hacktricks/pentesting/pentesting-web/special-http-headers.md

# Special HTTP headers

## Wordlists

* [https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/web/http-request-headers](https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/web/http-request-headers)

## Headers to Change Location

Rewrite **IP source**:

* `X-Originating-IP: 127.0.0.1` 
* `X-Forwarded-For: 127.0.0.1`
* `X-Forwarded:  127.0.0.1`
* `Forwarded-For: 127.0.0.1`
* `X-Remote-IP: 127.0.0.1` 
* `X-Remote-Addr: 127.0.0.1`
* `X-ProxyUser-Ip: 127.0.0.1`
* `X-Original-URL: 127.0.0.1`
* `Client-IP: 127.0.0.1`
* `True-Client-IP: 127.0.0.1`
* `Cluster-Client-IP: 127.0.0.1`
* `X-ProxyUser-Ip: 127.0.0.1`
* `Via: 1.0 fred, 1.1 127.0.0.1`
* `Connection: close, X-Forwarded-For` \(Check hop-by-hop headers\)

Rewrite **location**:

* `X-Original-URL: /admin/console`
* `X-Rewrite-URL: /admin/console`

## Hop-by-Hop headers

A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header.

* `Connection: close, X-Forwarded-For`

{% page-ref page="../../pentesting-web/abusing-hop-by-hop-headers.md" %}

## HTTP Request Smuggling

* `Content-Length: 30`
* `Transfer-Encoding: chunked`

{% page-ref page="../../pentesting-web/http-request-smuggling.md" %}

## Cache Headers

**Server Cache Headers**:

* **`X-Cache`** in the response may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached
* **`Cache-Control`** indicates if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800`
*  **`Vary`** is often used in the response to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed.
* **`Age`** defines the times in seconds the object has been in the proxy cache.

{% page-ref page="../../pentesting-web/cache-deception.md" %}

**Local Cache headers**:

* `Clear-Site-Data`: Header to indicate the cache that should be removed: `Clear-Site-Data: "cache", "cookies"`
* `Expires`: Contains date/time when the response should expire: `Expires: Wed, 21 Oct 2015 07:28:00 GMT`
* `Pragma: no-cache` same as `Cache-Control: no-cache`
* `Warning`: The **`Warning`** general HTTP header contains information about possible problems with the status of the message. More than one `Warning` header may appear in a response. `Warning: 110 anderson/1.3.37 "Response is stale"`

## Conditionals

* Requests using these headers: **`If-Modified-Since`** and **`If-Unmodified-Since`** will be responded with data only if the response header**`Last-Modified`** contains a different time.
* Conditional requests using **`If-Match`** and **`If-None-Match`** use an Etag value so the web server will send the content of the response if the data \(Etag\) has changed. The `Etag` is taken from the HTTP response.
  * The **Etag** value is usually **calculated based** on the **content** of the response. For example, `ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI"` indicates that the `Etag` is the **Sha1** of **37 bytes**.

## Range requests

* **`Accept-Ranges`**: Indicates if the server supports range requests, and if so in which unit the range can be expressed. `Accept-Ranges: <range-unit>`
* **`Range`**: Indicates the part of a document that the server should return.
* **`If-Range`**: Creates a conditional range request that is only fulfilled if the given etag or date matches the remote resource. Used to prevent downloading two ranges from incompatible version of the resource.
* **`Content-Range`**: Indicates where in a full body message a partial message belongs.

## Message body information

* **`Content-Length`:** The size of the resource, in decimal number of bytes.
* **`Content-Type`**: Indicates the media type of the resource
* **`Content-Encoding`**: Used to specify the compression algorithm.
* **`Content-Language`**: Describes the human language\(s\) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language.
* **`Content-Location`**: Indicates an alternate location for the returned data.

From a pentest point of view this information is usually "useless", but if the resource is **protected** by a 401 or 403 and you can find some **way** to **get** this **info**, this could be **interesting.**   
For example a combination of **`Range`** and **`Etag`** in a HEAD request can leak the content of the page via HEAD requests:

* A request with the header `Range: bytes=20-20` and with a response containing `ETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y"` is leaking that the SHA1 of the byte 20 is `ETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y`

## Server Info

* `Server: Apache/2.4.1 (Unix)`
* `X-Powered-By: PHP/5.3.3`

## Controls

* **`Allow`:** Lists the set of methods supported by a resource. `Allow: GET, POST, HEAD`
* **`Expect`**: The **`Expect`** HTTP request header indicates expectations that need to be fulfilled by the server in order to properly handle the request.
  * No other expectations except `Expect: 100-continue` are specified currently.  Informs recipients that the client is about to send a \(presumably large\) message body in this request and wishes to receive a [`100`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/100) \(Continue\) interim response.

## Downloads

* **`Content-Disposition`**:  In a regular HTTP response, the **`Content-Disposition`** response header is a header indicating if the content is expected to be displayed _inline_ in the browser, that is, as a Web page or as part of a Web page, or as an _attachment_, that is downloaded and saved locally.
  * `Content-Disposition: attachment; filename="filename.jpg"`

## Resources

* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)