Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

I have found a non-documented parameter called headers which allows me to set custom headers on the given batch requests.

Unfortunately, it seems like the Host headers you can specify in these batch requests also behave the same way if you are not sending batch requests, but directly setting the Host header to these domains when sending requests to the server hosting this batching service.

It feels like these requests are not leaving the machine itself, and are just hitting different “virtual hosts” that are available on this IP. I wasn’t able to access infrastructure via this batch endpoint, it seems to be on a different infrastructure. Header spoofing via a hidden parameter in Facebook Batch GraphQL APIs