Some people collect coins, DVDs or comic books. Others collect cars or Star Wars toys. Among other things, I like to collect HTTP headers. They take up a lot less space than cars, and can have a much higher return value than Mark McGwire's rookie card--as long as you find something interesting.
From time to time I like to look through my collection for rare gems... like these, which caught my eye this week:
- x-real-server
- real-hostname
These are the two most popular of a few slight variations. The header name itself is generally useless (more on that some other day)--it is, of course, the value that matters. Unfortunately, the vast majority of these are boring as heck--the server's name with (or without) the www. In a few cases, however, they reveal something interesting--something other than the server's name.
At least one of them in my collection is likely the host's internal or "real" hostname (a cartoon character). Another is a completely different host/domain combination (perhaps the hosting company's machine name which the virtual host is running on?). And yet another reveals that it's actually "cgi01"--maybe a good indication there's a "cgi02" and that they'd be good places to look for... lots of CGI programs.
Earth shattering? No. Interesting, and with the potential to reveal a bit about your servers? Yes.
As always when building your web infrastructure, stop every bit of useless information that heads outbound--no matter how innocuous it may seem. You never know what an attacker may be able to leverage for attacks or social engineering, and you never know what the future holds for new attacks or exploits.
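As an added example (not code from the original post), here is a small audit routine that does what the post describes by hand: it pulls the hostname-revealing headers out of a raw HTTP response, compares each value to the public name that was requested, and sorts the result into the "boring" case (the public name with or without www) and the interesting ones (a different name under the same domain, a numbered host like cgi01, or an entirely different host/domain). The header list contains the two names from the post plus one variant that is assumed, the sample responses are constructed, and the final helper shows the outbound side: dropping those headers before a response leaves.

```python
"""Flag HTTP response headers that disclose a server's "real" hostname.

Added example, not part of the original post. Header names beyond the two
named in the post, and all sample responses, are constructed for illustration.
"""
import re

# Names seen in the wild per the post, plus one assumed variant.
HOSTNAME_HEADERS = {"x-real-server", "real-hostname", "x-real-hostname"}

# A leading label like "cgi01" or "web7": a number at the end suggests siblings.
NUMBERED_LABEL = re.compile(r"^[a-z][a-z-]*\d+$")


def parse_headers(raw_response: str) -> dict:
    """Return the headers of a raw HTTP response as a lowercase-keyed dict."""
    headers = {}
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def normalize_host(host: str) -> str:
    """Lowercase, drop any port and trailing dot, and strip a leading 'www.'."""
    host = host.strip().lower().rstrip(".").split(":")[0]
    return host[4:] if host.startswith("www.") else host


def classify(requested_host: str, value: str) -> str:
    """Classify a hostname header value relative to the public name requested."""
    public = normalize_host(requested_host)
    value = normalize_host(value)
    if value == public:
        return "boring"  # just the server's name, with or without www
    if "." in value and not value.endswith("." + public):
        return "other-domain"  # e.g. the hosting company's machine name
    if NUMBERED_LABEL.match(value.split(".")[0]):
        return "numbered-host"  # cgi01 hints that cgi02 exists too
    return "internal-name"  # some other internal name under our domain


def audit(requested_host: str, raw_response: str) -> list:
    """Return (header, value, classification) for each hostname-revealing header."""
    headers = parse_headers(raw_response)
    return [
        (name, headers[name], classify(requested_host, headers[name]))
        for name in sorted(headers)
        if name in HOSTNAME_HEADERS
    ]


def strip_hostname_headers(raw_response: str) -> dict:
    """Outbound side: the response headers with the revealing ones removed."""
    headers = parse_headers(raw_response)
    return {k: v for k, v in headers.items() if k not in HOSTNAME_HEADERS}


# Constructed sample responses for www.example.com.
SAMPLES = [
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Real-Server: example.com\r\n\r\n",
    "HTTP/1.1 200 OK\r\nReal-Hostname: bugs.example.com\r\n\r\n",
    "HTTP/1.1 200 OK\r\nX-Real-Server: cgi01\r\n\r\n",
    "HTTP/1.1 200 OK\r\nReal-Hostname: web7.hostingco.example.net\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        for name, value, kind in audit("www.example.com", raw):
            print(f"{name}: {value!r} -> {kind}")
```

Run against real responses, the only change needed is feeding `audit()` the raw header block your client captured; anything other than "boring" is worth a look at the server configuration that emits it.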
And just for a bit of a product plug, WebInspect will now check for these variations.
For some fun headers, see Andrew Wooster's post from nearly 4 years ago.
Posted 05-29-2009 2:58 PM by Chris Sullo