
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
X-Cache
Age
Alternate-Protocol
Content-Language
Content-Location
X-UA-Compatible
Via
Keep-Alive
X-Frame-Options
CF-RAY
X-Varnish
X-Adblock-Key
X-Check
X-Cacheable
P3p
X-Language
X-Buckets
X-Template
X-Generator
X-Hacker
Access-Control-Allow-Origin
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-Pad
X-AspNetMvc-Version
X-Runtime
X-Geo-Port
X-Geo
MicrosoftOfficeWebServer
X-Request-Id
X-Powered-CMS
X-Server
X-Xss-Protection
X-Host
X-Cache-Lookup
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
Strict-Transport-Security
Ngpass-All
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-UA-Device
X-Rack-Cache
X-XRDS-Location
X-Ua-Compatible
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Content-Encoding
Host-Header
X-Cache-Hits
SPRequestGuid
X-SharePointHealthScore
X-Tumblr-Pixel-1
X-Robots-Tag
X-Via
X-Url
X-INKT-SITE
X-INKT-URI
X-Forwarded-For
X-Webserver
X-Tumblr-Pixel-2
X-CF-Powered-By
X-Iinfo
X-PhApp
X-Accel-Version
X-Varnish-Cache
X-Cnection
X-MS-InvokeApp
X-ServedBy
Composed-By
Served-By
X-Served-By
Access-Control-Allow-Headers
X-Page-Speed
X-Firenze-Processing-Times
X-Ac
X-Backend
X-Hostname
X-ContextId
X-CDN
X-ShardId
X-Alternate-Cache-Key
X-ShopId
Access-Control-Allow-Methods
X-XN-Trace-Token
X-XN-XNHTML
X-Tumblr-Pixel-3
X-AH-Environment
X-Powered-By-360WZB
X-PC-Key
X-PC-Hit
Content-Style-Type
Content-Script-Type
X-PC-AppVer
X-PC-Date
X-PC-Host
Liferay-Portal
X-Request-ID
X-Umbraco-Version
X-Server-Name
X-Cache-Info
Refresh
Cartoon
X-Spip-Cache
X-Mobilized-By
Powered-By-ChinaCache
X-HeyJason
X-Amz-Id-2
X-Cache-Server
SPRequestDuration
X-Age
SPIisLatency
Request-Id
X-Content-Digest
X-From
X-Port
X-Cache-Result
Rating
X-Amz-Request-Id
Cf-Railgun
TCN
X-FB-Debug
X-Px
X-Amz-Cf-Id
X-Outils-CS
X-W3TC-Minify
Real-Hostname
X-TN-ServedBy
X-PHP-Engine
X-Loop
Page-Completion-Status
Magicmarker
X-Cache-Status
Thanks
X-VCache
X-Generated-By
X-TNCMS-Memory-Usage
X-TNCMS-Render-Time
X-TNCMS-Served-By
X-TNCMS-Version
X-PersistenceNode
IBM-Web2-Location
X-Content-Encoded-By
X-Device
X-Original-Content-Length
Imagetoolbar
X-Cached-By
X-Tumblr-Pixel-4
NS-RTIMER-COMPOSITE
X-Tumblr-Content-Rating
X-Cached
X-Node
X-Safe-Firewall
X-Served-From-Cache
X-Matrix-Proxy
X-Matrix-Server
X-Pantheon-Styx-Hostname
X-Varnish-Cacheable
X-Pantheon-Endpoint
X-Powered-By-Anquanbao
Retry-After
PICS-Label
X-Xrds-Location
X-Timer
X-Firenze-Processing-Time
Product
X-CMS-Version
X-Cache-Enabled
