Glitch needs a custom header

RiversideRocks · August 11, 2020, 7:41pm

For security, glitch needs a custom header. The reasoning behind this is that projects with custom domains can get around being reported as it is very tricky to tell if the project is on glitch or not. A custom header would reveal that the website uses glitch as a host. Glitch could possibly use a header such as X-Hosted-By or maybe use a X-Powered-By (although Express uses this, it would not be that hard to remove)

ihack2712 · August 11, 2020, 7:50pm

Due to Glitch’s reverse-proxy they could easily overwrite any headers sent by your project

Anyway, you have my vote! I’m currently limited, might change up my votes later

youngchief · August 11, 2020, 8:10pm

This would be a very good idea!

ihack2712 · August 11, 2020, 8:32pm

Just added this feature to Glix:

RiversideRocks · August 11, 2020, 8:33pm

Looking pretty good! I use the headers on my site for easter eggs, not legit purposes

ihack2712 · August 11, 2020, 8:37pm

I actually also added a request header incase the user’s project would like to check if Glix is the reverse-proxy. However this is spoofable.

javaarchive · August 12, 2020, 4:11am

during a loading page the url __glitch_loading_status is accessed(if I remeber). however that only works for loading screens

ihack2712 · August 12, 2020, 6:25pm

Here’s the proxied by Glix header in action!

RiversideRocks · August 12, 2020, 7:25pm

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Content-Length: 1597
Content-Type: text/html; charset=UTF-8
Date: Wed, 12 Aug 2020 19:25:10 GMT
Etag: W/"63d-161ddb754b8"
Last-Modified: Wed, 28 Feb 2018 18:40:35 GMT
Server: Caddy
Strict-Transport-Security: max-age=31536000;
X-Powered-By: Express
X-Proxied-By: Glix

Looking good!

chessebuilderman · August 12, 2020, 7:49pm

This is actually not true. It can be very easy to catch which website is a Glitch project. For instance, unless you have an extremely active project, every Glitch project has a loading screen which also contains a status I don’t remember it, but it is a 300 (redirect) status. Also, an even better way would be to add a cookie. Even though people can remove it, Glitch could make a pop-up if a cookie is missing.

RiversideRocks · August 12, 2020, 7:49pm

A lot more people than you think you underground ping services.

mayank1234cmd · August 12, 2020, 7:51pm

Here’s a glitch ‘header’ (really a notification) w/ toastifyJS:
mayank1234cmd.glitch.me/glitchPowered.html

RiversideRocks · August 12, 2020, 7:52pm

Nothing happened for me, sorry.

chessebuilderman · August 12, 2020, 7:54pm

It returns a 404 I am guessing based on the console.

RiversideRocks · August 12, 2020, 7:55pm

I think we are talking about Server Headers, not JavaScript ones

mayank1234cmd · August 12, 2020, 7:56pm

Ok. Also I fixed it (it was an compression issue)

RiversideRocks · August 12, 2020, 7:58pm

What is it supposed to do?

ihack2712 · August 12, 2020, 7:58pm

mayank1234cmd · August 12, 2020, 8:00pm

oops it still doesnt work

mayank1234cmd · August 12, 2020, 8:15pm

I added this because for some reason I couldnt get toastifyJS to work.
console.log(‘░p░o▒w▒e▓r▓e█d█’)
console.log(‘░b░y▒g▒l▓i▓t█c█h’)
console.log(‘w░░e░░l▒▒c▒▒o▓▓m▓▓e██’)