I know http headers order is not significant (or at least, should not be) for the web servers to handle requests. However, I’m wondering how it is likely for servers (especially reverse-proxies or CDN) to check the headers position to legitimate a request.
Let me explain. When I do a simple http request with firefox, these are my headers:
GET / HTTP/1.1
Host: stackoverflow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: yummy=yes_they_are
Connection: keep-alive
Cache-Control: max-age=0
With Chrome:
GET / HTTP/1.1
Host: stackoverflow.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Cookie: yummy=yes_they_are
Not exactly the same, right? Then, if I change the user agent to Firefox:
GET / HTTP/1.1
Host: stackoverflow.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Cookie: yummy=yes_they_are
Because the headers positions don’t match with Firefox “headers position habits”, servers can know something fishy is going on (the user might use a Chrome extension to spoof its user-agent).
Do some http servers actually check that sort of thing? At least, is it likely they do (cloudfront and whatnot)? Or is it something I should totally not bother of? And if I should, where could I find exhaustives headers order list for the main browsers?
In general, order does not (and should not) matter.
But based on this answer, there are exceptions. So, to anwser the question: yes, servers (like incapsula) can use http header order to catch a browser signature.