Set-Cookie2
X-DynaTrace
X-Pass-Why
X-Tumblr-Pixel-5
Time
IISExport
X-Hyper-Cache
Generator
X-Varnish-TTL
X-Backend-Server
X-Art-Request-Id
DynaTrace
Powered-By
X-DynaTrace-JS-Agent
Content-Security-Policy
MIME-Version
X-SDS
CF-Cache-Status
X-PF-Uncompressing
X-App-Hosting
X-Cache-Hit
Access-Control-Max-Age
X-UD-Method
X-UD-Host
X-DDC-Arch-Trace
X-Processed-By
X-Trace-App
Access-Control-Request-Method
X-Cache-Debug
X-Rendering-Engine
Lsrequestid
X-Microcachable
X-Duration
ServedBy
S
X-SERVER
X-ATG-Version
X-Drectory-Script
X-I
Pics-Label
X-Nitra-Side
Node
X-Purge-Host
X-Director
X-Content-Options
X-ApacheServer
X-PERF
X-DNS-Prefetch-Control
X-Cookie-Domain
X-CDN-Geo
X-CDN-Any-IP
X-CDN-Geo-IP
X-NoCache
AMF-Ver
X-BackEnd
X-Stats-Unique-Token
X-Stats-Visit-Token
Charset
X-Expires-Orig
X-Orig-Vary
X-Purge-URL
COMMERCE-SERVER-SOFTWARE
X-Cache-Expires
X-Sol
Content-Encoding-Handler
RTSS
X-Vtex-Remote-Cache
X-Vtex-Cache-Key
Ngpass-Vcall
X-Srv
X-Hits
Accept-Encoding
Cache
X-Cache-Control-Orig
Fhost
X-Original-Request
X-Yadis-Location
X-Varnish-Backend
Proxy-Agent
X-ServerID
Host
Vacache
Filter-Revision
SEOMOZ
MJ12bot
X-Speed-Cache-Key
X-Speed-Cache
NODE
Content-Disposition
X-Server-ID
ServerName
X-Passed-To
X-Passed-To-DLL
X-Passed-To-BeforeDispatch
X-Vary-Options
X-Passed-To-PostProcessResponse
X-Returned-From
X-Returned-From-PostProcessResponse
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
X-GeoIP-Country-Code
X-Handled-By
X-FIRSTBase
Surrogate-Control
X-Actual-URL
X-VARNISH-Cache
X-PwB-Node
X-FW-Static
X-GeoIP-Country-Name
X-CJ-Soft
X-LiteSpeed-Cache
X-ServerName
Edge-Control
X-HOST
X-Cluster-Node
X-MJ-Upstream-Addr
Cm-Server
Response
NtCoent-Length
X-App-Start
X-Cache-TTL
X-Pangea-Version
Webluker-Edge
Accept-Charset
X-AOL-SNH
UniqueName
Id
X-Hosted-By
X-URL
WWW-Authenticate
X-ACMCache
X-Directory-Script
SID
MIH-CLIENT-FARM
MIH-PLATFORM
MIH-PUBLIC-IDENTIFIER
Machine
X-Trace-Cache
X-Geo-IP
X-AspNetWebPages-Version
X-Distil-CS
Req-Id
CT
X-MJ-Serve-Req-Time
VAR-Cache
X-Ttl
X-Gamma-Serve
X-FW
X-TTL
X-FORWARDED-FOR
NetMindSessionID
X-ACCELERATE
X-Micro-Cache
SN
X-Id
X-SRV
X-CHSN
X-Time
X-UPSTREAM
X-LIGHTHTTP-PCDID
X-StoreSense
X-Content-Security-Policy
X-Machine-Name
X-ProStores-StoreApiEntryPoint
X-Source-Host
CommunityServer
X-HOSTNAME
X-Sys-Req-ID
Hamster
Server-Info
Website-Info
X-Front
Proxy-Connection
X-Permitted-Cross-Domain-Policies
X-Middleton-Response
X-Device-Type
X-Microcache-Status
X-Track
X-Cocoon-Version
