Bug Bounty Hunting — Complete Guide (Part-92)

The Device-Memory HTTP request header helps websites understand the approximate amount of RAM a user’s device has. It’s part of a set of features called “Client Hints,” which allow browsers to share information about the user’s device and preferences with the server. This information can be used to optimize the website’s performance and user experience.

Because this header could potentially be used for fingerprinting, the values are intentionally broad: 0.25GB, 0.5GB, 1GB, 2GB, 4GB, or 8GB. A server can’t just start receiving this header. It must first explicitly request it by sending the Accept-CH response header with Device-Memory included. This tells the browser that the server is interested in this information.

After the server has opted in, the browser may then send the Device-Memory header in subsequent requests. For example, it might send Device-Memory: 1 to indicate the device has approximately 1GB of RAM.

Since the server’s response might vary based on the Device-Memory header, it should also include Device-Memory in the Vary header. This is important for caching so that different versions of the page can be stored and served appropriately based on the device memory.

While some browsers support this header, others do not. You can check a browser compatibility chart to see which browsers currently support the Device-Memory header. It’s important to note that Client Hints, including Device-Memory, are only available on secure websites (HTTPS).

The DNT (Do Not Track) HTTP request header was intended to let users express their preference regarding online tracking. A DNT: 1 signal meant the user preferred not to be tracked, while DNT: 0 indicated they were okay with it, and DNT: null meant no preference was stated. This preference could also be accessed via JavaScript using navigator.doNotTrack.

However, the DNT specification has been discontinued and is now considered deprecated. While some browsers might still support it, it’s not recommended for use in new websites and might stop working at any time. It was never standardized and had inconsistent implementation across browsers.

The functionality of DNT has been superseded by the Global Privacy Control (GPC), which uses the Sec-GPC header and is accessible through navigator.globalPrivacyControl. GPC is the current recommended approach for signaling user tracking preferences.

Therefore, developers should avoid using the DNT header and instead implement GPC for respecting user privacy choices. Information on enabling GPC can be found in browser documentation (e.g., Firefox).