Hardenize Organization API v1.086.2

Scroll down for code samples, example requests and responses. Select a language for code samples from the tabs above or the mobile navigation menu.

Hardenize is a platform for continuous monitoring of network and security configuration. Hardenize supports individual accounts, intended for use by a single person, and organization accounts, which are shared among potentially many individuals. Whereas individual accounts are limited, organization accounts can have access to all Hardenize features. The Organization API, documented here, provides ability to manage and retrieve information from organization accounts.

Overview

Stability and Versioning

We aim to provide a stable API that will not break your code as we make new releases. However, this is a living API, which contains parts that are stable, as well as parts that are still under active development. As you read this documentation and adopt the API features, please observe the provided notices to understand what changes we may make in the future.

By default (in absence of any warnings), the API should be considered stable. That means that the future releases won't introduce incompatible changes. For example, we will not move or remove API endpoints, and we won't otherwise change the API structure. However, we may make forward-compatible changes even to the stable parts of the API to introduce new functionality. This means that we may add new API endpoints, new fields to existing objects, and in some cases even new field values where that makes sense (for some non-critical fields). To ensure that no breakage takes place, please ensure that your code ignores unknown fields and unknown field values in response objects.

Parts of this API that are not stable are marked with Under Development and can change without notice. The lifecycle of an API extension is roughly that we will release new parts early, polish them in response to your feedback, and declare them stable once they're considered mature.

Base Location

This specification shows the API endpoints relative to the API's base location, which is shown below. Before you use the base URL, replace the {org} placeholder with your organization's label:

https://api.hardenize.com/v1/org/{org}/

The organization label is easy to find, just access your account and observe the URL in the browser. It's going to be the last segment of the URL when you navigate to your account's homepage. The URL may be in one of the two following formats:

https://www.hardenize.com/org/feistyduck/
https://app.redsift.cloud/sift/hardenize/org/red-sift-hardenize.feistyduck/

In the first URL, the label is feistyduck. In the second, the label includes prefix and is red-sift-hardenize.feistyduck.

Request Methods

When it comes to how we use HTTP request methods, we try to follow the spirit of the HTTP specification. We use GET for requests that retrieve information without making any changes on the server. We use POST for requests that modify data. We use DELETE when data is being deleted.

Paths

We use path segments to group API endpoints with common functions, or endpoints that manage the same type of entity (e.g., certificates). Wherever possible, we use plural forms, for example hosts and groups.

We also use path segment parameters (Section 3.3 in the URI RFC) for types of requests that don't alter resource state but request an action to be performed. A nice way to think about this model is that some resources have buttons, and that you are able to push these buttons via actions. You could say that these endpoints are controllers, and they're common in RPC-style APIs.

The first action we implemented was for webhook testing; to test a webhook, you first build a path that identifies a specific webhook, then append a path segment parameter to indicate which action to perform. The complete path then looks like this: /eventHooks/b349dd;test. Although path segments are not very commonly seen in practice, we believe they're very well suited for this particular use case.

HTTP Response Codes

HTTP doesn't provide a full range of useful response codes, but we try to use the status code that makes more sense. In most cases you'll only need to differentiate between 2xx (all good), 4xx (your fault), and 5xx (our fault) responses.

200 OK - successful operation; body contains response
201 Created - entity created
202 Accepted - entity exists, but we don't want to raise an error
204 No Content - successful operation; no further information in the body
206 Partial Content - partial resource delivered as requested
303 See Other - operation results not yet available
400 Bad Request - invalid request (your fault); body contains error messages
401 Not Authenticated - credentials not provided or invalid
403 Forbidden - you are not authorized to perform action
404 Not Found - entity not found or invalid URL
405 Method Not Allowed - endpoint doesn't support the attempted request method
409 Conflict - conflict with the current state of the target resource
416 Range Not Satisfiable - unable to provide the request range
429 Too Many Requests - too many requests, in succession or at the same time
500 Internal Server Error - request processing failed (our fault)
502 Bad Gateway - API not currently available, for example down for maintenance
503 Service Unavailable - Unable to respond, possibly due to being overloaded

MIME Types

Most API endpoints in this specification respond with a JSON object and thus use the application/json MIME type. There are a couple of situations when one endpoint may return different objects depending on context; we use additional MIME types to help you to determine what the responses contain:

Error responses - if an endpoint is unable to complete successfully, its response will use a non-200 status code and include an ErrorResponse object in the body. The application/vnd.hardenize.v1.error-response+json MIME type will be used.
Operation statuses - API endpoints that return operation results may return operation status objects if called too early. When that happens, the response body will include an OperationStatus object and use the application/vnd.hardenize.v1.operation-status+json MIME type.

Errors

If an endpoint fails to complete successfully, the response body may include an ErrorResponse instance with one or more error messages. Messages can be associated with the entire transaction or, optionally, with a specific parameter.

{
  "errors": [
    {
      "message": "Operation failed, but we don't want why."
    },
    {
      "param": "firstName",
      "message": "Invalid field value, please try again."
    }
  ]
}

Error responses use a non-200 status code and the application/vnd.hardenize.v1.error-response+json MIME type.

Request Limits

We enforce API usage limits in order to preserve the integrity of our systems. For example, it's very easy to deploy a faulty client that sends thousands of requests by mistake, and we wish to defend against situations like that. At this time, we have two main mechanisms that can refuse a request. First, we monitor access rate using the token bucket algorithm, and allow approximately one request per second, with an allowance for short-term bursts. Second, we don't allow more than 5 concurrent requests. Both parameters are currently checked on per-organization basis.

Every API response includes a custom X-Request-Allowance header that contains our view of how you're using the API. This is what the output may look like:

r: 57/60 (+1/1s); c: 1/5

The line begins with information about the request rate limits. The first value (57) shows your current request allowance, the second (60) the maximum value. In the brackets, we show that the allowance will be increased (up to the maximum) at the rate of one per second. The second part of the output shows concurrent requests; in this case one of out maximum five.

The best approach would be to limit your client to stay within the allowed limits. Alternatively, if you have a request refused, wait for a full minute, at which point your burst allowance will be fully restored.

Suborganization Request Limits

The standard request limits described in the previous section apply to all organisations, but additional limits apply to suborganizations. In this case, we check the organization limits as well as the limits that apply to all suborganizations under the same parent. There are no default settings for these limits, as different values make sense depending on the number of suborganizations created. If a request is rejected because of the parent restrictions, the X-Parent-Request-Allowance header will be included in the response. This header uses the same format as the X-Request-Allowance response header.

Resource Identifiers

In this API, every resource has an identifier that uniquely identifies within the parent collection. Wherever it makes sense we try to use natural identifiers, for example hostname for host entities. Where that's not possible we use a synthetic identifier and call it id. In this case, treat the identifier as opaque. Despite the fact that the identifier names can vary from entity to entity, they're easy to spot because they're always the first field listed in the documentation.

Data Formats

For dates, we use ISO8601, or, more specifically, the profile specified in RFC 3339, Section 5.6.
We typically use hexadecimal encoding for binary data, except in some cases where there are already well-established standards, for example for certificates, which use base64 encoding.

Pagination

Pagination is typically used with API endpoints that may return large amounts of data, where not all of it might be needed, or at least not straight away. If an endpoint supports pagination, clients can initially read only a portion of the response, then come later for the rest. With this approach, the amount of data that needs to be read is minimized, which reduces network traffic and the response latency of interactive operations. There are other benefits. For example potentially expensive operations are cached and don't have to be repeated. Similarly, the data set remains the same, even if the source of the data changes.

We support pagination by splitting operation results into pages of rows, with clients able to collect one, several, or all pages with a single request. Different API endpoints may differ in what they support, in the sense that some may force pagination and some may not allow it.

Clients should use the Range request header to request only one part of the entire resource. For example, the following will obtain only the first page:

Range: pages=1-1

If the server provided a partial response as requested, it will use the 206 Partial Content status code. In this case, the response will also include the Content-Range header that shows what pages have been provided, as well as indicate the total amount of pages available:

Content-Range: pages 1-1/10

We support only retrieval of a single continuous range of pages. If the server cannot fulfil the request, the 416 Not Satisfiable status code will be provided.

Changelog

v1.086.2 (20 September 2023)

Added HTTP status 409 to the list of possible responses.

v1.086.1 (7 September 2023)

The OpenApi schema was cleaned and various syntax issues were fixed.

v1.086.0 (6 June 2023)

The names of several audit log events have been changed to improve the name consistency. The audit log API may see further changes until we declare it stable.

v1.085.0 (3 April 2023)

Audit log API endpoints are now available in preview. The goal of this initial release is to requested feedback from our customers, helping us finalize the API and the data model. In subsequent releases, we will focus on completing the taxonomy of events.
The HDB and Monitor Network API endpoints have been removed. These two sections were experimental and used only internally within our development team.

v1.084.0 (28 February 2023)

We reviewed our APIs for stability and removed the "Under Development" indicators from a variety sections. There are two section that continue to be under development at this time: Issues and Search.

v1.083.0 (31 January 2023)

Issues: Added new "Update issue" endpoint

v1.082.0 (5 November 2022)

Organizations have been extended to support a separate label field. Labels are used in the user interfaces as well as in the URLs exposed to end users. Previously, organization ID also served as a label. Now it's possible to select a nicer, user friendly, label when an organization is created.

v1.081.0 (29 October 2022)

The Update Organization endpoint has been extended to support modification of organization name.

v1.080.0 (15 September 2022)

New integrations: CSC and Safenames.

v1.079.0 (17 August 2022)

Issues: Renamed fixed status to completed, which is more neutral and can be used in a variety of situations.
Issues: Added a variety of additional statuses, including abandoned, bogus, deprecated, ignored, orphaned, and snoozed.
Issues: New field snoozed_until.
Issues: New fields auto_open and auto_preserved_status.

v1.078.0 (28 July 2022)

Added support for programmatic user management, via the new Users section.
Added support for service accounts, which are special user accounts that can only access the API.
Modified the UpdateUser endpoint to return a User object and the 200 status code instead of 204 previously.
Removed the Findings endpoints as they have been replaced by Issues.

v1.077.0 (30 June 2022)

Extended Issues with the details field. This new field is populated in the Get issue and Transfer issues endpoints and provides additional issue-specific information.

v1.076.0 (23 June 2022)

Added lastRegLookupTime field to Host

v1.075.0 (17 June 2022)

Added Issues section.
Deprecated Findings, which will be removed as soon as all detections are migrated to Issues.

v1.074.0 (27 May 2022)

Added Identities section.

v1.073.0 (25 May 2022)

Added support for zone transfers. Hosts whose names match a DNS zone can be configured to perform a zone transfer once a way, either with the primary indicated in the corresponding SOA record, or with an explicitly configured host. There is also a new endpoint to perform a zone transfer on demand, which is useful for testing or to obtain the zone data as needed.

v1.072.0 (28 April 2022)

Added Findings section.

v1.071.0 (28 March 2022)

Extended the Host object with new fields: regNx, regNxTime, regRegistry, and regPublic.

v1.070.0 (2 March 2022)

New Search API endpoint to give direct access to the search functionality.
Added sanCount field to Certificate.

v1.069.0 (3 November 2021)

Added tags field to the various Integrations end-points.

v1.068.0 (22 September 2021)

Added matchIntegration to HostDiscovery. This field is set to true for all discoveries made via an integration with third-party platforms (e.g., cloud accounts).
Added matchNameserver to HostDiscovery. This field is set to true for discoveries made via nameserver monitoring.
Added matchInfo object to HostDiscovery. This field contains further information that describe the discovery origin, for example the name of the nameserver or integration details.

v1.067.0 (3 July 2021)

Added field hostDiscoveryExcludeSuffixes to Organization. This new field can be used to specify multiple host suffixes that will be ignored during discovery.
Renamed two fields belonging to the Organization object: 1) limitTotalHostsHard is now hostLimitHard; 2) hostsAutoimportSubdomains is now hostDiscoveryAutoimportSubdomains. The old names are no longer documented but will remain supported for at least three months following the update.
New fields related to certificate discovery and limits added to Organization: certLimitHard, certDiscoveryEnabled, certDiscoveryError, and certDiscoveryErrorTime.
New fields related to host discovery limits added to Organization: hostDiscoveryEnabled, hostDiscoveryLimitHard, hostDiscoveryError, and hostDiscoveryErrorTime.

v1.066.0 (12 May 2021)

Complete overhaul of the Nameserver Monitoring section. All endpoints have been reviewed, tweaked, refactored, and documented. New endpoints have been added. This section of the API has progressed from experimental to beta.

v1.065.0 (28 April 2021)

New endpoint Get DigiCert Order is now available to fetch DigiCert order information when there is a configured DigiCert integration.
A new API endpoint was introduced to support uniform fetching of results of asynchronous operations. Prior to this API revision, every operation defined its own results endpoint. The existing endpoints are now deprecated, but will continue to be supported.
The X-Operation-Status-Code status code is now used by Get Response Results to communicate the operation status code, keeping it separate from the status code of the API endpoint itself.
Endpoints that return operation results now use the application/vnd.hardenize.v1.operation-status+json MIME type when an OperationStatus object is in the response body.
The OperationStatus object now includes the contentType field.
Added a new section to better document the MIME types and the format of error responses.

v1.064.0 (17 March 2021)

Added support for third-party integrations. In this first release, we support integration with AWS, Azure, and GCP cloud accounts.

v1.063.0 (18 February 2021)

Added tags to Hosts.
Added tags to Network Ranges.
Extended groups with new endpoints to get and update a group.
Added ability to change group name. Group identifiers are now automatically generated from the names, rather than explicitly specified.
Added support auto groups, which are managed. Unlike groups that are manually maintained, hosts are added to and removed from auto-groups based on the assigned tags. A host that shares a tag with a group will be added to the group. A host that no longer shares any tags with the group will be removed.

v1.062.0 (12 December 2020)

The Host object has been extended with an experimental config property that contains host configuration. We are initially exposing DMARC settings, but will proceed to add all other aspects of host configuraiton.
Added new API endpoints for third party integrations

v1.061.0 (30 November 2020)

Added new API endpoints to deal with SAML configuration.

v1.060.0 (14 November 2020)

Added new API endpoints to support configuring multi-factor configuration.

v1.059.0 (2 September 2020)

Extended the Host Discovery Keywords section to support exact matching

v1.058.0 (24 August 2020)

Added new API endpoints to support configuring network scanning.

v1.057.0 (19 August 2020)

Added new API endpoint to update certificate data. At this time, we support setting of the muted field, which controls if a certificate will be ignored for expiration notification purposes.

v1.056.0 (9 July 2020)

Extended the Host Discovery Keywords section to support fine-grained control over what types of matching should be used on a per-keyword basis.

v1.055.0 (8 July 2020)

Replaced discovered_hostname and effective_hostname fields in the Host Discovery API end-points, with a single hostname field. The Update operation no longer has the ability to change the hostname.

v1.054.0 (12 June 2020)

New API endpoints to support host discovery via nameserver monitoring.

v1.053.0 (27 February 2020)

Extended the API with a new section called "Monitor Network", which provides access to our distributed network of monitors that are available to run various network operations. This initial release includes two API endpoints: one that provides a list of available monitor locations and another to run a TLS check from one of the locations.
Added another layer of request limit allowances that apply to all suborganizations created by the same parent.
Certificates imported from our historical database now set the origin field to hdb (previously ct). This change makes it possible to distinguish certificates observed in real-time from those that are imported.

v1.052.0 (27 January 2020)

Introduced several new API endpoints that provide search capabilities of our database of active (non-expired) public certificates. It is possible to search by hostname (exact match, wildcard certificate match, suffix match), keyword (which covers the Subject DN and SAN fields), SHA256, and SPKI.

v1.050.0 (16 January 2020)

Added support for asynchronous operations. Clients are now able to request operations that will continue to be processed after they disconnect. This feature is typically used with operations that may take a long time and produce a large amount of data.
Added support for result pagination. When an endpoint supports this feature (this will typically be true in the case of operations that may produce large amounts of data), clients can request the partial results, one page at a time.

v1.049.0 (8 January 2020)

Extended the Host object with the groups field, which contains the identifiers of all groups the host belongs to.
Added GetNetworkAccessConfig and UpdateNetworkAccessConfig endpoints that support retrieval and updating of network access restrictions configuration for the API and web UI components.

v1.048.0 (21 November 2019)

Added CreateNetworkRange, DeleteNetworkRange, UpdateNetworkRange and ListNetworkRanges API endpoints.

v1.047.0 (21 October 2019)

Added several fields to the Report0 object to indicate full and partial support for various SSL and TLS protocols. The fields that begin with the word "has" (e.g., hasSsl2) indicate that at least one endpoint behind hostname supports a particular protocol. The fields that begin with the word "supports" (e.g., supportsSsl2) indicate that all endpoints behind hostname support a particular protocol.

v1.046.0 (7 October 2019)

Added field hasHttpsTls12OrBetter to the Report0 object.

v1.045.0 (19 September 2019)

Added DeleteHostDiscoveries API endpoint.

v1.044.0 (18 September 2019)

Added UpdateHostDiscoveries API endpoint.

v1.043.0 (24 July 2019)

Added featureHostDiscovery to suborgs, making it possible to control host discovery on a per-suborg basis.
Changed the default setting of hostsAutoimportSubdomains to false.

v1.042.0 (11 July 2019)

Extended the MatchedCtEntry object by adding the tbsSha256 field.
Extended the pki.cert.new event to always send newly-discovered precertificates, even when their certificate counterparts are already known. With this change consumers have more data and can decide what to keep and what to discard. The semantics of this event effectively haven't changed because any endpoints consuming the events would have had to differentiate between precertidicates and certificates prior to this change.

v1.041.0 (4 July 2019)

Extended the CertCtLog object by adding the type field to indicate CT log entry type (precertificate or certificate).
Extended the Certificate object with issuerCa and validation fields.

v1.040.0 (19 June 2019)

Added parentHashesComplete to the Certificate object. Added new value ctPlusRoot for the parentHashesSource field.

v1.039.0 (13 June 2019)

Two fields added to the Certificate object: parentHashes and parentHashesSource.
The Delete hosts operation no longer automatically removes all subdomains. Instead, only the explicitly-listed hosts are deleted. The new subdomains parameter can be used to enable the previous behaviour.
Deprecated the notSymantec value of the symantecStatus field in the Certificate object. Previously, this field was not provided for CA certificates. Going forward, this field also won't be available on certificates that had not been issued from from Symantec's old infrastructure.

Authentication

HTTP Authentication, scheme: Basic To begin to use the Hardenize Organization API, sign in into your organization and create a new service account, noting the automatically generated credentials. If you're working with suborganizations, request that master API credentials are generated when a new suborganization is created.

Audit Log

Maturity: Under Development

Audit logs represent a record of key events associated with an organization. They're designed to help with gaining and understanding of activity within an organization, document the associated changes and highlight relevant security events.

Please note that, whilst this feature is still in development, we may change the event schema as well as remove all events from time to time if necessary.

List audit events

Code samples

GET /v1/org/{org}/auditlog HTTP/1.1
Host: api.hardenize.com

GET /auditlog

Retrieves the audit events recorded within the requested time frame. This endpoint will change in due course, as this section matures, to add limits, and support for pagination and filtering.

Parameters

Parameter	In	Type	Description
from	query	string(date-time)	Timestamp of the earliest audit event to return, inclusive.
to	query	string(date-time)	Timestamp of the latest audit event to return, inclusive.

Example responses

200 Response

{
  "events": [
    {
      "id": 10001,
      "actorType": "u",
      "actorId": "userId:12090749",
      "actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
      "timestamp": "2018-09-03T14:09:59.000Z",
      "remoteAddr": "18.233.176.231",
      "sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
      "resourceType": "user",
      "resourceId": "12090749",
      "action": "user.auth.succeeded",
      "status": 200,
      "details": {
        "method": "password"
      }
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListAuditEventsResponse

Certificates

The API endpoints in this section allow you to retrieve information about all your certificates, as well as upload your new certificates to us as they become available.

List certificates

Code samples

GET /v1/org/{org}/certs HTTP/1.1
Host: api.hardenize.com

GET /certs

By default, this endpoint returns a list of all your certificates. If you provide one of the optional parameters, only the certificates matching the specified filters will be listed. If you provide multiple parameters, only the certificates matching all the specified filters will be listed.

Parameters

Parameter	In	Type	Description
active	query	boolean	If set, returns only active or inactive certificates
expired	query	boolean	If set, returns only expired or non-expired certificates
expireInDays	query	integer	If set, returns only certificates that have already expired or expire in the specified number of days, according to the effectiveNotAfter timestamp
host	query	string	If set, returns only certificates that are valid for the specified host, either because they contain the exact hostname or because they are wildcards and contain the parent hostname (e.g., a search for blog.example.com will match *.example.com wildcards)
limit	query	integer	If set, returns only up to the specified number of certificates.
newSince	query	string(date-time)	If set, returns only certificates added to the account since the specified date.
spkiSha256	query	string	If set, returns only certificates whose public key (SPKI) matches the provided hash

Example responses

200 Response

{
  "certs": [
    {
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "validation": "dv",
      "notBefore": "2023-09-22T15:34:49.667Z",
      "notAfter": "2023-09-22T15:34:49.667Z",
      "effectiveNotAfter": "2023-09-22T15:34:49.667Z",
      "revokedOn": "2023-09-22T15:34:49.667Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "ECDSAwithSHA256",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "sanCount": 1,
      "caPathLen": -1,
      "wildcard": true,
      "selfSigned": false,
      "firstSeen": "2023-09-22T15:34:49.667Z",
      "lastSeen": "2023-09-22T15:34:49.667Z",
      "seenInstalled": true,
      "active": true,
      "precert": false,
      "duplicate": false,
      "managed": true,
      "ownership": "own",
      "matchesOrgHost": true,
      "symantecStatus": "symantecExcluded",
      "ctRequired": true,
      "ctCompliant": true,
      "ctLogs": [
        {
          "log": "ct.googleapis.com/rocketeer",
          "timestamp": 1533791245857,
          "index": 232455,
          "type": "cert",
          "sources": [
            "log",
            "tls"
          ]
        }
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
      "origin": "ct",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "parentHashes": [
        "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
        "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
      ],
      "parentHashesSource": "ct",
      "parentHashesComplete": true
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListCertsResponse

Create certificate

Code samples

POST /v1/org/{org}/certs HTTP/1.1
Host: api.hardenize.com
Content-Type: application/x-pem-file

POST /certs

Use this API endpoint to upload a new certificate to your account. For example, if you've automated certificate generation, we suggest that you also automatically submit all new certificates to Hardenize. That way, when we observe the same certificate via Certificate Transparency, we will know for sure that it belongs to you. We may be able to determine that in any case if we see that the certificate has been installed, but uploading it to us makes this more reliable.

For best results, we recommend that you upload the entire certificate chain received from your CA. That will ensure we also add the required intermediates to your list of certificates. The leaf certificate must be placed first.

Body parameter

Parameters

Parameter	In	Type	Description
body*	body	string	PEM-encoded certificate or certificate chain. If a chain is provided, the leaf certificate must be placed first.

Example responses

201 Response

{
  "cert": {
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2023-09-22T15:34:49.668Z",
    "notAfter": "2023-09-22T15:34:49.668Z",
    "effectiveNotAfter": "2023-09-22T15:34:49.668Z",
    "revokedOn": "2023-09-22T15:34:49.668Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2023-09-22T15:34:49.668Z",
    "lastSeen": "2023-09-22T15:34:49.668Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true
  }
}

Responses

Status	Meaning	Description	Schema
201	Created	Certificate created.	CreateCertResponse
202	Accepted	Certificate already exists.	CreateCertResponse
400	Bad Request	Invalid certificate chain.	None

List certificates, paginated

Code samples

POST /v1/org/{org}/certs/;listCerts HTTP/1.1
Host: api.hardenize.com

POST /certs/;listCerts

Experimental endpoint: Returns a list of all your certificates.

This endpoint spawns a background operation and returns a tracking ID that should be used to poll operation status to determine when the results become available. Refer to the Asynchronous Operations section for more information.

Successful response data schema: ListCertsResponse

Parameters

Parameter	In	Type	Description
limit	query	integer	If set, returns only up to the specified number of certificates.

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Get certificate

Code samples

GET /v1/org/{org}/certs/{sha256} HTTP/1.1
Host: api.hardenize.com

GET /certs/{sha256}

Returns the certificate with the given SHA256 hash, if available in the account.

Parameters

Parameter	In	Type	Description
sha256*	path	string	none

Example responses

200 Response

{
  "cert": {
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2023-09-22T15:34:49.670Z",
    "notAfter": "2023-09-22T15:34:49.670Z",
    "effectiveNotAfter": "2023-09-22T15:34:49.670Z",
    "revokedOn": "2023-09-22T15:34:49.670Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2023-09-22T15:34:49.670Z",
    "lastSeen": "2023-09-22T15:34:49.670Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Successfully retrieved certificate	GetCertResponse
404	Not Found	Certificate not found	None

Update certificate

Code samples

POST /v1/org/{org}/certs/{sha256} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /certs/{sha256}

Updates the certificate with the given SHA256. Most certificate fields are read-only as they are extracted from certificates themselves. The fields that can be changed are related to how certificates are managed.

Body parameter

{
  "muted": true
}

Parameters

Parameter	In	Type	Description
sha256*	path	string	none
body	body	UpdateCertRequest	none

Example responses

200 Response

{
  "cert": {
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2023-09-22T15:34:49.671Z",
    "notAfter": "2023-09-22T15:34:49.671Z",
    "effectiveNotAfter": "2023-09-22T15:34:49.671Z",
    "revokedOn": "2023-09-22T15:34:49.671Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2023-09-22T15:34:49.671Z",
    "lastSeen": "2023-09-22T15:34:49.671Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Certificate updated	UpdateCertResponse
404	Not Found	Certificate not found	None

Get DigiCert Order

Code samples

GET /v1/org/{org}/certs/{sha256}/digicert/order HTTP/1.1
Host: api.hardenize.com

GET /certs/{sha256}/digicert/order

This endpoint can be used to retrieve a DigiCert Order associated with a certificate, provided there is a working DigiCert CertCentral integration in place. When invoked, we look for the order information using the CertCentral API. If we obtain a response, this endpoint will pass through the results back in its response. The full documentation for the response is available in DigiCert's API documentation.

Please note that, before invoking the CertCentral API, we can't tell if a certificate is the configured DigiCert account. If it's not, you will see a 404 response. We have also noticed that CertCentral sometimes responds with a 503 status code for a certificate that resides in someone else's account. That might happen if you attempt to fetch order information for a managed/third-party certificate issued by DigiCert. We try to detect this case early by checking the certificate before talking to CertCentral.

There is no caching of order information at present, but we anticipate that it will be added in a future release.

Parameters

Parameter	In	Type	Description
sha256*	path	string	none

Responses

Status	Meaning	Description	Schema
200	OK	Order information available	None
400	Bad Request	Invalid request or certificate not applicable	None
404	Not Found	Certificate or order not found	None

Configuration

Endpoints in this section provide access to the configuration of the current organization account, as well as make it possible to make configuration changes.

Get Access Control Configuration

Code samples

GET /v1/org/{org}/config/accessControl HTTP/1.1
Host: api.hardenize.com

GET /config/accessControl

Retrieves the current configuration of network access controls. If there are no allowed network ranges in the configuration, that means that all IP addresses are allowed.

Example responses

200 Response

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

Responses

Status	Meaning	Description	Schema
200	OK	Access Control Configuration	GetAccessControlConfigResponse

Update Access Control Configuration

Code samples

POST /v1/org/{org}/config/accessControl HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/accessControl

Updates the configuration of network access controls. When making changes to the allowed network ranges, please take care to whitelist the IP address from which the request is being made. To allow access from any IP address, submit an empty list. Not all fields need to be provided. Those that are provided will be updated; those that are not will retain their current values.

Body parameter

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

Parameters

Parameter	In	Type	Description
body	body	UpdateAccessControlConfigRequest	none

Example responses

200 Response

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": true,
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": true
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateAccessControlConfigResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation	None

Get MFA Configuration

Code samples

GET /v1/org/{org}/config/mfa HTTP/1.1
Host: api.hardenize.com

GET /config/mfa

Retrieves the current multi-factor authentication (MFA) configuration.

Example responses

200 Response

{
  "mfaRequired": true
}

Responses

Status	Meaning	Description	Schema
200	OK	MFA Configuration	GetMfaConfigResponse

Update MFA Configuration

Code samples

POST /v1/org/{org}/config/mfa HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/mfa

Updates the MFA configuration for this organization.

Body parameter

{
  "mfaRequired": true
}

Parameters

Parameter	In	Type	Description
body	body	UpdateMfaConfigRequest	none

Example responses

200 Response

{
  "mfaRequired": true
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateMfaConfigResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation or MFA not enabled for this organization	None

Get Network Scanning Configuration

Code samples

GET /v1/org/{org}/config/networkScanning HTTP/1.1
Host: api.hardenize.com

GET /config/networkScanning

Retrieves the current network scanning configuration.

Example responses

200 Response

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetNetworkScanningConfigResponse

Update Network Scanning Configuration

Code samples

POST /v1/org/{org}/config/networkScanning HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/networkScanning

Updates the network scanning configuration for this organisation. Not all fields need to be provided. Those that are provided will be updated; those that are not will retain their current values. Because we carry out network scanning as a slow operation stretched over the course of an entire day, it may take up to 24 hours for your changes to become active.

Body parameter

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	UpdateNetworkScanningConfigRequest	none

Example responses

200 Response

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetNetworkScanningConfigResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation	None

Get SAML Configuration

Code samples

GET /v1/org/{org}/config/saml HTTP/1.1
Host: api.hardenize.com

GET /config/saml

Retrieves the current SAML configuration.

Example responses

200 Response

{
  "enabled": true,
  "idpMetadata": "string"
}

Responses

Status	Meaning	Description	Schema
200	OK	SAML Configuration	GetSamlConfigResponse

Update SAML Configuration

Code samples

POST /v1/org/{org}/config/saml HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /config/saml

Updates the SAML configuration for this organization.

Body parameter

{
  "enabled": true,
  "idpMetadata": "string"
}

Parameters

Parameter	In	Type	Description
body	body	UpdateSamlConfigRequest	none

Example responses

200 Response

{
  "enabled": true,
  "idpMetadata": "string"
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateSamlConfigResponse
400	Bad Request	Invalid request parameters	None
403	Forbidden	Insufficient permissions to perform operation or MFA not enabled for this organization	None

DNS

DNS APIs can be used to synchronize your DNS configuration for Hardenize. Our first supported endpoint enables you to upload your DNS zone files, enabling Hardenize to discover new hosts.

Upload DNS zone

Code samples

POST /v1/org/{org}/dns/zones?root=example.com HTTP/1.1
Host: api.hardenize.com
Content-Type: text/plain

POST /dns/zones

Use this endpoint to upload your DNS zone file to Hardenize. The zone file will be parsed to find new hosts, which will then be added to the account.

Body parameter

$ORIGIN example.com.
$TTL 1h
@      IN  SOA   ns.example.com. admin.example.com. ( 2018081601 1d 2h 4w 1h )
@      IN  NS    ns
@      IN  MX    10 mx.example.com.
@      IN  A     192.0.2.1
       IN  AAAA  2001:db8:10::1
ns     IN  A     192.0.2.2
       IN  AAAA  2001:db8:10::2
www    IN  CNAME example.com.
mx     IN  A     192.0.2.3

Parameters

Parameter	In	Type	Description
root*	query	string	The root of the uploaded DNS zone, for example `example.com`.
body*	body	string	DNS zone file

Responses

Status	Meaning	Description	Schema
204	No Content	Zone successfully processed	None

Events

We use events to record various things of interest that happen in your account. For example, if we see a certificate that matches one of your domain names in Certificate Transparency (CT) logs, we can take that CT log entry and store it as an event. In this way, you can periodically retrieve the available events and stay up to date. Events are also used as basis for our event hooks, which provide real-time notifications.

We support the following event types:

Event Type	Description	Event Data
`ct.entry`	One CT log entry matched to the account. The purpose of this event is to enable you to interface directly with the public CT logs while seeing only CT log entries that are relevant to you. One event of this type is generated for every appearance of precertificate and certificate in public CT logs. This usually means that there will be 2-5 events for every precertificate, depending on the certificate validity period. Certificates are also commonly seen in the logs, although that's not guaranteed. In most situations, the `pki.cert.new` is the more appropriate choice of you only care about new issuance events. We collect all information from your CT log entries even if this event is not enabled; within 24 hours of certificate issuance, the aggregated information will be stored in the appropriate Certificate record.	MatchedCtEntry
`pki.cert.new`	New certificate or precertificate added to the account, from any source, including Certificate Transparency, network, or manual upload. The purpose of this event is to enable you to react, in real-time, when a new certificate becomes known. You should be aware that you will get potentially multiple objects for the same issuance. You can check for this using the `tbsSha256` field, which has the same value in the precertificate/certificate combo. This event is generated for own and third-party certificates, including CA certificates. If the latter group is not of interest, check the event data fields to discard them.	Certificate

Event Hooks

You can use event hooks to have your events pushed to you in real-time. We currently support two delivery mechanisms:

PubSub; This event type is based on a message queue and appropriate when the event volume is very high. It's configured manually and enabled on a case-by-case basis.
Webhooks; This is the default event delivery mechanism, where we submit events to a designated web server under your control.

PubSub Event Delivery

PubSub event delivery is a message queue that's implemented on top of Google's PubSub service, which is highly available and stores events for up to 7 days. When we enable this event delivery type, we create one PubSub subscription for the entire account and enable the corresponding hook type. From that point onwards, you can use the API to control exactly which events are delivered to you.

PubSub messages transport event data in the main message body, with the metadata included via the message attributes. PubSub implements at-least-once delivery which means that you may get duplicate events. You can deal with this by designing your processing so that the duplicates don't matter, or by adding a deduplication layer (e.g., based on the unique event identifier). Anothter characteristic of PubSub is that it doesn't guarantee delivery of events in the chronological order. As such, PubSub may not be a good choice when the order matters.

Webhook Event Delivery

This mechanism submits events to an HTTPS endpoint that you control. This endpoint must be able to accept and process POST requests with event information. The events are transported in the request bodies, using the same format as the events obtained when you pull this information via this API.

