SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
Alternate-Protocol
X-Cache
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Buckets
X-Template
X-Generator
X-Hacker
WP-Super-Cache
Status
MS-Author-Via
X-Drupal-Cache
Access-Control-Allow-Origin
X-Cacheable
X-Pad
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Server
X-Host
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-Logged-In
X-UA-Device
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
Content-Encoding
X-Tumblr-Pixel-1
X-Cache-Hits
X-INKT-SITE
X-INKT-URI
X-Robots-Tag
X-Tumblr-Pixel-2
Host-Header
SPRequestGuid
X-SharePointHealthScore
X-PhApp
X-Webserver
X-W3TC-Minify
X-Cnection
X-Varnish-Cache
Composed-By
X-CF-Powered-By
X-Via
Served-By
X-Page-Speed
X-Forwarded-For
Strict-Transport-Security
X-Firenze-Processing-Times
X-Url
X-ServedBy
X-Served-By
X-Hostname
X-Iinfo
X-Accel-Version
X-XN-Trace-Token
X-XN-XNHTML
X-Tumblr-Pixel-3
Access-Control-Allow-Headers
Cartoon
X-MS-InvokeApp
X-Mobilized-By
X-ContextId
Access-Control-Allow-Methods
X-ShardId
X-ShopId
X-Alternate-Cache-Key
X-Umbraco-Version
X-CDN
X-Stats-Unique-Token
X-Stats-Visit-Token
X-AH-Environment
X-Backend
Content-Style-Type
X-Powered-By-360WZB
Content-Script-Type
Refresh
Liferay-Portal
X-Cache-Info
X-Server-Name
Magicmarker
Powered-By-ChinaCache
X-PC-Host
X-PC-Date
X-PC-Hit
X-PC-AppVer
X-PC-Key
Thanks
X-Geo-Port
X-Geo
X-Ua-Compatible
X-HeyJason
Rating
X-Cache-Server
X-Outils-CS
X-Amz-Id-2
TCN
X-From
Cf-Railgun
X-Amz-Request-Id
X-Powered-By-Anquanbao
X-Content-Digest
Real-Hostname
X-TN-ServedBy
X-PHP-Engine
X-Loop
X-FB-Debug
Page-Completion-Status
IBM-Web2-Location
NS-RTIMER-COMPOSITE
X-Original-Content-Length
Imagetoolbar
X-Tumblr-Pixel-4
X-Px
X-Spip-Cache
X-Generated-By
X-ChromeLogger-Data
X-TNCMS-Served-By
X-TNCMS-Render-Time
X-TNCMS-Version
X-TNCMS-Memory-Usage
PICS-Label
X-Amz-Cf-Id
X-Matrix-Proxy
X-Matrix-Server
Request-Id
SPRequestDuration
X-Tumblr-Content-Rating
SPIisLatency
X-Device
X-Content-Encoded-By
X-Drectory-Script
X-URL
Set-Cookie2
X-CDN-Any-IP
X-CDN-Geo-IP
X-CDN-Geo
X-Cached-By
X-Cache-Status
X-Tumblr-Pixel-5
IISExport
ServerName
X-Trace-App
X-CMS-Version
X-Node
X-Firenze-Processing-Time
Access-Control-Max-Age
X-Cached
CF-Cache-Status
Retry-After
X-PF-Uncompressing
Generator
X-DynaTrace
X-Age
Accept-Encoding
DynaTrace
X-I
X-Timer
COMMERCE-SERVER-SOFTWARE
X-DDC-Arch-Trace
Lsrequestid
X-FORWARDED-FOR
X-Cache-Debug
MIME-Version
ServedBy
X-ATG-Version
Product
X-SDS
X-Vary-Options
Powered-By
RTSS
X-ApacheServer
X-Art-Request-Id
X-Backend-Server
X-Nitra-Side
X-Cache-Hit
X-PERF
Time
X-UD-Host
X-Processed-By
X-UD-Method
SID
Edge-Control
Access-Control-Request-Method
X-Hosted-By
X-Pantheon-Styx-Hostname
Pics-Label
X-Pantheon-Endpoint
X-LiteSpeed-Cache
Host
Content-Encoding-Handler
LFY
SFY
X-PwB-Node
X-App-Hosting
X-NoCache
X-Vtex-Cache-Key
X-Original-Request
