177 comments

[ 5.5 ms ] story [ 324 ms ] thread
Nice write-up with some interesting findings! I might have to start poking around headers more often...
Another good one is when teams print console messages in the browser. Poke around on a few systems and youll see hiring messages there too.
Even some electron apps have this. Discord is one I can think of off the top of my head.
It's very common to find recruiting messages in browser dev console, for Chinese companies, e.g.,

- https://www.baidu.com/

- https://www.zhihu.com/

- https://www.douban.com/

- https://www.jd.com/

...

I see this in a lot of websites i visit. I usually inspect them just out of curiosity.

Some of them get pretty clever, like a hidden element that says something funny

The funniest thing I saw, is I was looking at an API from a top-tier tech company and the person who wrote the software had message in it containing words of frustration. Like swear words.

But, the weirdest thing I usually see is how the flagship of some top tech company can't make their website responsive when all you have to do is change a few of lines of code.

Or when they upgrade their UI/UX and they just broke a lot of features.

How did you find quirky headers on other websites? Did you use a script?

  $ curl -s -o /dev/null -D - https://frenxi.com/http-headers-you-dont-expect/
    HTTP/1.1 200 OK
  Content-Type: text/html
  Content-Length: 47608
  Connection: keep-alive
  Last-Modified: Fri, 15 May 2020 01:35:43 GMT
  x-amz-server-side-encryption: AES256
  Accept-Ranges: bytes
  Server: AmazonS3
  Via: 1.1 ddaf46a95abcfc80e8eae76235e2127c.cloudfront.net (CloudFront), 1.1 37d64bca4c93552139fb3a85c9c4a119.cloudfront.net (CloudFront)
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  X-hack: Like HTTP headers? Check this blog post https://frenxi.com/http-headers-you-dont-expect/
  X-Amz-Cf-Pop: SEA19-C2
  Date: Fri, 15 May 2020 04:48:24 GMT
  ETag: "194d54c969aad10b9c74ca6d591ae3e7"
  Cache-Control: public, must-revalidate, max-age=0
  Vary: Accept-Encoding
  X-Cache: RefreshHit from cloudfront
  X-Amz-Cf-Pop: SFO20-C1
  X-Amz-Cf-Id: J_OaNOGn_a8oZRQzKfe9spXbuDp-V-zhmlX1tQJSLNM1BD4EFTYERg==

  curl -I https://frenxi.com/http-headers-you-dont-expect/
also works for this.
Sends a HEAD request instead of a GET, and the output goes to STDERR, so I prefer the parent's suggestion.

  curl -IXGET https://frenxi.com/http-headers-you-dont-expect/
then. All three pop out on STDOUT & this one is shorter with less to remember.
Yep, better. -sIXGET omits the progress bar stuff.
Slashdot.org used to have a random Futurama quote and Reddit.com used to contain '; DROP TABLE servertypes; --
I haven't seen any of these yet, but ironically, working for the company is probably the last thing on my mind if I'm looking at HTTP headers from a site since I usually do that when I must use it for some reason and need to figure out why it's not working or how to more easily access it (it is often a SPA which shouldn't be, or otherwise something designed with "Chrome is the only browser you should use" mentality.)
That is probably because you are occasionally looking at the headers using browser developer tools, but it’s a whole different experience when you are running something like Snort or Wireshark.
Personally, I prefer MITMProxy the most, because of bonus effect; if not lazy then you can automate web life.
(comment deleted)
I remember several years ago when I still had a Reddit account I found internship opportunity advertisements in web socket payloads. I asked about that on the reddit channel on Freenode, I think, and was politely told to not mention it on r/JavaScript.
>>That specific header seems to be a "default" one if you host your site on WordPress VIP, the enterprise WordPress hosting solution managed by Automattic.

