The Octothorpes Protocol defends against seven categories of misrepresentation attack. Each demo below fires a real request against https://octothorp.es/ and shows the server rejecting the attempt.

| # | Attack | Category | Expected defense |
|---|---|---|---|
| 1 | Remote harmonizer, no origin header | Harmonizer | Requires confirmed origin header |
| 2 | Non-whitelisted harmonizer domain | Harmonizer | Rejects non-whitelisted domains |
| 3 | indexPolicy override attempt | Harmonizer | Opt-in check uses default harmonizer |
| 4 | SSRF via harmonizer URL | Harmonizer | Blocks private IPs and metadata endpoints |
| 5 | Non-participating page | Opt-in | Requires on-page opt-in markup |
| 6 | Cross-origin indexing | Origin | Rejects different-origin requests |
| 7 | Rate limit exceeded | Rate limit | 10 requests per origin per minute |

Each linked page explains one or more attacks with plain-English descriptions, the exact request that triggers them, and a button that fires the attack so you can see the server’s response.