

{"id":12060,"date":"2019-03-05T15:50:24","date_gmt":"2019-03-05T20:50:24","guid":{"rendered":"https:\/\/rud.is\/b\/?p=12060"},"modified":"2019-03-05T15:50:24","modified_gmt":"2019-03-05T20:50:24","slug":"heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/","title":{"rendered":"Head&#8217;s Up! Roll Your Own HTTP Headers Investigations with the &#8216;hdrs&#8217; Package"},"content":{"rendered":"<p>I blathered <em>a lot<\/em> about HTTP headers in <a href=\"https:\/\/rud.is\/b\/2019\/03\/03\/cran-mirror-security\/\">the last post<\/a>.<\/p>\n<p>In the event you wanted to dig deeper, I <a href=\"https:\/\/git.rud.is\/hrbrmstr\/hdrs\">threw together<\/a> a small package that will let you grab HTTP headers from a given URL and take a look at them. The README has examples for most things but we&#8217;ll go through a few of them here as well.<\/p>\n<p>For those that just want to play, you can do:<\/p>\n<pre><code class=\"language-r\">install.packages(\"hdrs\", repos = \"https:\/\/cinc.rud.is\/\")\n\nhdrs::explore_app()\n<\/code><\/pre>\n<p><a href=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2019\/03\/shiny-headers.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"12061\" data-permalink=\"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/shiny-headers\/\" data-orig-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2019\/03\/shiny-headers.png?fit=2808%2C2260&amp;ssl=1\" data-orig-size=\"2808,2260\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"shiny-headers\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2019\/03\/shiny-headers.png?fit=510%2C410&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2019\/03\/shiny-headers.png?resize=510%2C410&#038;ssl=1\" alt=\"\" width=\"510\" height=\"410\" class=\"aligncenter size-full wp-image-12061\" \/><\/a><\/p>\n<p>and use the diminutive Shiny app to explore a site&#8217;s security headers or look at all the headers they return. (<em>Oh, yeah&hellip;if you read the previous post then looked at the above screenshot you&#8217;ll notice how completely useless IP blocking is to determined <strike>attackers<\/strike> individuals.<\/em>)<\/p>\n<p>NOTE: There are binaries for macOS and Windows at my CINC repo for <code>hdrs<\/code> so you&#8217;ll be getting those if you use the above method. 
Use <code>type='source'<\/code> on that call or use various <code>remotes<\/code> package functions to install the source package (after reading it b\/c you really shouldn&#8217;t trust any package, ever) from:<\/p>\n<ul>\n<li><a href=\"https:\/\/git.sr.ht\/~hrbrmstr\/hdrs\">SourceHut<\/a><\/li>\n<li><a href=\"https:\/\/gitlab.com\/hrbrmstr\/hdrs\">GitLab<\/a><\/li>\n<li>if you must <a href=\"https:\/\/github.com\/hrbrmstr\/hdrs\">GitHub<\/a><\/li>\n<\/ul>\n<h3>Moving Ahead<\/h3>\n<p>Let&#8217;s use the command-line to poke at my newfound most favorite site to use in security-related examples:<\/p>\n<pre><code class=\"language-r\">library(hdrs)\n\nassess_security_headers(\"https:\/\/cran.r-project.org\/\") %&gt;% \n  dplyr::select(-url)\n## # A tibble: 13 x 4\n##    header                            value                  status_code message            \n##  * &lt;chr&gt;                             &lt;chr&gt;                  &lt;chr&gt;       &lt;chr&gt;              \n##  1 access-control-allow-origin       NA                     WARN        Header not set     \n##  2 content-security-policy           