy ehf",
"street1": "Kalkofnsvegur 2",
"city": "Reykjavik",
"state": "Capital Region",
"postcode": "101",
"country": "IS",
"email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
"phone": "+354.4212434"
},
"contactAdmin": {
"type": "CONTACT_ABUSE",
"firstName": "Redacted for Privacy",
"organization": "Privacy service provided by Withheld for Privacy ehf",
"street1": "Kalkofnsvegur 2",
"city": "Reykjavik",
"state": "Capital Region",
"postcode": "101",
"country": "IS",
"email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
"phone": "+354.4212434"
},
"contactRegistrar": {
"type": "CONTACT_ABUSE",
"firstName": "Redacted for Privacy",
"organization": "Privacy service provided by Withheld for Privacy ehf",
"street1": "Kalkofnsvegur 2",
"city": "Reykjavik",
"state": "Capital Region",
"postcode": "101",
"country": "IS",
"email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
"phone": "+354.4212434"
},
"contactRegistrant": {
"type": "CONTACT_ABUSE",
"firstName": "Redacted for Privacy",
"organization": "Privacy service provided by Withheld for Privacy ehf",
"street1": "Kalkofnsvegur 2",
"city": "Reykjavik",
"state": "Capital Region",
"postcode": "101",
"country": "IS",
"email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
"phone": "+354.4212434"
},
"contactTechnical": {
"type": "CONTACT_ABUSE",
"firstName": "Redacted for Privacy",
"organization": "Privacy service provided by Withheld for Privacy ehf",
"street1": "Kalkofnsvegur 2",
"city": "Reykjavik",
"state": "Capital Region",
"postcode": "101",
"country": "IS",
"email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
"phone": "+354.4212434"
},
"groups": [
"hardenize",
"feistyduck"
],
"tags": [
"tag1",
"tag2"
]
}
Properties
Name | Type | Description |
---|---|---|
name* | string | The domain name. |
punyName* | string | The punycode representation of the domain name. |
dnsNx* | boolean | Indicates whether the domain has DNSNX. |
regNx* | boolean | Indicates whether the domain has RegNX. |
lookupStatus | string | The lookup status of the domain. |
registrant | string | The registrant of the domain. |
registrar | string | The registrar of the domain. |
statuses | [string] | The statuses associated with the domain. |
statusGood | boolean | Status indicator (Good). |
registrarLock | boolean | Registrar lock indicator. |
registryLock | boolean | Registry lock indicator. |
registration | string(date-time) | Domain registration date and time. |
expiration | string(date-time) | Domain expiration date and time. |
contactAbuse | Contact | none |
contactAdmin | Contact | none |
contactRegistrar | Contact | none |
contactRegistrant | Contact | none |
contactTechnical | Contact | none |
groups | [string] | The groups associated with the domain. |
tags | [string] | The tags associated with the domain. |
Contact
{
"type": "CONTACT_ABUSE",
"firstName": "Redacted for Privacy",
"organization": "Privacy service provided by Withheld for Privacy ehf",
"street1": "Kalkofnsvegur 2",
"city": "Reykjavik",
"state": "Capital Region",
"postcode": "101",
"country": "IS",
"email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
"phone": "+354.4212434"
}
Properties
Name | Type | Description |
---|---|---|
type | string | Type of contact. |
firstName | string | First name of the contact. |
organization | string | Organization of the contact. |
street1 | string | Street address of the contact. |
city | string | City of the contact. |
state | string | State or region of the contact. |
postcode | string | Postal code of the contact. |
country | string | Country of the contact. |
string | Email address of the contact. | |
phone | string | Phone number of the contact. |
IssuesReportRequest
{
"type": "active",
"limit": 100,
"format": "csv"
}
Properties
Name | Type | Description |
---|---|---|
type | string | if set, will filter the results with the specified type. Default: all |
limit | integer | If set, returns only up to the specified number of issues. |
format | string | If set, returns issues in the format specified. Default: JSON |
Enumerated Values
Property | Value |
---|---|
type | all |
type | active |
type | orphaned |
type | completed |
type | ignored |
type | snoozed |
type | bogus |
type | abandoned |
type | deprecated |
format | json |
format | csv |
format | xlsx |
IssuesReportResponse
{
"issues": [
{
"issueId": 10001,
"revision": 1,
"definitionId": "DNS1001",
"subject": "OPAQUE",
"subjectDomain": "example.com",
"title": "Dangling Resource Record",
"category": "DNS",
"severity": "high",
"cause": "OPAQUE",
"causeDomain": "nxdomain.example.com",
"causeIp": "192.168.1.1",
"open": true,
"status": "active",
"auto": true,
"autoOpen": true,
"autoPreservedStatus": "string",
"createdOn": "2022-06-17T00:00:00Z",
"lastClosed": "2022-06-17T00:00:00Z",
"lastUpdated": "2022-06-17T00:00:00Z",
"lastChecked": "2022-06-17T00:00:00Z",
"lastConfirmed": "2022-06-17T00:00:00Z",
"snoozedUntil": "2022-06-17T00:00:00Z",
"details": {
"@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
"rrDomain": "example.com",
"rrEffectiveDomain": "_xmpp-server._tcp.example.com",
"rrType": "SRV",
"danglingType": "nxdomain",
"causeDomain": "nxdomain.example.com"
},
"groups": [
"Product"
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
issues | [Issue] | none |
IssuesReport
{
"issueId": 0,
"revision": 0,
"definitionId": "string",
"subject": "string",
"subjectDomain": "string",
"title": "string",
"category": "string",
"severity": "string",
"cause": "string",
"causeDomain": "string",
"causeIp": {
"holder": {
"originalHostName": "string",
"hostName": "string",
"address": 0,
"family": 0
},
"canonicalHostName": "string"
},
"open": true,
"status": "string",
"auto": true,
"autoOpen": true,
"autoPreservedStatus": "string",
"createdOn": 0,
"lastClosed": 0,
"lastUpdated": 0,
"lastChecked": 0,
"lastConfirmed": 0,
"snoozedUntil": 0,
"details": {}
}
Properties
Name | Type | Description |
---|---|---|
issueId | integer | none |
revision | integer | none |
definitionId | string | none |
subject | string | none |
subjectDomain | string | none |
title | string | none |
category | string | none |
severity | string | none |
cause | string | none |
causeDomain | string | none |
causeIp | object | none |
» holder | object | none |
»» originalHostName | string | none |
»» hostName | string | none |
»» address | integer | none |
»» family | integer | none |
» canonicalHostName | string | none |
open | boolean | none |
status | string | none |
auto | boolean | none |
autoOpen | boolean | none |
autoPreservedStatus | string | none |
createdOn | integer | none |
lastClosed | integer | none |
lastUpdated | integer | none |
lastChecked | integer | none |
lastConfirmed | integer | none |
snoozedUntil | integer | none |
details | object | none |
IpAddressReportRequest
{
"group": "productgroup",
"limit": 100,
"format": "csv"
}
Properties
Name | Type | Description |
---|---|---|
group | string | If set, filters the response with the provided group label. |
limit | integer | If set, returns only up to the specified number of results. |
format | string | If set, returns results in the format specified. Default: JSON |
Enumerated Values
Property | Value |
---|---|
format | json |
format | csv |
format | xlsx |
IpAddressReportResponse
{
"ipAddresses": [
{
"ip": "123.101.73.30",
"cloudIntegrationAccountId": "1234567890",
"cloudResourceType": "Virtual Machine",
"cloudResourceId": "vm-12345",
"cloudIntegrationName": "Azure Integration",
"cloudIntegrationRef": "azure://subscription/123456",
"cloudResourceName": "MyVM",
"cloudResourceZone": "Zone-1",
"cloudProvider": "Azure",
"asNumber": "8075",
"asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
"locCountryCode": "NL",
"cloudRegion": "East US"
}
]
}
Properties
Name | Type | Description |
---|---|---|
ipAddresses | [IpAddressReport] | none |
IpAddressReport
{
"ip": "123.101.73.30",
"cloudIntegrationAccountId": "1234567890",
"cloudResourceType": "Virtual Machine",
"cloudResourceId": "vm-12345",
"cloudIntegrationName": "Azure Integration",
"cloudIntegrationRef": "azure://subscription/123456",
"cloudResourceName": "MyVM",
"cloudResourceZone": "Zone-1",
"cloudProvider": "Azure",
"asNumber": "8075",
"asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
"locCountryCode": "NL",
"cloudRegion": "East US"
}
Properties
Name | Type | Description |
---|---|---|
ip* | string | The IP address. |
cloudIntegrationAccountId | string | The ID of the cloud integration account. |
cloudResourceType | string | The type of cloud resource. |
cloudResourceId | string | The ID of the cloud resource. |
cloudIntegrationName | string | The name of the cloud integration. |
cloudIntegrationRef | string | The reference to the cloud integration. |
cloudResourceName | string | The name of the cloud resource. |
cloudResourceZone | string | The availability zone of the cloud resource. |
cloudProvider | string | The cloud provider (e.g., Azure, AWS). |
asNumber | string | The Autonomous System (AS) number. |
asName | string | The name of the Autonomous System (AS). |
locCountryCode | string | The country code of the location. |
cloudRegion | string | The cloud region where the resource is located. |
NetworkRangesReportRequest
{
"limit": 100,
"format": "csv",
"tags": [
"test"
]
}
Properties
Name | Type | Description |
---|---|---|
limit | integer | If set, returns only up to the specified number of results. |
format | string | If set, returns results in the format specified. Default: JSON |
tags | [string] | If set, returns results with the specified tags. |
Enumerated Values
Property | Value |
---|---|
format | json |
format | csv |
format | xlsx |
NetworkRangesReportResponse
{
"network-ranges": [
{
"range": "52.0.205.39/32",
"label": "Lab DNS1",
"description": "dns1-production-lab.hardenize.net"
}
]
}
Properties
Name | Type | Description |
---|---|---|
network-ranges | [NetworkRangesReport] | none |
NetworkRangesReport
{
"range": "52.0.205.39/32",
"label": "Lab DNS1",
"description": "dns1-production-lab.hardenize.net"
}
Properties
Name | Type | Description |
---|---|---|
range* | string | The IP range in CIDR notation. |
label* | string | A label or name for the IP range. |
description | string | A description of the IP range. |
OpenPortsReportRequest
{
"address": "192.168.1.1",
"port": 443,
"transport": "tcp",
"service": "other",
"hostname": "example.com",
"limit": 100,
"format": "csv"
}
Properties
Name | Type | Description |
---|---|---|
address | string | If set, filters the response by the provided address. Address can be supplied as a network range in CIDR (192.168.10.1/24) form or as an individual IP address (192.168.10.1) |
port | integer | If set, filters the response by the provided port. |
transport | string | If set, filters the response by the provided transport. |
service | string | If set, filters the response by the provided service. |
hostname | string | If set, searching for "example.com" would find any open ports with a hostname being the same as "example.com" or a subdomain of it |
limit | integer | If set, returns only up to the specified number of results. |
format | string | If set, returns results in the format specified. Default: JSON |
Enumerated Values
Property | Value |
---|---|
transport | tcp |
transport | udp |
format | json |
format | csv |
format | xlsx |
OpenPortsReportResponse
{
"open-ports": [
{
"address": "123.234.73.24",
"port": 25,
"transport": "tcp",
"service": "smtp",
"hostname": "example-com.mail.protection.outlook.com"
}
]
}
Properties
Name | Type | Description |
---|---|---|
open-ports | [OpenPortsReport] | none |
OpenPortsReport
{
"address": "123.234.73.24",
"port": 25,
"transport": "tcp",
"service": "smtp",
"hostname": "example-com.mail.protection.outlook.com"
}
Properties
Name | Type | Description |
---|---|---|
address* | string | The IP address. |
port* | integer | The port number. |
transport* | string | The transport protocol (e.g., tcp, udp). |
service* | string | The service name. |
hostname | string | The hostname associated with the address. |
SpfReportRequest
{
"group": "productgroup",
"limit": 100,
"format": "csv",
"tags": [
"test"
]
}
Properties
Name | Type | Description |
---|---|---|
group | string | If set, filters the response with the provided group label. |
limit | integer | If set, returns only up to the specified number of results. |
format | string | If set, returns results in the format specified. Default: JSON |
tags | [string] | If set, returns results with the specified tags. |
Enumerated Values
Property | Value |
---|---|
format | json |
format | csv |
format | xlsx |
SpfReportResponse
{
"spf": [
{
"key": "example.com",
"policyText": "v=spf1 include:spf.protection.outlook.com -all",
"lookups": 8
}
]
}
Properties
Name | Type | Description |
---|---|---|
spf | [SpfReport] | none |
SpfReport
{
"key": "example.com",
"policyText": "v=spf1 include:spf.protection.outlook.com -all",
"lookups": 8
}
Properties
Name | Type | Description |
---|---|---|
key* | string | The domain name. |
policyText* | string | The SPF policy text. |
lookups | integer | The number of SPF lookups |
CertificateReportRequest
{
"group": "productgroup",
"limit": 100,
"format": "csv",
"active": true,
"revoked": true,
"expiring": true,
"expiringDays": 10
}
Properties
Name | Type | Description |
---|---|---|
group | string | If set, filters the response with the provided group label. |
limit | integer | If set, returns only up to the specified number of certificates. |
format | string | If set, returns certificates in the format specified. Default: JSON |
active | boolean | If set, returns only active certificates. |
revoked | boolean | If set, returns only revoked certificates. |
expiring | boolean | If set, returns both expired certificates and the ones which expire in N days, where N is configurable at Settings -> Certificate Notifications -> When Certificates Become Overdue |
expiringDays | integer | If set, overrides the default number of expiring days when 'expiring' is set to true. |
Enumerated Values
Property | Value |
---|---|
format | json |
