Hello and welcome to the Tuesday, March 25th, 2025 edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, after yesterday's issue with Next.js and the interesting headers around that. I decided today to look a little bit

closer at some of the headers being sent by bots against our honeypots and notice the use

of a couple particular little bit odd headers. The first one, SEC dash GPC, this is a header that's specifically assigned to

indicate your privacy preferences. This is, I see it as a replacement for the do not track header,

which of course we all know kind of spectacularly failed. This new header is a little bit more

aligned with GDPR and other regulations like this.

So apparently they hope that in doing so, there will be more acceptance of that header.

At this point, only Firefox actually adds it. There are a couple other headers as

saw all of them start with the SEC Dash prefix,

which just indicates that, hey, this is not great by JavaScript.

That's really all that means there's nothing so particular secure kind of other than that fact about these headers.

Makes it a little bit easier for browser developments to decide what they should allow JavaScript to set and what, well, JavaScript must not set.

The reason that bots at these headers is typically in trying to impersonate real browsers better.

Now, the SECGPC header is a little bit odd here

because, well, it is only by Firefox.

And they're using user agents that are not Firefox.

So in some ways, they're actually giving away

that this is not a normal browser.

And of course, for the attacks,

they're trying to attempt here. Well,

...