ScottHelme

Twitter issues CSP header based on UA string

Jan 31st, 2016
#cURL request with a User Agent set to the latest Chrome, CSP header is issued.

scott@securityheaders:~$ curl -A "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36" -I https://twitter.com
HTTP/1.1 200 OK
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
content-length: 253757
content-security-policy: script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com 'nonce-pNzQrZTmFhM6POFomnBfRw==' https://analytics.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self'; frame-ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self'; connect-src https://graph.facebook.com https://media4.giphy.com https://media0.giphy.com https://pay.twitter.com https://analytics.twitter.com https://media.riffsy.com https://media.giphy.com https://media3.giphy.com https://upload.twitter.com https://media2.giphy.com https://media1.giphy.com 'self'; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com 'self' https://donate.twitter.com; img-src https://graph.facebook.com https://twitter.com https://*.twimg.com https://media4.giphy.com data: https://media0.giphy.com https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://media.giphy.com https://stats.g.doubleclick.net https://media3.giphy.com https://www.google-analytics.com blob: https://media2.giphy.com https://media1.giphy.com 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
content-type: text/html;charset=utf-8
date: Sun, 31 Jan 2016 17:08:18 GMT
expires: Tue, 31 Mar 1981 05:00:00 GMT
last-modified: Sun, 31 Jan 2016 17:08:18 GMT
pragma: no-cache
server: tsa_a
set-cookie: _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCMUVqJhSAToMY3NyZl9p%250AZCIlYzUyNGI0YTcyYmRjZGExYjAzYzY0MTQwYmY0NzE0Nzc6B2lkIiUxNjA3%250AOGI3MGVhZDdjNTc5ZjQyMzM4ZDg1OWIyMmQyOA%253D%253D--d2c9c515146d2e926be03d570b51979950a649b7; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: ua="f5,m2,m5,rweb,msw"; Expires=Sun, 31 Jan 2016 18:08:18 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: guest_id=v1%3A145426009850068460; Domain=.twitter.com; Path=/; Expires=Tue, 30-Jan-2018 17:08:18 UTC
status: 200 OK
strict-transport-security: max-age=631138519
x-connection-hash: 34303e4dc987e1c2cab38932a411cc13
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-response-time: 150
x-transaction: 6187b9cf660ea18d
x-twitter-response-tags: BouncerCompliant
x-ua-compatible: IE=edge,chrome=1
x-xss-protection: 1; mode=block


#cURL request with a custom User Agent set, CSP header is not issued.

scott@securityheaders:~$ curl -A "Mozilla/5.0 (compatible; SecurityHeaders/1.0; +https://securityheaders.io/about/)" -I https://twitter.com
HTTP/1.1 200 OK
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
content-length: 253735
content-type: text/html;charset=utf-8
date: Sun, 31 Jan 2016 17:08:57 GMT
expires: Tue, 31 Mar 1981 05:00:00 GMT
last-modified: Sun, 31 Jan 2016 17:08:57 GMT
pragma: no-cache
server: tsa_a
set-cookie: _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCAKtqJhSAToMY3NyZl9p%250AZCIlNjhiZjdmNWFkN2ViNjRiMGM2NmMxMzE4ZTlmOTZlY2U6B2lkIiUyZTcz%250AOTk2OGJlOTFiZDQyNDQzMGY4ZjNkODIzZjk1Mw%253D%253D--cc35ace2184c6e4b3787ca7af2811c7bb0aa8115; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: ua="m2,msw"; Expires=Sun, 31 Jan 2016 18:08:57 UTC; Path=/; Domain=.twitter.com; Secure; HTTPOnly
set-cookie: guest_id=v1%3A145426013717532576; Domain=.twitter.com; Path=/; Expires=Tue, 30-Jan-2018 17:08:57 UTC
status: 200 OK
strict-transport-security: max-age=631138519
x-connection-hash: 25ab8fd22ca280589690ab5a168960a0
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-response-time: 228
x-transaction: dec22fc2ea127fd8
x-twitter-response-tags: BouncerCompliant
x-ua-compatible: IE=edge,chrome=1
x-xss-protection: 1; mode=block
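The two sessions above make a practical point for anyone scanning their own sites: a server that keys its security headers on the User-Agent will make a scanner with a custom UA under-report, so the scan should be repeated with a real browser UA and the header sets compared. The script below is an added example (not part of the original paste, and not Scott Helme's or securityheaders.io's code) that does exactly that comparison. The list of headers it tracks, the `chrome-48`/`scanner` labels and the `SAMPLE_RESPONSES` table are assumptions of the example; the sample table is constructed from the two curl sessions above, with the long CSP value abbreviated.

```python
"""Added example: detect security headers that a server only sends for some
User-Agent strings. Not code from the original paste.

Assumptions (not from the page): the SECURITY_HEADERS list, the UA labels, and
SAMPLE_RESPONSES, which is constructed from the two curl sessions above.
"""
import sys
import urllib.request
from typing import Dict, Optional

# Response headers whose presence or absence changes browser-side protections.
SECURITY_HEADERS = (
    "content-security-policy",
    "content-security-policy-report-only",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
)

# User-Agent strings to probe with; both values are the ones used in the paste.
USER_AGENTS = {
    "chrome-48": ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36"),
    "scanner": ("Mozilla/5.0 (compatible; SecurityHeaders/1.0; "
                "+https://securityheaders.io/about/)"),
}


def security_headers(headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Project one response's headers onto SECURITY_HEADERS (case-insensitive).
    A value of None means the header was not sent at all."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name: lowered.get(name) for name in SECURITY_HEADERS}


def compare(results: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, Optional[str]]]:
    """results maps a UA label to that UA's raw response headers.
    Returns {header_name: {ua_label: value_or_None}} for every tracked header
    whose value or presence differs between at least two User-Agents."""
    projected = {label: security_headers(h) for label, h in results.items()}
    diffs = {}
    for name in SECURITY_HEADERS:
        values = {label: p[name] for label, p in projected.items()}
        if len(set(values.values())) > 1:
            diffs[name] = values
    return diffs


def fetch_headers(url: str, user_agent: str, timeout: float = 10.0) -> Dict[str, str]:
    """HEAD request (the equivalent of `curl -I`) with the given User-Agent;
    returns the response headers. Only used when a URL is passed on the CLI."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample: the security-relevant headers from the two curl sessions
# above. The CSP value is abbreviated; the point is presence versus absence.
SAMPLE_RESPONSES = {
    "chrome-48": {
        "content-security-policy": "default-src 'self'; report-uri https://twitter.com/i/csp_report",
        "strict-transport-security": "max-age=631138519",
        "x-content-type-options": "nosniff",
        "x-frame-options": "SAMEORIGIN",
        "x-xss-protection": "1; mode=block",
    },
    "scanner": {
        "strict-transport-security": "max-age=631138519",
        "x-content-type-options": "nosniff",
        "x-frame-options": "SAMEORIGIN",
        "x-xss-protection": "1; mode=block",
    },
}


def report(diffs: Dict[str, Dict[str, Optional[str]]]) -> str:
    """Human-readable summary of compare()'s output."""
    if not diffs:
        return "no User-Agent-dependent security headers found"
    lines = []
    for name, values in diffs.items():
        lines.append(f"{name} differs by User-Agent:")
        for label, value in values.items():
            lines.append(f"  {label:<10} {'<absent>' if value is None else value}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python ua_headers.py https://example.com
        results = {label: fetch_headers(sys.argv[1], ua) for label, ua in USER_AGENTS.items()}
    else:
        results = SAMPLE_RESPONSES
    print(report(compare(results)))
```

Run without arguments to see the comparison over the constructed sample, which flags `content-security-policy` as present for the Chrome UA and absent for the scanner UA while the other headers match; pass a URL to run the same comparison against a site you operate. Because `fetch_headers` uses HEAD like `curl -I`, it reproduces the paste's method; if a site answers HEAD and GET differently, change `method` to `GET` and discard the body.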