format | csv |
format | xlsx |
CertificateReportResponse
{
"certificates": [
{
"shortId": "572908a",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"validation": "dv",
"notBefore": "2024-12-20T16:02:26.698Z",
"notAfter": "2024-12-20T16:02:26.698Z",
"effectiveNotAfter": "2024-12-20T16:02:26.698Z",
"revokedOn": "2024-12-20T16:02:26.698Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"sanCount": 1,
"caPathLen": -1,
"wildcard": true,
"selfSigned": false,
"firstSeen": "2024-12-20T16:02:26.698Z",
"lastSeen": "2024-12-20T16:02:26.698Z",
"seenInstalled": true,
"active": true,
"precert": false,
"duplicate": false,
"managed": true,
"ownership": "own",
"label": "ssl760680.cloudflaressl.com",
"matchesOrgHost": true,
"symantecStatus": "symantecExcluded",
"ctRequired": true,
"ctCompliant": true,
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"origin": "ct",
"originTitle": "CT",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"parentHashes": [
"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
],
"parentHashesSource": "ct",
"parentHashesComplete": true,
"analysis": {
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
},
"matchedHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"thirdPartyHosts": [
"hardenize.com"
],
"deployments": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.698Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.698Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
},
"lifetime": "PT17652H",
"lifetimeDays": 736,
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"caIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
],
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"ctInfos": [
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.699Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
]
}
]
}
Properties
Name | Type | Description |
---|---|---|
certificates | [Certificate] | [Contains information about one certificate. ] |
PdfFile
"string"
PDF file content
Properties
Name | Type | Description |
---|---|---|
anonymous | string(binary) | PDF file content |
CertificateExpiringEndpointsReportRequest
{
"group": "productgroup",
"limit": 100,
"integration": "Entrust Dev",
"format": "csv"
}
Properties
Name | Type | Description |
---|---|---|
group | string | If set, filters the response with the provided group label. |
limit | integer | If set, returns only up to the specified number of expired certificates. |
integration | string | If set, filters the response with expired certificates which belong to an integration. |
format | string | If set, returns expired certificates in the format specified. Default: JSON |
Enumerated Values
Property | Value |
---|---|
format | json |
format | csv |
format | xlsx |
CertificateExpiringEndpointsReportResponse
{
"expiringEndpoints": [
{
"host": "example.com",
"serviceHostname": "service.example.com",
"serviceDomain": "example.com",
"serviceLocation": "US-West",
"port": 443,
"certificateExpires": "2024-12-20T16:02:26.699Z",
"serviceLastSeen": "2024-12-20T16:02:26.699Z",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"certificateDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"certificateSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"certificateSan": "*.hardenize.com",
"asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
"asNumber": "12345"
}
]
}
Properties
Name | Type | Description |
---|---|---|
expiringEndpoints | [CertificateExpiringEndpointsReport] | none |
CertificateExpiringEndpointsReport
{
"host": "example.com",
"serviceHostname": "service.example.com",
"serviceDomain": "example.com",
"serviceLocation": "US-West",
"port": 443,
"certificateExpires": "2024-12-20T16:02:26.700Z",
"serviceLastSeen": "2024-12-20T16:02:26.700Z",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"certificateDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"certificateSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"certificateSan": "*.hardenize.com",
"asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
"asNumber": "12345"
}
Properties
Name | Type | Description |
---|---|---|
host | string | The hostname of the endpoint. |
serviceHostname | string | The hostname of the service associated with the endpoint. |
serviceDomain | string | The domain of the service associated with the endpoint. |
serviceLocation | string | The location or region where the service is located. |
port | integer | The port number of the endpoint. |
certificateExpires | string(date-time) | ISO 8601 timestamp indicating when the certificate for the endpoint expires. |
serviceLastSeen | string(date-time) | ISO 8601 timestamp indicating when the service was last seen. |
sha256* | string | Hex-encoded SHA256 hash of the endpoint's certificate in DER format. |
certificateDn | string | Distinguished name of the endpoint's certificate. |
certificateSerial | string | Hex-encoded serial number of the endpoint's certificate. |
issuer* | string | Distinguished name of the certificate issuer. |
issuerCa | string | The name of the issuing CA for the endpoint's certificate, according to CCADB. |
certificateSan | string | All hosts specified in the endpoint's certificate's SAN extension, as Unicode. |
asName | string | The name of the Autonomous System (AS). |
asNumber | string | The number of the Autonomous System (AS). |
HostsReportRequest
{
"group": "productgroup",
"limit": 100,
"format": "csv"
}
Properties
Name | Type | Description |
---|---|---|
group | string | If set, filters the response with the provided group label. |
limit | integer | If set, returns only up to the specified number of domains. |
format | string | If set, returns hosts in the format specified. Default: JSON |
Enumerated Values
Property | Value |
---|---|
format | json |
format | csv |
format | xlsx |
HostsReportResponse
{
"hosts": [
{
"assetId": 11117,
"hostname": "example.com",
"creationTime": "2023-09-14T12:59:25Z",
"summary": "{\"csp\": \"good\", \"spf\": \"neutral\", \"hpkp\": \"good\", \"hsts\": \"neutral\", \"tags\": [\"tag1\", \"tag2\"], \"dmarc\": \"error\", \"dnssec\": \"neutral\", \"hasSpf\": true, \"status\": \"completed\", \"wwwTls\": \"warning\", \"cookies\": \"good\", \"hasHsts\": true, \"hasHttp\": true, \"hasSmtp\": false, \"hasSsl2\": false, \"hasSsl3\": false, \"wwwDane\": \"neutral\", \"emailTls\": \"good\", \"hasDmarc\": true, \"hasHttps\": true, \"hasTls10\": false, \"hasTls11\": true, \"hasTls12\": true, \"hasTls13\": true, \"hostname\": \"example.com\", \"emailDane\": \"neutral\", \"hasDnssec\": false, \"hasSmtpTls\": true, \"reportTime\": \"2024-05-27T09:47:23.134\", \"hasSmtpDane\": false, \"nameServers\": \"error\", \"hasHttpsDane\": false, \"mixedContent\": \"good\", \"supportsSsl2\": false, \"supportsSsl3\": false, \"supportsTls10\": false, \"supportsTls11\": true, \"supportsTls12\": true, \"supportsTls13\": true, \"securityHeaders\": \"neutral\", \"unicodeHostname\": \"example.com\", \"hasHstsPreloaded\": false, \"siteCreationTime\": \"2024-05-27T09:46:58\", \"wwwXssProtection\": \"neutral\", \"hasHttpsRedirection\": true, \"hasHttpsTls12OrBetter\": true, \"wwwXssProtectionEnabled\": false, \"wwwXcto\": false}",
"reportCard": "{\"sections\": [{\"id\": \"SECTION_DOMAIN\", \"name\": \"Domain\", \"items\": [{\"id\": \"ITEM_DOMAIN_REGISTRATION\", \"name\": \"Domain Registration\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNS_ZONE\", \"name\": \"DNS Zone\", \"status\": \"error\", \"remarks\": [{\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns1.example.com.\", \"Address\": \"2610:a1:1024::200\", \"Reverse name\": \"dns1.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}, {\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns2.example.com.\", \"Address\": \"2610:a1:1025::200\", \"Reverse name\": \"dns2.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_DNS_RR\", \"name\": \"DNS Resource Records\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNSSEC\", \"name\": \"DNSSEC\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_DOMAIN_CAA\", \"name\": \"CAA\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_EMAIL\", \"name\": \"Email\", \"items\": [{\"id\": \"ITEM_EMAIL_TLS\", \"name\": \"TLS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DANE\", \"name\": \"DANE\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_SPF\", \"name\": \"SPF\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DMARC\", \"name\": \"DMARC\", \"status\": \"error\", \"remarks\": [{\"id\": \"EMAIL_DMARC_EXTERNAL_DESTINATION_NOAUTH\", \"data\": {\"External destination\": \"mailto:dmarcreports.example@gmail.com\", \"Expected permission record location\": \"example.com._report._dmarc.gmail.com\"}, \"title\": \"Invalid external destination\", \"severity\": \"error\"}, {\"id\": \"EMAIL_DMARC_INVALID\", \"data\": {}, \"title\": \"DMARC policy is invalid\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_EMAIL_MTA_STS\", \"name\": \"MTA-STS\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_TLS_RPT\", \"name\": \"TLS-RPT\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_WEB\", \"name\": \"Web\", \"items\": [{\"id\": \"ITEM_WEB_HTTP\", \"name\": \"HTTP\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HTTPS\", \"name\": \"HTTPS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_TLS\", \"name\": \"TLS\", \"status\": \"warning\", \"remarks\": [{\"id\": \"TLS_SUITES_PFS_AND_AEAD_TOP_RECOMMEND\", \"title\": \"Reconfigure server to use forward secrecy and authenticated encryption\", \"severity\": \"warning\"}, {\"id\": \"WWW_TLS_CONN_FAILED\", \"data\": {\"Error message\": \"Network is unreachable (connect failed)\"}, \"title\": \"TLS connection failed\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_WEB_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_COOKIES\", \"name\": \"Cookies\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_MIXED_CONTENT\", \"name\": \"Mixed Content\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HSTS\", \"name\": \"Strict Transport Security\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_CSP\", \"name\": \"Content Security Policy\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_SRI\", \"name\": \"Subresource Integrity\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XFO\", \"name\": \"Framing Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XSS_PROTECTION\", \"name\": \"XSS Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_CONTENT_TYPE_OPTIONS\", \"name\": \"Content Type Options\", \"status\": \"none\", \"remarks\": []}]}], \"available\": true, \"timestamp\": \"2023-09-14T13:00:13.407Z\", \"domainUnicode\": \"example.com\", \"reportVersion\": 1, \"domainPunycode\": \"example.com\", \"hardenizeVersion\": \"v1.1545.1\"}",
"groups": [
"feistyduck",
"hardenize"
],
"tags": [
"test"
],
"errorMessage": "Hostname not found",
"errorTime": "2023-09-15T08:47:45Z",
"nxTime": "2023-09-15T08:47:00Z"
}
]
}
Properties
Name | Type | Description |
---|---|---|
hosts | [HostReport] | none |
HostReport
{
"assetId": 11117,
"hostname": "example.com",
"creationTime": "2023-09-14T12:59:25Z",
"summary": "{\"csp\": \"good\", \"spf\": \"neutral\", \"hpkp\": \"good\", \"hsts\": \"neutral\", \"tags\": [\"tag1\", \"tag2\"], \"dmarc\": \"error\", \"dnssec\": \"neutral\", \"hasSpf\": true, \"status\": \"completed\", \"wwwTls\": \"warning\", \"cookies\": \"good\", \"hasHsts\": true, \"hasHttp\": true, \"hasSmtp\": false, \"hasSsl2\": false, \"hasSsl3\": false, \"wwwDane\": \"neutral\", \"emailTls\": \"good\", \"hasDmarc\": true, \"hasHttps\": true, \"hasTls10\": false, \"hasTls11\": true, \"hasTls12\": true, \"hasTls13\": true, \"hostname\": \"example.com\", \"emailDane\": \"neutral\", \"hasDnssec\": false, \"hasSmtpTls\": true, \"reportTime\": \"2024-05-27T09:47:23.134\", \"hasSmtpDane\": false, \"nameServers\": \"error\", \"hasHttpsDane\": false, \"mixedContent\": \"good\", \"supportsSsl2\": false, \"supportsSsl3\": false, \"supportsTls10\": false, \"supportsTls11\": true, \"supportsTls12\": true, \"supportsTls13\": true, \"securityHeaders\": \"neutral\", \"unicodeHostname\": \"example.com\", \"hasHstsPreloaded\": false, \"siteCreationTime\": \"2024-05-27T09:46:58\", \"wwwXssProtection\": \"neutral\", \"hasHttpsRedirection\": true, \"hasHttpsTls12OrBetter\": true, \"wwwXssProtectionEnabled\": false, \"wwwXcto\": false}",
"reportCard": "{\"sections\": [{\"id\": \"SECTION_DOMAIN\", \"name\": \"Domain\", \"items\": [{\"id\": \"ITEM_DOMAIN_REGISTRATION\", \"name\": \"Domain Registration\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNS_ZONE\", \"name\": \"DNS Zone\", \"status\": \"error\", \"remarks\": [{\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns1.example.com.\", \"Address\": \"2610:a1:1024::200\", \"Reverse name\": \"dns1.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}, {\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns2.example.com.\", \"Address\": \"2610:a1:1025::200\", \"Reverse name\": \"dns2.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_DNS_RR\", \"name\": \"DNS Resource Records\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNSSEC\", \"name\": \"DNSSEC\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_DOMAIN_CAA\", \"name\": \"CAA\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_EMAIL\", \"name\": \"Email\", \"items\": [{\"id\": \"ITEM_EMAIL_TLS\", \"name\": \"TLS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DANE\", \"name\": \"DANE\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_SPF\", \"name\": \"SPF\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DMARC\", \"name\": \"DMARC\", \"status\": \"error\", \"remarks\": [{\"id\": \"EMAIL_DMARC_EXTERNAL_DESTINATION_NOAUTH\", \"data\": {\"External destination\": \"mailto:dmarcreports.example@gmail.com\", \"Expected permission record location\": \"example.com._report._dmarc.gmail.com\"}, \"title\": \"Invalid external destination\", \"severity\": \"error\"}, {\"id\": \"EMAIL_DMARC_INVALID\", \"data\": {}, \"title\": \"DMARC policy is invalid\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_EMAIL_MTA_STS\", \"name\": \"MTA-STS\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_TLS_RPT\", \"name\": \"TLS-RPT\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_WEB\", \"name\": \"Web\", \"items\": [{\"id\": \"ITEM_WEB_HTTP\", \"name\": \"HTTP\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HTTPS\", \"name\": \"HTTPS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_TLS\", \"name\": \"TLS\", \"status\": \"warning\", \"remarks\": [{\"id\": \"TLS_SUITES_PFS_AND_AEAD_TOP_RECOMMEND\", \"title\": \"Reconfigure server to use forward secrecy and authenticated encryption\", \"severity\": \"warning\"}, {\"id\": \"WWW_TLS_CONN_FAILED\", \"data\": {\"Error message\": \"Network is unreachable (connect failed)\"}, \"title\": \"TLS connection failed\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_WEB_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_COOKIES\", \"name\": \"Cookies\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_MIXED_CONTENT\", \"name\": \"Mixed Content\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HSTS\", \"name\": \"Strict Transport Security\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_CSP\", \"name\": \"Content Security Policy\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_SRI\", \"name\": \"Subresource Integrity\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XFO\", \"name\": \"Framing Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XSS_PROTECTION\", \"name\": \"XSS Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_CONTENT_TYPE_OPTIONS\", \"name\": \"Content Type Options\", \"status\": \"none\", \"remarks\": []}]}], \"available\": true, \"timestamp\": \"2023-09-14T13:00:13.407Z\", \"domainUnicode\": \"example.com\", \"reportVersion\": 1, \"domainPunycode\": \"example.com\", \"hardenizeVersion\": \"v1.1545.1\"}",
