Next dream job can be in an HTTP header (frenxi.com)
374 points by frenxi 12 months ago | 171 comments

Just telling people to apply to domain.com/jobs is pretty lame. So, basically the same door that anyone else goes through when they click the "Careers" link in your site's footer?

Reminds me of when I solved one of the CTF challenges for a website only for my reward to be "We're hiring! Apply at jobs.example.com!"

Real "be sure to drink your Ovaltine" moment.

A perfect "be sure to drink your Ovaltine" moment! If anyone is unfamiliar, it refers to the movie "A Christmas Story". The moment here: https://www.youtube.com/watch?v=zdA__2tKoIU

I first saw that movie only a couple of years ago and quickly realized how many pop culture references come from it. It does such a good job of capturing a period of time in North America. Even before I saw the movie, eating out at a Chinese restaurant was a thing for me and my family. I had no idea it may have been related! Also... one day I'll own that lamp.

This is great, thanks. I haven't seen this movie or heard of it. This scene is delivered very well and really explains the 'be sure to drink your ovaltine' concept

A Christmas Story is classic Americana

The movie was a childhood staple, but the book is even better - literally LOL'ed, snorted, etc. "In God We Trust: All Others Pay Cash" by Jean Shepherd. There are lots of additional short stories there not featured in the movie.

Growing up in the 90's my family would make it a point to watch this every year around the holidays, good times. If you are ever in Cleveland, OH, you can actually tour the house they filmed most of it in.

It was a reference to an actual ad campaign, I believe, for a real product

Seems meta. As far as references to ads in movies I enjoy Demolition Man. I loop the classy cover of the jingle for Jolly Green Giant from time to time to endear me to my (close) colleagues. It's burnt deep, whelp time for a listen.

Fascinating aside on Demolition Man: some versions have all restaurants as Pizza Hut rather than Taco Bell [1]. The version I saw as a kid was Pizza Hut, so when I said “in the future all restaurants are Pizza Hut”, a friend said “you mean Taco Bell” and we both learned something :).

> For some non-American releases, references to Taco Bell were changed to Pizza Hut. This includes dubbing, plus changing the logos during post-production. Taco Bell remains in the closing credits. In the Swedish release the subtitles still use Taco Bell while the sound and picture has been altered as above. The original version released in Australia (on VHS) contained Taco Bell, yet the newer version on DVD was changed both in logo and dubbing to Pizza Hut (in the scene where the restaurant patrons are looking through the glass windows to the fight scene outside, Taco Bell can be seen etched into the glass, even in the modified version).

[1] https://tacobell.fandom.com/wiki/Demolition_Man

Indeed, in my youth I downloaded a version that had this and I was alarmed at first. Some further research showed that it was an international release as Pizza Hut has a broader brand globally. The scene in San Angeles where Wesley Snipes attacks a bunch of police and he learns of his programming was filmed in Irvine, CA. I've got a few photos of the location and now would be a good time to take some shots since it isn't as busy. Also tripped out that the Mall scene in Kindergarten Cop was shot at the Main Place Mall in Santa Ana.

> Just telling people to apply to domain.com/jobs is pretty lame. So, basically the same door that anyone else goes through when they click the "Careers" link in your site's footer? Reminds me of when I solved one of the CTF challenges for a website only for my reward to be "We're hiring! Apply at jobs.example.com!"

That reminds me of MI5’s Coding Challenge [1][2][3].

[1] https://cixtor.com/blog/mi5-coding-challenge

[2] https://www.mi5.gov.uk/careers/opportunities/coding-challeng...

[3] https://www.mi5.gov.uk/sites/default/files/styles/puzzal_ima...

One of the defence agencies in Australia made a puzzle quite a long time ago; I can't find it now. It was a bunch of hex in a banner advert; the hex was actually x86 assembly, which if 'run' would write a string into memory.

The string was just the URL of their recruitment portal. I was so disappointed, once I got it running I was hoping to hear helicopters or a knock on the door!

>I was so disappointed, once I got it running I was hoping to hear helicopters or a knock on the door!

They probably need a lot of people with some tech knowledge. This way they can probably gain the widest audience that is still useful.

If it's too hard to crack, it's unlikely your investment of time in this recruitment measure will actually yield results.

The point is that if you crack it, they should send you to some unique link. Even if it's not super hard, it at least proves some level of technical competency and so should allow you prioritised interview access (maybe at least skipping initial screening).

It works in reverse - you probably wouldn't want to work in such an environment with frustrating practices towards developers.

What frustrating practices? I'm a developer (and mathematician), and I love puzzles :)

Not everyone is working on awesome stuff at an intelligence agency. They still need people to work on their 20 year old hellscape of an ERP system in a hated language (Java, Ada, COBOL, etc).

sure, but how much of the actual job will be solving puzzles? Seems unlikely to be representative of the work so the people who enjoy the actual work might begrudge the interview and the people who enjoy the interview might not enjoy the work.

At an intelligence agency? Possibly quite a bit.

A valid stance. Incidentally, that's why I've never had any interest in working at a certain couple of FAANG companies.

I assume the solutions to these can be found publicly pretty quickly. So your secret bypass first filter loses utility after the first couple of people.

The reason you put these riddles online is to get to know people who love this kind of challenge. This is still the case if the solutions are available online, even though I would include a plea in my job ad not to post solutions online for fairness with respect to other potential applicants who managed to solve the riddle.

When in a job interview, it should be very easy to find out whether the person found the solution online or "cheated"; simply ask some detailed questions about how the person came up with this and that part of the approach.

The person that knows how to Google for solutions may be the right person for the job.

Perhaps filtering out the people who can neither solve it nor Google it is enough of a filter by itself. Not suggesting it should bypass more than initial screening, naturally.

Why do they call it Ovaltine?

The mug is round. The jar is round.

They should call it Roundtine.

I know you're joking, but I looked it up :)

'Ovaltine was developed in Bern, Switzerland, where it is known by its original name, Ovomaltine (from ovum, Latin for "egg", and malt, which were originally its key ingredients).' [1]

[1] https://en.wikipedia.org/wiki/Ovaltine

Ha, as a Swiss, from the Bern region, I was thinking whether this strange sounding Ovaltine has anything to do with Ovomaltine and was about to look it up.

In Switzerland, Ovomaltine is among the products with highest brand recognition ever and has a cult status because of their advertisement in the 80s and 90s.

Never knew it was a thing outside of Switzerland

I am from South America and I drink Ovomaltine every day. It has a lot less sugar than the local brands, which is a plus in my book. More actual taste than just sugary overload.

Used to be pretty big in Italy in late 70s/early 80s, then Nestlé destroyed all competition with their Nesquick. You can still find Ovomaltine in large supermarkets but it's clearly a bit player.

I wonder if it's a generational thing as well?

It is still sold as Ovomaltine in Germany and some other countries[1].

[1] https://www.ovomaltine.com/country-locator

And oval also comes from ovum. So it's a sibling rather than parent relationship.

Oh! That explains why I’d always get really sick after drinking/eating Ovaltine based products!

Because of the malt? Egg and egg products are no longer used.

It's a Jerry Seinfeld bit.

cerved was referencing an episode of Seinfeld

That's gold, cerved! Gold!

Google Foobar does it right and lets you skip to actually be considered, which is nice.

Has Google even bothered with Foobar for like past 2-3 years? It appears so frequently on non-incognito searches that surely every developer must have seen it by now.

I've never seen it, I assume it's just a US thing

I've never got it and I've been googling programming stuff for almost a decade now.

However, maybe I'm remembering wrong, but a few years ago I was reading an article about it and someone showed a search term that brought it up for them and I tried that term and got it. Don't remember what the search term was, but I think it was something related to one of the popular leetcode-esque algorithms I've never had to do in my hobbyist or professional work.

I've never seen it, but other people in my (non-US) country claim to have seen it. I always assumed it was either my taste in porn or the fact that I'm usually logged out and regularly clear tracking cookies.

FooBar is still being considered. I solved some problems a few months ago and was contacted by their recruiter one month after that; they did mention FooBar as the main signal.

I’ve never seen it on any of my searches. I got sent a link…

I’ve never seen it, live in the US, and I google developer things all the time. Maybe it’s because I work in Ruby and not one of the more googley languages?

I've never seen it, but I assume they only target people in the US.

I've had it hit me twice over the years.

Can't say I've seen it. Guess Google isn't hiring in my country.

I've seen it in the UK last November.

fwiw, a few of them say "mention this header"—so perhaps there is some accelerated path that it goes on.

Alternatively, they're tracking how many applications they get through that path.

When Google was working on the first Chromebook, they decided to give away some prototype Chromebooks to developers for free. There was a web form to request one. A small portion of the requests were granted.

But they also took a more targeted approach: If you appeared to be a frequent user of the Dev release channel of Chrome (unstable), an offer would appear on the New Tab page to immediately claim a prototype Chromebook for free.

I only know this because that’s how I got mine. A coworker of mine was interested in developing a ChromeOS app, tried switching to the Chrome Dev channel like me, and received a similar offer in a few days.

It was great targeting. We both ended up making ChromeOS-specific improvements to a popular web app. When you compare this to the cost of paying a company to port their app to your platform, this was a good deal for them.

Ah, the CR-48! I was watching the Google I/O when it was announced, and they shared a link to request the prototype. I filled it out right as they showed it and a couple weeks later I had a new laptop on my doorstep. I was around 11 at the time so my mom saw it first and thought it was like a bomb. The packaging for it was really cool, I won't forget it, and it came with a bunch of dope stickers.

I'm even still in the Google Group for the testers, but nowadays it's mostly people talking about how the hinges broke on theirs.

My then-roommate got one and I remember being impressed at the lack of branding. All laptops until then had had a company logo.

If you do a lot of searching for development keywords on Google, you get invited to https://www.google.com/foobar/

I've been searching development keywords for the guts of 5 years now, no invite.... I guess I'm not worthy

When you have to google for web development keywords, you are certainly not worthy. ;-)

I profoundly disagree with that sentiment.

I stumbled across "we hire" messages across Paypal, Techcrunch, and dozens of other websites, even no-name startups. You can find them in headers, CSS, HTML, JS and all over different places.

The thing is: the message neither changes the recruiting process nor company values, so it does not matter if you come from X-Header or company/careers. This cryptic message thing will only get you an "oh cool" reply from recruiters. If you are a good engineer you'll be hired regardless of these messages; if you don't fit the company because of who knows why, you'll not get there anyway.

Engineers, thank you for giving me a bit of hope or fun ¯\(°_o)/¯

> If you are a good engineer you'll be hired no matter of these messages

That's a bit idealistic. When one job has 100 applicants, the unfortunate reality is not all 100 resumes will get read. If you've already got a couple years to a decade of experience under your belt, your resume will naturally surface to the top of the pile, but if you're just starting out, it can be impossible.

Recruiters may only say "oh cool" to you, but, especially if your resume shows zero years of professional experience, there's a tiny bit more effort that goes on behind the scenes. You're right that you still go through the exact same flow, but it's a (tiny) shibboleth that helps show that the candidate fits the mold.

I agree, & it's even worse than that: the hiring pipeline will only measure how well you do on the day, which is a noisy measurement of underlying ability.

If you get asked a coding problem in an interview and don't go so well, it doesn't matter if you would have had a strong answer for the 10 alternative interview problems that weren't asked.

For a while we had a recruiting message in the reddit headers. We also had this for many years:

    x-Bender: Bite my shiny metal ass
We also had this for a long time:

    Server: '; DROP TABLE servertypes; --
Sadly, it looks like it was removed when they switched from haproxy to varnish. They did put this in though:

    x-moose: majestic
So that's something I guess.

Maybe a custom response header would be the ideal place to insert output from something like Emacs spook:


Well, now I'm on a bunch of lists. Thanks for that link.

It's also in the robots.txt file.

  User-Agent: bender
  Disallow: /my_shiny_metal_ass

X-Bender came from slashdot.org didn't it? I recall it being present in the early 2000s.

Yes I believe we blatantly stole it from them.

There was a whole thread on reddit about it a decade ago when someone first discovered the drop table header: https://www.reddit.com/r/programming/comments/c0m9v/reddits_...

There are quite a few things that people put in their HTTP headers. You can search for these types of jobs:



You can also find tributes to people such as Terry Pratchett:


We worked at a megacorp rental car company. Top-notch risk guy noticed the x-hacker header on our wordpress.com blog and launched a CSIRT. Automattic corp was trying to hack us. I had the infosec director sitting on my desk in minutes. They fired up a conference bridge with a half dozen VPs while we waited for the CIO.

"Get our wordpress account executive on the phone!" - yeah, don't have one, we pay 9.99 a month for a blog, they also don't have a phone number

"Open up a SEV1 support ticket" - yeah, it says their support team is on vacation this week

After about 90 minutes of hand-wringing on the conference call, I guess enough of them googled the message to figure out it was a recruiting pitch. I got confirmation from the community support forum a week later that we were indeed not hacked.

Is anyone else annoyed this is being publicized? It pretty much destroys any value that noticing the header might have as a signal. Granted the signal strength was probably pretty low already, as other commenters have pointed out, but blog posts like this must decrease it even further.

No, because all these headers just lead to the stock standard hiring page. It literally has no effect.

I first noticed these kinds of "hidden" hiring messages almost 10 years ago. I thought it was cool for like 20 seconds until I realised that it is no different than just applying normally on their normal hiring page.

So the fact that more people find out about this, is like people discovering that a hiring page exists on companies websites. Which they already knew.

What I'm actually annoyed by is that companies are still doing this stupid thing.

The audience for blog posts like these is probably pretty similar anyway.

Low signal strength for sure - all it says is "I know how to open Dev Tools." Rather than worry about trying to retain some value, I look at these posts as an educational opportunity. They can encourage people who don't know how the web works to dig deeper, learn more.

It didn't have any value to begin with, honestly. Websites have the exact same message in their code simply by inspecting source or opening a console, and that certainly doesn't show you have any sort of skill or curiosity.

It's not like the sites are offering you a job, they're saying you should interview with them. I have not heard of anyone getting hired because of this.

I agree it’s not a marker of skill, but I do see it as evidence of curiosity.

> Is anyone else annoyed this is being publicized?

I don't know about annoyed, but I wouldn't want to talk about any movies I haven't seen with the author, or involve them in planning a surprise party.

I once made a Chrome extension called HeaderHunter to automatically notify users when a recruitment header is detected. It still works:


I remember several years ago when I still had a Reddit account I found internship opportunity advertisements in web socket payloads. I asked about that on the reddit channel on Freenode, I think, and was politely told to not mention it on r/JavaScript.

A long time ago my friend was one of the first to adopt ipv6. Some company had a special page for him saying he was the first to connect over ipv6 and instructions for claiming his prize. Called them up, and they had no idea they had that page, they had to check and "oh huh we really do have that page". Had had it up for so long that it had slipped from institutional memory.

I had a similar idea for financing Open Source software projects. The contributing sponsors would get their URL and add-text into a comment at the top of the source-code. The bigger your sponsorship the higher up in the list your company will be.

The ads would of course be targeted at hackers, such as "come work for us", since only hackers read source code. So it would be a very targeted ad (like the HTTP header thing).

I don't know if this has been tried out in practice but why not, if even HTTP-headers are used for a similar purpose?

Don't do it.

People will hate you for it... and never, ever let you live it down. :-/

Other than the Caddy debacle, there was a short-lived attempt to run ads in the output of npm install, which also backfired spectacularly: https://news.ycombinator.com/item?id=20786981.

I think if there was a magic button to remove any and all advertising from the internet, most people would press it, consequences be damned. You really need to think hard before hitching your cart to that horse.

He's speaking from experience. But, if your circumstances aren't exactly the same, the outcome may be different.

Credits pages in software, accessible from the main UI, used to be very common, and having names there -- or embedded in source code -- doesn't violate a user expectation.

Server software sending 'Server:' headers also doesn't violate user expectation, though some people prefer to turn these off.

Custom headers that cannot be turned off have a higher likelihood of violating user expectation.

To the OP: in open source projects, some users will attempt to remove undesired behavior, within the rights afforded by the license, but these exercises of copyright can interact adversely with trademarks and other brand protections, and with the surrounding (human) infrastructure and information-space around a project (e.g. names, URLs, references to services, secrets).

Your attempts to reconcile such a situation are nontrivial, and both inaction and action have a high likelihood of resulting in bad press (e.g. user confusion about fork, or heavy-handed enforcement). The harm will persist long after the original situation has been resolved or mitigated.

> some users will attempt to remove undesired behavior,

Surely. But a link in a comment to a supporter who helped finance the project is not really "behavior" is it? It is not part of the program that executes.

So it is not "undesired behavior" since it is not behavior at all.

But is it "undesired" in other ways?

If you put a copyright notice into the source code, that is a kind of advertising for whoever's name is in it. Often comments contain links to the website of whoever maintains the source code. Is that undesired? If not, then what would be so undesirable about putting in a link to the website of whoever supported the project financially?

And if they paid for that, they would be supporting the project financially. And in the end isn't that what we want, financial support for Open Source projects?

Back when dinosaurs roamed the earth, BSD License literally had an "advertising clause".

The only question would be whether it should be used only for non-transferable "moral" authorship or transferable as the author chooses.

> only hackers read source-code

maybe I'm behind the times, but is 'hacker' now colloquial to mean 'anyone who codes'? Plenty of normal software engineers / devs, who are by no means 'hackers' (myself included) read the source code.

Inside the community, a hacker (as opposed to "cracker" or "security hacker") is someone who uses technology in a creative way.

My understanding of hacker is specifically someone who exploits vulnerabilities in code. Regular programmers are like building architects, hackers are like people holding up a mask so that the facial recognition powered NEST lock will let them inside the building.

so what do we call undesirables like anonymous and so on?

"crackers" or "security hackers". I'm sure most people on this site would consider themselves to be some form of "hacker", after all, this is "Hacker News".

"cracker" or "security hacker"

Every programmer of course reads some source code because they must read their own source code. But such a programmer might use an Open Source library without reading its source. Whereas if you are truly a hacker you are interested in how things work and you would more likely be reading such source.

I agree that definition of "hacker" is somewhat vague but mostly people understand it the same way depending on context.

I assume the reason dedicated programmers are called hackers is that earlier the word "hack" referred to writers.


What the hack, there's even a pub called "Old Hack"


You're actually too far ahead of the times.


It has been tried And The Results Will Surprise You: https://news.ycombinator.com/item?id=15237923

I like adding "Server: Windows 95", "X-Powered-By: PHP 2.0" or something like that. You know, just to mess with people. Make them wonder what the fuck they just stumbled upon.

Most systems I work on, I find a way to put a fun X-header into the server. Favorite so far was: `X-MrSkeltal: thank`

doot doot

I noticed a16z.com has this header:

x-hacker: If you're reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.

So WordPress is advertising via end users of its software.

Edit: Ahh, as mentioned in the article...

I saw a job ad in the output on the JavaScript console. Very good targeting - someone poking around the JS for the site is likely to be a good fit for the frontend dev role for that site.

Well, maybe not super likely in absolute terms but still infinitely more likely than a random person reading a dev job board.

So no one has heard of RFC 6648? https://tools.ietf.org/html/rfc6648

> "…in practice the benefits [of the "X-" convention] have been outweighed by the costs associated with the leakage of unstandardized parameters into the standards space."

Honestly, prefixing silly, fun or extra headers with X- like in this scenario seems pretty harmless.

Slashdot.org used to have a random Futurama quote and Reddit.com used to contain '; DROP TABLE servertypes; --

> That specific header seems to be a "default" one if you host your site on WordPress VIP, the enterprise WordPress hosting solution managed by Automattic.

Now that's terabytes of data moving around :)

It's very common to find recruiting messages in browser dev console, for Chinese companies, e.g.,

- https://www.baidu.com/

- https://www.zhihu.com/

- https://www.douban.com/

- https://www.jd.com/


I see this in a lot of websites i visit. I usually inspect them just out of curiosity.

Some of them get pretty clever, like a hidden element that says something funny

The funniest thing I saw: I was looking at an API from a top-tier tech company and the person who wrote the software had a message in it containing words of frustration. Like swear words.

But the weirdest thing I usually see is how the flagship of some top tech company can't make their website responsive when all you have to do is change a few lines of code.

Or when they upgrade their UI/UX and they just broke a lot of features.

https://gusto.com/ has something in the dev console. Its like a treasure hunt.

I was curious about this one, so I took a look.

         _____ _    _  _____ _______ ____
        / ____| |  | |/ ____|__   __/ __ \
       | |  __| |  | | (___    | | | |  | |
       | | |_ | |  | |\___ \   | | | |  | |
       | |__| | |__| |____) |  | | | |__| |
        \_____|\____/|_____/   |_|  \____/

    Hello from Gusto! Curious about how we work?

    "Peek" through the "window" to find out.
Okay, weird, but might be cool.

Right at the top there's a bunch of junk that their third party scripts add... yuck, but totally common. But there's a bunch of other stuff that they clearly add to the global namespace for normal operations too. Yuck! Is this how you work?

Anyway, not fully caffeinated yet so I just scroll randomly (a standard `window` is enormous as it is, so there are surely needles in this haystack but I'm not getting methodical just yet).

    method: "trackPii"
This appears to be a part of their internal analytics. D:

I'm gonna stop right here because I don't really want to learn more, and I'll just continue my personal preference of never visiting Gusto unless my employer requires me to.

It's less fun when devtools just shows you the code for the whole thing. Maybe there's a source map that shouldn't be there?

Another good one is when teams print console messages in the browser. Poke around on a few systems and you'll see hiring messages there too.

https://linear.app/ even puts a link to the changelog in there, they know our type.

Even some electron apps have this. Discord is one I can think of off the top of my head.

I've seen job links in HTML comments, too. Imgur used to do it. They may still do it, but I'm too lazy to check :)

The only one that matters is

X-Clacks-Overhead "GNU Terry Pratchett"

The New York Times has a job link in the console (including a nice ASCII logo that doesn't render well in HN):

      NYTimes.com: All the code that's fit to printf()
      We're hiring: https://nytimes.wd5.myworkdayjobs.com/Tech

SoundCloud used to have something similar in the JS console, which I’ve seen in a few other places as well. Quite clever as a way of filtering but as pointed out they usually point to the regular front door so no magic queue skip which seems like a lost opportunity...

Reminds me of the time google mined my search data in order to redirect me to their recruiting pages, but instead of abusing my data in unforeseeable ways, these guys only require that you are able to switch to the network tab of your browser. Pretty neat.

Maybe engineers who are not concerned about Google mining their search data for recruitment purposes are exactly the kind of engineer Google wants to hire.

Yeah, hosing people passing in front of your garden hoping to get one who appreciates it because he's thirsty or something.

The robots.txt of tripadvisor.com has a message like that:


Hi there, If you're sniffing around this file, and you're not a robot, we're looking to meet curious folks such as yourself. Think you have what it takes to join the best white-hat SEO growth hackers on the planet? Run - don't crawl - to apply to join TripAdvisor's elite SEO team Email seoRockstar@tripadvisor.com Or visit https://careers.tripadvisor.com/search-results?keywords=seo

I've just opened the Firefox developer console and was flashed by so many errors in the website.

Before asking to curl it, maybe fixing those errors will leave a better sense of polish.

I haven't seen any of these yet, but ironically, working for the company is probably the last thing on my mind if I'm looking at HTTP headers from a site since I usually do that when I must use it for some reason and need to figure out why it's not working or how to more easily access it (it is often a SPA which shouldn't be, or otherwise something designed with "Chrome is the only browser you should use" mentality.)

That is probably because you are occasionally looking at the headers using browser developer tools, but it’s a whole different experience when you are running something like Snort or Wireshark.

Personally, I prefer mitmproxy the most, because of the bonus effect: if you're not lazy, you can automate your web life.


HTTP Headers are user-input for the recipient. I delivered a few security-related talks where my website sends XSS payloads in its HTTP headers. There are many "HTTP Headers checker" websites that fail to sanitize HTTP headers, and they make a good punchline for the talk about sanitizing user-input.

The same goes for DNS records too.
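The point made above (headers, like DNS records, are input controlled by whoever runs the remote site, and a "headers checker" page that reflects them is just another reflected-XSS sink) as an added example that is not part of the thread or of any particular checker site. The sample headers are constructed; the two renderers are a minimal vulnerable/hardened pair for a page that fetches a URL and prints its response headers as HTML:

```python
"""Added example: reflecting response headers into a report page.

render_report_unsafe() trusts the remote server's header names and values
and interpolates them straight into HTML, so a site that serves something
like  X-Hack: <script>alert(document.domain)</script>  runs its script in
the checker's origin. render_report_safe() HTML-escapes both the name and
the value first. SAMPLE_HEADERS is constructed for this example.
"""
import html

# Constructed sample: ordinary headers plus a hostile value and a hostile *name*.
SAMPLE_HEADERS = [
    ("Server", "AmazonS3"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Hack", "<script>alert(document.domain)</script>"),
    ('X-Also-Hostile" onmouseover="alert(1)', "value"),
]


def render_report_unsafe(headers):
    """Vulnerable: remote-controlled text goes into the markup unchanged."""
    rows = "".join(
        f"<tr><td>{name}</td><td>{value}</td></tr>" for name, value in headers
    )
    return f"<table>{rows}</table>"


def render_report_safe(headers):
    """Hardened: escape every name and value before interpolation.

    quote=True also turns quotes into entities, so the same helper stays
    safe if a value is later placed inside an attribute rather than a cell.
    """
    rows = "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td>"
        f"<td>{html.escape(value, quote=True)}</td></tr>"
        for name, value in headers
    )
    return f"<table>{rows}</table>"


def contains_raw_markup(rendered, payload="<script>"):
    """Does the payload survive into the output as live markup?"""
    return payload in rendered


if __name__ == "__main__":
    print("unsafe:", render_report_unsafe(SAMPLE_HEADERS))
    print("safe:  ", render_report_safe(SAMPLE_HEADERS))
```

The same shape applies to DNS TXT records, `Server:` banners, or anything else a tool fetches from a host it does not control and then displays: the fix is output encoding for the context the data lands in, not trusting the protocol layer it arrived on.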

I got one similar message when trying a known exploit of PHP on Facebook. I forgot the bug / exploit; it may have even been an easter egg for a single version of PHP, but basically you added an argument to a URL path and it showed the PHP file's code. Come to think of it, I think someone mentioned it here on HN but I can't remember what it was.

I've found similar headers in emails.

For example, I was setting up a sieve-based filter for Groupon emails and there was this x-recruiting header.

That was nice.

A job building HTML emails for Groupon? I guess someone has to do it, but I don’t envy them.

nah, it was something like: "interested in headers? check out http://jobs.xxxx.whatever"

This made me curious. I'm going to look through my email archive and see if I can find anything of interest. Will update this post when I do.

We have a nice one at Plum :) https://api.withplum.com

https://repl.it/jobs might be relevant here.

It's nice that they actually spin up a whole GCP instance for you instead of a fake shell!

Quite nice

X- prefixes for non-standard headers are deprecated because too many X- headers eventually became standards.

It's pretty clever advertising really. I don't imagine that having noticed an HTTP header would really give an applicant much of a boost in the interview process, but to some it probably feels like finding a ticket to Willy Wonka's factory and may motivate them to apply in the first place.

They always just tell you to apply through the normal process.

Trying to recall where I first saw this being done, it was definitely a long time ago, perhaps Google?

Seems slightly less effective nowadays what with the standard browsers tools available, ctrl + shift + K

Not that using telnet, curl or some such was much of a higher barrier, just you had to go out of your way to use them.

Google used to have job ads which showed if you searched for CS topics such as "proof of correctness".

The job note in the header of https://www.mozilla.org/en-US/ contains a little fire spitting dragon. A nice touch to grab the attention.

My favourite for this kinda thing was how bandcamp promoted their engineering jobs.

They don't have any at the moment but it was always fun to solve.

I found one in my favorite niche streaming audio site. I actually went through the process - there were actually a few steps to get to the actual email address. I sent them an email even though I wasn’t on the market :-)

How did you find quirky headers on other websites? Did you use a script?

  $ curl -s -o /dev/null -D - https://frenxi.com/http-headers-you-dont-expect/
  HTTP/1.1 200 OK
  Content-Type: text/html
  Content-Length: 47608
  Connection: keep-alive
  Last-Modified: Fri, 15 May 2020 01:35:43 GMT
  x-amz-server-side-encryption: AES256
  Accept-Ranges: bytes
  Server: AmazonS3
  Via: 1.1 ddaf46a95abcfc80e8eae76235e2127c.cloudfront.net (CloudFront), 1.1 37d64bca4c93552139fb3a85c9c4a119.cloudfront.net (CloudFront)
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  X-hack: Like HTTP headers? Check this blog post https://frenxi.com/http-headers-you-dont-expect/
  X-Amz-Cf-Pop: SEA19-C2
  Date: Fri, 15 May 2020 04:48:24 GMT
  ETag: "194d54c969aad10b9c74ca6d591ae3e7"
  Cache-Control: public, must-revalidate, max-age=0
  Vary: Accept-Encoding
  X-Cache: RefreshHit from cloudfront
  X-Amz-Cf-Pop: SFO20-C1
  X-Amz-Cf-Id: J_OaNOGn_a8oZRQzKfe9spXbuDp-V-zhmlX1tQJSLNM1BD4EFTYERg==

  curl -I https://frenxi.com/http-headers-you-dont-expect/
also works for this.

Sends a HEAD request instead of a GET, and the output goes to STDERR, so I prefer the parent's suggestion.

  curl -IXGET https://frenxi.com/http-headers-you-dont-expect/
then. All three pop out on STDOUT & this one is shorter with less to remember.

Yep, better. -sIXGET omits the progress bar stuff.
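The replies above settle on `curl -s -o /dev/null -D -` (a real GET with the body discarded) because a HEAD response is not guaranteed to carry the same headers as the GET. What is missing is the next step: picking the odd headers out of the dump without reading every line by eye. The script below is an added example, not something posted in the thread or the blog; it parses a raw curl header dump (every response block when `-L` follows redirects), lower-cases the names because header names are case-insensitive, keeps duplicates in order, and lists whatever is not in an allow-list of headers a server or CDN normally sets. The allow-list is an assumption for the example, not a standard, and the embedded dump is constructed from the headers shown earlier in the thread; pipe `curl -s -o /dev/null -D - URL` into it for a live site.

```python
"""Pull the non-standard headers out of a `curl -s -o /dev/null -D -` dump.

Added example, not code from the thread. Usage:
    curl -s -o /dev/null -D - https://example.com/ | python3 odd_headers.py
With no stdin, it runs over the constructed sample below.
"""
import sys

# Constructed sample: a subset of the dump shown earlier in the thread.
SAMPLE_DUMP = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 47608
Server: AmazonS3
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
x-hack: Like HTTP headers? Check this blog post https://frenxi.com/http-headers-you-dont-expect/
X-Amz-Cf-Pop: SEA19-C2
X-Amz-Cf-Pop: SFO20-C1
Date: Fri, 15 May 2020 04:48:24 GMT
"""

# Headers a server or CDN routinely sets. Assumed allow-list for this example;
# extend it for the stack you are looking at.
COMMON = {
    "content-type", "content-length", "connection", "last-modified", "accept-ranges",
    "server", "via", "date", "etag", "cache-control", "vary", "content-encoding",
    "strict-transport-security", "x-frame-options", "x-xss-protection",
    "x-content-type-options", "x-cache", "x-amz-cf-pop", "x-amz-cf-id",
    "x-amz-server-side-encryption",
}


def parse_header_dump(text):
    """Return [(status_line, [(name, value), ...]), ...], one entry per response.

    curl -D prints one header block per response (several with -L), each
    terminated by a blank line. Names are lower-cased; duplicates are kept.
    Obsolete line folding (continuation lines starting with whitespace) is
    joined onto the previous value.
    """
    responses = []
    for block in text.replace("\r\n", "\n").split("\n\n"):
        lines = [line for line in block.split("\n") if line != ""]
        if not lines or not lines[0].startswith("HTTP/"):
            continue  # not a response block (e.g. stray output)
        headers = []
        for line in lines[1:]:
            if line[0] in " \t" and headers:
                name, value = headers[-1]
                headers[-1] = (name, value + " " + line.strip())
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue  # malformed line, skip rather than guess
            headers.append((name.strip().lower(), value.strip()))
        responses.append((lines[0].strip(), headers))
    return responses


def header_values(headers, name):
    """All values for one header in order, e.g. one X-Amz-Cf-Pop per CloudFront hop."""
    name = name.lower()
    return [value for n, value in headers if n == name]


def unusual_headers(headers, known=COMMON):
    """Headers outside the allow-list: custom, vendor or vanity headers worth a look."""
    return [(n, v) for n, v in headers if n not in known]


def main():
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for status, headers in parse_header_dump(text):
        print(status)
        for name, value in unusual_headers(headers):
            print(f"  {name}: {value}")


if __name__ == "__main__":
    main()
```

Run on the constructed sample it prints the status line and the single `x-hack` header; the duplicated `X-Amz-Cf-Pop` is kept as two values rather than collapsed, which matters when you are trying to work out how many proxies sit in front of an origin.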

Very funny. reminds me of the Google Foo-Bar interview process.

Can someone share what header the author added to their site? I only have my iPhone for the next 6 days. Anyone know of a way to see headers on an iPhone out of curiosity?

x-hack: Like HTTP headers? Check this blog post https://frenxi.com/http-headers-you-dont-expect/

Um, that’s the article this whole thread is about. And it doesn’t answer the question you’re replying to at all.

That's the custom header on his blog.

Oops, I read that as prose rather than a header. It had been some minutes since I had actually looked at the header value myself. Sorry.

Install iSH. Then

  curl -D- https://example.com/

For headers alone, use a HEAD request with `curl --head`, short form `curl -I`. `curl -D-` emits the body as well, which is just noise if you’re only interested in the headers.

A HEAD request doesn’t necessarily return the same headers as the corresponding GET request. Just use -o/dev/null to suppress the body (which I omitted for brevity).

I saw this in a response from Crackle's CDN. Nothanks

We did this in our binary - adding a message in there which would be seen if attempting to reverse engineer or crack it. No emails from that yet though :)

Airbnb used to have a header X-Hi-Airbnb with a hiring manager's email a while ago. I imagine they got rid of it because of the volume of emails.

I found something in Pinterest headers once. It was something simple, like base64 encoding though, and pointed to a job listing.

About ten years ago I discovered Tencent was doing a similar thing in the console of Chrome's DevTools.

Nice write-up with some interesting findings! I might have to start poking around headers more often...

I noticed recently that all the API responses from Twilio have an X-Shenanigans: none header.

I'd expect they would also ensure the Evil bit was set to 0. https://tools.ietf.org/html/rfc3514

I was expecting some hidden message from his website headers too, but there was none :(

Quizlet.com has a huge message in their console about directing you to their jobs page.

These are pretty low effort, and they don't even give an indication of whether you found their SUPER HIDDEN /career page by typing "shitty company open positions" into a search engine or by analyzing their headers.

I love to see the mix of caps and non-caps in the header names.

This is a very clever native ad.

a developer checking out a response payload is considered l33t these days?
