← Back to Topics

HTTP Headers

The cluster focuses on discussions about HTTP headers, including their use in requests and responses, browser and proxy behaviors, custom implementations, limitations, and security implications like referer policies and HSTS.

➡️ Stable 0.6x Web Development
2,924
Comments
20
Years Active
5
Top Authors
#2597
Topic ID

Activity Over Time

2007
3
2008
18
2009
39
2010
78
2011
98
2012
183
2013
159
2014
180
2015
154
2016
139
2017
177
2018
161
2019
181
2020
198
2021
261
2022
243
2023
188
2024
225
2025
210
2026
29

Top Contributors

tyingq (12) MichaelGG (11) tptacek (10) chrismorgan (10) 1vuio0pswjnm7 (10)

Keywords

e.g PHP proxy.conf CloudFront HEAD RequestHeader HTTPS GET sse.conf google.com headers header http request proxies proxy https client 400 conf

Sample Comments

easrng Nov 3, 2022 View on HN

That's only if you have headers outside a default-allowed list set.

antigirl May 15, 2020 View on HN

x-hack: Like HTTP headers? Check this blog post https://frenxi.com/http-headers-you-dont-expect/

rank0 Jan 25, 2021 View on HN

I can't tell if you're joking or not but this clearly already exists via HTTP headers.

rank0 Mar 5, 2021 View on HN

I don't understand. A browser could choose to include or not include the header in question.

jakebasile May 2, 2024 View on HN

Ah yeah, that's just the HTTP headers, not the HTML head. Whoops!

denton-scratch Aug 1, 2023 View on HN

I see no amusing request headers. I guess Cloudflare dropped them.

twapi Jul 11, 2025 View on HN

Seems like they are using these headers only for google.com requests.

mholt Mar 30, 2023 View on HN

Aside from technical limitations of HTTP headers, why do you need a header-based solution?

Ndymium Feb 4, 2020 View on HN

Checked that Vivaldi doesn't seem to be sending this header.

homakov May 18, 2013 View on HN

further more: this is one and the only proper protection.Referer: not reliable, proxies omit it Origin: not supported yet Additional header: could be tricked with Flash vuln