Extract or generate X-Client-TraceId for header in GET-request

Question

I would like to retrieve some historical stock prices via a REST API from the following site:

https://www.boerse-frankfurt.de/zertifikat/de0007873291-open-end-zertifikat-auf-dow-jones-industrial-average

The response is a JSON.

Basically, the query can be done as follows: An OPTIONS call is sent without parameters and then a GET request with header parameters.

Both calls are sent to the following address:

https://api.boerse-frankfurt.de/v1/data/quote_history_derivatives?isin=DE0007873291&mic=XSC&from=2021-11-12T07%3A00%3A00.000Z&to=2021-11-12T21%3A00%3A00.000Z&offset=0&limit=25

The following two parameters are included in the header:

• Client-Date: 2021-11-16T23:02:29.529Z
• X-Client-TraceId: d2d6911d81ebbbff7a7549555a2c26d6

And now my question: how do you get the X-Client-TraceId? It looks like a UUID, but it doesn't seem to be one. The value changes with every page view in the browser. But you can't just enter any value.

Many greetings,

Trebor

Answer 1

Making use of the blog post in the answer posted by @Elias Holzmann

please note

• the salt appears to have changed from w4icATTGtnjAZMbkL3kJwxMfEAKDa3MN to w4ivc1ATTGta6njAZzMbkL3kJwxMfEAKDa3MNr
• you can omit X-Security header and it still works

C# implementation

var baseUrl = "https://api.boerse-frankfurt.de";
var now = _dateTimeService.UtcNow;
var minDate = now.AddYears(-2).ToString("yyyy-MM-dd");
var maxDate = now.ToString("yyyy-MM-dd");
var path = $"/v1/data/price_history?limit=2000&offset=0&isin={isin}&mic=XFRA&minDate={minDate}&maxDate={maxDate}&cleanSplit=false&cleanPayout=false&cleanSubscriptionRights=false";
var url = baseUrl + path;

using (var client = new HttpClient())
{
    var contentType = "application/json";
    client.BaseAddress = new Uri(baseUrl);
    client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue(contentType));
    
    var request = new HttpRequestMessage(HttpMethod.Get, path);
    
    
    var clientDate = now.ToString("yyyy-MM-ddTHH:mm:ss.fffZ");//now is DateTime.UtcNow
    var salt = "w4ivc1ATTGta6njAZzMbkL3kJwxMfEAKDa3MNr";
    var input = clientDate + url + salt;
    var clientTraceId = "";
    using (System.Security.Cryptography.MD5 md5 = System.Security.Cryptography.MD5.Create())
    {
        byte[] hash = md5.ComputeHash(System.Text.Encoding.ASCII.GetBytes(input));

        clientTraceId = Convert.ToHexString(hash).ToLower();
    }

    request.Headers.Add("client-date", clientDate);
    request.Headers.Add("x-client-traceId", clientTraceId);

    var response = await client.SendAsync(request);
    var json = await response.Content.ReadAsStringAsync();
}

Answer 2

Since this question was asked, someone has written a blog post about this exact topic. The algorithm detailed there still seems to be in use (as of 2022-03-12).

An excerpt of the relevant parts:

Client-Date

This is the current time, converted to a string with Javascript’s toISOString() function.

[...]

X-Client-TraceId

[...]

• salt is a fixed string, in this case w4icATTGtnjAZMbkL3kJwxMfEAKDa3MN. Apparently it appears in the source code as-is so it must be constant.
• X-Client-TraceId is the md5 of time + url + salt.

Note: time is the string sent in the Client-Date header.

---

The blog post has some additional information around the process of reverse engineering this algorithm and the X-Security header.