
Next dream job can be in an HTTP header - frenxi
https://frenxi.com/http-headers-you-dont-expect/
======
hombre_fatal
Just telling people to apply to domain.com/jobs is pretty lame. So, basically
the same door that anyone else goes through when they click the "Careers" link
in your site's footer?

Reminds me of when I solved one of the CTF challenges for a website only for
my reward to be "We're hiring! Apply at jobs.example.com!"

Real "be sure to drink your Ovaltine" moment.

~~~
dylanz
A perfect "be sure to drink your Ovaltine" moment! If anyone is unfamiliar, it
refers to the movie "A Christmas Story". The moment here:
[https://www.youtube.com/watch?v=zdA__2tKoIU](https://www.youtube.com/watch?v=zdA__2tKoIU)

I first saw that movie only a couple of years ago and quickly realized how many
pop culture references come from it. It does such a good job of capturing a
period of time in North America. Even before I saw the movie, eating out at a
Chinese restaurant was a thing for me and my family. I had no idea it may have
been related! Also... one day I'll own that lamp.

~~~
mosselman
This is great, thanks. I haven't seen this movie or heard of it. This scene is
delivered very well and really explains the 'be sure to drink your ovaltine'
concept.

~~~
dgzl
A Christmas Story is classic Americana

------
m0dest
When Google was working on the first Chromebook, they decided to give away
some prototype Chromebooks to developers for free. There was a web form to
request one. A small portion of the requests were granted.

But they also took a more targeted approach: If you appeared to be a frequent
user of the Dev release channel of Chrome (unstable), an offer would appear on
the New Tab page to immediately claim a prototype Chromebook for free.

I only know this because that’s how I got mine. A coworker of mine was
interested in developing a ChromeOS app, tried switching to the Chrome Dev
channel like me, and received a similar offer in a few days.

It was great targeting. We both ended up making ChromeOS-specific improvements
to a popular web app. When you compare this to the cost of paying a company to
port their app to your platform, this was a good deal for them.

~~~
isiahl
Ah, the CR-48! I was watching the Google I/O when it was announced, and they
shared a link to request the prototype. I filled it out right as they showed
it and a couple weeks later I had a new laptop on my doorstep. I was around
11 at the time so my mom saw it first and thought it was like a bomb. The
packaging for it was really cool, I won't forget it, and it came with a bunch
of dope stickers.

I'm even still in the Google Group for the testers, but nowadays it's
mostly people talking about how the hinges broke on theirs.

~~~
otachack
My then-roommate got one and I remember being impressed at the lack of
branding. All laptops until then had had a company logo.

------
tarasmatsyk
I stumbled across "we hire" messages on Paypal, Techcrunch, and a dozen
other websites, even no-name startups. You can find them in headers, CSS,
HTML, JS and all over different places.

The thing is: the message neither changes the recruiting process nor company
values, so it does not matter if you come from an X-Header or company/careers.
This cryptic message thing will only get you an "oh cool" reply from recruiters.
If you are a good engineer you'll be hired regardless of these messages; if you
don't fit the company because of who knows why, you'll not get there anyway.

Engineers, thank you for giving me a bit of hope or fun ¯\(°_o)/¯

~~~
fragmede
_> If you are a good engineer you'll be hired no matter of these messages_

That's a bit idealistic. When one job has 100 applicants, the unfortunate
reality is not all 100 resumes will get read. If you've already got a couple
years to a decade of experience under your belt, your resume will naturally
surface to the top of the pile, but if you're just starting out, it can be
impossible.

Recruiters may only say "oh cool" to you, but, especially if your resume shows
zero years of professional experience, there's a tiny bit more effort that
goes on behind the scenes. You're right that you still go through the exact
same flow, but it's a (tiny) shibboleth that helps show that the candidate
fits the mold.

~~~
shoo
I agree, & it's even worse than that: the hiring pipeline will only measure how
well you do on the day, which is a noisy measurement of underlying ability.

If you get asked a coding problem in an interview and don't go so well, it
doesn't matter if you would have had a strong answer for the 10 alternative
interview problems that weren't asked.

------
jedberg
For a while we had a recruiting message in the reddit headers. We also had
this for many years:

        x-Bender: Bite my shiny metal ass

We also had this for a long time:

        Server: '; DROP TABLE servertypes; --

Sadly, it looks like it was removed when they switched from haproxy to
varnish. They did put this in though:

        x-moose: majestic

So that's something I guess.

~~~
arethuza
Maybe custom response header would be the ideal place to insert output from
something like Emacs spook:

[http://www.cypherspace.org/adam/shirt/spook.html](http://www.cypherspace.org/adam/shirt/spook.html)

~~~
jaywalk
Well, now I'm on a bunch of lists. Thanks for that link.

------
achillean
There are quite a few things that people put in their HTTP headers. You can
search for these types of jobs:

[https://beta.shodan.io/search?query=x-recruiting](https://beta.shodan.io/search?query=x-recruiting)

[https://beta.shodan.io/search?query=x-hacker](https://beta.shodan.io/search?query=x-hacker)

You can also find tributes to people such as Terry Pratchett:

[https://beta.shodan.io/search?query=x-clacks-overhead](https://beta.shodan.io/search?query=x-clacks-overhead)

------
davio
We worked at a megacorp rental car company. Top-notch risk guy noticed the
x-hacker header on our wordpress.com blog and launched a CSIRT. Automattic
corp was trying to hack us. I had the infosec director sitting on my desk in
minutes. They fired up a conference bridge with a half dozen VPs while we
waited for the CIO.

"Get our wordpress account executive on the phone!" - yeah, don't have one,
we pay 9.99 a month for a blog, they also don't have a phone number

"Open up a SEV1 support ticket" - yeah, it says their support team is on
vacation this week

After about 90 minutes of hand-wringing on the conference call, I guess enough
of them googled the message to figure out it was a recruiting pitch. I got
confirmation from the community support forum a week later that we were indeed
not hacked.

------
twicetwice
Is anyone else annoyed this is being publicized? It pretty much destroys any
value that noticing the header might have as a signal. Granted the signal
strength was probably pretty low already, as other commenters have pointed
out, but blog posts like this must decrease it even further.

~~~
WilliamEdward
It didn't have any value to begin with, honestly. Websites have the exact same
message in their code simply by inspecting source or opening a console, and
that certainly doesn't show you have any sort of skill or curiosity.

It's not like the sites are offering you a job, they're saying you should
interview with them. I have not heard of anyone getting hired because of this.

~~~
sokoloff
I agree it’s not a marker of skill, but I do see it as evidence of curiosity.

------
runemadsen
I once made a Chrome extension called HeaderHunter to automatically notify
users when a recruitment header is detected. It still works:

[https://chrome.google.com/webstore/detail/headerhunter/almeo...](https://chrome.google.com/webstore/detail/headerhunter/almeoedichpmgpjhobhenfacacpohbma)

------
austincheney
I remember several years ago when I still had a Reddit account I found
internship opportunity advertisements in web socket payloads. I asked about
that on the reddit channel on Freenode, I think, and was politely told to not
mention it on r/JavaScript.

------
im3w1l
A long time ago my friend was one of the first to adopt ipv6. Some company had
a special page for him saying he was the first to connect over ipv6 and
instructions for claiming his prize. Called them up, and they had no idea they
had that page, they had to check and "oh huh we really do have that page". Had
had it up for so long that it had slipped from institutional memory.

------
galaxyLogic
I had a similar idea for financing Open Source software projects. The
contributing sponsors would get their URL and ad text into a comment at the
top of the source-code. The bigger your sponsorship the higher up in the list
your company will be.

The ads would of course be targeted at hackers, such as come work for us,
since only hackers read source-code. So it would be a very targeted ad (like
the http-header thing).

I don't know if this has been tried out in practice but why not, if even HTTP-
headers are used for a similar purpose?

~~~
mholt
Don't do it.

People will hate you for it... and never, ever let you live it down. :-/

~~~
niftich
He's speaking from experience. But, if your circumstances aren't exactly the
same, the outcome may be different.

Credits pages in software, accessible from the main UI, used to be very
common, and having names there -- or embedded in source code -- doesn't
violate a user expectation.

Server software sending 'Server:' headers also doesn't violate user
expectation, though some people prefer to turn these off.

Custom headers that cannot be turned off have a higher likelihood of violating
user expectation.

To the OP: in open source projects, some users will attempt to remove
undesired behavior, within the rights afforded by the license, but these
exercises of copyright can interact adversely with trademarks and other brand
protections, and with the surrounding (human) infrastructure and information-
space around a project (e.g. names, URLs, references to services, secrets).

Your attempts to reconcile such a situation are nontrivial, and both inaction
and action have a high likelihood of resulting in bad press (e.g. user
confusion about fork, or heavy-handed enforcement). The harm will persist long
after the original situation has been resolved or mitigated.

~~~
galaxyLogic
> some users will attempt to remove undesired behavior,

Surely. But a link in a comment to a supporter who helped finance the project
is not really "behavior" is it? It is not part of the program that executes.

So it is not "undesired behavior" since it is not behavior at all.

But is it "undesired" in other ways?

If you put in a copyright notice into the source code, that is a kind of
advertising for whoever's name is in it. Often comments contain links to the
website of whoever maintains the source-code. Is that undesired? If not then
what would be so undesirable about putting in a link to the website of whoever
supported the project financially.

And if they paid for that, they would be supporting the project financially.
And in the end isn't that what we want, financial support for Open Source
projects?

------
AegirLeet
I like adding "Server: Windows 95", "X-Powered-By: PHP 2.0" or something like
that. You know, just to mess with people. Make them wonder what the fuck they
just stumbled upon.

------
voltagex_
[https://xclacksoverhead.org/home/about](https://xclacksoverhead.org/home/about)
is the best one.

------
ruffrey
Most systems I work on, I find a way to put a fun X-header into the server.
Favorite so far was: `X-MrSkeltal: thank`

~~~
saagarjha
doot doot

------
tyingq
I noticed a16z.com has this header:

x-hacker: If you're reading this, you should visit wpvip.com/careers and apply
to join the fun, mention this header.

So Wordpress is advertising via end users of its software.

Edit: Ahh, as mentioned in the article...

------
praptak
I saw a job ad in the output on the JavaScript console. Very good targeting -
someone poking around the JS for the site is likely to be a good fit for the
frontend dev role for that site.

Well, maybe not super likely in absolute terms but still infinitely more
likely than a random person reading a dev job board.

------
esjr
So no one has heard of RFC 6648?
[https://tools.ietf.org/html/rfc6648](https://tools.ietf.org/html/rfc6648)

~~~
wlll
> "…in practice the benefits [of the "X-" convention] have been outweighed by
> the costs associated with the leakage of unstandardized parameters into the
> standards space."

Honestly, prefixing silly, fun or extra headers with X- like in this scenario
seems pretty harmless.

------
pfranz
Slashdot.org used to have a random Futurama quote and Reddit.com used to
contain '; DROP TABLE servertypes; --

------
kumarm
> That specific header seems to be a "default" one if you host your site on
> WordPress VIP, the enterprise WordPress hosting solution managed by
> Automattic.

Now that's terabytes of data moving around :)

------
wenbin
It's very common to find recruiting messages in browser dev console, for
Chinese companies, e.g.,

- [https://www.baidu.com/](https://www.baidu.com/)

- [https://www.zhihu.com/](https://www.zhihu.com/)

- [https://www.douban.com/](https://www.douban.com/)

- [https://www.jd.com/](https://www.jd.com/)

...

~~~
kevindeasis
I see this in a lot of websites I visit. I usually inspect them just out of
curiosity.

Some of them get pretty clever, like a hidden element that says something
funny.

The funniest thing I saw: I was looking at an API from a top-tier tech
company and the person who wrote the software had a message in it containing
words of frustration. Like swear words.

But the weirdest thing I usually see is how the flagship of some top tech
company can't make their website responsive when all you have to do is change
a few lines of code.

Or when they upgrade their UI/UX and just break a lot of features.

------
rajeshrajappan
[https://gusto.com/](https://gusto.com/) has something in the dev console. It's
like a treasure hunt.

~~~
eyelidlessness
I was curious about this one, so I took a look.

             _____ _    _  _____ _______ ____
            / ____| |  | |/ ____|__   __/ __ \
           | |  __| |  | | (___    | | | |  | |
           | | |_ | |  | |\___ \   | | | |  | |
           | |__| | |__| |____) |  | | | |__| |
            \_____|\____/|_____/   |_|  \____/

        Hello from Gusto! Curious about how we work?

        "Peek" through the "window" to find out.

Okay, weird, but might be cool.

        window

Right at the top there's a bunch of junk that their third party scripts add...
yuck, but totally common. But there's a bunch of other stuff that they clearly
add to the global namespace for normal operations too. Yuck! Is this how you
work?

Anyway, not fully caffeinated yet so I just scroll randomly (a standard
`window` is enormous as it is, so there are surely needles in this haystack
but I'm not getting methodical just yet).

        method: "trackPii"

This appears to be a part of their internal analytics. D:

I'm gonna stop right here because I don't really want to learn more, and I'll
just continue my personal preference of never visiting Gusto unless my
employer requires me to.

------
thinkingkong
Another good one is when teams print console messages in the browser. Poke
around on a few systems and youll see hiring messages there too.

~~~
tommoor
[https://linear.app/](https://linear.app/) even puts a link to the changelog
in there, they know our type.

------
nmpennypacker
I've seen job links in HTML comments, too. Imgur used to do it. They may still
do it, but I'm too lazy to check :)

------
ageofwant
The only one that matters is

X-Clacks-Overhead "GNU Terry Pratchett"

------
kevinguay
The New York Times has a job link in the console (including a nice ASCII logo
that doesn't render well in HN):

      NYTimes.com: All the code that's fit to printf()
      We're hiring: https://nytimes.wd5.myworkdayjobs.com/Tech

------
PebblesHD
SoundCloud used to have something similar in the JS console, which I’ve seen
in a few other places as well. Quite clever as a way of filtering but as
pointed out they usually point to the regular front door so no magic queue
skip which seems like a lost opportunity...

------
nurettin
Reminds me of the time google mined my search data in order to redirect me to
their recruiting pages, but instead of abusing my data in unforeseeable ways,
these guys only require that you are able to switch to the network tab of your
browser. Pretty neat.

~~~
adrianN
Maybe engineers who are not concerned about Google mining their search data
for recruitment purposes are exactly the kind of engineer Google wants to
hire.

~~~
nurettin
Yeah, hosing people passing in front of your garden hoping to get one who
appreciates it because he's thirsty or something.

------
giorgioz
The robots.txt of tripadvisor.com has a message like that:

[https://www.tripadvisor.com/robots.txt](https://www.tripadvisor.com/robots.txt)

Hi there, If you're sniffing around this file, and you're not a robot, we're
looking to meet curious folks such as yourself. Think you have what it takes
to join the best white-hat SEO growth hackers on the planet? Run - don't crawl
- to apply to join TripAdvisor's elite SEO team Email
seoRockstar@tripadvisor.com Or visit
[https://careers.tripadvisor.com/search-results?keywords=seo](https://careers.tripadvisor.com/search-results?keywords=seo)

------
mister_hn
I've just opened the Firefox developer console and was flashed by so many
errors in the website.

Before asking to curl it, maybe fixing those errors would leave a better sense
of polish.

------
userbinator
I haven't seen any of these yet, but ironically, working for the company is
probably the last thing on my mind if I'm looking at HTTP headers from a site
since I usually do that when I must use it for some reason and need to figure
out why it's not working or how to more easily access it (it is often a SPA
which shouldn't be, or otherwise something designed with "Chrome is the only
browser you should use" mentality.)

~~~
austincheney
That is probably because you are occasionally looking at the headers using
browser developer tools, but it’s a whole different experience when you are
running something like Snort or Wireshark.

~~~
neatze
Personally, I prefer MITMProxy the most, because of a bonus effect: if you're
not lazy, you can automate your web life.

------
Ayesh
[https://ayesh.me/go/XSS](https://ayesh.me/go/XSS)

HTTP Headers are user-input for the recipient. I delivered a few
security-related talks where my website sends XSS payloads in its HTTP headers.
There are many "HTTP Headers checker" websites that fail to sanitize HTTP
headers, and they make a good punchline for the talk about sanitizing user-input.

The same goes for DNS records too.
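
The point above, turned into code as an added example (this is not code from Ayesh's talks or from the blog post): a minimal "HTTP headers checker" that renders the scanned site's response headers into an HTML report, shown first with the XSS bug and then with the fix. The header values, including the payloads, are constructed for the demonstration; the check at the end parses the generated markup the way a browser would and flags any element other than the report's own table.

```python
"""Added example of the point above (not Ayesh's talk code and not from the
blog post): a minimal "HTTP headers checker" that renders scanned headers
into an HTML report, shown with the XSS bug and with the fix.

The checker's user types in a site; the checker fetches that site's response
headers and shows them. Those headers come from the scanned server, so they
are untrusted input to the checker, and a server that answers with
    X-Hack: <script>...</script>
runs its script in the checker user's browser if the value is pasted into the
page unescaped. HOSTILE_HEADERS below is constructed for the demonstration.
"""
from __future__ import annotations

import html
from html.parser import HTMLParser

# Constructed sample: what a playful or hostile origin might send. The third
# value targets the case where a value lands inside a quoted attribute.
HOSTILE_HEADERS = [
    ("Server", "nginx"),
    ("X-Hack", "<script>alert(document.domain)</script>"),
    ("X-Recruiting", '"><img src=x onerror=alert(1)>'),
]


def render_unsafe(headers: list[tuple[str, str]]) -> str:
    """The bug: header names and values are concatenated straight into HTML."""
    rows = "".join(f"<tr><td>{name}</td><td>{value}</td></tr>" for name, value in headers)
    return f"<table>{rows}</table>"


def render_safe(headers: list[tuple[str, str]]) -> str:
    """The fix: escape every untrusted string where it enters the HTML.

    html.escape(quote=True) rewrites <, >, &, " and ', which keeps a value
    inert both as element content and inside a quoted attribute.
    """
    rows = "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td>"
        f"<td>{html.escape(value, quote=True)}</td></tr>"
        for name, value in headers
    )
    return f"<table>{rows}</table>"


class _TagCollector(HTMLParser):
    """Records every start tag a browser would parse out of the report."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(markup: str) -> list[str]:
    """Start tags in document order, as an HTML parser sees them."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def is_safe_report(markup: str) -> bool:
    """True when only the report's own table markup is present; any other
    element (script, img, ...) means a header value broke out of its cell."""
    return set(tags_in(markup)) <= {"table", "tr", "td"}


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        report = render(HOSTILE_HEADERS)
        print(f"{label}: tags={tags_in(report)} ok={is_safe_report(report)}")
```

The same shape applies to a DNS lookup tool echoing TXT records, and to anything that stores header values with string-concatenated SQL (reddit's `Server: '; DROP TABLE servertypes; --` above is the joke version): the value is controlled by whoever runs the server being inspected, so it has to be encoded for wherever it ends up, not trusted because it arrived in a header.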

------
giancarlostoro
I got a similar message when trying a known exploit of PHP on Facebook. I
forgot the bug / exploit; it may even have been an Easter egg for a single version
of PHP, but basically you added an argument to a URL path and it showed the PHP
file's code. Come to think of it, I think someone mentioned it here on HN but I
can't remember what it was.

------
znpy
I've found similar headers in emails.

For example, I was setting up a sieve-based filter for Groupon emails and
there was this x-recruiting header.

That was nice.

~~~
robin_reala
A job building HTML emails for Groupon? I guess someone has to do it, but I
don’t envy them.

~~~
znpy
nah, it was something like: "interested in headers? check out
http://jobs.xxxx.whatever"

------
alexmic
We have a nice one at Plum :)
[https://api.withplum.com](https://api.withplum.com)

------
amasad
[https://repl.it/jobs](https://repl.it/jobs) might be relevant here.

~~~
saagarjha
It's nice that they actually spin up a whole GCP instance for you instead of a
fake shell!

------
pistoriusp
X- prefixes for non-standard headers are deprecated because too many X-
headers eventually became standards.

------
koz_
It's pretty clever advertising really. I don't imagine that having noticed an
HTTP header would really give an applicant much of a boost in the interview
process, but to some it probably feels like finding a ticket to Willy Wonka's
factory and may motivate them to apply in the first place.

~~~
Polylactic_acid
They always just tell you to apply through the normal process.

------
ricardo81
Trying to recall where I first saw this being done; it was definitely a long
time ago, perhaps Google?

Seems slightly less effective nowadays, what with the standard browser tools
available: Ctrl + Shift + K.

Not that using telnet, curl or some such was much of a higher barrier, just
you had to go out of your way to use them.

~~~
Animats
Google used to have job ads which showed if you searched for CS topics such as
"proof of correctness".

------
adiscretion
The job note in the header of [https://www.mozilla.org/en-US/](https://www.mozilla.org/en-US/)
contains a little fire spitting dragon. A nice touch to grab the attention.

------
Inversechi
My favourite for this kinda thing was how bandcamp promoted their engineering
jobs.

[https://bandcamp.com/jobs](https://bandcamp.com/jobs)

They don't have any at the moment but it was always fun to solve.

------
bdcravens
I found one in my favorite niche streaming audio site. I actually went through
the process - there were actually a few steps to get to the actual email
address. I sent them an email even though I wasn’t on the market :-)

------
asebold
How did you find quirky headers on other websites? Did you use a script?

~~~
saagarjha

      $ curl -s -o /dev/null -D - https://frenxi.com/http-headers-you-dont-expect/
      HTTP/1.1 200 OK
      Content-Type: text/html
      Content-Length: 47608
      Connection: keep-alive
      Last-Modified: Fri, 15 May 2020 01:35:43 GMT
      x-amz-server-side-encryption: AES256
      Accept-Ranges: bytes
      Server: AmazonS3
      Via: 1.1 ddaf46a95abcfc80e8eae76235e2127c.cloudfront.net (CloudFront), 1.1 37d64bca4c93552139fb3a85c9c4a119.cloudfront.net (CloudFront)
      Strict-Transport-Security: max-age=31536000; includeSubDomains
      X-Frame-Options: SAMEORIGIN
      X-XSS-Protection: 1; mode=block
      X-Content-Type-Options: nosniff
      X-hack: Like HTTP headers? Check this blog post https://frenxi.com/http-headers-you-dont-expect/
      X-Amz-Cf-Pop: SEA19-C2
      Date: Fri, 15 May 2020 04:48:24 GMT
      ETag: "194d54c969aad10b9c74ca6d591ae3e7"
      Cache-Control: public, must-revalidate, max-age=0
      Vary: Accept-Encoding
      X-Cache: RefreshHit from cloudfront
      X-Amz-Cf-Pop: SFO20-C1
      X-Amz-Cf-Id: J_OaNOGn_a8oZRQzKfe9spXbuDp-V-zhmlX1tQJSLNM1BD4EFTYERg==

~~~
throw_away

      curl -I https://frenxi.com/http-headers-you-dont-expect/

also works for this.

~~~
tyingq
Sends a HEAD request instead of a GET, and the output goes to STDERR, so I
prefer the parent's suggestion.

~~~
throw_away

      curl -IXGET https://frenxi.com/http-headers-you-dont-expect/

then. All three pop out on STDOUT & this one is shorter with less to remember.

~~~
tyingq
Yep, better. -sIXGET omits the progress bar stuff.
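
An added example, not from the blog post and not what anyone in this thread ran, that does in Python what the curl one-liners above leave to the eye: parse a response's status line and header block, lower-case the names (header names are case-insensitive, so mixed capitalisation like `X-hack` next to `X-Frame-Options` is cosmetic), keep duplicate headers instead of collapsing them, and list whatever falls outside a baseline of expected headers. The baseline set and the `fetch_raw_headers()` helper are assumptions of this example, and the offline sample is a trimmed copy of the curl output quoted above.

```python
"""Added example (not the blog post's code and not the curl invocation above):
list the headers of an HTTP response that fall outside a baseline of expected
ones, which is the part of the hunt that curl leaves to the eye.

Assumptions of this example: the EXPECTED baseline below is a judgement call,
not a registry, and fetch_raw_headers() is an optional helper for live use;
the offline SAMPLE is constructed from the curl output quoted in this thread.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
from collections import OrderedDict

# Headers a typical origin or CDN is expected to emit. Anything outside this
# set deserves a look: a recruiting pitch, a joke, or a proxy you did not know
# about. Names are lower-case because header names are case-insensitive.
EXPECTED = {
    "accept-ranges", "age", "cache-control", "connection", "content-encoding",
    "content-length", "content-security-policy", "content-type", "date", "etag",
    "expires", "last-modified", "referrer-policy", "server", "set-cookie",
    "strict-transport-security", "vary", "via", "x-content-type-options",
    "x-frame-options", "x-xss-protection",
}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Turn a status line plus header block into (name, value) pairs.

    Names are lower-cased (mixed capitalisation like X-hack vs X-Frame-Options
    is cosmetic); duplicates are kept because a header may legitimately appear
    more than once, e.g. X-Amz-Cf-Pop from two CloudFront hops.
    """
    pairs: list[tuple[str, str]] = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue  # blank line or status line, not a header
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate junk rather than crash on one odd line
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def unexpected_headers(pairs: list[tuple[str, str]],
                       expected: set[str] = EXPECTED) -> OrderedDict[str, list[str]]:
    """Return headers not in `expected`, in first-seen order, with every value."""
    found: OrderedDict[str, list[str]] = OrderedDict()
    for name, value in pairs:
        if name not in expected:
            found.setdefault(name, []).append(value)
    return found


def fetch_raw_headers(url: str) -> str:
    """GET `url` (what `curl -sIXGET` does) and return status line + headers.

    urlopen raises on 4xx/5xx, but those responses carry headers too, so the
    error object is used as the response in that case. The "HTTP/1.1" prefix
    is cosmetic so the text matches what parse_headers() expects.
    """
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err
    status = f"HTTP/1.1 {resp.code} {resp.reason}"
    return status + "\n" + "".join(f"{k}: {v}\n" for k, v in resp.headers.items())


# Constructed sample: a trimmed copy of the curl output quoted in this thread.
SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 47608
Connection: keep-alive
Server: AmazonS3
Via: 1.1 ddaf46a95abcfc80e8eae76235e2127c.cloudfront.net (CloudFront)
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-hack: Like HTTP headers? Check this blog post https://frenxi.com/http-headers-you-dont-expect/
X-Amz-Cf-Pop: SEA19-C2
Date: Fri, 15 May 2020 04:48:24 GMT
X-Cache: RefreshHit from cloudfront
X-Amz-Cf-Pop: SFO20-C1
"""

if __name__ == "__main__":
    # With a URL argument the script goes live; without one it uses SAMPLE.
    raw = fetch_raw_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for name, values in unexpected_headers(parse_headers(raw)).items():
        for value in values:
            print(f"{name}: {value}")
```

Run without arguments it prints the three non-baseline headers from the sample (`x-hack`, both `x-amz-cf-pop` values, `x-cache`); with a URL it fetches live. Keeping duplicates matters for the CDN case above, where the two `X-Amz-Cf-Pop` values come from different edge hops and collapsing them would hide one.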

------
avipars
Very funny. reminds me of the Google Foo-Bar interview process.

------
city41
Can someone share what header the author added to their site? I only have my
iPhone for the next 6 days. Anyone know of a way to see headers on an iPhone
out of curiosity?

~~~
antigirl
x-hack: Like HTTP headers? Check this blog post [https://frenxi.com/http-headers-you-dont-expect/](https://frenxi.com/http-headers-you-dont-expect/)

~~~
chrismorgan
Um, that’s the article this whole thread is about. And it doesn’t answer the
question you’re replying to at all.

~~~
antigirl
Thats the custom header on his blog.

~~~
chrismorgan
Oops, I read that as prose rather than a header. It had been some minutes
since I had actually looked at the header value myself. Sorry.

------
plerpin
I saw this in a response from Crackle's CDN. No thanks.

------
Torkel
We did this in our binary - adding a message in there which would be seen if
attempting to reverse engineer or crack it. No emails from that yet though :)

------
nnd
Airbnb used to have a header X-Hi-Airbnb with a hiring manager's email a while
ago. I imagine they got rid of it because of the volume of emails.

------
fullstop
I found something in Pinterest headers once. It was something simple, like
base64 encoding though, and pointed to a job listing.

------
edwinyzh
About ten years ago I discovered tencent was doing a similar thing in the
console of Chrome's DevTools

------
gallego2007
Nice write-up with some interesting findings! I might have to start poking
around headers more often...

------
mmcclimon
I noticed recently that all the API responses from Twilio have an
X-Shenanigans: none header.

~~~
abulman
I'd expect they would also ensure the Evil bit was set to 0.
[https://tools.ietf.org/html/rfc3514](https://tools.ietf.org/html/rfc3514)

------
arberavdullahu
I was expecting some hidden message from his website headers too, but there
was none :(

------
bigintjin
Quizlet.com has a huge message in their console about directing you to their
jobs page.

------
tsukurimashou
these are pretty low effort and don't even indicate whether you found
their SUPER HIDDEN /career page by typing "shitty company open positions" into a
search engine or by analyzing their headers

------
csours
I love to see the mix of caps and non-caps in the header names.

------
greendestiny_re
This is a very clever native ad.

------
jordache
a developer checking out a response payload is considered l33t these days?

