Extract or generate X-Client-TraceId for header in GET-request

I would like to retrieve some historical stock prices via a REST API from the following site:

https://www.boerse-frankfurt.de/zertifikat/de0007873291-open-end-zertifikat-auf-dow-jones-industrial-average

The response is a JSON.

Basically, the query can be done as follows: An OPTIONS call is sent without parameters and then a GET request with header parameters.

Both calls are sent to the following address:

https://api.boerse-frankfurt.de/v1/data/quote_history_derivatives?isin=DE0007873291&mic=XSC&from=2021-11-12T07%3A00%3A00.000Z&to=2021-11-12T21%3A00%3A00.000Z&offset=0&limit=25

The following two parameters are included in the header:

  • Client-Date: 2021-11-16T23:02:29.529Z
  • X-Client-TraceId: d2d6911d81ebbbff7a7549555a2c26d6

And now my question: how do you get the X-Client-TraceId? It looks like a UUID, but it doesn't seem to be one. The value changes with every page view in the browser. But you can't just enter any value.

Many greetings,

Trebor



Solution 1:[1]

Since this question was asked, someone has written a blog post about this exact topic. The algorithm detailed there still seems to be in use (as of 2022-03-12).

An excerpt of the relevant parts:

Client-Date

This is the current time, converted to a string with JavaScript’s toISOString() function.

[...]

X-Client-TraceId

[...]

  • salt is a fixed string, in this case w4icATTGtnjAZMbkL3kJwxMfEAKDa3MN. Apparently it appears in the source code as-is so it must be constant.
  • X-Client-TraceId is the md5 of time + url + salt.

Note: time is the string sent in the Client-Date header.


The blog post has some additional information around the process of reverse engineering this algorithm and the X-Security header.
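The scheme quoted above, seen from the server side, as an added example that is not part of the original answer or the blog post: it builds the two headers and then checks them, which shows what an unkeyed md5(time + url + salt) can and cannot establish. Because the salt ships inside the client code, a match only ties the date and URL together; it does not identify the sender. The salt, the URL and the five-minute freshness window are constructed assumptions, and url is assumed to be the full request URL string.

```javascript
const crypto = require("crypto");

// Constructed values for illustration; not the site's real salt or endpoint.
const SALT = "constructed-salt-not-a-real-value";
const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window, not from the page

// X-Client-TraceId = md5(time + url + salt), hex-encoded (32 lowercase hex chars).
function traceId(clientDate, url, salt = SALT) {
  return crypto.createHash("md5").update(clientDate + url + salt, "utf8").digest("hex");
}

// Headers as the browser code builds them: Client-Date is Date#toISOString().
function buildHeaders(url, now = new Date()) {
  const clientDate = now.toISOString();
  return { "Client-Date": clientDate, "X-Client-TraceId": traceId(clientDate, url) };
}

// Server-side check. Returns "ok", "malformed", "stale" or "mismatch".
function verify(url, headers, now = new Date()) {
  const clientDate = headers["Client-Date"];
  const claimed = headers["X-Client-TraceId"];
  if (typeof clientDate !== "string" || typeof claimed !== "string" ||
      !/^[0-9a-f]{32}$/.test(claimed)) {
    return "malformed";
  }
  // Without a freshness window, a captured header pair would stay valid forever.
  const sent = Date.parse(clientDate);
  if (Number.isNaN(sent) || Math.abs(now.getTime() - sent) > MAX_SKEW_MS) {
    return "stale";
  }
  // Both buffers are 16 bytes here, so timingSafeEqual cannot throw on length.
  const expected = Buffer.from(traceId(clientDate, url), "hex");
  const matches = crypto.timingSafeEqual(expected, Buffer.from(claimed, "hex"));
  return matches ? "ok" : "mismatch";
}
```

A "mismatch" result means the URL or date was altered after the digest was computed; an "ok" result says nothing about who sent the request, since every client holds the same salt.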

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Elias Holzmann