When you successfully accept an event we send, you must respond with the 204 No Content status code and no data in the response body. We are particular about the response code because we want to be sure the webhook has been processed correctly. Seeing a 200 response is not really a guarantee of that, as it's common to see web servers configured to always respond with 200 status code, even on processing failure.

Generally speaking, it's always helpful to use meaningful status codes as that will help us understand the type of failure and modify our behavior accordingly. For example:

400 Bad Request - our submission is invalid
429 Too Many Requests - we're sending too many requests
500 Internal Server Error - your processing failed
503 Service Unavailable - your service is currently not available

You should enable keep-alives on your server and use a long timeout value so that we can efficiently send you events in bulk.

It is important that you verify that you are receiving webhooks from us, and not from someone else. There are a couple of ways in which this can be achived. First, you could generate a long random string and embed it in the webhook URL, making it difficult for anyone to just guess the destination you're using. Second, you should check the event metadata to ensure that it matches your expectations. The metadata, which is transported in the request headers, includes a signature based on a per-hook secret.

If a webhook fails, we will continue to attempt delivery over the next 24 hours. Overall, we will attempt delivery of every event to you for about 10 times, backing off exponentially from the first attempt. We may disable webhooks that stay broken for an extended period of time.

Event Hook Metadata

We deliver events along with their associated metadata, as follows:

X-Hardenize-Org - contains the organization label, for example demo. This field always contains the absolute organization identifier, meaning in the case of suborganizations it will be in the form of parent.child.
X-Hardenize-EventHookId - contains the unique event hook identifier. Even though the identifier is not security-sensitive as such, it's generated using a strong random number generator and can be used to verify that the traffic is genuinely coming from our systems.
X-Hardenize-Signature - contains signature of the entire event payload, signed using the secret unique to the event hook. This secret is generated randomly when the hook is created.

Event Signatures

We use HMAC-256 to sign a timestamped event body. The X-Hardenize-Signature metadata field will therefore include both the timestamp and the actual signature.

X-Hardenize-Signature: t=1539185809044;
  hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8

To verify the signature, first locate the secret corresponding to the event hoook, using the combination of X-Hardenize-Org and X-Hardenize-EventHookId fields. After that, parse the X-Hardenize-Signature field to extract the timestamp and signature values. To do this, split the value at the semicolon, then extract the key-value pairs. Next, create a new data buffer by appending the timestamp (e.g., 1539185809044), followed by a semicolon (i.e., ;), followed by the verbatim request body. Finally, calculate the HMAC-SHA256 of the data buffer and compare your result with our signature. Please note that our signature is hex-encoded for transport. To do a correct comparison you'll have to either hex-decode it first, or hex-encode your calculation.

If you're worried about replay attacks, you will also need to check that the timestamp doesn't deviate significantly from the time you have. For this to work correctly you need to ensure that you always have the correct time on your server. Additionally, you'll need to be processing the events in near-real time or otherwise account for the processing delay on your end.

If you are unable to validate the event metadata, you must refuse to process the event. If in a webhook, respond with the 400 status code.

Event Collection Best Practices

Even though event hooks are not difficult to set up initially, getting them to work reliably and unattended over an extended period of time will require some effort. Things break. Use event hooks only if there aren't better ways to access the information. For example, if you're interested in the ct.entry and pki.cert.* hooks, consider that we process all the events ourselves, and that information stored in them is always available to you via this API. For example, if you want to keep a copy of all your certificates, it's usually easier to retrieve new and updated certificates daily.

Further, consider these best practices for event hook implementation:

No matter what you plan to do with the event data, the most important task for a hook is to accept the event. If your hook is continuously unable to receive an event, it will eventually be lost. This is true for all delivery mechanisms, although the parameters may differ.
For best results, consider separating event receipt from processing. This is usually best done by acknowledging the event and placing into storage, for some other scheduled task to pick it up on a schedule. (Include authentication in this step.) In this case, even if the processing later fails, you'll still have the event. If you're receiving and processing events at the same time, unchecked processing failures may lead to event loss.

There is greater potential from damage [if your receipt and processing are done at the same time] with PubSub delivery, because your failure to process one event may prevent you from seeing the events that follow it. You can be stuck in a loop where you're continuously trying and failing to process the same event. In this situation, the right strategy is to use a "dead-letter queue" to store the events that have failed.
Even with the above, it's best to use the "belt and braces" approach. Configure and handle hooks when you need to observe events in real-time, but also setup daily tasks to retrieve events directly from us, eliminating duplicates. In this way you will ensure that no events are lost.

List events

Code samples

GET /v1/org/{org}/events HTTP/1.1
Host: api.hardenize.com

GET /events

Lists events available in the account. By default, all events are listed, with the earliest first. Because there is a forced limit of 100 events per invocation, to iterate over more than 100 events you will need to submit multiple requests, remember the timestamp of the last retrieved event, and use it as the since parameter in the subsequent invocation. If you provide one of the optional parameters, only the events matching the specified filters will be listed. If you provide multiple parameters, only the events matching all the specified filters will be listed.

Parameters

Parameter	In	Type	Description
since	query	string(date-time)	Returns only events that ocurred after the supplied time.
type	query	string	Returns only events that match the supplied type.
limit	query	integer	Limits the number of events in the response. The limit can range between 1 and 100. The default is 100.

Example responses

200 Response

{
  "events": [
    {
      "id": 10001,
      "type": "ct",
      "createdOn": "2023-09-22T15:34:49.675Z",
      "apiVersion": "0.14.0",
      "data": "{ \"field\": \"value\" }"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListEventsResponse

Get event

Code samples

GET /v1/org/{org}/events/{id} HTTP/1.1
Host: api.hardenize.com

GET /events/{id}

Returns the event with the specified identifier.

Parameters

Parameter	In	Type	Description
id*	path	integer	Event identifier.

Example responses

200 Response

{
  "event": {
    "id": 10001,
    "type": "ct",
    "createdOn": "2023-09-22T15:34:49.676Z",
    "apiVersion": "0.14.0",
    "data": "{ \"field\": \"value\" }"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetEventResponse
404	Not Found	Event doesn't exist	None

List event destinations

Code samples

GET /v1/org/{org}/eventDestinations HTTP/1.1
Host: api.hardenize.com

GET /eventDestinations

Lists all managed event destinations. Managed destinations are those that we control, for example PubSub topics.

Example responses

200 Response

{
  "eventDestinations": [
    {
      "destinationId": "pubsub://events/1/1005",
      "type": "pubsub",
      "project": "hz-events-pubsub",
      "topic": "projects/hz-events-pubsub/topics/ep-1-1005",
      "subscription": "ep-1-1005",
      "subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListEventDestinationsResponse

List event hooks

Code samples

GET /v1/org/{org}/eventHooks HTTP/1.1
Host: api.hardenize.com

GET /eventHooks

Lists event hooks that are configured in the account.

Example responses

200 Response

{
  "eventHooks": [
    {
      "id": "bfc384726b6447a4b70a171de49e466f",
      "hookType": "webhook",
      "eventTypes": [
        "ct.entry"
      ],
      "status": "enabled",
      "destination": "https://hardenize.com/webhooks/receive",
      "secret": "3685c06a966e4d0ea625d0b475719661"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListEventHooksResponse

Create event hook

Code samples

POST /v1/org/{org}/eventHooks HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /eventHooks

Creates a new event hook. Every new event hook starts off as disabled, which means that it's not going to receive events straight away. The expected workflow is to first create an event hook, configure the receiving end, run tests to ensure correct operation, and then finally enable the hook.

Body parameter

{
  "hookType": "webhook",
  "eventTypes": [
    "ct.entry"
  ],
  "status": "enabled",
  "destination": "https://hardenize.com/webhooks/receive"
}

Parameters

Parameter	In	Type	Description
body	body	CreateEventHookRequest	none

Example responses

200 Response

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Event hook created	CreateEventHookResponse
403	Forbidden	Insufficient permissions to perform operation	None

Delete event hook

Code samples

DELETE /v1/org/{org}/eventHooks/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /eventHooks/{id}

Deletes the event hook with the specified identifier.

Parameters

Parameter	In	Type	Description
id*	path	string	Event hook identifier.

Responses

Status	Meaning	Description	Schema
204	No Content	Event hook deleted	None
403	Forbidden	Insufficient permissions to perform operation	None
404	Not Found	Event hook not found	None

Update event hook

Code samples

POST /v1/org/{org}/eventHooks/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /eventHooks/{id}

Updates the event hook with the specified identifier.

Body parameter

{
  "eventTypes": [
    "ct.entry"
  ],
  "destination": "https://hardenize.com/webhooks/receive",
  "status": "disabled"
}

Parameters

Parameter	In	Type	Description
id*	path	string	Event hook identifier.
body	body	UpdateEventHookRequest	none

Example responses

200 Response

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Event hook updated	UpdateEventHookResponse
403	Forbidden	Insufficient permissions to perform operation	None
404	Not Found	Event hook not found	None

Test event hook

Code samples

POST /v1/org/{org}/eventHooks/{id};test HTTP/1.1
Host: api.hardenize.com

POST /eventHooks/{id};test

Tests the event hook with the specified identifier. By default, we send a test event, but it's possible to request mock events of other types using the eventType parameter. This API endpoint executes synchronously and may take longer than other API calls (especially in case of unresponsive receiving servers).

By default, we submit valid and syntactically events. During the configuration phase, it's useful to test how the receiver behaves with invalid data. We use the invalid parameter for this purpose. Set to any value except none, it instructs the API to intentionally break one element of the submission. In this case, the success criteria also changes. By default, we expect a 204 response, except when we're sending you a broken submission, in which case we expect a 400 in return.

Please note that, when testing deliveries via intermediaries, we're not able to detect processing failures of the final recepient, only of the intermediary. For example, when testing PubSub delivery, this endpoint will return success after successfully publishing to the message queue. Testing with broken events is still useful, but you'll need to detect the failures on the receiving end.

Parameters

Parameter	In	Type	Description
id*	path	string	Event hook identifier.
invalid	query	string	Instructs the API to intentionally break one of the elements of the test submission. Default: `none`
eventType	query	string	Determines the event type that will be sent to the event hook.

Enumerated Values

Parameter	Value
invalid	none
invalid	hookId
invalid	org
invalid	payload
invalid	signature
eventType	ct.entry
eventType	pki.cert.new
eventType	test

Example responses

200 Response

{
  "successful": false,
  "errorMessage": "Expected 202 or 204 status code",
  "durationMillis": 5814,
  "pubsub": {
    "destination": "pubsub://events/1/1005",
    "message": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}",
    "attributes": {
      "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
      "X-Hardenize-Org": "demo",
      "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
    },
    "messageId": "260486610038606"
  },
  "webook": {
    "request": {
      "method": "POST",
      "url": "https://hardenize.com/webhooks/receive",
      "headers": {
        "Content-Type": "application/json; charset=UTF-8",
        "User-Agent": "Hardenize (https://www.hardenize.com)",
        "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
        "X-Hardenize-Org": "demo",
        "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
      },
      "body": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}"
    },
    "response": {
      "statusCode": 302,
      "headers": {
        "Location": "https://hardenize.com/redirection",
        "Cache-Control": "no-cache",
        "Connection": "keep-alive",
        "Content-Type": "text/plain; charset=UTF-8",
        "Date": "Wed, 10 Oct 2018 15:36:54 GMT",
        "Server": "nginx/1.10.3",
        "Transfer-Encoding": "chunked",
        "Vary": "Accept-Encoding"
      },
      "body": "OK"
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Event hook test completed	TestEventHookResponse
403	Forbidden	Insufficient permissions to perform operation	None
404	Not Found	Event hook not found	None

List event types

Code samples

GET /v1/org/{org}/eventTypes HTTP/1.1
Host: api.hardenize.com

GET /eventTypes

Lists all available event types, showing how they're configured for the account.

Example responses

200 Response

{
  "eventTypes": [
    {
      "name": "ct",
      "available": true,
      "enabled": true
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListEventTypesResponse

Update event type

Code samples

POST /v1/org/{org}/eventTypes/{name} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /eventTypes/{name}

Updates one event type, changing the enabled property to the specified value. When an event type is enabled, events of that type will be generated and stored in the database. Associated notifications will be dispatched. This operation will fail if the event type is not available in the account.

Body parameter

{
  "enabled": true
}

Parameters

Parameter	In	Type	Description
name*	path	string	Event type name.
body	body	UpdateEventTypeRequest	none

Example responses

200 Response

{
  "eventType": {
    "name": "ct",
    "available": true,
    "enabled": true
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateEventTypeResponse
403	Forbidden	Not allowed to change status of event that's not available	None
404	Not Found	Event type doesn't exist	None

Groups

We support groups as a general-purpose mechanism for categorization. For example, a host can be assigned zero, one, or more groups.

List groups

Code samples

GET /v1/org/{org}/groups HTTP/1.1
Host: api.hardenize.com

GET /groups

Returns a complete list of all groups used by the organization.

Example responses

200 Response

{
  "groups": [
    {
      "id": "production",
      "name": "Production",
      "auto": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListGroupsResponse

Create group

Code samples

POST /v1/org/{org}/groups HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /groups

Creates a new group. The name you choose should be short (especially if you're planning to assign multiple tags to individual entities) and must not already exist, using case-insensitive comparison.

Body parameter

{
  "name": "Production",
  "auto": true,
  "tags": [
    "production"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	CreateGroupRequest	none

Example responses

201 Response

{
  "group": {
    "id": "production",
    "name": "Production",
    "auto": true,
    "tags": [
      "production"
    ]
  }
}

Responses

Status	Meaning	Description	Schema
201	Created	Group created	CreateGroupResponse
400	Bad Request	Invalid parameters	None

Get group

Code samples

GET /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com

GET /groups/{id}

Retrieves group information.

Parameters

Parameter	In	Type	Description
id*	path	integer	Group identifier.

Responses

Status	Meaning	Description	Schema
200	OK	OK	None
400	Bad Request	Bad Request	None
403	Forbidden	Forbidden	None
404	Not Found	Not found	None

Update group

Code samples

POST /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /groups/{id}

Updates a group.

Body parameter

{
  "tags": [
    "production"
  ]
}

Parameters

Parameter	In	Type	Description
id*	path	integer	Group identifier.
body	body	UpdateGroupRequest	none

Responses

Status	Meaning	Description	Schema
204	No Content	Group updated	None
400	Bad Request	Invalid input	None
403	Forbidden	Forbidden	None
404	Not Found	Group not found	None

Delete group

Code samples

DELETE /v1/org/{org}/groups/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /groups/{id}

Deletes a group. By default, only unused groups can be deleted, but you can specify the force parameter to override this behavior.

Parameters

Parameter	In	Type	Description
id*	path	string	The name of the group to delete.
force	query	boolean	If this parameter is provided and set to true, the specified group will be deleted even if it's still in use.

Responses

Status	Meaning	Description	Schema
204	No Content	Group deleted	None
400	Bad Request	Invalid input	None
403	Forbidden	Forbidden	None
404	Not Found	Group not found	None

Host Discovery

Host discovery is a feature of Hardenize designed to make it easier for organizations to build their host inventories and keep them up to date. Having a good inventory is key to having good visibility, so we aim to automate the maintenance tasks wherever possible. Where full automation is not possible, we do as much work as we can and present the information for manual review.

There are three principal ways in which new hosts are discovered. The first is the use of authoritative sources. For example, new hosts could be added manually (e.g., from a list of organization's domain names) or could be imported via an integration with existing systems (e.g., authoritative name servers). All accounts are initially populated with data in this way.

Once an account is bootstrapped, our automated discovery features kick in. An important source of information is our monitoring of public infrastructure. We maintain both historical databases and also follow new information that appears on the network. We then inspect these sources to import information that's connected to the account. A good example of this approach is import of new certificates via Certificate Transparency monitoring.

Finally, the third approach is the analysis and import from the data obtained from our own active monitoring of the hosts that are already in an account's host inventory. Because in this case we know that we're dealing with the data that belongs to the account owner, we're able to further refine our understanding and apply heuristics to make even more useful conclusions. For example, as we can your web sites we record and extract useful information from them.

How Host Discovery Works

To support host discovery, we monitor all hosts we come across (as part of both public and private monitoring). When we encounter a relevant host, we import it into the account and add it to the list od discovered hosts.

In some cases (e.g., suffix matching), our discovery is 100% accurate, and then we are able to add thew newly discovered host directly to the inventory. When that's not possible, the new host sits on the discovery list until a decision about it can be made.

If a host is not classified as belonging to the organization, the decision about it stays in the account so that it can be reused in the future.

List host discoveries

Code samples

GET /v1/org/{org}/hostDiscoveries HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveries

Returns a list of all host discoveries in the account. Optionally, use one of the supported filtering parameters to retrieve only the discoveries that match specific criteria.

Parameters

Parameter	In	Type	Description
resolution	query	string	If set, returns only the host discoveries with this particular resolution set.
discoveredSince	query	string(date-time)	If set, returns only the hosts discoveries that have happened since the supplied date.
origin	query	string	If set, returns only the host discoveries found with this match location.
limit	query	integer	If set, returns only up to the specified number of hosts.

Enumerated Values

Parameter	Value
resolution	pending
resolution	own
resolution	supplier
resolution	unrelated
resolution	infringing
resolution	phishing
origin	hdb

Example responses

200 Response

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2023-09-22T15:34:49.680Z",
      "origin": "hdb",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2023-09-22T15:34:49.680Z"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListHostDiscoveriesResponse

Get host discovery

Code samples

GET /v1/org/{org}/hostDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveries/{id}

Returns the specified host discovery.

Parameters

Parameter	In	Type	Description
id*	path	integer	The ID of the host discovery to be fetched.

Example responses

200 Response

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2023-09-22T15:34:49.681Z",
    "origin": "hdb",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2023-09-22T15:34:49.681Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetHostDiscoveryResponse
404	Not Found	Host discovery doesn't exist	None

Update host discovery

Code samples

POST /v1/org/{org}/hostDiscoveries/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveries/{id}

Updates the specified host discovery. Setting the effective hostname is optional, but if a value is provided, it must be the same as the discovered hostname or one of its parents, and must not be a TLD (on the public suffix list). E.g if the discovered hostname is "www.test.example.com", you may set the effective hostname to "test.example.com" or "example.com", but not "com" and not "example.org".

When changing the resolution, the resolution of all other discoveries that have a hostname matching the targetted discoveries effective hostname, are also updated.

When changing the resolution to "own", all affected discoveries are imported into your host inventory.

Body parameter

{
  "resolution": "own",
  "groups": [
    "staging",
    "development"
  ]
}

Parameters

Parameter	In	Type	Description
id*	path	integer	The ID of the host discovery to be updated.
body	body	UpdateHostDiscoveryRequest	none

Example responses

200 Response

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2023-09-22T15:34:49.681Z",
    "origin": "hdb",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2023-09-22T15:34:49.681Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateHostDiscoveryResponse
404	Not Found	Host discovery doesn't exist	None

Update host discoveries

Code samples

POST /v1/org/{org}/hostDiscoveries/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveries/*

Updates a list of host discoveries.

When changing the resolution, the resolution of all other discoveries that have a hostname matching the targetted discoveries effective hostname, are also updated.

When changing the resolution to "own", all affected discoveries are imported into your host inventory.

Body parameter

{
  "ids": [
    1
  ],
  "preview": true,
  "changes": {
    "resolution": "own",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Parameters

Parameter	In	Type	Description
body	body	UpdateHostDiscoveriesRequest	none

Example responses

200 Response

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2023-09-22T15:34:49.682Z",
      "origin": "hdb",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2023-09-22T15:34:49.682Z"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateHostDiscoveriesResponse
400	Bad Request	Invalid request	None

Delete host discoveries

Code samples

DELETE /v1/org/{org}/hostDiscoveries/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

DELETE /hostDiscoveries/*

Deletes a list of host discoveries.

Body parameter

{
  "ids": [
    1
  ],
  "preview": true
}

Parameters

Parameter	In	Type	Description
body	body	DeleteHostDiscoveriesRequest	none

Example responses

200 Response

{
  "ids": [
    1
  ],
  "preview": true
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	DeleteHostDiscoveriesResponse
400	Bad Request	Invalid request	None

Host Discovery Nameservers

Nameserver monitoring is one of our favourite discovery techniques. We monitor the world's domain names to determine what nameservers they are delegated to and use that information to build a special discovery database. This subsequently enables us to quickly find all domain names delegated to a particular nameserver.

This discovery technique can be used only with an organization's private DNS nameservers, meaning that they host only domain names that belong to the same organization. They can be managed and provided by a third-party, but the name itself must not be shared.

We like this technique because it requires virtually no effort to identify new domains that belong to the organization. Once the private nameservers are identified, the discoveries happen automatically via continuous monitoring of new domains that appear in the name servers. Further, we help discover the private nameservers by monitoring all nameservers used by an account and looking for ones that appear to be used exclusively by the organization's domain names.

List not-monitored private nameservers

Code samples

GET /v1/org/{org}/hostDiscoveryNameservers/privateNotMonitored HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryNameservers/privateNotMonitored

Returns a list of all private nameservers that are not already monitored. Our ability to discover your private nameservers depends on active monitored of the host inventory. As part of a host assessment, we check the nameservers and store them in the database. This endpoint builds a list of all nameservers we are aware of, keeps only those that are potentially private (based on the hostnames matching), and removes those that are already monitored.

Example responses

200 Response

[
  "example.com"
]

Responses

Status	Meaning	Description	Schema
200	OK	OK	Inline

Response Schema

List host discovery nameservers

Code samples

GET /v1/org/{org}/hostDiscoveryNameservers HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryNameservers

Returns a list of all host discovery nameservers in the account.

Example responses

200 Response

{
  "hostDiscoveryNameservers": [
    {
      "hostname": "ns1.hardenize.com",
      "punyHostname": "ns1.hardenize.com",
      "createdOn": "2020-06-10T15:36:49.044Z",
      "enabled": false,
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListHostDiscoveryNameserversResponse

Create host discovery nameserver

Code samples

POST /v1/org/{org}/hostDiscoveryNameservers HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryNameservers

Creates one or more nameservers to for discovery purposes. Only private nameservers can be added to monitoring. As a way of enforcing this requirement, we check that the nameserver hostname matches a domain name that's in the host inventory. For example, if example.com is an organization domain name, then ns1.example.com nameserver can be added but ns1.example.org cannot.

Public servers must not be submitted for monitoring, even if they're under a domain name that is in the inventory.

Body parameter

{
  "hostnames": [
    "ns1.example.com"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	CreateHostDiscoveryNameserverRequest	none

Example responses

204 Response

{
  "hostDiscoveryKeyword": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
204	No Content	OK	CreateHostDiscoveryNameserverResponse
400	Bad Request	Invalid request	None

Get host discovery nameserver

Code samples

GET /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryNameservers/{hostname}

Retrieves a host discovery nameserver.

Parameters

Parameter	In	Type	Description
hostname*	path	string	A fully-qualified domain name.

Example responses

200 Response

{
  "hostDiscoveryNameserver": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetHostDiscoveryNameserverResponse
404	Not Found	Nameserver not found	None

Update host discovery nameserver

Code samples

POST /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryNameservers/{hostname}

Updates one host discovery nameserver.

Body parameter

{
  "enabled": true
}

Parameters

Parameter	In	Type	Description
hostname*	path	string	A fully-qualified domain name.
body	body	UpdateHostDiscoveryNameserverRequest	none

Example responses

200 Response

{
  "hostDiscoveryNameserver": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Nameserver updated	GetHostDiscoveryNameserverResponse
400	Bad Request	Invalid parameters	None
404	Not Found	Nameserver not found	None

Delete host discovery nameserver

Code samples

DELETE /v1/org/{org}/hostDiscoveryNameservers/{hostname} HTTP/1.1
Host: api.hardenize.com

DELETE /hostDiscoveryNameservers/{hostname}

Deletes a host discovery nameserver.

Parameters

Parameter	In	Type	Description
hostname*	path	string	A fully-qualified domain name.

Responses

Status	Meaning	Description	Schema
204	No Content	Nameserver deleted	None
404	Not Found	Nameserver not found	None

Host Discovery Keywords

Hardenize supports discovery of new hosts based on keyword matching. To support this type of discovery we maintain a database of all domains and subdomains globally. When a keyword is added to an account, we schedule continuous monitoring of this database to discover all hostnames that match it.

Our keyword matching discovery is different from subdomain matching because keywords can match anywhere in the hostname. Additionally, we implement additional advanced matching techniques that look for variations. Our fuzzy matching starts with a keyword and generates many similar phrases using techniques designed to catch, for example, typosquatting. Separately, we have detection of confusables, where we detect phrases that are visually similar or identical to the configured keyword. We detect simple character substitition (e.g., tw1tter instead of twitter), as well as advanced obfuscation attempts using Unicode look-alike characters (also known as homoglyphs or homographs). If you'd like to see some examples, we maintain a public project where we showcase our detection of confusables for some popular keywords.

Using Keyword Discovery

To use keyword discovery, specify one or more keywords, configuring them according to what you wish to be discovered. We recommend that you initially start with stricter keywords, for example only domains that match a keyword exactly. With this approach, you will initially have fewer matches to deal with. As you settle on a discovery review workflow that works for you, you can then then pursue less strict matching, which will generate more useful matches (e.g., entire labels anywhere in the hostname), but is also likely produce false positives.

When a new keyword is added (or a keyword configured), we need to scan our entire database, which is a slow operation. Especially in the case of fuzzy and confusables matching, one keyword may result in hundreds of variations that we search for. The results of the first scan are therefore made available over night. Once that first scan is complete, we continue with real-time monitoring of newly observed domains and subdomains.

Match Limits

Because we have hundreds of millions in our database, keyword matching can result in too many matches when using with a phrase that's not specific enough. In order to deal with this problem, there is a limit to how many matches can be imported at any one time. This limit is designed to kick in when the keyword is used the first time. By default, this limit is set to 10,000 matches. If a keyword reaches this limit, it is disabled with an appropriate error message.

Availability

Keyword discovery features vary across account tiers. If keywords are enabled on an account, there are separate limits for standard and advanced keywords. The advanced keyword allowance can be used to create standard keywords, but the reverse is not possible. Advanced keywords (that support fuzzy matching and confusables) are an add-on and can be added to any package.

List host discovery keywords

Code samples

GET /v1/org/{org}/hostDiscoveryKeywords HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryKeywords

Returns a list of all host discovery keywords in the account.

Example responses

200 Response

{
  "hostDiscoveryKeywords": [
    {
      "keyword": "hard",
      "enabled": true,
      "matchScope": "all",
      "matchPosition": "anywhere",
      "matchExact": true,
      "matchFuzzy": true,
      "matchConfusables": true,
      "exclusions": [
        "chard"
      ],
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListHostDiscoveryKeywordsResponse

Create host discovery keyword

Code samples

POST /v1/org/{org}/hostDiscoveryKeywords HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryKeywords

Creates a new keyword to be used for host discovery. It's important to choose a good keyword that will not produce many false positives. For example, if you specified the word com, we would match on millions of hostnames.

Keyword matching never returns any hostnames that are considered to belong to the account organization. The exclusion happens automatically because those hostnames should have already been added to the account via suffix matching.

Body parameter

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	CreateHostDiscoveryKeywordRequest	none

Example responses

200 Response

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	CreateHostDiscoveryKeywordResponse
400	Bad Request	Invalid request	None

Get host discovery keyword

Code samples

GET /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com

GET /hostDiscoveryKeywords/{keyword}

Retrieves a host discovery keyword.

Parameters

Parameter	In	Type	Description
keyword*	path	string	The name of the keyword to fetch.

Example responses

200 Response

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetHostDiscoveryKeywordResponse
404	Not Found	Keyword not found	None

Update host discovery keyword

Code samples

POST /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hostDiscoveryKeywords/{keyword}

Updates host discovery keyword

Body parameter

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

Parameters

Parameter	In	Type	Description
keyword*	path	string	The name of the keyword to update.
body	body	UpdateHostDiscoveryKeywordRequest	none

Example responses

200 Response

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateHostDiscoveryKeywordResponse
400	Bad Request	Invalid request	None

Delete host discovery keyword

Code samples

DELETE /v1/org/{org}/hostDiscoveryKeywords/{keyword} HTTP/1.1
Host: api.hardenize.com

DELETE /hostDiscoveryKeywords/{keyword}

Deletes a host discovery keyword.

Parameters

Parameter	In	Type	Description
keyword*	path	string	The name of the keyword to delete.

Responses

Status	Meaning	Description	Schema
204	No Content	Keyword deleted	None
404	Not Found	Keyword not found	None

Hosts

Host management, which provides abilities to create and delete your hosts, as well as configure how they're monitored. You are also able to manage how hosts are discovered in this section.

In this section and elsewhere in the API, wherever we accept hostnames, we validate them and perform canonicalization: we convert them to lowercase, and strip the trailing dot if present. This means that the hosts we keep in the database will potentially be different at the character level from the hosts you input. However, they will be semantically the same.

List hosts

Code samples

GET /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com

GET /hosts

Returns a list of all hosts in the account. If you provide one of the optional parameters, only the hosts matching the specified filters will be listed. If you provide multiple parameters, only the certificates matching all the specified filters will be listed.

Parameters

Parameter	In	Type	Description
group	query	string	If set, returns only the hosts that belong to the specified group.
hostname	query	string	If set, returns only the hosts whose names match the parameter. One or more hosts may be returned, depending on whether subdomains are being included.
limit	query	integer	If set, returns only up to the specified number of hosts.
origin	query	string	If set, returns only the hosts whose origin matches the parameter.
status	query	string	If set, returns only the hosts whose statuses match the parameter.
subdomains	query	boolean	If set, extends the host matching to include all subdomains of the specified name. Default: true.

Enumerated Values

Parameter	Value
origin	cert
origin	ct
origin	hdb
origin	manual
status	monitored
status	idle
status	archived

Example responses

200 Response

{
  "hosts": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2023-09-22T15:34:49.687Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2023-09-22T15:34:49.687Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2023-09-22T15:34:49.687Z",
      "lastRegLookupTime": "2023-09-22T15:34:49.687Z",
      "origin": "hdb",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2023-09-22T15:34:49.687Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2023-09-22T15:34:49.687Z",
      "lastAssessmentTime": "2023-09-22T15:34:49.687Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2023-09-22T15:34:49.687Z",
      "groups": [
        "my_group"
      ],
      "tags": [
        "production"
      ],
      "config": {}
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListHostsResponse
400	Bad Request	Invalid request	None

Bulk create hosts

Code samples

POST /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hosts

Adds one or more hosts to the account. No errors will be reported if the list includes one or more hosts that already exist. In that situation, the existing hosts will be treated in the same way as the new hosts when it comes to their status and group membership. New groups are added if required, but existing group memberships won't be affected. If the status field is not provided then the initial host status will be automatically decided following the account rules for newly discovered hosts.

Body parameter

{
  "hostnames": [
    "example.com"
  ],
  "status": "monitored",
  "axfr": "auto",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "name": "thename",
    "algorithm": "HMAC_MD5",
    "key": "base64key="
  },
  "groups": [
    "production"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	CreateHostsRequest	Names of the hosts that are to be created, along with their initial status.

Responses

Status	Meaning	Description	Schema
204	No Content	Hosts added to the account	None
400	Bad Request	Invalid request	None

Bulk delete hosts

Code samples

DELETE /v1/org/{org}/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

DELETE /hosts

Deletes one or more hosts from the account. This operation will delete all the data exclusively associated with the specified hosts, as well as all their history. The subdomains are also deleted if the subdomains option is enabled. Use the delete operation only on the hosts that have been added to your account by mistake, in other words on the hosts that don't belong to you. For hosts that do belong to you but you wish to ignore, set their status to archived. Please note that not all host data may be immediately deleted; for some data that may be shared among different hosts we use reference counting via a garbage collection process that runs from time to time. Role: Admin.

Body parameter

{
  "hostnames": [
    "example.com"
  ],
  "subdomains": true,
  "preview": true
}

Parameters

Parameter	In	Type	Description
body	body	DeleteHostsRequest	none

Example responses

200 Response

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Responses

Status	Meaning	Description	Schema
200	OK	Hosts successfully deleted	DeleteHostsResponse
400	Bad Request	Invalid request	None

Bulk update hosts

Code samples

POST /v1/org/{org}/hosts/* HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /hosts/*

Updates one or more hosts that are already stored in the account.

Body parameter

{
  "hostnames": [
    "example.com"
  ],
  "preview": true,
  "subdomains": true,
  "changes": {
    "status": "monitored",
    "axfr": "enabled",
    "axfrHost": "stealth.ns.example.com",
    "axfrTsig": {
      "algorithm": "HMAC_MD5",
      "key": "base64key=",
      "name": "thename"
    },
    "groupOp": "add",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Parameters

Parameter	In	Type	Description
body	body	UpdateHostsRequest	none

Example responses

200 Response

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Responses

Status	Meaning	Description	Schema
200	OK	Hosts successfully updated	UpdateHostsResponse
400	Bad Request	Invalid request	None

Get host

Code samples

GET /v1/org/{org}/hosts/{hostname} HTTP/1.1
Host: api.hardenize.com

GET /hosts/{hostname}

Returns the host with the specified name.

Parameters

Parameter	In	Type	Description
hostname*	path	string	The name of the host whose data you wish to retrieve.

Example responses

200 Response

{
  "host": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2023-09-22T15:34:49.688Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2023-09-22T15:34:49.688Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2023-09-22T15:34:49.688Z",
      "lastRegLookupTime": "2023-09-22T15:34:49.688Z",
      "origin": "hdb",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2023-09-22T15:34:49.689Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2023-09-22T15:34:49.689Z",
      "lastAssessmentTime": "2023-09-22T15:34:49.689Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2023-09-22T15:34:49.689Z",
      "groups": [
        "my_group"
      ],
      "tags": [
        "production"
      ],
      "config": {}
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetHostResponse
400	Bad Request	Invalid request	None
404	Not Found	Host not found	None

Request zone transfer

Code samples

POST /v1/org/{org}/hosts/{hostname};zoneTransfer HTTP/1.1
Host: api.hardenize.com

POST /hosts/{hostname};zoneTransfer

Asynchronous operation. Requests a zone transfer for this name, using the configured settings. This endpoint is useful if you wish to test if a zone transfer can be succesefully completed, or if you wish to inspect the state of a particular zone in real time.

