
Defenses: Harmonizer Attacks

Live demos of how the OP server defends against harmonizer-based misrepresentation attacks.

v0.6


These demos fire real requests against https://octothorp.es/ and show the server’s defenses in action. Each attack attempts to misuse the harmonizer system; each defense rejects the attempt.

Remote harmonizer, no origin header

What it tries to do: Trick the server into using an attacker-supplied remote harmonizer by omitting the Origin and Referer headers that would trigger the domain allowlist check.

Trigger (curl — browsers always send Origin/Referer):

curl 'https://octothorp.es/index?uri=https://www.ideastore.dev/plain-page.html&as=https://www.ideastore.dev/evil-harmonizer.json'

Expected defense: Remote harmonizers require a confirmed origin header.

Test by running the curl command above. A clickable button would lie — a browser’s fetch always attaches Origin on cross-origin requests.

Remote harmonizer from non-whitelisted domain

What it tries to do: Use a harmonizer hosted on an attacker-controlled domain (not octothorp.es, not localhost, not same-origin with the requesting page).

Trigger:

fetch('https://octothorp.es/index?uri=https://www.ideastore.dev/plain-page.html&as=https://www.ideastore.dev/evil-harmonizer.json')

Expected defense: Harmonizer not allowed for this origin.

Remote harmonizer attempting indexPolicy override

What it tries to do: Supply a harmonizer schema that extracts indexPolicy from <body> textContent, trying to make a non-participating page appear opted in.

Trigger:

fetch('https://octothorp.es/index?uri=https://www.ideastore.dev/plain-page.html&as=https://www.ideastore.dev/indexpolicy-override-harmonizer.json')

Expected defense: Page has not opted in to indexing.

The server runs the opt-in check with the default harmonizer when a remote URL is requested, so the attacker’s schema never influences that decision.

SSRF via harmonizer URL

What it tries to do: Point the harmonizer URL at a cloud-metadata endpoint or private IP, attempting to make the OP server fetch internal resources.

Trigger:

fetch('https://octothorp.es/?uri=https://www.ideastore.dev/plain-page.html&as=http://169.254.169.254/harmonizer.json')

Expected defense: The server refuses to fetch the metadata endpoint (blocked inside remoteHarmonizer()), so harmonization fails with Invalid harmonizer structure. That generic message is how SSRF rejection currently surfaces — the block reason is explained here rather than in the response body.