"groups": [
"feistyduck",
"hardenize"
],
"tags": [
"test"
],
"errorMessage": "Hostname not found",
"errorTime": "2023-09-15T08:47:45Z",
"nxTime": "2023-09-15T08:47:00Z"
}
Properties
Name | Type | Description |
---|---|---|
assetId* | integer | The unique identifier for the asset. |
hostname* | string | The hostname associated with the asset. |
creationTime* | string(date-time) | The timestamp indicating when the asset was created. |
summary | string | A summary of the host information in JSON format. |
reportCard | string | A report card containing sections and items related to the asset. |
groups | [string] | Groups which the asset belongs to, if any. |
tags | [string] | Tags associated with the asset, if any. |
errorMessage | string | An error message associated with the asset (if applicable). |
errorTime | string(date-time) | The timestamp indicating when the error occurred (if applicable). |
nxTime | string(date-time) | The timestamp indicating when the asset became non-existent (if applicable). |
Report0Quality
{
"quality": "good"
}
This field describes the quality of configuration of particular element. The four most commonly seen values here are good, warning, error, and neutral. Out of these, the best is cleary good, but neutral is all right, depending on your policies (e.g., you might not want to deploy a particular security technology). Hardenize uses warnings and errors only when something is broken, misconfigured, or has a negative security implication. Neither of these qualities is used if you don't have a particular security feature. We use unknown if we don't have enough information to make a judgement. Finally, warningAbsent and errorAbsent are special statuses that we use to indicate when warnings and errors are indicated due to absence of feature. This might happen, for example, if a site supports plaintext HTTP but not encrypted HTTPS.
Properties
Name | Type | Description |
---|---|---|
quality | string | none |
Enumerated Values
Property | Value |
---|---|
quality | good |
quality | error |
quality | errorAbsent |
quality | neutral |
quality | unknown |
quality | warning |
quality | warningAbsent |
TestEventHookResponse
{
"successful": false,
"errorMessage": "Expected 202 or 204 status code",
"durationMillis": 5814,
"pubsub": {
"destination": "pubsub://events/1/1005",
"message": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}",
"attributes": {
"X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
"X-Hardenize-Org": "demo",
"X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
},
"messageId": "260486610038606"
},
"webook": {
"request": {
"method": "POST",
"url": "https://hardenize.com/webhooks/receive",
"headers": {
"Content-Type": "application/json; charset=UTF-8",
"User-Agent": "Hardenize (https://www.hardenize.com)",
"X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
"X-Hardenize-Org": "demo",
"X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
},
"body": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}"
},
"response": {
"statusCode": 302,
"headers": {
"Location": "https://hardenize.com/redirection",
"Cache-Control": "no-cache",
"Connection": "keep-alive",
"Content-Type": "text/plain; charset=UTF-8",
"Date": "Wed, 10 Oct 2018 15:36:54 GMT",
"Server": "nginx/1.10.3",
"Transfer-Encoding": "chunked",
"Vary": "Accept-Encoding"
},
"body": "OK"
}
}
}
Embeds a transcript of an event hook test, providing request and response information, as well as an indication of whether the hook is operating correctly.
Properties
Name | Type | Description |
---|---|---|
successful | boolean | Indication of whether the event hook test was successful. If the HTTP request itself is successful, the status code must be in the 2xx range. If the test is not successful, the errorMessage field will contain an explanation. |
errorMessage | string | Error message, in case of test failure only. |
durationMillis | integer(int64) | Duration of the HTTP request submitted to the hook, in milliseconds. |
pubsub | object | Webhook-specific diagnostic information. |
» destination | string | PubSub destination. |
» message | string | Message body. |
» attributes | object | Message attributes. |
» messageId | string | PubSub message ID. |
webook | object | Webhook-specific diagnostic information. |
» request | object | Information about the submitted HTTP request, including some selected request headers. |
»» method | string | Request method; always POST. |
»» url | string | Webhook URL used for the test. |
»» headers | object | Selected HTTP request headers. |
»» body | string | Raw request body, as a string. |
» response | object | Information about the HTTP response received from the remote server. |
»» statusCode | integer | HTTP response status code obtained from the remote server. |
»» headers | object | Complete HTTP response headers received from the remote server. |
»» body | string | Raw response body, as a string. |
UpdateCertRequest
{
"muted": true
}
Updates one certificate. All fields are optional, but at least one field must be provided.
Properties
Name | Type | Description |
---|---|---|
muted | boolean | If set to true, certificate notifications will be disabled for this certificate, even if it's observed on the network near its expiration. |
UpdateCertResponse
{
"cert": {
"shortId": "572908a",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"validation": "dv",
"notBefore": "2024-12-20T16:02:26.701Z",
"notAfter": "2024-12-20T16:02:26.701Z",
"effectiveNotAfter": "2024-12-20T16:02:26.701Z",
"revokedOn": "2024-12-20T16:02:26.701Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"sanCount": 1,
"caPathLen": -1,
"wildcard": true,
"selfSigned": false,
"firstSeen": "2024-12-20T16:02:26.701Z",
"lastSeen": "2024-12-20T16:02:26.701Z",
"seenInstalled": true,
"active": true,
"precert": false,
"duplicate": false,
"managed": true,
"ownership": "own",
"label": "ssl760680.cloudflaressl.com",
"matchesOrgHost": true,
"symantecStatus": "symantecExcluded",
"ctRequired": true,
"ctCompliant": true,
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
],
"pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
"origin": "ct",
"originTitle": "CT",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"parentHashes": [
"25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
"0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
],
"parentHashesSource": "ct",
"parentHashesComplete": true,
"analysis": {
"id": "ITEM_DOMAIN_REGISTRATION",
"name": "Domain Registration",
"status": "good",
"remarks": [
{
"id": "DNS_ZONE_NAMESERVER_NOT_OPERATIONAL",
"title": "Nameserver is not operational",
"content": "Good. The private key associated with this certificate is secure.",
"severity": "good",
"data": {
"Name": "dns1.registrar-servers.com.",
"Address": "2610:a1:1024::200",
"Reverse name": "dns1.registrar-servers.com."
}
}
]
},
"matchedHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"thirdPartyHosts": [
"hardenize.com"
],
"deployments": {
"hosts": [
{
"hostname": "string",
"service": "dns",
"serviceHostname": "string",
"lastSeen": "2024-12-20T16:02:26.701Z"
}
],
"services": [
{
"hostname": "string",
"address": "string",
"port": 0,
"asNumber": 0,
"asName": "string",
"cloudProvider": "string",
"cloudRegion": "string",
"lastSeen": "2024-12-20T16:02:26.701Z",
"certs": [
"93b42928a04ab3c571cf65cb05bf44cb585d3f2086b6b1835fc63fd4e57abb46",
"c10f09624558e5ab5e17c6c7708063dbaa558c314f7169f0845d975a7cfb65cd"
],
"tlsSupportedProtocols": [
"TLSv1.2",
"TLSv1.3"
],
"tlsConfigurationLevel": "secure"
}
]
},
"lifetime": "PT17652H",
"lifetimeDays": 736,
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"caIssuers": [
"http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt"
],
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"ctInfos": [
{
"id": "985868f5d681a3e3200119e2c15656eb55f208d0339301dbc951b79f131be04b",
"timestamp": "2024-12-20T16:02:26.701Z",
"name": "Google 'Xenon2024' log",
"status": "Qualified"
}
]
}
}
Properties
Name | Type | Description |
---|---|---|
cert* | Certificate | Contains information about one certificate. |
UpdateCertDiscoveryRequest
{
"status": "closed",
"resolution": "reconciled"
}
Contains parameters of a Cert Discovery which can be updated.
Properties
Name | Type | Description |
---|---|---|
status | string | If set, updates the certificate discovery status. Reopening a discovery will automatically clear the resolution. |
resolution | string | If set, updates the certificate discovery resolution |
Enumerated Values
Property | Value |
---|---|
status | open |
status | closed |
resolution | undetermined |
resolution | reconciled |
resolution | policyViolation |
resolution | fraudulent |
UpdateCertDiscoveryResponse
{
"certDiscovery": {
"certDiscoveryId": 11766,
"certSha256": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"precertSha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
"tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
"createdOn": "2022-06-17T00:00:00Z",
"updatedOn": "2022-06-17T00:00:00Z",
"closedOn": "2022-06-17T00:00:00Z",
"escalated": false,
"status": "open",
"resolution": "undetermined",
"certSummary": {
"shortId": "572908a",
"label": "ssl760680.cloudflaressl.com",
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "RSAwithMD2",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"issuerCa": "Let's Encrypt",
"ownership": "own",
"notBefore": "2024-12-20T16:02:26.702Z",
"notAfter": "2024-12-20T16:02:26.702Z",
"effectiveNotAfter": "2024-12-20T16:02:26.702Z",
"lifetimeDays": 736,
"lifetimeDaysLeft": 125,
"revokedOn": "2024-12-20T16:02:26.702Z",
"hosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"extras": {
"status": "ok",
"certsDueDays": 60,
"certsOverdueDays": 13,
"certsCriticalDays": 4,
"certsLabels": "managed",
"ski": "98723fb581325b326cbd6cb6953dab7dadb971d8",
"aki": "keyid:3dd350a5d6a0adeef34a600a65d321d4f8f8d60f",
"ku": [
"keyEncipherment",
"digitalSignature"
],
"eku": [
"serverAuth",
"clientAuth"
],
"mustStaple": true,
"crl": [
"http://crl3.digicert.com/sha2-ev-server-g2.crl",
"http://crl4.digicert.com/sha2-ev-server-g2.crl"
],
"ocsp": [
"http://ocsp.digicert.com"
],
"precert": false
},
"active": true,
"caPathLen": -1,
"nameDigestNewer": true
},
"certKnown": false,
"certInstalled": true,
"certExpired": false,
"certRevoked": false,
"issuerAllowed": true,
"issuerAllowedKeyword": "GlobalSign",
"issuerNotAllowed": false,
"issuerForbidden": false,
"issuerForbiddenKeyword": "cd61de3019f7c6fb5c50b6760b5c3bb0c421e799c6f0949cb5a9bff52c6ccd42",
"caaMismatch": false,
"caaMatchFull": false,
"notCtCompliant": false,
"maxLifetimeExceeded": false,
"timeoutCaseInactive": false,
"timeoutCertNotInstalled": false,
"matchedHosts": [
[
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
]
],
"matchedHostsInfo": {
"property1": {
"wildcard": false,
"caa": {
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
},
"property2": {
"wildcard": false,
"caa": {
"records": [
"string"
],
"source": "string",
"time": "2022-06-17T00:00:00Z",
"allowed": true,
"error": "UnknownHostException: 127.0.0.1:5053: invalid IPv6 address literal"
}
}
},
"matchedHostsCaaHistory": {
"property1": [
{
"policyHostname": "string",
"status": "present",
"statusMessage": "string",
"firstSeen": "2024-12-20T16:02:26.702Z",
"lastSeen": "2024-12-20T16:02:26.702Z",
"records": [
"string"
]
}
],
"property2": [
{
"policyHostname": "string",
"status": "present",
"statusMessage": "string",
"firstSeen": "2024-12-20T16:02:26.702Z",
"lastSeen": "2024-12-20T16:02:26.702Z",
"records": [
"string"
]
}
]
},
"matchedWildcardHosts": [
"bonn-06.qlued.net",
"www.bonn-06.qlued.net"
],
"ctLogs": [
{
"name": "rocketeer",
"log": "ct.googleapis.com/rocketeer",
"timestamp": 1533791245857,
"index": 232455,
"type": "cert",
"sources": [
"log",
"tls"
]
}
]
}
}
Properties
Name | Type | Description |
---|---|---|
certDiscovery* | CertDiscovery | Contains complete information about a certificate discovered in one of the monitored CT logs. |
UpdateNetworkRangeRequest
{
"label": "DC01 Public",
"description": "Public IP range for London data center",
"scan": true,
"tags": [
"production"
]
}
Update the network range information. You must supply one or more of these values. The range itself can't be changed with this operation. Instead, delete the range and create it again.
