[256_]

As an example of this sort of thing, Let's Encrypt adds a randomly generated field to its ACME responses, to force clients to properly ignore unrecognised fields: https://acme-v02.api.letsencrypt.org/directory

The contents of this field link here: https://community.letsencrypt.org/t/adding-random-entries-to...

I think Let's Encrypt have the right idea. I honestly don't think that trying to tip-toe around poorly written code is generally the right thing to do; it seems more like the UK Government is prioritising short-term security (trying to block "bad data", whatever that even is) over long-term security (forcing people to write better code).

[noitpmeder]

Reminds me of when I used to write a CSV for some critical business function, and consumers refused to read by column name instead of by index, even after promising they had fixed their code.

Only took a day or two of randomly shuffling around column orders on every write for them to see sense!

[semanticc]

Ehh, I don't know about that. CSV header row is more of a metadata for humans to me.

[noitpmeder]

This is insane! If I remove a column, or add a new one, why should users care (that did not use said column)?

[theptip]

Great example. I do think it’s a grey area to knowingly cause some potentially untrustworthy site to be loaded as the OP did (even if it’s a white hat domain now, that might not always be true).

.gov should offer these detection services, and NSA should be providing an ambient baseline of pentesting.

Absent government action I think it’s a net-positive action though.