X-Blog
X-Session-Reinit
X-Varnish-Host
Srv
X-Info
X-Styx-Version
X-Wily-Info
X-Styx-Build-Num
X-Styx-Build-Sha
X-Styx-Req-Id
X-Wily-Servlet
X-Styx-Build-Date
X-Turbo-Control
Cache-By-Node
A-Powered-By
X-Object-Id
Pool-Info
X-Object-Type
X-Translation
X-Bettercache-Proxy
X-Highwire-RequestId
QOR-Cache
X-Highwire-SessionId
From
Server-Name
Nodo
X-Transaction
Ms
Content-Security-Policy-Report-Only
MW-Webserver
X-User-Agent
X-FreeTag-Count
Location
Content-MD5
Worker
X-Cache-Action
X-Src-Webcache
ServerID
Cteonnt-Length
X-Varnish-Hits
X-Jphone-Copyright
X-Engine
X-CacheHits
X-Dev
X-Cms-Mode
F-In-Cache
X-Old-Content-Length
X-Expires
Apache
Server2
X-ManagedFusion-Rewriter-Version
X-Country-Code
X-Source-ID
OriginServer
X-Rewritten-By
X-Varnish-Server
-GCR
X-ROUTE-DATA
REFRESH
Pool
X-ServerCache-Info
X-Cache-Rule
X-Varnish-IP
X-Trace
X-Provisioner-Version
Author
X-WebKit-CSP
Bs-Header
ScoreTracker
X-Geo-IP-Country
X-Geo-IP-Region
X-Geo-IP-Metro
X-Geo-IPV
X-Domain-Checked
X-T3CacheInfo
X-Varnish-Cache-Hits
CountryCode
Backend
SynthaSite-ID
X-EdgeRouter
X-MobileDetected
X-Hrouter
X-Response-Time
ORIGIN
X-N
X-Artvisual-Server
X-App-Server
X-App
X-Amz-Id-1
X-Frontend
X-REDIRECTSERVER
X-Channel-Maxage
Aoestatic
Allow
X-Powered-By-Server
X-Magento-Lifetime
X-Magento-Action
X-Yqk-Set
X-B2f-Cache-Load
SRV
X-Outils-Cs
X-Powered-By-Yqk
7e-Page-Cache
X-Debug
X-Cache-Term
X-PageCached
Ec
RequestTime
NLCacheNote
X-Conf
LBVIS
X-Actindo-RS
CDN
X-Farm-Server
X-NGINX-CACHED
X-DTC
X-Nginx-Backend
Cluster-ID
X-Ocache
SS
X-T
X-Test
X-Cache-Me-Harder
X-Atraveo-From-Varnish-Cache
X-T3CacheTags
X-Atraveo-NC
X-ERM-ServerName
X-ERM-ServerName-AppPage
X-T3Cache
Be-Ip
Be-Va
X-Monstercache-Timeout
X-WP
X-NGINX-CACHED-AT
X-Cache-Config
A1B2C3
X-GeoIP
X-Atraveo-Cache-Control
X-B
X-MidCOM-Meta-Cache
X-Empowered-By
X-Cache-Ttl
Copyright
Debug
X-S
Debug-Begin-IP
X-MCB-Server
X-Grid-Server
Powered
X-Cache-Age
X-ChromeLogger-Data
X-Vhost-ID
X-Varnish-Cache-Local
No
X-Vtex-Processado-Em
Progma
X-GSL-Server
Powered-By-VeryCDN
Cache-Ctrol
Ksid
Cdate
X-Phpwcms-Page-Processed-In
X-ATM-RTime
X-ATM-RServer
X-Cache-Set
X-ERM-RunTime
X-Varnish-Cache-Server
X-Phpwcms-Release
X-Cache-On
X-Vivastreet
X-Vivastreet-KiwiiPage
X-Developer
Debug-IP-Cntry
Il-Cl
X-NID
Rt-Server
MASTERWEBLET
X-CS
Cmsid
X-Enhanced-By
PageSpeed
X-Accelerated-By
Cmstype
X-Cache-Operation
X-Atraveo-TTL
X-Frames-Options
X-Atraveo-Varnish-Server-Id
Buuteeq-Source
X-Content-Age
X-NginX-Server
SFY
LFY
X-Haiku
