The HTTP headers you don't expect
13 May 2020
A few days ago, I was poking around Creditkarma's blog and I noticed this HTTP header:
X-hacker: If you're reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.
My first thought was: "Wow, back in the day we had the Millennium Bug to save a few bits on a date, and now companies have entire job offers in an HTTP header!"
This made me very curious, so I did some research!
That specific header seems to be a "default" one if you host your site on WordPress VIP, the enterprise WordPress hosting solution managed by Automattic. You can find the same header on many famous websites like:
- many thousands more
Devs and website owners could disable it, but to be honest, I doubt they even know that header is in every HTTP response from their website. And of course, my second idea was to check if other companies have any sort of creative headers.
The results are surprising!
You can find more than one job offer in HTTP headers
Yes! The world's coolest companies seem to have job offers in this HTTP header:
Some examples are:
x-recruiting: If you are reading this, maybe you should be working at PayPal instead! Check out www.paypal.com/us/webapps/mpp/paypal-jobs
x-recruiting: Like HTTP headers? Come write ours: careers.booking.com
x-recruiting: Is code your craft? www.etsy.com/careers
x-recruiting: Seems you like http headers. To write ours, apply at job.otto.de and mention this header.
Want the complete list? I created a GitHub repo about it: https://github.com/francescocarlucci/job-offers-http-headers
Job offers aside, in my research I also found more creative things that got me excited, as I am a big fan of mysterious nonsense.
Mysterious HTTP headers
9kw.eu, a website that seems to distribute a captcha system, tells us that 42 is the secret message:
Istreetview.com is unmaintained, but they have a web form hidden in a header.
I submitted it...
Thetradersdomain.com has a hidden sauce in the headers, but it is confidential:
Images-dnxlive.com has some more "secret" links in one of its HTTP headers:
If you like luxury cars, jaguar.ro has a header to detect bots:
But it does not work very well: it fails if you spoof the user-agent (sorry Jaguar).
And yet... have you ever seen a server with a nickname? Here are a couple:
X-ServerNickName: The Internet
Last but not least, our friends at m.bidorbuy.co.ke show us all their passion in HTTP headers:
x-powered-by: Passion and tiny cute kittens
x-servernickname: The Beast
x-hacker: If you are reading this, maybe you should be working at bidorbuy instead
It seems that a good number of fascinating IT companies have extra HTTP headers, most of them containing job offers.
So, I thought it would be cool to add an extra header to this website as well!
Curious? Check it yourself!
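Since hosting platforms can add headers the site owner never configured, here is one way to list every response header that falls outside a baseline you expect. This is an added example, not code from the original post: the `EXPECTED` baseline, the `DISCLOSURE` grouping and the sample response are assumptions constructed for illustration, with the `x-*` values taken from the headers quoted above.

```python
import urllib.request

# Assumed baseline: headers this (hypothetical) site owner knowingly sends.
EXPECTED = {"content-type", "content-length", "cache-control", "date",
            "strict-transport-security", "vary"}
# Assumed grouping: headers that name the software or host behind the site.
DISCLOSURE = {"server", "x-powered-by", "x-servernickname"}

# Constructed sample response; the x-* values are the ones quoted in the post.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Cache-Control: max-age=300\r\n"
    "x-powered-by: Passion and tiny cute kittens\r\n"
    "x-servernickname: The Beast\r\n"
    "x-hacker: If you are reading this, maybe you should be working at bidorbuy instead\r\n"
    "x-clacks-overhead: GNU Terry Pratchett\r\n"
    "\r\n<html></html>"
)

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip():
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def fetch_headers(url):
    """HEAD request against a site you run; same output shape as parse_headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return [(k.lower(), v) for k, v in resp.getheaders()]

def audit(pairs, expected=EXPECTED):
    """Label every header outside the baseline."""
    report = []
    for name, value in pairs:
        if name in expected:
            continue
        kind = "disclosure" if name in DISCLOSURE else "unexpected"
        report.append((kind, name, value))
    return report

if __name__ == "__main__":
    for kind, name, value in audit(parse_headers(SAMPLE)):
        print(f"{kind:10} {name}: {value}")
```

To run it against a live site you operate, pass the output of `fetch_headers(url)` to `audit` instead of the parsed sample.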
Update on Aug 21, 2020
After this post went viral on Hacker News, many people reached out via email and Twitter to ask me to include one more header, in memory of Sir Terry Pratchett.
x-clacks-overhead: GNU Terry Pratchett
You can read more about this project here - xclacksoverhead.org - and find this header in many popular websites!
Thanks for reading!