Dumping HTTP Headers

Dec 9, 2011 Published by Tony Primerano

How to display the HTTP request headers from a server-side page: AOL Server, Java Server Pages, Ruby on Rails, PHP, etc.

XSS Security Note

It was brought to my attention that by linking to these scripts from a page whose URL contains script tags, you could trigger XSS.

ex: http://someserver/referrertest/dump.php?<script>alert(document.cookie);</script> From that page, link to the dump headers page. When you click the link, this referrertest/dump.php URL is sent as the referer.

Firefox will correctly encode the URL, but IE passes it "as is" in the referer header. So when I display the referer header, the script executes.

This is easy enough to fix in the examples below by escaping the header name and value. (If you are using Rails 3, <%= %> output is escaped automatically.)

And yes, I know I misspelled referrer. The HTTP spec had the misspelling ("Referer"), so it lives on to this day.  :-)

Ruby on Rails rhtml code to dump HTTP headers.

request.env holds the HTTP headers under keys prefixed with HTTP_, alongside other CGI environment variables. This code selects just the keys starting with HTTP_ and then strips the HTTP_ prefix for easy reading. Name and value are passed through h() so a header containing markup is displayed, not executed.

<table border="1">
<% for name, value in request.env.select {|k,v| k.match(/^HTTP_/)} %>
  <%# strip the HTTP_ prefix; h() HTML-escapes both cells (XSS fix) %>
  <tr><td><%= h(name.sub(/^HTTP_/, '')) %></td><td><%= h(value) %></td></tr>
<% end %>
</table>
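To show the XSS note and the Rails snippet together outside a framework, here is an added example (not code from the original post) in plain Ruby: it takes a constructed Rack/CGI-style env hash with the HTTP_-prefixed keys that request.env carries, filters and renames them the same way, and HTML-escapes every name and value with the standard library's CGI.escapeHTML, so the unencoded Referer from the XSS note renders as text. The env hash, the helper names and the sample header values are all assumptions.

```ruby
require 'cgi'

# Select the HTTP_ keys from a Rack/CGI-style env hash (assumed input, the same
# shape as request.env in Rails), strip the prefix and turn USER_AGENT into
# User-Agent. Returns [[name, value], ...] sorted by name.
def http_headers(env)
  env.select { |k, _| k.start_with?('HTTP_') }
     .map { |k, v| [k.sub(/\AHTTP_/, '').split('_').map(&:capitalize).join('-'), v.to_s] }
     .sort
end

# Render the header table. CGI.escapeHTML turns < > & " ' into entities, so a
# Referer that carries markup is displayed as text rather than executed.
def header_table(env)
  rows = http_headers(env).map do |name, value|
    "<tr><td>#{CGI.escapeHTML(name)}</td><td>#{CGI.escapeHTML(value)}</td></tr>"
  end
  "<table border=\"1\">\n#{rows.join("\n")}\n</table>"
end

# Constructed sample env: the referer from the XSS note, sent unencoded the way
# IE sends it. REQUEST_METHOD is not a header and must be filtered out.
SAMPLE_ENV = {
  'REQUEST_METHOD'  => 'GET',
  'HTTP_HOST'       => 'someserver',
  'HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 8.0)',
  'HTTP_REFERER'    => 'http://someserver/referrertest/dump.php?<script>alert(document.cookie);</script>'
}

puts header_table(SAMPLE_ENV) if __FILE__ == $0
```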

AOL Server adp code to dump HTTP headers.

# Walk the request header ns_set; ns_quotehtml escapes name and value (XSS fix)
for { set i 0 } { $i < [ns_set size [ns_conn headers]] } { incr i } {
    ns_puts "[ns_quotehtml [ns_set key [ns_conn headers] $i]]: [ns_quotehtml [ns_set \
                value [ns_conn headers] $i]]"
}

PHP code to dump HTTP Headers

I think the quality/implementation of this code varies depending on how you are running PHP.

My site uses CGI, and I use this:

   <?php
   header('Content-type: text/html'); // headers must be sent before any output
   foreach($_SERVER as $h=>$v)
       echo "<li>$h = $v</li>\n";


XSS Change (replace the echo line with this so name and value are escaped):

   echo "<li>" . htmlspecialchars("$h = $v") . " </li>\n";

JSP/Java code to dump HTTP Headers

<%
  // Enumerate the request headers; note that name and value should be
  // HTML-escaped before output (see the XSS note above)
  java.util.Enumeration names = request.getHeaderNames();
  while (names.hasMoreElements()) {
    String name = (String) names.nextElement();
    String value = request.getHeader(name);
    out.println(" <li>     <b>" + name + "=</b>" + value +"</li>");
  }
%>