Page MenuHomePhabricator
Create Task
Maniphest T70982

Remove X-Hacker HTTP header served on sites hosted by WordPress VIP (Automattic)
Closed, ResolvedPublic
Actions

Description

curl -vs blog.wikimedia.org 2>&1 >/dev/null | fgrep X-hacker

X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

We should recruit for WMF instead of automattic. :-D

This currently is served on:

  • blog.wikimedia.org diff.wikimedia.org
  • soundlogo.wikimedia.org
  • wikimediafoundation.org
  • wikimediaendowment.org
  • techblog.wikimedia.org

See also https://wpvip.com/documentation/x-hacker-and-x-powered-by-http-headers/

Add this to the them functions.php to remove:

/**
 * Filter X-hacker output.
 */
add_filter( 'wp_headers', function( $headers ) {
    if ( isset( $headers['X-hacker'] ) ) {
        unset( $headers['X-hacker'] );
    }
    return $headers;
}, 999 );

Details

Reference
bz68982

Related Objects

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:26 AM
bzimport added a project: Diff-blog.
bzimport set Reference to bz68982.
bzimport added a subscriber: Unknown Object (MLST).
jeremyb created this task.Aug 1 2014, 2:56 AM
jeremyb-phone added a project: WMF-Human-Resources.Jan 1 2015, 12:28 AM
jeremyb-phone set Security to None.
Ricordisamoa subscribed.Jan 1 2015, 12:29 AM
Krenair added a comment.Jan 1 2015, 12:31 AM

I can't help but wonder if they're allowed to use that header at all...

jayvdb awarded a token.Jan 1 2015, 1:55 AM
Florian subscribed.Jan 1 2015, 2:43 PM
scfc subscribed.Jan 1 2015, 3:20 PM
Theopolisme subscribed.Jan 1 2015, 6:02 PM
Nemo_bis awarded a token.Jan 2 2015, 9:59 PM
yuvipanda subscribed.Jan 3 2015, 8:41 AM

Everyone's allowed to use any header :)

Krenair added a comment.Jan 3 2015, 3:01 PM

Well, this is my personal opinion, but I would expect WMF to completely disallow such advertising on Wikimedia sites in the contract.

Nnemo subscribed.Mar 1 2015, 6:56 AM
Qgil edited projects, added WMF-Legal; removed WMF-Human-Resources.Aug 14 2015, 9:01 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 14 2015, 9:01 AM
jrbs subscribed.Sep 12 2015, 3:53 AM
Krinkle mentioned this in T132104: Consider moving policy.wikimedia.org away from WordPress.com .Apr 7 2016, 10:34 PM
ZhouZ added subscribers: MBrar.WMF, ZhouZ.Apr 14 2016, 12:55 AM
Restricted Application added a subscriber: JEumerus. · View Herald TranscriptApr 14 2016, 12:55 AM
ZhouZ moved this task from Backlog to Assigned on the WMF-Legal board.Apr 14 2016, 12:55 AM
EdErhart-WMF subscribed.Sep 27 2016, 7:02 PM

@Krenair @yuvipanda is this still an issue?

Krenair added a comment.Sep 27 2016, 7:05 PM

Yes:

alex@alex-laptop:~$ curl -vs https://blog.wikimedia.org 2>&1 >/dev/null | fgrep X-hacker
< X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:58 PM
revi subscribed.Aug 20 2017, 12:06 PM
Bawolff added a project: wikimediafoundation.org.Aug 31 2018, 1:37 PM
Bawolff added a subscriber: JBennett.

@JBennett just pointed out that this also applies to wikimediafoundation.org

Krenair renamed this task from Recruit for WMF instead of Automattic in X-Hacker value of blog.wikimedia.org to Recruit for WMF instead of Automattic in X-Hacker value of blog.wikimedia.org and wikimediafoundation.org.Aug 31 2018, 1:54 PM
chasemp updated the task description. (Show Details)Aug 31 2018, 2:39 PM
chasemp added a project: Security-Team.
chasemp renamed this task from Recruit for WMF instead of Automattic in X-Hacker value of blog.wikimedia.org and wikimediafoundation.org to Remove inappropriate X-Hacker HTTP header served on sites hosted by Automattic .Aug 31 2018, 3:26 PM
chasemp updated the task description. (Show Details)
chasemp subscribed.Aug 31 2018, 3:29 PM

Is this gone now? I can no longer reproduce atm.

