
I know HTTP header order is not significant (or at least, should not be) for web servers handling requests. However, I'm wondering how likely it is for servers (especially reverse proxies or CDNs) to check header positions in order to legitimize a request.

Let me explain. When I make a simple HTTP request with Firefox, these are my headers:

GET / HTTP/1.1
Host: stackoverflow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: yummy=yes_they_are
Connection: keep-alive
Cache-Control: max-age=0

With Chrome:

GET / HTTP/1.1
Host: stackoverflow.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Cookie: yummy=yes_they_are

Not exactly the same, right? Then, if I change the user agent to Firefox:

GET / HTTP/1.1
Host: stackoverflow.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Cookie: yummy=yes_they_are

Because the header positions don't match Firefox's "header position habits", servers can tell something fishy is going on (the user might be using a Chrome extension to spoof their user agent).

Do some HTTP servers actually check that sort of thing? At least, is it likely they do (CloudFront and whatnot)? Or is it something I should not bother with at all? And if I should, where could I find an exhaustive header order list for the main browsers?

Gui-Don
  • I do not know of any server caring about header ordering. If the connection is in plain text, proxies may change the header order, making this detection method unreliable. There are many better options to check if the User-Agent is really what it claims to be. – Pyfisch Jun 30 '15 at 18:06
  • @Pyfisch By "better options", you mean with JavaScript? Aside from JavaScript, what are those better options? – Gui-Don Jul 01 '15 at 09:15
  • Yes mainly JavaScript but also the header values. For example the Accept header. You don't want webp in Firefox but Chrome always sends it. – Pyfisch Jul 03 '15 at 16:33
  • Better options might be IP address. The server has established a TCP connection with the browser, so it knows, for this request, that it is talking to A.B.C.D. It can zip that up in a cookie or save it against username or put it in a JWT, and then compare to the next request for the same user. It can add in user agent and then you have a signature like "Brian on ABCD using Firefox", which is only going to be subverted if another Firefox tab nicks the data. Which can happen. – Steve Hibbert Aug 04 '17 at 07:55

1 Answer


In general, order does not (and should not) matter.

But based on this answer, there are exceptions. So, to answer the question: yes, servers (like Incapsula) can use HTTP header order to catch a browser signature.

Gui-Don
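As an added example (not code from the question, the answer, or any vendor such as Incapsula or CloudFront), here is the kind of check the thread is talking about, written in Python: it parses a raw request, records the order in which header names appear, compares that order against a per-browser profile, and also applies the value-level check from the comments (Chrome advertising image/webp in Accept, Firefox of that era not). The three requests are the captures shown in the question; the two order profiles are assumptions derived from those captures alone, not an exhaustive list for real browsers, which change header order between versions.

```python
"""Browser-fingerprint consistency check on HTTP header order and values.

Added example for this thread. Order profiles are assumptions taken from the
two 2015 captures in the question; real deployments need per-version profiles.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample requests, reproduced from the captures in the question.
FIREFOX_REQUEST = "\r\n".join([
    "GET / HTTP/1.1",
    "Host: stackoverflow.com",
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Encoding: gzip, deflate",
    "DNT: 1",
    "Cookie: yummy=yes_they_are",
    "Connection: keep-alive",
    "Cache-Control: max-age=0",
    "", "",
])

CHROME_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36")
CHROME_REQUEST = "\r\n".join([
    "GET / HTTP/1.1",
    "Host: stackoverflow.com",
    "Connection: keep-alive",
    "Cache-Control: max-age=0",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "User-Agent: " + CHROME_UA,
    "DNT: 1",
    "Accept-Encoding: gzip, deflate, sdch",
    "Cookie: yummy=yes_they_are",
    "", "",
])

# Chrome with a spoofed Firefox User-Agent: only the UA value differs.
SPOOFED_REQUEST = CHROME_REQUEST.replace(
    CHROME_UA, "Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0")

# Assumed emission order per browser (lowercase names), from the two captures above.
ORDER_PROFILES: Dict[str, List[str]] = {
    "Firefox": ["host", "user-agent", "accept", "accept-encoding", "dnt",
                "cookie", "connection", "cache-control"],
    "Chrome": ["host", "connection", "cache-control", "accept", "user-agent",
               "dnt", "accept-encoding", "cookie"],
}


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in wire order. Names are lowercased because
    header names are case-insensitive; only their position is compared."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def claimed_browser(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Browser family the User-Agent claims, or None if unrecognised."""
    ua = dict(headers).get("user-agent", "")
    if re.search(r"\bFirefox/\d", ua):
        return "Firefox"
    if re.search(r"\bChrome/\d", ua):
        return "Chrome"
    return None


def order_matches(headers: List[Tuple[str, str]], profile: List[str]) -> bool:
    """True if the profile headers present occur in the profile's order.
    Absent headers (e.g. no Cookie on a first visit) are tolerated."""
    seen = [name for name, _ in headers if name in profile]
    expected = [name for name in profile if name in seen]
    return seen == expected


def accept_consistent(browser: str, headers: List[Tuple[str, str]]) -> bool:
    """Value-level check from the comments: in these captures Chrome sends
    image/webp in Accept and Firefox does not. Tied to the 2015 versions."""
    has_webp = "image/webp" in dict(headers).get("accept", "")
    return has_webp if browser == "Chrome" else not has_webp


def classify(raw: str) -> Dict[str, object]:
    """Flag a request whose header order or Accept value contradicts its UA.
    Header order is a soft signal: plaintext proxies may reorder headers (as a
    commenter notes), so on its own it should raise a score, not block."""
    headers = parse_headers(raw)
    browser = claimed_browser(headers)
    if browser is None:
        return {"claimed": None, "order_ok": None, "accept_ok": None, "suspicious": False}
    order_ok = order_matches(headers, ORDER_PROFILES[browser])
    accept_ok = accept_consistent(browser, headers)
    return {"claimed": browser, "order_ok": order_ok, "accept_ok": accept_ok,
            "suspicious": not (order_ok and accept_ok)}


if __name__ == "__main__":
    for label, req in [("firefox", FIREFOX_REQUEST), ("chrome", CHROME_REQUEST),
                       ("spoofed", SPOOFED_REQUEST)]:
        print(label, classify(req))
```

Run as-is, the genuine Firefox and Chrome captures pass both checks, while the spoofed request is flagged on both counts: its header order is Chrome's, and its Accept header still advertises image/webp despite the Firefox User-Agent.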