Properties
Name | Type | Description |
---|---|---|
label | string | A short label to identify the network range |
description | string | A longer description of the purposes of the network range |
scan | boolean | Whether or not this network should be scanned |
tags | [string] | none |
UpdateIssueRequest
{
"status": "snoozed",
"snoozedUntil": "2022-06-17T00:00:00.000Z"
}
Updates an issue
Properties
Name | Type | Description |
---|---|---|
status | string | Set a new status. |
snoozedUntil | string(date-time) | Set status back to active automatically after this time. |
Enumerated Values
Property | Value |
---|---|
status | active |
status | bogus |
status | ignored |
status | snoozed |
UpdateUserRequest
{
"name": "Bob",
"deleteMfa": true,
"resetPassword": true,
"expirationTime": "2024-12-20T16:02:26.703Z",
"status": "retired",
"role": "observer"
}
Updates attributes for a user. All fields are optional, but at least one field must be provided.
Properties
Name | Type | Description |
---|---|---|
name | string | Change the users name or service account's description |
deleteMfa | boolean | Will delete MFA for a user if it is enabled. Allowing them to log in using only their email address and password. Not for service accounts. |
resetPassword | boolean | Changes the password to a new random one. For service accounts only |
expirationTime | string(date-time) | Update expiration time. For service accounts only |
status | string | Update user status |
role | string | Update user role |
Enumerated Values
Property | Value |
---|---|
status | active |
status | retired |
role | owner |
role | admin |
role | member |
role | observer |
UpdateEventHookRequest
{
"eventTypes": [
"ct.entry"
],
"destination": "https://hardenize.com/webhooks/receive",
"status": "disabled"
}
Provides new field values to update an existing event hook. No fields are required, but you need to provide at least of the supported fields.
Properties
Name | Type | Description |
---|---|---|
eventTypes | [string] | An updated list of event types to send to this event hook. |
destination | string | Event hook destination; for webhooks, this must be a HTTPS URL. |
status | string | New event hook status. |
Enumerated Values
Property | Value |
---|---|
status | enabled |
status | disabled |
status | failed |
UpdateEventHookResponse
{
"eventHook": {
"id": "bfc384726b6447a4b70a171de49e466f",
"hookType": "webhook",
"eventTypes": [
"ct.entry"
],
"status": "enabled",
"destination": "https://hardenize.com/webhooks/receive",
"secret": "3685c06a966e4d0ea625d0b475719661"
}
}
Returned after a successful event hook update operation.
Properties
Name | Type | Description |
---|---|---|
eventHook* | EventHook | Event hook objects contain information pertaining to a destination to which events are delivered (pushed). |
UpdateEventTypeRequest
{
"enabled": true
}
Properties
Name | Type | Description |
---|---|---|
enabled* | boolean | New setting for whether event type is enabled. |
UpdateEventTypeResponse
{
"eventType": {
"name": "ct",
"available": true,
"enabled": true
}
}
Properties
Name | Type | Description |
---|---|---|
eventType* | EventType | Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them. |
UpdateHostDiscoveryResponse
{
"hostDiscovery": {
"discoveryId": 11113,
"autoResolved": false,
"hostname": "www.🔥.hardenize.com",
"discoveredTime": "2024-12-20T16:02:26.703Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"matchInfo": {
"certdno": {
"o": "Cloudflare, Inc."
},
"integration": {
"name": "AWS Production",
"type": "aws",
"ref": "string"
},
"keyword": {
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
},
"mx": {
"mx": "mail.example.com"
},
"nameserver": {
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
},
"rname": {
"email": "postmaster@example.com"
},
"whois": {
"keywords": [
"example.com"
]
}
},
"matchCertDNO": false,
"matchIntegration": true,
"matchKeyword": false,
"matchMx": false,
"matchNameserver": false,
"matchSubdomain": false,
"matchRname": false,
"matchWhois": false,
"resolution": "pending",
"updatedTime": "2024-12-20T16:02:26.704Z"
}
}
Properties
Name | Type | Description |
---|---|---|
hostDiscovery* | HostDiscovery | This object represents our discovery of a host which might be relevant to your organization. |
UpdateHostsChanges
{
"status": "monitored",
"axfr": "enabled",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"algorithm": "HMAC_MD5",
"key": "base64key=",
"name": "thename"
},
"groupOp": "add",
"groups": [
"staging",
"development"
]
}
Properties
Name | Type | Description |
---|---|---|
status | string | Desired host status. |
axfr | string | If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to auto which is a setting that is reserved for a future expansion and currently has the same meaning as disabled. To enable zone transfers, change the value of this field to enabled. |
axfrHost | string | Instead of doing AXFRs from the primary nameserver as per the zones SOA record, use this hostname or IP address instead. Set to a blank string to remove. |
axfrTsig | UpdateHostsChangesAxfrTsig | none |
groupOp | string | This parameter selects one of three operations. The add operation will add the specified groups to the hosts. The remove operation will remove the specified groups from the hosts. The set operation will first remove all existing tags from the hosts, then apply the specified groups. This field is mandatory when at least one group is specified. |
groups | [string] | List of tags that should be used in the requested tag operation. |
Enumerated Values
Property | Value |
---|---|
status | monitored |
status | idle |
status | archived |
axfr | auto |
axfr | enabled |
axfr | disabled |
groupOp | add |
groupOp | remove |
groupOp | set |
UpdateHostDiscoveryRequest
{
"resolution": "own",
"groups": [
"staging",
"development"
]
}
Properties
Name | Type | Description |
---|---|---|
resolution* | string | If set, updates the discoveries resolution. |
groups | [string] | When setting resolution to 'own' hosts are imported. If you also wish them to be added to one or more groups, specify group labels here. Ignored if resolution is not 'own' |
Enumerated Values
Property | Value |
---|---|
resolution | pending |
resolution | own |
resolution | supplier |
resolution | unrelated |
resolution | infringing |
resolution | phishing |
UpdateHostsChangesAxfrTsig
{
"algorithm": "HMAC_MD5",
"key": "base64key=",
"name": "thename"
}
Properties
Name | Type | Description |
---|---|---|
algorithm | string | Axfr transfer algorithm |
key | string | Axfr transfer key |
name | string | Axfr transfer name |
Enumerated Values
Property | Value |
---|---|
algorithm | HMAC_MD5 |
algorithm | HMAC_SHA1 |
algorithm | HMAC_SHA224 |
algorithm | HMAC_SHA256 |
algorithm | HMAC_SHA384 |
algorithm | HMAC_SHA512 |
UpdateHostDiscoveriesRequest
{
"ids": [
1
],
"preview": true,
"changes": {
"resolution": "own",
"groups": [
"staging",
"development"
]
}
}
Properties
Name | Type | Description |
---|---|---|
ids* | [integer] | List of discovery ids to update. |
preview | boolean | If set, doesn't carry out the operation, but returns a list of discoveries that would have been affected. Default: false |
changes | UpdateHostDiscoveriesChanges | none |
UpdateHostDiscoveriesResponse
{
"hostDiscoveries": [
{
"discoveryId": 11113,
"autoResolved": false,
"hostname": "www.🔥.hardenize.com",
"discoveredTime": "2024-12-20T16:02:26.704Z",
"origin": "hdb",
"originTitle": "HDB",
"originInfo": {
"net": {
"host": "aspmx.l.google.com",
"address": "2a00:1450:400c:c00:0:0:0:1b",
"port": 25,
"protocol": "smtp"
}
},
"matchInfo": {
"certdno": {
"o": "Cloudflare, Inc."
},
"integration": {
"name": "AWS Production",
"type": "aws",
"ref": "string"
},
"keyword": {
"matches": [
{
"encoding": "ascii",
"keyword": "string",
"matchPosition": "anywhere",
"matchScope": "all",
"search": "bitSquatting"
}
]
},
"mx": {
"mx": "mail.example.com"
},
"nameserver": {
"matches": [
{
"name": "ns1.hardenize.com",
"firstSeen": "2021-09-21T15:32:02.322Z"
}
]
},
"rname": {
"email": "postmaster@example.com"
},
"whois": {
"keywords": [
"example.com"
]
}
},
"matchCertDNO": false,
"matchIntegration": true,
"matchKeyword": false,
"matchMx": false,
"matchNameserver": false,
"matchSubdomain": false,
"matchRname": false,
"matchWhois": false,
"resolution": "pending",
"updatedTime": "2024-12-20T16:02:26.705Z"
}
]
}
Properties
Name | Type | Description |
---|---|---|
hostDiscoveries* | [HostDiscovery] | [This object represents our discovery of a host which might be relevant to your organization.] |
UpdateHostDiscoveriesChanges
{
"resolution": "own",
"groups": [
"staging",
"development"
]
}
Properties
Name | Type | Description |
---|---|---|
resolution | string | If set, updates the discoveries resolution. |
groups | [string] | When setting resolution to 'own' hosts are imported. If you also wish them to be added to one or more groups, specify group labels here. Ignored if resolution is not 'own' |
Enumerated Values
Property | Value |
---|---|
resolution | pending |
resolution | own |
resolution | supplier |
resolution | unrelated |
resolution | infringing |
resolution | phishing |
DeleteHostDiscoveriesRequest
{
"ids": [
1
],
"preview": true
}
Properties
Name | Type | Description |
---|---|---|
ids* | [integer] | List of discovery ids to delete. |
preview | boolean | If set, doesn't carry out the operation, but returns a list of discoveries that would have been affected. Default: false |
DeleteHostDiscoveriesResponse
{
"ids": [
1
],
"preview": true
}
Properties
Name | Type | Description |
---|---|---|
ids* | [integer] | List of affected discovery ids. |
preview* | boolean | Whether or not we ran in preview mode. |
UpdateHostDiscoveryKeywordRequest
{
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
]
}
A keyword used for host discovery.