DNS zone transfers are usually not allowed from public IP addresses. For this reason we perform this type of zone transfer from a separate set static IP addresses, also known as our integrations outbound addresses. You'll find them documented in your Hardenize account. However, even though these IP addresses uniquely identify us, they shouldn't be trusted as such, given that we use them for all our integrations traffic and all our customers.

Successful response data schema: ZoneTransferResponse

Parameters

Parameter	In	Type	Description
hostname*	path	string	The name of the host.

Detailed descriptions

hostname: The name of the host.

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Identities

To find related domain names, we monitor all configuration aspects of your known domain names and hosts to extract your unique identities. With those in hand, we then continuously monitor global databases to discover new domain names associated with those identities.

Identities are automatically discovered, but need to be manually verified and enabled. This is because the process of finding associated domains is not exact. Some identities, although correct, can be considered to be weak because they will result in false positives. For example, an identity digicert may find DigiCert, Inc. but also DigiCert Sdn. Bhd. These are two different companies. At the end of the day, it's up to you to determine if a particular identity is useful. False positives create more work for you because they beed to be manually reviewed and excluded, but sometimes there may not be a better way to discover everything that needs to be discovered.

List identities

Code samples

GET /v1/org/{org}/identities HTTP/1.1
Host: api.hardenize.com

GET /identities

Returns a list of all identities in the account.

Example responses

200 Response

{
  "identities": [
    {
      "identityId": 11113,
      "type": "dns_soa_rname",
      "enabled": true,
      "identity": "postmaster@example.com",
      "createdOn": "2023-09-22T15:34:49.689Z",
      "lastSeen": "2023-09-22T15:34:49.689Z",
      "lastCheck": "2023-09-22T15:34:49.689Z",
      "error": "Not a unique identity.",
      "errorTime": "2023-09-22T15:34:49.689Z"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListIdentitiesResponse

Get identity

Code samples

GET /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com

GET /identities/{id}

Returns the specified identity.

Parameters

Parameter	In	Type	Description
id*	path	integer	The ID of the identity to be fetched.

Example responses

200 Response

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2023-09-22T15:34:49.689Z",
    "lastSeen": "2023-09-22T15:34:49.689Z",
    "lastCheck": "2023-09-22T15:34:49.689Z",
    "error": "Not a unique identity.",
    "errorTime": "2023-09-22T15:34:49.689Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetIdentityResponse
404	Not Found	Identity doesn't exist	None

Update identity

Code samples

POST /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /identities/{id}

Updates the specified identity. The only supported operation is control of whether an identity is enabled, meaning it's actively used to discover associated assets. Only unique identities can be enabled. Normally, only unique identities will be added, but it's possible that an identity is identified as shared after the fact. Such identities will be automatically disabled and should be removed.

Body parameter

{
  "enabled": true
}

Parameters

Parameter	In	Type	Description
id*	path	integer	The ID of the identity to be updated.
body	body	UpdateIdentityRequest	none

Example responses

200 Response

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2023-09-22T15:34:49.690Z",
    "lastSeen": "2023-09-22T15:34:49.690Z",
    "lastCheck": "2023-09-22T15:34:49.690Z",
    "error": "Not a unique identity.",
    "errorTime": "2023-09-22T15:34:49.690Z"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateIdentityResponse
400	Bad Request	Invalid request; details in the response	None
404	Not Found	Identity doesn't exist	None

Delete identity

Code samples

DELETE /v1/org/{org}/identities/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /identities/{id}

Delete an existing identity. This endpoints should be used to remove identities that were mistakenly considered to be unique, after they are reviewed.

Parameters

Parameter	In	Type	Description
id*	path	integer	The ID of the identity to be deleted.

Responses

Status	Meaning	Description	Schema
204	No Content	OK	None
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

Integrations

The API endpoints in this section allow you to configure Hardenize to access information in third party systems that contain information about your infrastructure. For example, if you use AWS Route 53, we can pull information about your registered domains as well as the configured DNS zones.

Different types of integrations require different workflows. For example, some integrations (for example, Azure) require only parameters that can be obtained from the other vendor. In other cases (for example, AWS and GCP) you will need to get some data from us, submit it to the third-party, and finally come back to us again to finalize the integration. Please refer to the documentation for more information.

List integrations

Code samples

GET /v1/org/{org}/integrations HTTP/1.1
Host: api.hardenize.com

GET /integrations

Returns a list of currently configured integrations.

Example responses

200 Response

{
  "integrations": [
    {
      "integrationId": 1,
      "name": "My Test Integration",
      "ref": "348394209898",
      "type": "aws",
      "enabled": true,
      "tags": [
        "production"
      ],
      "error": "Invalid credentials for logging in to integration",
      "errorTime": "2023-09-22T15:34:49.690Z",
      "nextRunTime": "2023-09-22T15:34:49.690Z",
      "lastRunTime": "2023-09-22T15:34:49.690Z",
      "lastRunErrors": [
        "Unable to obtain list of registered domain names."
      ],
      "config": {
        "accountId": "string"
      }
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListIntegrationsResponse
403	Forbidden	Forbidden	None

Create integration

Code samples

POST /v1/org/{org}/integrations HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /integrations

Creates a new integration in your account.

Body parameter

{
  "type": "aws",
  "name": "My Test Integration",
  "ref": "123456789012",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "string"
  }
}

Parameters

Parameter	In	Type	Description
body	body	CreateIntegrationRequest	none

Example responses

200 Response

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2023-09-22T15:34:49.692Z",
    "nextRunTime": "2023-09-22T15:34:49.692Z",
    "lastRunTime": "2023-09-22T15:34:49.692Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	CreateIntegrationResponse
400	Bad Request	Invalid request	None
403	Forbidden	Forbidden	None

Get integration

Code samples

GET /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com

GET /integrations/{integrationId}

Retrieves one integration

Parameters

Parameter	In	Type	Description
integrationId*	path	string	The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Example responses

200 Response

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2023-09-22T15:34:49.692Z",
    "nextRunTime": "2023-09-22T15:34:49.692Z",
    "lastRunTime": "2023-09-22T15:34:49.692Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetIntegrationResponse
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

Update integration

Code samples

POST /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /integrations/{integrationId}

Update an existing integration

Body parameter

{
  "name": "My Test Integration",
  "ref": "348394209898",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "123456789012"
  }
}

Parameters

Parameter	In	Type	Description
body	body	UpdateIntegrationRequest	none
integrationId*	path	string	The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Example responses

200 Response

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2023-09-22T15:34:49.693Z",
    "nextRunTime": "2023-09-22T15:34:49.693Z",
    "lastRunTime": "2023-09-22T15:34:49.693Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateIntegrationResponse
400	Bad Request	Invalid request	None
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

Delete integration

Code samples

DELETE /v1/org/{org}/integrations/{integrationId} HTTP/1.1
Host: api.hardenize.com

DELETE /integrations/{integrationId}

Delete an existing integration.

Parameters

Parameter	In	Type	Description
integrationId*	path	string	The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Responses

Status	Meaning	Description	Schema
204	No Content	OK	None
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

Request integration run

Code samples

POST /v1/org/{org}/integrations/{integrationId};run HTTP/1.1
Host: api.hardenize.com

POST /integrations/{integrationId};run

Request integration to run as soon as possible. This endpoint will scheduled the integration, updating the nextRunTime field. A background process will pick up the change and the integration should run within a few minutes. After the integration has run, the lastRunTime field will be updated.

Parameters

Parameter	In	Type	Description
integrationId*	path	string	The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Responses

Status	Meaning	Description	Schema
204	No Content	OK	None
400	Bad Request	Invalid request (integration disabled)	None
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

Test integration connectivity

Code samples

POST /v1/org/{org}/integrations/{integrationId};test HTTP/1.1
Host: api.hardenize.com

POST /integrations/{integrationId};test

Tests if the integration is correctly configured and we are able to successfully connect to the third-party system. If you're interested in the operation of an integration beyond authentication, use the run option, which will authenticate but also attempt to exercise all the configured functionality.

Parameters

Parameter	In	Type	Description
integrationId*	path	string	The ID of the integration to be used.

Detailed descriptions

integrationId: The ID of the integration to be used.

Example responses

200 Response

{
  "success": false,
  "error": "Failed to authenticate"
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	TestIntegrationResponse
403	Forbidden	Forbidden	None
404	Not Found	Not Found	None

AWS: Setup integrations

Code samples

POST /v1/org/{org}/integrations/aws/;setup HTTP/1.1
Host: api.hardenize.com

POST /integrations/aws/;setup

Prepares your Hardenize account to support AWS integrations and returns the parameters that will need to be used on the AWS side.

Example responses

200 Response

{
  "externalId": "hardenize-1uspdz"
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	SetupAwsIntegrationsResponse
403	Forbidden	Forbidden	None

GCP: Setup integrations

Code samples

POST /v1/org/{org}/integrations/gcp/;setup HTTP/1.1
Host: api.hardenize.com

POST /integrations/gcp/;setup

Prepares your Hardenize account to support GCP integrations and returns the parameters that will need to be used on the GCP side.

Example responses

200 Response

{
  "serviceAccount": "integration-customer-abc123@hardenize-app-production.iam.gserviceaccount.com"
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	SetupGcpIntegrationsResponse
403	Forbidden	Forbidden	None

Issues

Maturity: Under Development

The Issues section, currently in the early stages of development, is where we track problems detected during our monitoring and inspection. At this time, we're creating issues related to DNS configuration, dangling DNS records, and dangling services.

List issues

Code samples

GET /v1/org/{org}/issues HTTP/1.1
Host: api.hardenize.com

GET /issues

Returns a list of issues. This endpoint provides partial issue information intended for lists and summaries. For example, issue details are not returned. Complete issue information can be retrieved by fetching an issue directly or by requesting a bulk transfer.

Parameters

Parameter	In	Type	Description
open	query	boolean	If set, returns only issues that are open or closed as requested.
status	query	string	If set, returns only issues that match the requested status.
updatedSince	query	string(date-time)	If set, returns only issues created or updated since the provided timestamp.

Example responses

200 Response

{
  "issues": [
    {
      "issueId": 10001,
      "revision": 1,
      "definitionId": "DNS1001",
      "subject": "OPAQUE",
      "subjectDomain": "example.com",
      "title": "Dangling Resource Record",
      "category": "DNS",
      "severity": "high",
      "cause": "OPAQUE",
      "causeDomain": "nxdomain.example.com",
      "causeIp": "192.168.1.1",
      "open": true,
      "status": "active",
      "auto": true,
      "autoOpen": true,
      "autoPreservedStatus": "string",
      "createdOn": "2022-06-17T00:00:00Z",
      "lastClosed": "2022-06-17T00:00:00Z",
      "lastUpdated": "2022-06-17T00:00:00Z",
      "lastChecked": "2022-06-17T00:00:00Z",
      "lastConfirmed": "2022-06-17T00:00:00Z",
      "snoozedUntil": "2022-06-17T00:00:00Z",
      "details": {
        "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
        "rrDomain": "example.com",
        "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
        "rrType": "SRV",
        "danglingType": "nxdomain",
        "causeDomain": "nxdomain.example.com"
      }
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListIssuesResponse
400	Bad Request	Invalid request	None
403	Forbidden	Forbidden	None

Transfer issues

Code samples

POST /v1/org/{org}/issues/;transfer HTTP/1.1
Host: api.hardenize.com

POST /issues/;transfer

Initiates an issue transfer, which is an asynchronous operation. This operation is intended for transfer of complete issue information, which may involve a great number of issues as well as large amount of data.

Successful response data schema: ListIssuesResponse

Parameters

Parameter	In	Type	Description
open	query	boolean	If set, returns only issues that are open or closed as requested.
status	query	string	If set, returns only issues that match the requested status.
updatedSince	query	string(date-time)	If set, returns only issues created or updated since the provided timestamp.

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request	None
403	Forbidden	Forbidden	None

Get issue

Code samples

GET /v1/org/{org}/issues/{issueId} HTTP/1.1
Host: api.hardenize.com

GET /issues/{issueId}

Returns the issue that matches the supplied identifier.

Parameters

Parameter	In	Type	Description
issueId*	path	integer	The identifier of the desired issue.

Example responses

200 Response

{
  "integration": {
    "issueId": 10001,
    "revision": 1,
    "definitionId": "DNS1001",
    "subject": "OPAQUE",
    "subjectDomain": "example.com",
    "title": "Dangling Resource Record",
    "category": "DNS",
    "severity": "high",
    "cause": "OPAQUE",
    "causeDomain": "nxdomain.example.com",
    "causeIp": "192.168.1.1",
    "open": true,
    "status": "active",
    "auto": true,
    "autoOpen": true,
    "autoPreservedStatus": "string",
    "createdOn": "2022-06-17T00:00:00Z",
    "lastClosed": "2022-06-17T00:00:00Z",
    "lastUpdated": "2022-06-17T00:00:00Z",
    "lastChecked": "2022-06-17T00:00:00Z",
    "lastConfirmed": "2022-06-17T00:00:00Z",
    "snoozedUntil": "2022-06-17T00:00:00Z",
    "details": {
      "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
      "rrDomain": "example.com",
      "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
      "rrType": "SRV",
      "danglingType": "nxdomain",
      "causeDomain": "nxdomain.example.com"
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetIssueResponse
400	Bad Request	Invalid request	None
404	Not Found	Issue not found	None

Update issue

Code samples

POST /v1/org/{org}/issues/{issueId} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /issues/{issueId}

Updates an issue. At this time we support setting issue status to one of bogus, ignored, or snoozed. Setting status to bogus and ignored causes the issue to be permanently dismissed and thus closed. The use of the snooze status requires that snoozeTimestamp is set.

Body parameter

{
  "status": "snoozed",
  "snoozedUntil": "2022-06-17T00:00:00.000Z"
}

Parameters

Parameter	In	Type	Description
body	body	UpdateIssueRequest	none
issueId*	path	integer	The identifier of the desired issue.

Example responses

200 Response

{
  "integration": {
    "issueId": 10001,
    "revision": 1,
    "definitionId": "DNS1001",
    "subject": "OPAQUE",
    "subjectDomain": "example.com",
    "title": "Dangling Resource Record",
    "category": "DNS",
    "severity": "high",
    "cause": "OPAQUE",
    "causeDomain": "nxdomain.example.com",
    "causeIp": "192.168.1.1",
    "open": true,
    "status": "active",
    "auto": true,
    "autoOpen": true,
    "autoPreservedStatus": "string",
    "createdOn": "2022-06-17T00:00:00Z",
    "lastClosed": "2022-06-17T00:00:00Z",
    "lastUpdated": "2022-06-17T00:00:00Z",
    "lastChecked": "2022-06-17T00:00:00Z",
    "lastConfirmed": "2022-06-17T00:00:00Z",
    "snoozedUntil": "2022-06-17T00:00:00Z",
    "details": {
      "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
      "rrDomain": "example.com",
      "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
      "rrType": "SRV",
      "danglingType": "nxdomain",
      "causeDomain": "nxdomain.example.com"
    }
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetIssueResponse
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
404	Not Found	Issue not found	None

Network Ranges

Add, remove, and update your network ranges. If your organization has access to network scanning in Hardenize, you can also optionally enable scannning for a network range. At this time, scanning is available immediately for IPv4 ranges up to a /22. We manually enable scanning of larger ranges, usually after discussing the requirements with the customer. We don't scan IPv6 ranges.

List network ranges

Code samples

GET /v1/org/{org}/networkRanges HTTP/1.1
Host: api.hardenize.com

GET /networkRanges

Returns all configured network ranges.

Example responses

200 Response

{
  "networkRanges": [
    {
      "label": "DC01 Public",
      "description": "Public IP range for London data center",
      "range": "192.168.1.0/24",
      "scan": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListNetworkRangesResponse

Create network range

Code samples

POST /v1/org/{org}/networkRanges HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /networkRanges

Creates a new network range. The range can not overlap any existing range. The label you choose should be short. "scan" is optional and will only be allowed if your organization has that feature enabled and the range is suitably small: /24 for IPv4 and /128 for IPv6.

Body parameter

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "range": "192.168.1.0/24",
  "scan": true,
  "tags": [
    "production"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	NetworkRange	none

Responses

Status	Meaning	Description	Schema
201	Created	Network range created	None
400	Bad Request	Invalid parameters	None
403	Forbidden	Insufficient permissions to perform operation	None

Delete network range

Code samples

DELETE /v1/org/{org}/networkRanges/{range} HTTP/1.1
Host: api.hardenize.com

DELETE /networkRanges/{range}

Deletes a network range if it exists

Parameters

Parameter	In	Type	Description
range*	path	string	The network range to delete.

Responses

Status	Meaning	Description	Schema
204	No Content	Network range deleted	None
403	Forbidden	Insufficient permissions to perform operation	None
404	Not Found	Network range not found	None

Update network range

Code samples

POST /v1/org/{org}/networkRanges/{range} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /networkRanges/{range}

Update the label/description/scan of a network range

Body parameter

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "scan": true,
  "tags": [
    "production"
  ]
}

Parameters

Parameter	In	Type	Description
range*	path	string	The network range to update.
body	body	UpdateNetworkRangeRequest	none

Responses

Status	Meaning	Description	Schema
204	No Content	Network range updated	None
400	Bad Request	Invalid parameters	None
403	Forbidden	Insufficient permissions to perform operation	None
404	Not Found	Network range not found	None

Operations

For activities that may take a long time, we support asynchronous operations that enable you to submit a request and disconnect while our servers continue to work on the requested task. The documentation for each API endpoint will indicate if asynchronous operation is supported and whether it's required or optional.

When a request to do some work asynchronously is submitted, we respond with the 202 Accepted response, indicating that work is being scheduled but that it is not yet completed. This is in contrast to the standard 200 OK response that you get when a request is immediately completed. When you see a 202 response, the body of the response will include an OperationStatus object that tracks the status of the requested work. For example:

HTTP/1.1 202 Accepted
Content-Type: application/vnd.hardenize.v1.operation-status+json; charset=UTF-8
Location: /v1/org/{org}/operations/6e7b190fa8d4ba14f707

{
    "id": "6e7b190fa8d4ba14f707",
    "done": false,
    "statusCode": 202
}

The best way to think about asynchronous work is that your initial request creates a task which, when complete, produces some results. The task status and its results are two separate resources.

We also provide a set of endpoints that enable you to monitor operation progress. When an operation is created it is assigned a unique identifier, which is part of the operation status. Once you know this identifier you can use it to look up the updated operation status. In addition, the 202 response includes a Location header that contains a link to the operation status.

From this point, the expected workflow is that you will periodically poll the Get Operation endpoint and monitor the value in the done field, which will start as false and change to true when the work is completed. At this point the statusCode field will contain the final value, which should be interpreted as the HTTP status code you would have received had the operation been invoked synchronously. Additionally, the status object main contain further information about the restuls, for example the number of pages and rows per page. For example:

HTTP/1.1 200 OK
Content-Type: application/vnd.hardenize.v1.operation-status+json; charset=UTF-8

{
    "id": "6e7b190fa8d4ba14f707",
    "done": true,
    "statusCode": 200,
    "pages": 100,
    "rows": 99754,
    "rowsPerPage": 1000
}

If the status code is 200 OK, then the operation has been successful and you can retrieve the results with a further GET method to the Get Operation Results endpoint. Depending on the operation, results may be available on failure as well. In that situation, for example, the results may include further error information.

If you attempt to access operation results before they're ready, you will be redirected to the Get Operation endpoint with a 303 See Other response. In this case, the response body will also include the operation status. If you observe a 404 Not Found response, that means that the operation has expired and should be submitted again if desired. The server will make a best-effort attempt to preserve operation results for as long as possible, but the expectation is that the results will be consumed immediately as they become available. In case of partial (paginated) access, it is recommended that the results are collected in under one hour.

Cancel Operation

Code samples

DELETE /v1/org/{org}/operations/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /operations/{id}

Requests cancellation of the operation with the supplied identifier. The server will attempt to carry out the request, but there are no guarantees that the operation will be successful. Clients that request operations that take a long time (and thus probably require significant resources) should always cancel if they give up waiting.

Parameters

Parameter	In	Type	Description
id*	path	string	Operation identifier

Responses

Status	Meaning	Description	Schema
202	Accepted	Cancellation request accepted	None
400	Bad Request	Invalid parameters	None
404	Not Found	Operation not found	None

Get Operation Status

Code samples

GET /v1/org/{org}/operations/{id} HTTP/1.1
Host: api.hardenize.com

GET /operations/{id}

Retrieves the status of the operation with the supplied identifier.

Parameters

Parameter	In	Type	Description
id*	path	string	Operation identifier

Example responses

200 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": true,
  "statusCode": 200,
  "contentType": "application/json; charset=UTF-8",
  "pages": 10,
  "rows": 2494,
  "rowsPerPage": 250
}

Responses

Status	Meaning	Description	Schema
200	OK	Request successful	OperationStatus
400	Bad Request	Invalid parameters	None
404	Not Found	Operation not found	None

Get Operation Results

Code samples

GET /v1/org/{org}/operations/{id}/results HTTP/1.1
Host: api.hardenize.com

GET /operations/{id}/results

Retrieves the results generated by the operation with the supplied identifier. If the operation completed, this endpoint will deliver the same data as if the operation were invoked directly and completed in the same HTTP request. The original operation HTTP status code will be placed in the X-Operation-Status-Code response header. This is done to distinguish failures of the API from operation failures.

If this endpoint is called while the operation is still in progress, this endpoint will respond with the 303 status code and include the operation status information in the response body.

Parameters

Parameter	In	Type	Description
id*	path	string	Operation identifier

Example responses

303 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": true,
  "statusCode": 200,
  "contentType": "application/json; charset=UTF-8",
  "pages": 10,
  "rows": 2494,
  "rowsPerPage": 250
}

Responses

Status	Meaning	Description	Schema
200	OK	Operation results are in the response body	None
206	Partial Content	Partial results are in the response body	None
303	See Other	Operation not yet completed	OperationStatus
400	Bad Request	Invalid request	None
404	Not Found	Operation not found	None

Reports

Maturity: Under Development

In the Report section of the API we provide summaries of the reports done for your monitored hosts. This is the same information that's available in the web application under the Hosts navigation. This section of the API is transient and will be replaced with a more comprehensive implementation in the near future. That's why we have the zero ("0") in the endpoint path.

List reports

Code samples

GET /v1/org/{org}/reports0 HTTP/1.1
Host: api.hardenize.com

GET /reports0

Returns all available reports. If you provide one of the optional parameters, only the reports matching the specified filters will be listed. If you provide multiple parameters, only the reports matching all the specified filters will be listed.

Parameters

Parameter	In	Type	Description
format	query	string	Response format. Default: json.
name	query	string	The name of the host whose report summary you wish to retrieve.
subdomains	query	boolean	If set, extends the host matching to include all subdomains of the specified name. Default: false.
group	query	string	If set, returns only the summaries for hosts that belong to the specified group.

Enumerated Values

Parameter	Value
format	csv
format	json

Example responses

200 Response

{
  "reports": [
    {
      "hostname": "example.com",
      "status": "completed",
      "reportTime": "2018-10-10T15:36:49.044Z",
      "hasDnssec": true,
      "hasSmtp": true,
      "hasSmtpTls": true,
      "hasSmtpDane": true,
      "hasSpf": true,
      "hasDmarc": true,
      "hasHttp": true,
      "hasHttps": true,
      "hasHttpsDane": true,
      "hasHttpsRedirection": true,
      "hasHttpsTls12OrBetter": true,
      "hasSsl2": true,
      "hasSsl3": true,
      "hasTls10": true,
      "hasTls11": true,
      "hasTls12": true,
      "hasTls13": true,
      "supportsSsl2": true,
      "supportsSsl3": true,
      "supportsTls10": true,
      "supportsTls11": true,
      "supportsTls12": true,
      "supportsTls13": true,
      "hasHsts": true,
      "hasHstsPreloaded": true,
      "nameServers": "string",
      "dnssec": "string",
      "emailTls": "string",
      "emailDane": "string",
      "spf": "string",
      "dmarc": "string",
      "wwwTls": "string",
      "wwwDane": "string",
      "wwwXssProtection": "string",
      "wwwXssProtectionEnabled": true,
      "hsts": "string",
      "hpkp": "string",
      "cookies": "string",
      "mixedContent": "string",
      "securityHeaders": "string",
      "csp": "string"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListReports0Response

Get Certificates Report

Code samples

POST /v1/org/{org}/reports/certificates HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/certificates

Experimental endpoint: Fetches certificates report.

Successful response data schema: CertificateReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "active": true,
  "revoked": true,
  "expiring": true,
  "expiringDays": 10
}

Parameters

Parameter	In	Type	Description
body	body	CertificateReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Get Expiring Certificates Report

Code samples

POST /v1/org/{org}/reports/certificates/expiringEndpoints HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/certificates/expiringEndpoints

Experimental endpoint: Fetches expiring certificates report.

Successful response data schema: CertificateExpiringEndpointsReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "integration": "Entrust Dev",
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	CertificateExpiringEndpointsReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Get DMARC Report

Code samples

POST /v1/org/{org}/reports/dmarc HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/dmarc

Experimental endpoint: Fetches DMARC report.

Successful response data schema: DmarcReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	DmarcReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Get Domains Report

Code samples

POST /v1/org/{org}/reports/domains HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/domains

Experimental endpoint: Fetches domains report.

Successful response data schema: DomainsReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	DomainsReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Get Hosts Report

Code samples

POST /v1/org/{org}/reports/hosts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/hosts

Experimental endpoint: Fetches host discoveries report.

Successful response data schema: HostsReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	HostsReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Get Host Discoveries Report

Code samples

POST /v1/org/{org}/reports/hostDiscoveries HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/hostDiscoveries

Experimental endpoint: Fetches host discoveries report.

Successful response data schema: DiscoveryHostReportResponse

Body parameter

{
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	DiscoveryHostReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Get Issues Report

Code samples

POST /v1/org/{org}/reports/issues HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/issues

Experimental endpoint: Fetches issues report.

Successful response data schema: IssuesReportResponse

Body parameter

{
  "type": "active",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	IssuesReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Get Ip Addresses Report

Code samples

POST /v1/org/{org}/reports/ipAddresses HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/ipAddresses

Experimental endpoint: Fetches ip addresses report.

Successful response data schema: IpAddressReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	IpAddressReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Get Network Ranges Report

Code samples

POST /v1/org/{org}/reports/networkRanges HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/networkRanges

Experimental endpoint: Fetches network ranges report.

Successful response data schema: NetworkRangesReportResponse

Body parameter

{
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	NetworkRangesReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Get Open Ports Report

Code samples

POST /v1/org/{org}/reports/openPorts HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/openPorts

Experimental endpoint: Fetches open ports report.

Successful response data schema: OpenPortsReportResponse

Body parameter

{
  "address": "192.168.1.1",
  "port": 443,
  "transport": "tcp",
  "service": "other",
  "hostname": "example.com",
  "limit": 100,
  "format": "csv"
}

Parameters

Parameter	In	Type	Description
body	body	OpenPortsReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Get Spf Report

Code samples

POST /v1/org/{org}/reports/spf HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /reports/spf

Experimental endpoint: Fetches spf report.

Successful response data schema: SpfReportResponse

Body parameter

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	SpfReportRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Suborganizations

Depending on the type of subscription, organization accounts can be configured to allow creation of nested organizations. These suborganizations are designed to be fully independent, although it's possible to retain some level of control over them via the parent account.

New suborganizations support the same API endpoints, although the capabilities will typically be different to that of the parent account. To access a suborganization via this API, first use the parent account to create a new set of master API credentials. Subsequently, use the new credentials to access the suborganization directly. Do note that the suborganization identifiers exposed by this API are relative to that of the parent account. When accessing suborganization APIs directly you need to use the complete account identifier, which will be in the form of parent.child. Attempting to use an incorrect identifier will result in a 404 response.

List Organizations

Code samples

GET /v1/org/{org}/suborgs HTTP/1.1
Host: api.hardenize.com

GET /suborgs

Returns a complete list of all organizations nested under this account.

Example responses

200 Response

{
  "orgs": [
    {
      "id": "hardenize",
      "name": "Hardenize",
      "status": "active",
      "commercialStatus": "internal",
      "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
      "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
      "hostDiscoveryAutoimportSubdomains": true,
      "hostDiscoveryEnabled": true,
      "hostDiscoveryError": "string",
      "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
      "hostDiscoveryExcludeSuffixes": [
        "sub.example.com"
      ],
      "hostLimitHard": 10000,
      "hostDiscoveryLimitHard": 10000,
      "certLimitHard": 75000,
      "featureHostDiscovery": false,
      "featureMfa": false,
      "featureSaml": false
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	ListOrgsResponse
403	Forbidden	Account doesn't support suborganizations	None

Create Organization

Code samples

POST /v1/org/{org}/suborgs HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /suborgs

Creates a new suborganization under this account. If successful, this endpoint returns full information about the newly-created organization.

Body parameter

{
  "id": "7f070931-0cfb-41cb-bb05-98a792d238b1",
  "name": "Hardenize",
  "label": "hardenize",
  "status": "active",
  "certLimitHard": 1000,
  "commercialStatus": "internal",
  "generateApiCredentials": true,
  "hostDiscoveryAutoimportSubdomains": false,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": 1000,
  "featureHostDiscovery": false,
  "featureMfa": false,
  "featureSaml": false
}

Parameters

Parameter	In	Type	Description
body	body	CreateOrgRequest	none

Example responses

200 Response

{
  "org": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	Organization created	CreateOrgResponse
400	Bad Request	Invalid parameters or organization with the supplied `id` or `name` already exists.	None
403	Forbidden	Account doesn't support suborganizations	None

Get Organization

Code samples

GET /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com

GET /suborgs/{id}

Returns the specified nested organization.

Parameters

Parameter	In	Type	Description
id*	path	string	Organization identifier.

Example responses

200 Response

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	GetOrgResponse
403	Forbidden	Account doesn't support suborganizations	None
404	Not Found	Organization doesn't exist	None

Delete Organization

Code samples

DELETE /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com

DELETE /suborgs/{id}

Permanently deletes one nested organization. Because this operation is irreversible and thus quite dangerous, this endpoint is typically disabled by default, and may be enabled on sandbox accounts only. The recommended way to delete organizations is to set the status to deleted.

Parameters

Parameter	In	Type	Description
id*	path	string	Organization identifier.

Responses

Status	Meaning	Description	Schema
204	No Content	Organization deleted	None
403	Forbidden	Account doesn't support suborganizations, or the delete operation not permitted	None
404	Not Found	Organization doesn't exist	None

Update Organization

Code samples

POST /v1/org/{org}/suborgs/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /suborgs/{id}

Updates the desired nested organization.

Body parameter

{
  "name": "Hardenize",
  "status": "active",
  "commercialStatus": "internal",
  "generateApiCredentials": false,
  "hostDiscoveryAutoimportSubdomains": true,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": -1,
  "featureHostDiscovery": true,
  "featureMfa": false,
  "featureSaml": false
}

Parameters

Parameter	In	Type	Description
id*	path	string	Organization identifier.
body	body	UpdateOrgRequest	none

Example responses

200 Response

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	OK	UpdateOrgResponse
403	Forbidden	Account doesn't support suborganizations	None
404	Not Found	Organization doesn't exist	None

Search

Maturity: Under Development

At the Business tier and higher, Hardenize accounts include a search engine that's updated in real time whenever new data becomes available. The search engine contains multiple indexes, each tracking a different type of data. At this time, we support the network and certificates indexes. Our search engine is based on Elasticsearch, a de-facto standard.

Submit Query

Code samples

POST /v1/org/{org}/search HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /search

Submits a query to the search engine. The index parameter should contain the desired index and the query parameter should contain the desired query in the Elasticsearch query format. By default, the results will be in JSON format. If you wish CSV output instead, supply a list of field names in the columns parameter. Please note that, as a limitation of Elasticsearch, array fields cannot be placed in CSV output in their entirety; only the first value will be.

Body parameter

{
  "index": "network",
  "query": "pki.certs.sha256:f7e960995532d54a845f70e9f3430fccda1f7f3925f874ab50e8105777764d74",
  "limit": 10,
  "columns": [
    "hostname",
    "address",
    "port"
  ]
}

Parameters

Parameter	In	Type	Description
body	body	CreateSearchRequest	none

Example responses

202 Response

{
  "id": "6e7b190fa8d4ba14f707",
  "done": false,
  "statusCode": 202
}

Responses

Status	Meaning	Description	Schema
202	Accepted	Operation accepted	OperationStatus
400	Bad Request	Invalid request; details in the response	None
403	Forbidden	Not allowed to access this endpoint	None
503	Service Unavailable	Service not able to process request	None

Users

This section provides support for user management, covering both accounts with access to the application as well as service accounts, a special type of account that's designed for API access.

List users

Code samples

GET /v1/org/{org}/users HTTP/1.1
Host: api.hardenize.com

GET /users

Lists users that belong to the organization. We don't store user passwords raw in our database and so they will not be provided. Use the password reset function instead.

Example responses

200 Response

{
  "users": [
    {
      "userId": 10001,
      "email": "postmaster@example.com",
      "name": "Bob",
      "status": "active",
      "serviceAccount": true,
      "expirationTime": "2023-09-22T15:34:49.703Z",
      "password": "61cec76600adc8b7aa522a5078f7c837",
      "mfaEnabled": false,
      "role": "observer"
    }
  ]
}

Responses

Status	Meaning	Description	Schema
200	OK	Users	ListUsersResponse

Invite new user

Code samples

POST /v1/org/{org}/users;invite HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /users;invite

Invites a new user to the organization. When this endpoint is used, an email is sent to the provided email address, asking the user to join the organization.

Body parameter

{
  "name": "Bob",
  "email": "postmaster@example.com",
  "role": "observer"
}

Parameters

Parameter	In	Type	Description
body	body	InviteUserRequest	none

Example responses

201 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2023-09-22T15:34:49.703Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status	Meaning	Description	Schema
201	Created	User invited	GetUserResponse
400	Bad Request	Invalid parameters	None
403	Forbidden	You don't have permission to perform this operation.	None

Create service account

Code samples

POST /v1/org/{org}/users;serviceAccount HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /users;serviceAccount

Creates a new service account. Role: Admin.

