SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
Content-Location
X-UA-Compatible
Via
X-Adblock-Key
X-Varnish
CF-RAY
X-Frame-Options
Keep-Alive
P3p
X-Check
X-Language
X-Template
X-Buckets
X-Cacheable
X-Generator
Access-Control-Allow-Origin
X-Hacker
X-Drupal-Cache
WP-Super-Cache
MS-Author-Via
Status
X-Powered-By-Plesk
X-Pad
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Server
X-Geo
X-Geo-Port
X-Request-Id
X-Host
X-Cache-Lookup
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
X-Mod-Pagespeed
X-Rack-Cache
X-XRDS-Location
MicrosoftSharePointTeamServices
Strict-Transport-Security
Content-Encoding
X-Cache-Hits
X-UA-Device
Ngpass-All
Host-Header
X-SharePointHealthScore
SPRequestGuid
X-Via
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-INKT-SITE
X-INKT-URI
X-Varnish-Cache
X-Robots-Tag
X-Tumblr-Pixel-1
X-Webserver
X-CF-Powered-By
X-Request-ID
X-PhApp
X-Forwarded-For
X-Iinfo
X-Cnection
X-Url
X-Firenze-Processing-Times
Composed-By
Served-By
X-ServedBy
X-Tumblr-Pixel-2
X-Page-Speed
X-MS-InvokeApp
X-Accel-Version
Access-Control-Allow-Headers
X-Served-By
X-Backend
X-Hostname
X-ContextId
Access-Control-Allow-Methods
X-CDN
X-XN-Trace-Token
X-XN-XNHTML
X-Alternate-Cache-Key
X-ShardId
X-ShopId
X-Xss-Protection
X-AH-Environment
X-Tumblr-Pixel-3
X-Powered-By-360WZB
X-Stats-Unique-Token
X-Stats-Visit-Token
Liferay-Portal
Content-Style-Type
X-PC-Hit
X-PC-Key
Content-Script-Type
X-PC-AppVer
X-PC-Date
X-PC-Host
X-Umbraco-Version
X-Ua-Compatible
X-Server-Name
X-Cache-Info
X-FRAME-OPTIONS
X-Mobilized-By
Powered-By-ChinaCache
X-HeyJason
X-From
Refresh
X-Spip-Cache
Cartoon
X-Cache-Server
X-Amz-Id-2
SPRequestDuration
Request-Id
SPIisLatency
X-Ac
X-Outils-CS
Cf-Railgun
X-Amz-Request-Id
TCN
X-Content-Digest
Magicmarker
Rating
X-W3TC-Minify
X-FB-Debug
X-Amz-Cf-Id
Thanks
X-Px
Real-Hostname
X-TN-ServedBy
X-PHP-Engine
X-Loop
X-VCache
X-Cache-Status
Page-Completion-Status
X-Device
X-TNCMS-Memory-Usage
X-TNCMS-Served-By
X-TNCMS-Render-Time
X-TNCMS-Version
Imagetoolbar
X-Original-Content-Length
NS-RTIMER-COMPOSITE
X-Content-Encoded-By
X-Powered-By-Anquanbao
X-Cached-By
X-Generated-By
IBM-Web2-Location
X-Tumblr-Pixel-4
X-Matrix-Server
X-Matrix-Proxy
PICS-Label
X-SERVER
X-Served-From-Cache
X-URL
X-Firenze-Processing-Time
X-PersistenceNode
IISExport
X-Tumblr-Content-Rating
X-Cached
X-Timer
X-Node
X-Art-Request-Id
Set-Cookie2
X-Varnish-Cacheable
X-Cache-Result
Retry-After
X-Varnish-TTL
