WEBVERSE

easy | Basics | Free

Header Hunt

Arc Logistics ships a shiny new tracking portal. Marketing loves it. A developer didn't quite clean up after themselves before launch.

The Scenario

Arc Logistics — a mid-sized regional freight carrier — just launched their public shipment tracking site. The build team rushed to hit the Q2 deadline and merged a debugging branch the night before launch. Nobody asked what got left behind.

Challenge Intel

Synopsis

An introductory challenge that teaches you to read what the server actually sends, not just what the browser renders.

What It Is

Arc Logistics' tracking site looks ordinary in the browser, but every HTTP response carries an internal debug header (`X-Internal-Order-Ref`) that a developer left enabled in production. The flag is in that header. The lesson is that browsers hide most of the conversation between client and server — the body is only part of the story.
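Seen from the defending side, a leftover header like this is something a release check can catch before launch. The following is an added example, not part of the challenge or of any Arc Logistics code: it audits a captured `curl -sI` response against an assumed allowlist and assumed internal-name patterns, using a constructed sample response with a placeholder header value.

```python
import re
from email.parser import Parser  # HTTP header fields share the RFC 5322 syntax

# Constructed sample of `curl -sI` output; the header value is a placeholder.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Internal-Order-Ref: <placeholder-value>\r\n"
    "X-Debug-Trace: enabled\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
)

# Assumed policy: header names that mark internal or debugging output.
INTERNAL_PATTERNS = [re.compile(p, re.I)
                     for p in (r"^x-internal-", r"^x-debug", r"-debug$")]

# Assumed allowlist of headers the production site is expected to send.
ALLOWED = {"server", "content-type", "content-length", "cache-control", "date",
           "strict-transport-security", "content-security-policy"}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Drop the status line and return (name, value) pairs in wire order."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    _, _, fields = head.partition("\n")  # everything after the status line
    return Parser().parsestr(fields, headersonly=True).items()


def audit(raw: str) -> dict[str, list[str]]:
    """Classify response headers as internal-looking or merely unexpected."""
    findings = {"internal": [], "unexpected": []}
    for name, _ in parse_headers(raw):
        if any(p.search(name) for p in INTERNAL_PATTERNS):
            findings["internal"].append(name)
        elif name.lower() not in ALLOWED:
            findings["unexpected"].append(name)
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_RESPONSE)
    for kind, names in result.items():
        for header in names:
            print(f"{kind}: {header}")
    # Non-zero exit fails the pipeline when an internal header is present.
    raise SystemExit(1 if result["internal"] else 0)
```

In a pipeline the same `audit` function would be fed the saved output of `curl -sI` against a staging host instead of the constructed sample.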

Who It's For

Brand-new web hackers — anyone who has never opened a Network tab or run `curl -I` against a website.

Skills You'll Practice

  • Reading HTTP response headers in browser dev tools
  • Using `curl -I` / `curl -v` to inspect server-side output
  • Recognising that pages and HTTP responses are not the same thing
  • Treating every response as evidence

What You'll Gain

  • First real proof that the browser hides things from you
  • A reflex to check headers before tearing apart bodies
  • Vocabulary for talking about HTTP responses
  • Confidence that your tools see more than the page does