NA                     WARN        Header not set     \n##  3 expect-ct                         NA                     WARN        Header not set     \n##  4 feature-policy                    NA                     WARN        Header not set     \n##  5 public-key-pins                   NA                     WARN        Header not set     \n##  6 referrer-policy                   NA                     WARN        Header not set     \n##  7 server                            Apache\/2.4.10 (Debian) NOTE        Server header found\n##  8 strict-transport-security         NA                     WARN        Header not set     \n##  9 x-content-type-options            NA                     WARN        Header not set     \n## 10 x-frame-options                   NA                     WARN        Header not set     \n## 11 x-permitted-cross-domain-policies NA          
           WARN        Header not set     \n## 12 x-powered-by                      NA                     WARN        Header not set     \n## 13 x-xss-protection                  NA                     WARN        Header not set     \n<\/code><\/pre>\n<p>Ouch. Not exactly a great result (so, perhaps it matters little how poorly maintained the downstream mirrors are after all, or maybe it&#8217;s <em>perfectly fine<\/em> to run a <a href=\"http:\/\/mail-archives.apache.org\/mod_mbox\/httpd-announce\/201407.mbox\/%3C650BABAF-9B03-4EEB-94EC-D6DD833C248F@apache.org%3E\">five year old web server<\/a> with some fun <a href=\"https:\/\/httpd.apache.org\/security\/vulnerabilities_24.html\">vulns<\/a>).<\/p>\n<p>Anyway&hellip;<\/p>\n<p>The <code>assess_security_headers()<\/code> function looks at 13 modern &#8220;security-oriented&#8221; HTTP headers, performs a very light efficacy assessment and returns the results.<\/p>\n<ul>\n<li><code>access-control-allow-origin<\/code><\/li>\n<li><code>content-security-policy<\/code><\/li>\n<li><code>expect-ct<\/code><\/li>\n<li><code>feature-policy<\/code><\/li>\n<li><code>server<\/code><\/li>\n<li><code>public-key-pins<\/code><\/li>\n<li><code>referrer-policy<\/code><\/li>\n<li><code>strict-transport-security<\/code><\/li>\n<li><code>x-content-type-options<\/code><\/li>\n<li><code>x-frame-options<\/code><\/li>\n<li><code>x-permitted-cross-domain-policies<\/code><\/li>\n<li><code>x-powered-by<\/code><\/li>\n<li><code>x-xss-protection<\/code><\/li>\n<\/ul>\n<p>Since you likely do not have every HTTP header&#8217;s name, potential values, suggested values, and overall purpose memorized, you can also pass in <code>include_ref = TRUE<\/code> to the function to get more information with decent textual descriptions like you saw in the screenshot (the Shiny app omits many fields).<\/p>\n<p>The full reference is available in a data element:<\/p>\n<pre><code class=\"language-r\">data(\"http_headers\")\n\ndplyr::glimpse(http_headers)\n## 
Observations: 184\n## Variables: 14\n## $ header_field_name    &lt;chr&gt; \"A-IM\", \"Accept\", \"Accept-Additions\", \"Accept-Charset\", \"Accept-Datetime\", \"Accept-Encoding\u2026\n## $ type_1               &lt;chr&gt; \"Permanent\", \"Permanent\", \"Permanent\", \"Permanent\", \"Permanent\", \"Permanent\", \"Permanent\", \u2026\n## $ protocol             &lt;chr&gt; \"http\", \"http\", \"http\", \"http\", \"http\", \"http\", \"http\", \"http\", \"http\", \"http\", \"http\", \"ht\u2026\n## $ status               &lt;chr&gt; \"\", \"standard\", \"\", \"standard\", \"informational\", \"standard\", \"\", \"standard\", \"\", \"standard\"\u2026\n## $ reference            &lt;chr&gt; \"https:\/\/tools.ietf.org\/html\/rfc3229#section-10.5.3\", \"https:\/\/tools.ietf.org\/html\/rfc7231#\u2026\n## $ type_2               &lt;chr&gt; \"Request\", \"Request\", \"Request\", \"Request\", \"Request\", \"Request\", \"Request\", \"Request\", \"Re\u2026\n## $ enable               &lt;lgl&gt; FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, TRUE, TRUE, FALSE, TRUE, FALSE, FAL\u2026\n## $ required             &lt;lgl&gt; NA, NA, NA, NA, NA, NA, NA, NA, TRUE, TRUE, NA, TRUE, NA, NA, NA, TRUE, NA, NA, NA, NA, NA,\u2026\n## $ https                &lt;lgl&gt; NA, NA, NA, NA, NA, NA, NA, NA, TRUE, TRUE, NA, TRUE, NA, NA, NA, TRUE, NA, NA, NA, NA, NA,\u2026\n## $ security_description &lt;chr&gt; \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"Sometimes an HTTP intermediary might try to detect viruses\u2026\n## $ security_reference   &lt;chr&gt; \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"https:\/\/tools.ietf.org\/html\/rfc5789#section-5\", \"https:\/\/t\u2026\n## $ recommendations      &lt;chr&gt; \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"Antivirus software scans for viruses or worms.\", \"Servers \u2026\n## $ cwe                  &lt;chr&gt; \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"CWE-509: Replicating Malicious Code (Virus or Worm)\", \"CWE\u2026\n## $ 
cwe_url              &lt;chr&gt; \"\\r\", \"\\r\", \"\\r\", \"\\r\", \"\\r\", \"\\r\", \"\\r\", \"\\r\", \"https:\/\/cwe.mitre.org\/data\/definitions\/509\u2026\n<\/code><\/pre>\n<p>There will eventually be a lovely vignette with well-formatted sections that include the above information so you can reference it at your leisure (it&#8217;s <em>great<\/em> bedtime reading).<\/p>\n<p>The <code>http_headers<\/code> object is fully documented but here&#8217;s what those fields mean:<\/p>\n<ul>\n<li><code>header_field_name<\/code>: header field<\/li>\n<li><code>type_1<\/code>: <code>Permanent<\/code> (in a standard); <code>Provisional<\/code> (experimental); <code>Personal<\/code> (unofficial)<\/li>\n<li><code>protocol<\/code>: should always be <code>http<\/code> for now but may be different (e.g. <code>quic<\/code>)<\/li>\n<li><code>status<\/code>: blank == unknown; otherwise the value describes the status well<\/li>\n<li><code>reference<\/code>: where to look for more info<\/li>\n<li><code>type_2<\/code>: <code>Request<\/code> (should only be found in requests); <code>Response<\/code> (should only be found in responses); <code>Request\/Response<\/code> found in either; <code>Reserved<\/code> (not in use yet)<\/li>\n<li><code>enable<\/code>: should you have this enabled<\/li>\n<li><code>required<\/code>: Is this header required<\/li>\n<li><code>https<\/code>: HTTPS-specific header?<\/li>\n<li><code>security_description<\/code>: Information on the header<\/li>\n<li><code>security_reference<\/code>: Extra external reference information on the header<\/li>\n<li><code>recommendations<\/code>: Recommended setting(s)<\/li>\n<li><code>cwe<\/code>: Associated Common Weakness Enumeration (CWE) identifier<\/li>\n<li><code>cwe_url<\/code>: Associated CWE URL<\/li>\n<\/ul>\n<h3>Even Moar Headers<\/h3>\n<p>HTTP servers can spit out tons of headers and we can catch&#8217;em all with <code>hdrs::explain_headers()<\/code>. 
