HTTP Headers For Fun & Profit (loopj.com)
50 points by foobar2k on Dec 7, 2012 | hide | past | favorite | 50 comments

curl -I www.reddit.com

    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Server: '; DROP TABLE servertypes; --
    Date: Fri, 07 Dec 2012 10:30:26 GMT
    Connection: keep-alive

Haha, brilliant!

I don't get it - What am I missing?

    Server: '; DROP TABLE servertypes; --
It's a mysql injection. If someone was scraping headers and logging them and wasn't validating the input -- and their database was named "servertypes" -- it would delete the database.
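
An added illustration of the logger that comment describes (my example, not code from the thread): the same "have we seen this server type before?" lookup written once by splicing the header into SQL text and once with a bound parameter, run against an in-memory sqlite3 database with reddit's header as the input. The table name and the `example.org`/`nginx` seed row are constructed for the demo.

```python
import sqlite3

# The Server header reddit sent in the thread above, used as the sample input.
REDDIT_SERVER_HEADER = "'; DROP TABLE servertypes; --"


def fresh_db() -> sqlite3.Connection:
    """In-memory database with the 'servertypes' table the joke refers to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servertypes (host TEXT, server TEXT)")
    conn.execute("INSERT INTO servertypes VALUES ('example.org', 'nginx')")  # seed row
    return conn


def seen_before_unsafe(conn: sqlite3.Connection, server: str) -> None:
    """The bug the comment describes: the header is spliced into the SQL text.

    The header's leading quote closes the string literal, ';' ends the SELECT,
    the injected DROP TABLE runs, and '--' comments out the dangling quote.
    executescript() stands in for a client that allows stacked statements;
    sqlite3's execute() (and MySQL in its default mode) rejects them, which is
    one reason a logger has to be fairly careless for this header to bite.
    """
    sql = f"SELECT COUNT(*) FROM servertypes WHERE server = '{server}'"
    conn.executescript(sql)


def seen_before_safe(conn: sqlite3.Connection, server: str) -> int:
    """Same lookup with a bound parameter: the header is data, never SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM servertypes WHERE server = ?", (server,)
    ).fetchone()
    return row[0]


def log_server(conn: sqlite3.Connection, host: str, server: str) -> None:
    """Parameterised insert: the odd value is stored verbatim and harmlessly."""
    conn.execute("INSERT INTO servertypes VALUES (?, ?)", (host, server))


def table_exists(conn: sqlite3.Connection) -> bool:
    """True while the 'servertypes' table is still in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'servertypes'"
    ).fetchone()
    return row is not None
```

Run the safe path first and the table survives with the header stored as a plain string; run the unsafe path once and the table is gone.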

Am i getting too old? When I see "for fun and profit" I don't think I'm going to read about some easter eggs hiding in http headers.

No, you're not. That headline was abusing that time-honored tradition.

But it's true in this case, there's a job posting in Interstate's headers.

My favorite is Zappos.com

    % curl -I www.zappos.com
    HTTP/1.1 200 OK
    Server: nginx/1.1.17
    Content-Type: text/html; charset=utf-8
    X-ZFC-Metadata: KiMIExILCgNuaWQSBDU5NjQSEgoGbGF5b3V0Eghob21lcGFnZQ==
    X-Powered-By: Ponies!
    X-Varnish-TTL: 60m
    X-Varnish: 251047185 251045936
    X-Cache-Hits: 87
    X-Varnish-Host: varnish04.zappos.net
    X-Varnish-ID: drupal
    X-Core-Value: 1. Deliver WOW Through Service
    X-Recruiting: If you're reading this, maybe you should be working at Zappos instead.  Check out jobs.zappos.com
    X-UUID: ecbb72d2-40c0-11e2-b1b3-0010184bda34
    Cache-Control: max-age=2004
    Date: Fri, 07 Dec 2012 23:19:43 GMT
    Connection: keep-alive
"Powered by Ponies!"

There's also a lot of fun robots.txt. I forget where it was mentioned (I didn't find it myself) but this one always made me laugh:

    # robots.txt for http://www.palm.com/ modified 7/28/09 
    User-agent: Vampires
    Disallow: /neck

From reddit.com:

    User-Agent: bender
    Disallow: /my_shiny_metal_ass

    User-Agent: Gort
    Disallow: /earth

Better still: http://www.last.fm/robots.txt

    Disallow: /harming/humans
    Disallow: /ignoring/human/orders
    Disallow: /harm/to/self

OMFG. That is hilarious!

Made my day
Here is a blog post with some classic HTTP headers (2005): http://www.nextthing.org/archives/2005/08/07/fun-with-http-h...

The cool thing is that the approach to find these unusual headers was pretty systematic.

What the hell is going on with those expand-on-hover boxes that you need to move your mouse to see? Who thought that was a good idea?

Agreed. It took me about 30 seconds to work out how to view the content (so long I nearly gave up and closed the page).

The problem I had was that I couldn't scroll. I ended up having to maximize my browser (Opera) to read them as every time I move my mouse to the scroll bar, they'd shrink again (same problem with using the mouse scroll wheel).

I can't imagine trying to read those boxes on a tablet where I don't even have a cursor to hover.

I tried on my Android. If you click on the boxen they embiggen. It's not much better than having to mouseover.

Why don't they just break and add a new line? These are really annoying.

Interestingly, the IETF discourages the use of X-prefixed headers, but they might still suite this kind of behavior: http://tools.ietf.org/html/rfc6648

I'm sorry if this is obvious. What does the verb "to suite" mean?

*I'm not trying to be pedantic, genuinely curious if it is a word I do not know.

I think "suit" was intended.

It's a very recent RFC from June 2012.

It was promoted from Draft with great celerity. I think they'd like it if folk stopped using X- sort of nowish.

Edit: on second thoughts, it's the IETF, they always move quick. And it's not as though this was a particularly thorny protocol or anything.

I have a RESTful Symfony2 bundle that sends an X-Men header with a random X-Person from the comic books:
Is this not a terrible waste of bandwidth though ? At about 10 bytes per header (on the low end..) and say 100 million requests per day, that amounts to 1Gb of outbound bandwidth, if you count inbound bandwidth then that comes to 2gb in total. Not to mention the cumulative time spent by users downloading those bytes, thereby delaying resource display.

Okay, I see that I sucked the fun out of it :P

Yeah it is a waste, but then so is sending CSS and Javascript that hasn't been minified. Or having multiple CSS / Javascript files when they could be consolidated. Or having long variable / class names in CSS / Javascript. Or constantly referring to Javascript as Javascript and not JS.

At some point you have to question whether you're being too stingy with bandwidth. Particularly when easter eggs like this could potentially bring you a few new visitors from the free advertising that happens when your site is discussed on blogs and forums like these.

But if nothing else; I think fun should be encouraged. After all, that's what Wozniak set out to do when he co-founded Apple :P

I wouldn't say a terrible waste of bandwidth given the novelty trade off it provides to people like us.

Besides, there's more wasted bandwidth from dubious user generated content per second floating around the internet at any second.

If you have 100 million requests per day, then you definitely have bigger problems such as your monthly CDN bill. :)

Maybe they're just sending the headers for user-agent "curl"?

Nope, tried with Chrome latest and Firefox latest. I wondered the same.

How many software engineers do you need to recruit via your http headers to offset the bandwidth costs?

pinterest.com seems to download ~700kB. Adding amusing http headers seems negligible.

1994 called, they want their bandwidth back! :)

curl -I www.pinboard.in

    HTTP/1.1 200 OK
    Vary: Accept-Encoding
    Content-Type: text/html; charset=utf8
    Connection: keep-alive
    Server: You got SERVED!
    X-Cache: MISS

Only one I know that hasn't been mentioned:
    X-Recruiting: If you're reading this, maybe you should be working at SEOmoz instead. Check out www.seomoz.org/about/jobs

I want to say this was copied/ inspired by Automattic's

I know Wordpress.org sends a header called X-Hacker or something, telling people who see the header to look at their jobs page and tell them about the header.

    # curl -I http://automattic.com
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 07 Dec 2012 12:53:44 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Vary: Accept-Encoding
    Last-Modified: Fri, 07 Dec 2012 12:51:57 GMT
    Cache-Control: max-age=193, must-revalidate
    X-nananana: Batcache
    Vary: Cookie
    X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
    X-Pingback: http://automattic.com/xmlrpc.php
    Link: <http://wp.me/Pe4R-am2>; rel=shortlink

It's not that hard to check and it seems they don't. But they have this other X-nc header:

    $ curl -I wordpress.org
    HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 07 Dec 2012 12:15:43 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    Vary: Accept-Encoding
    X-nc: HIT luv 139

The X-nc header is related to the cache. The GP is correct in that these headers used to be sent on wordpress.org and wordpress.com, but it appears they are now only sent on automattic.com

Sorry, it was automattic.com, dangrossman posted the headers.

I set this one up a while ago. The header is on most of our sites.

curl -I webmaster.appstate.edu

    X-Robot-3: Which of the following would you most prefer? A: a puppy, B: a pretty flower from your sweetie, or C: a large properly formatted data file?

curl -I https://www.instapaper.com/api/1/bookmarks/list

    X-Powered-By: a lot of coffee and Phish

curl -I https://localsense.com/

    HTTP/1.1 200 OK
    x-powered-by: blood, sweat, and tears.

Slashdot used to have x-fry and x-bender (Futurama) but it looks like even those headers are gone from slashdot now.

All signs of intelligent life at /. disappeared years ago, as their parent company was repeatedly lobotomized.

Slashdot used to have Futurama quotes in their headers (X-Bender and X-Fry, iirc). Don't seem to any more, however.

Another great place for job adverts is deep inside your minified JS code or binary packages.

Some thought from a developer (me): curl -I www.rendip.com

Some "though" from a developer by the looks of it.

I'm a bit disappointed there are no fun headers on xkcd :/

    > X-mas: Almost there.
