
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
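The tally described above, as an added sketch that is not the ISC project's own code: it counts each header once per site, folds case (HTTP header names are case-insensitive, so X-FRAME-OPTIONS and X-Frame-Options are the same header), and flags near-miss spellings such as X-Frames-Options, which browsers do not recognize. The host names and responses are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter
from difflib import get_close_matches

# Security-relevant headers taken from this page's list, lower-cased for matching.
SECURITY_HEADERS = ["content-security-policy", "strict-transport-security",
                    "x-content-type-options", "x-frame-options", "x-xss-protection"]

# Constructed sample HEAD responses (hypothetical hosts, not survey data).
SAMPLE = {
    "a.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx\r\n"
                 "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "b.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "X-FRAME-OPTIONS: DENY\r\nSet-Cookie: a=1\r\nSet-Cookie: b=2\r\n\r\n",
    "c.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "X-Frames-Options: SAMEORIGIN\r\n\r\n",
    "d.example": "HTTP/1.1 301 Moved Permanently\r\nContent-Type: text/html\r\n"
                 "X-Content-Options: nosniff\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n",
}

def header_names(raw):
    """Return the lower-cased header names found in one raw HEAD response."""
    names = set()
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line.strip():
            break                            # blank line ends the header block
        name, sep, _ = line.partition(":")
        if sep and name.strip():
            names.add(name.strip().lower())
    return names

def tally(responses):
    """Count, per header name, how many sites sent it (repeats on one site count once)."""
    counts = Counter()
    for raw in responses.values():
        counts.update(header_names(raw))
    return counts

def adoption(counts, total):
    """Percentage of polled sites that sent each security-relevant header."""
    return {h: round(100.0 * counts[h] / total, 1) for h in SECURITY_HEADERS}

def near_misses(counts):
    """Map names that look like misspelled security headers to the likely intended one."""
    found = {}
    for name in counts:
        best = get_close_matches(name, SECURITY_HEADERS, n=1, cutoff=0.85)
        if best and best[0] != name:
            found[name] = best[0]
    return found
```

Sites that appear in `near_misses` have tried to deploy a protection that has no effect, so they should be reported separately rather than counted toward adoption.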

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
X-UA-Compatible
Via
Content-Location
Keep-Alive
X-Frame-Options
CF-RAY
X-Varnish
X-Adblock-Key
X-Cacheable
X-Check
P3p
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
Access-Control-Allow-Origin
WP-Super-Cache
X-Drupal-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Pad
X-Runtime
X-Geo-Port
X-Geo
X-Request-Id
MicrosoftOfficeWebServer
X-Powered-CMS
X-Server
X-Cache-Lookup
X-Type
X-Cache-Group
X-Host
Access-Control-Allow-Credentials
X-Ac
Strict-Transport-Security
X-Logged-In
X-UA-Device
Ngpass-All
X-Xss-Protection
X-Ua-Compatible
X-Tumblr-User
X-Rack-Cache
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-XRDS-Location
X-Tumblr-Pixel-1
X-Cache-Hits
Host-Header
SPRequestGuid
X-SharePointHealthScore
Content-Encoding
X-Tumblr-Pixel-2
X-Via
X-Robots-Tag
X-CF-Powered-By
X-INKT-SITE
X-INKT-URI
X-Varnish-Cache
X-Iinfo
X-Url
X-Accel-Version
X-Forwarded-For
X-ServedBy
X-Cnection
X-PhApp
Access-Control-Allow-Headers
X-Webserver
X-MS-InvokeApp
X-Backend
Composed-By
X-Served-By
X-Alternate-Cache-Key
X-ShardId
X-ShopId
X-ContextId
X-Page-Speed
Served-By
Access-Control-Allow-Methods
X-CDN
X-Tumblr-Pixel-3
X-Firenze-Processing-Times
X-XN-Trace-Token
X-XN-XNHTML
X-Hostname
X-PC-Key
X-PC-Hit
X-AH-Environment
X-PC-AppVer
X-PC-Date
X-PC-Host
X-Served-With
X-Powered-By-360WZB
X-FRAME-OPTIONS
Content-Style-Type
Content-Script-Type
Liferay-Portal
X-Age
X-Server-Name
X-Umbraco-Version
X-Port
X-Spip-Cache
Refresh
X-Cache-Info
X-Safe-Firewall
Rating
X-Cache-Server
Cf-Railgun
X-Amz-Id-2
SPRequestDuration
SPIisLatency
Request-Id
Cartoon
X-Cache-Result
Powered-By-ChinaCache
X-Amz-Request-Id
X-Mobilized-By
X-Content-Digest
X-Tumblr-Pixel-4
X-Amz-Cf-Id
X-FB-Debug
X-BC-Is-HA
X-HeyJason
X-Pass-Why
X-Outils-CS
TCN
X-TN-ServedBy
Real-Hostname
X-PHP-Engine
X-W3TC-Minify
X-Loop
Thanks
X-Generated-By
X-VCache
X-Tumblr-Content-Rating
X-HOST
IBM-Web2-Location
X-Cache-Status
Magicmarker
X-Px
X-Device
X-Node
X-Hyper-Cache
X-TNCMS-Render-Time
X-PersistenceNode
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-TNCMS-Version
X-Cached-By
X-Tumblr-Pixel-5
Page-Completion-Status
Imagetoolbar
X-Content-Encoded-By
X-FORWARDED-FOR
NS-RTIMER-COMPOSITE
X-Styx-Build-Sha
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Styx-Build-Num
X-Styx-Build-Date
X-Pantheon-Endpoint
X-Styx-Version
Content-Security-Policy
X-Cached
X-Matrix-Proxy
X-Matrix-Server
X-Original-Content-Length
X-Served-From-Cache
Time
CF-Cache-Status
X-Timer
X-URL
X-Varnish-Cacheable
Product
X-CMS-Version
X-Powered-By-Anquanbao
X-From
X-DynaTrace
X-HOSTNAME
Retry-After
X-SERVER
X-Varnish-TTL
X-Cache-Enabled
Generator
X-Firenze-Processing-Time
X-Request-ID
X-Backend-Server
X-DDC-Arch-Trace
DynaTrace
Powered-By
IISExport
Set-Cookie2
ServedBy
Node
X-Rendering-Engine
X-Xrds-Location
X-App-Hosting
Pics-Label
Access-Control-Max-Age
X-I
X-CDN-Geo-IP
X-CDN-Geo
X-CDN-Any-IP
X-Cache-Hit
PICS-Label
X-Original-Request
X-Cache-Debug
X-Passed-To-PostProcessResponse
X-Returned-From-DLL
X-Returned-From-PostProcessResponse
X-Returned-From-BeforeDispatch
X-Returned-From
X-Passed-To-DLL
X-Handled-By
X-Passed-To
X-Actual-URL
X-Passed-To-BeforeDispatch
X-UD-Method
Lsrequestid
X-SDS
X-UD-Host
X-Varnish-IP
Ngpass-Vcall
X-PF-Uncompressing
X-Purge-Host
MIME-Version
X-Processed-By
X-Content-Options
X-Drectory-Script
Charset
Vacache
Access-Control-Request-Method
X-Nitra-Side
X-ATG-Version
Proxy-Agent
Content-Encoding-Handler
X-NoCache
X-Trace-App
X-DynaTrace-JS-Agent
X-Duration
Response
ServerName
S
X-Purge-URL
X-Cache-Expires
Accept-Encoding
X-Hits
X-Cookie-Domain
Cache
X-Sol
X-CJ-Soft
X-PERF
X-ApacheServer
Machine
COMMERCE-SERVER-SOFTWARE
Fhost
X-PwB-Node
X-Varnish-Forwarded-For
X-BackEnd
Host
X-Director
X-Speed-Cache
X-Varnish-Backend
X-Speed-Cache-Key
X-GeoIP-Country-Code
X-LiteSpeed-Cache
X-Micro-Cache
AMF-Ver
X-Microcachable
X-Front
X-FW
Edge-Control
X-GeoIP-Country-Name
X-Yadis-Location
X-Hosted-By
Filter-Revision
X-Srv
X-Orig-Vary
X-Middleton-Response
X-FW-Static
X-Content-Security-Policy
X-Expires-Orig
X-Whom
X-FIRSTBase
SID
WWW-Authenticate
X-Track
Cm-Server
RTSS
Server-Info
X-Vary-Options
X-Beep
Website-Info
Surrogate-Control
X-Varnish-Host
X-DNS-Prefetch-Control
SEOMOZ
X-Cache-Control-Orig
MJ12bot
X-Permitted-Cross-Domain-Policies
X-Art-Request-Id
X-Ttl
Content-Disposition
Accept-Charset
X-WebKit-CSP
VAR-Cache
X-Varnish-Hits
X-ServerName
X-ServerID
X-Cocoon-Version
SN
X-Grid-Server
X-Distil-CS
ServerID
Grace
X-Source-Host
X-Blog
X-Session-Reinit
X-User-Agent
X-AOL-SNH
X-LIGHTHTTP-PCDID
X-ACMCache
X-Trace-Cache
X-AspNetWebPages-Version
X-WebServer
X-Server-ID
X-Gamma-Serve
X-App-Start
X-Pangea-Version
UniqueName
X-Ar-Debug
Id
X-TTL
X-Cache-Rule
NtCoent-Length
X-Directory-Script
MW-Webserver
X-SRV
A-Powered-By
CT
X-Varnish-Object-Age
X-Cache-TTL
NetMindSessionID
Server-Name
X-Ms-Invokeapp
Hamster
X-Time
X-App
X-S
X-N
X-Geo-IP
X-ID
X-MJ-Upstream-Addr
X-CHSN
X-Ar-Forwarded-For
X-WR-Flags
X-Sys-Req-ID
X-Server-IP
X-Cluster-Node
X-Highwire-SessionId
Server2
Cteonnt-Length
X-Highwire-RequestId
X-StoreSense
X-Domain-Checked
X-Bettercache-Proxy
X-Provisioner-Version
X-App-Status
Req-Id
X-ProStores-StoreApiEntryPoint
X-Engine
X-Varnish-Server
X-CacheHits
X-Outils-Cs
X-Trace
Apache
Srv
Nodo
X-Id
X-Wily-Servlet
X-Cache-Action
NODE
X-Swift-SaveTime
X-Wily-Info
Pool-Info
X-Swift-CacheTime
X-Developer
X-ServerCache-Info
X-Cache-Operation
X-Empowered-By
From
X-Connection-Hash
X-MJ-Serve-Req-Time
Content-Security-Policy-Report-Only
Ms
X-Transaction
X-Atraveo-Cache-Control
X-WEBSERVER
QOR-Cache
X-VARNISH-Cache
X-Atraveo-From-Varnish-Cache
X-TempDebug
X-Atraveo-NC
X-Atraveo-TTL
X-Atraveo-Varnish-Server-Id
Proxy-Connection
Webluker-Edge
Origin
Backend
X-Object-Id
SiteName
X-Object-Type
MIH-PUBLIC-IDENTIFIER
X-Device-Type
MIH-PLATFORM
X-UPSTREAM
X-Microcache-Status
X-Country-Code
MIH-CLIENT-FARM
X-Header
Edgecast
X-Cache-Config
CommunityServer
X-FW-Hash
X-FreeTag-Count
Cache-By-Node
X-Cached-Status
X-LB
X-Vtex-Cache-Key
X-Vtex-Remote-Cache
Content-MD5
X-Varnish-Cache-Hits
ORIGIN
X-Machine-Name
Location
Provider
X-Src-Webcache
SS
X-Source-ID
Web-Server
X-Recruiting
X-Jphone-Copyright
X-Turbo-Control
X-Amz-Id-1
X-Dev
Buuteeq-Source
X-Expires
Worker
X-Cms-Mode
X-ROUTE-DATA
WP-Cache
X-Rewritten-By
X-ManagedFusion-Rewriter-Version
X-Phpwcms-Release
Progma
X-Force
Powered
Content-Transfer-Encoding
Author
X-WR-MODIFICATION
LBVIS
X-PRAM
X-Origin
X-Phpwcms-Page-Processed-In
Copyright
-GCR
X-T3CacheInfo
X-Version
SRV
Mime-Version
X-Frontend
X-Amz-Meta-S3cmd-Attrs
X-Cache-Set
X-Old-Content-Length
MirrorName
X-Varnish-ID
X-BackendServer
Provided-Host
X-Translation
X-Tumblr-Pixel-6
X-ACCELERATE
X-Cache-Age
X-App-Server
Server-IP
X-Origin-Id
X-OPNET-Transaction-Trace
Be-Ip
X-GeoIP
Be-Va
X-Response-Time
Beyond-Iis
X-Host-Url
X-Cache-Ttl
X-Catalyst
X-GSL-Server
RequestTime
PageSpeed
X-Varnish-Age
Aoestatic
Front
X-LI-UUID
X-ORACLE-DMS-ECID
F-In-Cache
X-Upstream
X-DeliveryServer
X-Uid
X-Li-Pop
X-Magento-Action
X-Li-Fabric
X-FS-UUID
X-Magento-Lifetime
X-Info
X-GC-App
X-Haiku
X-Flex-Lastmod
X-GLaDOS
X-GC-Read
X-Flex-Tags
X-Cluster-ID
X-Geo-IP-Region
X-Flex-Community
X-Geo-IP-Metro
X-Geo-IPV
X-GC-Write
X-Vtex-Processado-Em
X-Cache-Lifetime
X-Geo-IP-Country
X-Frames-Options
LBC
X-Dynatrace-Js-Agent
X-REDIRECTSERVER
X-Powered-By-Server
REFRESH
X-Flex-Evstart
X-Server-Id
X-Flex-Evend
X-Flex-Lang
X-Flex-Tag
Pagely
Warning
X-Kirra-SiteId
X-MidCOM-Meta-Cache
X-Varnish-Cache-Server
ExecutionTime
Compression-Control
X-Debug
X-Mod-Oboe-PS
X-Varnish-Cache-Local
SIP
X-Vivastreet-KiwiiPage
X-JSL
X-JAL
X-Varnish-Debug-Hits
X-Vhost-ID
No
X-Framework
X-ASTRO-REWRITE
X-Vivastreet
Il-Cl
X-SN
X-TISSERVER
X-VarnCache
X-Powered
Rt-Server
X-Nginx-Server
X-Response
X-Cache-On
X-Varnish-Device
X-ATM-RServer
Test.Executivepeople.Se
Www.Mabracertifiering.Se
Www.Mirrorgate.Se
Www.Myjob.Se
P3P:CP
Open.Jobgate.Se
A1B2C3
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
Jobb.Passal.Se
X-Actindo-RS
X-Stage
X-WP
X-Yqk-Set
X-Conf
Pool
ScoreTracker
X-Powered-By-Yqk
Cluster-ID
CDN
X-Monstercache-Timeout
X-Cache-Term
X-CacheServer
X-Kermit
Ksid
Hash
Dispatcher
X-Varnish-Debug-Age
X-ATM-RTime
X-Farm-Server
X-Enhanced-By
X-CS
X-Pixelsilk-Server
X-Pixelsilk-Version
X-Varnish-Action
X-Vhost
X-Via-Kemp
X-DTC
X-Nginx-Backend
X-T3CacheTags
X-Secret
X-PageCached
X-T3Cache
X-B2f-Not-Route
X-User-Id
Rt-Fastcgi-Cache
Allow
X-FCMS-Cache
X-Venda-Hitid
NLCacheNote
X-Hash
Cache-Ctrol
X-Stale
INCOMING-TIME
X-Content-Age
X-Route
OriginServer
UNIQUE-ID
X-EdgeRouter
X-Hrouter
X-MobileDetected
WEBO
SynthaSite-ID
Cmsid
Cmstype
At-Isb
X-Real-Server
At-Shoptype
Atp-Isdpp
CP
MASTERWEBLET
X-Binarysec-Via
X-7dig
X-Locale
X-Back
X-Web-Node
X-Benchmark-Sphinx
X-Jcms-Ajax-Id
X-Location
X-Varnish-HitMiss
X-NGINX-CACHED
X-NGINX-CACHED-AT
X-Benchmark-Db
X-Varnish-Count
Esi-Enabled
X-Seschat-URL
Source
X-Node-Name
X-Generation-Time
Content-Instance
X-Channel-Maxage
X-PM-ID
7e-Page-Cache
X-Yottaa-Optimizations
X-Varnish-Beresp-Status
X-Varnish-Beresp-Ttl
X-Yottaa-Metrics
X-Benchmark-Total
X-B2f-Cache-Load
X-D-Time
X-UserAgent
X-Varnish-Beresp-Grace
X-PvInfo
X-SeschatDID
X-Benchmark-Sphinx-Count
X-Remote-Addr
X-S-Misc
X-7d-Version
BM-Cache-Node
X-MSEdge-Ref
BM-Cache-Status
IsFullSiteRequest
BM-Cache-Key
Before
X-Purge-Level
X-Accelerated-By
X-Max-Age
X-NID
ServerConfigManager.WebBugTracker
Tpt
X-Allow-Redis
POOL
Render
Tpt.Renderer
X-Artvisual-Server
X-Client-Vid
Tpt.Renderer1
X-SeschatRedID
X-Benchmark-Cache
X-SeschatTemplateID
X-SATserver
X-SeschatLayout
X-EPiphany-Vid
After
X-Internal-IP
Servername
X-Uplex
SVR
X-Hosting-Env
X-SERVER-ID
X-SilverStripe-Cache
X-Varnish-Debug-Fetch-Host
Http
If-Modified-Since
SLB
X-CMS-Nid
X-DefendeR-Runtime
HCVer
Accept
Noahs-Classifieds
X-Life
HAVer
Hej
X-Http-Host
X-Time-Microsecs
X-UD-Loopcounter
X-T
X-Loc
Accept-Language
X-Status
X-Test
X-PBY
X-Hit
X-GitHub-Request-Id
X-VarnPar1
BKREF
X-Ocache
X-CMS-Live
X-UD-REMOTE-ADDR
X-CMS-Server
Host-Service
Disaptch-Cache-Rule
X-Box
X-AISO-Cache
X-AISO-Server
Ttl
X-Bcwwwid
EI-UNIQUE-ID
X-WLD-LB
X-Server-Instance
X-ProcessESI
X-XFPC-Cache-Active
X-CMS-Tid
X-Varnish-Cookie-Debug
X-Mobile
X-VG-WebCache
X-XFPC-Cache
Requested-Host
ExecuteNonQuerySQLParam
X-HOSTTYPE
X-CMS-Sid
X-CMS-Collection
X-RemovedCookies
X-BKSrc
X-CMS-CRMSet
X-USERNAME
X-ChromeLogger-Data
X-CMS-Stage
X-UD-Target
X-WorkerInstancename
PowerCDN
X-CMS-State
X-Gondor-Server
XX
Content-ID
Server-N
X-Client-IP
X-VarnPar2
X-VTEX-Router-Backend-App
X-B
X-VTEX-Router-JanusNet-BackEndLatency
X-Pb-Mii
X-Nucleus-Cache
X-Device-Group
X-Goog-Hash
X-Mii-Cache-Hit
X-Nginx-Cache
X-VTEX-Router-JanusNet-JanusLatency
X-VTEX-Router-Powered-By
WEB-CLUSTER-NODE
X-Continum-Server
X-ERM-RunTime
X-ERM-ServerName
SFY
SBMCLOUD
Content
DCGI-Server
Expire
LFY
X-Cache-Key
X-ATP-Server
X-RequesterIP
X-CCM
X-Client-Addr
X-IDS-WS
D
X-CacheTTL
X-SERVERID
Front-End-Https
X-Platform
X-PP
Cneonction
X-MCB-Server
ProxiaInstanceId
X-Fett
No-Cookie
Www.Aujourdhui.Com
B-Powered-By
CacheControl
X-NginX-Cache
X-NginX-Server
X-Server-By
X-Server-Node
X-ERM-ServerName-AppPage
X-VTEX-Router-JanusNet-AspNetLatency
Xc
X-DC-Origin-IP
X-Feed
OGHopCount
X-Cache-Backend
X-Your-GrandPa-Would-Wait
X-PoolMember
SAVVIS
Publisher
X-Varnish-Abtest-Expires
X-Monstercache-Hash
X-ACLR-Version
X-Monstercache-Host
X-Monstercache
BALANCEDTO
X-Garden-Version
X-Ratelimit
X-Powered-Developer
XDomainRequestAllowed
Ec
X-Nginx-Host
X-Oracle-DMS-ECID
X-Original-IP
X-JSON-API-TTL
X-JSON-API-AGE
X-JSON-API-LATENCY
X-Page-Generated-At
X-Page-Generation-Time
X-Stackable-Node
X-TTL-Age
X-XHR-Current-Location
X-Would-Your-GrandPa-Wait
X-Reject
X-Author
X-ServerId
X-Nocache
X-TLServer
X-Time-Spent
X-Cache-Extended
XDisk
X-Varnish-Mode
Backend-Host
X-VTEX-Cache-Status-Janus-Edge
X-Extra-Header
X-MadeOn
X-Config-By
X-PHP-Cache
Server-Optimized-By
X-Powered-By-VTEX-Janus-Edge
X-Obvious-Tid
X-Cookie-Store
X-Environment
X-Backend-Status
CountryCode
AcceptLangage
X-Dokk-PortalId
X-MiniProfiler-Ids
X-HITS
X-PoweredBy
X-V-TTL
X-UA
X-DSMX-Rewrite-MS
X-Cached-Page
X-Varnish-URL
W
Mark
X-Hc-Host
X-Varnish-Id
X-V-Outer
Hishop
X-Req-Host
X-Req-Url
X-Created
X-Url-Store
X-GL-SRV
X-V-I-TTL
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-Varnish-Set-Cookie
No-Cache
AV1080
X-Webstats-RespID
X-Obvious-Info
CacheControlHeader
X-VTEX-Cache
X-Cluster
X-Real-IP
X-Cluster-Host
X-Adobe-Content
X-ErrorPage
X-ServerID-App
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-ORIG-PROTOCOL
X-PS-MURDOCK-CASE-NORMALIZATION
X-IP-Address
X-Cache-Me-Harder
X-R4L-VHOST
X-Header-Set-Id
Foglight-Request-UUID
HostName
X-RSS-CACHE-STATUS
X-APP
Powered-By-VeryCDN
Redirect
X-Execution-Time
X-Caching-Rule-Id
X-User-Login-Url
X-User-Authenticated
X-Location-Id
X-WAP
HTTP
X-TTFB
X-TTFB-L
X-SmugMug-Values
X-SmugMug-Hiring
Smug-Env
X-Panel-Id
X-Panel-Name
X-VHOST
X-DELIVERYSERVER
X-Varnish-Hashed-On
X-Resolver-IP
X-PROCESSED-BY
X-JG-Page-Cache
X-FarmId
Web-Head
Bs-Header
X-Varnish-Max-Age
User-Cache-Control
MachineName
Svr
X-SDE-Name
Telligent-Evolution
Ngpass-Static
HostGen
Head
X-DSMX-Render-MS