Properties
Name | Type | Description |
---|---|---|
keyword* | string | The text to match with. Must consist of only lowercase letters, digits, dashes, and periods. It also must contain at least 5 characters and not more than 32. |
enabled* | boolean | Indicates if the keyword is currently active. |
matchScope* | string | Determines what type of results the keyword will look for. |
matchPosition* | string | Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant. |
matchExact* | boolean | If set, enables exact matching. |
matchFuzzy* | boolean | If set, enables fuzzy matching. |
matchConfusables* | boolean | If set, enables matching of confusable characters and homographes. |
exclusions* | [string] | Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored. |
Enumerated Values
Property | Value |
---|---|
matchScope | all |
matchScope | domains |
matchPosition | anywhere |
matchPosition | label, |
matchPosition | labelStart |
matchPosition | labelEnd |
matchPosition | labelStartOrEnd |
UpdateHostDiscoveryKeywordResponse
{
"hostDiscoveryKeyword": {
"keyword": "hard",
"enabled": true,
"matchScope": "all",
"matchPosition": "anywhere",
"matchExact": true,
"matchFuzzy": true,
"matchConfusables": true,
"exclusions": [
"chard"
],
"error": "Disabled due to too many matches: 10000",
"errorTime": "2020-06-12T15:00:00.011Z"
}
}
Properties
Name | Type | Description |
---|---|---|
hostDiscoveryKeyword* | HostDiscoveryKeyword | A keyword used for host discovery. |
UpdateIdentityRequest
{
"enabled": true
}
Properties
Name | Type | Description |
---|---|---|
enabled | boolean | Enable/disable an identity. |
UpdateIdentityResponse
{
"identity": {
"identityId": 11113,
"type": "dns_soa_rname",
"enabled": true,
"identity": "postmaster@example.com",
"createdOn": "2024-12-20T16:02:26.706Z",
"lastSeen": "2024-12-20T16:02:26.706Z",
"lastCheck": "2024-12-20T16:02:26.706Z",
"error": "Not a unique identity.",
"errorTime": "2024-12-20T16:02:26.706Z"
}
}
Properties
Name | Type | Description |
---|---|---|
identity* | Identity | This object represents an identity. |
TlsCheck
{
"request": {
"host": "hardenize.com",
"port": 443,
"location": "london",
"resolverStrategy": "all"
},
"responses": [
{
"endpoint": {
"host": "hardenize.com",
"address": "104.17.158.13",
"port": 443,
"location": "london"
},
"status": "success",
"connections": [
{
"remoteAddress": "104.17.158.13",
"remotePort": 443,
"tls": {
"protocol": "TLSv1.3",
"suite": "TLS_AES_256_GCM_SHA384",
"certificates": [
"65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
"cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
"9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
]
}
}
]
}
],
"certificates": [
{
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"notBefore": "2024-12-20T16:02:26.706Z",
"notAfter": "2024-12-20T16:02:26.706Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "ECDSAwithSHA256",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"pem": "MIIE/zCCBKagAwIBAgIRAKyO7rKU3rBSU7hzFLVhkBUwCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xOTEyMDUwMDAwMDBaFw0yMDA2MTIyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IDADCCAvwwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgIHMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6GmnTohwAAAFu04k42gAABAMASDBGAiEA7A6j9BVR49t+V/hBKDXVPnBaKL+Sn+0Z2x6k0SK9ORACIQDQSiuC8H2gkE6HX5PRsHTVpIyPa5GOzAqWNjfulEanSgB2AF6nc/nfVsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABbtOJOMIAAAQDAEcwRQIgHc5giLeZq2s5miBPoBIOpLkPj/ZbT8qBvlfHWTRIeGMCIQDGIkCl4cRhCMZLU6Tzr+UyMhWDyb0g9s+nRQy5IZlnZjAKBggqhkjOPQQDAgNHADBEAiBl7pvVHNc90aXVpH4zihVzSVkjatXQTCDJX9edBTaO/QIgbacpBSfqazqWakton2I/5/ig2UUgUwty/tozdKLRLTc="
}
]
}
Properties
Name | Type | Description |
---|---|---|
request* | CreateTlsCheckRequest | TLS check parameters. |
responses* | [TlsCheckResponse] | none |
certificates* | [NetworkCertificate] | Certificates observed across all network operations. |
TlsCheckResponse
{
"endpoint": {
"host": "hardenize.com",
"address": "104.17.158.13",
"port": 443,
"location": "london"
},
"status": "success",
"connections": [
{
"remoteAddress": "104.17.158.13",
"remotePort": 443,
"tls": {
"protocol": "TLSv1.3",
"suite": "TLS_AES_256_GCM_SHA384",
"certificates": [
"65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
"cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
"9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
]
}
}
]
}
Properties
Name | Type | Description |
---|---|---|
endpoint | NetworkEndpoint | none |
status | string | none |
connections | [NetworkConnection] | none |
Enumerated Values
Property | Value |
---|---|
status | success |
status | failure |
NetworkCertificate
{
"sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
"subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
"issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"notBefore": "2024-12-20T16:02:26.706Z",
"notAfter": "2024-12-20T16:02:26.707Z",
"keyAlg": "EC",
"keyLen": 256,
"keyStrength": 128,
"sigAlg": "ECDSAwithSHA256",
"spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
"hosts": [
"*.hardenize.com"
],
"pem": "MIIE/zCCBKagAwIBAgIRAKyO7rKU3rBSU7hzFLVhkBUwCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xOTEyMDUwMDAwMDBaFw0yMDA2MTIyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IDADCCAvwwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgIHMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6GmnTohwAAAFu04k42gAABAMASDBGAiEA7A6j9BVR49t+V/hBKDXVPnBaKL+Sn+0Z2x6k0SK9ORACIQDQSiuC8H2gkE6HX5PRsHTVpIyPa5GOzAqWNjfulEanSgB2AF6nc/nfVsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABbtOJOMIAAAQDAEcwRQIgHc5giLeZq2s5miBPoBIOpLkPj/ZbT8qBvlfHWTRIeGMCIQDGIkCl4cRhCMZLU6Tzr+UyMhWDyb0g9s+nRQy5IZlnZjAKBggqhkjOPQQDAgNHADBEAiBl7pvVHNc90aXVpH4zihVzSVkjatXQTCDJX9edBTaO/QIgbacpBSfqazqWakton2I/5/ig2UUgUwty/tozdKLRLTc="
}
Properties
Name | Type | Description |
---|---|---|
sha256* | string | Hex-encoded SHA256 hash of the certificate in DER format. |
subject* | string | Subject distinguished name. |
issuer* | string | Issuer distinguished name. |
serial* | string | Hex-encoded serial number. |
notBefore* | string(date-time) | ISO 8601 timestamp. |
notAfter* | string(date-time) | ISO 8601 timestamp. |
keyAlg* | string | Private key algorithm, for example RSA or EC. |
keyLen* | integer | Private key length, for example 256 for an ECDSA key or 2048 for an RSA key. |
keyStrength* | integer | Estimated private key strength in symmetric bits. For example, a 256-bit ECDSA key is thought to provide 128 bits of security, whereas a 2048-bit RSA key provides about 112. |
sigAlg* | string | Certificate signature algorithm. |
spkiSha256* | string | Hex-encoded SHA256 of the certificate's SPKI component. |
hosts* | [string] | All hosts specified in the certificate's SAN extension, as Unicode. This list includes both hostnames and IP addresses. Wildcard hostnames will be on the list if they are in the certificate. |
pem* | string | none |
Enumerated Values
Property | Value |
---|---|
sigAlg | RSAwithMD2 |
sigAlg | RSAwithMD5 |
sigAlg | RSAwithSHA1 |
sigAlg | RSAwithSHA256 |
sigAlg | RSAwithSHA384 |
sigAlg | RSAwithSHA512 |
sigAlg | RSAPSS |
sigAlg | DSAwithSHA1 |
sigAlg | DSAwithSHA256 |
sigAlg | ECDSAwithSHA1 |
sigAlg | ECDSAwithSHA256 |
sigAlg | ECDSAwithSHA384 |
sigAlg | ECDSAwithSHA512 |
NetworkConnection
{
"remoteAddress": "104.17.158.13",
"remotePort": 443,
"tls": {
"protocol": "TLSv1.3",
"suite": "TLS_AES_256_GCM_SHA384",
"certificates": [
"65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
"cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
"9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
]
}
}
Properties
Name | Type | Description |
---|---|---|
remoteAddress* | string | none |
remotePort* | integer | none |
tls | TlsConnection | none |
TlsConnection
{
"protocol": "TLSv1.3",
"suite": "TLS_AES_256_GCM_SHA384",
"certificates": [
"65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
"cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
"9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
]
}
Properties
Name | Type | Description |
---|---|---|
protocol | string | none |
suite | string | none |
certificates | [string] | none |
Enumerated Values
Property | Value |
---|---|
protocol | TLSv1.3 |
protocol | TLSv1.2 |
protocol | TLSv1.0 |
protocol | SSLv3 |
protocol | SSLv2 |
NetworkEndpoint
{
"host": "hardenize.com",
"address": "104.17.158.13",
"port": 443,
"location": "london"
}
Properties
Name | Type | Description |
---|---|---|
host | string | none |
address | string | none |
port | integer | none |
location | string | none |
TestIntegrationResponse
{
"success": false,
"error": "Failed to authenticate"
}
Properties
Name | Type | Description |
---|---|---|
success* | boolean | Whether or not the test succeeded |
error | string | If the test failed, a suitable error message |
UpdateHostsRequest
{
"hostnames": [
"example.com"
],
"preview": true,
"subdomains": true,
"changes": {
"status": "monitored",
"axfr": "enabled",
"axfrHost": "stealth.ns.example.com",
"axfrTsig": {
"algorithm": "HMAC_MD5",
"key": "base64key=",
"name": "thename"
},
"groupOp": "add",
"groups": [
"staging",
"development"
]
}
}
Properties
Name | Type | Description |
---|---|---|
hostnames* | [string] | List of hosts to update. |
preview | boolean | If set, doesn't carry out the operation, but returns a list of hosts that would have been affected. Default: false |
subdomains | boolean | If set, indicates that the operation should apply to all the subdomains of the specified hosts. Default: false |
changes | UpdateHostsChanges | none |
UpdateHostsResponse
{
"hostnames": [
"example.com"
],
"preview": true
}
Properties
Name | Type | Description |
---|---|---|
hostnames* | [string] | List of hosts that have been updated (or would have been updated, in preview mode). |
preview* | boolean | Indicates if the action was executed or only previewed. |
UpdateAccessControlConfigRequest
{
"apiNetworks": [
"127.0.0.1/32"
],
"apiNetworksCascade": "disabled",
"appNetworks": [
"127.0.0.1/32"
],
"appNetworksCascade": "disabled"
}
All fields are optional. Supply only the fields that need updating.
Properties
Name | Type | Description |
---|---|---|
apiNetworks | [cidr] | List of network address ranges from which access to the API should be allowed. Empty list means no restrictions. |
apiNetworksCascade | string | If set to true, the configured API whitelist is enforced on all child organizations. |
appNetworks | [cidr] | List of network address ranges from which access to the web application should be allowed. Empty list means no restrictions. |
appNetworksCascade | string | If set to true, the configured web application whitelist is enforced on all child organizations. |
Enumerated Values
Property | Value |
---|---|
apiNetworksCascade | disabled |
apiNetworksCascade | enabled |
appNetworksCascade | disabled |
appNetworksCascade | enabled |
UpdateAccessControlConfigResponse
{
"apiNetworks": [
"127.0.0.1/32"
],
"apiNetworksCascade": true,
"appNetworks": [
"127.0.0.1/32"
],
"appNetworksCascade": true
}
Management access restrictions configuration, after the requested changes have been applied.
Properties
Name | Type | Description |
---|---|---|
apiNetworks* | [cidr] | Network address range from which access to the API is allowed. |
apiNetworksCascade* | boolean | Indicator of whether the API network access configuration should cascade to all child organizations. |
appNetworks* | [cidr] | Network address range from which access to the web application is allowed. |
appNetworksCascade* | boolean | Indicator of whether the web application network access configuration should cascade to all child organizations. |
UpdateNetworkScanningConfigRequest
{
"netscanStatic": true,
"netscanDynamic": true,
"monitorCloudIps": true,
"netscanExclusions": [
"127.0.0.1/32"
]
}
All fields are optional. Supply only the fields that need updating.