Body parameter

{
  "name": "Data fetcher",
  "role": "observer",
  "expirationTime": "2023-09-22T15:34:49.705Z"
}

Parameters

Parameter	In	Type	Description
body	body	CreateServiceAccountRequest	none

Example responses

201 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2023-09-22T15:34:49.706Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status	Meaning	Description	Schema
201	Created	Service account created	GetUserResponse
400	Bad Request	Invalid parameters	None
403	Forbidden	You don't have permission to perform this operation.	None

Cancel invite

Code samples

POST /v1/org/{org}/users/{id};cancelInvite HTTP/1.1
Host: api.hardenize.com

POST /users/{id};cancelInvite

Cancels invitation for this user, if it has not already been accepted. Role: Admin.

Parameters

Parameter	In	Type	Description
id*	path	integer	User identifier

Responses

Status	Meaning	Description	Schema
204	No Content	User invite cancelled	None
400	Bad Request	Invalid parameters	None
403	Forbidden	You don't have permission to perform this operation.	None
404	Not Found	User with given email doesn't exist within organization	None

Get user

Code samples

GET /v1/org/{org}/users/{id} HTTP/1.1
Host: api.hardenize.com

GET /users/{id}

Retrieves the available information for the requested user account.

Parameters

Parameter	In	Type	Description
id*	path	integer	User identifier

Example responses

200 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2023-09-22T15:34:49.706Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	User	GetUserResponse
404	Not Found	User with given email doesn't exist within organization	None

Update user

Code samples

POST /v1/org/{org}/users/{id} HTTP/1.1
Host: api.hardenize.com
Content-Type: application/json

POST /users/{id}

Updates the specified user. Role: Admin.

Body parameter

{
  "name": "Bob",
  "deleteMfa": true,
  "resetPassword": true,
  "expirationTime": "2023-09-22T15:34:49.706Z",
  "status": "retired",
  "role": "observer"
}

Parameters

Parameter	In	Type	Description
id*	path	integer	User identifier
body	body	UpdateUserRequest	none

Example responses

200 Response

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2023-09-22T15:34:49.706Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Responses

Status	Meaning	Description	Schema
200	OK	User updated	GetUserResponse
400	Bad Request	Invalid parameters	None
403	Forbidden	You don't have permission to perform this operation.	None
404	Not Found	User with given email doesn't exist within organization	None

Schemas

cidr

"127.0.0.1/32"

IP address range in CIDR notation.

Properties

Name	Type	Description
anonymous	string	IP address range in CIDR notation.

AuditEvent

{
  "id": 10001,
  "actorType": "u",
  "actorId": "userId:12090749",
  "actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
  "timestamp": "2018-09-03T14:09:59.000Z",
  "remoteAddr": "18.233.176.231",
  "sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
  "resourceType": "user",
  "resourceId": "12090749",
  "action": "user.auth.succeeded",
  "status": 200,
  "details": {
    "method": "password"
  }
}

Contains information about one audit log event.

Properties

Name	Type	Description
id*	integer	none
actorType*	string	Indicates whether the action was carried by an anonymous actor before authentication (`a`), the system (`s`), or by an authenticated user or organization (`u`).
actorId	string	Contains a unique identifier associated with the actor. This value will typically contain a reference to a user, with a prefix `userId` or to an organization, with a prefix `orgId:`. The value is stable over the long term.
actorName	string	Contains further information that describes the actor. For users it may contain the name and email address. For organizations, the name. The value here may should not be considered stable as it may change over time, if users or organizations are renamed.
timestamp*	string(date-time)	The UTC timestamp of the event.
remoteAddr	string	The remote IP address of the actor. Not available for system events.
sessionId	string	The actor's unique session identifier. Not available for system events. Please note that we regenerate session IDs after each successful authentication. As a result, you may see one ID at the point when authentication takes place, then another ID immediately after, when we record the sign-in event.
userAgent	string	The user agent associated with the event. Not all events will have this field, but key events associated with user activity will.
resourceType*	string	Indicates resource type.
resourceId*	string	The unique identifier associated with the resource.
action*	string	The unique action identifier.
status*	integer	Status of the event as a HTTP status code.
details	object	Contains additional information specific to the audit event. This field should be considered informational at this point in time.

Enumerated Values

Property	Value
actorType	a
actorType	s
actorType	u
action	org.user.deleted
action	org.user.disabled
action	org.user.enabled
action	org.user.invited
action	org.user.uninvited
action	org.user.joined
action	org.user.profile_changed
action	org.user.session_started
action	user.created
action	user.deleted
action	user.email_changed
action	user.profile_changed
action	user.auth.mfa_removed_by_admin
action	user.auth.password_changed
action	user.auth.password_reset_requested
action	user.auth.password_reset
action	user.auth.password_reset_by_admin
action	user.auth.failed
action	user.auth.forbidden
action	user.auth.signed_in
action	user.auth.signed_out
action	user.auth.succeeded

Certificate

{
  "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
  "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "issuerCa": "Let's Encrypt",
  "validation": "dv",
  "notBefore": "2023-09-22T15:34:49.707Z",
  "notAfter": "2023-09-22T15:34:49.707Z",
  "effectiveNotAfter": "2023-09-22T15:34:49.707Z",
  "revokedOn": "2023-09-22T15:34:49.707Z",
  "keyAlg": "EC",
  "keyLen": 256,
  "keyStrength": 128,
  "sigAlg": "ECDSAwithSHA256",
  "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
  "hosts": [
    "*.hardenize.com"
  ],
  "sanCount": 1,
  "caPathLen": -1,
  "wildcard": true,
  "selfSigned": false,
  "firstSeen": "2023-09-22T15:34:49.707Z",
  "lastSeen": "2023-09-22T15:34:49.707Z",
  "seenInstalled": true,
  "active": true,
  "precert": false,
  "duplicate": false,
  "managed": true,
  "ownership": "own",
  "matchesOrgHost": true,
  "symantecStatus": "symantecExcluded",
  "ctRequired": true,
  "ctCompliant": true,
  "ctLogs": [
    {
      "log": "ct.googleapis.com/rocketeer",
      "timestamp": 1533791245857,
      "index": 232455,
      "type": "cert",
      "sources": [
        "log",
        "tls"
      ]
    }
  ],
  "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
  "origin": "ct",
  "originInfo": {
    "net": {
      "host": "aspmx.l.google.com",
      "address": "2a00:1450:400c:c00:0:0:0:1b",
      "port": 25,
      "protocol": "smtp"
    }
  },
  "parentHashes": [
    "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
    "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
  ],
  "parentHashesSource": "ct",
  "parentHashesComplete": true
}

Contains information about one certificate.

Properties

Name	Type	Description
sha256*	string	Hex-encoded SHA256 hash of the certificate in DER format.
tbsSha256	string	Hex-encoded SHA256 hash of the `TBSCertificate` structure. This value will be the same in the precertificate/certificate combo.
subject*	string	Subject distinguished name.
serial*	string	Hex-encoded serial number.
issuer*	string	Issuer distinguished name.
issuerCa	string	The name of the issuing CA, according to CCADB.
validation	string	Certificate validation type.
notBefore*	string(date-time)	ISO 8601 timestamp.
notAfter*	string(date-time)	ISO 8601 timestamp.
effectiveNotAfter*	string(date-time)	ISO 8601 timestamp. This fields contains the time after which the certificate cannot be used in practice. For example, certificates issued from the old Symantec PKI infrastructure have been deprecated and can no longer be used for web sites, even though they are still technically valid. Depending on the deprecation phase, Symantec certificates will have the effective dates of March 1, 2018 (phase one) or September 1, 2018 (phase 2).
revokedOn*	string(date-time)	Revocation timestamp, if available.
keyAlg*	string	Private key algorithm, for example RSA or EC.
keyLen*	integer	Private key length, for example 256 for an ECDSA key or 2048 for an RSA key.
keyStrength*	integer	Estimated private key strength in symmetric bits. For example, a 256-bit ECDSA key is thought to provide 128 bits of security, whereas a 2048-bit RSA key provides about 112.
sigAlg*	string	Certificate signature algorithm.
spkiSha256*	string	Hex-encoded SHA256 of the certificate's SPKI component.
hosts*	[string]	All hosts specified in the certificate's SAN extension, as Unicode. This list includes both hostnames and IP addresses. Wildcard hostnames will be on the list if they are in the certificate.
sanCount	integer	The number of hostnames in the SAN field of the certificate.
caPathLen*	integer	Indicates if this is a CA certificate. Leaf certificates will have -1 in this field, indicating that they cannot issue further certificates. CA certificates will have 0 or a positive number. CA certificates without path length limit will have 2,147,483,647.
wildcard*	boolean	Set to true if at least one of the allowed hosts is a wildcard.
selfSigned*	boolean	Set to true if this is a self-signed certificate.
firstSeen*	string(date-time)	The first time this certificate was seen, which could be a variety of sources for example, CT, manual upload, or installed on a server.
lastSeen*	string(date-time)	The last time this certificate was seen installed on a server.
seenInstalled*	boolean	Indicates if this certificate has been seen installed on a server.
active*	boolean	Indicates if this certificate has been seen installed recently.
precert*	boolean	Indicates if the returned certificate is, in fact, a precertificate.
duplicate*	boolean	Set to true on a precertificate for which the certificate is known.
managed*	boolean	Indicates if this certificate is managed, i.e. provided by a third-party service that will also automatically renew the certificate when it becomes due.
ownership*	string	Indicates if this certificate belongs to the organisation, which means that it is served from one of the organization's properties. Do note that, in the case of certificate name mismatch, someone else's certificate may be considered as own. In that case, the matchesOrgHost field will be set to false.
matchesOrgHost*	boolean	Indicates if at least one of the host listed in the certificates matches a hosts that belongs to the organisation.
symantecStatus	string	Indicates if this certificate was issued from Symantec's PKI infrastructure. This field is not set when it's not necessary, as absence of value indicates that the certificate did not come from Symantec. This field is also never set on CA intermediates and roots.
ctRequired	boolean	Indicates whether certificate is required to be logged to CT for use on public sites. This is a requirement for all certificates issued from May 2018 onwards, as well for some earlier Symantec certificates.
ctCompliant	boolean	Indicates whether certificate embeds sufficient SCTs to satisfy CT policies of major platforms.
ctLogs*	[CertCtLog]	One entry for every observation of this certificate in CT logs. Excludes third-party CA certificates that have been imported to complete the certificate chain.
pem*	string	Base64-encoded certificate in DER format.
origin*	string	Indication of where this certificate came from. This field will contain `ct` if the certificate was found via real-time monitoring of Certificate Transparency logs, `hdb` if we imported it from our historical certificate database, `net` if the certificate was found installed on the network, or `manual` if the certificate was provided to us (e.g., if it was uploaded via the API).
originInfo	OriginInfo	Further information about the origin. For example, if the origin is `cert`, then this field will identify the actual certificate.
parentHashes	[string]	Contains the SHA256 fingerprints of parent certificates, if they are known. We currently populate this field only using the information obtained from CT log entries. When the object is a precertificate, the parent hashes may include a special precertificate signer CA certificate.
parentHashesSource	string	Indicates the source of the parent hashes provided in the `parentHashes` field. If the field contains `ct`, that means that the parent hashes are exactly as seen in CT. CT entries are not guaranteed to include the root; if we're able to find the right root, we'll use the value `ctPlusRoot` to indicate that the bulk of the chain is from CT, but that we appended a root to it. The value `hardenize` is reserved for future use, when we implement path building to identify the hashes for certificates only seen online (and not in CT).
parentHashesComplete	boolean	True if the parent hashes are available and form a complete chain, false if parent hashes are available but the chain is not complete. This field is not available when parent hashes are not available.

Enumerated Values

Property	Value
validation	dv
validation	ev
validation	iv
validation	ov
validation	s
validation	u
validation	na
sigAlg	RSAwithMD2
sigAlg	RSAwithMD5
sigAlg	RSAwithSHA1
sigAlg	RSAwithSHA256
sigAlg	RSAwithSHA384
sigAlg	RSAwithSHA512
sigAlg	RSAPSS
sigAlg	DSAwithSHA1
sigAlg	DSAwithSHA256
sigAlg	ECDSAwithSHA1
sigAlg	ECDSAwithSHA256
sigAlg	ECDSAwithSHA384
sigAlg	ECDSAwithSHA512
ownership	own
ownership	thirdParty
symantecStatus	phaseOneAffected
symantecStatus	phaseOneNotAffected
symantecStatus	phaseTwoAffected
symantecStatus	phaseTwoNotAffected
symantecStatus	symantecExcluded
origin	ct
origin	hdb
origin	manual
origin	net
parentHashesSource	ct
parentHashesSource	ctPlusRoot
parentHashesSource	hardenize

CertCtLog

{
  "log": "ct.googleapis.com/rocketeer",
  "timestamp": 1533791245857,
  "index": 232455,
  "type": "cert",
  "sources": [
    "log",
    "tls"
  ]
}

Properties

Name	Type	Description
log*	string	CT log URL, with scheme omitted.
timestamp*	integer(int64)	Milliseconds since January 1, 1970, excluding leap seconds, per CT RFC.
index	integer(int64)	This certificate's index in the referenced CT log. This field is available only when the matching objects are observed directly in CT logs.
type*	string	Indicates whether a CT log entry belongs to a certificate or precertificate. Normally, precertificate objects will include only precertificate CT log entries. However, certificate objects can include entries of either type. For example, if a certificate has been logged to CT via a precertificate, it will typically include CT log entries pertaining to both the precertificate as well as its own subsqeuent appearance in the CT logs.
sources*	[string]	Hardenize collects CT information from multiple sources. This set indicates all the places where we've collected the information we have on a certificate.

Enumerated Values

Property	Value
type	cert
type	precert

CreateIntegrationRequest

{
  "type": "aws",
  "name": "My Test Integration",
  "ref": "123456789012",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "string"
  }
}

This object should contain all the information required to create a new integration in your account. Some of the information is generic and used for all integration types. Integration-specific information should be placed in the config field, whilst ensuring the the provided data matches the integration type.

Properties

Name	Type	Description
type*	string	Integration type that indicates which integration is being created.
name*	string	Name to assign to integration. Must be unique.
ref	string	Integration reference; this is an optional utility field intended to carry information that uniquely identifies the account we're connecting to.
tags	[string]	A list of tags. Tags are added to resources fetched from your configured integration and propagated to hosts. Tag names can use only letters and digits.
enabled*	boolean	Whether or not the integration should be enabled immediately.
config*	any	Integration-specific configuration parameters, matching the selected integration as specified in the `type` parameter.

oneOf

Name	Type	Description
» anonymous	CreateAwsIntegrationConfig	AWS integration parameters.

xor

Name	Type	Description
» anonymous	CreateAzureIntegrationConfig	Azure integration parameters.

xor

Name	Type	Description
» anonymous	CreateCloudflareIntegrationConfig	Cloudflare integration parameters. Supply either "apiKey" for recommended auth, or "email" and "authKey" for legacy auth.

xor

Name	Type	Description
» anonymous	CreateCscIntegrationConfig	CSC integration parameters.

xor

Name	Type	Description
» anonymous	CreateDigiCertIntegrationConfig	DigiCert CertCentral integration parameters. Please ensure that the provided API key is configured as read-only. Keys that are configured for write operations will not be acceprted.

xor

Name	Type	Description
» anonymous	CreateGcpIntegrationConfig	GCP integration parameters.

xor

Name	Type	Description
» anonymous	CreateMarkMonitorIntegrationConfig	MarkMonitor integration parameters.

xor

Name	Type	Description
» anonymous	CreateNs1IntegrationConfig	NS1 integration parameters.

xor

Name	Type	Description
» anonymous	CreateSafenamesIntegrationConfig	Safenames integration parameters.

Enumerated Values

Property	Value
type	aws
type	azure
type	cloudflare
type	csc
type	digicert
type	gcp
type	markmonitor
type	ns1
type	safenames

AwsIntegrationConfig

{
  "accountId": "string"
}

AWS integration parameters.

Properties

Name	Type	Description
accountId*	string	AWS account ID.

CreateAwsIntegrationConfig

{
  "accountId": "string"
}

AWS integration parameters.

Properties

Name	Type	Description
accountId*	string	AWS account ID.

AzureIntegrationConfig

{
  "clientId": "a85f9541-6472-054d-af7b-802663282441",
  "tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43"
}

Azure integration parameters. Although we require the Azure secret token initially, to create an integration, we do not provide it via this API afterwards.

Properties

Name	Type	Description
clientId*	string	Azure client identifier.
tenantId*	string	Azure tenant identifier.

CreateAzureIntegrationConfig

{
  "clientId": "a85f9541-6472-054d-af7b-802663282441",
  "tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43",
  "secret": "2q4xUYw/rTp3qoJ9x=pP.KXwUq?mnPO/"
}

Azure integration parameters.

Properties

Name	Type	Description
clientId*	string	Azure client identifier.
tenantId*	string	Azure tenant identifier.
secret*	string	Azure secret token.

DigiCertIntegrationConfig

{}

DigiCert CertCentral integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

Properties

None

CreateDigiCertIntegrationConfig

{
  "apiKey": "52YEKYDT7FARJTGWCN5B7K7YNME3APZOMP4X"
}

DigiCert CertCentral integration parameters. Please ensure that the provided API key is configured as read-only. Keys that are configured for write operations will not be acceprted.

Properties

Name	Type	Description
apiKey*	string	none

GcpIntegrationConfig

{
  "project": "green-lantern-324920"
}

GCP integration parameters.

Properties

Name	Type	Description
project*	string	The GCP project name

CreateGcpIntegrationConfig

{
  "project": "green-lantern-324920"
}

GCP integration parameters.

Properties

Name	Type	Description
project*	string	The GCP project name

CloudflareIntegrationConfig

{}

Cloudflare integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

Properties

None

CreateCloudflareIntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu",
  "authKey": "27761d57fd9035185dfc45eb1275ecacd",
  "email": "postmaster@example.com"
}

Cloudflare integration parameters. Supply either "apiKey" for recommended auth, or "email" and "authKey" for legacy auth.

Properties

Name	Type	Description
apiKey	string	none
authKey	string	none
email	string	none

CscIntegrationConfig

{}

CSC integration parameters. Although we require the API key and bearer token initially, to create an integration, we do not provide them via this API afterwards.

Properties

None

CreateCscIntegrationConfig

{
  "apiKey": "23g78h23rgheriuh2r8h2rg8h2rgiuh23g",
  "bearerToken": "483fabc7-1234-4321-f12f-f48a8de8f3cf"
}

CSC integration parameters.

Properties

Name	Type	Description
apiKey*	string	none
bearerToken*	string	none

Ns1IntegrationConfig

{}

NS1 integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

Properties

None

CreateNs1IntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu"
}

NS1 integration parameters.

Properties

Name	Type	Description
apiKey*	string	none

MarkMonitorIntegrationConfig

{
  "username": "user"
}

MarkMonitor integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

Properties

Name	Type	Description
username*	string	The MarkMonitor api username

CreateMarkMonitorIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

MarkMonitor integration parameters.

Properties

Name	Type	Description
username*	string	none
password*	string	none

SafenamesIntegrationConfig

{
  "username": "user"
}

Safenames integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

Properties

Name	Type	Description
username*	string	The Safenames username

CreateSafenamesIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

Safenames integration parameters.

Properties

Name	Type	Description
username*	string	none
password*	string	none

CreateIntegrationResponse

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2023-09-22T15:34:49.710Z",
    "nextRunTime": "2023-09-22T15:34:49.710Z",
    "lastRunTime": "2023-09-22T15:34:49.710Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Properties

Name	Type	Description
integration*	Integration	Represents a third-party integration.

CreateHostsRequest

{
  "hostnames": [
    "example.com"
  ],
  "status": "monitored",
  "axfr": "auto",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "name": "thename",
    "algorithm": "HMAC_MD5",
    "key": "base64key="
  },
  "groups": [
    "production"
  ]
}

Properties

Name	Type	Description
hostnames*	[string]	List of hosts to create. Each host in this array must be a valid registrable domain (according to the Public Suffix List) or a subdomain of a registrable domain.
status	string	Desired host status. If the status is not specified, the initial status is determined based on the account's default status for new hosts as well as the status of parent hosts (depending on the configuration).
axfr	string	If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to `auto` which is a setting that is reserved for a future expansion and currently has the same meaning as `disabled`. To enable zone transfers, change the value of this field to `enabled`. For more information about how zone transfers are made, refer to the Request zone transfer endpoint.
axfrHost	string	Instead of doing AXFRs from the primary nameserver as per the zone's SOA record, use this hostname or IP address instead.
axfrTsig	CreateHostsRequestAxfrTsig	none
groups	[string]	List of groups to which the new hosts should be added. If the account is configured to inherit group membership from parent hosts, those groups are added in addition to the ones explicitly specified here.

Enumerated Values

Property	Value
status	monitored
status	idle
status	archived
axfr	auto
axfr	enabled
axfr	disabled

CreateHostsRequestAxfrTsig

{
  "name": "thename",
  "algorithm": "HMAC_MD5",
  "key": "base64key="
}

Properties

Name	Type	Description
name*	string	TSIG key name.
algorithm*	string	TSIG algorithm.
key*	string	TSIG key, Base64-encoded.

Enumerated Values

Property	Value
algorithm	HMAC_MD5
algorithm	HMAC_SHA1
algorithm	HMAC_SHA224
algorithm	HMAC_SHA256
algorithm	HMAC_SHA384
algorithm	HMAC_SHA512

CreateHostDiscoveryKeywordRequest

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

A keyword used for host discovery.

Properties

Name	Type	Description
keyword*	string	The text to match with. Must consist of only lowercase letters, digits, and dashes. Periods can also be used, but only when keyword is matched across DNS labels. To avoid too many matches, we require that keywords have at least 5 characters, and up to 32.
enabled*	boolean	Indicates if the keyword is currently active.
matchScope*	string	Determines if the keyword will match domains and subdomains (`all`) or only domains.
matchPosition*	string	Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant.
matchExact*	boolean	If set, enables exact matching.
matchFuzzy*	boolean	If set, enables fuzzy matching.
matchConfusables*	boolean	If set, enables mathing of confusable characters and homographes.
exclusions*	[string]	Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored.

Enumerated Values

Property	Value
matchScope	all
matchScope	domains
matchPosition	anywhere
matchPosition	label
matchPosition	labelStart
matchPosition	labelEnd
matchPosition	labelStartOrEnd

CreateHostDiscoveryKeywordResponse

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name	Type	Description
hostDiscoveryKeyword*	HostDiscoveryKeyword	A keyword used for host discovery.

CreateHostDiscoveryNameserverRequest

{
  "hostnames": [
    "ns1.example.com"
  ]
}

Properties

Name	Type	Description
hostnames*	[string]	none

UpdateHostDiscoveryNameserverRequest

{
  "enabled": true
}

Properties

Name	Type	Description
enabled	boolean	Controls whether a nameserver is actively monitored. A nameserver could be disabled if it's responsible for too many matches, which usually indicates a misconfigured. Alternatively, a nameserver may be disabled if it no longer matches any of the organization's domains.

CreateHostDiscoveryNameserverResponse

{
  "hostDiscoveryKeyword": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name	Type	Description
hostDiscoveryKeyword*	HostDiscoveryNameserver	A keyword used for host discovery.

DiscoveryHostReportRequest

{
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
limit	integer	If set, returns only up to the specified number of host discoveries.
format	string	If set, returns host discoveries in the format specified. Default: JSON

Enumerated Values

Property	Value
format	json
format	csv

DiscoveryHostReportResponse

{
  "discoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2023-09-22T15:34:49.712Z",
      "origin": "hdb",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2023-09-22T15:34:49.712Z"
    }
  ]
}

Properties

Name	Type	Description
discoveries	[HostDiscovery]	[This object represents our discovery of a host which might be relevant to your organization.]

CreateCertResponse

{
  "cert": {
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2023-09-22T15:34:49.712Z",
    "notAfter": "2023-09-22T15:34:49.712Z",
    "effectiveNotAfter": "2023-09-22T15:34:49.712Z",
    "revokedOn": "2023-09-22T15:34:49.712Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2023-09-22T15:34:49.712Z",
    "lastSeen": "2023-09-22T15:34:49.712Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true
  }
}

Properties

Name	Type	Description
cert	Certificate	Contains information about one certificate.

CreateEventHookRequest

{
  "hookType": "webhook",
  "eventTypes": [
    "ct.entry"
  ],
  "status": "enabled",
  "destination": "https://hardenize.com/webhooks/receive"
}

Properties

Name	Type	Description
hookType*	string	Desired event hook type.
eventTypes*	[string]	A list of event types to send to this event hook.
status	string	Initial status for this hook. Default: disabled.
destination*	string	Event hook destination; for webhooks, this must be an HTTPS URL. For deliveries via PubSub, you must supply here a valid destination obtained via the List Event Destinations API endpoint.

Enumerated Values

Property	Value
hookType	pubsub
hookType	webhook

CreateEventHookResponse

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Properties

Name	Type	Description
eventHook*	EventHook	Event hook objects contain information pertaining to a destination to which events are delivered (pushed).

CreateNetworkRangeRequest

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "range": "192.168.1.0/24",
  "scan": true,
  "tags": [
    "production"
  ]
}

Properties

None

CreateOrgRequest

{
  "id": "7f070931-0cfb-41cb-bb05-98a792d238b1",
  "name": "Hardenize",
  "label": "hardenize",
  "status": "active",
  "certLimitHard": 1000,
  "commercialStatus": "internal",
  "generateApiCredentials": true,
  "hostDiscoveryAutoimportSubdomains": false,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": 1000,
  "featureHostDiscovery": false,
  "featureMfa": false,
  "featureSaml": false
}

Properties

Name	Type	Description
id*	string	Unique ID that should be used to refer to the new organization. This value should be unique across all organizations that belong to the same parent. The syntax must match that of a DNS host label, using only lowercase characters. This field can be set, but cannot be updated.
name	string	Organization name is typically what will be shown in administrative user interfaces. If not provided in the request, the the `id` parameter will be used as the default value.
label	string	Organization label is a user-friendly identifier and also has to be unique across the organizations belonging to the same parent. Labels are shown in the application UI and URLs. This field is optional; if it is not provided, the `id` parameter will be used instead. This field can be set, but cannot be updated.
status	string	The initial status the organization should have. Default: active.
certLimitHard	integer	Hard limit on the number of certificates in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit.
commercialStatus	string	The initial commercial status for the new organization. Default: internal.
generateApiCredentials	boolean	If set, creates new master API credentials for the organization. The generated password must be stored by the caller, otherwise it will be lost. Default: false.
hostDiscoveryAutoimportSubdomains	boolean	If set, newly discovered host that are subdomain of known hosts will be automatically added to the host inventory. Requires featureHostDiscovery to be enabled. Default: false.
hostDiscoveryExcludeSuffixes	[string]	If provided, this field is a list of domain suffixes that should be ignored during discovery.
hostDiscoveryEnabled	boolean	Indicates if host discovery is enabled.
hostDiscoveryLimitHard	integer	Hard limit on the number of host discoveries in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit.
hostLimitHard	integer	Hard limit on the number of hosts in the inventory. If this value is not supplied or if it is set to -1, the default value configured in the parent organization will be used. If a value is provided, it must be less than or equal to the parent limit.
featureHostDiscovery	boolean	If set, enables the host discovery feature. The feature must be available in the parent organization. Default: false.
featureMfa	boolean	If set, enables multi-factor authentication (MFA). The feature must be available in the parent organization. Default: false
featureSaml	boolean	If set, enables SAML. The feature must be available in the parent organization. Default: false

Enumerated Values

Property	Value
status	active
status	dormant
status	suspended
status	deleted
commercialStatus	free
commercialStatus	internal
commercialStatus	paying
commercialStatus	trial

CreateOrgResponse

{
  "org": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Properties

Name	Type	Description
org*	Organization	none

CreateGroupRequest

{
  "name": "Production",
  "auto": true,
  "tags": [
    "production"
  ]
}

Properties

Name	Type	Description
name*	string	Display name, typically used for human interaction. Groups also have an identifier, which we automatically generate from the names. Group identifiers and names must be unique, after whitespace is trimmed and text converted to lowercase.
auto	boolean	Indicates if this group is an auto-group, meaning that hosts are added to it and removed from based on whether they have matching tags. Hosts added to a group if they have at least one matching tag. Hosts are removed from a group if they have no matching tags.
tags	[string]	Tags associated with this group. Auto-groups only.

UpdateGroupRequest

{
  "tags": [
    "production"
  ]
}

Properties

Name	Type	Description
tags	[string]	Tags associated with this group. Auto-tags only.

CreateGroupResponse

{
  "group": {
    "id": "production",
    "name": "Production",
    "auto": true,
    "tags": [
      "production"
    ]
  }
}

Properties

Name	Type	Description
group*	Group	The Group object represents one account group.

CreateSearchRequest

{
  "index": "network",
  "query": "pki.certs.sha256:f7e960995532d54a845f70e9f3430fccda1f7f3925f874ab50e8105777764d74",
  "limit": 10,
  "columns": [
    "hostname",
    "address",
    "port"
  ]
}

Encapsulates parameters required to submit a search. At minimum, provide the index and query fields. If you wish to get the data back in CSV format, supply the desired field names in the columns field. To know what field names are available, it's usually best to examine the JSON output of a limited number of results, then re-run the query to get CSV output.

Properties

Name	Type	Description
index*	string	The index against which the supplied query will be executed.
query*	string	The desired query, using the Elasticsearch query language.
limit	integer	When provided, the output will be limited to the requested number of results. This parameter can be useful when you're experimenting with a complex query and don't wish to incur the overhead of fetching, downloading, and processing the entire result set. Default: no limit.
columns	[string]	When this field is provided in the requests, search results will be provided in CSV format with the fields as specified.

Enumerated Values

Property	Value
index	certificates
index	network

CreateTlsCheckRequest

{
  "host": "hardenize.com",
  "port": 443,
  "location": "london",
  "resolverStrategy": "all"
}

TLS check parameters.

Properties

Name	Type	Description
host*	string	Endpoint hostname, which must be one of the names in the asset inventory. IP addresses are currently not supported.
port*	integer	Endpoint port, for example 443.
location*	string	Location from which the check should be performed.
resolverStrategy	string	DNS resolver strategy to use to convert hostname to IP addresses for testing. Default: all.

Enumerated Values

Property	Value
resolverStrategy	all
resolverStrategy	all4
resolverStrategy	all6
resolverStrategy	one4
resolverStrategy	one46
resolverStrategy	one6
resolverStrategy	one64

DeleteHostsRequest

{
  "hostnames": [
    "example.com"
  ],
  "subdomains": true,
  "preview": true
}

Properties

Name	Type	Description
hostnames*	[string]	List of hosts to delete.
subdomains	boolean	If set, indicates that the operation should apply to all the subdomains of the specified hosts. Default: false
preview	boolean	If set, this parameter enables preview mode, which means that no hosts will be deleted. Instead, the response will include the list of hosts that would have been deleted. Default: false.

DeleteHostsResponse

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Properties

Name	Type	Description
hostnames*	[string]	List of hosts that have been deleted (or would have been deleted, in preview mode).
preview*	boolean	Indicates if the action was executed or only previewed.

Event

{
  "id": 10001,
  "type": "ct",
  "createdOn": "2023-09-22T15:34:49.714Z",
  "apiVersion": "0.14.0",
  "data": "{ \"field\": \"value\" }"
}

Event objects are created in response to various things of interest that happen in your account. They are designed to be a generic storage and retrieval system that can carry arbitrary embedded objects, which are encoded in JSON format. The type fields is used as indicator as to which embedded object is stored in the data field. We also record the version of the API at the time the data object was created. Should there be differences in the format, you can use the apiVersion field to determine exactly how the data should be handled.

Properties

Name	Type	Description
id*	integer	none
type*	string	none
createdOn*	string(date-time)	none
apiVersion*	string	none
data*	string	none

EventDestination

{
  "destinationId": "pubsub://events/1/1005",
  "type": "pubsub",
  "project": "hz-events-pubsub",
  "topic": "projects/hz-events-pubsub/topics/ep-1-1005",
  "subscription": "ep-1-1005",
  "subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
}

Contains information about one destination that can be used to receive events.

Properties

Name	Type	Description
destinationId*	string	Unique system-generated identifier.
type*	string	Destination type. Different fields may be available depending on this value.
project	string	PubSub project name.
topic	string	PubSub topic name.
subscription	string	PubSub subscription name.
subscriberCredentials	string	Contains raw Google GCP service account file that should be used to authenticate when retrieving from the subscription associated with this destination.

Enumerated Values

Property	Value
type	pubsub

EventHook

{
  "id": "bfc384726b6447a4b70a171de49e466f",
  "hookType": "webhook",
  "eventTypes": [
    "ct.entry"
  ],
  "status": "enabled",
  "destination": "https://hardenize.com/webhooks/receive",
  "secret": "3685c06a966e4d0ea625d0b475719661"
}

Event hook objects contain information pertaining to a destination to which events are delivered (pushed).

Properties

Name	Type	Description
id*	string	Contains the system-generated event hook identifier. This value is strongly random and, because it's provided with every event, can be used for an easy security check on the receiving end.
hookType*	string	Contains hook type.
eventTypes*	[string]	Contains the list of event types that will be sent to this hook.
status*	string	Indicates the current status of the event hook. The normal states are `enabled` and `disabled`. If a hook is determine to be inoperational, we will automatically disable it and change its state to `failed`.
destination	string	Contains the destination where events will be sent.
secret*	string	Contains a strongly random secret value unique to this hook. Used to sign events on delivery.

Enumerated Values

Property	Value
hookType	pubsub
hookType	webhook
status	enabled
status	disabled
status	failed

EventType

{
  "name": "ct",
  "available": true,
  "enabled": true
}

Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them.

Properties

Name	Type	Description
name*	string	none
available*	boolean	Specifies whether the account supports generation of this type of event.
enabled*	boolean	Specifies whether events of this type are currently being generated.

