hacktricks/src/network-services-pentesting/pentesting-web/special-http-headers.md

# Special HTTP headers

{{#include ../../banners/hacktricks-training.md}}

## Wordlists & Tools

- [https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/Web/http-request-headers](https://github.com/danielmiessler/SecLists/tree/master/Miscellaneous/Web/http-request-headers)
- [https://github.com/rfc-st/humble](https://github.com/rfc-st/humble)

## Headers to Change Location

Rewrite **IP source**:

- `X-Originating-IP: 127.0.0.1`
- `X-Forwarded-For: 127.0.0.1`
- `X-Forwarded: 127.0.0.1`
- `Forwarded-For: 127.0.0.1`
- `X-Forwarded-Host: 127.0.0.1`
- `X-Remote-IP: 127.0.0.1`
- `X-Remote-Addr: 127.0.0.1`
- `X-ProxyUser-Ip: 127.0.0.1`
- `X-Original-URL: 127.0.0.1`
- `Client-IP: 127.0.0.1`
- `X-Client-IP: 127.0.0.1`
- `X-Host: 127.0.0.1`
- `True-Client-IP: 127.0.0.1`
- `Cluster-Client-IP: 127.0.0.1`
- `Via: 1.0 fred, 1.1 127.0.0.1`
- `Connection: close, X-Forwarded-For` (Check hop-by-hop headers)

Rewrite **location**:

- `X-Original-URL: /admin/console`
- `X-Rewrite-URL: /admin/console`

## Hop-by-Hop headers

A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header.

- `Connection: close, X-Forwarded-For`

{{#ref}}
../../pentesting-web/abusing-hop-by-hop-headers.md
{{#endref}}

## HTTP Request Smuggling

- `Content-Length: 30`
- `Transfer-Encoding: chunked`

{{#ref}}
../../pentesting-web/http-request-smuggling/
{{#endref}}

## Cache Headers

**Server Cache Headers**:

- **`X-Cache`** in the response may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached
- Similar behaviour in the header **`Cf-Cache-Status`**
- **`Cache-Control`** indicates if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800`
- **`Vary`** is often used in the response to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed.
- **`Age`** defines the times in seconds the object has been in the proxy cache.
- **`Server-Timing: cdn-cache; desc=HIT`** also indicates that a resource was cached

{{#ref}}
../../pentesting-web/cache-deception/
{{#endref}}

**Local Cache headers**:

- `Clear-Site-Data`: Header to indicate the cache that should be removed: `Clear-Site-Data: "cache", "cookies"`
- `Expires`: Contains date/time when the response should expire: `Expires: Wed, 21 Oct 2015 07:28:00 GMT`
- `Pragma: no-cache` same as `Cache-Control: no-cache`
- `Warning`: The **`Warning`** general HTTP header contains information about possible problems with the status of the message. More than one `Warning` header may appear in a response. `Warning: 110 anderson/1.3.37 "Response is stale"`

## Conditionals

- Requests using these headers: **`If-Modified-Since`** and **`If-Unmodified-Since`** will be responded with data only if the response header**`Last-Modified`** contains a different time.
- Conditional requests using **`If-Match`** and **`If-None-Match`** use an Etag value so the web server will send the content of the response if the data (Etag) has changed. The `Etag` is taken from the HTTP response.
- The **Etag** value is usually **calculated based** on the **content** of the response. For example, `ETag: W/"37-eL2g8DEyqntYlaLp5XLInBWsjWI"` indicates that the `Etag` is the **Sha1** of **37 bytes**.

## Range requests

- **`Accept-Ranges`**: Indicates if the server supports range requests, and if so in which unit the range can be expressed. `Accept-Ranges: <range-unit>`
- **`Range`**: Indicates the part of a document that the server should return. For example, `Range:80-100` will return the bytes 80 to 100 of the original response with a status code of 206 Partial Content. Also remember to remove the `Accept-Encoding` header from the request.
- This could be useful to get a response with arbitrary reflected javascript code that otherwise could be escaped. But to abuse this you would need to inject this headers in the request.
- **`If-Range`**: Creates a conditional range request that is only fulfilled if the given etag or date matches the remote resource. Used to prevent downloading two ranges from incompatible version of the resource.
- **`Content-Range`**: Indicates where in a full body message a partial message belongs.

## Message body information

- **`Content-Length`:** Ukubwa wa rasilimali, katika nambari ya desimali ya bytes.
- **`Content-Type`**: Inaonyesha aina ya media ya rasilimali
- **`Content-Encoding`**: Inatumika kubainisha algorithm ya compression.
- **`Content-Language`**: Inaelezea lugha za kibinadamu zinazokusudiwa kwa hadhira, ili kuruhusu mtumiaji kutofautisha kulingana na lugha anayoipendelea.
- **`Content-Location`**: Inaonyesha mahali mbadala kwa data iliyorejeshwa.

