
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
X-AspNet-Version
P3P
Link
X-XSS-Protection
X-Content-Type-Options
Age
X-Cache
Alternate-Protocol
X-Adblock-Key
Content-Language
X-UA-Compatible
Content-Location
Via
X-Varnish
CF-RAY
P3p
Keep-Alive
X-Frame-Options
X-Cacheable
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
X-Drupal-Cache
Access-Control-Allow-Origin
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-Pad
X-AspNetMvc-Version
X-Geo-Port
X-Geo
X-Runtime
MicrosoftOfficeWebServer
X-Request-Id
X-Powered-CMS
X-Server
X-Host
X-Cache-Lookup
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
X-Rack-Cache
X-XRDS-Location
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-UA-Device
Content-Encoding
Strict-Transport-Security
X-Cache-Hits
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Host-Header
X-Tumblr-Pixel-1
SPRequestGuid
X-SharePointHealthScore
X-INKT-URI
X-INKT-SITE
X-CACHE
X-Robots-Tag
X-Via
X-Tumblr-Pixel-2
X-Url
X-Webserver
X-Varnish-Cache
X-CF-Powered-By
X-PhApp
X-Accel-Version
Composed-By
X-Forwarded-For
X-Cnection
X-Iinfo
X-Page-Speed
X-Firenze-Processing-Times
X-ServedBy
Served-By
X-MS-InvokeApp
X-Served-By
X-Ua-Compatible
Access-Control-Allow-Headers
X-XN-Trace-Token
X-XN-XNHTML
X-Backend
X-ContextId
X-Hostname
X-CDN
Access-Control-Allow-Methods
X-Alternate-Cache-Key
X-ShardId
X-ShopId
X-Stats-Unique-Token
X-Stats-Visit-Token
X-Tumblr-Pixel-3
X-AH-Environment
Content-Style-Type
Content-Script-Type
X-Umbraco-Version
X-PC-Key
X-PC-Hit
Liferay-Portal
X-PC-AppVer
X-PC-Host
X-PC-Date
X-Powered-By-360WZB
X-Mobilized-By
X-FRAME-OPTIONS
X-Server-Name
X-Cache-Info
X-W3TC-Minify
Cartoon
Powered-By-ChinaCache
X-Spip-Cache
X-From
Refresh
X-Amz-Id-2
X-Outils-CS
X-HeyJason
TCN
X-FB-Debug
Request-Id
SPIisLatency
SPRequestDuration
X-Content-Digest
X-Amz-Request-Id
Cf-Railgun
Magicmarker
Rating
X-Px
X-Cache-Server
X-Amz-Cf-Id
Real-Hostname
X-TN-ServedBy
X-VCache
X-PHP-Engine
X-Loop
NS-RTIMER-COMPOSITE
Thanks
X-Device
Page-Completion-Status
X-Original-Content-Length
X-Varnish-Cacheable
X-TNCMS-Memory-Usage
X-TNCMS-Served-By
X-TNCMS-Version
X-TNCMS-Render-Time
X-Generated-By
X-Cache-Status
X-Content-Encoded-By
Imagetoolbar
PICS-Label
X-Matrix-Server
X-Cached-By
X-Matrix-Proxy
X-Powered-By-Anquanbao
X-Tumblr-Content-Rating
IBM-Web2-Location
X-Varnish-TTL
Time
X-Tumblr-Pixel-4
Set-Cookie2
X-Firenze-Processing-Time
X-Timer
X-CMS-Version
CF-Cache-Status
