The HTTP headers you don't expect

A few days ago, I was poking around Creditkarma's blog and I noticed this HTTP header:

X-hacker: If you're reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.

My first thought was: "Wow, back in the day we had the Millennium Bug to save a few bits on a date, and now companies have entire job offers in an HTTP header!"

This made me very curious, so I did some research!

That specific header seems to be a "default" one if you host your site on WordPress VIP, the enterprise WordPress hosting solution managed by Automattic. You can find the same header on many famous websites like:

Devs and website owners could disable it, but to be honest, I doubt they even know they have that header in every HTTP response from their website. And of course, my second idea was to check if other companies have any sort of creative headers.

The results are surprising!

You can find more than one job offer in HTTP headers

Yes! The world's coolest companies seem to have job offers in this HTTP header: x-recruiting.

Some examples are:

Paypal.me

x-recruiting: If you are reading this, maybe you should be working at PayPal instead! Check out www.paypal.com/us/webapps/mpp/paypal-jobs

Booking.com

x-recruiting: Like HTTP headers? Come write ours: careers.booking.com

Etsy.com

x-recruiting: Is code your craft? www.etsy.com/careers

Otto.de

x-recruiting: Seems you like http headers. To write ours, apply at job.otto.de and mention this header.

Want the complete list? I created a GitHub repo about it: https://github.com/francescocarlucci/job-offers-http-headers

Job offers aside, in my research I also found more creative things that got me excited, as I am a big fan of mysterious nonsense.

Mysterious HTTP headers

9kw.eu, a website that seems to distribute a captcha system, tells us that 42 is the secret message:

X-Secret-Message: 42

Istreetview.com is unmaintained, but they have a web form hidden in a header.

X-Secret-URL: https://appio.link/secret

I submitted it...

Thetradersdomain.com has a hidden sauce in the headers, but it is confidential:

x-secret-sauce: Confidential

Images-dnxlive.com has some more "secret" links in one of its HTTP headers:

X-Secret-Message: camscv.dnxnetwork.lu

If you like luxury cars, jaguar.ro has a header to detect bots:

X-Bot: false

But it does not work very well: it fails if you spoof the user-agent (sorry, Jaguar).

And yet... have you ever seen a server with a nickname? Here are a couple:

X-men.com

X-ServerNickName: clint

Howgoodisyourseo.com

X-ServerNickName: The Internet

Last but not least, our friends at m.bidorbuy.co.ke show us all their passion in HTTP headers:

x-powered-by: Passion and tiny cute kittens
x-servernickname: The Beast
x-hacker: If you are reading this, maybe you should be working at bidorbuy instead
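
For site owners who want to know which of the headers above their own responses carry, here is an added example (not from the original post): it parses a raw response head and flags every header that is outside a baseline. The EXPECTED baseline, the sample response and the X-Example-Debug header are assumptions made up for illustration.

```python
# Added example: the baseline and the sample response below are constructed.
# Headers this (hypothetical) site sets on purpose; adjust to your own baseline.
EXPECTED = {
    "date", "content-type", "content-length", "content-encoding",
    "cache-control", "etag", "last-modified", "vary", "set-cookie",
    "strict-transport-security", "content-security-policy",
    "x-content-type-options", "x-frame-options", "referrer-policy",
}

# Header names quoted in the post, with what each one tells a reader.
SEEN_IN_POST = {
    "x-hacker": "recruiting text; a hosting-platform default per the post",
    "x-recruiting": "recruiting text",
    "x-powered-by": "free-text platform banner",
    "x-servernickname": "server nickname",
    "x-secret-message": "novelty value",
    "x-secret-url": "link to an otherwise unlinked URL",
    "x-secret-sauce": "novelty value",
    "x-bot": "bot-detection verdict echoed to the client",
    "x-clacks-overhead": "memorial header",
}

def parse_head(raw):
    """Return [(lowercased name, value)] from a raw response head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:              # lines[0] is the status line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit(raw):
    """List (name, value, reason) for headers outside the expected baseline."""
    findings = []
    for name, value in parse_head(raw):
        if name in SEEN_IN_POST:
            findings.append((name, value, SEEN_IN_POST[name]))
        elif name not in EXPECTED:
            findings.append((name, value, "not in baseline; find what adds it"))
    return findings

SAMPLE = (  # constructed response head; header names taken from the post
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: max-age=300\r\n"
    "X-hacker: mention this header\r\nX-Powered-By: Passion and tiny cute kittens\r\n"
    "X-ServerNickName: The Beast\r\nX-Example-Debug: on\r\n\r\n<html>"
)
```

To audit a live response, pass audit() the output of curl -sI for your own site instead of SAMPLE.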

Update on Aug 21, 2020

After this post went viral on Hacker News, many people reached out via email and Twitter to ask me to include one more header, in memory of Sir Terry Pratchett.

x-clacks-overhead: GNU Terry Pratchett

You can read more about this project here - xclacksoverhead.org - and find this header on many popular websites!

Thanks for reading!

Francesco