Properties
Name | Type | Description |
---|---|---|
netscanStatic | boolean | If set to true, scanning of static networks is enabled. For the scanning to take place, individual networks must be explicitly configured for scanning. |
netscanDynamic | boolean | If set to true, scanning of dynamic IP addresses resolved from the organization's hostnames is enabled. |
monitorCloudIps | boolean | If set to true, scanning of IP addresses discovered by cloud integrations is enabled. |
netscanExclusions | [cidr] | Contains a list of network ranges that will be excluded from network scaning. |
UpdateOrgRequest
{
"name": "Hardenize",
"status": "active",
"commercialStatus": "internal",
"generateApiCredentials": false,
"hostDiscoveryAutoimportSubdomains": true,
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostDiscoveryEnabled": true,
"hostDiscoveryLimitHard": 10000,
"hostLimitHard": -1,
"featureHostDiscovery": true,
"featureMfa": false,
"featureSaml": false
}
Properties
Name | Type | Description |
---|---|---|
name | string | Organization name is typically what will be shown in administrative user interfaces. If not provided in the request, the the id parameter will be used as the default value. |
status | string | none |
commercialStatus | string | none |
generateApiCredentials | boolean | If set, creates new master API credentials for the organization. The generated password must be stored by the caller, otherwise it will be lost. |
hostDiscoveryAutoimportSubdomains | boolean | If provided, updates the corresponding organization setting. |
hostDiscoveryExcludeSuffixes | [string] | If provided, this field is a list of domain suffixes that should be ignored during discovery. |
hostDiscoveryEnabled | boolean | If provided, enables or disables host discovery. |
hostDiscoveryLimitHard | integer | If provided, updates the host discovery limit. |
hostLimitHard | integer | If provided, updates the hard host limit. |
featureHostDiscovery | boolean | If provided, updates the corresponding organization setting. The feature must be available in the parent organization to be enabled in a suborg. |
featureMfa | boolean | If set, enables multi-factor authentication (MFA). The feature must be available in the parent organization. Default: false |
featureSaml | boolean | If set, enables SAML. The feature must be available in the parent organization. Default: false |
Enumerated Values
Property | Value |
---|---|
status | active |
status | dormant |
status | suspended |
status | deleted |
commercialStatus | free |
commercialStatus | internal |
commercialStatus | paying |
commercialStatus | trial |
UpdateOrgResponse
{
"suborg": {
"id": "hardenize",
"name": "Hardenize",
"status": "active",
"commercialStatus": "internal",
"apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
"apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
"hostDiscoveryAutoimportSubdomains": true,
"hostDiscoveryEnabled": true,
"hostDiscoveryError": "string",
"hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
"hostDiscoveryExcludeSuffixes": [
"sub.example.com"
],
"hostLimitHard": 10000,
"hostDiscoveryLimitHard": 10000,
"certLimitHard": 75000,
"featureHostDiscovery": false,
"featureMfa": false,
"featureSaml": false
}
}
Properties
Name | Type | Description |
---|---|---|
suborg | Organization | none |
UnpackedCert
{
"label": "www.example.com",
"subject": "CN=www.example.com",
"commonNames": [
"www.example.com"
],
"san": [
"mail.example.com"
],
"ski": "af47cb938e299991ec6538685ec20affbf817b2f",
"issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
"issuer": "Let's Encrypt Authority X3",
"serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
"aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
"notBefore": "2024-12-20T16:02:26.708Z",
"notAfter": "2024-12-20T16:02:26.708Z",
"issuerUrls": [
"http://cert.int-x3.letsencrypt.org/"
],
"crlUrls": [
"http://crl.pki.goog/GTS1O1.crl"
],
"ocspUrls": [
"http://ocsp.pki.goog/gts1o1"
],
"fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
"fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
"keyUsage": [
"keyEncipherment"
],
"extendedKeyUsage": [
"serverAuth"
],
"scts": [
{
"logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
"logName": "DigiCert Yeti2020 Log",
"timestamp": "2024-12-20T16:02:26.708Z"
}
],
"mustStaple": true,
"sigAlg": {
"oid": "1.2.840.113549.1.1.11",
"name": "SHA256withRSA"
},
"subjectKey": {
"algName": "RSA",
"bits": 2048,
"strength": 112,
"spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
},
"ca": true,
"caPathLen": 1
}
Various information parsed from the certificate.
Properties
Name | Type | Description |
---|---|---|
label* | string | Summary of the cert |
subject* | string | Certificate subject Distinguished Name in text format. |
commonNames | [string] | Common names of the certificate |
san | [string] | Hostnames from the SAN field |
ski | string | Subject Key Identifier |
issuerDn* | string | Certificate issuer Distinguished Name in text format. |
issuer* | string | Certificate issuer |
serial* | string | Hex-encoded serial number. |
aki | string | Authority Key Identifier |
notBefore* | string(date-time) | ISO 8601 timestamp. |
notAfter* | string(date-time) | ISO 8601 timestamp. |
issuerUrls | [string] | Issuer URLs |
crlUrls | [string] | Certificate Revocation List URL |
ocspUrls | [string] | OCSP URLs |
fingerprintSha1* | string | SHA1 Fingerprint |
fingerprintSha256* | string | SHA256 Fingerprint |
keyUsage* | [string] | Allowed usages for the cert |
extendedKeyUsage* | [string] | Further allowed usages for the cert |
scts | [UnpackedCertSct] | CT Signed Certificate Timestamps |
mustStaple | boolean | Has the must-staple feature |
sigAlg* | UnpackedCertSigAlg | Signature Algorithm |
subjectKey* | UnpackedCertSubjectKey | Subject Key |
ca | boolean | If this cert is a CA cert |
caPathLen | integer | If CA cert, how deep a certification path may exist through it |
UnpackedCertSct
{
"logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
"logName": "DigiCert Yeti2020 Log",
"timestamp": "2024-12-20T16:02:26.709Z"
}
CT Signed Certificate Timestamp
Properties
Name | Type | Description |
---|---|---|
logId* | string | The log ID |
logName* | string | The name of the log |
timestamp* | string(date-time) | ISO 8601 timestamp. |
UnpackedCertSigAlg
{
"oid": "1.2.840.113549.1.1.11",
"name": "SHA256withRSA"
}
Signature Algorithm
Properties
Name | Type | Description |
---|---|---|
oid* | string | Signature algorithm OID |
name* | string | String representation of signature algorithm |
UnpackedCertSubjectKey
{
"algName": "RSA",
"bits": 2048,
"strength": 112,
"spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
}
Subject Key
Properties
Name | Type | Description |
---|---|---|
algName* | string | none |
bits* | integer | none |
strength* | integer | none |
spkiSha256* | string | none |
GetUserResponse
{
"user": {
"userId": 10001,
"email": "postmaster@example.com",
"name": "Bob",
"status": "active",
"serviceAccount": true,
"expirationTime": "2024-12-20T16:02:26.709Z",
"password": "61cec76600adc8b7aa522a5078f7c837",
"mfaEnabled": false,
"role": "observer"
}
}
Properties
Name | Type | Description |
---|---|---|
user* | User | The User object represents one of your users that are members of the organization. They can be actual users, or service accounts. |
ListUsersResponse
{
"users": [
{
"userId": 10001,
"email": "postmaster@example.com",
"name": "Bob",
"status": "active",
"serviceAccount": true,
"expirationTime": "2024-12-20T16:02:26.709Z",
"password": "61cec76600adc8b7aa522a5078f7c837",
"mfaEnabled": false,
"role": "observer"
}
]
}
Properties
Name | Type | Description |
---|---|---|
users* | [User] | [The User object represents one of your users that are members of the organization. They can be actual users, or service accounts. ] |
CreateServiceAccountRequest
{
"name": "Data fetcher",
"role": "observer",
"expirationTime": "2024-12-20T16:02:26.709Z"
}
Properties
Name | Type | Description |
---|---|---|
name* | string | Name of the service account |
role* | string | Role of the service account |
expirationTime | string(date-time) | Service accounts may have expiration times |
Enumerated Values
Property | Value |
---|---|
role | owner |
role | admin |
role | member |
role | observer |
InviteUserRequest
{
"name": "Bob",
"email": "postmaster@example.com",
"role": "observer"
}
Properties
Name | Type | Description |
---|---|---|
name* | string | The users name |
email* | string | The users email address |
role* | string | The users role |
Enumerated Values
Property | Value |
---|---|
role | owner |
role | admin |
role | member |
role | observer |
User
{
"userId": 10001,
"email": "postmaster@example.com",
"name": "Bob",
"status": "active",
"serviceAccount": true,
"expirationTime": "2024-12-20T16:02:26.709Z",
"password": "61cec76600adc8b7aa522a5078f7c837",
"mfaEnabled": false,
"role": "observer"
}
The User object represents one of your users that are members of the organization. They can be actual users, or service accounts.
Properties
Name | Type | Description |
---|---|---|
userId* | integer | Unique user identifier |
email* | string | The user's email address. In case of service accounts, we generate a special email address on Hardenize's own domain name. |
name* | string | The name of the user or service account. |
status* | string | User status. Normal user accounts begin with invitationSent status, which later changes to active , after the invitation is accepted. If an invitation is cancelled, the user object is deleted. Later on, an account's status may change to retired and possibly back to active . |
serviceAccount* | boolean | Indicates if this user is a service account. |
expirationTime | string(date-time) | Indicates the account's expiration time, if any. |
password | string | When creating service accounts, or resetting their passwords, the auto generated password will be returned in plain text. This is the only time it will be available. |
mfaEnabled | boolean | Whether or not multi-factor authentication is enabled for an account. This field is not present for service accounts, as MFA is not available in that context. |
role* | string | The users role |
Enumerated Values
Property | Value |
---|---|
status | active |
status | retired |
status | invitationSent |
role | owner |
role | admin |
role | member |
role | observer |
CertsStatsResponse
{
"certStats": {
"totals": {
"activeOrNonExpired": 0,
"onlyOwn": 0,
"onlyThirdParty": 0,
"onlyActive": 0
},
"summary": {
"total": 0,
"unique": 0,
"certs": 0,
"precerts": 0,
"duplicates": 0,
"valid": 0,
"notYetValid": 0,
"expired": 0,
"effectivelyExpired": 0,
"revoked": 0,
"revokedNotExpired": 0,
"endEntity": 0,
"ca": 0
},
"thirdParty": {
"total": 0,
"unique": 0,
"endEntity": 0,
"ca": 0
},
"usage": {
"active": 0,
"expired": 0,
"expirationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
}
},
"analysis": {
"issuerCa": {
"property1": 0,
"property2": 0
},
"keyAlg": {
"property1": 0,
"property2": 0
},
"keyAlgLen": {
"property1": 0,
"property2": 0
},
"keyStrength": {
"property1": 0,
"property2": 0
},
"sigAlg": {
"property1": 0,
"property2": 0
},
"validation": {
"property1": 0,
"property2": 0
},
"lifetimes": {
"property1": 0,
"property2": 0
},
"wildcards": 0,
"nonWildcards": 0
},
"activity": {
"issuanceTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
},
"revocationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
},
"expirationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
}
},
"timestamp": "2024-12-20T16:02:26.710Z"
},
"extras": {
"certsDueDays": 0,
"certsOverdueDays": 0,
"certsCriticalDays": 0
}
}
Properties
Name | Type | Description |
---|---|---|
certStats* | CertStats | none |
extras | CertStatsExtras | none |
CertStats
{
"totals": {
"activeOrNonExpired": 0,
"onlyOwn": 0,
"onlyThirdParty": 0,
"onlyActive": 0
},
"summary": {
"total": 0,
"unique": 0,
"certs": 0,
"precerts": 0,
"duplicates": 0,
"valid": 0,
"notYetValid": 0,
"expired": 0,
"effectivelyExpired": 0,
"revoked": 0,
"revokedNotExpired": 0,
"endEntity": 0,
"ca": 0
},
"thirdParty": {
"total": 0,
"unique": 0,
"endEntity": 0,
"ca": 0
},
"usage": {
"active": 0,
"expired": 0,
"expirationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
}
},
"analysis": {
"issuerCa": {
"property1": 0,
"property2": 0
},
"keyAlg": {
"property1": 0,
"property2": 0
},
"keyAlgLen": {
"property1": 0,
"property2": 0
},
"keyStrength": {
"property1": 0,
"property2": 0
},
"sigAlg": {
"property1": 0,
"property2": 0
},
"validation": {
"property1": 0,
"property2": 0
},
"lifetimes": {
"property1": 0,
"property2": 0
},
"wildcards": 0,
"nonWildcards": 0
},
"activity": {
"issuanceTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
},
"revocationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
},
"expirationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
}
},
"timestamp": "2024-12-20T16:02:26.711Z"
}
Properties
Name | Type | Description |
---|---|---|
totals | TotalsStats | none |
summary | SummaryStats | Own certificates statistics. |
thirdParty | ThirdPartyStats | Third-party certificates statistics. |
usage | UsageStats | Usage statistics. |
analysis | AnalysisStats | Certificate corpus analysis. |
activity | ActivityStats | Activity stats. |
timestamp | string(date-time) | Statistics creation time |
TotalsStats
{
"activeOrNonExpired": 0,
"onlyOwn": 0,
"onlyThirdParty": 0,
"onlyActive": 0
}
Properties
Name | Type | Description |
---|---|---|
activeOrNonExpired | integer | Total active or non-expired certificates. |
onlyOwn | integer | Total certificates that are not third-party. |
onlyThirdParty | integer | Total third-party certificates. |
onlyActive | integer | Total active certificates. |
CertStatsExtras
{
"certsDueDays": 0,
"certsOverdueDays": 0,
"certsCriticalDays": 0
}
Properties
Name | Type | Description |
---|---|---|
certsDueDays | integer | none |
certsOverdueDays | integer | none |
certsCriticalDays | integer | none |
SummaryStats
{
"total": 0,
"unique": 0,
"certs": 0,
"precerts": 0,
"duplicates": 0,
"valid": 0,
"notYetValid": 0,
"expired": 0,
"effectivelyExpired": 0,
"revoked": 0,
"revokedNotExpired": 0,
"endEntity": 0,
"ca": 0
}
Own certificates statistics.
Properties
Name | Type | Description |
---|---|---|
total | integer | Total certificate objects. |
unique | integer | Total unique certificate objects. |
certs | integer | Total certificates. |
precerts | integer | Total precertificates. |
duplicates | integer | Total duplicate certificates. |
valid | integer | Total valid non-duplicate certificates. |
notYetValid | integer | Total not yet valid certificates. |
expired | integer | Total expired certificates. |
effectivelyExpired | integer | Total effectively expired certificates. |
revoked | integer | Total revoked certificates. |
revokedNotExpired | integer | Total revoked but not expired certificates. |
endEntity | integer | Total unique leaf certificates. |
ca | integer | Total unique intermediates and roots. |
ThirdPartyStats
{
"total": 0,
"unique": 0,
"endEntity": 0,
"ca": 0
}
Third-party certificates statistics.