X-SERVER
Retry-After
X-DynaTrace-JS-Agent
X-Art-Request-Id
X-Pantheon-Styx-Hostname
X-Pantheon-Endpoint
X-Node
X-Tumblr-Pixel-5
X-Age
X-Trace-App
Product
IISExport
X-FORWARDED-FOR
X-Cached
Access-Control-Max-Age
X-ATG-Version
X-PF-Uncompressing
X-Processed-By
X-Drectory-Script
Generator
ServedBy
X-I
X-Duration
X-DDC-Arch-Trace
MIME-Version
X-Served-From-Cache
Access-Control-Request-Method
Powered-By
X-PERF
Lsrequestid
X-Cache-Debug
X-ApacheServer
X-Cache-Hit
X-Backend-Server
X-Request-ID
SID
X-Purge-Host
RTSS
X-Content-Options
Charset
COMMERCE-SERVER-SOFTWARE
X-Vtex-Remote-Cache
X-Director
X-Vtex-Cache-Key
X-App-Hosting
S
NODE
X-FIRSTBase
Surrogate-Control
X-Nitra-Side
X-SRV
ServerName
X-Cache-Enabled
Accept-Encoding
X-Speed-Cache-Key
X-UD-Host
X-UD-Method
X-Cookie-Domain
X-DNS-Prefetch-Control
X-Original-Request
Content-Disposition
X-Cache-Expires
X-NoCache
Host
X-Speed-Cache
Pics-Label
AMF-Ver
X-Vary-Options
Edge-Control
X-Purge-URL
X-LiteSpeed-Cache
Node
X-ServerName
WWW-Authenticate
X-Yadis-Location
Content-Encoding-Handler
LFY
SFY
X-Returned-From-DLL
X-Returned-From-PostProcessResponse
X-Actual-URL
X-Handled-By
X-Returned-From-BeforeDispatch
X-Passed-To-PostProcessResponse
X-Passed-To
X-Passed-To-BeforeDispatch
X-Passed-To-DLL
X-GeoIP-Country-Code
X-Returned-From
X-Front
X-Orig-Vary
X-Hosted-By
X-Rendering-Engine
X-Expires-Orig
X-URL
DynaTrace
Server-Info
X-Trace-Cache
X-Varnish-Backend
X-MJ-Upstream-Addr
X-DynaTrace
Cm-Server
Website-Info
X-SDS
X-ServerID
X-Hits
X-Micro-Cache
X-GeoIP-Country-Name
X-Cache-Control-Orig
X-Microcachable
X-Cluster-Node
Proxy-Agent
X-Cache-TTL
X-CJ-Soft
Filter-Revision
X-Track
X-App-Start
UniqueName
X-MJ-Serve-Req-Time
Proxy-Connection
X-Gamma-Serve
X-AOL-SNH
X-ACMCache
CT
X-Pangea-Version
X-CDN-Geo-IP
X-CDN-Any-IP
X-CDN-Geo
Cache
X-Cocoon-Version
X-ProStores-StoreApiEntryPoint
X-StoreSense
X-Server-ID
Req-Id
X-Source-Host
X-Ttl
X-PwB-Node
X-Time
Webluker-Edge
X-TTL
MW-Webserver
X-Srv
X-Amz-Meta-S3cmd-Attrs
NetMindSessionID
ORIGIN
X-WR-Flags
CommunityServer
Pool-Info
X-Cache-Action
X-CHSN
X-Sys-Req-ID
QOR-Cache
X-HOSTNAME
X-AspNetWebPages-Version
REFRESH
SN
From
Nodo
X-Highwire-SessionId
X-Engine
X-FW
X-Highwire-RequestId
X-N
Hamster
X-Varnish-Hits
X-Device-Type
MIH-PLATFORM
MIH-PUBLIC-IDENTIFIER
MIH-CLIENT-FARM
X-ID
ServerID
X-Microcache-Status
X-Trace
A-Powered-By
MJ12bot
Fhost
SEOMOZ
Location
X-ServerCache-Info
X-Turbo-Control