X-GLaDOS
X-Recruiting
X-NginX-Cache
Origin
X-Origin-Id
X-7d-Version
X-Via-Kemp
Web-Server
Hostname
LBC
X-Nginx-Server
X-Hosting-Env
X-Amz-Meta-S3cmd-Attrs
X-7dig
X-B2f-Not-Route
WEBO
X-UD-Loopcounter
X-PM-ID
X-Kirra-SiteId
At-Isb
X-UD-Target
X-Request-Duration
X-Venda-Hitid
X-UD-REMOTE-ADDR
X-Database-Slave-Connection
X-Vhost
X-FS-UUID
Front
X-Hash
X-DeliveryServer
X-GC-Read
X-ORACLE-DMS-ECID
MirrorName
X-SN
Hash
Dispatcher
X-Force
X-PRAM
X-GC-Write
X-Varnish-Action
Head
X-Loc
X-LB
X-Response
Provided-Host
X-GC-App
Www.Myjob.Se
X-Varnish-Debug-Hits
X-Varnish-Debug-Age
Content-Transfer-Encoding
X-SilverStripe-Cache
X-Remote-Addr
Www.Mirrorgate.Se
Servername
X-Client-Addr
X-Whom
X-IDS-WS
X-Li-Pop
Atp-Isdpp
Ssl-Enabled
X-PvInfo
CachedXSLT
X-Uplex
X-Header
X-Cached-Status
X-App-Status
X-Varnish-Debug-Fetch-Host
X-Fett
X-Agentscape-Info
X-DELIVERYSERVER
X-LI-UUID
At-Shoptype
Provider
P3P:CP
Www.Mabracertifiering.Se
Compression-Control
X-Li-Fabric
Test.Executivepeople.Se
Open.Jobgate.Se
Jobb.Assistentpoolen.Se
Jobb.Passal.Se
Jobb.Gil.Se
X-Route
Http
X-TLServer
INCOMING-TIME
X-WR-Flags
XX
Publisher
X-Version
Content-Instance
X-Swift-CacheTime
X-Swift-SaveTime
WP-Cache
X-User-Id
X-JAL
X-Cache-Lifetime
X-JSL
X-WHOIS-Cached
X-Origin
X-V
Edgecast
B-Powered-By
X-Locale
Server-IP
X-Framework
X-VarnPar2
X-Seschat-URL
X-Varnish-Hashed-On
X-ASTRO-REWRITE
X-Powered
SIP
X-Mobile
SVR
X-VarnCache
X-Real-IP
X-Goog-Hash
PowerCDN
X-TISSERVER
X-WorkerInstancename
Tpt.Renderer
Esi-Enabled
X-AISO-Cache
X-SeschatLayout
X-FCMS-Cache
HostGen
Tpt.Renderer1
X-AISO-Server
X-RSS-CACHE-STATUS
X-SeschatTemplateID
ServerConfigManager.WebBugTracker
X-SeschatRedID
Render
IsFullSiteRequest
After
Before
Content-Cache
Hej
Accept-Language
X-Server-IP
Telligent-Evolution
Tpt
X-S-Misc
X-PP
X-Platform
X-Life
X-SeschatDID
X-CCM
X-Execution-Time
X-Binarysec-Via
UNIQUE-ID
Accept
X-Host-Url
X-Generation-Time
X-D-Time
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Status
X-V-I-TTL
OGHopCount
TMP
X-Varnish-Beresp-Grace
X-Time-Microsecs
MachineName
User-Cache-Control
X-Hit
X-Author
X-Would-Your-GrandPa-Wait
X-HITS
D
X-TTL-Age
X-Req-Host
X-Created
Expire
X-Pixelsilk-Server
X-Servername
NnCoection
X-Req-Url
X-Hc-Host
X-Your-GrandPa-Would-Wait
X-JSON-API-AGE
X-Flex-Community
Content
X-Flex-Evend
X-Flex-Evstart
X-Flex-Lang
ExecutionTime
X-Oracle-DMS-ECID
X-WR-MODIFICATION
X-Garden-Version
X-Dokk-PortalId
Access-Control-Expose-Headers
X-Flex-Lastmod
X-Flex-Tag
