CLIENT & PROXY GENERATED REQUEST HEADERS THAT VIOLATE PRIVACY

The headers noted by * may reveal your IP address. The headers noted by * may generate privacy violations. In the most general terms, your paramount concern should be whether your IP address or host name is revealed. From this information your ISP may be directly identified and, indirectly, your regional location. An authority may gain access to your ISP's records and, with both the IP number and the date and time of use, obtain your real name, phone number and address.

One of the benefits of proxy servers is that they can hide the actual client's IP address (the origin server sees only the proxy server's IP address). However, corporations may internally pass the client's IP address in the CLIENT-IP: header. This header is used for internal logging and possibly for internal access control based on the IP address of the originating client. Normally this header is stripped out when the request leaves the corporate intranet. However, since you are accessing the proxy server from outside its intended environment, and/or due to misconfiguration inside that environment, there are rare times when your IP address will be passed on to the origin server (the site you requested) in the CLIENT-IP: header. Please take note of this possibility and look for it in the ENV test page. For a better understanding SEE: How browsers betray you FAQ (this header is not discussed below).

In addition, the FROM: request header contains the requesting user's E-mail address. For privacy reasons this header is rarely present in the request; modern browsers do not send this field automatically. Netscape Navigator will automatically send a generic "Mozilla@" email address if requested by an origin server in an FTP request. However, vigilance is recommended during FTP client-origin server negotiation so as to ensure that your actual E-mail address is not disclosed. (This header is not discussed below.)

For a variety of reasons your IP address may be revealed to the requested origin server in one of the first five headers discussed below.

HEADERS (and what variables each will show)

REMOTE_ADDR: 192.211.16.8 Your actual IP address MUST always be sent from your client browser. Without it the origin server will not know where to send the requested content. If no proxy server is used (i.e. if the request is made direct) your actual IP address will be revealed here when an ENV test page is used. In that instance (and in all others where a proxy server is not used) your privacy is compromised. If a proxy server is used, the IP address of the proxy server (rather than the real IP), which acts as the client browser's agent in negotiating requests, will be revealed here.
REMOTE_HOST: bogachiel.evergreen.edu The discussion concerning REMOTE_ADDR: is directly applicable here, differing only in that it reveals the IP number's corresponding host name.
HTTP_FORWARDED: by http://bogachiel.evergreen.edu:8080 (Netscape-Proxy/3.52) While all proxies substitute their own IP address for the client's in making requests to the origin server, some may forward the client's actual IP address in this request header.

See VIA:

Some intermediate proxy servers use the FORWARDED: header, an experimental feature that was never included in the specification, Via: being adopted instead. The format is:

Forwarded: by http://proxy-host:port (Demo-Proxy/2.5)

SEE: How browsers betray you FAQ

VIA: While all proxies substitute their own IP address for the client's in making requests to the origin server, some may forward the client's actual IP address in this request header.

This header was implemented to indicate the proxy chain (internal network configured) that the request was passed through. The format is: Via: protocol pseudonym, where protocol is the protocol name (optional if HTTP) and version of the received request. The pseudonym value is the hostname or a symbolic name of the proxy server (security reasons may dictate the use of a symbolic name instead of the intermediate proxy server's hostname). A comment may be appended, enclosed in parentheses, giving the proxy server software name and version.

Example: Via: 1.1 first-proxy, 1.1 second-proxy (Demo-Proxy/4.0)

In HTTP/1.0, where no Via header was defined, the USER-AGENT: field was (and sometimes still is) used by some proxy servers to indicate intermediate proxies by appending the proxy server information after the client software string.

Example: User-Agent: Mozilla/3.0 via proxy gateway CERN-HTTPD/3.0 libwww/2.17

See also FORWARDED:

SEE: How browsers betray you FAQ

X-FORWARDED-FOR: While all proxies substitute their own IP address for the client's in making requests to the origin server, some may forward the client's actual IP address in this request header.

SEE: How browsers betray you FAQ

HTTP_REFERER: ENV.html This request header contains the URL of the document that contained the link to the requested URL. This header may create many privacy intrusions depending on where you are visiting the origin server from.

As an example of a web site's ability to record REFERER: data from its visitors as well as privacy intrusions on several other levels please take a look at: Open letter from the administrators of Cryptome at: http://www.jya.com/crypto.htm. Note that the visitor to the site had been previously searching for bomb making information at the Infoseek search engine.

Examples of the type of data that is available to requesting web sites via this header (Generously provided by AnonyMouse) include:

from a POP3 email account:
mailbox:/C|/Program Files/Netscape/Users/dennisp/mail/Inbox?id=12852.990628%40worldnet.fr&number=54239145

from a search engine:
http://search.excite.com/search.gw?search=dirty+pictures&trace=1&src=nsl&sorig=netscape

from a file on a PC, probably a zip drive:
file:/D|/!research/info/snooz.htm

from bookmarks:
file:///C|/Programme/Netscape/Users/KZinsky/bookmark.htm

from a webpage:
http://www.dis.org/erehwon/anonymity.html

from a usenet post:
news://usenet.pitt.edu/199903222302.AAA30739@mail.replay.com

from an ICQ bookmark:
file://D:/Program Files/ICQ/ICQ/Bookmark/11111170.html

This header variable may be changed by using software such as Proxomitron.
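The checks an ENV-style test page could run over the headers above (the five IP-revealing headers and the Referer), as an added example in Python that is not part of the original page; the sample environment, its addresses and the hypothetical function names are constructed here.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (hypothetical values, not from the original page):
# what an ENV test CGI sees when a proxy passes the client address along.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "192.0.2.10",                 # the proxy, not the client
    "HTTP_VIA": "1.1 first-proxy (Demo-Proxy/4.0)",
    "HTTP_X_FORWARDED_FOR": "198.51.100.7",      # the real client leaks here
    "HTTP_USER_AGENT": "Mozilla/3.0 via proxy gateway CERN-HTTPD/3.0 libwww/2.17",
    "HTTP_REFERER": "file:///C|/Programme/Netscape/Users/KZinsky/bookmark.htm",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# CGI variables in which a proxy may carry an address other than its own.
IP_CARRIERS = ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_FORWARDED", "HTTP_VIA")
PROXY_MARKERS = ("HTTP_VIA", "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR")

def proxy_in_use(env):
    """A proxy is indicated by Via/Forwarded/X-Forwarded-For, or by the
    HTTP/1.0 habit of appending 'via ...' to the User-Agent string."""
    if any(key in env for key in PROXY_MARKERS):
        return True
    return " via " in env.get("HTTP_USER_AGENT", "").lower()

def leaked_client_ips(env):
    """Addresses in proxy-added headers that differ from REMOTE_ADDR.
    Behind a proxy REMOTE_ADDR is the proxy itself, so any other address
    in these headers is a client address being passed upstream."""
    found = set()
    for key in IP_CARRIERS:
        found.update(IPV4.findall(env.get(key, "")))
    found.discard(env.get("REMOTE_ADDR", ""))
    return sorted(found)

def referer_exposure(env):
    """Classify what the Referer gives away, following the examples above:
    a local file or mailbox path, a Usenet post, a search query, or a page."""
    ref = env.get("HTTP_REFERER", "")
    if not ref:
        return "none"
    parts = urlsplit(ref)
    if parts.scheme in ("file", "mailbox"):
        return "local-path"
    if parts.scheme == "news":
        return "usenet-post"
    if parts.query:
        return "search-query"
    return "web-page"
```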

HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 5.0; MSN 2.5; Windows 98) This request header reports the requesting client (browser) software name and version number.

Note that "Mozilla" is the code name of Netscape Navigator and it is used in the User-Agent: field to identify it. Historically, in the absence of a more sophisticated format negotiation scheme, the User-Agent: field was commonly used to determine the feature level of the client software. For example, new features introduced by the Navigator, such as HTML tables and frames would be triggered by the origin server software if the User-Agent: field indicated that the client software was Netscape Navigator.

Unfortunately, this mechanism hindered the deployment of these features on other client software, such as Microsoft Internet Explorer. For this reason, client software other than Netscape Navigator, such as Microsoft Internet Explorer, also uses the magic word "Mozilla" as an indication of its software and further identifies the software in the comment section.

This header variable may be changed by using software such as Proxomitron.

HTTP_ACCEPT: application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* This request header specifies what media types are acceptable to the requesting client (browser). Note that the * is a wildcard character so Accept: */* would indicate that all formats are acceptable.

Quality parameters (q) may be used to specify the preference for media types. The value of q is between 0 (not preferred) and 1 (preferred). As an example:

Accept: text/html; q=1, image/gif; q=1, text/*; q=0.5, */*; q=0.1

This gives preference to HTML text files and GIF and JPEG images; intermediate preference to any other text files; and low preference for all others. The default value for q is 1 so that q=1 may be left out to indicate the highest preference. Quality parameters are separated by a semicolon from the media type and media types are separated by a comma from each other.

Notice that by default Microsoft reveals that you have Excel, Word & Powerpoint applications on your system. There is no practical need for this disclosure. Your privacy is violated through this header.

This header variable may be changed by using software such as Proxomitron.

HTTP_ACCEPT_LANGUAGE: en-us This request header is used to specify the language preference of the user. Note that a quality parameter (q) may be used just as with the ACCEPT: header.

Example: Accept-Language: en-us, fr;q=0.5

This would give preference to English but also accept French.

Most web sites do not create translated pages in multiple languages. The only choice is often English, and yet this header still violates your privacy by identifying your country.

This header variable may be changed by using software such as Proxomitron.
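How a server evaluates the quality (q) parameters described above for both Accept and Accept-Language, and what the default Accept header discloses, as an added Python example that is not part of the original page; the header strings are taken from the page's examples, and the function names are hypothetical.

```python
# Sample header values, copied from the examples on this page.
IE_ACCEPT = ("application/vnd.ms-excel, application/msword, "
             "application/vnd.ms-powerpoint, image/gif, image/x-xbitmap, "
             "image/jpeg, image/pjpeg, */*")
PAGE_ACCEPT = "text/html; q=1, image/gif; q=1, text/*; q=0.5, */*; q=0.1"
PAGE_LANGUAGE = "en-us, fr;q=0.5"

def parse_accept(header):
    """Split an Accept or Accept-Language value into (range, q) pairs:
    ranges are comma separated, q follows a semicolon, default q is 1."""
    prefs = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        if not parts[0]:
            continue
        q = 1.0
        for param in parts[1:]:
            name, _, val = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = min(1.0, max(0.0, float(val)))
                except ValueError:
                    q = 0.0            # malformed q: treat as not acceptable
        prefs.append((parts[0], q))
    return prefs

def quality(prefs, value):
    """Quality the client assigns to one media type or language tag; the most
    specific matching range wins (exact beats text/* or en, which beat */* or *)."""
    best_spec, best_q = -1, 0.0
    for rng, q in prefs:
        if rng == value:
            spec = 2
        elif rng in ("*/*", "*"):
            spec = 0
        elif rng.endswith("/*") and value.startswith(rng[:-1]):
            spec = 1                   # text/* covers text/plain
        elif value.startswith(rng + "-"):
            spec = 1                   # en covers en-us
        else:
            continue
        if spec > best_spec:
            best_spec, best_q = spec, q
    return best_q

def applications_advertised(prefs):
    """The disclosure noted above: application/* document types in Accept
    reveal which desktop programs the visitor has installed."""
    return [rng for rng, _ in prefs
            if rng.startswith("application/") and rng != "application/*"]
```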

With three exceptions, the headers noted by * do not constitute client or server request or response headers. The information contained in them relates specifically to the CGI script of the ENVIRONMENTAL TEST page and the server on which it runs. These headers are of no importance as they do not relate to information passed between client and server.

The three exceptions ("REQUEST_METHOD:", "HTTP_ACCEPT_ENCODING:", "HTTP_HOST:") do contain information that is passed between client and server; however, that information is of little importance with regard to protecting the client user's privacy.

Each header, beginning with the SERVER_PROTOCOL and the three exceptions, is discussed below.

SERVER_PROTOCOL: HTTP/1.0 Although this variable identifies the name (HTTP) and revision (1.0) of the Web protocol in use by the ENV test page server it is brought to your attention for the reason that it ONLY applies to the ENV test page and does not identify the HTTP revision employed on the tested proxy server. Note that because of the backwards compatibility of HTTP a proxy server utilizing HTTP/1.1 will revert to HTTP/1.0 when communicating with a client or origin server utilizing HTTP/1.0. Thus even if the client (browser) is utilizing HTTP/1.0, if the proxy is capable it will communicate upstream (carrying the client request) in HTTP/1.1 and revert to HTTP/1.0 (and alter what is necessary) when conveying to the client (responding with the contents of the request).
REQUEST_METHOD: GET The first word in an HTTP request is the method. This variable identifies the method, which indicates the action of the request. GET is used to retrieve a resource. HEAD retrieves metadata only. POST is used for form submission. Methods supported only by revision 1.1 are PUT (to upload files), DELETE (to delete a resource), TRACE (to trace a proxy chain) and OPTIONS (to query server options). GET is the most commonly used method and retrieves a single resource; multiple GET requests are used to retrieve the inline content (gif, jpeg, etc.) constituting a web page.
HTTP_HOST: alindsay.www.media.mit.edu This request header variable identifies the Host of the requested URL. It will only be passed when HTTP version 1.0 is used. Under HTTP/1.1 the full URL is passed following GET in the method line for requests made via a proxy server and for requests made directly to the origin server. However under HTTP/1.0 the full URL was only passed when requests were made through a proxy server. The host portion, thought unnecessary, was not passed when requests were made directly to the origin server. Due to multiple alias hosts now being housed on the same real host the HOST header was created to pass the necessary host portion of the URL. Again the HOST header should not be present when using a proxy server under either version (HTTP/1.0 & HTTP/1.1) or when making requests directly under HTTP/1.1. It will be present when direct requests are made using HTTP/1.0.
HTTP_ACCEPT_ENCODING: gzip, deflate This request header variable specifies the acceptable encodings that the server may use. Note that if actual encoding is used it is returned in the CONTENT-ENCODING: response header.
SERVER_SOFTWARE: Apache/1.2b4 This ENV test page variable permits disclosure of the type of Web server software running the ENV test page CGI program. In this example Apache/1.2b4.
GATEWAY_INTERFACE: CGI/1.1 This ENV test page variable permits disclosure of the version of the CGI specification with which the ENV test page server complies.
DOCUMENT_ROOT: /mi/http This ENV test page variable permits disclosure of the directory housing the ENV test page.
QUERY_STRING: This ENV test page variable permits disclosure of the search part of the ENV test page URL. This string holds everything following the first question mark (ex. in this URL "http://hoohoo.uiuc.ncsa.edu/cgi-bin/finger.pl?smith@idgbooks.com", "smith@idgbooks.com" is the QUERY_STRING).
PATH: /sbin:/usr/sbin:/usr/bin This ENV test page variable permits disclosure of the value of the path in the ENV test page URL. This is the part of the URL following the name of the CGI program or script, but preceding the question mark (which begins the QUERY STRING).
REMOTE_PORT: 26633 This ENV test page variable permits disclosure of the port in use with specific regard to the ENV test page. It is often variable.
SCRIPT_NAME: /atl-bin/env.cgi This ENV test page variable permits disclosure of the name of the CGI program or script specified in the ENV test page URL. This is represented by the portion of the URL that follows the host, port and file including the name of the executable CGI program.
SCRIPT_FILENAME: /ti/u/alindsay/public_html/atl-bin/env.cgi This ENV test page variable permits disclosure of both the SCRIPT NAME and the FILE PATH in which the script specified in the ENV test page URL is located.
SERVER_NAME: sound.media.mit.edu This ENV test page variable permits disclosure of the host name of the server machine that is calling the CGI program or script.
SERVER_PORT: 80 This ENV test page variable permits disclosure of the port of the server machine that is calling the CGI program or script.
SERVER_ADMIN: bvg-admin@media.mit.edu This ENV test page variable permits disclosure of the email address of the administrator of the server which houses the ENV test page program or script.