NtCoent-Length
Content-Security-Policy
X-ACCELERATE
X-Safe-Firewall
X-Machine-Name
X-Src-Webcache
X-Geo-IP
Microsoftsharepointteamservices
X-Cache-Rule
X-Permitted-Cross-Domain-Policies
X-Wily-Info
X-Varnish-Age
X-Wily-Servlet
X-T3CacheInfo
Srv
X-Magento-Lifetime
X-Blog
Id
X-Session-Reinit
X-Info
X-Cached-Status
X-Magento-Action
X-DeliveryServer
X-LIGHTHTTP-PCDID
X-UPSTREAM
Server2
X-Sharepointhealthscore
Accept-Charset
Sprequestguid
X-Varnish-Host
Beyond-Iis
NLCacheNote
X-Old-Content-Length
Content-MD5
X-Server-Web
X-Li-Fabric
Backend
Server-Name
X-FS-UUID
X-Bettercache-Proxy
X-Li-Pop
X-Powered-By-Yqk
X-Yqk-Set
X-LI-UUID
X-Expires
X-ASTRO-REWRITE
X-Ms-Invokeapp
X-Cf-Powered-By
X-Request-Duration
X-Amz-Id-1
X-Varnish-Action
X-Benchmark-Total
X-Atraveo-Varnish-Server-Id
X-Benchmark-Sphinx-Count
X-Benchmark-Sphinx
X-Benchmark-Cache
X-Benchmark-Db
X-Database-Slave-Connection
X-Pass-Why
X-Source-ID
X-Country-Code
X-PRAM
X-Atraveo-From-Varnish-Cache
X-Atraveo-NC
X-Atraveo-Cache-Control
-Onnection
X-Atraveo-TTL
X-Directory-Script
Author
X-Force
X-SN
Machine
X-Vtex-Processado-Em
X-Object-Id
X-REDIRECTSERVER
X-FW-Static
X-Transaction
X-Accelerated-By
X-Distil-CS
X-Object-Type
No
Buuteeq-Source
X-Cache-Operation
WP-Cache
X-Enhanced-By
X-Frames-Options
X-Developer
X-Varnish-IP
X-Varnish-ID
MASTERWEBLET
X-WP
X-Monstercache-Timeout
X-Channel-Maxage
CountryCode
X-Jphone-Copyright
Debug-Begin-IP
Debug
X-Content-Age
Debug-IP-Cntry
X-Version
X-Uid
Aoestatic
X-ROUTE-DATA
X-T3Cache
X-S
X-App-Server
X-Dev
X-Cms-Mode
X-Varnish-Server
Worker
X-EdgeRouter
X-Hrouter
MirrorName
SynthaSite-ID
Front
X-App
X-Node-Name
X-Translation
X-Id
X-Artvisual-Server
Ms
X-B2f-Cache-Load
X-ORACLE-DMS-ECID
Hostname
X-Content-Security-Policy
X-NGINX-CACHED
Content-Transfer-Encoding
X-Apache-Backend
X-NGINX-CACHED-AT
Www.Mirrorgate.Se
Hash
X-Farm-Server
X-Brought-To-You-By
Compression-Control
Www.Myjob.Se
X-Jcms-Ajax-Id
X-DTC
X-Dynamic
X-Varnish-Cache-Server
CDN
X-MSG-05
X-ATM-RServer
X-DEBUG-Obj-Ttl
X-ATM-RTime
Www.Mabracertifiering.Se
Web-Server
Test.Executivepeople.Se
X-DEBUG-X-Id
X-MSG-01
X-Actindo-RS
X-MSG-06
X-MSG-04
X-CS
X-MSG-02
X-MSG-03
X-MidCOM-Meta-Cache
X-Via-Kemp
X-B
X-TISSERVER
X-VarnCache
X-Response-Time
CP
X-User-Id
X-Oracle-DMS-ECID
X-VarnPar1
X-Ocache
X-Utime
X-Seen-By
X-T
RequestTime
X-Conf
Ec
X-JSL
X-JAL
X-Varnish-Device
Cluster-ID
X-Powered
X-Vhost
F-In-Cache
X-B2f-Not-Route
