webRequest.SecurityInfo

An object describing the security properties of a particular web request. An object of this type is returned from the webRequest.getSecurityInfo() API.

If the request is not secured using TLS, then this object will contain only the property state, whose value will be "insecure".

Type

Values of this type are objects. They contain the following properties:

certificates
Array of CertificateInfo. If webRequest.getSecurityInfo() was called with the certificateChain option present and set to true, this will contain a CertificateInfo object for every certificate in the chain, from the server certificate up to and including the trust root.
Otherwise it will contain a single CertificateInfo object, for the server certificate.
certificateTransparencyStatus Optional

String. Indicates the Certificate Transparency status for the connection. This may take any one of the following values:

  • "not_applicable"
  • "policy_compliant"
  • "policy_not_enough_scts"
  • "policy_not_diverse_scts"
cipherSuite Optional
String. Cipher suite used for the connection, formatted as per the TLS specification: for example, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
errorMessage Optional

String. If there was a problem with the TLS handshake (for example, the certificate had expired, or a trusted root could not be found, or a certificate was revoked) then status will be "broken" and the errorMessage property will contain a string describing the error, taken from Firefox's internal list of error codes.

Note though that at present you can only call getSecurityInfo() in the onHeaderReceived listener, and the onHeaderReceived event is not fired when the handshake fails. So in practice this will never be set. 

hpkp Optional
Boolean. true if the host uses Public Key Pinning, false otherwise.
hsts Optional
Boolean. true if the host uses Strict Transport Security, false otherwise.
isDomainMismatch Optional
Boolean. true if the server's domain name does not match the domain name in its certificate, false otherwise.
isExtendedValidation Optional
Boolean. true if the server has an Extended Validation Certificate, false otherwise.
isNotValidAtThisTime Optional
Boolean. true if the current time falls outside the server certificate's validity period (i.e. the certificate has expired or is not yet valid), false otherwise.
isUntrusted Optional
Boolean. true if a chain back to a trusted root certificate could not be constructed, false otherwise.
keaGroupName Optional
String. If state is "secure" this describes the key exchange algorithm used in this request.
protocolVersion Optional

String. Version of the TLS protocol used. One of:

  • "TLSv1"
  • "TLSv1.1"
  • "TLSv1.2"
  • "TLSv1.3"
  • "unknown" (if the version is not valid)
signatureSchemeName Optional
String. If state is "secure" this describes the signature scheme used in this request.
state

String. State of the connection. One of:

  • "broken": the TLS handshake failed (for example, the certificate had expired)
  • "insecure": the connection is not a TLS connection
  • "secure": the connection is a secure TLS connection
  • "weak": the connection is a TLS connection but is considered weak. You can examine weaknessReasons to find out the problem.

Note though that at present you can only call getSecurityInfo() in the onHeaderReceived listener, and the onHeaderReceived event is not fired when the handshake fails. So in practice this will never be set to "broke".

weaknessReasons Optional
String. If state is "weak", this indicates the reason. Currently this may contain only a single value "cipher", indicating that the negotiated cipher suite is considered weak.

Browser compatibility

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxOperaFirefox for Android
Basic supportChrome No support NoEdge No support NoFirefox Full support 62Opera No support NoFirefox Android Full support 62

Legend

Full support  
Full support
No support  
No support

Document Tags and Contributors

Contributors to this page: wbamberg
Last updated by: wbamberg,