Now thats terabytes of data moving around :)

(comment deleted)
I saw this in a response from Crackle's CDN. Nothanks
Airbnb used to have a header X-Hi-Airbnb with a hiring manager's email a while ago. I imagine they got rid of it because of the volume of emails.
Quizlet.com has a huge message in their console about directing you to their jobs page.
It's pretty clever advertising really. I don't imagine that having noticed an HTTP header would really give an applicant much of a boost in the interview process, but to some it probably feels like finding a ticket to Willy Wonka's factory and may motivate them to apply in the first place.
They always just tell you to apply through the normal process.
Most systems I work on, I find a way to put a fun X-header into the server. Favorite so far was: `X-MrSkeltal: thank`
Just telling people to apply to domain.com/jobs is pretty lame. So, basically the same door that anyone else goes through when they click the "Careers" link in your site's footer?

Reminds me of when I solved one of the CTF challenges for a website only for my reward to be "We're hiring! Apply at jobs.example.com!"

Real "be sure to drink your Ovaltine" moment.

Google Foobar does it right and lets you skip to actually be considered, which is nice.
Has Google even bothered with Foobar for like past 2-3 years? It appears so frequently on non-incognito searches that surely every developer must have seen it by now.
I've never seen it, I assume it's just a US thing
I've never seen it, but other people in my (non-US) country claim to have seen it. I always assumed it was either my taste in porn or the fact that I'm usually logged out and regularly clear tracking cookies.
I've never got it and I've been googling programming stuff for almost a decade now.

However, maybe I'm remembering wrong, but a few years ago I was reading an article about it and someone showed a search term that brought it up for them and I tried that term and got it. Dont remember what the search term was, but I think it was something related to one of the popular leetcode-esque algorithms I've never had to do in my hobbyist or professional work.

I’ve never seen it on any of my searches. I got sent a link…
Can't say I've seen it. Guess Google isn't hiring in my country.
FooBar is still being considered. I solved some problems few months ago and was contacted by their recruiter one month after that, they did mention FooBar as the main signal.
I've never seen it, but I assume they only target people in the US.
I’ve never seen it, live in the US, and I google developer things all the time. Maybe it’s because I work in Ruby and not one of the more googley languages?
I've had it hit me twice over the years.
> Just telling people to apply to domain.com/jobs is pretty lame. So, basically the same door that anyone else goes through when they click the "Careers" link in your site's footer? Reminds me of when I solved one of the CTF challenges for a website only for my reward to be "We're hiring! Apply at jobs.example.com!"

That reminds me of MI5’s Coding Challenge [1][2][3].

[1] https://cixtor.com/blog/mi5-coding-challenge

[2] https://www.mi5.gov.uk/careers/opportunities/coding-challeng...

[3] https://www.mi5.gov.uk/sites/default/files/styles/puzzal_ima...

One of the defence agencies in Australia made a puzzle quite a long time ago; I can't find it now. It was a bunch of hex in a banner advert; the hex was actually x86 assembly, which if 'run' would write a string into memory.

The string was just the URL of their recruitment portal. I was so disappointed, once I got it running I was hoping to hear helicopters or a knock on the door!

>I was so disappointed, once I got it running I was hoping to hear helicopters or a knock on the door!

They probably need a lot of people with some tech knowledge. This way they can probably gain the widest audience that is still useful.

If it's too hard to crack, it's unlikely your investment of time in this recruitment measure will actually yield results.

The point is that if you crack it, they should send you to some unique link. Even if it's not super hard, it at least proved some level of technical competency and do should allow you to prioritised interview access (maybe at least skipping initial screening).
I assume the solutions to these can be found publicly pretty quickly. So your secret bypass first filter loses utility after the first couple of people.
The person that knows how to Google for solutions may be the right person for the job.
The reason you put this riddles online is to get to know people who love this kind of challenge. This is still the case if the solutions are available online, even though I would include a plead into my job ad not to post solutions online for fairness with respect to other potential applicants who mananged to solve the riddle.

When in a job interview, it should be very easy to find out whether the person found the solution online or he "cheated"; simple ask some detailed questions how the person came up with this and that part of the approach.