X-Age
X-Safe-Firewall
X-Trace-App
X-Tumblr-Pixel-5
X-Pantheon-Styx-Hostname
X-Pantheon-Endpoint
Product
X-Port
CF-Cache-Status
Access-Control-Max-Age
X-Backend-Server
X-CMS-Version
X-SDS
X-PERF
X-ApacheServer
Generator
X-Processed-By
X-PF-Uncompressing
SID
X-DynaTrace
X-Cache-Hit
X-FORWARDED-FOR
X-Drectory-Script
X-ATG-Version
X-I
X-DynaTrace-JS-Agent
X-Nitra-Side
X-Cache-Enabled
DynaTrace
X-Director
X-Duration
Pics-Label
Charset
X-UD-Host
Powered-By
RTSS
X-UD-Method
X-Cache-Debug
X-Purge-Host
X-NoCache
X-Varnish-Backend
Lsrequestid
Access-Control-Request-Method
ServerName
X-Vtex-Cache-Key
X-Vtex-Remote-Cache
S
X-Hits
NODE
MIME-Version
X-DDC-Arch-Trace
Proxy-Agent
ServedBy
X-DNS-Prefetch-Control
X-Srv
X-ServerID
Surrogate-Control
Accept-Encoding
X-Rendering-Engine
AMF-Ver
Cache
X-Content-Options
Edge-Control
X-Purge-URL
X-App-Hosting
COMMERCE-SERVER-SOFTWARE
X-Cookie-Domain
X-CDN-Geo
X-Orig-Vary
X-CDN-Geo-IP
Content-Encoding-Handler
X-CDN-Any-IP
X-Expires-Orig
X-Trace-Cache
Cm-Server
X-Vary-Options
CT
Filter-Revision
X-Cache-Expires
Host
Content-Security-Policy
VAR-Cache
X-Sol
LFY
SFY
X-Xrds-Location
X-ServerName
X-Distil-CS
WWW-Authenticate
Content-Disposition
X-Yadis-Location
X-Server-ID
X-Cdn
X-App-Start
UniqueName
X-Cache-Control-Orig
X-AOL-SNH
X-Pangea-Version
X-Speed-Cache
X-BackEnd
X-Speed-Cache-Key
X-Front
X-Original-Request
X-Cluster-Node
X-Gamma-Serve
MIH-CLIENT-FARM
MIH-PUBLIC-IDENTIFIER
X-TTL
MIH-PLATFORM
Website-Info
Server-Info
Id
Accept-Charset
X-CJ-Soft
MW-Webserver
Node
X-FW-Static
X-Handled-By
X-Actual-URL
X-Cache-Action
X-Engine
X-Passed-To
X-Returned-From-PostProcessResponse
X-Returned-From-DLL
X-Passed-To-BeforeDispatch
X-Passed-To-DLL
X-Passed-To-PostProcessResponse
X-Returned-From-BeforeDispatch
X-Returned-From
X-Directory-Script
X-Time
MJ12bot
SEOMOZ
X-Hosted-By
X-FIRSTBase
X-SRV
X-WR-Flags
QOR-Cache
X-Microcachable
X-ACMCache
X-CHSN
NetMindSessionID
X-GeoIP-Country-Code
NtCoent-Length
Pool
X-Source-Host
X-GeoIP-Country-Name
X-Cache-TTL
X-PwB-Node
X-Pass-Why
X-HOSTNAME
Machine
X-Sys-Req-ID
Pool-Info
X-LiteSpeed-Cache
X-Track
Proxy-Connection
X-Cache-Rule
X-LIGHTHTTP-PCDID
X-Blog
X-Session-Reinit
Debug-IP-Cntry
Debug
Debug-Begin-IP
X-Highwire-RequestId
X-Hyper-Cache
X-Highwire-SessionId
A-Powered-By
X-Permitted-Cross-Domain-Policies
X-Cocoon-Version
Webluker-Edge
Cache-By-Node
X-Version
X-Atraveo-From-Varnish-Cache
CommunityServer
X-Atraveo-Cache-Control
