Which request headers can be used for a browser/client fingerprint?

For added security our server keeps track of the browser fingerprint. At the moment we use the following headers:

  • 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR' (take the first non-empty as the client-IP)
  • HTTP_ACCEPTxxxx
  • HTTP_USER_AGENT

Are there any more (optional) headers that can be used?

What in general is the best 'algorithm' to calculate the client fingerprint?
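As an added illustration (not part of the question or of any answer on the page), here is one way to compute such a fingerprint in Python from a CGI/WSGI-style `environ` dict using the headers listed in the question. It departs from "take the first non-empty" in one respect: the forwarded-for style headers are set by whoever sends the request, so they are honoured only when `REMOTE_ADDR` is one of a configurable set of trusted proxies; the HMAC key and the sample request are assumptions constructed for the example.

```python
import hashlib
import hmac
from ipaddress import ip_address

# Forwarded-for style headers from the question, in its order of preference (CGI/WSGI names).
FORWARDED_HEADERS = (
    "HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED",
    "HTTP_X_CLUSTER_CLIENT_IP", "HTTP_FORWARDED_FOR", "HTTP_FORWARDED",
)

def client_ip(environ, trusted_proxies=frozenset()):
    """Return the client IP. Any request can carry X-Forwarded-For and friends,
    so they are trusted only when the TCP peer (REMOTE_ADDR) is a known proxy."""
    peer = environ.get("REMOTE_ADDR", "")
    if peer not in trusted_proxies:
        return peer
    for name in FORWARDED_HEADERS:
        value = environ.get(name, "")
        if not value:
            continue
        # X-Forwarded-For is "client, proxy1, proxy2": the first hop is the client.
        # RFC 7239 "Forwarded: for=..." is not parsed here and simply fails validation.
        candidate = value.split(",")[0].strip()
        try:
            return str(ip_address(candidate))  # normalise and reject non-addresses
        except ValueError:
            continue
    return peer

def fingerprint(environ, secret, trusted_proxies=frozenset()):
    """HMAC-SHA256 over the client IP, User-Agent and every HTTP_ACCEPT* header.
    Headers are sorted so the digest does not depend on dict ordering; the
    server-side key stops a client from precomputing fingerprints itself."""
    parts = [client_ip(environ, trusted_proxies), environ.get("HTTP_USER_AGENT", "")]
    for name in sorted(k for k in environ if k.startswith("HTTP_ACCEPT")):
        parts.append(f"{name}={environ[name].strip()}")
    material = "\n".join(parts).encode("utf-8")
    return hmac.new(secret, material, hashlib.sha256).hexdigest()

# Constructed sample: direct connection from a client that also sends a forged X-Forwarded-For.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_X_FORWARDED_FOR": "10.0.0.1",
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed sample)",
    "HTTP_ACCEPT": "text/html",
    "HTTP_ACCEPT_LANGUAGE": "en-US,en;q=0.9",
    "HTTP_ACCEPT_ENCODING": "gzip, deflate",
}
```

With no trusted proxy configured the forged header is ignored, so changing it does not change the fingerprint; listing `203.0.113.7` as a trusted proxy makes the forwarded address take effect.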



Solution 1:[1]

To answer the question of which name to use for the header:

On my side I used X-Fingerprint, but I didn't find any standard way. You can make it more "obscure" so people don't guess that it's a field to tamper with.

In the end, from what I saw, headers like X-... are supposed to be free to use (less chance of conflict), but in recent years more and more tools use them, and this kind of naming appears to be becoming a "standard" or a "convention" (like x-request-id, for example).

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Thomas Ramé