Perhaps filtering out the people who can neither solve it nor Google it is enough of a filter by itself. Not suggesting it should bypass more than initial screening, naturally.
It works in reverse - you probably wouldn't want to work in such an environment with frustrating practices towards developers.
A valid stance. Incidentally, that's why I've never had any interest in working at a certain couple of FAANG companies.
What frustrating practices? I'm a developer (and mathematician), and I love puzzles :)
sure, but how much of the actual job will be solving puzzles? Seems unlikely to be representative of the work so the people who enjoy the actual work might begrudge the interview and the people who enjoy the interview might not enjoy the work.
At an intelligence agency? Possibly quite a bit.
Not everyone is working on awesome stuff at an intelligence agency. They still need people to work on their 20 year old hellscape of an ERP system in hated language(java,ada,cobol, etc).
A perfect "be sure to drink your Ovaltine" moment! If anyone is unfamiliar, it refers to the movie "A Christmas Story". The moment here: https://www.youtube.com/watch?v=zdA__2tKoIU

I first saw that movie a only a couple years ago and quickly realized how many pop culture references come from it. It does such a good job of capturing a period of time in North America. Even before I saw the movie, eating out at a Chinese restaurant was a thing for me and my family. I had no idea it may have been related! Also... one day I'll own that lamp.

This is great, thanks. I haven't seen this movie or heard of it. This scene is delivered very well and really explains the 'be sure to drink your ovaltine' concept
A Christmas Story is classic Americana
Growing up in the 90's my family would make it a point to watch this every year around the holidays, good times. If you are ever in Cleveland, OH, you can actually tour the house they filmed most of it in.
It was a reference to an actual ad campaign, I believe, for a real product
Seems meta. As far as references to ads in movies I enjoy Demolition Man. I loop the classy cover of the jingle for Jolly Green Giant from time to time to endear me to my (close) colleagues. It's burnt deep, whelp time for a listen.
Fascinating aside on Demolition Man: some versions have all restaurants as Pizza Hut rather than Taco Bell [1]. The version I saw as a kid was Pizza Hut, so when I said “in the future all restaurants are Pizza Hut”, a friend said “you mean Taco Bell” and we both learned something :).

> For some non-American releases, references to Taco Bell were changed to Pizza Hut. This includes dubbing, plus changing the logos during post-production. Taco Bell remains in the closing credits. In the Swedish release the subtitles still use Taco Bell while the sound and picture has been altered as above. The original version released in Australia (on VHS) contained Taco Bell, yet the newer version on DVD was changed both in logo and dubbing to Pizza Hut (in the scene where the restaurant patrons are looking through the glass windows to the fight scene outside, Taco Bell can be seen etched into the glass, even in the modified version).

[1] https://tacobell.fandom.com/wiki/Demolition_Man

Indeed, in my youth I downloaded a version that had this and I was alarmed at first. Some further research showed that it was an international release as Pizza Hut has a broader brand globally. The scene in San Angles where Westley Snipes attacks a bunch of police and he learns of his programming was filmed in Irvine, CA. I've got a few photos of the location and now would be a good time to take some shots since it isn't as busy. Also tripped out that the Mall scene in Kindergarten Cop was shot at the Main Place Mall in Santa Ana.
The movie was a childhood staple, but the book is even better - literally LOL'ed, snorted, etc. "In God We Trust: All Others Pay Cash" by Jean Shepherd. There are lots of additional short stories there not featured in the movie.
fwiw, a few of them say "mention this header"—so perhaps there is some accelerated path that it goes on.
Alternatively, they're tracking how many applications they get through that path.
Why do they call it Ovaltine?

The mug is round. The jar is round.

They should call it Roundtine.

