Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

Tor server de-anonymization via Etag

ETag is a server response header that allows browsers to make conditional requests and perform cache validation efficiently. On the other hand, it poses security risks in case it gets leaked by your code, and can result in cache poisoning attack on your website.

Make sure you disable Entity Tags on your webserver if you’re running Tor hidden services, else you could be de-anonymized.

Nginx (in nginx.conf):

http {
   etag off;

Apache (in .htaccess):

<IfModule mod_headers.c> 
    Header unset ETag 
FileETag None

Searching for specific Etags on Shodan/Censys will expose the real host in case of misconfigurations (if the webserver is configured to accept Clearnet connections in addition to Tor ones).