From a pentest point of view this information is usually "useless", but if the resource is **protected** by a 401 or 403 and you can find some **way** to **get** this **info**, this could be **interesting.**\
For example a combination of **`Range`** and **`Etag`** in a HEAD request can leak the content of the page via HEAD requests:

- A request with the header `Range: bytes=20-20` and with a response containing `ETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y"` is leaking that the SHA1 of the byte 20 is `ETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y`

## Server Info

- `Server: Apache/2.4.1 (Unix)`
- `X-Powered-By: PHP/5.3.3`

## Controls

- **`Allow`**: Header hii inatumika kuwasiliana mbinu za HTTP ambazo rasilimali inaweza kushughulikia. Kwa mfano, inaweza kuainishwa kama `Allow: GET, POST, HEAD`, ikionyesha kwamba rasilimali inasaidia mbinu hizi.
- **`Expect`**: Inatumika na mteja kuwasilisha matarajio ambayo seva inahitaji kutimiza ili ombi lilipwe kwa mafanikio. Matumizi ya kawaida yanahusisha kichwa cha `Expect: 100-continue`, ambacho kinadhihirisha kwamba mteja anatarajia kutuma mzigo mkubwa wa data. Mteja anatazamia jibu la `100 (Continue)` kabla ya kuendelea na uhamasishaji. Mekanism hii inasaidia kuboresha matumizi ya mtandao kwa kusubiri uthibitisho wa seva.

## Downloads

- The **`Content-Disposition`** header in HTTP responses directs whether a file should be displayed **inline** (within the webpage) or treated as an **attachment** (downloaded). For instance:
```
Content-Disposition: attachment; filename="filename.jpg"
```
Hii inamaanisha faili iliyo na jina "filename.jpg" inakusudiwa kupakuliwa na kuhifadhiwa.

## Vichwa vya Usalama

### Sera ya Usalama wa Maudhui (CSP) <a href="#csp" id="csp"></a>

{{#ref}}
../../pentesting-web/content-security-policy-csp-bypass/
{{#endref}}

### **Aina Zinazotolewa**

Kwa kutekeleza Aina Zinazotolewa kupitia CSP, programu zinaweza kulindwa dhidi ya mashambulizi ya DOM XSS. Aina Zinazotolewa zinahakikisha kwamba ni vitu vilivyoundwa kwa usahihi tu, vinavyokubaliana na sera za usalama zilizowekwa, vinaweza kutumika katika wito hatari wa API za wavuti, hivyo kulinda msimbo wa JavaScript kwa default.
```javascript
// Feature detection
if (window.trustedTypes && trustedTypes.createPolicy) {
// Name and create a policy
const policy = trustedTypes.createPolicy('escapePolicy', {
createHTML: str => str.replace(/\</g, '&lt;').replace(/>/g, '&gt;');
});
}
```

```javascript
// Assignment of raw strings is blocked, ensuring safety.
el.innerHTML = "some string" // Throws an exception.
const escaped = policy.createHTML("<img src=x onerror=alert(1)>")
el.innerHTML = escaped // Results in safe assignment.
```
### **X-Content-Type-Options**

Kichwa hiki kinazuia upimaji wa aina ya MIME, mbinu ambayo inaweza kusababisha udhaifu wa XSS. Kinahakikisha kwamba vivinjari vinaheshimu aina za MIME zilizotajwa na seva.
```
X-Content-Type-Options: nosniff
```
### **X-Frame-Options**

Ili kupambana na clickjacking, kichwa hiki kinapunguza jinsi hati zinaweza kuingizwa katika `<frame>`, `<iframe>`, `<embed>`, au `<object>` vitambulisho, kikipendekeza hati zote kufafanua ruhusa zao za kuingizwa waziwazi.
```
X-Frame-Options: DENY
```
### **Cross-Origin Resource Policy (CORP) and Cross-Origin Resource Sharing (CORS)**

CORP ni muhimu kwa kubaini ni rasilimali zipi zinaweza kupakuliwa na tovuti, ikipunguza uvujaji wa taarifa kati ya tovuti. CORS, kwa upande mwingine, inaruhusu mfumo wa kubadilishana rasilimali za asili tofauti kwa njia ya kubadilika zaidi, ikirelax sera ya asili sawa chini ya hali fulani.
```
Cross-Origin-Resource-Policy: same-origin
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Credentials: true
```
### **Cross-Origin Embedder Policy (COEP) and Cross-Origin Opener Policy (COOP)**