I know you're joking, but I looked it up :)

'Ovaltine was developed in Bern, Switzerland, where it is known by its original name, Ovomaltine (from ovum, Latin for "egg", and malt, which were originally its key ingredients).' [1]

[1] https://en.wikipedia.org/wiki/Ovaltine

Oh! That explains why I’d always get really sick after drinking/eating Ovaltine based products!
Because of the malt? Egg and egg products are no longer used.
And oval also comes from ovum. So it's a sibling rather than parent relationship.
Ha, as a Swiss, from the Bern region, I was thinking whether this strange sounding Ovaltine has anything to do with Ovomaltine and was about to look it up.

In Switzerland, Ovomaltine is among the products with highest brand recognition ever and has a cult status because of their advertisement in the 80s and 90s.

Never knew it was a thing outside of Switzerland

I am from South America and I drink Ovomaltine every day. It has a lot less sugar than the local brands, which is a plus in my book. More actual taste than just sugary overload.
Used to be pretty big in Italy in late 70s/early 80s, then Nestlé destroyed all competition with their Nesquick. You can still find Ovomaltine in large supermarkets but it's clearly a bit player.
I wonder if it's a generational thing as well?
It's a Jerry Seinfeld bit.
cerved was referencing an episode of Seinfeld
I had a similar idea for financing Open Source software projects. The contributing sponsors would get their URL and add-text into a comment at the top of the source-code. The bigger your sponsorship the higher up in the list your company will be.

The adds would of course be targeted at hackers, such as come work for us, since only hackers read source-code. So it would be a very targeted ad (like the http-header thing).

I don't know if this has been tried out in practice but why not, if even HTTP-headers are used for a similar purpose?

Don't do it.

People will hate you for it... and never, ever let you live it down. :-/

He's speaking from experience. But, if your circumstances aren't exactly the same, the outcome may be different.

Credits pages in software, accessible from the main UI, used to be very common, and having names there -- or embedded in source code -- doesn't violate a user expectation.

Server software sending 'Server:' headers also doesn't violate user expectation, though some people prefer to turn these off.

Custom headers that cannot be turned off have a higher likelihood of violating user expectation.

To the OP: in open source projects, some users will attempt to remove undesired behavior, within the rights afforded by the license, but these exercises of copyright can interact adversely with trademarks and other brand protections, and with the surrounding (human) infrastructure and information-space around a project (e.g. names, URLs, references to services, secrets).

Your attempts to reconcile such a situation are nontrivial, and both inaction and action have a high likelihood of resulting in bad press (e.g. user confusion about fork, or heavy-handed enforcement). The harm will persist long after the original situation has been resolved or mitigated.

> some users will attempt to remove undesired behavior,

Surely. But a link in a comment to a supporter who helped finance the project is not really "behavior" is it? It is not part of the program that executes.

So it is not "undesired behavior" since it is not behavior at all.

But is it "undesired" in other ways?

If you put in a copyright notice into the source code, that is a kind of advertising for whoever's name is in it. Often comments contain links to the website of whoever maintains the source-code. Is that undesired? If not then what would be so undesirable about putting in a link to the website of whoever supported the project financially.

And if they paid for that, they would be supporting the project financially. And in the end isn't that what we want, financial support for Open Source projects?

Other than the Caddy debacle, there was a short-lived attempt to run ads in the output of npm install, which also backfired spectacularly: https://news.ycombinator.com/item?id=20786981.

I think if there was a magic button to remove any and all advertising from the internet, most people would press it, consequences be damned. You really need to think hard before hitching your cart to that horse.

Back when dinosaurs roamed the earth, BSD License literally had an "advertising clause".

The only question would be whether it should be used only for non-transferable "moral" authorship or transferable as the author chooses.

> only hackers read source-code

maybe I'm behind the times, but is 'hacker' now colloquial to mean 'anyone who codes'? Plenty of normal software engineers / devs, who are by no means 'hackers' (myself included) read the source code.

