Glitch needs a custom header

For security, Glitch needs a custom header. The reasoning behind this is that projects with custom domains can get around being reported, as it is very tricky to tell if the project is on Glitch or not. A custom header would reveal that the website uses Glitch as a host. Glitch could possibly use a header such as X-Hosted-By or maybe use an X-Powered-By (although Express uses this, it would not be that hard to remove).

Due to Glitch’s reverse-proxy they could easily overwrite any headers sent by your project :wink:

Anyway, you have my vote! I’m currently limited, might change up my votes later :wink:


This would be a very good idea!


Just added this feature to Glix:


Looking pretty good! I use the headers on my site for easter eggs, not legit purposes :rofl:


I actually also added a request header in case the user’s project would like to check if Glix is the reverse-proxy. However, this is spoofable.
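The header handling discussed in the posts above, as an added example that is not part of the thread and is not Glix's or Glitch's own code: the proxy replaces the marker on responses and on forwarded requests, and the project trusts the request marker only when the connection comes from the proxy's address. The function names, the reuse of `X-Proxied-By` as the request header name, and the sample addresses are assumptions.

```javascript
// Added example (not Glix's code). The header name and value follow the
// thread's "X-Proxied-By: Glix" response; everything else is assumed.
const MARKER = 'x-proxied-by';
const PROXY_NAME = 'Glix';

// Copy headers, dropping every spelling of the marker
// (HTTP header names are case-insensitive).
function withoutMarker(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== MARKER) out[name] = value;
  }
  return out;
}

// Case-insensitive lookup of the marker's value, or undefined.
function markerValue(headers) {
  const hit = Object.entries(headers).find(([n]) => n.toLowerCase() === MARKER);
  return hit ? hit[1] : undefined;
}

// Response path: whatever the project sent, the proxy's value is what leaves.
function finalizeResponseHeaders(upstreamHeaders) {
  return { ...withoutMarker(upstreamHeaders), 'X-Proxied-By': PROXY_NAME };
}

// Request path: a client-supplied marker is discarded before the proxy adds its own.
function sanitizeRequestHeaders(clientHeaders) {
  return { ...withoutMarker(clientHeaders), 'X-Proxied-By': PROXY_NAME };
}

// Project side: the header alone proves nothing, because anyone who can reach
// the project directly can send it. Require the TCP peer to be the proxy too.
function cameThroughProxy(headers, peerAddress, proxyAddresses) {
  return markerValue(headers) === PROXY_NAME && proxyAddresses.includes(peerAddress);
}

// Constructed sample data (addresses are from the documentation ranges).
const PROXY_ADDRS = ['192.0.2.10'];
const projectResponse = { 'Content-Type': 'text/html', 'x-proxied-by': 'nobody' };
const directRequest = { host: 'example.test', 'X-Proxied-By': 'Glix' };

console.log(finalizeResponseHeaders(projectResponse));
console.log(cameThroughProxy(directRequest, '203.0.113.7', PROXY_ADDRS));
console.log(cameThroughProxy(sanitizeRequestHeaders({ host: 'example.test' }),
  '192.0.2.10', PROXY_ADDRS));
```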


During a loading page the URL __glitch_loading_status is accessed (if I remember). However, that only works for loading screens.

Here’s the proxied by Glix header in action!

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Content-Length: 1597
Content-Type: text/html; charset=UTF-8
Date: Wed, 12 Aug 2020 19:25:10 GMT
Etag: W/"63d-161ddb754b8"
Last-Modified: Wed, 28 Feb 2018 18:40:35 GMT
Server: Caddy
Strict-Transport-Security: max-age=31536000;
X-Powered-By: Express
X-Proxied-By: Glix

Looking good!


This is actually not true. It can be very easy to catch which website is a Glitch project. For instance, unless you have an extremely active project, every Glitch project has a loading screen which also contains a status. I don’t remember it, but it is a 300 (redirect) status. Also, an even better way would be to add a cookie. Even though people can remove it, Glitch could make a pop-up if a cookie is missing.

A lot more people than you think use underground ping services.

Here’s a glitch ‘header’ (really a notification) w/ toastifyJS:

Nothing happened for me, sorry.

It returns a 404 I am guessing based on the console.

I think we are talking about Server Headers, not JavaScript ones :smile:

Ok. Also, I fixed it (it was a compression issue) :grinning:

What is it supposed to do?

Oops, it still doesn’t work.

I added this because for some reason I couldn’t get toastifyJS to work.