COEP na COOP ni muhimu kwa kuwezesha kutengwa kwa mipaka ya asili, kupunguza kwa kiasi kikubwa hatari ya mashambulizi kama ya Spectre. Wanadhibiti upakiaji wa rasilimali za mipaka tofauti na mwingiliano na madirisha ya mipaka tofauti, mtawalia.
```
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin-allow-popups
```
### **HTTP Strict Transport Security (HSTS)**

Mwisho, HSTS ni kipengele cha usalama ambacho kinawalazimisha vivinjari kuwasiliana na seva tu kupitia muunganisho salama wa HTTPS, hivyo kuboresha faragha na usalama.
```
Strict-Transport-Security: max-age=3153600
```
## Header Name Casing Bypass

HTTP/1.1 inafafanua majina ya uwanja wa kichwa kama **hayana tofauti ya herufi** (RFC 9110 §5.1). Hata hivyo, ni kawaida sana kukutana na middleware maalum, filters za usalama, au mantiki ya biashara ambayo inalinganisha *jina halisi* la kichwa kilichopokelewa bila kulinganisha herufi kwanza (kwa mfano, `header.equals("CamelExecCommandExecutable")`). Ikiwa ukaguzi huo unafanywa **kwa kuzingatia herufi**, mshambuliaji anaweza kuupita kwa kutuma kichwa hicho hicho na uandishi tofauti wa herufi.

Mifano ya kawaida ambapo makosa haya yanaonekana:

* Orodha maalum za ruhusa/zuio ambazo zinajaribu kuzuia vichwa vya ndani "hatari" kabla ombi halijafikia kipengele nyeti.
* Utekelezaji wa ndani wa pseudo-vichwa vya reverse-proxy (kwa mfano, usafi wa `X-Forwarded-For`).
* Mifumo ambayo inafichua mwisho wa usimamizi / upelelezi na inategemea majina ya vichwa kwa uthibitishaji au uchaguzi wa amri.

### Abusing the bypass

1. Tambua kichwa ambacho kinachujwa au kuthibitishwa upande wa seva (kwa mfano, kwa kusoma msimbo wa chanzo, nyaraka, au ujumbe wa makosa).
2. Tuma **kichwa hicho hicho na uandishi tofauti wa herufi** (herufi mchanganyiko au herufi kubwa). Kwa sababu HTTP stacks kawaida hufanya kanuni vichwa tu *baada* ya msimbo wa mtumiaji kukimbia, ukaguzi unaoweza kuathiriwa unaweza kupuuziliwa mbali.
3. Ikiwa kipengele cha chini kinachukulia vichwa kwa njia isiyo na tofauti ya herufi (zaidi ya wengi hufanya hivyo), kitakubali thamani inayodhibitiwa na mshambuliaji.

### Example: Apache Camel `exec` RCE (CVE-2025-27636)

Katika toleo hatarishi la Apache Camel, njia za *Command Center* zinajaribu kuzuia maombi yasiyoaminika kwa kuondoa vichwa `CamelExecCommandExecutable` na `CamelExecCommandArgs`. Ulinganisho ulifanywa kwa `equals()` hivyo majina ya herufi ndogo pekee ndiyo yaliyoondolewa.
```bash
# Bypass the filter by using mixed-case header names and execute `ls /` on the host
curl "http://<IP>/command-center" \
-H "CAmelExecCommandExecutable: ls" \
-H "CAmelExecCommandArgs: /"
```
Vichwa vinawafikia kipengele cha `exec` bila kuchujwa, na kusababisha utekelezaji wa amri za mbali kwa haki za mchakato wa Camel.

### Ugunduzi & Kupunguza

* Sanitize majina yote ya vichwa kuwa katika hali moja (kawaida herufi ndogo) **kabla** ya kufanya kulinganisha kuruhusu/kukataa.
* Kata duplicates za kutatanisha: ikiwa `Header:` na `HeAdEr:` zote zipo, itendee kama anomali.
* Tumia orodha ya kuruhusiwa chanya inayotekelezwa **baada** ya canonicalisation.
* Linda mwisho wa usimamizi kwa uthibitisho na segmentation ya mtandao.


## Marejeleo

- [CVE-2025-27636 – RCE in Apache Camel via header casing bypass (OffSec blog)](https://www.offsec.com/blog/cve-2025-27636/)
- [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition)
- [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)
- [https://web.dev/security-headers/](https://web.dev/security-headers/)
- [https://web.dev/articles/security-headers](https://web.dev/articles/security-headers)

{{#include ../../banners/hacktricks-training.md}}