
HTTP Headers For Fun & Profit - foobar2k
http://loopj.com/2012/12/07/http-headers-for-fun-and-profit/
======
citricsquid
curl -I www.reddit.com

    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Server: '; DROP TABLE servertypes; --
    Date: Fri, 07 Dec 2012 10:30:26 GMT
    Connection: keep-alive

~~~
cpsales
Haha, brilliant!

~~~
Selfcommit
I don't get it - What am I missing?

~~~
citricsquid

    Server: '; DROP TABLE servertypes; --

It's a mysql injection. If someone was scraping headers and logging them and
wasn't validating the input -- and their database was named "servertypes" --
it would delete the database.

------
dfc
Am i getting too old? When I see "for fun and profit" I don't think I'm going
to read about some easter eggs hiding in http headers.

~~~
jasonkostempski
But it's true in this case, there's a job posting in Interstate's headers.

------
mahmoudimus
My favorite is Zappos.com

    % curl -I www.zappos.com
    HTTP/1.1 200 OK
    Server: nginx/1.1.17
    Content-Type: text/html; charset=utf-8
    X-ZFC-Metadata: KiMIExILCgNuaWQSBDU5NjQSEgoGbGF5b3V0Eghob21lcGFnZQ==
    X-Powered-By: Ponies!
    X-Varnish-TTL: 60m
    X-Varnish: 251047185 251045936
    X-Cache-Hits: 87
    X-Varnish-Host: varnish04.zappos.net
    X-Varnish-ID: drupal
    X-Core-Value: 1. Deliver WOW Through Service
    X-Recruiting: If you're reading this, maybe you should be working at Zappos instead.  Check out jobs.zappos.com
    X-UUID: ecbb72d2-40c0-11e2-b1b3-0010184bda34
    Cache-Control: max-age=2004
    Date: Fri, 07 Dec 2012 23:19:43 GMT
    Connection: keep-alive

"Powered by Ponies!"

------
nwh
There's also a lot of fun robots.txt. I forget where it was mentioned (I
didn't find it myself) but this one always made me laugh:

    # robots.txt for http://www.palm.com/ modified 7/28/09 
    User-agent: Vampires
    Disallow: /neck

~~~
buttscicles
From reddit.com:

    User-Agent: bender
    Disallow: /my_shiny_metal_ass

    User-Agent: Gort
    Disallow: /earth

~~~
Boldewyn
Better still: <http://www.last.fm/robots.txt>

    Disallow: /harming/humans
    Disallow: /ignoring/human/orders
    Disallow: /harm/to/self

~~~
hiddenfeatures
OMFG. That is hilarious!

Made my day

------
molf
Here is a blog post with some classic HTTP headers (2005):
<http://www.nextthing.org/archives/2005/08/07/fun-with-http-headers>

The cool thing is that the approach to find these unusual headers was pretty
systematic.

------
afandian
What the hell is going on with those expand-on-hover boxes that you need to
move your mouse to see? Who thought that was a good idea?

~~~
laumars
Agreed. It took me about 30 seconds to work out how to view the content (so
long I nearly gave up and closed the page).

The problem I had was that I couldn't scroll. I ended up having to maximize my
browser (Opera) to read them as every time I move my mouse to the scroll bar,
they'd shrink again (same problem with using the mouse scroll wheel).

I can't imagine trying to read those boxes on a tablet where I don't even have a
cursor to hover.

~~~
afandian
I tried on my Android. If you click on the boxen they embiggen. It's not much
better than having to mouseover.

------
jorde
Interestingly IETF discourages the use of X prefixed headers but they might
still suite this kind of behavior <http://tools.ietf.org/html/rfc6648>

~~~
dfc
I'm sorry if this is obvious. What does the verb "to suite" mean?

*I'm not trying to be pedantic, genuinely curious if it is a word I do not know.

~~~
DanWaterworth
I think "suit" was intended.

------
leftnode
I have a RESTful Symfony2 bundle that sends an X-Men header with a random
X-Person from the comic books:

<https://github.com/brightmarch/BrightmarchRestfulBundle/blob/master/Controller/RestfulController.php>

------
ashray
Is this not a terrible waste of bandwidth though? At about 10 bytes per
header (on the low end...) and say 100 million requests per day, that amounts
to 1Gb of outbound bandwidth, if you count inbound bandwidth then that comes
to 2gb in total. Not to mention the cumulative time spent by users downloading
those bytes, thereby delaying resource display.

Okay, I see that I sucked the fun out of it :P

~~~
olalonde
Maybe they're just sending the headers for user-agent "curl"?

~~~
Fletch137
Nope, tried with Chrome latest and Firefox latest. I wondered the same.

------
srijan4
curl -I www.pinboard.in

    HTTP/1.1 200 OK
    Vary: Accept-Encoding
    Content-Type: text/html; charset=utf8
    Connection: keep-alive
    Server: You got SERVED!
    X-Cache: MISS
        X-Cache: MISS

------
SquareWheel
Only one I know that hasn't been mentioned:

<http://www.seomoz.org/>

    X-Recruiting: If you're reading this, maybe you should be working at SEOmoz instead. Check out www.seomoz.org/about/jobs

~~~
whalesalad
I want to say this was copied/ inspired by Automattic's

------
mokash
I know Wordpress.org sends a header called X-Hacker or something, telling
people who see the header to look at their jobs page and tell them about the
header.

~~~
mapleoin
It's not that hard to check and it seems they don't. But they have this other
X-nc header:

    $ curl -I wordpress.org
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 07 Dec 2012 12:15:43 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Vary: Accept-Encoding
    X-nc: HIT luv 139

~~~
rmccue
The X-nc header is related to the cache. The GP is correct in that these
headers used to be sent on wordpress.org and wordpress.com, but it appears
they are now only sent on automattic.com

------
notzach
I set this one up a while ago. The header is on most of our sites.

curl -I webmaster.appstate.edu

    X-Robot-3: Which of the following would you most prefer? A: a puppy, B: a pretty flower from your sweetie, or C: a large properly formatted data file?

------
arcatan
curl -I <https://www.instapaper.com/api/1/bookmarks/list>

    X-Powered-By: a lot of coffee and Phish

------
martindale
curl -I <https://localsense.com/>

    HTTP/1.1 200 OK
    x-powered-by: blood, sweat, and tears.

------
xyzzyb
Slashdot used to have x-fry and x-bender (Futurama) but it looks like even
those headers are gone from slashdot now.

~~~
netllama
All signs of intelligent life at /. disappeared years ago, as their parent
company was repeatedly lobotomized.

------
dschep
Slashdot used to have Futurama quotes in their (X-Bender and X-Fry iirc).
Don't seem to any more however.

------
JonnieCache
Another great place for job adverts is deep inside your minified JS code or
binary packages.

------
Joyfield
Some thought from a developer (me) : curl -I www.rendip.com

~~~
philbarr
Some "though" from a developer by the looks of it.

------
znowi
I'm a bit disappointed there are no fun headers on xkcd :/

------
rimantas

    > X-mas: Almost there.