X-Purge-Host
X-Vtex-Remote-Cache
Machine
X-DNS-Prefetch-Control
X-DynaTrace-JS-Agent
X-Srv
Surrogate-Control
X-Director
X-Speed-Cache-Key
X-Passed-To-BeforeDispatch
X-Passed-To
X-Handled-By
X-Passed-To-DLL
X-Returned-From-DLL
X-Actual-URL
X-Returned-From-PostProcessResponse
X-Returned-From-BeforeDispatch
X-Returned-From
X-Passed-To-PostProcessResponse
Proxy-Agent
X-Varnish-Backend
NODE
X-Served-From-Cache
X-FIRSTBase
X-Cache-Expires
Node
X-Cookie-Domain
X-Cache-Enabled
X-Purge-URL
X-B2f-Cache-Load
Cache
Charset
Cm-Server
X-Speed-Cache
AMF-Ver
X-Trace-Cache
WWW-Authenticate
X-Yadis-Location
MW-Webserver
X-Ms-Invokeapp
Location
Fhost
X-Expires-Orig
Proxy-Connection
X-Orig-Vary
X-Cache-Control-Orig
Microsoftsharepointteamservices
X-CJ-Soft
X-ServerID
VAR-Cache
X-Duration
X-Varnish-TTL
X-ACMCache
X-SERVER
X-LIGHTHTTP-PCDID
Sprequestguid
X-AOL-SNH
X-Sharepointhealthscore
X-TTL
Filter-Revision
X-Server-ID
X-Content-Options
X-GeoIP-Country-Code
Content-Disposition
X-GeoIP-Country-Name
X-StoreSense
Server-Info
Website-Info
X-ProStores-StoreApiEntryPoint
X-Request-ID
X-Hits
X-Yqk-Set
X-Cocoon-Version
X-Track
X-ServerName
X-Powered-By-Yqk
Accept-Charset
X-Cache-Rule
X-Micro-Cache
X-Front
SN
Req-Id
X-MJ-Upstream-Addr
S
X-Time
X-Adobe-Content
ORIGIN
CT
X-Pangea-Version
X-UPSTREAM
X-App-Start
X-Source-Host
X-SRV
Hamster
X-MJ-Serve-Req-Time
X-FW
X-Old-Content-Length
UniqueName
X-Sys-Req-ID
Nodo
X-Session-Reinit
NetMindSessionID
X-Cluster-Node
X-Blog
X-Highwire-RequestId
X-Highwire-SessionId
Debug-Begin-IP
Webluker-Edge
X-Microcachable
X-WR-Flags
Debug
Debug-IP-Cntry
Id
X-ACCELERATE
X-CHSN
X-Varnish-Hits
QOR-Cache
X-Info
X-App
X-Gamma-Serve
X-Src-Webcache
X-Varnish-Host
From
X-Cdn
ServerID
X-Trash-Talk
Pagely
X-Engine
X-Target
X-Varnish-IP
CommunityServer
X-WebServer
X-N
X-Header
X-Accelerated-By
X-Varnish-Action
X-Distil-CS
NtCoent-Length
X-AspNetWebPages-Version
MvcResult
X-Atraveo-NC
X-Pass-Why
X-Phpwcms-Page-Processed-In
X-Microcache-Status
A-Powered-By
X-HS-MC-Reqs
X-Server-Web
X-Atraveo-TTL
X-Kirra-SiteId
X-Device-Type
X-Phpwcms-Release
Server2
X-Atraveo-Cache-Control
SynthaSite-ID
X-Varnish-Age
X-Channel-Maxage
X-Atraveo-From-Varnish-Cache
X-Hrouter
X-Atraveo-Varnish-Server-Id
X-DeliveryServer
X-EdgeRouter
X-ASTRO-REWRITE
X-PvInfo
Pool-Info
X-Cache-TTL
OHS-WebNode
X-Geo-IP
X-Cache-Operation
X-Cache-Action
X-Varnish-Server
X-Grid-Server
X-Ttl
X-Wily-Info
X-Turbo-Control
X-Wily-Servlet
ScoreTracker
X-ID
X-Machine-Name
-Onnection
X-Source
WP-Cache
X-Enhanced-By
X-Country-Code
Server-Name
X-ServerCache-Info
X-Garden-Version
X-App-Server
X-Request-Duration
X-Force
MirrorName
X-Varnish-Cache-Hits
X-FreeTag-Count
X-Source-ID
X-Database-Slave-Connection
X-PRAM
X-Benchmark-Total
X-Benchmark-Sphinx-Count
Provided-Host
X-Whom
X-Benchmark-Cache
X-Id
X-Benchmark-Sphinx
X-Cms-Mode
X-Jphone-Copyright
X-CacheHits