That function grabs the headers, merges in the full metadata from <code>http_headers<\/code> and returns a big ol&#8217; data frame. We&#8217;ll only pull out the security reference URL for this last example:<\/p>\n<pre><code class=\"language-r\">explain_headers(\"https:\/\/community.rstudio.com\/\") %&gt;% \n  dplyr::select(header, value, security_reference)\n## # A tibble: 18 x 3\n##    header               value                                                         security_reference                   \n##    &lt;chr&gt;                &lt;chr&gt;                                                         &lt;chr&gt;                                \n##  1 cache-control        no-cache, no-store                                            https:\/\/tools.ietf.org\/html\/rfc7234#\u2026\n##  2 connection           keep-alive                                                    \"\"                                   \n##  3 content-encoding     gzip                                                          https:\/\/en.wikipedia.org\/wiki\/BREACH\u2026\n##  4 content-security-po\u2026 base-uri 'none'; object-src 'none'; script-src 'unsafe-eval'\u2026 https:\/\/www.owasp.org\/index.php\/List\u2026\n##  5 content-type         text\/html; charset=utf-8                                      https:\/\/tools.ietf.org\/html\/rfc7231#\u2026\n##  6 date                 Tue, 05 Mar 2019 20:40:31 GMT                                 \"\"                                   \n##  7 referrer-policy      strict-origin-when-cross-origin                               NA                                   \n##  8 server               nginx                                                         https:\/\/tools.ietf.org\/html\/rfc7231#\u2026\n##  9 strict-transport-se\u2026 max-age=31536000                                              https:\/\/tools.ietf.org\/html\/rfc6797  \n## 10 vary                 Accept-Encoding                                               \"\"                          
         \n## 11 x-content-type-opti\u2026 nosniff                                                       https:\/\/www.owasp.org\/index.php\/List\u2026\n## 12 x-discourse-route    list\/latest                                                   NA                                   \n## 13 x-download-options   noopen                                                        NA                                   \n## 14 x-frame-options      SAMEORIGIN                                                    https:\/\/tools.ietf.org\/html\/rfc7034  \n## 15 x-permitted-cross-d\u2026 none                                                          NA                                   \n## 16 x-request-id         12322c6e-b47e-4960-b384-32138097886c                          NA                                   \n## 17 x-runtime            0.106664                                                      NA                                   \n## 18 x-xss-protection     1; mode=block                                                 https:\/\/www.owasp.org\/index.php\/List\u2026\n<\/code><\/pre>\n<h3>FIN<\/h3>\n<p>Have some fun and poke at some headers. Perhaps even use this to do a survey of key web sites in your field of work\/study and see how well they rate. As usual, post PRs &amp; issues at your fav social coding site.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I blathered alot about HTTP headers in the last post. In the event you wanted to dig deeper I threw together a small package that will let you grab HTTP headers from a given URL and take a look at them. 
The README has examples for most things but we&#8217;ll go through a bit of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[91],"tags":[],"class_list":["post-12060","post","type-post","status-publish","format-standard","hentry","category-r"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Head&#039;s Up! Roll Your Own HTTP Headers Investigations with the &#039;hdrs&#039; Package - rud.is<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Head&#039;s Up! Roll Your Own HTTP Headers Investigations with the &#039;hdrs&#039; Package - rud.is\" \/>\n<meta property=\"og:description\" content=\"I blathered alot about HTTP headers in the last post. In the event you wanted to dig deeper I threw together a small package that will let you grab HTTP headers from a given URL and take a look at them. 
The README has examples for most things but we&#8217;ll go through a bit of [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2019-03-05T20:50:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/rud.is\/b\/wp-content\/uploads\/2019\/03\/shiny-headers.png\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"Head&#8217;s Up! 
Roll Your Own HTTP Headers Investigations with the &#8216;hdrs&#8217; Package\",\"datePublished\":\"2019-03-05T20:50:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/\"},\"wordCount\":545,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"image\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2019\\\/03\\\/shiny-headers.png\",\"articleSection\":[\"R\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/\",\"name\":\"Head's Up! 
Roll Your Own HTTP Headers Investigations with the 'hdrs' Package - rud.is\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2019\\\/03\\\/shiny-headers.png\",\"datePublished\":\"2019-03-05T20:50:24+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/#primaryimage\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2019\\\/03\\\/shiny-headers.png?fit=2808%2C2260&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2019\\\/03\\\/shiny-headers.png?fit=2808%2C2260&ssl=1\",\"width\":2808,\"height\":2260},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2019\\\/03\\\/05\\\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/rud.is\\\/b\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Head&#8217;s Up! 
