Tuesday, March 22, 2011

You cannot trust HTTP.

Our current project uses HTTP to communicate with the game server. Part of our code requires some custom metadata to be sent with the HTTP headers down to the client.

Did you know you cannot rely on custom headers being delivered to your HTTP client? I didn't. It turns out some firewalls will only allow a whitelisted set of headers through to their clients, which I imagine will break many different web applications. To get around this, we've had to munge the metadata into the HTTP body, and pass things around with query strings, turning something that was looking rather elegant, into a total abuse of HTTP.

Sad face.

1 comment:

kdsfjaskldf said...

This is the case even when your header is X- prefixed. I've run into a number of routers that stripped headers but I've never seen one configured to drop X-* by default.

Popular Posts