Content-Transfer-Encoding
X-Benchmark-Db
X-Li-Fabric
X-Varnish-Debug-Fetch-Host
Warning
X-FS-UUID
X-LI-UUID
X-Li-Pop
Author
X-Directory-Script
X-HOSTTYPE
SEOMOZ
X-Haiku
MJ12bot
X-GLaDOS
X-Frontend
X-Varnish-Debug-Age
X-SV
X-Debug
X-S
X-Response-Time
X-USERNAME
X-Uid
Beyond-Iis
X-Max-Age
X-Varnish-Debug-Hits
X-Route
X-Amz-Id-1
X-Bettercache-Proxy
X-Version
X-Cache-Me-Harder
OriginServer
RequestTime
X-Transaction
X-Expires
Front
X-REDIRECTSERVER
X-Magento-Lifetime
Xc
X-Magento-Action
F-In-Cache
X-NewRelic-App-Data
X-WLD-LB
X-T3CacheInfo
X-T3Cache
X-Nginx-Cache
Bs-Header
X-WP
X-CMS-Server
X-Monstercache-Timeout
X-Content-Age
X-SN
Jobb.Passal.Se
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
X-Frames-Options
NodeID
X-Vhost
Rt-Fastcgi-Cache
X-B2f-Not-Route
ProxiaInstanceId
Content
Ssl-Enabled
X-Varnish-ID
Www.Myjob.Se
X-Ocache
X-B
Compression-Control
Www.Mirrorgate.Se
Www.Mabracertifiering.Se
P3P:CP
X-Via-Kemp
Test.Executivepeople.Se
X-T
Open.Jobgate.Se
Cluster-ID
A1B2C3
X-UD-Target
MASTERWEBLET
Cache-Ctrol
X-Response
X-NGINX-CACHED
X-NGINX-CACHED-AT
Hash
X-UD-REMOTE-ADDR
X-UD-Loopcounter
X-JAL
If-Modified-Since
X-Venda-Hitid
X-Varnish-Cache-Local
Backend-Host
X-MidCOM-Meta-Cache
X-JSL
X-Farm-Server
X-Jcms-Ajax-Id
Powered
NLCacheNote
LBVIS
Ec
X-Vivastreet-KiwiiPage
X-Powered
CountryCode
X-Conf
X-Vivastreet
SIP
CDN
X-Apache-Backend
X-User-Id
X-Actindo-RS
X-Framework
D
Content-MD5
X-Varnish-Device
X-Test
X-Cf-Powered-By
X-IP-Address
Worker
X-ERM-ServerName-AppPage
X-Dev
X-ERM-RunTime
X-Cache-Ttl
X-ERM-ServerName
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-T3CacheTags
X-Amz-Meta-S3cmd-Attrs
Srv
X-Translation
Backend
X-Object-Type
X-Object-Id
X-Flex-Lastmod
X-Flex-Tags
X-Flex-Lang
X-Flex-Evstart
X-Flex-Tag
X-Geo-IP-Metro
Content-Instance
X-Oracle-DMS-ECID
WEBO
PowerCDN
X-Geo-IP-Country
X-Flex-Community
X-Geo-IP-Region
X-Flex-Evend
X-Geo-IPV
SRV
X-Rewritten-By
X-Recruiting
X-ManagedFusion-Rewriter-Version
CacheControlHeader
X-Webstats-RespID
Rt-Server
CacheControlMode
Cmstype
X-Varnish-Cache-Server
X-DEBUG-X-Id
X-Web-Node
X-DEBUG-Obj-Ttl
X-UA
CP
Proxy-From
Accept-Language
X-Provisioner-Version
Cmsid
X-Domain-Checked
Pool
7e-Page-Cache
Preview-Refresh
Hej
X-MSG-04
X-MSG-03
X-MSG-01
X-MSG-02
X-Nginx-Server
X-Hosting-Env
X-Papaya-Cache
B-Powered-By
PUBLISH
Keywords
X-Answer
Description
X-Node-Name
X-Papaya-Gzip
X-MCB-Server
ExecutionTime
X-Mii-Cache-Hit
X-Cache-Term
X-Device-Group
VTag
X-ATP-Server
X-Pb-Mii
X-GC-App
X-PS-MURDOCK-ORIG-PROTOCOL
Ms
X-Author
X-Server-By
X-GC-Read
X-GC-Write
X-MSG-00
Content-Security-Policy
X-View
X-MSG-06
X-Secret
SS
X-Vtex-Processado-Em
X-Powered-By-Server
X-Origin-Id
No
X-MSG-05
X-PM-ID
X-VarnCache
X-PS-MURDOCK-CASE-NORMALIZATION
X-Permitted-Cross-Domain-Policies
X-TISSERVER
Mobiquo-Is-Login
X-PS-MURDOCK-ORIG-FILEEXT
Atp-Isdpp
X-Full-URL
X-Artvisual-Server
X-Monstercache-Host