ErrorMessage

{
  "param": "string",
  "message": "string"
}

One instance of this object is returned for every problem encountered during request processing. If the object includes parameter name, the problem is related to that parameter, otherwise the problem applies to the request as a whole.

Properties

Name	Type	Description
param	string	none
message*	string	none

ErrorResponse

{
  "errors": [
    {
      "param": "string",
      "message": "string"
    }
  ]
}

This object is returned whenever a processing error occurs. It contains a list of error messages, some of which may be attributed to specific request parameters.

Properties

Name	Type	Description
errors*	[ErrorMessage]	[One instance of this object is returned for every problem encountered during request processing. If the object includes parameter name, the problem is related to that parameter, otherwise the problem applies to the request as a whole. ]

GetCertResponse

{
  "cert": {
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2023-09-22T15:34:49.715Z",
    "notAfter": "2023-09-22T15:34:49.715Z",
    "effectiveNotAfter": "2023-09-22T15:34:49.715Z",
    "revokedOn": "2023-09-22T15:34:49.715Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2023-09-22T15:34:49.715Z",
    "lastSeen": "2023-09-22T15:34:49.715Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true
  }
}

Properties

Name	Type	Description
cert*	Certificate	Contains information about one certificate.

GetEventResponse

{
  "event": {
    "id": 10001,
    "type": "ct",
    "createdOn": "2023-09-22T15:34:49.715Z",
    "apiVersion": "0.14.0",
    "data": "{ \"field\": \"value\" }"
  }
}

Properties

Name	Type	Description
event*	Event	Event objects are created in response to various things of interest that happen in your account. They are designed to be a generic storage and retrieval system that can carry arbitrary embedded objects, which are encoded in JSON format. The `type` fields is used as indicator as to which embedded object is stored in the `data` field. We also record the version of the API at the time the data object was created. Should there be differences in the format, you can use the `apiVersion` field to determine exactly how the data should be handled.

GetHostDiscoveryResponse

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2023-09-22T15:34:49.715Z",
    "origin": "hdb",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2023-09-22T15:34:49.716Z"
  }
}

Properties

Name	Type	Description
hostDiscovery*	HostDiscovery	This object represents our discovery of a host which might be relevant to your organization.

GetHostDiscoveryKeywordResponse

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name	Type	Description
hostDiscoveryKeyword*	HostDiscoveryKeyword	A keyword used for host discovery.

GetHostDiscoveryNameserverResponse

{
  "hostDiscoveryNameserver": {
    "hostname": "ns1.hardenize.com",
    "punyHostname": "ns1.hardenize.com",
    "createdOn": "2020-06-10T15:36:49.044Z",
    "enabled": false,
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name	Type	Description
hostDiscoveryNameserver*	HostDiscoveryNameserver	A keyword used for host discovery.

GetAccessControlConfigResponse

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

Current network access configuration.

Properties

Name	Type	Description
apiNetworks*	[string]	List of network address ranges from which access to the API should be allowed. Empty list means no restrictions.
apiNetworksCascade*	string	If set to true, the configured API whitelist is enforced on all child organizations.
appNetworks*	[string]	List of network address ranges from which access to the web application should be allowed. Empty list means no restrictions.
appNetworksCascade*	string	If set to true, the configured web application whitelist is enforced on all child organizations.

Enumerated Values

Property	Value
apiNetworksCascade	disabled
apiNetworksCascade	enabled
appNetworksCascade	disabled
appNetworksCascade	enabled

GetIssueResponse

{
  "integration": {
    "issueId": 10001,
    "revision": 1,
    "definitionId": "DNS1001",
    "subject": "OPAQUE",
    "subjectDomain": "example.com",
    "title": "Dangling Resource Record",
    "category": "DNS",
    "severity": "high",
    "cause": "OPAQUE",
    "causeDomain": "nxdomain.example.com",
    "causeIp": "192.168.1.1",
    "open": true,
    "status": "active",
    "auto": true,
    "autoOpen": true,
    "autoPreservedStatus": "string",
    "createdOn": "2022-06-17T00:00:00Z",
    "lastClosed": "2022-06-17T00:00:00Z",
    "lastUpdated": "2022-06-17T00:00:00Z",
    "lastChecked": "2022-06-17T00:00:00Z",
    "lastConfirmed": "2022-06-17T00:00:00Z",
    "snoozedUntil": "2022-06-17T00:00:00Z",
    "details": {
      "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
      "rrDomain": "example.com",
      "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
      "rrType": "SRV",
      "danglingType": "nxdomain",
      "causeDomain": "nxdomain.example.com"
    }
  }
}

Properties

Name	Type	Description
integration	Issue	none

SetupAwsIntegrationsResponse

{
  "externalId": "hardenize-1uspdz"
}

Information needed to set up an AWS integration.

Properties

Name	Type	Description
externalId*	string	The `externalId` parameter to use when creating the integration AWS role.

SetupGcpIntegrationsResponse

{
  "serviceAccount": "integration-customer-abc123@hardenize-app-production.iam.gserviceaccount.com"
}

Information needed to set up a GCP integration.

Properties

Name	Type	Description
serviceAccount*	string	Email address of the service account you need to grant access for

GetMfaConfigResponse

{
  "mfaRequired": true
}

The current multi-factor authentiction (MFA) configuration.

Properties

Name	Type	Description
mfaRequired*	boolean	If set, all users must have multi-factor enabled in order to access this organization.

UpdateAwsIntegrationConfig

{
  "accountId": "123456789012"
}

Properties

Name	Type	Description
accountId	string	The account identifier of the AWS Role created for this integration. The identifier is just the number part of the entire Amazon Role Number (ARN) string.

UpdateAzureIntegrationConfig

{
  "clientId": "a85f9541-6472-054d-af7b-802663282441",
  "tenantId": "384be286-81d3-4642-e7a3-7faae3a9fd43",
  "secret": "2q4xUYw/rTp3qoJ9x=pP.KXwUq?mnPO/"
}

Properties

Name	Type	Description
clientId	string	Azure client identifier.
tenantId	string	Azure tenant identifier.
secret	string	Azure secret token.

UpdateCloudflareIntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu",
  "authKey": "a986c4a2d345acd9663018742f3600bf9edba",
  "email": "postmaster@example.com"
}

Properties

Name	Type	Description
apiKey	string	The Cloudflare API key
authKey	string	Cloudflare global api key (legacy auth)
email	string	none

UpdateCscIntegrationConfig

{
  "apiKey": "23g923guh3uh2gj2dokd",
  "bearerToken": "483fabc7-1234-4321-f12f-f48a8de8f3cf"
}

Properties

Name	Type	Description
apiKey	string	The CSC API key
bearerToken	string	The CSC API bearer token

UpdateDigiCertIntegrationConfig

{
  "apiKey": "52YEKYDT7FARJTGWCN5B7K7YNME3APZOMP4X"
}

Properties

Name	Type	Description
apiKey	string	The DigiCert API key

UpdateGcpIntegrationConfig

{
  "project": "green-lantern-324920"
}

Properties

Name	Type	Description
project	string	The GCP project name

UpdateMarkMonitorIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

Properties

Name	Type	Description
username	string	The MarkMonitor API username
password	string	The MarkMonitor API password

UpdateSafenamesIntegrationConfig

{
  "username": "user",
  "password": "pass"
}

Properties

Name	Type	Description
username	string	The Safenames username
password	string	The Safenames password

UpdateNs1IntegrationConfig

{
  "apiKey": "uhhiGI7ghuoiuhIU2feu"
}

Properties

Name	Type	Description
apiKey	string	The DigiCert API key

UpdateIntegrationRequest

{
  "name": "My Test Integration",
  "ref": "348394209898",
  "tags": [
    "production"
  ],
  "enabled": true,
  "config": {
    "accountId": "123456789012"
  }
}

This object is designed to carry the information you wish to use to update a particular integration. Include only the fields you wish to change; all other fields will remain unchanged. The data in the config field must be appropriate for the integration type.

Properties

Name	Type	Description
name	string	Name to assign to integration. Must be unique.
ref	string	Integration reference; this field should contain the other party's unique account identifier, enabling you to know exactly which account we're connecting to.
tags	[string]	A list of tags. Tags are added to resources fetched from your configured integration. Tag names can use only letters and digits.
enabled	boolean	Whether or not the integration should be enabled immediately.
config	any	Integration-specific configuration parameters, matching the selected integration as specified in the `type` parameter.

oneOf

Name	Type	Description
» anonymous	UpdateAwsIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateAzureIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateCloudflareIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateCscIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateDigiCertIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateGcpIntegrationConfig	none

xor

Name	Type	Description
» anonymous	UpdateNs1IntegrationConfig	none

GetIdentityResponse

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2023-09-22T15:34:49.718Z",
    "lastSeen": "2023-09-22T15:34:49.718Z",
    "lastCheck": "2023-09-22T15:34:49.718Z",
    "error": "Not a unique identity.",
    "errorTime": "2023-09-22T15:34:49.718Z"
  }
}

Properties

Name	Type	Description
identity*	Identity	This object represents an identity.

Identity

{
  "identityId": 11113,
  "type": "dns_soa_rname",
  "enabled": true,
  "identity": "postmaster@example.com",
  "createdOn": "2023-09-22T15:34:49.718Z",
  "lastSeen": "2023-09-22T15:34:49.718Z",
  "lastCheck": "2023-09-22T15:34:49.718Z",
  "error": "Not a unique identity.",
  "errorTime": "2023-09-22T15:34:49.718Z"
}

This object represents an identity.

Properties

Name	Type	Description
identityId*	integer	A unique identifier which you can use to refer to a particular identity when updating.
type*	string	The type of identity, for example WHOIS registrant or email address.
enabled*	boolean	If this identity is enabled for discovery
identity*	string	The identity text.
createdOn*	string(date-time)	Indicates when was the first time we observed this identity.
lastSeen*	string(date-time)	Indicates the last time we observed this identity.
lastCheck	string(date-time)	Indicates the last time we looked for new assets connected to this identity.
error	string	The text of the error message. If an error ocurrs, the identity may be disabled. This may happen if a shared identity is initially added as unique, but later determined to actually be shared.
errorTime	string(date-time)	Contains the time of the most recent error related to this identity.

Enumerated Values

Property	Value
type	cert_dn_o
type	dns_mx
type	dns_soa_rname
type	whois_email
type	whois_registrant

GetIntegrationResponse

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2023-09-22T15:34:49.718Z",
    "nextRunTime": "2023-09-22T15:34:49.718Z",
    "lastRunTime": "2023-09-22T15:34:49.718Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Properties

Name	Type	Description
integration*	Integration	Represents a third-party integration.

UpdateIntegrationResponse

{
  "integration": {
    "integrationId": 1,
    "name": "My Test Integration",
    "ref": "348394209898",
    "type": "aws",
    "enabled": true,
    "tags": [
      "production"
    ],
    "error": "Invalid credentials for logging in to integration",
    "errorTime": "2023-09-22T15:34:49.718Z",
    "nextRunTime": "2023-09-22T15:34:49.718Z",
    "lastRunTime": "2023-09-22T15:34:49.718Z",
    "lastRunErrors": [
      "Unable to obtain list of registered domain names."
    ],
    "config": {
      "accountId": "string"
    }
  }
}

Properties

Name	Type	Description
integration*	Integration	Represents a third-party integration.

UpdateMfaConfigRequest

{
  "mfaRequired": true
}

Desired changes to the multi-factor authentication cofiguration.

Properties

Name	Type	Description
mfaRequired	boolean	If set, all users must have multi-factor enabled in order to access this organization.

UpdateMfaConfigResponse

{
  "mfaRequired": true
}

The multi-factor authentiction (MFA) configuration after a successful update operation.

Properties

Name	Type	Description
mfaRequired*	boolean	If set, all users must have multi-factor enabled in order to access this organization.

GetNetworkScanningConfigResponse

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

The current network scanning configuration.

Properties

Name	Type	Description
netscanStatic*	boolean	If set, scaning of static networks is enabled. For the scanning to take place, individual networks must be explicitly configured for scanning.
netscanDynamic*	boolean	If set to true, scanning of dynamic IP addresses resolved from the organization's hostnames is enabled.
monitorCloudIps*	boolean	If set to true, scanning of IP addresses discovered by cloud integrations is enabled.
netscanExclusions*	[cidr]	Contains a list of network ranges that will be excluded from network scaning.

GetSamlConfigResponse

{
  "enabled": true,
  "idpMetadata": "string"
}

The current SAML configuration.

Properties

Name	Type	Description
enabled*	boolean	If set, SAML will be available during sign in, provided the IdP metadata has been correctly configured.
idpMetadata	string	Identity Provider (IdP) metadata XML.

UpdateSamlConfigRequest

{
  "enabled": true,
  "idpMetadata": "string"
}

Encapsulates desired changes to the SAML cofiguration.

Properties

Name	Type	Description
enabled	boolean	If set, enables SAML for this organization. Requires correctly configured IdP metadata.
idpMetadata	string	Identity Provider (IdP) metadata XML. To remove existing metadata, set this value to an empty string. This will be detected and the field will be set to null.

UpdateSamlConfigResponse

{
  "enabled": true,
  "idpMetadata": "string"
}

The SAML configuration after a successful update operation.

Properties

Name	Type	Description
enabled*	boolean	If set, SAML will be available during sign in, provided the IdP metadata has been correctly configured.
idpMetadata	string	Identity Provider (IdP) metadata XML.

OperationStatus

{
  "id": "6e7b190fa8d4ba14f707",
  "done": true,
  "statusCode": 200,
  "contentType": "application/json; charset=UTF-8",
  "pages": 10,
  "rows": 2494,
  "rowsPerPage": 250
}

Properties

Name	Type	Description
id*	string	Unique operation identifier.
done*	boolean	If `false`, indicates that the operation is still in progress. If `true`, indicates that all processing ended.
statusCode	integer	HTTP status code of the operation, typically 200 (completed), 400 (bad request), 404 (requested data not found), 410 (operation cancelled), 500 (internal server error), 502 (remote server or service malfunctioned), and 503 (remote server or service not available). This field is available only after operation completes.
contentType	string	The content type associated with operation results.
pages	integer	How many pages there there in the operation result.
rows	integer	Total number of rows in the operation result.
rowsPerPage	integer	How many rows there are in each result page.

FetchDigiCertOrderRequest

{}

This object is currently only a placeholder that's used to support adding additional fetch parameters in the future. For now, only an empty object is required to be included in the request body.

Properties

None

GetOrgResponse

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Properties

Name	Type	Description
suborg	Organization	none

Group

{
  "id": "production",
  "name": "Production",
  "auto": true,
  "tags": [
    "production"
  ]
}

The Group object represents one account group.

Properties

Name	Type	Description
id*	string	none
name*	string	none
auto*	boolean	True if this group is an auto-group.
tags	[string]	Tags associated with this group. Auto-groups only.

HdbCertsByHostSuffixRequest

{
  "host": "example.com",
  "includeExactMatch": true,
  "includeWildcardMatch": true,
  "includeSubDomains": true,
  "includePem": true,
  "limit": 100
}

Parameters for a HDB search of public certificates by host suffix. You must supply at least one of includeExactMatch, includeWildcardMatch or includeSubDomains.

Properties

Name	Type	Description
host*	string	Host suffix to search by (e.g., example.com).
includeExactMatch	boolean	Include certificates containing the exact hostname. Default: false.
includeWildcardMatch	boolean	Include certificates that match the host suffix due to containing a wildcard in them. For example, for www.example.com, a wildcard match would include certificates with *.example.com. Default: false.
includeSubDomains	boolean	Include certificates containing any subdomain of the supplied host suffix. Default: false.
includePem	boolean	Include the raw certificate in PEM format. Default: false.
limit	integer	Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit.

HdbCertsByKeywordRequest

{
  "keyword": "example",
  "includePem": true,
  "limit": 100
}

Parameters for a HDB search of public certificates by keyword.

Properties

Name	Type	Description
keyword*	string	The keyword to be used in the search.
includePem	boolean	Include the raw certificate in PEM format. Default: false.
limit	integer	Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit.

HdbCertsBySpkiRequest

{
  "spki": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "includePem": true,
  "limit": 100
}

Parameters for a HDB search of public certificates by SPKI.

Properties

Name	Type	Description
spki*	string	SHA256 hash of the requested SPKI.
includePem	boolean	Include the raw certificate in PEM format. Default: false.
limit	integer	Limits the number of results in the response. The actual limit is going to be the lower of the value in this field and the current organization limit.

HdbCertResponse

{
  "cert": {
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "unpacked": {
      "label": "www.example.com",
      "subject": "CN=www.example.com",
      "commonNames": [
        "www.example.com"
      ],
      "san": [
        "mail.example.com"
      ],
      "ski": "af47cb938e299991ec6538685ec20affbf817b2f",
      "issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
      "issuer": "Let's Encrypt Authority X3",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
      "notBefore": "2023-09-22T15:34:49.720Z",
      "notAfter": "2023-09-22T15:34:49.720Z",
      "issuerUrls": [
        "http://cert.int-x3.letsencrypt.org/"
      ],
      "crlUrls": [
        "http://crl.pki.goog/GTS1O1.crl"
      ],
      "ocspUrls": [
        "http://ocsp.pki.goog/gts1o1"
      ],
      "fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
      "fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
      "keyUsage": [
        "keyEncipherment"
      ],
      "extendedKeyUsage": [
        "serverAuth"
      ],
      "scts": [
        {
          "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
          "logName": "DigiCert Yeti2020 Log",
          "timestamp": "2023-09-22T15:34:49.720Z"
        }
      ],
      "mustStaple": true,
      "sigAlg": {
        "oid": "1.2.840.113549.1.1.11",
        "name": "SHA256withRSA"
      },
      "subjectKey": {
        "algName": "RSA",
        "bits": 2048,
        "strength": 112,
        "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
      },
      "ca": true,
      "caPathLen": 1
    }
  }
}

A single certificate returned by a HDB search.

Properties

Name	Type	Description
cert*	HdbCert	A certificate as returned by a HDB search.

HdbCertsListResponse

{
  "certs": [
    {
      "sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "subject": "CN=www.example.com",
      "notAfter": "2023-09-22T15:34:49.720Z",
      "names": [
        "example.com"
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM="
    }
  ]
}

A list of certificates as returned by a HDB search.

Properties

Name	Type	Description
certs*	[HdbCertsListCert]	[A certificate as returned by a HDB search.]

HdbCertsListCert

{
  "sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
  "subject": "CN=www.example.com",
  "notAfter": "2023-09-22T15:34:49.720Z",
  "names": [
    "example.com"
  ],
  "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM="
}

A certificate as returned by a HDB search.

Properties

Name	Type	Description
sha256*	string	SHA256 hash of the certificate.
spkiSha256*	string	Hex-encoded SHA256 of the certificate's SPKI component.
subject*	string	Certificate subject Distinguished Name in text format.
notAfter*	string(date-time)	ISO 8601 timestamp.
names	[string]	none
pem	string	Base64-encoded certificate in DER format.

HdbCert

{
  "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
  "unpacked": {
    "label": "www.example.com",
    "subject": "CN=www.example.com",
    "commonNames": [
      "www.example.com"
    ],
    "san": [
      "mail.example.com"
    ],
    "ski": "af47cb938e299991ec6538685ec20affbf817b2f",
    "issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
    "issuer": "Let's Encrypt Authority X3",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
    "notBefore": "2023-09-22T15:34:49.720Z",
    "notAfter": "2023-09-22T15:34:49.720Z",
    "issuerUrls": [
      "http://cert.int-x3.letsencrypt.org/"
    ],
    "crlUrls": [
      "http://crl.pki.goog/GTS1O1.crl"
    ],
    "ocspUrls": [
      "http://ocsp.pki.goog/gts1o1"
    ],
    "fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
    "fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
    "keyUsage": [
      "keyEncipherment"
    ],
    "extendedKeyUsage": [
      "serverAuth"
    ],
    "scts": [
      {
        "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
        "logName": "DigiCert Yeti2020 Log",
        "timestamp": "2023-09-22T15:34:49.720Z"
      }
    ],
    "mustStaple": true,
    "sigAlg": {
      "oid": "1.2.840.113549.1.1.11",
      "name": "SHA256withRSA"
    },
    "subjectKey": {
      "algName": "RSA",
      "bits": 2048,
      "strength": 112,
      "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
    },
    "ca": true,
    "caPathLen": 1
  }
}

A certificate as returned by a HDB search.

Properties

Name	Type	Description
pem*	string	Base64-encoded certificate in DER format.
unpacked	UnpackedCert	Various information parsed from the certificate.

Host

{
  "hostname": "🔥.hardenize.com",
  "punyHostname": "xn--4v8h.hardenize.com",
  "createdOn": "2023-09-22T15:34:49.721Z",
  "status": "archived",
  "axfr": "enabled",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "algorithm": "HMAC_MD5",
    "name": "thename"
  },
  "lastAxfrTime": "2023-09-22T15:34:49.721Z",
  "axfrError": "string",
  "lastAxfrErrorTime": "2023-09-22T15:34:49.721Z",
  "lastRegLookupTime": "2023-09-22T15:34:49.721Z",
  "origin": "hdb",
  "originInfo": {
    "net": {
      "host": "aspmx.l.google.com",
      "address": "2a00:1450:400c:c00:0:0:0:1b",
      "port": 25,
      "protocol": "smtp"
    }
  },
  "nx": true,
  "nxTime": "2023-09-22T15:34:49.721Z",
  "regRegistry": true,
  "regPublic": true,
  "regNx": false,
  "regNxTime": "2023-09-22T15:34:49.721Z",
  "lastAssessmentTime": "2023-09-22T15:34:49.721Z",
  "assessmentError": "Host not found",
  "lastAssessmentAttemptTime": "2023-09-22T15:34:49.721Z",
  "groups": [
    "my_group"
  ],
  "tags": [
    "production"
  ],
  "config": {}
}

The Host object represents one of your hosts that resides in our database.

Properties

Name	Type	Description
hostname*	string	A fully-qualified domain name.
punyHostname	string	A fully-qualified domain name, as Punycode.
createdOn*	string(date-time)	none
status*	string	This host's monitoring status. If the status is `monitored`, we're going to use all account features to monitor this host, including active network monitoring. If the status is `idle`, we're going to use only passive information gathering (e.g., via Certificate Transparency). If the status is `archived`, we're not going to perform any host-related activity, but existing data will be preserved. This status is intended for use with hosts that are no longer of interest, but whose history should be preserved.
axfr	string	If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to `auto` which is a setting that is reserved for a future expansion and currently has the same meaning as `disabled`. To enable zone transfers, change the value of this field to `enabled`.
axfrHost	string	Instead of doing AXFRs from the primary nameserver as per the zone's SOA record, use this hostname or IP address instead.
axfrTsig	HostAxfrTsig	none
lastAxfrTime	string(date-time)	The time of the last successful zone transfer.
axfrError	string	The error message associated with the last unsuccessful zone transfer.
lastAxfrErrorTime	string(date-time)	The time of the last unsuccessful zone transfer.
lastRegLookupTime	string(date-time)	The time of the last successful domain registration lookup
origin*	string	Indication of where this host came from.
originInfo	OriginInfo	Further information about the origin. For example, if the origin is `cert`, then this field will identify the actual certificate.
nx*	boolean	If true, this host effectively doesn't exist in the DNS.
nxTime	string(date-time)	When `nx` is true, this field contains the timestamp of when we first detected that it no longer exists in the DNS.
regRegistry*	boolean	True if this host is a registrable domain name under a registry (IANA) suffix. If this field is true then `regPublic` will also be true. Updated based on the latest Public Suffix List information.
regPublic*	boolean	True if this host is a registrable domain name under any public suffix. This field can be true when `regRegistry` is not. Updated based on the latest Public Suffix List information.
regNx	boolean	If true, this field indicates that the registrable domain doesn't exist. Absent if the host is not a registrable domain name.
regNxTime	string(date-time)	When `regNx` is true, this field contains the timestamp of when we first detected that the registrable domain name no longer exists.
lastAssessmentTime	string(date-time)	The time of the last successful assessment.
assessmentError	string	Error message, which is available only if the last assessment resulted in an error.
lastAssessmentAttemptTime	string(date-time)	When was the last assessment attempted?
groups*	[string]	Under Development: Identifiers of all groups this host belongs to.
tags*	[string]	none
config	object	Under Development: This field is an object that contains detailed host configuration. It's not fully documented at this time because we're still working on the data model. You can use the data in this field if it's useful to you, but do note that the format is very likely to change.

Enumerated Values

Property	Value
status	archived
status	idle
status	monitored
axfr	auto
axfr	enabled
axfr	disabled
origin	cert
origin	ct
origin	hdb
origin	manual

HostAxfrTsig

{
  "algorithm": "HMAC_MD5",
  "name": "thename"
}

Properties

Name	Type	Description
algorithm*	string	Axfr transfer algorithm
name*	string	Axfr transfer name

Enumerated Values

Property	Value
algorithm	HMAC_MD5
algorithm	HMAC_SHA1
algorithm	HMAC_SHA224
algorithm	HMAC_SHA256
algorithm	HMAC_SHA384
algorithm	HMAC_SHA512

HostDiscovery

{
  "discoveryId": 11113,
  "autoResolved": false,
  "hostname": "www.🔥.hardenize.com",
  "discoveredTime": "2023-09-22T15:34:49.721Z",
  "origin": "hdb",
  "originInfo": {
    "net": {
      "host": "aspmx.l.google.com",
      "address": "2a00:1450:400c:c00:0:0:0:1b",
      "port": 25,
      "protocol": "smtp"
    }
  },
  "matchInfo": {
    "certdno": {
      "o": "Cloudflare, Inc."
    },
    "integration": {
      "name": "AWS Production",
      "type": "aws",
      "ref": "string"
    },
    "keyword": {
      "matches": [
        {
          "encoding": "ascii",
          "keyword": "string",
          "matchPosition": "anywhere",
          "matchScope": "all",
          "search": "bitSquatting"
        }
      ]
    },
    "mx": {
      "mx": "mail.example.com"
    },
    "nameserver": {
      "matches": [
        {
          "name": "ns1.hardenize.com",
          "firstSeen": "2021-09-21T15:32:02.322Z"
        }
      ]
    },
    "rname": {
      "email": "postmaster@example.com"
    },
    "whois": {
      "keywords": [
        "example.com"
      ]
    }
  },
  "matchCertDNO": false,
  "matchIntegration": true,
  "matchKeyword": false,
  "matchMx": false,
  "matchNameserver": false,
  "matchSubdomain": false,
  "matchRname": false,
  "matchWhois": false,
  "resolution": "pending",
  "updatedTime": "2023-09-22T15:34:49.721Z"
}

This object represents our discovery of a host which might be relevant to your organization.

Properties

Name	Type	Description
discoveryId*	integer	A unique identifier which you can use to refer to a particular host discovery when updating
autoResolved*	boolean	We may have automatically resolved your discovery. If we have, this will be set to true
hostname*	string	The hostname that we discovered, that we think might be relevant to you
discoveredTime	string(date-time)	The date and time that we made this particular discovery
origin*	string	The location at which we discovered the hostname.
originInfo	OriginInfo	Further information about the origin. For example, if the origin is `cert`, then this field will identify the actual certificate.
matchInfo	MatchInfo	Information describing how the discovery came about.
matchCertDNO	boolean	True if discovery matched a certificates DN O field
matchIntegration	boolean	True if discovery was via a configured integration.
matchKeyword	boolean	True if discovery matched a keyword.
matchMx	boolean	True if discovery was via our DNS MX lookup.
matchNameserver	boolean	True if discovery was via our nameserver lookup.
matchSubdomain	boolean	True if discovery is a subdomain of a known host.
matchRname	boolean	True if discovery was via our DNS SOA RNAME lookup.
matchWhois	boolean	True if discovery was via our whois lookup.
resolution*	string	The current resolution state of the discovery. This is usually set to "pending" to indicate that you should resolve the discovery in some manner.
updatedTime	string(date-time)	The date and time that this discovery was last updated

Enumerated Values

Property	Value
origin	cert
origin	ct
origin	hdb
origin	manual
resolution	pending
resolution	own
resolution	supplier
resolution	unrelated
resolution	infringing
resolution	phishing

HostDiscoveryKeyword

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ],
  "error": "Disabled due to too many matches: 10000",
  "errorTime": "2020-06-12T15:00:00.011Z"
}

A keyword used for host discovery.

Properties

Name	Type	Description
keyword*	string	The text to match with. Must consist of only lowercase letters, digits, dashes, and periods. It also must contain at least 5 characters and not more than 32.
enabled*	boolean	Indicates if the keyword is currently active.
matchScope*	string	Determines what type of results the keyword will look for.
matchPosition*	string	Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant.
matchExact*	boolean	If set, enables exact matching.
matchFuzzy*	boolean	If set, enables fuzzy matching.
matchConfusables*	boolean	If set, enables mathing of confusable characters and homographes.
exclusions*	[string]	Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored.
error	string	If keyword had been disabled because of an error, this field contains the error message.
errorTime	string(date-time)	If keyword had been disabled because of an error, this field contains the time the disabling took place.

Enumerated Values

Property	Value
matchScope	all
matchScope	domains
matchPosition	anywhere
matchPosition	label,
matchPosition	labelStart
matchPosition	labelEnd
matchPosition	labelStartOrEnd

HostDiscoveryNameserver

{
  "hostname": "ns1.hardenize.com",
  "punyHostname": "ns1.hardenize.com",
  "createdOn": "2020-06-10T15:36:49.044Z",
  "enabled": false,
  "error": "Disabled due to too many matches: 10000",
  "errorTime": "2020-06-12T15:00:00.011Z"
}

A keyword used for host discovery.

Properties

Name	Type	Description
hostname	string	A fully-qualified domain name.
punyHostname	string	A fully-qualified domain name, as Punycode.
createdOn	string(date-time)	Holds nameserver creation timestamp.
enabled	boolean	Indicates whether this nameserver is used for discovery. Nameservers are enabled by default and this field set to true. Nameservers that return too many matches (typically an indication of shared nameservers) will be disabled with an error message and timestamp provided.
error	string	When nameserver is disabled by the system, this field contains the error message that explains the problem.
errorTime	string(date-time)	Holds error timestamp; this is typically when the server had been disabled.

Integration

{
  "integrationId": 1,
  "name": "My Test Integration",
  "ref": "348394209898",
  "type": "aws",
  "enabled": true,
  "tags": [
    "production"
  ],
  "error": "Invalid credentials for logging in to integration",
  "errorTime": "2023-09-22T15:34:49.722Z",
  "nextRunTime": "2023-09-22T15:34:49.722Z",
  "lastRunTime": "2023-09-22T15:34:49.722Z",
  "lastRunErrors": [
    "Unable to obtain list of registered domain names."
  ],
  "config": {
    "accountId": "string"
  }
}

Represents a third-party integration.

Properties

Name	Type	Description
integrationId*	integer(int64)	Unique integration identifier.
name*	string	Integration name.
ref	string	Integration reference; this field should contain the other party's unique account identifier, enabling you to know exactly which account we're connecting to.
type*	string	Integration type
enabled*	boolean	Indicates if the integration is enabled.
tags*	[string]	none
error	string	If a fatal error occurs when we attemp to connect to the other party, the integration will be disabled; this field contains the error message.
errorTime	string(date-time)	The time when the error occured.
nextRunTime	string(date-time)	When an integration is enabled, this field indicates the next time it is scheduled to run.
lastRunTime	string(date-time)	If present, the last time the integration was attempted.
lastRunErrors	array	If any non-fatal errors are encountered, this field will contain the corresponding error messages. For example, if permissions are incorrectly configured, we may be able to connect to the third-party account but not perform all desired operations.
config*	any	Integration-specific configuration parameters, matching the selected integration as specified in the `type` parameter.

oneOf

Name	Type	Description
» anonymous	AwsIntegrationConfig	AWS integration parameters.

xor

Name	Type	Description
» anonymous	AzureIntegrationConfig	Azure integration parameters. Although we require the Azure secret token initially, to create an integration, we do not provide it via this API afterwards.

xor

Name	Type	Description
» anonymous	CloudflareIntegrationConfig	Cloudflare integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

xor

Name	Type	Description
» anonymous	CscIntegrationConfig	CSC integration parameters. Although we require the API key and bearer token initially, to create an integration, we do not provide them via this API afterwards.

xor

Name	Type	Description
» anonymous	DigiCertIntegrationConfig	DigiCert CertCentral integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

xor

Name	Type	Description
» anonymous	GcpIntegrationConfig	GCP integration parameters.

xor

Name	Type	Description
» anonymous	MarkMonitorIntegrationConfig	MarkMonitor integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

xor

Name	Type	Description
» anonymous	Ns1IntegrationConfig	NS1 integration parameters. Although we require the API key initially, to create an integration, we do not provide it via this API afterwards.

xor

Name	Type	Description
» anonymous	SafenamesIntegrationConfig	Safenames integration parameters. Although we require the password initially, to create an integration, we do not provide it via the API afterwards

Enumerated Values

Property	Value
type	aws
type	azure
type	cloudflare
type	csc
type	digicert
type	gcp
type	markmonitor
type	ns1
type	safenames

Issue

{
  "issueId": 10001,
  "revision": 1,
  "definitionId": "DNS1001",
  "subject": "OPAQUE",
  "subjectDomain": "example.com",
  "title": "Dangling Resource Record",
  "category": "DNS",
  "severity": "high",
  "cause": "OPAQUE",
  "causeDomain": "nxdomain.example.com",
  "causeIp": "192.168.1.1",
  "open": true,
  "status": "active",
  "auto": true,
  "autoOpen": true,
  "autoPreservedStatus": "string",
  "createdOn": "2022-06-17T00:00:00Z",
  "lastClosed": "2022-06-17T00:00:00Z",
  "lastUpdated": "2022-06-17T00:00:00Z",
  "lastChecked": "2022-06-17T00:00:00Z",
  "lastConfirmed": "2022-06-17T00:00:00Z",
  "snoozedUntil": "2022-06-17T00:00:00Z",
  "details": {
    "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
    "rrDomain": "example.com",
    "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
    "rrType": "SRV",
    "danglingType": "nxdomain",
    "causeDomain": "nxdomain.example.com"
  }
}

Properties

Name	Type	Description
issueId*	integer	Unique issue identifier.
revision*	integer	Issue revision. Starts at 1 and increments every time the issue is updated.
definitionId	string	Unique identifier of the definition from which this issue was created. Automatically created issues will always have this field set.
subject	string	Opaque value that identifies the subject of the issue. The subject describes the infrastructure element affected by the issue, for example a domain name. Provided for grouping and sorting purposes.
subjectDomain	string	If applicable, the domain name associated with the subject. Provided for grouping and sorting purposes.
title*	string	Descriptive issue title. Copied from the definition, if the issue has one.
category*	string	Issue category. Copied from the definition, if the issue has one, otherwise assigned at creation.
severity*	string	Issue severity.
cause	string	Opaque value that identifies the root cause of the issue. Provided for grouping and sorting purposes.
causeDomain	string	If applicable, the domain name associated with the cause. Provided for grouping and sorting purposes.
causeIp	string	If applicable, the IP address associated with the cause. Provided for grouping and sorting purposes.
open*	boolean	Indicates if this issue is open or closed.
status*	string	Describes the current issue status. Issues that are automatically created will use the `active` and `completed` statuses. An issue may become orphaned of the subject disappears or monitoring ceases.
auto*	boolean	If true, this issue was automatically created from a network observation, and will be automatically resolved once the problem has been addressed.
autoOpen	boolean	This field is used only with auto issue and tracks the status of the detected problem. Unlike issues themselves, which can be manually closed, this field always reflects what is observed at network level.
autoPreservedStatus	string	This field is used to preserve the status of an issue that is auto-closed. If we need to reopen the issue later, we will restore the correct status.
createdOn*	string(date-time)	Indicates when this issue was created.
lastClosed	string(date-time)	Indicates when this issue was last closed. An issue may have more than one timestamp in this field if it's closed then reopened.
lastUpdated*	string(date-time)	Indicates when this issue was last updated. This field will also be set immediately after an issue is created and the timestamp will be the same as in `createdOn`.
lastChecked	string(date-time)	Indicates when this issue was last checked. Always set for automatic issues.
lastConfirmed	string(date-time)	Indicates when this issue was last confirmed. Always set for automatic issues.
snoozedUntil	string(date-time)	If an issue is snoozed, this field contains an optional timestamp after which the issue will automatically be restored back to active status.
details	object	Contains issue-specific information. Issues are designed to track a variety of problems as well as notifications and other event types. For this reason, the main fields are generic in nature, but that's where this field comes in, to carry additiona data custom-tailored for the problem at hand. To interpret this object, examine the `@type` property and process it accordingly.