Jgreen subscribed.Aug 31 2018, 4:05 PM
In T70982#4548927, @chasemp wrote:

Is this gone now? I can no longer reproduce atm.

I see it still on both blog and wikimediafoundation sites, but the header shows up lowercase in curl output:

jgreen@weasel:~> curl -vs https://wikimediafoundation.org 2>&1 |grep -i X-hacker
< x-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

chasemp added a comment.Aug 31 2018, 5:35 PM
In T70982#4549007, @Jgreen wrote:
In T70982#4548927, @chasemp wrote:

Is this gone now? I can no longer reproduce atm.

I see it still on both blog and wikimediafoundation sites, but the header shows up lowercase in curl output:

jgreen@weasel:~> curl -vs https://wikimediafoundation.org 2>&1 |grep -i X-hacker
< x-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.

Ah yes, thanks @Jgreen

Addshore awarded a token.Sep 4 2018, 9:51 AM
Addshore subscribed.
chasemp moved this task from Incoming to To Follow Up on the Security-Team board.Sep 4 2018, 3:27 PM
Varnent moved this task from Incoming to Maintenance on the wikimediafoundation.org board.Sep 5 2018, 9:54 PM
Krinkle subscribed.Sep 8 2018, 11:51 PM

Naturally, this applies to policy.wikimedia.org as well.

Krinkle updated the task description. (Show Details)Sep 8 2018, 11:52 PM
Krinkle removed a subscriber: wikibugs-l-list.
Varnent moved this task from Maintenance to Radar on the wikimediafoundation.org board.Sep 21 2018, 9:31 PM
Varnent subscribed.

This has been resolved on wikimediafoundation.org. It will be resolved on blog.wikimedia.org when we archive the site in the coming months.

Jcross moved this task from To Follow Up to Waiting on the Security-Team board.Sep 23 2019, 4:12 PM
sbassett subscribed.EditedSep 23 2019, 4:20 PM

@Varnent -

I know this task is probably low-priority, but is there any update on blog.wikimedia.org and/or policy.wikimedia.org? Both still have the x-hacker: If you're reading this... header. Additionally, blog.wikimedia.org has an amusing but possibly inappropriate x-nananana: Batcache header and policy.wikimedia.org has x-powered-by: WordPress.com VIP <https://wpvip.com> and x-pingback: https://policy.wikimedia.org/xmlrpc.php headers, which provide some information disclosure and probably shouldn't be sent if they do not have to be.

Varnent added a comment.Sep 24 2019, 8:08 PM
In T70982#5516652, @sbassett wrote:

@Varnent -

I know this task is probably low-priority, but is there any update on blog.wikimedia.org and/or policy.wikimedia.org? Both still have the x-hacker: If you're reading this... header. Additionally, blog.wikimedia.org has an amusing but possibly inappropriate x-nananana: Batcache header and policy.wikimedia.org has x-powered-by: WordPress.com VIP <https://wpvip.com> and x-pingback: https://policy.wikimedia.org/xmlrpc.php headers, which provide some information disclosure and probably shouldn't be sent if they do not have to be.

The policy site is managed by the Legal team - although I could probably help them with a patch if I can dig up what we did for the Foundation site. The blog site is intended to be archived and moved to the Foundation's servers. The task was something Technology was working on, but I think got delayed with the leadership transitions.

sbassett added a comment.Sep 25 2019, 2:40 PM

Thanks for the reply, @Varnent:

The policy site is managed by the Legal team - although I could probably help them with a patch if I can dig up what we did for the Foundation site.

Is there a technical contact on WMF-Legal for that site? Otherwise, we probably want to be proactive here and create and deploy the patch for them. Happy to help, though I obviously do not have access to the Automattic servers.

The blog site is intended to be archived and moved to the Foundation's servers. The task was something Technology was working on, but I think got delayed with the leadership transitions.

Ok. Is there an open task for it?

EdErhart-WMF added a comment.EditedSep 25 2019, 6:06 PM

The blog site is intended to be archived and moved to the Foundation's servers. The task was something Technology was working on, but I think got delayed with the leadership transitions.

Ok. Is there an open task for it?

