服务器可以使用http标头命令来捕获浏览器签名吗? [英] Can servers use http headers order to catch a browser signature?
问题描述
我知道http标头顺序对于Web服务器处理请求并不重要(或者至少不应该)。但是,我想知道服务器(特别是反向代理或CDN)检查标头位置以合法请求的可能性。
I know http headers order is not significant (or at least, should not be) for the web servers to handle requests. However, I’m wondering how it is likely for servers (especially reverse-proxies or CDN) to check the headers position to legitimate a request.
让我解释一下。当我用firefox做一个简单的http请求时,这些是我的标题:
Let me explain. When I do a simple http request with firefox, these are my headers:
GET / HTTP/1.1
Host: stackoverflow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: yummy=yes_they_are
Connection: keep-alive
Cache-Control: max-age=0
使用Chrome:
GET / HTTP/1.1
Host: stackoverflow.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Cookie: yummy=yes_they_are
不完全相同,对吧?然后,如果我将用户代理更改为Firefox:
Not exactly the same, right? Then, if I change the user agent to Firefox:
GET / HTTP/1.1
Host: stackoverflow.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Cookie: yummy=yes_they_are
因为标题位置与Firefox不匹配标题定位习惯,服务器可以知道正在发生的事情(用户可能会使用Chrome扩展来欺骗其用户代理)。
Because the headers positions don’t match with Firefox "headers position habits", servers can know something fishy is going on (the user might use a Chrome extension to spoof its user-agent).
实际上有些http服务器检查那种事情?至少,它们是否可能(云端和诸如此类)?或者这是我应该完全不打扰的事情?如果我应该,我在哪里可以找到主浏览器的穷举标题顺序列表?
Do some http servers actually check that sort of thing? At least, is it likely they do (cloudfront and whatnot)? Or is it something I should totally not bother of? And if I should, where could I find exhaustives headers order list for the main browsers?
推荐答案
一般来说,订单不会(也不应该)重要。
但是基于这个答案,也有例外。所以,回答问题:是的,服务器(如incapsula)可以使用http标头顺序来捕获浏览器签名。
But based on this answer, there are exceptions. So, to anwser the question: yes, servers (like incapsula) can use http header order to catch a browser signature.
这篇关于服务器可以使用http标头命令来捕获浏览器签名吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