Inside the community, a hacker (as opposed to "cracker" or "security hacker") is someone who uses technology in a creative way.
so what do we call undesirables like anonymous and so on?
"crackers" or "security hackers". I'm sure most people on this site would consider themselves to be some form of "hacker", after all, this is "Hacker News".
My understanding of hacker is specifically someone who exploits vulnerabilities in code. Regular programmers are like building architects, hackers are like people holding up a mask so that the facial recognition powered NEST lock will let them inside the building.
Every programmer of course reads some source-code because they must read their own source-code. But such a programmer might use an Open Source library without reading its course. Whereas if you are truly hacker you are interested in how things work and you would more likely be reading such source.

I agree that definition of "hacker" is somewhat vague but mostly people understand it the same way depending on context.

I assume that reason dedicated programmers are called hackers is that earlier the the word "hack" referred to writers.

https://en.wikipedia.org/wiki/Hack_writer

What the hack, there's even a pub called "Old Hack"

https://www.tripadvisor.com/Restaurant_Review-g188644-d10512...

Can someone share what header the author added to their site? I only have my iPhone for the next 6 days. Anyone know of a way to see headers on an iPhone out of curiosity?
x-hack: Like HTTP headers? Check this blog post https://frenxi.com/http-headers-you-dont-expect/
Um, that’s the article this whole thread is about. And it doesn’t answer the question you’re replying to at all.
Thats the custom header on his blog.
Oops, I read that as prose rather than a header. It had been some minutes since I had actually looked at the header value myself. Sorry.
Install iSH. Then

  curl -D- https://example.com/
https://ish.app/
For headers alone, use a HEAD request with `curl --head`, short form `curl -I`. `curl -D-` emits the body as well, which is just noise if you’re only interested in the headers.
A HEAD request doesn’t necessarily return the same headers as the corresponding GET request. Just use -o/dev/null to suppress the body (which I omitted for brevity).
I've found similar headers in emails.

For example, I was setting up a sieve-based filter for Groupon emails and there was this x-recruiting header.

That was nice.

A job building HTML emails for Groupon? I guess someone has to do it, but I don’t envy them.
This made me curious. I'm going to look through my email archive and see if I can find anything of interest. Will update this post when I do.
I found one in my favorite niche streaming audio site. I actually went through the process - there were actually a few steps to get to the actual email address. I sent them an email even though I wasn’t on the market :-)
Is anyone else annoyed this is being publicized? It pretty much destroys any value that noticing the header might have as a signal. Granted the signal strength was probably pretty low already, as other commenters have pointed out, but blog posts like this must decrease it even further.
The audience for blog posts like these is probably pretty similar anyway.
It didn't have any value to begin with, honestly. Websites have the exact same message in their code simply by inspecting source or opening a console, and that certainly doesn't show you have any sort of skill or curiosity.

It's not like the sites are offering you a job, they're saying you should interview with them. I have not heard of anyone getting hired because of this.

I agree it’s not a marker of skill, but I do see it as evidence of curiosity.
No, because all these headers just lead to the stock standard hiring page. It literally has no effect.

I first noticed these kinds of "hidden" hiring messages almost 10 years ago. I thought it was cool for like 20 seconds until I realised that it is no different than just applying normally on their normal hiring page.

So the fact that more people find out about this, is like people discovering that a hiring page exists on companies websites. Which they already knew.

What I'm actually annoyed by is that companies are still doing this stupid thing.

Low signal strength for sure - all it says is "I know how to open Dev Tools." Rather than worry about trying to retain some value, I looks at these posts as an educational opportunity. They can encourage people who don't know how the web works to dig deeper, learn more.
> Is anyone else annoyed this is being publicized?

I don't know about annoyed, but I wouldn't want to talk about any movies I haven't seen with the author, or involve them in planning a surprise party.

For a while we had a recruiting message in the reddit headers. We also had this for many years:

    x-Bender: Bite my shiny metal ass
We also had this for a long time:

    Server: '; DROP TABLE servertypes; --
Sadly, it looks like it was removed when they switched from haproxy to varnish. They did put this in though:

    x-moose: majestic
So that's something I guess.
(comment deleted)
It's also in the robots.txt file.

  User-Agent: bender
  Disallow: /my_shiny_metal_ass