X-Micro-Cache
ORIGIN
X-Atraveo-NC
X-Atraveo-Varnish-Server-Id
X-Id
X-MJ-Upstream-Addr
X-FW
X-Atraveo-TTL
X-Turbo-Control
X-Ms-Invokeapp
X-ID
X-ProStores-StoreApiEntryPoint
F-In-Cache
X-Info
X-ACCELERATE
X-StoreSense
X-Bettercache-Proxy
Req-Id
X-ASTRO-REWRITE
X-UPSTREAM
X-Varnish-Hits
ServerID
X-Country-Code
From
SN
X-User-Agent
Fhost
X-Ttl
Nodo
X-AspNetWebPages-Version
X-Object-Type
X-Object-Id
X-ServerCache-Info
X-Source-ID
X-Src-Webcache
X-B2f-Cache-Load
X-Cache-Operation
X-Trace
X-ROUTE-DATA
X-Expires
Cteonnt-Length
MirrorName
X-Varnish-Action
X-Force
X-Magento-Action
X-Magento-Lifetime
X-MJ-Serve-Req-Time
X-PRAM
Hamster
Content-Security-Policy-Report-Only
X-Hrouter
X-Machine-Name
X-Cms-Mode
X-Varnish-Host
Location
Backend
Mime-Version
X-Jphone-Copyright
X-Provisioner-Version
X-Dev
Worker
X-Amz-Id-1
X-FS-UUID
SynthaSite-ID
X-Powered-By-Yqk
X-Li-Fabric
X-Li-Pop
X-LI-UUID
X-EdgeRouter
X-Yqk-Set
X-Frontend
X-App
ScoreTracker
X-Rewritten-By
X-Oracle-DMS-ECID
LBVIS
X-FreeTag-Count
X-Upstream
X-ManagedFusion-Rewriter-Version
X-Haiku
X-GLaDOS
X-Varnish-ID
X-Monstercache-Timeout
X-WP
X-T3CacheInfo
X-Channel-Maxage
X-GeoIP
X-Frames-Options
X-App-Server
Server-Name
NLCacheNote
X-VE-IsRobot
X-Response-Time
X-Domain-Checked
X-Database-Slave-Connection
Vacache
X-Content-Age
X-Uid
Ngpass-Vcall
X-Request-Duration
X-Wily-Info
Server2
X-Wily-Servlet
SS
Author
Aoestatic
X-Cache-Config
Srv
X-Transaction
Bs-Header
X-Phpwcms-Release
X-SN
X-Amz-Meta-S3cmd-Attrs
X-Phpwcms-Page-Processed-In
Ms
X-Varnish-Cache-Hits
X-Kirra-SiteId
Be-Ip
X-T3Cache
Be-Va
X-UD-REMOTE-ADDR
X-Cache-Me-Harder
X-UD-Loopcounter
X-Powered-By-Server
X-T3CacheTags
X-UD-Target
X-Vivastreet
X-Vhost
X-B2f-Not-Route
Ssl-Enabled
X-Varnish-Device
Apache
SIP
X-Geo-IP
X-Powered
X-Via-Kemp
A1B2C3
X-CacheHits
X-Cache-On
Compression-Control
Rt-Server
Cdate
X-Vivastreet-KiwiiPage
Il-Cl
Web-Server
Www.Mirrorgate.Se
CDN
X-T
X-DTC
X-Actindo-RS
X-Ocache
X-Jcms-Ajax-Id
X-Nginx-Backend
X-B
RequestTime
X-Conf
X-Cache-Term
Cluster-ID
X-Debug
X-VarnPar1
X-Varnish-Debug-Age
X-Varnish-Debug-Hits
CountryCode
Response
OriginServer
Content-MD5
Www.Myjob.Se
X-Varnish-Cache-Server
Www.Mabracertifiering.Se
Test.Executivepeople.Se
X-ATM-RTime
X-ATM-RServer
X-MidCOM-Meta-Cache
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
Open.Jobgate.Se
X-Farm-Server
P3P:CP
Jobb.Passal.Se
X-NGINX-CACHED
X-CS
X-NGINX-CACHED-AT
Ksid
X-PageCached