X-Monstercache-Host
X-Powered-Developer
X-V-TTL
X-V-Outer
X-Monstercache-Hash
X-Monstercache
X-Flex-Tags
X-Ratelimit
Pagely
X-Kermit
X-Page-Generation-Time
X-Pixelsilk-Version
Svr
RATING
X-Max-Age
X-JSON-API-LATENCY
X-UserAgent
X-Wm-VIP
X-ProcessESI
X-Wm-1
X-CMS-Server
X-RemovedCookies
X-Node-Name
No-Cookie
X-Page-Generated-At
X-JSON-API-TTL
X-Jcms-Ajax-Id
X-Box
X-Varnish-Id
X-Dynatrace-Js-Agent
X-Web-Node
X-Tumblr-Pixel-6
X-Header-Set-Id
X-Caching-Rule-Id
POOL
X-Nocache
SiteName
X-Nginx-Cache
X-Upstream
X-Cookie-Store
X-Url-Store
X-ID
X-Backend-Status
Ozcache
X-Nucleus-Cache
Beyond-Iis
X-MSEdge-Ref
BM-Cache-Key
BM-Cache-Node
X-EPiphany-Vid
X-VTEX-Router-Powered-By
AcceptLangage
X-Proxy
Foglight-Request-UUID
X-VTEX-Router-JanusNet-BackEndLatency
X-Uid
Public-Extension
X-VTEX-Router-Backend-App
X-Nginx-Host
X-Location-Id
X-VTEX-Router-JanusNet-JanusLatency
ResourceTag
X-Webstats-RespID
X-VTEX-Cache
X-VTEX-Router-JanusNet-AspNetLatency
X-MadeOn
X-PS-MURDOCK-CASE-NORMALIZATION
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-ORIG-PROTOCOL
Host-Service
X-Internal-IP
X-Webapp
BM-Cache-Status
X-UseReverse-Proxy
X-DC-Origin-IP
X-SV
X-Hop-By
Requested-Host
X-VG-WebCache
X-Process-Time
Web-Head
X-Router-Backend
Test
X-Router
Front-End-Https
CacheControlHeader
Language
X-RequesterIP
X-Server-By
AV1080
WebDevSrc
X-PoweredBy
X-Location
X-Varnish-HitMiss
X-Varnish-Object-Age
X-Beep
X-Continum-Server
X-Gondor-Server
X-Varnish-Count
X-Config-By
X-XHR-Current-Location
X-Client-Vid
X-RE-Ref
X-CMS-State
X-CMS-Tid
SLB
X-CMS-Stage
X-CMS-Sid
X-CMS-CRMSet
X-CMS-Live
X-CMS-Nid
X-DefendeR-Runtime
X-Varnish-Hit
WebServer
Noahs-Classifieds
X-Yottaa-Optimizations
X-WLD-LB
X-Source
X-FarmId
X-Bcwwwid
X-CMS-Collection
X-BackendServer
ServerId
X-NewRelic-App-Data
X-UA
ErrorCodeCount
X-USERNAME
Backend-Host
EI-UNIQUE-ID
X-HOSTTYPE
TypeOfContent
OriginalHost
X-Secret
X-XFPC-Cache
X-XFPC-Cache-Active
CacheDuration
CacheInfo
Optimizer
CacheInfoFetch
Rt-Fastcgi-Cache
Application-Version
ProxiaInstanceId
X-Pagecache
X-Real-Server
X-Varnish-Age
X-Allow-Redis
SAVVIS
X-Fortrabbit
X-Purge-Level
X-Varnish-Debug-Varnish-TTL-Set-From-Server
CP
X-Device-Group
X-Mii-Cache-Hit
X-Pb-Mii
X-ATP-Server
X-Client-IP
Server-Optimized-By
Ttl
X-PoolMember
Warning
X-Server-Id
ExecuteNonQuerySQLParam
HCVer
X-View
Mobiquo-Is-Login
X-Back
X-Yottaa-Metrics
HAVer
X-GitHub-Request-Id
X-Varnish-Device
X-Varnish-ID
X-Server-Node
HTTP
X-Catalyst
X-Panel-Id
X-Panel-Name
Www.Aujourdhui.Com