Ssl-Enabled
OriginServer
X-Snapsis-PageBlaster
X-Cache-Term
X-PM-ID
X-PageCached
Powered
X-CacheHits
X-Varnish-Cache-Local
X-Varnish-Cache-Hits
X-MSG-00
X-Rewritten-By
X-ERM-RunTime
X-Monstercache
X-Monstercache-Hash
X-Monstercache-Host
X-ERM-ServerName
X-ERM-ServerName-AppPage
X-ManagedFusion-Rewriter-Version
Pool
A1B2C3
X-T3CacheTags
X-Whom
X-Cache-Me-Harder
Open.Jobgate.Se
P3P:CP
Jobb.Gil.Se
Jobb.Passal.Se
Jobb.Assistentpoolen.Se
X-Provisioner-Version
X-Phpwcms-Page-Processed-In
X-Flex-Lang
X-Flex-Evend
X-Geo-IP-Country
X-Powered-By-Server
X-Flex-Evstart
X-Frontend
Origin
X-Phpwcms-Release
X-Flex-Tag
X-Flex-Lastmod
X-Debug
X-Hash
X-Flex-Tags
X-Server-Id
X-Domain-Checked
X-Geo-IPV
Cteonnt-Length
X-Geo-IP-Region
X-Geo-IP-Metro
Provider
ScoreTracker
X-Flex-Community
X-Grid-Server
Provided-Host
VAR-Cache
X-CMS
X-Recruiting
X-Web-Node
At-Isb
7e-Page-Cache
X-Real-Server
Bs-Header
Atp-Isdpp
SS
At-Shoptype
X-Garden-Version
X-NginX-Cache
Pagely
X-Venda-Hitid
Progma
SIP
X-Kermit
Cmsid
X-Header
X-Varnish-Beresp-Grace
X-Varnish-Beresp-Status
X-Varnish-Beresp-Ttl
Cmstype
No-Cookie
X-Varnish-Debug-Age
Mime-Version
D
X-FCMS-Cache
SiteName
X-Remote-Addr
X-Varnish-Debug-Hits
X-Nocache
X-Cache-Age
Content
X-NginX-Server
X-GC-Write
X-GC-Read
X-Upstream
X-GC-App
WEBO
X-FreeTag-Count
X-Nginx-Cache
Publisher
X-Header-Set-Id
X-Caching-Rule-Id
LBVIS
X-Ratelimit
X-Powered-Developer
MachineName
X-Author
Access-Control-Expose-Headers
X-Time-Microsecs
Svr
X-Vivastreet-KiwiiPage
X-Vivastreet
Cache-Ctrol
Powered-By-VeryCloud
-GCR
Il-Cl
Warning
X-UD-REMOTE-ADDR
X-UD-Loopcounter
X-UD-Target
X-Kirra-SiteId
X-Response
WEBSERVER
Head
X-Locale
X-Amz-Version-Id
X-UserAgent
X-V
Dispatcher
Tpt.Renderer1
Tpt.Renderer
After
Before
Render
ServerConfigManager.WebBugTracker
X-7dig
X-7d-Version
X-Hc-Host
WP-AdvCache-MemCached
Rt-Fastcgi-Cache
X-Vhost-ID
X-SilverStripe-Cache
X-Pixelsilk-Version
X-Pixelsilk-Server
X-Purge-Level
X-MCB-Server
X-HITS
CData
Content-Instance
XX
X-Box
TypeOfContent
X-Empowered-By
X-PS-MURDOCK-ORIG-PROTOCOL
X-SV
OriginalHost
Optimizer
X-UA
CacheDuration
CacheInfo
CacheInfoFetch
X-Allow-Redis
Xc
X-VTEX-Router-Backend-App
X-Accel-Expires
SRV
X-Varnish-Hashed-On
X-DSMX-Render-MS
X-Proxy
X-VTEX-Router-JanusNet-AspNetLatency
OHS-WebNode
X-Cache-Set
ServerId
X-VTEX-Router-Powered-By
X-VTEX-Router-JanusNet-JanusLatency
X-VTEX-Router-JanusNet-BackEndLatency
X-Origin
X-DSMX-Rewrite-MS
X-Fortrabbit