Content-Transfer-Encoding
CP
X-Content-Security-Policy
WEBO
X-TISSERVER
X-Varnish-Server
X-VarnCache
X-JSL
-GCR
X-Accelerated-By
X-User-Id
X-Old-Content-Length
X-JAL
X-Flex-Evstart
WP-Cache
Buuteeq-Source
X-Flex-Lang
X-Origin-Id
X-Flex-Tags
X-Flex-Evend
X-Flex-Community
X-Flex-Lastmod
X-Flex-Tag
X-Varnish-Debug-Fetch-Host
X-Swift-CacheTime
Pagely
Front
X-N
Http
X-MobileDetected
Ibm-Web2-Location
Provided-Host
Warning
X-Kermit
X-Swift-SaveTime
X-DeliveryServer
X-Uplex
X-Recruiting
X-Monstercache
X-Benchmark-Cache
X-Monstercache-Hash
X-Monstercache-Host
X-Varnish-IP
X-Created
X-Benchmark-Total
X-Benchmark-Sphinx-Count
X-CMS-Server
Sql-Debug
X-Purge-Level
X-Allow-Redis
X-Benchmark-Sphinx
X-Caching-Rule-Id
X-Grid-Server
X-Benchmark-Db
LBC
X-Empowered-By
X-PM-ID
X-Header-Set-Id
SiteName
X-V-Outer
D
X-Microcache-Status
X-REDIRECTSERVER
7e-Page-Cache
X-ERM-RunTime
Cache-Ctrol
Origin
X-V-TTL
X-Device-Type
X-Response
X-Developer
X-Cached-Status
X-Varnish-Age
X-ERM-ServerName
X-ERM-ServerName-AppPage
OHS-WebNode
X-Test
X-Req-Url
Hash
Dispatcher
X-Req-Host
MASTERWEBLET
X-V-I-TTL
X-ORACLE-DMS-ECID
X-Nginx-Server
X-Header
X-Hosting-Env
Powered-By-VeryCDN
Hostname
X-Max-Age
X-Web-Node
X-Node-Name
X-SilverStripe-Cache
Content-Instance
XX
Publisher
X-Route
X-Hash
SRV
X-Nginx-Cache
REFRESH
At-Isb
X-WorkerInstancename
X-GC-Write
At-Shoptype
Fw-Via
PowerCDN
ServerId
X-GC-Read
X-GC-App
Atp-Isdpp
X-Bcwwwid
X-Geo-IP-Metro
Progma
X-Geo-IP-Region
X-Geo-IPV
X-Cache-Set
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Status
Tpt.Renderer
Tpt
Tpt.Renderer1
X-Enhanced-By
X-Varnish-Beresp-Grace
X-Geo-IP-Country
X-Artvisual-Server
TMP
NnCoection
Ec
X-HOSTTYPE
X-USERNAME
X-Secret
BM-Cache-Status
X-GSL-Server
X-Vtex-Processado-Em
BM-Cache-Key
BM-Cache-Node
ServerConfigManager.WebBugTracker
Render
X-CMS-CRMSet
X-CMS-Collection
X-CMS-Live
X-CMS-Nid
X-CMS-Sid
X-CMS-Tid
X-XFPC-Cache-Active
X-D-Time
X-Generation-Time
X-S-Misc
X-XFPC-Cache
X-CMS-Stage
X-CMS-State
After
X-BackendServer
Before
ExecuteNonQuerySQLParam
IsFullSiteRequest
X-S
HostGen
Accept
X-LB
X-NID
Hej
Accept-Language
Telligent-Evolution
X-Ratelimit
X-Powered-Developer
X-PoolMember
X-RE-Ref
CachedXSLT
X-Remote-Addr
User-Cache-Control
MachineName
X-Author
Custom
X-Hit
X-Time-Microsecs
PageSpeed
X-Agentscape-Info
X-Varnish-Cache-Local
X-Real-Server
X-Pagecache
Expire
Content
ExecutionTime
ProxiaInstanceId
X-Dokk-PortalId
X-UA
Beyond-Iis