Yup! It's T193912.

jrbs added a subscriber: Slaporte.Sep 25 2019, 6:10 PM
In T70982#5522799, @sbassett wrote:

Is there a technical contact on WMF-Legal for that site? Otherwise, we probably want to be proactive here and create and deploy the patch for them. Happy to help, though I obviously do not have access to the Automattic servers.

Best person to poke would probably be @Slaporte. He has a more involved role these days than when he was the "tech guy" for Legal :) so may be harder to reach him now.

Florian unsubscribed.Sep 26 2019, 7:06 PM
revi added a comment.May 9 2020, 8:49 PM

TechBlog has slightly modified version of this.

x-hacker: If you're reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.
RhinosF1 added a project: Technical Blog.May 9 2020, 8:55 PM
RhinosF1 subscribed.
Krinkle updated the task description. (Show Details)May 20 2020, 7:47 PM
Addshore added a comment.May 20 2020, 10:53 PM

Per the link that @Krinkle just added this seems super easy to remove.
Or to decide that we are not going to remove it?
Perhaps the team in control could make that decision and remove it or close this task? :)

CKoerner_WMF renamed this task from Remove inappropriate X-Hacker HTTP header served on sites hosted by Automattic to Remove X-Hacker HTTP header served on sites hosted by WordPress VIP (Automattic).May 27 2020, 7:52 PM
CKoerner_WMF updated the task description. (Show Details)
CKoerner_WMF updated the task description. (Show Details)
CKoerner_WMF subscribed.May 27 2020, 7:58 PM

I updated the task with the current status of blogs hosted by VIP. I've submitted a pull request for the techblog. (https://github.com/wikimedia/wpvip-wikimedia-techblog/pull/2).

Why the heck am I here? We're reusing the blog.wikimedia.org installation for the future of the community blog (previously Wikimedia Space) so I wanted to make sure I did this for our own development going forward. :)

Aklapper added a comment.May 29 2020, 10:48 AM
In T70982#6170566, @CKoerner_WMF wrote:

We're reusing the blog.wikimedia.org installation for the future of the community blog (previously Wikimedia Space)

@CKoerner_WMF: That raises some questions (e.g. what happens to its current content). Is there a related technical task about this which has more info?

CKoerner_WMF added a comment.May 29 2020, 3:30 PM
In T70982#6176378, @Aklapper wrote:

@CKoerner_WMF: That raises some questions (e.g. what happens to its current content). Is there a related technical task about this which has more info?

I'm starting to document more. A few tasks in WMF-Communications and https://meta.wikimedia.org/wiki/Diff_(blog)

The old blog.wikimeida.org content will remain.

CKoerner_WMF removed projects: wikimediafoundation.org, Diff-blog.Jul 28 2020, 5:29 PM

Updating project tags to reflect current state.

Krinkle updated the task description. (Show Details)Jul 28 2020, 6:30 PM
bd808 moved this task from Backlog to Code changes on the Technical Blog board.Aug 1 2020, 11:12 PM
bd808 updated the task description. (Show Details)Aug 4 2020, 11:02 PM
bd808 subscribed.
In T70982#6170566, @CKoerner_WMF wrote:

I updated the task with the current status of blogs hosted by VIP. I've submitted a pull request for the techblog. (https://github.com/wikimedia/wpvip-wikimedia-techblog/pull/2).

Why the heck am I here? We're reusing the blog.wikimedia.org installation for the future of the community blog (previously Wikimedia Space) so I wanted to make sure I did this for our own development going forward. :)

This has been merged as https://github.com/wpcomvip/wikimedia-techblog/pull/13/commits/4bc2d8e2c7838c464d7acaf7ea996acdd70750ee and deployed to the live blog.

bd808 moved this task from Code changes to Watching on the Technical Blog board.Aug 4 2020, 11:03 PM
sbassett moved this task from Waiting to Watching on the Security-Team board.May 17 2021, 4:11 PM

Just noting the x-hacker header still exists for policy.wikimedia.org.

BCornwall closed this task as Resolved.Mar 2 2023, 7:55 PM
BCornwall claimed this task.
BCornwall subscribed.

Looks like policy.wikimedia.org now redirects to https://wikimediafoundation.org/advocacy/, of which the domain already excludes that header. The newer soundlogo.wikimedia.org site also lacks the header, so it looks like this can be closed.

BCornwall updated the task description. (Show Details)Mar 2 2023, 7:55 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Mar 2 2023, 8:00 PM
sbassett added a project: SecTeam-Processed.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits