blog.thomasorlita.com

HTTP header easter egg

I think HTTP headers are underappreciated and I like playing around with them.[1] And sometimes, I like to put tiny easter eggs in the websites I make.

In 2019, I configured my server to add an X-Secret-URL header to all HTTP responses. It contained a shortened URL to a Google Form where you could type a message.

Within the following six months, two people submitted the form. That is, until May 2020, when I woke up to over 200 new unread Google Forms response emails. Turns out someone posted an article about unexpected HTTP headers, which went viral on Hacker News.

A lot of people submitted the form, wanting to leave their mark on this corner of the internet: saying hi from their country, sending 42, or an NSFW message (it's an anonymous form on the internet, after all[2]). I thought it would be fun to include the list of responses in the body of the form itself, so people could see the previous responses.[3] It turned into a kind of weird public Google Forms message board.[4]

When people started submitting responses, I was wondering how many people were just clicking the link in the article versus actually inspecting the HTTP response headers themselves. I updated the live X-Secret-URL header value to a new secret URL pointing to a different form. Within the next few days, only 15 people submitted this new form, compared to over 400 responses in the first form, which was featured in the article.


  1. Another thing I did was to put an XSS payload in the Server header, which got triggered in a few different places (including an internal Google site). ↩︎

  2. I did remove the spam responses to keep it nice for everyone. ↩︎

  3. I kept copy-pasting the responses manually to include them in the form body, but I do appreciate all the XSS and SQLi payloads people submitted. ↩︎

  4. I particularly liked someone using @ to respond to a previous message. Also, someone copy-pasted the list of all previous responses as a response... ↩︎
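Two things in this post are worth seeing in code: spotting a non-standard header like X-Secret-URL in a response, and the lesson from footnote 1 that a header value such as Server is attacker-controlled input and must be escaped before any tool renders it as HTML. The following is an added example, not code from the original post or from the author's server. The raw response is constructed for the example, the URL in it is a placeholder rather than the one the post used, and the KNOWN_HEADERS set is an illustrative shortlist, not a complete registry.

```python
"""Added example (not from the original post): parse a raw HTTP response, list
the headers a reader would not expect, and contrast an unsafe HTML rendering of
header values with an escaped one.  All input below is constructed."""
import html
from typing import Dict, List

# Illustrative shortlist of headers one expects from an ordinary web server.
# Anything outside it is reported as "unexpected" (assumption: a short list is
# enough for the demo; a real tool would use the IANA registry).
KNOWN_HEADERS = {
    "content-type", "content-length", "date", "server", "connection",
    "cache-control", "etag", "last-modified", "vary", "set-cookie",
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "location", "transfer-encoding", "accept-ranges",
}

# Constructed response in the spirit of the post: a custom X-Secret-URL header
# (placeholder URL) plus a Server header carrying an HTML payload, as in footnote 1.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 02 May 2020 09:00:00 GMT\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: <script>alert(document.domain)</script>\r\n"
    b"X-Secret-URL: https://example.invalid/secret-form\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.x response into a lower-cased header map.
    Repeated headers (e.g. several Set-Cookie lines) are kept as a list."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    if not status_line.startswith(b"HTTP/"):
        raise ValueError("not an HTTP/1.x response")
    headers: Dict[str, List[str]] = {}
    for line in header_block.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        # Header bytes are decoded as latin-1 so nothing is lost or rejected.
        key = name.decode("latin-1").strip().lower()
        headers.setdefault(key, []).append(value.decode("latin-1").strip())
    return headers


def unexpected_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Header names that are not in the expected set, sorted for stable output."""
    return sorted(name for name in headers if name not in KNOWN_HEADERS)


def unsafe_render(headers: Dict[str, List[str]]) -> str:
    """The vulnerable pattern: header values pasted into HTML verbatim.
    A Server header like the one above executes in whoever views this page."""
    rows = [f"<tr><td>{n}</td><td>{v}</td></tr>"
            for n, values in sorted(headers.items()) for v in values]
    return "<table>" + "".join(rows) + "</table>"


def safe_render(headers: Dict[str, List[str]]) -> str:
    """The hardened counterpart: every name and value is HTML-escaped, so the
    payload is displayed as text instead of being executed."""
    rows = [f"<tr><td>{html.escape(n)}</td><td>{html.escape(v)}</td></tr>"
            for n, values in sorted(headers.items()) for v in values]
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_RESPONSE)
    print("unexpected headers:", unexpected_headers(parsed))
    print("unsafe:", unsafe_render(parsed))
    print("safe:  ", safe_render(parsed))
```

Running it against the constructed response reports x-secret-url as the only unexpected header, and the two renderers show the difference a single `html.escape` makes when a dashboard displays the Server header of a site it did not write.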