X-Monstercache-Hash
At-Isb
X-SilverStripe-Cache
XX
Provider
POOL
Robots
Aoestatic
X-Monstercache
Publisher
X-Cache-Backend
INCOMING-TIME
X-Optimization
At-Shoptype
X-Geoip-Country-Code
X-EPiphany-Vid
X-Client-Vid
X-NginX-Cache
Copyright
X-NginX-Server
SVR
SiteSpect-Identity
Apache
X-Platform
Web-Server
X-PP
X-Host-Url
Web-Head
X-FCMS-Cache
DeleGate-Ver
X-WR-MODIFICATION
CachedXSLT
MIH-PLATFORM
X-OPNET-Transaction-Trace
X-Nucleus-Cache
MIH-CLIENT-FARM
Expire
MIH-PUBLIC-IDENTIFIER
SiteName
X-Caching-Rule-Id
X-Header-Set-Id
RequestId
X-Fett
X-CCM
X-Rewrite
X-Proxy
X-IDS-WS
X-Cluster-Host
Access-Control-Expose-Headers
X-Agentscape-Info
X-Forwarded-Proto
X-Execution-Time
X-Empowered-By
HAVer
HCVer
Noahs-Classifieds
X-Varnish-Cacheable
X-Pixelsilk-Version
Spot
Custom
X-Pixelsilk-Server
X-CMS
X-Varnish-Cookie-Debug
X-7d-Version
X-7dig
X-Abuse
X-LAvg
X-Server-Id
X-XHR-Current-Location
X-Box
X-Allow-Redis
X-Purge-Level
X-Page-Generated-At
X-Page-Generation-Time
X-TTL-Age
X-JSON-API-TTL
X-JSON-API-LATENCY
X-ORACLE-DMS-ECID
Mime-Version
X-JSON-API-AGE
X-Would-Your-GrandPa-Wait
X-Your-GrandPa-Would-Wait
X-Modules
X-Serial
TimeRestart
X-Time-Microsecs
X-Hit
X-Ratelimit
X-Extra-Header
X-Cache-NHIT
X-RE-Ref
Esi-Enabled
Head
Ibm-Web2-Location
Front-End-Https
X-Symfony-Cache
Application-Version
X-FW-Static
WEBSERVER
X-WA-Info
No-Cache
X-TLServer
WebServer
EbdTrace
WP-AdvCache-MemCached
Telligent-Evolution
X-SERVERID
X-DELIVERYSERVER
X-WEBSERVER
X-WorkerInstancename
Progma
X-Loc
X-AISO-Cache
X-Life
Ap-Exec-Time-Mks
Srv-N
HostName
X-BackendServer
ServerId
X-Process-Time
X-User-Agent
X-Upstream
OriginalHost
TypeOfContent
Optimizer
CacheInfoFetch
X-Wm-1
CacheInfo
X-Unbounce-Instance
X-Hit-Cache
OutputRewritten
X-AISO-Server
X-RemovedCookies
X-ProcessESI
X-Site:
X-ProxyInstancename
X-Varnish-Count
ResourceTag
X-IP
Public-Extension
X-Server-Node
X-Crafted
Last-Modified:
X-Mobile
X-NID
X-GeoIP
X-Origin
X-MSEdge-Ref
Www.Aujourdhui.Com
VM
X-Set-Cookie
X-Developer
X-Cache-Lifetime
X-RAMCache
X-Continum-Server
X-Hash
Buuteeq-Source
X-Varnish-HitMiss
X-Config-By
X-Stackable-Node
X-Varnish-Hit
SBMCLOUD
X-Cache-Age
X-Backend-Host
UNIQUE-ID
X-Catalyst
X-PHP-Cache
INFO
X-CMS-Sid
X-CMS-Stage
Nbaid
Nbmt
X-DC-Origin-IP
X-CMS-Nid
Mark
X-CMS-State
X-Bcwwwid
Xonnection
OGHopCount
SLB
X-CMS-Tid
Login-Required
X-Rot
X-DEBUG
X-Req-Url
X-Req-Host
X-V-I-TTL
X-V-Outer
Response
X-V-TTL
X-Created
Origin
X-Vhost-ID
X-CMS-Live
X-CMS-CRMSet
X-CMS-Collection
Accept
X-PBY
X-ACLR-Version
X-VCache
Test
HTTP
X-TTFB-L
X-SmugMug-Values
X-TTFB
MachineName
OMNI-C
X-Yottaa-Optimizations
BKREF
X-Yottaa-Metrics
RayEngine
Http
X-Hc-Host
X-Environment
X-SmugMug-Hiring
X-Powered-Developer
X-Cache-Control
WZ-Cache
WZ-Device-Match
X-GitHub-Request-Id
X-Web-Hosting-Service-Provider
X-Pagename
X-Trace
Allow
Content-Control
SAVVIS
X-PoolMember
X-Status
X-BKSrc