Enumerated Values

Property	Value
severity	info
severity	low
severity	medium
severity	high
severity	critical
severity	urgent
status	abandoned
status	active
status	bogus
status	completed
status	deprecated
status	ignored
status	orphaned
status	snoozed

ListAuditEventsResponse

{
  "events": [
    {
      "id": 10001,
      "actorType": "u",
      "actorId": "userId:12090749",
      "actorName": "Emma H. Webb <emma.h.webb@hardenize.com>",
      "timestamp": "2018-09-03T14:09:59.000Z",
      "remoteAddr": "18.233.176.231",
      "sessionId": "4F434AB4CCC199695C85DE2BC7A023AE",
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
      "resourceType": "user",
      "resourceId": "12090749",
      "action": "user.auth.succeeded",
      "status": 200,
      "details": {
        "method": "password"
      }
    }
  ]
}

Properties

Name	Type	Description
events	[AuditEvent]	[Contains information about one audit log event. ]

ListCertsResponse

{
  "certs": [
    {
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "validation": "dv",
      "notBefore": "2023-09-22T15:34:49.723Z",
      "notAfter": "2023-09-22T15:34:49.723Z",
      "effectiveNotAfter": "2023-09-22T15:34:49.723Z",
      "revokedOn": "2023-09-22T15:34:49.723Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "ECDSAwithSHA256",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "sanCount": 1,
      "caPathLen": -1,
      "wildcard": true,
      "selfSigned": false,
      "firstSeen": "2023-09-22T15:34:49.723Z",
      "lastSeen": "2023-09-22T15:34:49.723Z",
      "seenInstalled": true,
      "active": true,
      "precert": false,
      "duplicate": false,
      "managed": true,
      "ownership": "own",
      "matchesOrgHost": true,
      "symantecStatus": "symantecExcluded",
      "ctRequired": true,
      "ctCompliant": true,
      "ctLogs": [
        {
          "log": "ct.googleapis.com/rocketeer",
          "timestamp": 1533791245857,
          "index": 232455,
          "type": "cert",
          "sources": [
            "log",
            "tls"
          ]
        }
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
      "origin": "ct",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "parentHashes": [
        "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
        "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
      ],
      "parentHashesSource": "ct",
      "parentHashesComplete": true
    }
  ]
}

Properties

Name	Type	Description
certs*	[Certificate]	[Contains information about one certificate. ]

ListEventDestinationsResponse

{
  "eventDestinations": [
    {
      "destinationId": "pubsub://events/1/1005",
      "type": "pubsub",
      "project": "hz-events-pubsub",
      "topic": "projects/hz-events-pubsub/topics/ep-1-1005",
      "subscription": "ep-1-1005",
      "subscriberCredentials": "{\"type\": \"service_account\", \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\", \"client_id\": \"213792179274932\", \"token_uri\": \"https://oauth2.googleapis.com/token\", \"project_id\": \"hz-events-pubsub\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\n[REMOVED]\\n-----END PRIVATE KEY-----\\n\", \"client_email\": \"ep-1-1005@hz-events-pubsub.iam.gserviceaccount.com\", \"private_key_id\": \"b407bd79213dc1867aa45ab41e4e955961504f37\", \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/ep-1-1005%40hz-events-pubsub.iam.gserviceaccount.com\", \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\"}"
    }
  ]
}

Properties

Name	Type	Description
eventDestinations*	[EventDestination]	[Contains information about one destination that can be used to receive events. ]

ListEventHooksResponse

{
  "eventHooks": [
    {
      "id": "bfc384726b6447a4b70a171de49e466f",
      "hookType": "webhook",
      "eventTypes": [
        "ct.entry"
      ],
      "status": "enabled",
      "destination": "https://hardenize.com/webhooks/receive",
      "secret": "3685c06a966e4d0ea625d0b475719661"
    }
  ]
}

Properties

Name	Type	Description
eventHooks*	[EventHook]	[Event hook objects contain information pertaining to a destination to which events are delivered (pushed). ]

ListEventsResponse

{
  "events": [
    {
      "id": 10001,
      "type": "ct",
      "createdOn": "2023-09-22T15:34:49.724Z",
      "apiVersion": "0.14.0",
      "data": "{ \"field\": \"value\" }"
    }
  ]
}

Properties

Name	Type	Description
events*	[Event]	[Event objects are created in response to various things of interest that happen in your account. They are designed to be a generic storage and retrieval system that can carry arbitrary embedded objects, which are encoded in JSON format. The `type` fields is used as indicator as to which embedded object is stored in the `data` field. We also record the version of the API at the time the data object was created. Should there be differences in the format, you can use the `apiVersion` field to determine exactly how the data should be handled. ]

ListEventTypesResponse

{
  "eventTypes": [
    {
      "name": "ct",
      "available": true,
      "enabled": true
    }
  ]
}

Properties

Name	Type	Description
eventTypes*	[EventType]	[Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them. ]

GetHostResponse

{
  "host": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2023-09-22T15:34:49.724Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2023-09-22T15:34:49.724Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2023-09-22T15:34:49.724Z",
      "lastRegLookupTime": "2023-09-22T15:34:49.724Z",
      "origin": "hdb",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2023-09-22T15:34:49.724Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2023-09-22T15:34:49.724Z",
      "lastAssessmentTime": "2023-09-22T15:34:49.724Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2023-09-22T15:34:49.724Z",
      "groups": [
        "my_group"
      ],
      "tags": [
        "production"
      ],
      "config": {}
    }
  ]
}

Properties

Name	Type	Description
host*	[Host]	[The Host object represents one of your hosts that resides in our database.]

ListHostsResponse

{
  "hosts": [
    {
      "hostname": "🔥.hardenize.com",
      "punyHostname": "xn--4v8h.hardenize.com",
      "createdOn": "2023-09-22T15:34:49.725Z",
      "status": "archived",
      "axfr": "enabled",
      "axfrHost": "stealth.ns.example.com",
      "axfrTsig": {
        "algorithm": "HMAC_MD5",
        "name": "thename"
      },
      "lastAxfrTime": "2023-09-22T15:34:49.725Z",
      "axfrError": "string",
      "lastAxfrErrorTime": "2023-09-22T15:34:49.725Z",
      "lastRegLookupTime": "2023-09-22T15:34:49.725Z",
      "origin": "hdb",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "nx": true,
      "nxTime": "2023-09-22T15:34:49.725Z",
      "regRegistry": true,
      "regPublic": true,
      "regNx": false,
      "regNxTime": "2023-09-22T15:34:49.725Z",
      "lastAssessmentTime": "2023-09-22T15:34:49.725Z",
      "assessmentError": "Host not found",
      "lastAssessmentAttemptTime": "2023-09-22T15:34:49.725Z",
      "groups": [
        "my_group"
      ],
      "tags": [
        "production"
      ],
      "config": {}
    }
  ]
}

Properties

Name	Type	Description
hosts*	[Host]	[The Host object represents one of your hosts that resides in our database.]

ListHostDiscoveriesResponse

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2023-09-22T15:34:49.725Z",
      "origin": "hdb",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2023-09-22T15:34:49.725Z"
    }
  ]
}

Properties

Name	Type	Description
hostDiscoveries*	[HostDiscovery]	[This object represents our discovery of a host which might be relevant to your organization.]

ListHostDiscoveryKeywordsResponse

{
  "hostDiscoveryKeywords": [
    {
      "keyword": "hard",
      "enabled": true,
      "matchScope": "all",
      "matchPosition": "anywhere",
      "matchExact": true,
      "matchFuzzy": true,
      "matchConfusables": true,
      "exclusions": [
        "chard"
      ],
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Properties

Name	Type	Description
hostDiscoveryKeywords*	[HostDiscoveryKeyword]	[A keyword used for host discovery.]

ListHostDiscoveryNameserversResponse

{
  "hostDiscoveryNameservers": [
    {
      "hostname": "ns1.hardenize.com",
      "punyHostname": "ns1.hardenize.com",
      "createdOn": "2020-06-10T15:36:49.044Z",
      "enabled": false,
      "error": "Disabled due to too many matches: 10000",
      "errorTime": "2020-06-12T15:00:00.011Z"
    }
  ]
}

Properties

Name	Type	Description
hostDiscoveryNameservers*	[HostDiscoveryNameserver]	[A keyword used for host discovery.]

ListIdentitiesResponse

{
  "identities": [
    {
      "identityId": 11113,
      "type": "dns_soa_rname",
      "enabled": true,
      "identity": "postmaster@example.com",
      "createdOn": "2023-09-22T15:34:49.726Z",
      "lastSeen": "2023-09-22T15:34:49.726Z",
      "lastCheck": "2023-09-22T15:34:49.726Z",
      "error": "Not a unique identity.",
      "errorTime": "2023-09-22T15:34:49.726Z"
    }
  ]
}

Properties

Name	Type	Description
identities*	[Identity]	[This object represents an identity.]

ListIntegrationsResponse

{
  "integrations": [
    {
      "integrationId": 1,
      "name": "My Test Integration",
      "ref": "348394209898",
      "type": "aws",
      "enabled": true,
      "tags": [
        "production"
      ],
      "error": "Invalid credentials for logging in to integration",
      "errorTime": "2023-09-22T15:34:49.726Z",
      "nextRunTime": "2023-09-22T15:34:49.726Z",
      "lastRunTime": "2023-09-22T15:34:49.726Z",
      "lastRunErrors": [
        "Unable to obtain list of registered domain names."
      ],
      "config": {
        "accountId": "string"
      }
    }
  ]
}

Properties

Name	Type	Description
integrations*	[Integration]	[Represents a third-party integration. ]

ListIssuesResponse

{
  "issues": [
    {
      "issueId": 10001,
      "revision": 1,
      "definitionId": "DNS1001",
      "subject": "OPAQUE",
      "subjectDomain": "example.com",
      "title": "Dangling Resource Record",
      "category": "DNS",
      "severity": "high",
      "cause": "OPAQUE",
      "causeDomain": "nxdomain.example.com",
      "causeIp": "192.168.1.1",
      "open": true,
      "status": "active",
      "auto": true,
      "autoOpen": true,
      "autoPreservedStatus": "string",
      "createdOn": "2022-06-17T00:00:00Z",
      "lastClosed": "2022-06-17T00:00:00Z",
      "lastUpdated": "2022-06-17T00:00:00Z",
      "lastChecked": "2022-06-17T00:00:00Z",
      "lastConfirmed": "2022-06-17T00:00:00Z",
      "snoozedUntil": "2022-06-17T00:00:00Z",
      "details": {
        "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
        "rrDomain": "example.com",
        "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
        "rrType": "SRV",
        "danglingType": "nxdomain",
        "causeDomain": "nxdomain.example.com"
      }
    }
  ]
}

Properties

Name	Type	Description
issues	[Issue]	none

ListOrgsResponse

{
  "orgs": [
    {
      "id": "hardenize",
      "name": "Hardenize",
      "status": "active",
      "commercialStatus": "internal",
      "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
      "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
      "hostDiscoveryAutoimportSubdomains": true,
      "hostDiscoveryEnabled": true,
      "hostDiscoveryError": "string",
      "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
      "hostDiscoveryExcludeSuffixes": [
        "sub.example.com"
      ],
      "hostLimitHard": 10000,
      "hostDiscoveryLimitHard": 10000,
      "certLimitHard": 75000,
      "featureHostDiscovery": false,
      "featureMfa": false,
      "featureSaml": false
    }
  ]
}

Properties

Name	Type	Description
orgs*	[Organization]	none

ZoneTransferResponse

"string"

Zone data in plain text format.

Properties

Name	Type	Description
anonymous	string	Zone data in plain text format.

ListMonitorLocationsResponse

{
  "locations": [
    "atlanta",
    "frankfurt",
    "london",
    "miami",
    "sanjose",
    "saopaulo",
    "singapore",
    "sydney",
    "tokyo"
  ]
}

Properties

Name	Type	Description
locations*	[string]	none

ListNetworkRangesResponse

{
  "networkRanges": [
    {
      "label": "DC01 Public",
      "description": "Public IP range for London data center",
      "range": "192.168.1.0/24",
      "scan": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Properties

Name	Type	Description
networkRanges*	[NetworkRange]	none

ListReports0Response

{
  "reports": [
    {
      "hostname": "example.com",
      "status": "completed",
      "reportTime": "2018-10-10T15:36:49.044Z",
      "hasDnssec": true,
      "hasSmtp": true,
      "hasSmtpTls": true,
      "hasSmtpDane": true,
      "hasSpf": true,
      "hasDmarc": true,
      "hasHttp": true,
      "hasHttps": true,
      "hasHttpsDane": true,
      "hasHttpsRedirection": true,
      "hasHttpsTls12OrBetter": true,
      "hasSsl2": true,
      "hasSsl3": true,
      "hasTls10": true,
      "hasTls11": true,
      "hasTls12": true,
      "hasTls13": true,
      "supportsSsl2": true,
      "supportsSsl3": true,
      "supportsTls10": true,
      "supportsTls11": true,
      "supportsTls12": true,
      "supportsTls13": true,
      "hasHsts": true,
      "hasHstsPreloaded": true,
      "nameServers": "string",
      "dnssec": "string",
      "emailTls": "string",
      "emailDane": "string",
      "spf": "string",
      "dmarc": "string",
      "wwwTls": "string",
      "wwwDane": "string",
      "wwwXssProtection": "string",
      "wwwXssProtectionEnabled": true,
      "hsts": "string",
      "hpkp": "string",
      "cookies": "string",
      "mixedContent": "string",
      "securityHeaders": "string",
      "csp": "string"
    }
  ]
}

Properties

Name	Type	Description
reports*	[Report0]	[Contains a summary of one Hardenize assessment. The available fields fall into one of two categories. In the first category are boolean fields that indicate if a particular feature is present, for example, `hasTls` and `hasHsts`. In the second category are the fields that describe the quality of the configuration. These fields will take self-descriptive values such as `error`, `warning`, and `good`. The complete explanation of the possible values is available in the Report0Quality component. It is possible that a field is not present, which happens when the neither true nor false make sense. For example, if a host doesn't support TLS, the `hasHsts` field will not be in the report. ]

ListGroupsResponse

{
  "groups": [
    {
      "id": "production",
      "name": "Production",
      "auto": true,
      "tags": [
        "production"
      ]
    }
  ]
}

Properties

Name	Type	Description
groups*	[Group]	[The Group object represents one account group.]

MatchedCtEntry

{
  "log": "ct.googleapis.com/icarus",
  "index": 251676662,
  "timestamp": 1538747492396,
  "sha256": "7b72bbe8b7faeea24d9bd8ded5f057114a14ad503b33022b54b16603a8b074b7",
  "tbsSha256": "3b5893340f0b241c599b27a8e74a13177d5ba6e87f30f6fc5ddc2c3f069e6546",
  "precert": false,
  "subject": "CN=www.example.com",
  "issuer": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "hosts": [
    "example.com"
  ],
  "chain": [
    "MIIGJTCCBQ2gAwIBAgISA9CTYlAcEi7o1Cyk3RM9D6/JMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA1MDIxMTA2NTdaFw0xODA3MzExMTA2NTdaMBwxGjAYBgNVBAMTEWJvbm4tMDYucWx1ZWQubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy+muYgsZOUD2epeJwP6ToDmE6YeO9T+gsf9ACuLbrQqC5JZPy+AmREuo3dU3dkmBRoU9Brpmo/KMQavKueGVW3DpAIJKemGBC0yWNFgTho4+DAOvSM4odcB96HPFIh0vp13LH5og/wsNZwt+n56mrUTrcqnZYbUwugBghb0QCptwCnHnKOk2/YdRRraasgmiFWYeNjCqBUR5iKqmubgBoCqqkBYzWUhjWc7aySKYQFpSlZ2d3t0IilJp5sZq5pDiHa58G6fGZSh9TIAZvuvozW762cghBZgEF3wlvKy1joSAWLalPYQcsd0v2G9F7vJOu6Rf9HAbmdKqnu0i8TExjwIDAQABo4IDMTCCAy0wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQlgfnFoFLAegwCUrKiuz+Nu61SCDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMDMGA1UdEQQsMCqCEWJvbm4tMDYucWx1ZWQubmV0ghV3d3cuYm9ubi0wNi5xbHVlZC5uZXQwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3ANt0r+7LKeyx/so+cW0s5bmquzb3hHGDx12dTze2H79kAAABYyC/mssAAAQDAEgwRgIhAMnyq3/kzpvp7LcXm3JqeCjh1dMB0fZTv9pIvpPCS4GPAiEA9f+JLP1KKuaXnwr3rin4Y8tBG8a10YGaKT3RnJOs7wIAdgApPFGWVMg5ZbqqUPxYB9S3b79Yeily3KTDDPTlRUf0eAAAAWMgv5reAAAEAwBHMEUCIA1jzhkoel+MFmVIdspCwyKVdzZZsBwx8WiJixPju9ELAiEA4Xw2ABUkt3IK67G+GrABu1Ik+R/7BVFjo3GvMIRBJ+AwDQYJKoZIhvcNAQELBQADggEBAHKPt1cq8LEy0wmtmBoThNL6AevJz2WM/KRKBYvEHiXcLN3Z9a1eQ6c8g4A84AARBDgXUfkc3W29AIW0A5wTLVazUE5H7bIoiQJXT2Z6KMXxFqwx5pRu8f1oXUx3xLhJoHkDEGrbD5uy7j9bI25pI9g5obAY88es8ZFJz25PEozA2R/NpXZEnHVbvyOHx4Pr6z3ctuH+WWpK96jWEMBP5pAx5qXBYI5g9bHGy2nYuuq0ZIuOPVK1k7SlctBrrBJx2q1ANUaEfIyPjd2qsjfoI5//6Jn+jHDM1XrdvZ+7S60SDqXktwHS98o5jRZnGWLu1S6nVcHWQzjPBhiSvAukuJw=",
    "MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0NlowSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIGCCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9kc3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAwVAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcCARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwuY3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsFAAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJouM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwuX4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlGPfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg=="
  ],
  "matchedHosts": [
    "example.com"
  ]
}

Contains information extracted from a CT log entry that had been matched against an account and imported.

Properties

Name	Type	Description
log*	string	CT log URL, with the scheme omitted.
index*	integer(int64)	Milliseconds since January 1, 1970, excluding leap seconds, per CT RFC.
timestamp*	integer(int64)	This certificate's index in the referenced CT log.
sha256*	string	SHA256 hash of the leaf certificate/precertificate.
tbsSha256*	string	Hex-encoded SHA256 hash of the `TBSCertificate` structure. This value will be the same in the precertificate/certificate combo.
precert*	boolean	Indicator of whether the leaf is a precertificate.
subject*	string	Certificate subject Distinguished Name in text format.
issuer*	string	Certificate issuer Distinguished Name in text format.
hosts*	[string]	Hostnames and IP addresses extracted from the leaf certificate.
chain*	[string]	Certificate chain stored in the matched CT log entry.
matchedHosts*	[string]	List of account hosts that were matched against the CT log entry.

MatchInfo

{
  "certdno": {
    "o": "Cloudflare, Inc."
  },
  "integration": {
    "name": "AWS Production",
    "type": "aws",
    "ref": "string"
  },
  "keyword": {
    "matches": [
      {
        "encoding": "ascii",
        "keyword": "string",
        "matchPosition": "anywhere",
        "matchScope": "all",
        "search": "bitSquatting"
      }
    ]
  },
  "mx": {
    "mx": "mail.example.com"
  },
  "nameserver": {
    "matches": [
      {
        "name": "ns1.hardenize.com",
        "firstSeen": "2021-09-21T15:32:02.322Z"
      }
    ]
  },
  "rname": {
    "email": "postmaster@example.com"
  },
  "whois": {
    "keywords": [
      "example.com"
    ]
  }
}

Information describing how the discovery came about.

Properties

Name	Type	Description
certdno	MatchInfoCertDNO	none
integration	MatchInfoIntegration	none
keyword	MatchInfoKeyword	none
mx	MatchInfoMx	none
nameserver	MatchInfoNameserver	none
rname	MatchInfoRname	none
whois	MatchInfoWhois	none

MatchInfoCertDNO

{
  "o": "Cloudflare, Inc."
}

Properties

Name	Type	Description
o	string	Certificate DN, O field to use when searching for matching certs

MatchInfoIntegration

{
  "name": "AWS Production",
  "type": "aws",
  "ref": "string"
}

Properties

Name	Type	Description
name	string	Integration name, copied from the configuration.
type	string	Integration type.
ref	string	Integration reference (e.g., account ID), copied from the configuration.

MatchInfoKeyword

{
  "matches": [
    {
      "encoding": "ascii",
      "keyword": "string",
      "matchPosition": "anywhere",
      "matchScope": "all",
      "search": "bitSquatting"
    }
  ]
}

Properties

Name	Type	Description
matches	[MatchInfoKeywordMatch]	none

MatchInfoKeywordMatch

{
  "encoding": "ascii",
  "keyword": "string",
  "matchPosition": "anywhere",
  "matchScope": "all",
  "search": "bitSquatting"
}

Properties

Name	Type	Description
encoding	string	Whether match was made against an ASCII version of the name or the Unicode version.
keyword	string	The keyword that matched.
matchPosition	string	Where in the name the keyword matched.
matchScope	string	Keyword scope.
search	string	Indication of which algorithm caused the match.

Enumerated Values

Property	Value
encoding	ascii
encoding	unicode
matchPosition	anywhere
matchPosition	label
matchPosition	labelStart
matchPosition	labelEnd
matchPosition	labelStartOrEnd
matchScope	all
matchScope	domains
search	bitSquatting
search	confusables
search	hyphenation
search	insertion
search	omission
search	repetition
search	replacement
search	substring
search	transposition
search	vowelSwap

MatchInfoMx

{
  "mx": "mail.example.com"
}

Properties

Name	Type	Description
mx	string	MX hostname to use when searching for matching MX records

MatchInfoNameserver

{
  "matches": [
    {
      "name": "ns1.hardenize.com",
      "firstSeen": "2021-09-21T15:32:02.322Z"
    }
  ]
}

Properties

Name	Type	Description
matches	[MatchInfoNameserverMatch]	none

MatchInfoNameserverMatch

{
  "name": "ns1.hardenize.com",
  "firstSeen": "2021-09-21T15:32:02.322Z"
}

Properties

Name	Type	Description
name	string	Nameserver name.
firstSeen	string(date-time)	Timestamp of the first observation of this name.

MatchInfoRname

{
  "email": "postmaster@example.com"
}

Properties

Name	Type	Description
email	string	Email to use when searching for matching DNS SOA records

MatchInfoWhois

{
  "keywords": [
    "example.com"
  ]
}

Properties

Name	Type	Description
keywords	[string]	List of keywords used when search the whois

OriginInfo

{
  "net": {
    "host": "aspmx.l.google.com",
    "address": "2a00:1450:400c:c00:0:0:0:1b",
    "port": 25,
    "protocol": "smtp"
  }
}

Further information about the origin. For example, if the origin is cert, then this field will identify the actual certificate.

Properties

Name	Type	Description
net	OriginInfoNet	none

OriginInfoNet

{
  "host": "aspmx.l.google.com",
  "address": "2a00:1450:400c:c00:0:0:0:1b",
  "port": 25,
  "protocol": "smtp"
}

Properties

Name	Type	Description
host	string	Network hostname, when available.
address*	string	Network IPv4 or IPv6 address.
port*	integer	Network port.
protocol*	string	Network protocol.

Organization

{
  "id": "hardenize",
  "name": "Hardenize",
  "status": "active",
  "commercialStatus": "internal",
  "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
  "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
  "hostDiscoveryAutoimportSubdomains": true,
  "hostDiscoveryEnabled": true,
  "hostDiscoveryError": "string",
  "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostLimitHard": 10000,
  "hostDiscoveryLimitHard": 10000,
  "certLimitHard": 75000,
  "featureHostDiscovery": false,
  "featureMfa": false,
  "featureSaml": false
}

Properties

Name	Type	Description
id*	string	Unique ID of an organization. The value stored in this field is always relative to that of the parent organization. For example, if the parent's ID is `hardenize` and you created a new nested organization called `prod`, you will observe this shorter identifier in the API responses. If you wish to access the nested organization via the API, you will need to specify its full identifier, which would be `hardenize.prod`.
name*	string	Human-readable organization name.
status*	string	By default, an organization will be active immediately after it is created. If the status is changed to dormant, all operations and features in the account will be disabled, however the users will still be able to access the organization and the data in the account. If the status is changed to suspeneded, the organization will effectively become deleted from an external perspective. The deleted status is made available to enable delayed deletion of accounts. An organization with this status is expected to be deleted in the near future; for example, there could be a weekly process that obtains a list of all organizations scheduled for deletion and actually deletes them.
commercialStatus*	string	The `commercialStatus` field is used to track how a suborganization is used, for accounting and billing purposes. When creating a suborganization, select the value that's the most appropriate. Update the value as the status changes (e.g., from `trial` to `paying`).
apiUsername	string	The username that can be used to access this organization's API.
apiPassword	string	The password that can be used to access this organization's API. Because we don't store plaintext in our database, this field is available only immediately after the organization is created.
hostDiscoveryAutoimportSubdomains*	boolean	Determines if newly discovered subdomains (of known organization hosts) will be automatically added to the inventory.
hostDiscoveryEnabled*	boolean	Indicates if host discovery is enabled.
hostDiscoveryError	string	When host discovery is disabled because of an error (e.g., too many hosts discovered), this field contains the error message.
hostDiscoveryErrorTime	string(date-time)	Indicates the time of error.
hostDiscoveryExcludeSuffixes	[string]	If provided, this field is a list of domain suffixes that should be ignored during discovery.
hostLimitHard*	integer	Determines if there is a limit on the number of monitored hosts in the account. Set to -1 when there is no limit.
hostDiscoveryLimitHard*	integer	Hard limit on the number of host discoveries in the organization. Default: -1 (unlimited).
certLimitHard*	integer	Hard limit on the number of certificates in the organization.
featureHostDiscovery*	boolean	If set, host discovery is enabled for this organization.
featureMfa*	boolean	If set, multi-factor authentication is enabled for this organization.
featureSaml*	boolean	If set, SAML is enabled for this organization.

Enumerated Values

Property	Value
status	active
status	dormant
status	suspended
status	deleted
commercialStatus	free
commercialStatus	internal
commercialStatus	paying
commercialStatus	trial

NetworkRange

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "range": "192.168.1.0/24",
  "scan": true,
  "tags": [
    "production"
  ]
}

Properties

Name	Type	Description
label*	string	A short label to identify the network range.
description	string	A longer description of the purposes of the network range.
range*	string	The network range in CIDR format.
scan	boolean	Whether or not this network should be scanned.
tags	[string]	none

Report0

{
  "hostname": "example.com",
  "status": "completed",
  "reportTime": "2018-10-10T15:36:49.044Z",
  "hasDnssec": true,
  "hasSmtp": true,
  "hasSmtpTls": true,
  "hasSmtpDane": true,
  "hasSpf": true,
  "hasDmarc": true,
  "hasHttp": true,
  "hasHttps": true,
  "hasHttpsDane": true,
  "hasHttpsRedirection": true,
  "hasHttpsTls12OrBetter": true,
  "hasSsl2": true,
  "hasSsl3": true,
  "hasTls10": true,
  "hasTls11": true,
  "hasTls12": true,
  "hasTls13": true,
  "supportsSsl2": true,
  "supportsSsl3": true,
  "supportsTls10": true,
  "supportsTls11": true,
  "supportsTls12": true,
  "supportsTls13": true,
  "hasHsts": true,
  "hasHstsPreloaded": true,
  "nameServers": "string",
  "dnssec": "string",
  "emailTls": "string",
  "emailDane": "string",
  "spf": "string",
  "dmarc": "string",
  "wwwTls": "string",
  "wwwDane": "string",
  "wwwXssProtection": "string",
  "wwwXssProtectionEnabled": true,
  "hsts": "string",
  "hpkp": "string",
  "cookies": "string",
  "mixedContent": "string",
  "securityHeaders": "string",
  "csp": "string"
}

Contains a summary of one Hardenize assessment. The available fields fall into one of two categories. In the first category are boolean fields that indicate if a particular feature is present, for example, hasTls and hasHsts. In the second category are the fields that describe the quality of the configuration. These fields will take self-descriptive values such as error, warning, and good. The complete explanation of the possible values is available in the Report0Quality component.

It is possible that a field is not present, which happens when the neither true nor false make sense. For example, if a host doesn't support TLS, the hasHsts field will not be in the report.

Properties

Name	Type	Description
hostname*	string	none
status*	string	none
reportTime	string(date-time)	none
hasDnssec	boolean	none
hasSmtp	boolean	none
hasSmtpTls	boolean	none
hasSmtpDane	boolean	none
hasSpf	boolean	none
hasDmarc	boolean	none
hasHttp	boolean	none
hasHttps	boolean	none
hasHttpsDane	boolean	none
hasHttpsRedirection	boolean	none
hasHttpsTls12OrBetter	boolean	none
hasSsl2	boolean	none
hasSsl3	boolean	none
hasTls10	boolean	none
hasTls11	boolean	none
hasTls12	boolean	none
hasTls13	boolean	none
supportsSsl2	boolean	none
supportsSsl3	boolean	none
supportsTls10	boolean	none
supportsTls11	boolean	none
supportsTls12	boolean	none
supportsTls13	boolean	none
hasHsts	boolean	none
hasHstsPreloaded	boolean	none
nameServers	string(v0quality)	none
dnssec	string(v0quality)	none
emailTls	string(v0quality)	none
emailDane	string(v0quality)	none
spf	string(v0quality)	none
dmarc	string(v0quality)	none
wwwTls	string(v0quality)	none
wwwDane	string(v0quality)	none
wwwXssProtection	string(v0quality)	none
wwwXssProtectionEnabled	boolean	none
hsts	string(v0quality)	none
hpkp	string(v0quality)	none
cookies	string(v0quality)	none
mixedContent	string(v0quality)	none
securityHeaders	string(v0quality)	none
csp	string(v0quality)	none

Enumerated Values

Property	Value
status	completed
status	failed
status	notAvailable

DmarcReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of results.
format	string	If set, returns results in the format specified. Default: JSON
tags	array	If set, returns results which contain at least one of the specified tags.

Enumerated Values

Property	Value
format	json
format	csv

DmarcReportResponse

{
  "dmarc": [
    {
      "key": "example.com",
      "policyText": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
    }
  ]
}

Properties

Name	Type	Description
dmarc	[DmarcReport]	none

DmarcReport

{
  "key": "example.com",
  "policyText": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
}

Properties

Name	Type	Description
key*	string	The domain name.
policyText*	string	The text of the DMARC policy.

DomainsReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of domains.
format	string	If set, returns domains in the format specified. Default: JSON

Enumerated Values

Property	Value
format	json
format	csv

DomainsReportResponse

{
  "domains": [
    {
      "name": "example.com",
      "punyName": "example.com",
      "dnsNx": false,
      "regNx": false,
      "lookupStatus": "OK",
      "registrant": "Privacy service provided by Withheld for Privacy ehf",
      "registrar": "NameCheap, Inc.",
      "statuses": [
        "clientTransferProhibited"
      ],
      "statusGood": true,
      "registrarLock": true,
      "registryLock": false,
      "registration": "2019-04-16T09:13:56Z",
      "expiration": "2024-04-16T09:13:56Z",
      "contactAbuse": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactAdmin": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactRegistrar": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactRegistrant": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      },
      "contactTechnical": {
        "type": "CONTACT_ABUSE",
        "firstName": "Redacted for Privacy",
        "organization": "Privacy service provided by Withheld for Privacy ehf",
        "street1": "Kalkofnsvegur 2",
        "city": "Reykjavik",
        "state": "Capital Region",
        "postcode": "101",
        "country": "IS",
        "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
        "phone": "+354.4212434"
      }
    }
  ]
}

Properties

Name	Type	Description
domains	[DomainsReport]	none

DomainsReport

{
  "name": "example.com",
  "punyName": "example.com",
  "dnsNx": false,
  "regNx": false,
  "lookupStatus": "OK",
  "registrant": "Privacy service provided by Withheld for Privacy ehf",
  "registrar": "NameCheap, Inc.",
  "statuses": [
    "clientTransferProhibited"
  ],
  "statusGood": true,
  "registrarLock": true,
  "registryLock": false,
  "registration": "2019-04-16T09:13:56Z",
  "expiration": "2024-04-16T09:13:56Z",
  "contactAbuse": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactAdmin": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactRegistrar": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactRegistrant": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  },
  "contactTechnical": {
    "type": "CONTACT_ABUSE",
    "firstName": "Redacted for Privacy",
    "organization": "Privacy service provided by Withheld for Privacy ehf",
    "street1": "Kalkofnsvegur 2",
    "city": "Reykjavik",
    "state": "Capital Region",
    "postcode": "101",
    "country": "IS",
    "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
    "phone": "+354.4212434"
  }
}

Properties

Name	Type	Description
name*	string	The domain name.
punyName*	string	The punycode representation of the domain name.
dnsNx*	boolean	Indicates whether the domain has DNSNX.
regNx*	boolean	Indicates whether the domain has RegNX.
lookupStatus	string	The lookup status of the domain.
registrant	string	The registrant of the domain.
registrar	string	The registrar of the domain.
statuses	[string]	The statuses associated with the domain.
statusGood	boolean	Status indicator (Good).
registrarLock	boolean	Registrar lock indicator.
registryLock	boolean	Registry lock indicator.
registration	string(date-time)	Domain registration date and time.
expiration	string(date-time)	Domain expiration date and time.
contactAbuse	Contact	none
contactAdmin	Contact	none
contactRegistrar	Contact	none
contactRegistrant	Contact	none
contactTechnical	Contact	none

Contact

{
  "type": "CONTACT_ABUSE",
  "firstName": "Redacted for Privacy",
  "organization": "Privacy service provided by Withheld for Privacy ehf",
  "street1": "Kalkofnsvegur 2",
  "city": "Reykjavik",
  "state": "Capital Region",
  "postcode": "101",
  "country": "IS",
  "email": "f57d2b70eab74dd7b4adf4e1ff147e0a.protect@withheldforprivacy.com",
  "phone": "+354.4212434"
}

Properties

Name	Type	Description
type	string	Type of contact.
firstName	string	First name of the contact.
organization	string	Organization of the contact.
street1	string	Street address of the contact.
city	string	City of the contact.
state	string	State or region of the contact.
postcode	string	Postal code of the contact.
country	string	Country of the contact.
email	string	Email address of the contact.
phone	string	Phone number of the contact.

IssuesReportRequest

{
  "type": "active",
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
type	string	if set, will filter the results with the specified type. Default: all
limit	integer	If set, returns only up to the specified number of issues.
format	string	If set, returns issues in the format specified. Default: JSON

Enumerated Values

Property	Value
type	all
type	active
type	orphaned
type	completed
type	ignored
type	snoozed
type	bogus
type	abandoned
type	deprecated
format	json
format	csv

IssuesReportResponse

{
  "issues": [
    {
      "issueId": 10001,
      "revision": 1,
      "definitionId": "DNS1001",
      "subject": "OPAQUE",
      "subjectDomain": "example.com",
      "title": "Dangling Resource Record",
      "category": "DNS",
      "severity": "high",
      "cause": "OPAQUE",
      "causeDomain": "nxdomain.example.com",
      "causeIp": "192.168.1.1",
      "open": true,
      "status": "active",
      "auto": true,
      "autoOpen": true,
      "autoPreservedStatus": "string",
      "createdOn": "2022-06-17T00:00:00Z",
      "lastClosed": "2022-06-17T00:00:00Z",
      "lastUpdated": "2022-06-17T00:00:00Z",
      "lastChecked": "2022-06-17T00:00:00Z",
      "lastConfirmed": "2022-06-17T00:00:00Z",
      "snoozedUntil": "2022-06-17T00:00:00Z",
      "details": {
        "@type": "hardenize/com.hardenize.schemas.dns.DanglingProblem",
        "rrDomain": "example.com",
        "rrEffectiveDomain": "_xmpp-server._tcp.example.com",
        "rrType": "SRV",
        "danglingType": "nxdomain",
        "causeDomain": "nxdomain.example.com"
      }
    }
  ]
}

Properties

Name	Type	Description
issues	[Issue]	none

IssuesReport

{
  "issueId": 0,
  "revision": 0,
  "definitionId": "string",
  "subject": "string",
  "subjectDomain": "string",
  "title": "string",
  "category": "string",
  "severity": "string",
  "cause": "string",
  "causeDomain": "string",
  "causeIp": {
    "holder": {
      "originalHostName": "string",
      "hostName": "string",
      "address": 0,
      "family": 0
    },
    "canonicalHostName": "string"
  },
  "open": true,
  "status": "string",
  "auto": true,
  "autoOpen": true,
  "autoPreservedStatus": "string",
  "createdOn": 0,
  "lastClosed": 0,
  "lastUpdated": 0,
  "lastChecked": 0,
  "lastConfirmed": 0,
  "snoozedUntil": 0,
  "details": {}
}

Properties

Name	Type	Description
issueId	integer	none
revision	integer	none
definitionId	string	none
subject	string	none
subjectDomain	string	none
title	string	none
category	string	none
severity	string	none
cause	string	none
causeDomain	string	none
causeIp	object	none
» holder	object	none
»» originalHostName	string	none
»» hostName	string	none
»» address	integer	none
»» family	integer	none
» canonicalHostName	string	none
open	boolean	none
status	string	none
auto	boolean	none
autoOpen	boolean	none
autoPreservedStatus	string	none
createdOn	integer	none
lastClosed	integer	none
lastUpdated	integer	none
lastChecked	integer	none
lastConfirmed	integer	none
snoozedUntil	integer	none
details	object	none

IpAddressReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of results.
format	string	If set, returns results in the format specified. Default: JSON

Enumerated Values

Property	Value
format	json
format	csv

IpAddressReportResponse

{
  "ipAddresses": [
    {
      "ip": "123.101.73.30",
      "cloudIntegrationAccountId": "1234567890",
      "cloudResourceType": "Virtual Machine",
      "cloudResourceId": "vm-12345",
      "cloudIntegrationName": "Azure Integration",
      "cloudIntegrationRef": "azure://subscription/123456",
      "cloudResourceName": "MyVM",
      "cloudResourceZone": "Zone-1",
      "cloudProvider": "Azure",
      "asNumber": "8075",
      "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
      "locCountryCode": "NL",
      "cloudRegion": "East US"
    }
  ]
}

Properties

Name	Type	Description
ipAddresses	[IpAddressReport]	none

IpAddressReport

{
  "ip": "123.101.73.30",
  "cloudIntegrationAccountId": "1234567890",
  "cloudResourceType": "Virtual Machine",
  "cloudResourceId": "vm-12345",
  "cloudIntegrationName": "Azure Integration",
  "cloudIntegrationRef": "azure://subscription/123456",
  "cloudResourceName": "MyVM",
  "cloudResourceZone": "Zone-1",
  "cloudProvider": "Azure",
  "asNumber": "8075",
  "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
  "locCountryCode": "NL",
  "cloudRegion": "East US"
}

Properties

Name	Type	Description
ip*	string	The IP address.
cloudIntegrationAccountId	string	The ID of the cloud integration account.
cloudResourceType	string	The type of cloud resource.
cloudResourceId	string	The ID of the cloud resource.
cloudIntegrationName	string	The name of the cloud integration.
cloudIntegrationRef	string	The reference to the cloud integration.
cloudResourceName	string	The name of the cloud resource.
cloudResourceZone	string	The availability zone of the cloud resource.
cloudProvider	string	The cloud provider (e.g., Azure, AWS).
asNumber	string	The Autonomous System (AS) number.
asName	string	The name of the Autonomous System (AS).
locCountryCode	string	The country code of the location.
cloudRegion	string	The cloud region where the resource is located.

NetworkRangesReportRequest

{
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Properties

Name	Type	Description
limit	integer	If set, returns only up to the specified number of results.
format	string	If set, returns results in the format specified. Default: JSON
tags	array	If set, returns results with the specified tags.

Enumerated Values

Property	Value
format	json
format	csv

NetworkRangesReportResponse

{
  "network-ranges": [
    {
      "range": "52.0.205.39/32",
      "label": "Lab DNS1",
      "description": "dns1-production-lab.hardenize.net"
    }
  ]
}

Properties

Name	Type	Description
network-ranges	[NetworkRangesReport]	none

NetworkRangesReport

{
  "range": "52.0.205.39/32",
  "label": "Lab DNS1",
  "description": "dns1-production-lab.hardenize.net"
}

Properties

Name	Type	Description
range*	string	The IP range in CIDR notation.
label*	string	A label or name for the IP range.
description	string	A description of the IP range.

OpenPortsReportRequest

{
  "address": "192.168.1.1",
  "port": 443,
  "transport": "tcp",
  "service": "other",
  "hostname": "example.com",
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
address	string	If set, filters the response by the provided address. Address can be supplied as a network range in CIDR (192.168.10.1/24) form or as an individual IP address (192.168.10.1)
port	integer	If set, filters the response by the provided port.
transport	string	If set, filters the response by the provided transport.
service	string	If set, filters the response by the provided service.
hostname	string	If set, searching for "example.com" would find any open ports with a hostname being the same as "example.com" or a subdomain of it
limit	integer	If set, returns only up to the specified number of results.
format	string	If set, returns results in the format specified. Default: JSON

Enumerated Values

Property	Value
transport	tcp
transport	udp
format	json
format	csv

OpenPortsReportResponse

{
  "open-ports": [
    {
      "address": "123.234.73.24",
      "port": 25,
      "transport": "tcp",
      "service": "smtp",
      "hostname": "deavensoft-com.mail.protection.outlook.com"
    }
  ]
}

Properties

Name	Type	Description
open-ports	[OpenPortsReport]	none

OpenPortsReport

{
  "address": "123.234.73.24",
  "port": 25,
  "transport": "tcp",
  "service": "smtp",
  "hostname": "deavensoft-com.mail.protection.outlook.com"
}

Properties

Name	Type	Description
address*	string	The IP address.
port*	integer	The port number.
transport*	string	The transport protocol (e.g., tcp, udp).
service*	string	The service name.
hostname	string	The hostname associated with the address.

SpfReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "tags": [
    "test"
  ]
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of results.
format	string	If set, returns results in the format specified. Default: JSON
tags	array	If set, returns results with the specified tags.

Enumerated Values

Property	Value
format	json
format	csv

SpfReportResponse

{
  "spf": [
    {
      "key": "example.com",
      "policyText": "v=spf1 include:spf.protection.outlook.com -all"
    }
  ]
}

Properties

Name	Type	Description
spf	[SpfReport]	none

SpfReport

{
  "key": "example.com",
  "policyText": "v=spf1 include:spf.protection.outlook.com -all"
}

Properties

Name	Type	Description
key*	string	The domain name.
policyText*	string	The SPF policy text.

CertificateReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv",
  "active": true,
  "revoked": true,
  "expiring": true,
  "expiringDays": 10
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of certificates.
format	string	If set, returns certificates in the format specified. Default: JSON
active	boolean	If set, returns only active certificates.
revoked	boolean	If set, returns only revoked certificates.
expiring	boolean	If set, returns both expired certificates and the ones which expire in N days, where N is configurable at Settings -> Certificate Notifications -> When Certificates Become Overdue
expiringDays	integer	If set, overrides the default number of expiring days when 'expiring' is set to true.

Enumerated Values

Property	Value
format	json
format	csv

CertificateReportResponse

{
  "certificates": [
    {
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "validation": "dv",
      "notBefore": "2023-09-22T15:34:49.733Z",
      "notAfter": "2023-09-22T15:34:49.733Z",
      "effectiveNotAfter": "2023-09-22T15:34:49.733Z",
      "revokedOn": "2023-09-22T15:34:49.733Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "ECDSAwithSHA256",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "sanCount": 1,
      "caPathLen": -1,
      "wildcard": true,
      "selfSigned": false,
      "firstSeen": "2023-09-22T15:34:49.733Z",
      "lastSeen": "2023-09-22T15:34:49.733Z",
      "seenInstalled": true,
      "active": true,
      "precert": false,
      "duplicate": false,
      "managed": true,
      "ownership": "own",
      "matchesOrgHost": true,
      "symantecStatus": "symantecExcluded",
      "ctRequired": true,
      "ctCompliant": true,
      "ctLogs": [
        {
          "log": "ct.googleapis.com/rocketeer",
          "timestamp": 1533791245857,
          "index": 232455,
          "type": "cert",
          "sources": [
            "log",
            "tls"
          ]
        }
      ],
      "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
      "origin": "ct",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "parentHashes": [
        "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
        "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
      ],
      "parentHashesSource": "ct",
      "parentHashesComplete": true
    }
  ]
}

Properties

Name	Type	Description
certificates	[Certificate]	[Contains information about one certificate. ]

CertificateExpiringEndpointsReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "integration": "Entrust Dev",
  "format": "csv"
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of expired certificates.
integration	string	If set, filters the response with expired certificates which belong to an integration.
format	string	If set, returns expired certificates in the format specified. Default: JSON

Enumerated Values

Property	Value
format	json
format	csv

CertificateExpiringEndpointsReportResponse

{
  "expiringEndpoints": [
    {
      "host": "example.com",
      "serviceHostname": "service.example.com",
      "serviceDomain": "example.com",
      "serviceLocation": "US-West",
      "port": 443,
      "certificateExpires": "2023-09-22T15:34:49.734Z",
      "serviceLastSeen": "2023-09-22T15:34:49.734Z",
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "certificateDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "certificateSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "issuerCa": "Let's Encrypt",
      "certificateSan": "*.hardenize.com",
      "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
      "asNumber": "12345"
    }
  ]
}

Properties

Name	Type	Description
expiringEndpoints	[CertificateExpiringEndpointsReport]	none

CertificateExpiringEndpointsReport

{
  "host": "example.com",
  "serviceHostname": "service.example.com",
  "serviceDomain": "example.com",
  "serviceLocation": "US-West",
  "port": 443,
  "certificateExpires": "2023-09-22T15:34:49.734Z",
  "serviceLastSeen": "2023-09-22T15:34:49.734Z",
  "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "certificateDn": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "certificateSerial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "issuerCa": "Let's Encrypt",
  "certificateSan": "*.hardenize.com",
  "asName": "MICROSOFT-CORP-MSN-AS-BLOCK",
  "asNumber": "12345"
}

Properties

Name	Type	Description
host	string	The hostname of the endpoint.
serviceHostname	string	The hostname of the service associated with the endpoint.
serviceDomain	string	The domain of the service associated with the endpoint.
serviceLocation	string	The location or region where the service is located.
port	integer	The port number of the endpoint.
certificateExpires	string(date-time)	ISO 8601 timestamp indicating when the certificate for the endpoint expires.
serviceLastSeen	string(date-time)	ISO 8601 timestamp indicating when the service was last seen.
sha256*	string	Hex-encoded SHA256 hash of the endpoint's certificate in DER format.
certificateDn	string	Distinguished name of the endpoint's certificate.
certificateSerial	string	Hex-encoded serial number of the endpoint's certificate.
issuer*	string	Distinguished name of the certificate issuer.
issuerCa	string	The name of the issuing CA for the endpoint's certificate, according to CCADB.
certificateSan	string	All hosts specified in the endpoint's certificate's SAN extension, as Unicode.
asName	string	The name of the Autonomous System (AS).
asNumber	string	The number of the Autonomous System (AS).

HostsReportRequest

{
  "group": "productgroup",
  "limit": 100,
  "format": "csv"
}

Properties

Name	Type	Description
group	string	If set, filters the response with the provided group label.
limit	integer	If set, returns only up to the specified number of domains.
format	string	If set, returns hosts in the format specified. Default: JSON

Enumerated Values

Property	Value
format	json
format	csv

HostsReportResponse

{
  "hosts": [
    {
      "assetId": 11117,
      "hostname": "example.com",
      "creationTime": "2023-09-14T12:59:25Z",
      "summary": "{\"csp\": \"good\", \"spf\": \"neutral\", \"hpkp\": \"good\", \"hsts\": \"neutral\", \"tags\": [\"tag1\", \"tag2\"], \"dmarc\": \"error\", \"dnssec\": \"neutral\", \"hasSpf\": true, \"status\": \"completed\", \"wwwTls\": \"warning\", \"cookies\": \"good\", \"hasHsts\": true, \"hasHttp\": true, \"hasSmtp\": false, \"hasSsl2\": false, \"hasSsl3\": false, \"wwwDane\": \"neutral\", \"emailTls\": \"good\", \"hasDmarc\": true, \"hasHttps\": true, \"hasTls10\": false, \"hasTls11\": true, \"hasTls12\": true, \"hasTls13\": true, \"hostname\": \"example.com\", \"emailDane\": \"neutral\", \"hasDnssec\": false, \"hasSmtpTls\": true, \"reportTime\": 1694696413407, \"hasSmtpDane\": false, \"nameServers\": \"error\", \"hasHttpsDane\": false, \"mixedContent\": \"good\", \"supportsSsl2\": false, \"supportsSsl3\": false, \"supportsTls10\": false, \"supportsTls11\": true, \"supportsTls12\": true, \"supportsTls13\": true, \"securityHeaders\": \"neutral\", \"unicodeHostname\": \"example.com\", \"hasHstsPreloaded\": false, \"siteCreationTime\": \"202309141259\", \"wwwXssProtection\": \"neutral\", \"hasHttpsRedirection\": true, \"hasHttpsTls12OrBetter\": true, \"wwwXssProtectionEnabled\": false}",
      "reportCard": "{\"sections\": [{\"id\": \"SECTION_DOMAIN\", \"name\": \"Domain\", \"items\": [{\"id\": \"ITEM_DOMAIN_REGISTRATION\", \"name\": \"Domain Registration\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNS_ZONE\", \"name\": \"DNS Zone\", \"status\": \"error\", \"remarks\": [{\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns1.example.com.\", \"Address\": \"2610:a1:1024::200\", \"Reverse name\": \"dns1.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}, {\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns2.example.com.\", \"Address\": \"2610:a1:1025::200\", \"Reverse name\": \"dns2.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_DNS_RR\", \"name\": \"DNS Resource Records\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNSSEC\", \"name\": \"DNSSEC\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_DOMAIN_CAA\", \"name\": \"CAA\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_EMAIL\", \"name\": \"Email\", \"items\": [{\"id\": \"ITEM_EMAIL_TLS\", \"name\": \"TLS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DANE\", \"name\": \"DANE\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_SPF\", \"name\": \"SPF\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DMARC\", \"name\": \"DMARC\", \"status\": \"error\", \"remarks\": [{\"id\": \"EMAIL_DMARC_EXTERNAL_DESTINATION_NOAUTH\", \"data\": {\"External destination\": \"mailto:dmarcreports.example@gmail.com\", \"Expected permission record location\": \"example.com._report._dmarc.gmail.com\"}, \"title\": \"Invalid external destination\", \"severity\": \"error\"}, {\"id\": \"EMAIL_DMARC_INVALID\", \"data\": {}, \"title\": \"DMARC policy is invalid\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_EMAIL_MTA_STS\", \"name\": \"MTA-STS\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_TLS_RPT\", \"name\": \"TLS-RPT\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_WEB\", \"name\": \"Web\", \"items\": [{\"id\": \"ITEM_WEB_HTTP\", \"name\": \"HTTP\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HTTPS\", \"name\": \"HTTPS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_TLS\", \"name\": \"TLS\", \"status\": \"warning\", \"remarks\": [{\"id\": \"TLS_SUITES_PFS_AND_AEAD_TOP_RECOMMEND\", \"title\": \"Reconfigure server to use forward secrecy and authenticated encryption\", \"severity\": \"warning\"}, {\"id\": \"WWW_TLS_CONN_FAILED\", \"data\": {\"Error message\": \"Network is unreachable (connect failed)\"}, \"title\": \"TLS connection failed\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_WEB_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_COOKIES\", \"name\": \"Cookies\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_MIXED_CONTENT\", \"name\": \"Mixed Content\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HSTS\", \"name\": \"Strict Transport Security\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_CSP\", \"name\": \"Content Security Policy\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_SRI\", \"name\": \"Subresource Integrity\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XFO\", \"name\": \"Framing Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XSS_PROTECTION\", \"name\": \"XSS Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_CONTENT_TYPE_OPTIONS\", \"name\": \"Content Type Options\", \"status\": \"none\", \"remarks\": []}]}], \"available\": true, \"timestamp\": \"2023-09-14T13:00:13.407Z\", \"domainUnicode\": \"example.com\", \"reportVersion\": 1, \"domainPunycode\": \"example.com\", \"hardenizeVersion\": \"v1.1545.1\"}",
      "tags": [
        "test"
      ],
      "errorMessage": "Hostname not found",
      "errorTime": "2023-09-15T08:47:45Z",
      "nxTime": "2023-09-15T08:47:00Z"
    }
  ]
}

Properties

Name	Type	Description
hosts	[HostReport]	none

HostReport

{
  "assetId": 11117,
  "hostname": "example.com",
  "creationTime": "2023-09-14T12:59:25Z",
  "summary": "{\"csp\": \"good\", \"spf\": \"neutral\", \"hpkp\": \"good\", \"hsts\": \"neutral\", \"tags\": [\"tag1\", \"tag2\"], \"dmarc\": \"error\", \"dnssec\": \"neutral\", \"hasSpf\": true, \"status\": \"completed\", \"wwwTls\": \"warning\", \"cookies\": \"good\", \"hasHsts\": true, \"hasHttp\": true, \"hasSmtp\": false, \"hasSsl2\": false, \"hasSsl3\": false, \"wwwDane\": \"neutral\", \"emailTls\": \"good\", \"hasDmarc\": true, \"hasHttps\": true, \"hasTls10\": false, \"hasTls11\": true, \"hasTls12\": true, \"hasTls13\": true, \"hostname\": \"example.com\", \"emailDane\": \"neutral\", \"hasDnssec\": false, \"hasSmtpTls\": true, \"reportTime\": 1694696413407, \"hasSmtpDane\": false, \"nameServers\": \"error\", \"hasHttpsDane\": false, \"mixedContent\": \"good\", \"supportsSsl2\": false, \"supportsSsl3\": false, \"supportsTls10\": false, \"supportsTls11\": true, \"supportsTls12\": true, \"supportsTls13\": true, \"securityHeaders\": \"neutral\", \"unicodeHostname\": \"example.com\", \"hasHstsPreloaded\": false, \"siteCreationTime\": \"202309141259\", \"wwwXssProtection\": \"neutral\", \"hasHttpsRedirection\": true, \"hasHttpsTls12OrBetter\": true, \"wwwXssProtectionEnabled\": false}",
  "reportCard": "{\"sections\": [{\"id\": \"SECTION_DOMAIN\", \"name\": \"Domain\", \"items\": [{\"id\": \"ITEM_DOMAIN_REGISTRATION\", \"name\": \"Domain Registration\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNS_ZONE\", \"name\": \"DNS Zone\", \"status\": \"error\", \"remarks\": [{\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns1.example.com.\", \"Address\": \"2610:a1:1024::200\", \"Reverse name\": \"dns1.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}, {\"id\": \"DNS_ZONE_NAMESERVER_NOT_OPERATIONAL\", \"data\": {\"Name\": \"dns2.example.com.\", \"Address\": \"2610:a1:1025::200\", \"Reverse name\": \"dns2.example.com.\"}, \"title\": \"Nameserver is not operational\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_DNS_RR\", \"name\": \"DNS Resource Records\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_DNSSEC\", \"name\": \"DNSSEC\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_DOMAIN_CAA\", \"name\": \"CAA\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_EMAIL\", \"name\": \"Email\", \"items\": [{\"id\": \"ITEM_EMAIL_TLS\", \"name\": \"TLS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DANE\", \"name\": \"DANE\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_SPF\", \"name\": \"SPF\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_DMARC\", \"name\": \"DMARC\", \"status\": \"error\", \"remarks\": [{\"id\": \"EMAIL_DMARC_EXTERNAL_DESTINATION_NOAUTH\", \"data\": {\"External destination\": \"mailto:dmarcreports.example@gmail.com\", \"Expected permission record location\": \"example.com._report._dmarc.gmail.com\"}, \"title\": \"Invalid external destination\", \"severity\": \"error\"}, {\"id\": \"EMAIL_DMARC_INVALID\", \"data\": {}, \"title\": \"DMARC policy is invalid\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_EMAIL_MTA_STS\", \"name\": \"MTA-STS\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_EMAIL_TLS_RPT\", \"name\": \"TLS-RPT\", \"status\": \"none\", \"remarks\": []}]}, {\"id\": \"SECTION_WEB\", \"name\": \"Web\", \"items\": [{\"id\": \"ITEM_WEB_HTTP\", \"name\": \"HTTP\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HTTPS\", \"name\": \"HTTPS\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_TLS\", \"name\": \"TLS\", \"status\": \"warning\", \"remarks\": [{\"id\": \"TLS_SUITES_PFS_AND_AEAD_TOP_RECOMMEND\", \"title\": \"Reconfigure server to use forward secrecy and authenticated encryption\", \"severity\": \"warning\"}, {\"id\": \"WWW_TLS_CONN_FAILED\", \"data\": {\"Error message\": \"Network is unreachable (connect failed)\"}, \"title\": \"TLS connection failed\", \"severity\": \"error\"}]}, {\"id\": \"ITEM_WEB_PKI\", \"name\": \"Certificates\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_COOKIES\", \"name\": \"Cookies\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_MIXED_CONTENT\", \"name\": \"Mixed Content\", \"status\": \"good\", \"remarks\": []}, {\"id\": \"ITEM_WEB_HSTS\", \"name\": \"Strict Transport Security\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_CSP\", \"name\": \"Content Security Policy\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_WEB_SRI\", \"name\": \"Subresource Integrity\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XFO\", \"name\": \"Framing Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_XSS_PROTECTION\", \"name\": \"XSS Protection\", \"status\": \"none\", \"remarks\": []}, {\"id\": \"ITEM_CONTENT_TYPE_OPTIONS\", \"name\": \"Content Type Options\", \"status\": \"none\", \"remarks\": []}]}], \"available\": true, \"timestamp\": \"2023-09-14T13:00:13.407Z\", \"domainUnicode\": \"example.com\", \"reportVersion\": 1, \"domainPunycode\": \"example.com\", \"hardenizeVersion\": \"v1.1545.1\"}",
  "tags": [
    "test"
  ],
  "errorMessage": "Hostname not found",
  "errorTime": "2023-09-15T08:47:45Z",
  "nxTime": "2023-09-15T08:47:00Z"
}

Properties

Name	Type	Description
assetId*	integer	The unique identifier for the asset.
hostname*	string	The hostname associated with the asset.
creationTime*	string(date-time)	The timestamp indicating when the asset was created.
summary	string	A summary of the asset's security information in JSON format.
reportCard	string	A report card containing sections and items related to the asset's security.
tags	[string]	Tags associated with the asset, if any.
errorMessage	string	An error message associated with the asset (if applicable).
errorTime	string(date-time)	The timestamp indicating when the error occurred (if applicable).
nxTime	string(date-time)	The timestamp indicating when the asset became non-existent (if applicable).

Report0Quality

{
  "quality": "good"
}

This field describes the quality of configuration of particular element. The four most commonly seen values here are good, warning, error, and neutral. Out of these, the best is cleary good, but neutral is all right, depending on your policies (e.g., you might not want to deploy a particular security technology). Hardenize uses warnings and errors only when something is broken, misconfigured, or has a negative security implication. Neither of these qualities is used if you don't have a particular security feature. We use unknown if we don't have enough information to make a judgement. Finally, warningAbsent and errorAbsent are special statuses that we use to indicate when warnings and errors are indicated due to absence of feature. This might happen, for example, if a site supports plaintext HTTP but not encrypted HTTPS.

Properties

Name	Type	Description
quality	string	none

Enumerated Values

Property	Value
quality	good
quality	error
quality	errorAbsent
quality	neutral
quality	unknown
quality	warning
quality	warningAbsent

TestEventHookResponse

{
  "successful": false,
  "errorMessage": "Expected 202 or 204 status code",
  "durationMillis": 5814,
  "pubsub": {
    "destination": "pubsub://events/1/1005",
    "message": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}",
    "attributes": {
      "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
      "X-Hardenize-Org": "demo",
      "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
    },
    "messageId": "260486610038606"
  },
  "webook": {
    "request": {
      "method": "POST",
      "url": "https://hardenize.com/webhooks/receive",
      "headers": {
        "Content-Type": "application/json; charset=UTF-8",
        "User-Agent": "Hardenize (https://www.hardenize.com)",
        "X-Hardenize-EventHookId": "74bf16db59ef4d55aeeb7fe9f7d5171d",
        "X-Hardenize-Org": "demo",
        "X-Hardenize-Signature": "t=1539185809044; hmac-sha256=64d386808229f5c84fac665fb6f9376f24efca2971b51713032dca6b83566fd8"
      },
      "body": "{\"id\":0,\"createdOn\":\"2018-10-10T15:36:49.044Z\",\"type\":\"test\",\"data\":{\"message\":\"This is a webhook test.\"}}"
    },
    "response": {
      "statusCode": 302,
      "headers": {
        "Location": "https://hardenize.com/redirection",
        "Cache-Control": "no-cache",
        "Connection": "keep-alive",
        "Content-Type": "text/plain; charset=UTF-8",
        "Date": "Wed, 10 Oct 2018 15:36:54 GMT",
        "Server": "nginx/1.10.3",
        "Transfer-Encoding": "chunked",
        "Vary": "Accept-Encoding"
      },
      "body": "OK"
    }
  }
}

Embeds a transcript of an event hook test, providing request and response information, as well as an indication of whether the hook is operating correctly.

Properties

Name	Type	Description
successful	boolean	Indication of whether the event hook test was successful. If the HTTP request itself is successful, the status code must be in the 2xx range. If the test is not successful, the `errorMessage` field will contain an explanation.
errorMessage	string	Error message, in case of test failure only.
durationMillis	integer(int64)	Duration of the HTTP request submitted to the hook, in milliseconds.
pubsub	object	Webhook-specific diagnostic information.
» destination	string	PubSub destination.
» message	string	Message body.
» attributes	object	Message attributes.
» messageId	string	PubSub message ID.
webook	object	Webhook-specific diagnostic information.
» request	object	Information about the submitted HTTP request, including some selected request headers.
»» method	string	Request method; always POST.
»» url	string	Webhook URL used for the test.
»» headers	object	Selected HTTP request headers.
»» body	string	Raw request body, as a string.
» response	object	Information about the HTTP response recived from the remote server.
»» statusCode	integer	HTTP response status code obtained from the remote server.
»» headers	object	Complete HTTP response headers received from the remote server.
»» body	string	Raw response body, as a string.

UpdateCertRequest

{
  "muted": true
}

Updates one certificate. All fields are optional, but at least one field must be provided.

Properties

Name	Type	Description
muted	boolean	If set to true, certificate notifications will be disabled for this certificate, even if it's observed on the network near its expiration.

UpdateCertResponse

{
  "cert": {
    "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
    "tbsSha256": "7d63c93bbbf6d4f7aa492963dccd1ff14b35257b8eca4d912faa0ac1883a92da",
    "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
    "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
    "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
    "issuerCa": "Let's Encrypt",
    "validation": "dv",
    "notBefore": "2023-09-22T15:34:49.735Z",
    "notAfter": "2023-09-22T15:34:49.735Z",
    "effectiveNotAfter": "2023-09-22T15:34:49.735Z",
    "revokedOn": "2023-09-22T15:34:49.735Z",
    "keyAlg": "EC",
    "keyLen": 256,
    "keyStrength": 128,
    "sigAlg": "ECDSAwithSHA256",
    "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
    "hosts": [
      "*.hardenize.com"
    ],
    "sanCount": 1,
    "caPathLen": -1,
    "wildcard": true,
    "selfSigned": false,
    "firstSeen": "2023-09-22T15:34:49.735Z",
    "lastSeen": "2023-09-22T15:34:49.735Z",
    "seenInstalled": true,
    "active": true,
    "precert": false,
    "duplicate": false,
    "managed": true,
    "ownership": "own",
    "matchesOrgHost": true,
    "symantecStatus": "symantecExcluded",
    "ctRequired": true,
    "ctCompliant": true,
    "ctLogs": [
      {
        "log": "ct.googleapis.com/rocketeer",
        "timestamp": 1533791245857,
        "index": 232455,
        "type": "cert",
        "sources": [
          "log",
          "tls"
        ]
      }
    ],
    "pem": "MIID/TCCA6OgAwIBAgIRANDmW2f+WPSl1knPqjuzwvswCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xODAzMDEwMDAwMDBaFw0xODA5MDcyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IB/TCCAfkwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDebJoLRDhbiDQSDWAb8+C2IkT3sXuL7nH0BYuxHiO32AIgf9YXFRRrzis/p7HVd9X2pkP4CxvriyrLQwpB6s2RFQM=",
    "origin": "ct",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "parentHashes": [
      "25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d",
      "0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    ],
    "parentHashesSource": "ct",
    "parentHashesComplete": true
  }
}

Properties

Name	Type	Description
cert*	Certificate	Contains information about one certificate.

UpdateNetworkRangeRequest

{
  "label": "DC01 Public",
  "description": "Public IP range for London data center",
  "scan": true,
  "tags": [
    "production"
  ]
}

Update the network range information. You must supply one or more of these values. The range itself can't be changed with this operation. Instead, delete the range and create it again.

Properties

Name	Type	Description
label	string	A short label to identify the network range
description	string	A longer description of the purposes of the network range
scan	boolean	Whether or not this network should be scanned
tags	[string]	none

UpdateIssueRequest

{
  "status": "snoozed",
  "snoozedUntil": "2022-06-17T00:00:00.000Z"
}

Updates an issue

Properties

Name	Type	Description
status	string	Set a new status.
snoozedUntil	string(date-time)	Set status back to active automatically after this time.