X-Server-Node
X-WebFarmNode
X-Agentscape-Info
X-IDS-WS
CachedXSLT
X-R4L-VHOST
X-Framework
X-Server-By
X-PvInfo
Servername
X-Pagecache
ProxiaInstanceId
X-CCM
X-Cache-Lifetime
X-JSON-API-LATENCY
X-JSON-API-TTL
X-JSON-API-AGE
X-Your-GrandPa-Would-Wait
X-TTL-Age
X-Would-Your-GrandPa-Wait
Expire
X-Uplex
X-WR-MODIFICATION
X-PS-MURDOCK-CASE-NORMALIZATION
X-Varnish-HitMiss
X-Test
X-Varnish-Debug-Fetch-Host
X-Dokk-PortalId
X-Platform
X-Page-Generation-Time
Copyright
X-Route
X-Host-Url
X-Rewrite
X-PS-MURDOCK-ORIG-FILEEXT
X-Page-Generated-At
X-Location
ExecutionTime
X-Origin-Id
X-Varnish-Count
B-Powered-By
X-RSS-CACHE-STATUS
LBC
X-ChromeLogger-Data
INCOMING-TIME
X-Haiku
X-Max-Age
X-GLaDOS
X-AISO-Cache
X-AISO-Server
Public-Extension
X-Back
Xonnection
Application-Version
X-XHR-Current-Location
Smug-Env
X-TTFB
X-SmugMug-Values
X-RemovedCookies
X-TTFB-L
X-VG-WebCache
X-User-Agent
Esi-Enabled
RATING
X-CMS-Tid
SLB
X-Bcwwwid
X-CMS-State
X-CMS-Stage
X-CMS-Server
X-CMS-Sid
Hej
Robots
Front-End-Https
Product-Version
X-Served2-By
Cache-By-CoreNode
Cache-By-Node
Mobiquo-Is-Login
X-Server-IP
Requested-Host
DCGI-Server
X-Http-Host
Noahs-Classifieds
WEB-CLUSTER-NODE
X-DC-Origin-IP
X-WLD-LB
X-GitHub-Request-Id
Source
Content-Security-Policy-Report-Only
X-CMS-Nid
Http
Test
X-Hit
User-Cache-Control
X-Nginx-Host
X-Secret
X-VTEX-Cache
X-SmugMug-Hiring
X-Real-IP
X-Client-Addr
X-PP
X-ProcessESI
ResourceTag
X-MiniProfiler-Ids
SBMCLOUD
X-Continum-Server
X-Config-By
X-Cache-Backend
X-Cluster-Host
X-Varnish-Cookie-Debug
UNIQUE-ID
X-SeschatTemplateID
EWHSERVER
Server-Optimized-By
X-DELIVERYSERVER
Www.Aujourdhui.Com
X-Nucleus-Cache
X-BackendApp
POOL
X-Source
Expect:
X-Panel-Id
X-Cache-Control
MyServer
X-Mobile-Device
CacheControlHeader
X-Vtex-Server
X-Forwarded
X-DEBUG
X-CDNHash
DNNOutputCache
WebDevSrc
SVR
X-Internal-IP
CACHED-RESPONSE
X-IP-Address
Server-Ip
X-Answer
X-Set-Cookie
OGHopCount
X-VTEX-Router-Backend-Environment
X-CDNIgnore
Sigma
X-Modules
X-MSG-Debug
X-Serial
X-Panel-Name
CacheControlMode
X-Pagename
X-Hit-Cache
Telligent-Evolution
PowerCDN
EbdTrace
X-WorkerInstancename
Rt-Server
X-View
X-D-Time
X-CMS-Collection
X-CMS-CRMSet
Accept
X-LB
Accept-Language
X-Generation-Time
X-S-Misc
Server-N
X-Hop-By
X-LAvg
Backend-Host
X-Catalyst
X-Nginx-Server
X-Hosting-Env
X-PBY
Redirect
X-Seschat-URL
X-SeschatDID
Apache
X-SATserver
X-BackendServer
X-Cache-NHIT
X-SeschatLayout
X-SeschatRedID
X-CMS-Live