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-Webstats-RespID
X-Framework
Time
SAVVIS
X-Box
X-MCB-Server
X-Servername
X-PHP-Cache
X-Translation
-Onnection
SVR
X-Venda-Hitid
X-7dig
X-7d-Version
Backend-Host
X-Vhost-ID
No-Cookie
X-Pixelsilk-Version
Noahs-Classifieds
X-WLD-LB
X-Pixelsilk-Server
X-Hc-Host
X-HITS
Cmstype
Provider
X-Whom
Cmsid
Commerce-Server-Software
X-ServerId
X-NginX-Server
X-NginX-Cache
Svr
X-Nucleus-Cache
X-JSON-API-AGE
X-Url-Store
X-Cookie-Store
X-Cache-Key
AcceptLangage
X-Locale
X-JSON-API-TTL
X-Page-Generated-At
X-Page-Generation-Time
X-UserAgent
Server-Optimized-By
X-JSON-API-LATENCY
Ttl
X-Backend-Status
X-Origin
X-Continum-Server
X-Stackable-Node
X-Nginx-Host
SBMCLOUD
If-Modified-Since
X-Cluster-Host
X-CMS
X-XHR-Current-Location
X-Internal-IP
WEB-CLUSTER-NODE
X-Extra-Header
DCGI-Server
Source
X-ProcessESI
X-TTL-Age
X-DefendeR-Runtime
X-Nocache
Ozcache
X-Garden-Version
X-Source
X-Varnish-Hit
X-Wm-1
X-Yottaa-Optimizations
RATING
X-R4L-VHOST
EI-UNIQUE-ID
X-Wm-VIP
CacheDuration
TypeOfContent
X-NewRelic-App-Data
X-Varnish-Id
OriginalHost
Optimizer
CacheInfo
CacheInfoFetch
ErrorCodeCount
X-Rewrite
X-Life
HTTP
OGHopCount
Access-Control-Expose-Headers
X-WR-MODIFICATION
X-Would-Your-GrandPa-Wait
X-Your-GrandPa-Would-Wait
AV1080
X-GitHub-Request-Id
X-RemovedCookies
X-Yottaa-Metrics
X-TLServer
Mobiquo-Is-Login
Head
HAVer
HCVer
X-Loc
X-Tiny
X-Varnish-HitMiss
X-RSS-CACHE-STATUS
X-Binarysec-Via
X-Varnish-Count
No-Cache
Application-Version
X-Back
WSCPUB-Version
B-Powered-By
X-RequesterIP
X-Papaya-Gzip
X-Papaya-Cache
Keywords
X-PP
X-Host-Url
UNIQUE-ID
X-Platform
INCOMING-TIME
Rt-Fastcgi-Cache
X-MiniProfiler-Ids
WP-AdvCache-MemCached
X-LTM-ID
X-Varnish-Cookie-Debug
X-Server-Id
X-Cache-NHIT
X-SV
X-LAvg
X-Server-IP
X-Http-Host
X-Dynatrace-Js-Agent
Front-End-Https
Esi-Enabled
Robots
Test
X-HW
SLB
Description
Cneonction
X-Client-Addr
X-IDS-WS
X-Fortrabbit
X-CCM
Servername
X-Proxy
X-WebFarmNode
Expect:
X-DELIVERYSERVER
X-Fett
X-Real-IP
X-VTEX-Cache
X-VTEX-Router-Backend-App
X-VTEX-Router-Powered-By
X-VTEX-Router-JanusNet-JanusLatency
No
X-VTEX-Router-JanusNet-BackEndLatency
X-DSMX-Rewrite-MS
X-PvInfo
X-SeschatDID
X-SeschatLayout
X-SeschatRedID
X-Seschat-URL
X-Varnish-Hashed-On
X-Cache-Age
X-Cache-Lifetime
X-SeschatTemplateID
Language
Foglight-Request-UUID
X-Execution-Time
X-DSMX-Render-MS
X-Client-Vid
X-EPiphany-Vid
X-Server-By
OHS-LoadBalancer
X-VTEX-Router-JanusNet-AspNetLatency