Roll Your Own HTTP Headers Investigations with the &#8216;hdrs&#8217; Package\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/\",\"name\":\"rud.is\",\"description\":\"&quot;In God we trust. All others must bring data&quot;\",\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/rud.is\\\/b\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\"logo\":{\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\\\/\\\/rud.is\"],\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/author\\\/hrbrmstr\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Head's Up! 
Roll Your Own HTTP Headers Investigations with the 'hdrs' Package - rud.is","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/","og_locale":"en_US","og_type":"article","og_title":"Head's Up! Roll Your Own HTTP Headers Investigations with the 'hdrs' Package - rud.is","og_description":"I blathered alot about HTTP headers in the last post. In the event you wanted to dig deeper I threw together a small package that will let you grab HTTP headers from a given URL and take a look at them. The README has examples for most things but we&#8217;ll go through a bit of [&hellip;]","og_url":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/","og_site_name":"rud.is","article_published_time":"2019-03-05T20:50:24+00:00","og_image":[{"url":"https:\/\/rud.is\/b\/wp-content\/uploads\/2019\/03\/shiny-headers.png","type":"","width":"","height":""}],"author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"Head&#8217;s Up! 
Roll Your Own HTTP Headers Investigations with the &#8216;hdrs&#8217; Package","datePublished":"2019-03-05T20:50:24+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/"},"wordCount":545,"commentCount":3,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"image":{"@id":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/#primaryimage"},"thumbnailUrl":"https:\/\/rud.is\/b\/wp-content\/uploads\/2019\/03\/shiny-headers.png","articleSection":["R"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/","url":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/","name":"Head's Up! 
Roll Your Own HTTP Headers Investigations with the 'hdrs' Package - rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"primaryImageOfPage":{"@id":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/#primaryimage"},"image":{"@id":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/#primaryimage"},"thumbnailUrl":"https:\/\/rud.is\/b\/wp-content\/uploads\/2019\/03\/shiny-headers.png","datePublished":"2019-03-05T20:50:24+00:00","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/#primaryimage","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2019\/03\/shiny-headers.png?fit=2808%2C2260&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2019\/03\/shiny-headers.png?fit=2808%2C2260&ssl=1","width":2808,"height":2260},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2019\/03\/05\/heads-up-roll-your-own-http-headers-investigations-with-the-hdrs-package\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"Head&#8217;s Up! Roll Your Own HTTP Headers Investigations with the &#8216;hdrs&#8217; Package"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":"&quot;In God we trust. 
All others must bring data&quot;","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7","sameAs":["http:\/\/rud.is"],"url":"https:\/\/rud.is\/b\/author\/hrbrmstr\/"}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p23idr-38w","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":12811,"url":"https:\/\/rud.is\/b\/2020\/08\/08\/quick-hit-speeding-up-data-frame-creation\/","url_meta":{"origin":12060,"position":0},"title":"Quick Hit: Speeding Up Data Frame Creation","author":"hrbrmstr","date":"2020-08-08","format":false,"excerpt":"(This is part 2 of n \"quick hit\" posts, each walking through some approaches to speeding up components of an iterative operation. Go here for part 1). 
Thanks to the aforementioned previous post, we now have a super fast way of reading individual text files containing HTTP headers from HEAD\u2026","rel":"","context":"In &quot;R&quot;","block_context":{"text":"R","link":"https:\/\/rud.is\/b\/category\/r\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":12142,"url":"https:\/\/rud.is\/b\/2019\/04\/12\/a-note-to-our-community-on-how-to-hide-your-content-from-search-engines\/","url_meta":{"origin":12060,"position":1},"title":"A Note to Our Community On How To Hide Your Content From Search Engines","author":"hrbrmstr","date":"2019-04-12","format":false,"excerpt":"UPDATE 2019-04-17 \u2014 The example at the bottom which shows that the, er, randomly chosen site has the offending <meta> tag present is an old result. As of this update timestamp, that robots noindex tag is not on the site. Since the presence status of that tag is in flux,\u2026","rel":"","context":"In &quot;Leadership&quot;","block_context":{"text":"Leadership","link":"https:\/\/rud.is\/b\/category\/leadership\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":14213,"url":"https:\/\/rud.is\/b\/2023\/07\/09\/new-r-package-hhhash\/","url_meta":{"origin":12060,"position":2},"title":"New R Package For HTTP Headers Hashing","author":"hrbrmstr","date":"2023-07-09","format":false,"excerpt":"HTTP Headers Hashing (HHHash) is a technique developed by Alexandre Dulaunoy to gen\u00aderate a fingerprint of an HTTP server based on the headers it returns. It employs one-way hashing to generate a hash value from the list of header keys returned by the server. 