Properties
Name | Type | Description |
---|---|---|
total | integer | none |
unique | integer | Total unique certificate objects. |
endEntity | integer | Total unique leaves. |
ca | integer | Total unique intermediates and roots. |
UsageStats
{
"active": 0,
"expired": 0,
"expirationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
}
}
Usage statistics.
Properties
Name | Type | Description |
---|---|---|
active | integer | Total active/installed; may include certificates that are no longer valid. |
expired | integer | Total expired. |
expirationTimelines | Timeline | none |
ActivityStats
{
"issuanceTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
},
"revocationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
},
"expirationTimelines": {
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
}
}
Activity stats.
Properties
Name | Type | Description |
---|---|---|
issuanceTimelines | Timeline | none |
revocationTimelines | Timeline | none |
expirationTimelines | Timeline | none |
AnalysisStats
{
"issuerCa": {
"property1": 0,
"property2": 0
},
"keyAlg": {
"property1": 0,
"property2": 0
},
"keyAlgLen": {
"property1": 0,
"property2": 0
},
"keyStrength": {
"property1": 0,
"property2": 0
},
"sigAlg": {
"property1": 0,
"property2": 0
},
"validation": {
"property1": 0,
"property2": 0
},
"lifetimes": {
"property1": 0,
"property2": 0
},
"wildcards": 0,
"nonWildcards": 0
}
Certificate corpus analysis.
Properties
Name | Type | Description |
---|---|---|
issuerCa | object | CA issuers |
» additionalProperties | integer | none |
keyAlg | object | Private key algorithm |
» additionalProperties | integer | none |
keyAlgLen | object | Private key algorithm with length |
» additionalProperties | integer | none |
keyStrength | object | Private key strength |
» additionalProperties | integer | none |
sigAlg | object | Signature algorithm |
» additionalProperties | integer | none |
validation | object | none |
» additionalProperties | integer | none |
lifetimes | object | Count of the certificates with the same lifetimes |
» additionalProperties | integer | none |
wildcards | integer | Total wildcards |
nonWildcards | integer | Total non-wildcards |
Timeline
{
"days": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"weeks": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
},
"months": {
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
}
Properties
Name | Type | Description |
---|---|---|
days | TimelineData | none |
weeks | TimelineData | none |
months | TimelineData | none |
TimelineData
{
"data": [
{
"offset": 0,
"count": 0
}
],
"firstOffset": 0,
"lastOffset": 0,
"count": 0,
"min": 0,
"max": 0
}
Properties
Name | Type | Description |
---|---|---|
data* | [OffsetCount] | none |
firstOffset* | integer | none |
lastOffset* | integer | none |
count* | integer | none |
min* | integer | none |
max* | integer | none |
OffsetCount
{
"offset": 0,
"count": 0
}
Properties
Name | Type | Description |
---|---|---|
offset* | integer | none |
count* | integer | none |
CreateDashboardResponse
{
"orgDashboardStats": {
"orgId": 0,
"overallSummary": {
"totalHosts": 0,
"dnssecHosts": 0,
"dnssecPresent": 0,
"dnssecNone": 0,
"dnssecUnknown": 0,
"smtpHosts": 0,
"smtpQualityGood": 0,
"smtpQualityWarning": 0,
"smtpQualityError": 0,
"smtpQualityOther": 0,
"smtpStartTlsPresent": 0,
"smtpStartTlsNone": 0,
"smtpStartTlsUnknown": 0,
"smtpSpfPresent": 0,
"smtpSpfNone": 0,
"smtpSpfUnknown": 0,
"smtpDmarcPresent": 0,
"smtpDmarcNone": 0,
"smtpDmarcUnknown": 0,
"smtpDanePresent": 0,
"smtpDaneNone": 0,
"smtpDaneUnknown": 0,
"httpHosts": 0,
"httpsHosts": 0,
"httpsQualityGood": 0,
"httpsQualityWarning": 0,
"httpsQualityError": 0,
"httpsQualityOther": 0,
"httpsHostsPresent": 0,
"httpsHostsNone": 0,
"httpsHostsUnknown": 0,
"httpsRedirectionPresent": 0,
"httpsRedirectionNone": 0,
"httpsRedirectionNotApplicable": 0,
"httpsRedirectionUnknown": 0,
"httpsHstsPresent": 0,
"httpsHstsNone": 0,
"httpsHstsNotApplicable": 0,
"httpsHstsUnknown": 0,
"httpsHstsPreloadedPresent": 0,
"httpsHstsPreloadedNone": 0,
"httpsHstsPreloadedNotApplicable": 0,
"httpsHstsPreloadedUnknown": 0,
"httpsTls13Present": 0,
"httpsTls12Present": 0,
"httpsTls11Present": 0,
"httpsTls10Present": 0,
"httpsSsl3Present": 0,
"httpsSsl2Present": 0,
"httpsPostQuantumEncryption": 0
},
"groups": [
{
"groupId": 0,
"name": "string",
"label": "string",
"auto": true,
"tags": [
"string"
]
}
],
"monitoredHostCount": 0,
"monitoredDomainCount": 0,
"nonArchivedHostCount": 0,
"nonArchivedDomainCount": 0,
"ipCount": 0,
"activeCertCount": 0,
"buildTime": "2019-08-24T14:15:22Z",
"groupSummaries": {
"property1": {
"totalHosts": 0,
"dnssecHosts": 0,
"dnssecPresent": 0,
"dnssecNone": 0,
"dnssecUnknown": 0,
"smtpHosts": 0,
"smtpQualityGood": 0,
"smtpQualityWarning": 0,
"smtpQualityError": 0,
"smtpQualityOther": 0,
"smtpStartTlsPresent": 0,
"smtpStartTlsNone": 0,
"smtpStartTlsUnknown": 0,
"smtpSpfPresent": 0,
"smtpSpfNone": 0,
"smtpSpfUnknown": 0,
"smtpDmarcPresent": 0,
"smtpDmarcNone": 0,
"smtpDmarcUnknown": 0,
"smtpDanePresent": 0,
"smtpDaneNone": 0,
"smtpDaneUnknown": 0,
"httpHosts": 0,
"httpsHosts": 0,
"httpsQualityGood": 0,
"httpsQualityWarning": 0,
"httpsQualityError": 0,
"httpsQualityOther": 0,
"httpsHostsPresent": 0,
"httpsHostsNone": 0,
"httpsHostsUnknown": 0,
"httpsRedirectionPresent": 0,
"httpsRedirectionNone": 0,
"httpsRedirectionNotApplicable": 0,
"httpsRedirectionUnknown": 0,
"httpsHstsPresent": 0,
"httpsHstsNone": 0,
"httpsHstsNotApplicable": 0,
"httpsHstsUnknown": 0,
"httpsHstsPreloadedPresent": 0,
"httpsHstsPreloadedNone": 0,
"httpsHstsPreloadedNotApplicable": 0,
"httpsHstsPreloadedUnknown": 0
},
"property2": {
"totalHosts": 0,
"dnssecHosts": 0,
"dnssecPresent": 0,
"dnssecNone": 0,
"dnssecUnknown": 0,
"smtpHosts": 0,
"smtpQualityGood": 0,
"smtpQualityWarning": 0,
"smtpQualityError": 0,
"smtpQualityOther": 0,
"smtpStartTlsPresent": 0,
"smtpStartTlsNone": 0,
"smtpStartTlsUnknown": 0,
"smtpSpfPresent": 0,
"smtpSpfNone": 0,
"smtpSpfUnknown": 0,
"smtpDmarcPresent": 0,
"smtpDmarcNone": 0,
"smtpDmarcUnknown": 0,
"smtpDanePresent": 0,
"smtpDaneNone": 0,
"smtpDaneUnknown": 0,
"httpHosts": 0,
"httpsHosts": 0,
"httpsQualityGood": 0,
"httpsQualityWarning": 0,
"httpsQualityError": 0,
"httpsQualityOther": 0,
"httpsHostsPresent": 0,
"httpsHostsNone": 0,
"httpsHostsUnknown": 0,
"httpsRedirectionPresent": 0,
"httpsRedirectionNone": 0,
"httpsRedirectionNotApplicable": 0,
"httpsRedirectionUnknown": 0,
"httpsHstsPresent": 0,
"httpsHstsNone": 0,
"httpsHstsNotApplicable": 0,
"httpsHstsUnknown": 0,
"httpsHstsPreloadedPresent": 0,
"httpsHstsPreloadedNone": 0,
"httpsHstsPreloadedNotApplicable": 0,
"httpsHstsPreloadedUnknown": 0
}
}
}
}
Properties
Name | Type | Description |
---|---|---|
orgDashboardStats* | OrgDashboardStats | none |
OrgDashboardStats
{
"orgId": 0,
"overallSummary": {
"totalHosts": 0,
"dnssecHosts": 0,
"dnssecPresent": 0,
"dnssecNone": 0,
"dnssecUnknown": 0,
"smtpHosts": 0,
"smtpQualityGood": 0,
"smtpQualityWarning": 0,
"smtpQualityError": 0,
"smtpQualityOther": 0,
"smtpStartTlsPresent": 0,
"smtpStartTlsNone": 0,
"smtpStartTlsUnknown": 0,
"smtpSpfPresent": 0,
"smtpSpfNone": 0,
"smtpSpfUnknown": 0,
"smtpDmarcPresent": 0,
"smtpDmarcNone": 0,
"smtpDmarcUnknown": 0,
"smtpDanePresent": 0,
"smtpDaneNone": 0,
"smtpDaneUnknown": 0,
"httpHosts": 0,
"httpsHosts": 0,
"httpsQualityGood": 0,
"httpsQualityWarning": 0,
"httpsQualityError": 0,
"httpsQualityOther": 0,
"httpsHostsPresent": 0,
"httpsHostsNone": 0,
"httpsHostsUnknown": 0,
"httpsRedirectionPresent": 0,
"httpsRedirectionNone": 0,
"httpsRedirectionNotApplicable": 0,
"httpsRedirectionUnknown": 0,
"httpsHstsPresent": 0,
"httpsHstsNone": 0,
"httpsHstsNotApplicable": 0,
"httpsHstsUnknown": 0,
"httpsHstsPreloadedPresent": 0,
"httpsHstsPreloadedNone": 0,
"httpsHstsPreloadedNotApplicable": 0,
"httpsHstsPreloadedUnknown": 0,
"httpsTls13Present": 0,
"httpsTls12Present": 0,
"httpsTls11Present": 0,
"httpsTls10Present": 0,
"httpsSsl3Present": 0,
"httpsSsl2Present": 0,
"httpsPostQuantumEncryption": 0
},
"groups": [
{
"groupId": 0,
"name": "string",
"label": "string",
"auto": true,
"tags": [
"string"
]
}
],
"monitoredHostCount": 0,
"monitoredDomainCount": 0,
"nonArchivedHostCount": 0,
"nonArchivedDomainCount": 0,
"ipCount": 0,
"activeCertCount": 0,
"buildTime": "2019-08-24T14:15:22Z",
"groupSummaries": {
"property1": {
"totalHosts": 0,
"dnssecHosts": 0,
"dnssecPresent": 0,
"dnssecNone": 0,
"dnssecUnknown": 0,
"smtpHosts": 0,
"smtpQualityGood": 0,
"smtpQualityWarning": 0,
"smtpQualityError": 0,
"smtpQualityOther": 0,
"smtpStartTlsPresent": 0,
"smtpStartTlsNone": 0,
"smtpStartTlsUnknown": 0,
"smtpSpfPresent": 0,
"smtpSpfNone": 0,
"smtpSpfUnknown": 0,
"smtpDmarcPresent": 0,
"smtpDmarcNone": 0,
"smtpDmarcUnknown": 0,
"smtpDanePresent": 0,
"smtpDaneNone": 0,
"smtpDaneUnknown": 0,
"httpHosts": 0,
"httpsHosts": 0,
"httpsQualityGood": 0,
"httpsQualityWarning": 0,
"httpsQualityError": 0,
"httpsQualityOther": 0,
"httpsHostsPresent": 0,
"httpsHostsNone": 0,
"httpsHostsUnknown": 0,
"httpsRedirectionPresent": 0,
"httpsRedirectionNone": 0,
"httpsRedirectionNotApplicable": 0,
"httpsRedirectionUnknown": 0,
"httpsHstsPresent": 0,
"httpsHstsNone": 0,
"httpsHstsNotApplicable": 0,
"httpsHstsUnknown": 0,
"httpsHstsPreloadedPresent": 0,
"httpsHstsPreloadedNone": 0,
"httpsHstsPreloadedNotApplicable": 0,
"httpsHstsPreloadedUnknown": 0
},
"property2": {
"totalHosts": 0,
"dnssecHosts": 0,
"dnssecPresent": 0,
"dnssecNone": 0,
"dnssecUnknown": 0,
"smtpHosts": 0,
"smtpQualityGood": 0,
"smtpQualityWarning": 0,
"smtpQualityError": 0,
"smtpQualityOther": 0,
"smtpStartTlsPresent": 0,
"smtpStartTlsNone": 0,
"smtpStartTlsUnknown": 0,
"smtpSpfPresent": 0,
"smtpSpfNone": 0,
"smtpSpfUnknown": 0,
"smtpDmarcPresent": 0,
"smtpDmarcNone": 0,
"smtpDmarcUnknown": 0,
"smtpDanePresent": 0,
"smtpDaneNone": 0,
"smtpDaneUnknown": 0,
"httpHosts": 0,
"httpsHosts": 0,
"httpsQualityGood": 0,
"httpsQualityWarning": 0,
"httpsQualityError": 0,
"httpsQualityOther": 0,
"httpsHostsPresent": 0,
"httpsHostsNone": 0,
"httpsHostsUnknown": 0,
"httpsRedirectionPresent": 0,
"httpsRedirectionNone": 0,
"httpsRedirectionNotApplicable": 0,
"httpsRedirectionUnknown": 0,
"httpsHstsPresent": 0,
"httpsHstsNone": 0,
"httpsHstsNotApplicable": 0,
"httpsHstsUnknown": 0,
"httpsHstsPreloadedPresent": 0,
"httpsHstsPreloadedNone": 0,
"httpsHstsPreloadedNotApplicable": 0,
"httpsHstsPreloadedUnknown": 0
}
}
}
Properties
Name | Type | Description |
---|---|---|
orgId | integer | Organization ID |
overallSummary | object | none |
» totalHosts | integer | none |
» dnssecHosts | integer | none |
