
The HTTP headers you don't expect

hacking, www | 1 min read

A few days ago, I was poking around Creditkarma's blog and I noticed this HTTP header:

X-hacker: If you're reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.

My first thought was: "Wow, back in the day we had the Millennium Bug to save a few bits on a date, and now companies have an entire job offer in an HTTP header!"

This made me very curious, so I did some research!

That specific header seems to be a "default" one if you host your site on WordPress VIP, the enterprise WordPress hosting solution managed by Automattic. You can find the same header on many famous websites like:

Devs and website owners could disable it, but to be honest, I doubt they even know they have that header in every HTTP response from their website. And of course, my second idea was to check if other companies have any sort of creative headers.

The results are surprising!

You can find more than one job offer in HTTP headers

Yes! The world's coolest companies seem to have job offers in this HTTP header: x-recruiting.

Some examples are:

Paypal.me

x-recruiting: If you are reading this, maybe you should be working at PayPal instead! Check out www.paypal.com/us/webapps/mpp/paypal-jobs

Booking.com

x-recruiting: Like HTTP headers? Come write ours: careers.booking.com

Etsy.com

x-recruiting: Is code your craft? www.etsy.com/careers

Otto.de

x-recruiting: Seems you like http headers. To write ours, apply at job.otto.de and mention this header.

Want the complete list? I created a GitHub repo about it: https://github.com/francescocarlucci/job-offers-http-headers

Job offers aside, in my research I also found more creative things that got me excited, as I am a big fan of mysterious nonsense.

Mysterious HTTP headers

9kw.eu, a website that seems to distribute a captcha system, tells us that 42 is the secret message:

X-Secret-Message: 42

Istreetview.com is unmaintained, but they have a web form hidden in a header.

X-Secret-URL: https://appio.link/secret

I submitted it...

Thetradersdomain.com has a hidden sauce in the headers, but it is confidential:

x-secret-sauce: Confidential

Images-dnxlive.com has some more "secret" links in one of its HTTP headers:

X-Secret-Message: camscv.dnxnetwork.lu

If you like luxury cars, jaguar.ro has a header to detect bots:

X-Bot: false

But it does not work very well: it fails if you spoof the user-agent (sorry Jaguar).

And yet... have you ever seen a server with a nickname? Here are a couple:

X-men.com

X-ServerNickName: clint

Howgoodisyourseo.com

X-ServerNickName: The Internet

Last but not least, our friends at m.bidorbuy.co.ke show us all their passion in HTTP headers:

x-powered-by: Passion and tiny cute kittens
x-servernickname: The Beast
x-hacker: If you are reading this, maybe you should be working at bidorbuy instead
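
For site owners who want to know which extra headers their own hosting stack adds to every response, here is an added example (not code from the original post) that audits a response's headers against an allow-list. The allow-list, the category names and the sample response are assumptions constructed for illustration; the three custom header lines in the sample are the ones quoted above.

```python
from email.parser import Parser

# Headers this hypothetical site intends to send (assumption; adjust per site).
EXPECTED = {
    "date", "content-type", "content-length", "cache-control", "vary",
    "strict-transport-security", "content-security-policy",
}

# Name fragments taken from the headers quoted in the post, grouped by what they reveal.
CATEGORIES = {
    "recruiting/easter egg": ("hacker", "recruiting", "secret"),
    "stack or host detail": ("powered-by", "servernickname", "server"),
}

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Parse a raw HTTP response head (status line plus header lines)."""
    _status, _, header_block = raw.partition("\n")  # drop the status line
    msg = Parser().parsestr(header_block, headersonly=True)
    return [(name.lower(), value) for name, value in msg.items()]

def audit(raw: str, expected=EXPECTED) -> list[tuple[str, str, str]]:
    """Return (header, value, category) for every header not in the allow-list."""
    findings = []
    for name, value in parse_headers(raw):
        if name in expected:
            continue
        category = "unexpected"
        for label, fragments in CATEGORIES.items():
            if any(fragment in name for fragment in fragments):
                category = label
                break
        findings.append((name, value, category))
    return findings

# Constructed sample response, reusing header lines quoted in the post.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Cache-Control: max-age=300\r\n"
    "x-powered-by: Passion and tiny cute kittens\r\n"
    "x-servernickname: The Beast\r\n"
    "x-hacker: If you are reading this, maybe you should be working at bidorbuy instead\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, value, category in audit(SAMPLE):
        print(f"{category:22} {name}: {value}")
```

Feeding it the saved response head of your own site shows at a glance which headers come from the platform rather than from your configuration.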

Bonus

It seems that a good number of fascinating IT companies have extra HTTP headers, most of them containing job offers.

So, I thought it would be cool to add an extra header to this website as well!

Curious? Check it yourself!

Thanks for reading!

frenxi