Twitter issues CSP header based on UA string

1. #cURL request with a User Agent set to the latest Chrome, CSP header is issued.
2.  
3. scott@securityheaders:~$ curl -A "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36" -I https://twitter.com
4. HTTP/1.1 200 OK
5. cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
6. content-length: 253757
7. content-security-policy: script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com 'nonce-pNzQrZTmFhM6POFomnBfRw==' https://analytics.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://media4.giphy.com https://media0.giphy.com https://pay.twitter.com https://analytics.twitter.com https://media.riffsy.com https://media.giphy.com https://media3.giphy.com https://upload.twitter.com https://media2.giphy.com https://media1.giphy.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://twitter.com https://*.twimg.com https://media4.giphy.com data: https://media0.giphy.com https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://media.giphy.com https://stats.g.doubleclick.net https://media3.giphy.com https://www.google-analytics.com blob: https://media2.giphy.com https://media1.giphy.com 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
8. content-type: text/html;charset=utf-8
9. date: Sun, 31 Jan 2016 17:08:18 GMT
10. expires: Tue, 31 Mar 1981 05:00:00 GMT
11. last-modified: Sun, 31 Jan 2016 17:08:18 GMT
12. pragma: no-cache
13. server: tsa_a
14. set-cookie: _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCMUVqJhSAToMY3NyZl9p%250AZCIlYzUyNGI0YTcyYmRjZGExYjAzYzY0MTQwYmY0NzE0Nzc6B2lkIiUxNjA3%250AOGI3MGVhZDdjNTc5ZjQyMzM4ZDg1OWIyMmQyOA%253D%253D--d2c9c515146d2e926be03d570b51979950a649b7; Path=/; Domain=.twitter.com; Secure; HTTPOnly
15. set-cookie: ua="f5,m2,m5,rweb,msw"; Expires=Sun, 31 Jan 2016 18:08:18 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
16. set-cookie: guest_id=v1%3A145426009850068460; Domain=.twitter.com; Path=/; Expires=Tue, 30-Jan-2018 17:08:18 UTC
17. status: 200 OK
18. strict-transport-security: max-age=631138519
19. x-connection-hash: 34303e4dc987e1c2cab38932a411cc13
20. x-content-type-options: nosniff
21. x-frame-options: SAMEORIGIN
22. x-response-time: 150
23. x-transaction: 6187b9cf660ea18d
24. x-twitter-response-tags: BouncerCompliant
25. x-ua-compatible: IE=edge,chrome=1
26. x-xss-protection: 1; mode=block
27.  
28.  
29. #cURL request with a custom User Agent set, CSP header is not issued.
30.  
31. scott@securityheaders:~$ curl -A "Mozilla/5.0 (compatible; SecurityHeaders/1.0; +https://securityheaders.io/about/)" -I https://twitter.com
32. HTTP/1.1 200 OK
33. cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
34. content-length: 253735
35. content-type: text/html;charset=utf-8
36. date: Sun, 31 Jan 2016 17:08:57 GMT
37. expires: Tue, 31 Mar 1981 05:00:00 GMT
38. last-modified: Sun, 31 Jan 2016 17:08:57 GMT
39. pragma: no-cache
40. server: tsa_a
41. set-cookie: _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCAKtqJhSAToMY3NyZl9p%250AZCIlNjhiZjdmNWFkN2ViNjRiMGM2NmMxMzE4ZTlmOTZlY2U6B2lkIiUyZTcz%250AOTk2OGJlOTFiZDQyNDQzMGY4ZjNkODIzZjk1Mw%253D%253D--cc35ace2184c6e4b3787ca7af2811c7bb0aa8115; Path=/; Domain=.twitter.com; Secure; HTTPOnly
42. set-cookie: ua="m2,msw"; Expires=Sun, 31 Jan 2016 18:08:57 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
43. set-cookie: guest_id=v1%3A145426013717532576; Domain=.twitter.com; Path=/; Expires=Tue, 30-Jan-2018 17:08:57 UTC
44. status: 200 OK
45. strict-transport-security: max-age=631138519
46. x-connection-hash: 25ab8fd22ca280589690ab5a168960a0
47. x-content-type-options: nosniff
48. x-frame-options: SAMEORIGIN
49. x-response-time: 228
50. x-transaction: dec22fc2ea127fd8
51. x-twitter-response-tags: BouncerCompliant
52. x-ua-compatible: IE=edge,chrome=1
53. x-xss-protection: 1; mode=block