» dnssecPresent | integer | Hosts that use DNSSEC |
» dnssecNone | integer | Hosts that don't use DNSSEC |
» dnssecUnknown | integer | Hosts whose DNSSEC configuration we weren't able to evaluate reliably |
» smtpHosts | integer | none |
» smtpQualityGood | integer | Hosts that have correct and reasonably secure SMTP configuration |
» smtpQualityWarning | integer | Hosts whose SMTP configuration has small problems or it's missing important features |
» smtpQualityError | integer | Hosts whose SMTP configuration has errors or it's missing critical features |
» smtpQualityOther | integer | Hosts whose SMTP configuration we weren't able to evaluate reliably |
» smtpStartTlsPresent | integer | Hosts that support email encryption via STARTTLS |
» smtpStartTlsNone | integer | Hosts that don't support email encryption via STARTTLS |
» smtpStartTlsUnknown | integer | Hosts whose STARTTLS support we weren't able to evaluate reliably |
» smtpSpfPresent | integer | Hosts that use SPF to control which servers are allowed to send email for them |
» smtpSpfNone | integer | Hosts that don't use SPF to control which servers are allowed to send email for them |
» smtpSpfUnknown | integer | Hosts whose SPF configuration we weren't able to evaluate reliably |
» smtpDmarcPresent | integer | Hosts that have an enforcing DMARC policy |
» smtpDmarcNone | integer | Hosts that don't have an enforcing DMARC policy |
» smtpDmarcUnknown | integer | Hosts whose DMARC configuration we weren't able to evaluate reliably |
» smtpDanePresent | integer | Hosts that use DNSSEC and DANE for SMTP |
» smtpDaneNone | integer | Hosts that don't use DNSSEC and DANE for SMTP |
» smtpDaneUnknown | integer | Hosts whose DNSSEC and DANE configuration we weren't able to evaluate reliably |
» httpHosts | integer | none |
» httpsHosts | integer | none |
» httpsQualityGood | integer | Sites with well-configured HTTPS |
» httpsQualityWarning | integer | Sites whose HTTPS configuration has smaller problems or lacks important features |
» httpsQualityError | integer | Sites whose HTTPS configuration has errors or lacks critical features |
» httpsQualityOther | integer | Sites whose HTTPS configuration we weren't able to evaluate reliably |
» httpsHostsPresent | integer | Sites that deploy HTTPS with a certificate valid for public consumption |
» httpsHostsNone | integer | Sites with HTTP but without HTTPS |
» httpsHostsUnknown | integer | Sites whose HTTP and HTTPS status we weren't able to evaluate reliably |
» httpsRedirectionPresent | integer | Sites that have an unconditional redirection from HTTP to HTTPS |
» httpsRedirectionNone | integer | Sites that don't enforce HTTPS with a redirection |
» httpsRedirectionNotApplicable | integer | Not applicable; these sites don't have HTTPS |
» httpsRedirectionUnknown | integer | Sites whose HTTPS redirection status we weren't able to evaluate reliably |
» httpsHstsPresent | integer | Sites that deploy HTTP Strict Transport Security (HSTS) |
» httpsHstsNone | integer | Sites that don't deploy HTTP Strict Transport Security (HSTS) |
» httpsHstsNotApplicable | integer | Not applicable; these sites don't have HTTPS |
» httpsHstsUnknown | integer | Sites whose HSTS status we weren't able to evaluate reliably |
» httpsHstsPreloadedPresent | integer | Sites that have preloaded (or pending) HSTS |
» httpsHstsPreloadedNone | integer | Sites that don't have preloaded HSTS |
» httpsHstsPreloadedNotApplicable | integer | Not applicable; these sites don't have HTTPS and/or HSTS |
» httpsHstsPreloadedUnknown | integer | Sites whose HSTS preload status we weren't able to evaluate reliably |
» httpsTls13Present | integer | Sites that support TLS 1.3 |
» httpsTls12Present | integer | Sites that support TLS 1.2 |
» httpsTls11Present | integer | Sites that support TLS 1.1 |
» httpsTls10Present | integer | Sites that support TLS 1.0 |
» httpsSsl3Present | integer | Sites that support SSL 3.0 |
» httpsSsl2Present | integer | Sites that support SSL 2.0 |
» httpsPostQuantumEncryption | integer | Sites that support TLS with post-quantum encryption (using X25519MLKEM768 hybrid key exchange). Post-quantum TLS is still in the process of being standardized and deployed. |
groups | [object] | none |
» groupId | integer | none |
» name | string | none |
» label | string | none |
» auto | boolean | none |
» tags | [string] | none |
monitoredHostCount | integer | none |
monitoredDomainCount | integer | none |
nonArchivedHostCount | integer | none |
nonArchivedDomainCount | integer | none |
ipCount | integer | none |
activeCertCount | integer | none |
buildTime | string(date-time) | none |
groupSummaries | object | none |
» additionalProperties | object | none |
»» totalHosts | integer | none |
»» dnssecHosts | integer | none |
»» dnssecPresent | integer | Hosts that use DNSSEC |
»» dnssecNone | integer | Hosts that don't use DNSSEC |
»» dnssecUnknown | integer | Hosts whose DNSSEC configuration we weren't able to evaluate reliably |
»» smtpHosts | integer | none |
»» smtpQualityGood | integer | Hosts that have correct and reasonably secure SMTP configuration |
»» smtpQualityWarning | integer | Hosts whose SMTP configuration has small problems or it's missing important features |
»» smtpQualityError | integer | Hosts whose SMTP configuration has errors or it's missing critical features |
»» smtpQualityOther | integer | Hosts whose SMTP configuration we weren't able to evaluate reliably |
»» smtpStartTlsPresent | integer | Hosts that support email encryption via STARTTLS |
»» smtpStartTlsNone | integer | Hosts that don't support email encryption via STARTTLS |
»» smtpStartTlsUnknown | integer | Hosts whose STARTTLS support we weren't able to evaluate reliably |
»» smtpSpfPresent | integer | Hosts that use SPF to control which servers are allowed to send email for them |
»» smtpSpfNone | integer | Hosts that don't use SPF to control which servers are allowed to send email for them |
»» smtpSpfUnknown | integer | Hosts whose SPF configuration we weren't able to evaluate reliably |
»» smtpDmarcPresent | integer | Hosts that have an enforcing DMARC policy |
»» smtpDmarcNone | integer | Hosts that don't have an enforcing DMARC policy |
»» smtpDmarcUnknown | integer | Hosts whose DMARC configuration we weren't able to evaluate reliably |
»» smtpDanePresent | integer | Hosts that use DNSSEC and DANE for SMTP |
»» smtpDaneNone | integer | Hosts that don't use DNSSEC and DANE for SMTP |
»» smtpDaneUnknown | integer | Hosts whose DNSSEC and DANE configuration we weren't able to evaluate reliably |
»» httpHosts | integer | none |
»» httpsHosts | integer | none |
»» httpsQualityGood | integer | Sites with well-configured HTTPS |
»» httpsQualityWarning | integer | Sites whose HTTPS configuration has smaller problems or lacks important features |
»» httpsQualityError | integer | Sites whose HTTPS configuration has errors or lacks critical features |
»» httpsQualityOther | integer | Sites whose HTTPS configuration we weren't able to evaluate reliably |
»» httpsHostsPresent | integer | Sites that deploy HTTPS with a certificate valid for public consumption |
»» httpsHostsNone | integer | Sites with HTTP but without HTTPS |
»» httpsHostsUnknown | integer | Sites whose HTTP and HTTPS status we weren't able to evaluate reliably |
»» httpsRedirectionPresent | integer | Sites that have an unconditional redirection from HTTP to HTTPS |
»» httpsRedirectionNone | integer | Sites that don't enforce HTTPS with a redirection |
»» httpsRedirectionNotApplicable | integer | Not applicable; these sites don't have HTTPS |
»» httpsRedirectionUnknown | integer | Sites whose HTTPS redirection status we weren't able to evaluate reliably |
»» httpsHstsPresent | integer | Sites that deploy HTTP Strict Transport Security (HSTS) |
»» httpsHstsNone | integer | Sites that don't deploy HTTP Strict Transport Security (HSTS) |
»» httpsHstsNotApplicable | integer | Not applicable; these sites don't have HTTPS |
»» httpsHstsUnknown | integer | Sites whose HSTS status we weren't able to evaluate reliably |
»» httpsHstsPreloadedPresent | integer | Sites that have preloaded (or pending) HSTS |
»» httpsHstsPreloadedNone | integer | Sites that don't have preloaded HSTS |
»» httpsHstsPreloadedNotApplicable | integer | Not applicable; these sites don't have HTTPS and/or HSTS |
»» httpsHstsPreloadedUnknown | integer | Sites whose HSTS preload status we weren't able to evaluate reliably |
AccountStatsResponse
{
"users": {
"active": 7
},
"hosts": {
"total": 8,
"active": 8,
"monitored": 4,
"monitoredWithServices": 3,
"idle": 3,
"archived": 4
},
"certificates": {
"totalCerts": 15,
"duplicateCerts": 8,
"expiredCerts": 0,
"revokedCerts": 8,
"thirdPartyCerts": 13,
"activeCerts": 8
},
"networkEndpoints": {
"total": 8,
"smtp": 8,
"https": 4
},
"ipv6Addresses": {
"total": 0,
"monitored": 0
},
"ipv4Addresses": {
"total": 3,
"monitored": 3
}
}
Properties
Name | Type | Description |
---|---|---|
users | AccountUsersStats | none |
hosts | AccountHostsStats | none |
certificates | AccountCertificatesStats | none |
networkEndpoints | AccountNetworkEndpointsStats | none |
ipv6Addresses | AccountIpv6AddressesStats | none |
ipv4Addresses | AccountIpv4AddressesStats | none |
AccountHostsStats
{
"total": 8,
"active": 8,
"monitored": 4,
"monitoredWithServices": 3,
"idle": 3,
"archived": 4
}
Properties
Name | Type | Description |
---|---|---|
total | integer | none |
active | integer | none |
monitored | integer | none |
monitoredWithServices | integer | none |
idle | integer | none |
archived | integer | none |
AccountCertificatesStats
{
"totalCerts": 15,
"duplicateCerts": 8,
"expiredCerts": 0,
"revokedCerts": 8,
"thirdPartyCerts": 13,
"activeCerts": 8
}
Properties
Name | Type | Description |
---|---|---|
totalCerts | integer | none |
duplicateCerts | integer | none |
expiredCerts | integer | none |
revokedCerts | integer | none |
thirdPartyCerts | integer | none |
activeCerts | integer | none |
AccountUsersStats
{
"active": 7
}
Properties
Name | Type | Description |
---|---|---|
active | integer | none |
AccountNetworkEndpointsStats
{
"total": 8,
"smtp": 8,
"https": 4
}
Properties
Name | Type | Description |
---|---|---|
total | integer | none |
smtp | integer | none |
https | integer | none |
AccountIpv4AddressesStats
{
"total": 3,
"monitored": 3
}
Properties
Name | Type | Description |
---|---|---|
total | integer | none |
monitored | integer | none |
AccountIpv6AddressesStats
{
"total": 0,
"monitored": 0
}
Properties
Name | Type | Description |
---|---|---|
total | integer | none |
monitored | integer | none |