Enumerated Values

Property	Value
status	active
status	bogus
status	ignored
status	snoozed

UpdateUserRequest

{
  "name": "Bob",
  "deleteMfa": true,
  "resetPassword": true,
  "expirationTime": "2023-09-22T15:34:49.736Z",
  "status": "retired",
  "role": "observer"
}

Updates attributes for a user. All fields are optional, but at least one field must be provided.

Properties

Name	Type	Description
name	string	Change the users name or service account's description
deleteMfa	boolean	Will delete MFA for a user if it is enabled. Allowing them to log in using only their email address and password. Not for service accounts.
resetPassword	boolean	Changes the password to a new random one. For service accounts only
expirationTime	string(date-time)	Update expiration time. For service accounts only
status	string	Update user status
role	string	Update user role

Enumerated Values

Property	Value
status	active
status	retired
role	owner
role	admin
role	member
role	observer

UpdateEventHookRequest

{
  "eventTypes": [
    "ct.entry"
  ],
  "destination": "https://hardenize.com/webhooks/receive",
  "status": "disabled"
}

Provides new field values to update an existing event hook. No fields are required, but you need to provide at least of the supported fields.

Properties

Name	Type	Description
eventTypes	[string]	An updated list of event types to send to this event hook.
destination	string	Event hook destination; for webhooks, this must be a HTTPS URL.
status	string	New event hook status.

Enumerated Values

Property	Value
status	enabled
status	disabled
status	failed

UpdateEventHookResponse

{
  "eventHook": {
    "id": "bfc384726b6447a4b70a171de49e466f",
    "hookType": "webhook",
    "eventTypes": [
      "ct.entry"
    ],
    "status": "enabled",
    "destination": "https://hardenize.com/webhooks/receive",
    "secret": "3685c06a966e4d0ea625d0b475719661"
  }
}

Returned after a successful event hook update operation.

Properties

Name	Type	Description
eventHook*	EventHook	Event hook objects contain information pertaining to a destination to which events are delivered (pushed).

UpdateEventTypeRequest

{
  "enabled": true
}

Properties

Name	Type	Description
enabled*	boolean	New setting for whether event type is enabled.

UpdateEventTypeResponse

{
  "eventType": {
    "name": "ct",
    "available": true,
    "enabled": true
  }
}

Properties

Name	Type	Description
eventType*	EventType	Every event we generate has a type, making it easier to distinguish one class of event from another, and to correctly process them.

UpdateHostDiscoveryResponse

{
  "hostDiscovery": {
    "discoveryId": 11113,
    "autoResolved": false,
    "hostname": "www.🔥.hardenize.com",
    "discoveredTime": "2023-09-22T15:34:49.737Z",
    "origin": "hdb",
    "originInfo": {
      "net": {
        "host": "aspmx.l.google.com",
        "address": "2a00:1450:400c:c00:0:0:0:1b",
        "port": 25,
        "protocol": "smtp"
      }
    },
    "matchInfo": {
      "certdno": {
        "o": "Cloudflare, Inc."
      },
      "integration": {
        "name": "AWS Production",
        "type": "aws",
        "ref": "string"
      },
      "keyword": {
        "matches": [
          {
            "encoding": "ascii",
            "keyword": "string",
            "matchPosition": "anywhere",
            "matchScope": "all",
            "search": "bitSquatting"
          }
        ]
      },
      "mx": {
        "mx": "mail.example.com"
      },
      "nameserver": {
        "matches": [
          {
            "name": "ns1.hardenize.com",
            "firstSeen": "2021-09-21T15:32:02.322Z"
          }
        ]
      },
      "rname": {
        "email": "postmaster@example.com"
      },
      "whois": {
        "keywords": [
          "example.com"
        ]
      }
    },
    "matchCertDNO": false,
    "matchIntegration": true,
    "matchKeyword": false,
    "matchMx": false,
    "matchNameserver": false,
    "matchSubdomain": false,
    "matchRname": false,
    "matchWhois": false,
    "resolution": "pending",
    "updatedTime": "2023-09-22T15:34:49.737Z"
  }
}

Properties

Name	Type	Description
hostDiscovery*	HostDiscovery	This object represents our discovery of a host which might be relevant to your organization.

UpdateHostsChanges

{
  "status": "monitored",
  "axfr": "enabled",
  "axfrHost": "stealth.ns.example.com",
  "axfrTsig": {
    "algorithm": "HMAC_MD5",
    "key": "base64key=",
    "name": "thename"
  },
  "groupOp": "add",
  "groups": [
    "staging",
    "development"
  ]
}

Properties

Name	Type	Description
status	string	Desired host status.
axfr	string	If we should attempt a daily AXFR transfer against the primary nameserver for this zone. By default, this field is set to auto which is a setting that is reserved for a future expansion and currently has the same meaning as disabled. To enable zone transfers, change the value of this field to enabled.
axfrHost	string	Instead of doing AXFRs from the primary nameserver as per the zones SOA record, use this hostname or IP address instead. Set to a blank string to remove.
axfrTsig	UpdateHostsChangesAxfrTsig	none
groupOp	string	This parameter selects one of three operations. The add operation will add the specified groups to the hosts. The remove operation will remove the specified groups from the hosts. The set operation will first remove all existing tags from the hosts, then apply the specified groups. This field is mandatory when at least one group is specified.
groups	[string]	List of tags that should be used in the requested tag operation.

Enumerated Values

Property	Value
status	monitored
status	idle
status	archived
axfr	auto
axfr	enabled
axfr	disabled
groupOp	add
groupOp	remove
groupOp	set

UpdateHostDiscoveryRequest

{
  "resolution": "own",
  "groups": [
    "staging",
    "development"
  ]
}

Properties

Name	Type	Description
resolution*	string	If set, updates the discoveries resolution.
groups	[string]	When setting resolution to 'own' hosts are imported. If you also wish them to be added to one or more groups, specify group labels here. Ignored if resolution is not 'own'

Enumerated Values

Property	Value
resolution	pending
resolution	own
resolution	supplier
resolution	unrelated
resolution	infringing
resolution	phishing

UpdateHostsChangesAxfrTsig

{
  "algorithm": "HMAC_MD5",
  "key": "base64key=",
  "name": "thename"
}

Properties

Name	Type	Description
algorithm	string	Axfr transfer algorithm
key	string	Axfr transfer key
name	string	Axfr transfer name

Enumerated Values

Property	Value
algorithm	HMAC_MD5
algorithm	HMAC_SHA1
algorithm	HMAC_SHA224
algorithm	HMAC_SHA256
algorithm	HMAC_SHA384
algorithm	HMAC_SHA512

UpdateHostDiscoveriesRequest

{
  "ids": [
    1
  ],
  "preview": true,
  "changes": {
    "resolution": "own",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Properties

Name	Type	Description
ids*	[integer]	List of discovery ids to update.
preview	boolean	If set, doesn't carry out the operation, but returns a list of discoveries that would have been affected. Default: false
changes	UpdateHostDiscoveriesChanges	none

UpdateHostDiscoveriesResponse

{
  "hostDiscoveries": [
    {
      "discoveryId": 11113,
      "autoResolved": false,
      "hostname": "www.🔥.hardenize.com",
      "discoveredTime": "2023-09-22T15:34:49.738Z",
      "origin": "hdb",
      "originInfo": {
        "net": {
          "host": "aspmx.l.google.com",
          "address": "2a00:1450:400c:c00:0:0:0:1b",
          "port": 25,
          "protocol": "smtp"
        }
      },
      "matchInfo": {
        "certdno": {
          "o": "Cloudflare, Inc."
        },
        "integration": {
          "name": "AWS Production",
          "type": "aws",
          "ref": "string"
        },
        "keyword": {
          "matches": [
            {
              "encoding": "ascii",
              "keyword": "string",
              "matchPosition": "anywhere",
              "matchScope": "all",
              "search": "bitSquatting"
            }
          ]
        },
        "mx": {
          "mx": "mail.example.com"
        },
        "nameserver": {
          "matches": [
            {
              "name": "ns1.hardenize.com",
              "firstSeen": "2021-09-21T15:32:02.322Z"
            }
          ]
        },
        "rname": {
          "email": "postmaster@example.com"
        },
        "whois": {
          "keywords": [
            "example.com"
          ]
        }
      },
      "matchCertDNO": false,
      "matchIntegration": true,
      "matchKeyword": false,
      "matchMx": false,
      "matchNameserver": false,
      "matchSubdomain": false,
      "matchRname": false,
      "matchWhois": false,
      "resolution": "pending",
      "updatedTime": "2023-09-22T15:34:49.738Z"
    }
  ]
}

Properties

Name	Type	Description
hostDiscoveries*	[HostDiscovery]	[This object represents our discovery of a host which might be relevant to your organization.]

UpdateHostDiscoveriesChanges

{
  "resolution": "own",
  "groups": [
    "staging",
    "development"
  ]
}

Properties

Name	Type	Description
resolution	string	If set, updates the discoveries resolution.
groups	[string]	When setting resolution to 'own' hosts are imported. If you also wish them to be added to one or more groups, specify group labels here. Ignored if resolution is not 'own'

Enumerated Values

Property	Value
resolution	pending
resolution	own
resolution	supplier
resolution	unrelated
resolution	infringing
resolution	phishing

DeleteHostDiscoveriesRequest

{
  "ids": [
    1
  ],
  "preview": true
}

Properties

Name	Type	Description
ids*	[integer]	List of discovery ids to delete.
preview	boolean	If set, doesn't carry out the operation, but returns a list of discoveries that would have been affected. Default: false

DeleteHostDiscoveriesResponse

{
  "ids": [
    1
  ],
  "preview": true
}

Properties

Name	Type	Description
ids*	[integer]	List of affected discovery ids.
preview*	boolean	Whether or not we ran in preview mode.

UpdateHostDiscoveryKeywordRequest

{
  "keyword": "hard",
  "enabled": true,
  "matchScope": "all",
  "matchPosition": "anywhere",
  "matchExact": true,
  "matchFuzzy": true,
  "matchConfusables": true,
  "exclusions": [
    "chard"
  ]
}

A keyword used for host discovery.

Properties

Name	Type	Description
keyword*	string	The text to match with. Must consist of only lowercase letters, digits, dashes, and periods. It also must contain at least 5 characters and not more than 32.
enabled*	boolean	Indicates if the keyword is currently active.
matchScope*	string	Determines what type of results the keyword will look for.
matchPosition*	string	Determines the desired position of the keyword within matched hostname. Matching a keyword anywhere in the hostname often results in too many results, so the idea is to reduce the number of matches by focusing only on the results that are more likely to be relevant.
matchExact*	boolean	If set, enables exact matching.
matchFuzzy*	boolean	If set, enables fuzzy matching.
matchConfusables*	boolean	If set, enables mathing of confusable characters and homographes.
exclusions*	[string]	Exclusions to use to remove unwanted matches. Hostnames that match any of the configured phrases will be ignored.

Enumerated Values

Property	Value
matchScope	all
matchScope	domains
matchPosition	anywhere
matchPosition	label,
matchPosition	labelStart
matchPosition	labelEnd
matchPosition	labelStartOrEnd

UpdateHostDiscoveryKeywordResponse

{
  "hostDiscoveryKeyword": {
    "keyword": "hard",
    "enabled": true,
    "matchScope": "all",
    "matchPosition": "anywhere",
    "matchExact": true,
    "matchFuzzy": true,
    "matchConfusables": true,
    "exclusions": [
      "chard"
    ],
    "error": "Disabled due to too many matches: 10000",
    "errorTime": "2020-06-12T15:00:00.011Z"
  }
}

Properties

Name	Type	Description
hostDiscoveryKeyword*	HostDiscoveryKeyword	A keyword used for host discovery.

UpdateIdentityRequest

{
  "enabled": true
}

Properties

Name	Type	Description
enabled	boolean	Enable/disable an identity.

UpdateIdentityResponse

{
  "identity": {
    "identityId": 11113,
    "type": "dns_soa_rname",
    "enabled": true,
    "identity": "postmaster@example.com",
    "createdOn": "2023-09-22T15:34:49.739Z",
    "lastSeen": "2023-09-22T15:34:49.739Z",
    "lastCheck": "2023-09-22T15:34:49.739Z",
    "error": "Not a unique identity.",
    "errorTime": "2023-09-22T15:34:49.739Z"
  }
}

Properties

Name	Type	Description
identity*	Identity	This object represents an identity.

TlsCheck

{
  "request": {
    "host": "hardenize.com",
    "port": 443,
    "location": "london",
    "resolverStrategy": "all"
  },
  "responses": [
    {
      "endpoint": {
        "host": "hardenize.com",
        "address": "104.17.158.13",
        "port": 443,
        "location": "london"
      },
      "status": "success",
      "connections": [
        {
          "remoteAddress": "104.17.158.13",
          "remotePort": 443,
          "tls": {
            "protocol": "TLSv1.3",
            "suite": "TLS_AES_256_GCM_SHA384",
            "certificates": [
              "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
              "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
              "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
            ]
          }
        }
      ]
    }
  ],
  "certificates": [
    {
      "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
      "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
      "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
      "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
      "notBefore": "2023-09-22T15:34:49.739Z",
      "notAfter": "2023-09-22T15:34:49.739Z",
      "keyAlg": "EC",
      "keyLen": 256,
      "keyStrength": 128,
      "sigAlg": "ECDSAwithSHA256",
      "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
      "hosts": [
        "*.hardenize.com"
      ],
      "pem": "MIIE/zCCBKagAwIBAgIRAKyO7rKU3rBSU7hzFLVhkBUwCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xOTEyMDUwMDAwMDBaFw0yMDA2MTIyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IDADCCAvwwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgIHMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6GmnTohwAAAFu04k42gAABAMASDBGAiEA7A6j9BVR49t+V/hBKDXVPnBaKL+Sn+0Z2x6k0SK9ORACIQDQSiuC8H2gkE6HX5PRsHTVpIyPa5GOzAqWNjfulEanSgB2AF6nc/nfVsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABbtOJOMIAAAQDAEcwRQIgHc5giLeZq2s5miBPoBIOpLkPj/ZbT8qBvlfHWTRIeGMCIQDGIkCl4cRhCMZLU6Tzr+UyMhWDyb0g9s+nRQy5IZlnZjAKBggqhkjOPQQDAgNHADBEAiBl7pvVHNc90aXVpH4zihVzSVkjatXQTCDJX9edBTaO/QIgbacpBSfqazqWakton2I/5/ig2UUgUwty/tozdKLRLTc="
    }
  ]
}

Properties

Name	Type	Description
request*	CreateTlsCheckRequest	TLS check parameters.
responses*	[TlsCheckResponse]	none
certificates*	[NetworkCertificate]	Certificates observed across all network operations.

TlsCheckResponse

{
  "endpoint": {
    "host": "hardenize.com",
    "address": "104.17.158.13",
    "port": 443,
    "location": "london"
  },
  "status": "success",
  "connections": [
    {
      "remoteAddress": "104.17.158.13",
      "remotePort": 443,
      "tls": {
        "protocol": "TLSv1.3",
        "suite": "TLS_AES_256_GCM_SHA384",
        "certificates": [
          "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
          "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
          "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
        ]
      }
    }
  ]
}

Properties

Name	Type	Description
endpoint	NetworkEndpoint	none
status	string	none
connections	[NetworkConnection]	none

Enumerated Values

Property	Value
status	success
status	failure

NetworkCertificate

{
  "sha256": "572908a23e5765a5e64fe06c775075133879ff9eed6e7135ced12e124edeca34",
  "subject": "CN=ssl760680.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated",
  "issuer": "CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB",
  "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "notBefore": "2023-09-22T15:34:49.739Z",
  "notAfter": "2023-09-22T15:34:49.739Z",
  "keyAlg": "EC",
  "keyLen": 256,
  "keyStrength": 128,
  "sigAlg": "ECDSAwithSHA256",
  "spkiSha256": "56c17eb4e3d510f7020e142cd36f617b38f93c26c72cc13dfebfbeed3e554382",
  "hosts": [
    "*.hardenize.com"
  ],
  "pem": "MIIE/zCCBKagAwIBAgIRAKyO7rKU3rBSU7hzFLVhkBUwCgYIKoZIzj0EAwIwgZIxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQDEy9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0EgMjAeFw0xOTEyMDUwMDAwMDBaFw0yMDA2MTIyMzU5NTlaMGwxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVsdGktRG9tYWluMSQwIgYDVQQDExtzc2w3NjA2ODAuY2xvdWRmbGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASjQmXlPI8fSFxAgBabWaZ/llDVh0Qvs6bEDqgu6Ny63HMiW6tXpBpnJs//B2Jysf4vFP2WaxHjD/CwhXyBiylso4IDADCCAvwwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFNsOUClkQN7Qw/9QyXJMVcU+NVA1MA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgIHMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNvbW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2NydC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQuY29tMEYGA1UdEQQ/MD2CG3NzbDc2MDY4MC5jbG91ZGZsYXJlc3NsLmNvbYIPKi5oYXJkZW5pemUuY29tgg1oYXJkZW5pemUuY29tMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6GmnTohwAAAFu04k42gAABAMASDBGAiEA7A6j9BVR49t+V/hBKDXVPnBaKL+Sn+0Z2x6k0SK9ORACIQDQSiuC8H2gkE6HX5PRsHTVpIyPa5GOzAqWNjfulEanSgB2AF6nc/nfVsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABbtOJOMIAAAQDAEcwRQIgHc5giLeZq2s5miBPoBIOpLkPj/ZbT8qBvlfHWTRIeGMCIQDGIkCl4cRhCMZLU6Tzr+UyMhWDyb0g9s+nRQy5IZlnZjAKBggqhkjOPQQDAgNHADBEAiBl7pvVHNc90aXVpH4zihVzSVkjatXQTCDJX9edBTaO/QIgbacpBSfqazqWakton2I/5/ig2UUgUwty/tozdKLRLTc="
}

Properties

Name	Type	Description
sha256*	string	Hex-encoded SHA256 hash of the certificate in DER format.
subject*	string	Subject distinguished name.
issuer*	string	Issuer distinguished name.
serial*	string	Hex-encoded serial number.
notBefore*	string(date-time)	ISO 8601 timestamp.
notAfter*	string(date-time)	ISO 8601 timestamp.
keyAlg*	string	Private key algorithm, for example RSA or EC.
keyLen*	integer	Private key length, for example 256 for an ECDSA key or 2048 for an RSA key.
keyStrength*	integer	Estimated private key strength in symmetric bits. For example, a 256-bit ECDSA key is thought to provide 128 bits of security, whereas a 2048-bit RSA key provides about 112.
sigAlg*	string	Certificate signature algorithm.
spkiSha256*	string	Hex-encoded SHA256 of the certificate's SPKI component.
hosts*	[string]	All hosts specified in the certificate's SAN extension, as Unicode. This list includes both hostnames and IP addresses. Wildcard hostnames will be on the list if they are in the certificate.
pem*	string	none

Enumerated Values

Property	Value
sigAlg	RSAwithMD2
sigAlg	RSAwithMD5
sigAlg	RSAwithSHA1
sigAlg	RSAwithSHA256
sigAlg	RSAwithSHA384
sigAlg	RSAwithSHA512
sigAlg	RSAPSS
sigAlg	DSAwithSHA1
sigAlg	DSAwithSHA256
sigAlg	ECDSAwithSHA1
sigAlg	ECDSAwithSHA256
sigAlg	ECDSAwithSHA384
sigAlg	ECDSAwithSHA512

NetworkConnection

{
  "remoteAddress": "104.17.158.13",
  "remotePort": 443,
  "tls": {
    "protocol": "TLSv1.3",
    "suite": "TLS_AES_256_GCM_SHA384",
    "certificates": [
      "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
      "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
      "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
    ]
  }
}

Properties

Name	Type	Description
remoteAddress*	string	none
remotePort*	integer	none
tls	TlsConnection	none

TlsConnection

{
  "protocol": "TLSv1.3",
  "suite": "TLS_AES_256_GCM_SHA384",
  "certificates": [
    "65b4548a743ede456baa59051c992b36348aec493fd9234ab7290d9a0fdd004b",
    "cd6c108a0e641f2ca122aaa6d03f826759cae7c6f800eabf76dc48b67cd083ce",
    "9573862ac0b4b125168810ea3fd101ae2eb0bb15f61fc0e6da7a2a38b85a89e8"
  ]
}

Properties

Name	Type	Description
protocol	string	none
suite	string	none
certificates	[string]	none

Enumerated Values

Property	Value
protocol	TLSv1.3
protocol	TLSv1.2
protocol	TLSv1.0
protocol	SSLv3
protocol	SSLv2

NetworkEndpoint

{
  "host": "hardenize.com",
  "address": "104.17.158.13",
  "port": 443,
  "location": "london"
}

Properties

Name	Type	Description
host	string	none
address	string	none
port	integer	none
location	string	none

TestIntegrationResponse

{
  "success": false,
  "error": "Failed to authenticate"
}

Properties

Name	Type	Description
success*	boolean	Whether or not the test succeeded
error	string	If the test failed, a suitable error message

UpdateHostsRequest

{
  "hostnames": [
    "example.com"
  ],
  "preview": true,
  "subdomains": true,
  "changes": {
    "status": "monitored",
    "axfr": "enabled",
    "axfrHost": "stealth.ns.example.com",
    "axfrTsig": {
      "algorithm": "HMAC_MD5",
      "key": "base64key=",
      "name": "thename"
    },
    "groupOp": "add",
    "groups": [
      "staging",
      "development"
    ]
  }
}

Properties

Name	Type	Description
hostnames*	[string]	List of hosts to update.
preview	boolean	If set, doesn't carry out the operation, but returns a list of hosts that would have been affected. Default: false
subdomains	boolean	If set, indicates that the operation should apply to all the subdomains of the specified hosts. Default: false
changes	UpdateHostsChanges	none

UpdateHostsResponse

{
  "hostnames": [
    "example.com"
  ],
  "preview": true
}

Properties

Name	Type	Description
hostnames*	[string]	List of hosts that have been updated (or would have been updated, in preview mode).
preview*	boolean	Indicates if the action was executed or only previewed.

UpdateAccessControlConfigRequest

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": "disabled",
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": "disabled"
}

All fields are optional. Supply only the fields that need updating.

Properties

Name	Type	Description
apiNetworks	[cidr]	List of network address ranges from which access to the API should be allowed. Empty list means no restrictions.
apiNetworksCascade	string	If set to true, the configured API whitelist is enforced on all child organizations.
appNetworks	[cidr]	List of network address ranges from which access to the web application should be allowed. Empty list means no restrictions.
appNetworksCascade	string	If set to true, the configured web application whitelist is enforced on all child organizations.

Enumerated Values

Property	Value
apiNetworksCascade	disabled
apiNetworksCascade	enabled
appNetworksCascade	disabled
appNetworksCascade	enabled

UpdateAccessControlConfigResponse

{
  "apiNetworks": [
    "127.0.0.1/32"
  ],
  "apiNetworksCascade": true,
  "appNetworks": [
    "127.0.0.1/32"
  ],
  "appNetworksCascade": true
}

Management access restrictions configuration, after the requested changes have been applied.

Properties

Name	Type	Description
apiNetworks*	[cidr]	Network address range from which access to the API is allowed.
apiNetworksCascade*	boolean	Indicator of whether the API network access configuration should cascade to all child organizations.
appNetworks*	[cidr]	Network address range from which access to the web application is allowed.
appNetworksCascade*	boolean	Indicator of whether the web application network access configuration should cascade to all child organizations.

UpdateNetworkScanningConfigRequest

{
  "netscanStatic": true,
  "netscanDynamic": true,
  "monitorCloudIps": true,
  "netscanExclusions": [
    "127.0.0.1/32"
  ]
}

All fields are optional. Supply only the fields that need updating.

Properties

Name	Type	Description
netscanStatic	boolean	If set to true, scaning of static networks is enabled. For the scanning to take place, individual networks must be explicitly configured for scanning.
netscanDynamic	boolean	If set to true, scanning of dynamic IP addresses resolved from the organization's hostnames is enabled.
monitorCloudIps	boolean	If set to true, scanning of IP addresses discovered by cloud integrations is enabled.
netscanExclusions	[cidr]	Contains a list of network ranges that will be excluded from network scaning.

UpdateOrgRequest

{
  "name": "Hardenize",
  "status": "active",
  "commercialStatus": "internal",
  "generateApiCredentials": false,
  "hostDiscoveryAutoimportSubdomains": true,
  "hostDiscoveryExcludeSuffixes": [
    "sub.example.com"
  ],
  "hostDiscoveryEnabled": true,
  "hostDiscoveryLimitHard": 10000,
  "hostLimitHard": -1,
  "featureHostDiscovery": true,
  "featureMfa": false,
  "featureSaml": false
}

Properties

Name	Type	Description
name	string	Organization name is typically what will be shown in administrative user interfaces. If not provided in the request, the the `id` parameter will be used as the default value.
status	string	none
commercialStatus	string	none
generateApiCredentials	boolean	If set, creates new master API credentials for the organization. The generated password must be stored by the caller, otherwise it will be lost.
hostDiscoveryAutoimportSubdomains	boolean	If provided, updates the corresponding organization setting.
hostDiscoveryExcludeSuffixes	[string]	If provided, this field is a list of domain suffixes that should be ignored during discovery.
hostDiscoveryEnabled	boolean	If provided, enables or disables host discovery.
hostDiscoveryLimitHard	integer	If provided, updates the host discovery limit.
hostLimitHard	integer	If provided, updates the hard host limit.
featureHostDiscovery	boolean	If provided, updates the corresponding organization setting. The feature must be available in the parent organization to be enabled in a suborg.
featureMfa	boolean	If set, enables multi-factor authentication (MFA). The feature must be available in the parent organization. Default: false
featureSaml	boolean	If set, enables SAML. The feature must be available in the parent organization. Default: false

Enumerated Values

Property	Value
status	active
status	dormant
status	suspended
status	deleted
commercialStatus	free
commercialStatus	internal
commercialStatus	paying
commercialStatus	trial

UpdateOrgResponse

{
  "suborg": {
    "id": "hardenize",
    "name": "Hardenize",
    "status": "active",
    "commercialStatus": "internal",
    "apiUsername": "59b71e9801f56c84a1bd537a448cf25c",
    "apiPassword": "3ccb5136c4b584a483cb77cf7111232f",
    "hostDiscoveryAutoimportSubdomains": true,
    "hostDiscoveryEnabled": true,
    "hostDiscoveryError": "string",
    "hostDiscoveryErrorTime": "2019-08-24T14:15:22Z",
    "hostDiscoveryExcludeSuffixes": [
      "sub.example.com"
    ],
    "hostLimitHard": 10000,
    "hostDiscoveryLimitHard": 10000,
    "certLimitHard": 75000,
    "featureHostDiscovery": false,
    "featureMfa": false,
    "featureSaml": false
  }
}

Properties

Name	Type	Description
suborg	Organization	none

UnpackedCert

{
  "label": "www.example.com",
  "subject": "CN=www.example.com",
  "commonNames": [
    "www.example.com"
  ],
  "san": [
    "mail.example.com"
  ],
  "ski": "af47cb938e299991ec6538685ec20affbf817b2f",
  "issuerDn": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
  "issuer": "Let's Encrypt Authority X3",
  "serial": "d0e65b67fe58f4a5d649cfaa3bb3c2fb",
  "aki": "keyid:a84a6a63047dddbae6d139b7a64565eff3a8eca1",
  "notBefore": "2023-09-22T15:34:49.742Z",
  "notAfter": "2023-09-22T15:34:49.742Z",
  "issuerUrls": [
    "http://cert.int-x3.letsencrypt.org/"
  ],
  "crlUrls": [
    "http://crl.pki.goog/GTS1O1.crl"
  ],
  "ocspUrls": [
    "http://ocsp.pki.goog/gts1o1"
  ],
  "fingerprintSha1": "0b2ef51947ee290c4a013305bf7d25c09da2887e",
  "fingerprintSha256": "af877fdaba095d0ef9305c6a8d1eed2a7ad3fe05a193b702f9daa8a69a6533ec",
  "keyUsage": [
    "keyEncipherment"
  ],
  "extendedKeyUsage": [
    "serverAuth"
  ],
  "scts": [
    {
      "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
      "logName": "DigiCert Yeti2020 Log",
      "timestamp": "2023-09-22T15:34:49.742Z"
    }
  ],
  "mustStaple": true,
  "sigAlg": {
    "oid": "1.2.840.113549.1.1.11",
    "name": "SHA256withRSA"
  },
  "subjectKey": {
    "algName": "RSA",
    "bits": 2048,
    "strength": 112,
    "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
  },
  "ca": true,
  "caPathLen": 1
}

Various information parsed from the certificate.

Properties

Name	Type	Description
label*	string	Summary of the cert
subject*	string	Certificate subject Distinguished Name in text format.
commonNames	[string]	Common names of the certificate
san	[string]	Hostnames from the SAN field
ski	string	Subject Key Identifier
issuerDn*	string	Certificate issuer Distinguished Name in text format.
issuer*	string	Certificate issuer
serial*	string	Hex-encoded serial number.
aki	string	Authority Key Identifier
notBefore*	string(date-time)	ISO 8601 timestamp.
notAfter*	string(date-time)	ISO 8601 timestamp.
issuerUrls	[string]	Issuer URLs
crlUrls	[string]	Certificate Revocation List URL
ocspUrls	[string]	OCSP URLs
fingerprintSha1*	string	SHA1 Fingerprint
fingerprintSha256*	string	SHA256 Fingerprint
keyUsage*	[string]	Allowed usages for the cert
extendedKeyUsage*	[string]	Further allowed usages for the cert
scts	[UnpackedCertSct]	CT Signed Certificate Timestamps
mustStaple	boolean	Has the must-staple feature
sigAlg*	UnpackedCertSigAlg	Signature Algorithm
subjectKey*	UnpackedCertSubjectKey	Subject Key
ca	boolean	If this cert is a CA cert
caPathLen	integer	If CA cert, how deep a certification path may exist through it

UnpackedCertSct

{
  "logId": "f095a459f200d18240102d2f93888ead4bfe1d47e399e1d034a6b0a8aa8eb273",
  "logName": "DigiCert Yeti2020 Log",
  "timestamp": "2023-09-22T15:34:49.743Z"
}

CT Signed Certificate Timestamp

Properties

Name	Type	Description
logId*	string	The log ID
logName*	string	The name of the log
timestamp*	string(date-time)	ISO 8601 timestamp.

UnpackedCertSigAlg

{
  "oid": "1.2.840.113549.1.1.11",
  "name": "SHA256withRSA"
}

Signature Algorithm

Properties

Name	Type	Description
oid*	string	Signature algorithm OID
name*	string	String representation of signature algorithm

UnpackedCertSubjectKey

{
  "algName": "RSA",
  "bits": 2048,
  "strength": 112,
  "spkiSha256": "c488f58fd1e287f9ad3e56d0316626765beda2fb0788c39da439e024d0f4ca41"
}

Subject Key

Properties

Name	Type	Description
algName*	string	none
bits*	integer	none
strength*	integer	none
spkiSha256*	string	none

GetUserResponse

{
  "user": {
    "userId": 10001,
    "email": "postmaster@example.com",
    "name": "Bob",
    "status": "active",
    "serviceAccount": true,
    "expirationTime": "2023-09-22T15:34:49.743Z",
    "password": "61cec76600adc8b7aa522a5078f7c837",
    "mfaEnabled": false,
    "role": "observer"
  }
}

Properties

Name	Type	Description
user*	User	The User object represents one of your users that are members of the organization. They can be actual users, or service accounts.

ListUsersResponse

{
  "users": [
    {
      "userId": 10001,
      "email": "postmaster@example.com",
      "name": "Bob",
      "status": "active",
      "serviceAccount": true,
      "expirationTime": "2023-09-22T15:34:49.743Z",
      "password": "61cec76600adc8b7aa522a5078f7c837",
      "mfaEnabled": false,
      "role": "observer"
    }
  ]
}

Properties

Name	Type	Description
users*	[User]	[The User object represents one of your users that are members of the organization. They can be actual users, or service accounts. ]

CreateServiceAccountRequest

{
  "name": "Data fetcher",
  "role": "observer",
  "expirationTime": "2023-09-22T15:34:49.743Z"
}

Properties

Name	Type	Description
name*	string	Name of the service account
role*	string	Role of the service account
expirationTime	string(date-time)	Service accounts may have expiration times

Enumerated Values

Property	Value
role	owner
role	admin
role	member
role	observer

InviteUserRequest

{
  "name": "Bob",
  "email": "postmaster@example.com",
  "role": "observer"
}

Properties

Name	Type	Description
name*	string	The users name
email*	string	The users email address
role*	string	The users role

Enumerated Values

Property	Value
role	owner
role	admin
role	member
role	observer

User

{
  "userId": 10001,
  "email": "postmaster@example.com",
  "name": "Bob",
  "status": "active",
  "serviceAccount": true,
  "expirationTime": "2023-09-22T15:34:49.744Z",
  "password": "61cec76600adc8b7aa522a5078f7c837",
  "mfaEnabled": false,
  "role": "observer"
}

The User object represents one of your users that are members of the organization. They can be actual users, or service accounts.

Properties

Name	Type	Description
userId*	integer	Unique user identifier
email*	string	The user's email address. In case of service accounts, we generate a special email address on Hardenize's own domain name.
name*	string	The name of the user or service account.
status*	string	User status. Normal user accounts begin with `invitationSent` status, which later changes to `active`, after the invitation is accepted. If an invitation is cancelled, the user object is deleted. Later on, an account's status may change to `retired` and possibly back to `active`.
serviceAccount*	boolean	Indicates if this user is a service account.
expirationTime	string(date-time)	Indicates the account's expiration time, if any.
password	string	When creating service accounts, or resetting their passwords, the auto generated password will be returned in plain text. This is the only time it will be available.
mfaEnabled	boolean	Whether or not multi-factor authentication is enabled for an account. This field is not present for service accounts, as MFA is not available in that context.
role*	string	The users role

Enumerated Values

Property	Value
status	active
status	retired
status	invitationSent
role	owner
role	admin
role	member
role	observer