The HHHash value is calculated by\u2026","rel":"","context":"In &quot;R&quot;","block_context":{"text":"R","link":"https:\/\/rud.is\/b\/category\/r\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":12016,"url":"https:\/\/rud.is\/b\/2019\/03\/03\/cran-mirror-security\/","url_meta":{"origin":12060,"position":3},"title":"CRAN Mirror &#8220;Security&#8221;","author":"hrbrmstr","date":"2019-03-03","format":false,"excerpt":"In the \"Changes on CRAN\" section of the latest version of the The R Journal (Vol. 10\/2, December 2018) had this short blurb entitled \"CRAN mirror security\": Currently, there are 100 official CRAN mirrors, 68 of which provide both secure downloads via \u2018https\u2019 and use secure mirroring from the CRAN\u2026","rel":"","context":"In &quot;Cybersecurity&quot;","block_context":{"text":"Cybersecurity","link":"https:\/\/rud.is\/b\/category\/cybersecurity\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":13824,"url":"https:\/\/rud.is\/b\/2023\/03\/18\/webr-wasm-r-package-load-library-benchmarking-rabbit-hole\/","url_meta":{"origin":12060,"position":4},"title":"WebR WASM R Package Load\/Library Benchmarking Rabbit Hole","author":"hrbrmstr","date":"2023-03-18","format":false,"excerpt":"I have a post coming on using base and {ggplot2} plots in VanillaJS WebR, but after posting some bits on social media regarding how slow {ggplot2} is to deal with, I had some \"performance\"-related inquiries, which led me down a rabbit hole that I'm, now, dragging y'all down into as\u2026","rel":"","context":"In &quot;Javascript&quot;","block_context":{"text":"Javascript","link":"https:\/\/rud.is\/b\/category\/javascript\/"},"img":{"alt_text":"Histogram of WASM R package load times. 
Most load in well under 1s","src":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/03\/pkgload.png?fit=1200%2C869&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/03\/pkgload.png?fit=1200%2C869&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/03\/pkgload.png?fit=1200%2C869&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/03\/pkgload.png?fit=1200%2C869&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/03\/pkgload.png?fit=1200%2C869&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":3784,"url":"https:\/\/rud.is\/b\/2015\/11\/11\/using-monetdblite-with-real-world-csv-files\/","url_meta":{"origin":12060,"position":5},"title":"Using MonetDB[Lite] with real-world CSV files","author":"hrbrmstr","date":"2015-11-11","format":false,"excerpt":"[MonetDBLite](https:\/\/www.monetdb.org\/blog\/monetdblite-r) (for R) was announced\/released today and, while the examples they provide are compelling there's a \"gotcha\" for potential new folks using SQL in general and SQL + MonetDB + R together. The toy example on the site shows dumping `mtcars` with `dbWriteTable` and then doing things. 
Real-world CSV files\u2026","rel":"","context":"In &quot;monetdb&quot;","block_context":{"text":"monetdb","link":"https:\/\/rud.is\/b\/category\/monetdb\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/12060","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/comments?post=12060"}],"version-history":[{"count":0,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/12060\/revisions"}],"wp:attachment":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media?parent=12060"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/categories?post=12060"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/tags?post=12060"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}