Letterhead
A small print-on-demand stationery shop. Their pages load fine; the headers, less so.
The Scenario
Letterhead is a print shop in Bristol that ships custom letterheads, business cards, and folded note-cards. The new platform engineer added some "performance hints" to the response headers. One of them isn't a hint so much as a door.
Challenge Intel
Synopsis
Every response carries a Link: rel=preload header pointing at an unauthenticated /__metrics/v2 endpoint that returns the flag in its JSON body.
What It Is
The Sinatra app sets a `Link: </__metrics/v2>; rel=preload; as=fetch` header on every response, intended as a performance hint. The /__metrics/v2 endpoint requires no authentication and returns a JSON object that includes a `flag` field holding the value of the FLAG environment variable. The recon vector is reading response headers (`curl -I`, Burp Repeater, or the dev-tools Network panel); because browsers honour Link preload hints, the hidden endpoint can also surface on its own as an extra request in the Network panel.
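The recon step above, written out as a small Ruby helper. This is an added example, not code from the Letterhead challenge or its Sinatra app: it parses Link headers (RFC 8288 syntax), keeps preload/prefetch-style targets on the same origin, and fetches each one without credentials to see what an anonymous client gets. The hostname, the second preload entry, and the JSON bodies are constructed for the demo.

```ruby
# Added example, not code from the Letterhead challenge: a recon helper that
# parses Link headers, resolves preload/prefetch targets on the same origin
# and probes them with no cookies or auth header.
# Hostname, paths and sample responses below are constructed for the demo.
require "uri"
require "json"
require "net/http"

LINK_RE  = /<([^>]*)>((?:\s*;\s*[^;,]+)*)/
PARAM_RE = /;\s*([A-Za-z0-9*_-]+)(?:=("[^"]*"|[^;,\s]+))?/

# "</a>; rel=preload; as=fetch, </b.css>; rel=\"preload\"; as=style"
#   => [{ target: "/a", params: {"rel"=>"preload","as"=>"fetch"} }, ...]
# Quoted parameter values containing commas are not handled (rare in practice).
def parse_link_header(value)
  value.to_s.scan(LINK_RE).map do |target, raw_params|
    params = raw_params.scan(PARAM_RE).to_h do |k, v|
      [k.downcase, v ? v.delete_prefix('"').delete_suffix('"') : ""]
    end
    { target: target, params: params }
  end
end

# rel values that tell the browser to fetch something early; for recon each
# one is a URL the app expects to be reachable by an anonymous client.
RECON_RELS = %w[preload prefetch prerender modulepreload].freeze

# headers: Hash with lowercase keys and String or Array values (the shape
# Net::HTTP and Rack both produce). Returns absolute same-origin URLs.
def hinted_endpoints(headers, base_url)
  base  = URI(base_url)
  links = Array(headers["link"]).flat_map { |v| parse_link_header(v) }
  links.select { |l| (l[:params]["rel"].to_s.split & RECON_RELS).any? }
       .map    { |l| URI.join(base_url, l[:target]) }
       .select { |u| u.host == base.host }
       .map(&:to_s).uniq
end

# Real transport: a plain GET with no cookies or Authorization header, so the
# answer is exactly what an unauthenticated client sees. [status, headers, body]
def http_get(url)
  res = Net::HTTP.get_response(URI(url))
  [res.code.to_i, res.each_header.to_h, res.body]
end

# Fetch the base page, follow every hinted endpoint, and report the status,
# the parsed JSON (when the response claims to be JSON) and any "flag" field.
def probe_hints(base_url, fetch: method(:http_get))
  _status, headers, _body = fetch.call(base_url)
  hinted_endpoints(headers, base_url).map do |url|
    status, hdrs, body = fetch.call(url)
    json = nil
    if hdrs["content-type"].to_s.include?("json")
      json = JSON.parse(body) rescue nil
    end
    { url: url, status: status, json: json,
      flag: json.is_a?(Hash) ? json["flag"] : nil }
  end
end

# Constructed responses standing in for the live app (hostname, font preload
# and flag value are invented). Same [status, headers, body] shape as http_get.
FAKE_RESPONSES = {
  "https://letterhead.example/" => [200,
    { "link" => '</__metrics/v2>; rel=preload; as=fetch, </fonts/a.woff2>; rel="preload"; as=font' },
    "<html>...</html>"],
  "https://letterhead.example/__metrics/v2" => [200,
    { "content-type" => "application/json" },
    '{"uptime_s": 4242, "flag": "FLAG{constructed-example}"}'],
  "https://letterhead.example/fonts/a.woff2" => [200,
    { "content-type" => "font/woff2" }, "wOF2"],
}.freeze

FAKE_FETCH = ->(url) { FAKE_RESPONSES.fetch(url) { [404, {}, ""] } }

# Run the probe against the constructed responses instead of the network.
def demo
  probe_hints("https://letterhead.example/", fetch: FAKE_FETCH)
end

if __FILE__ == $0
  demo.each { |r| puts "#{r[:status]} #{r[:url]} flag=#{r[:flag].inspect}" }
end
```

Against a live target, call `probe_hints("https://host/")` with the default `http_get`; the `fetch:` parameter only exists so the logic can be exercised offline. Cross-origin preload targets (a CDN, say) are dropped on purpose, since the point is finding endpoints on the app itself.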
Who It's For
Players who routinely scroll through response bodies but haven't yet built the habit of reading every response header, including the ones that look performance-related.
Skills You'll Practice
- Reading response headers for hidden endpoints and stack fingerprints (Link, X-Powered-By, Server, etc.)
- Following preload / prefetch hints during recon
What You'll Gain
- An instinct to `curl -I` every distinct response during recon (and, since some apps answer HEAD differently from GET, to confirm with `curl -sD - -o /dev/null`)
- Awareness that 'meta' endpoints (/metrics, /health, /__internal) often skip auth
Ready to hack Letterhead?
Upgrade to Pro to unlock this challenge and the full library.