
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-Cache
X-XSS-Protection
Age
Alternate-Protocol
Content-Language
X-UA-Compatible
Via
Content-Location
X-Adblock-Key
X-Varnish
CF-RAY
X-Frame-Options
Keep-Alive
X-Check
X-Cacheable
X-Language
P3p
X-Template
X-Buckets
X-Generator
X-Hacker
X-Drupal-Cache
Access-Control-Allow-Origin
MS-Author-Via
WP-Super-Cache
Status
X-Powered-By-Plesk
X-Pad
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Geo
X-Geo-Port
X-Server
X-Xss-Protection
X-Request-Id
X-Host
X-Cache-Lookup
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
X-Rack-Cache
X-Mod-Pagespeed
X-XRDS-Location
MicrosoftSharePointTeamServices
Strict-Transport-Security
Content-Encoding
X-UA-Device
X-Cache-Hits
Host-Header
SPRequestGuid
X-SharePointHealthScore
X-Tumblr-User
Ngpass-All
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Request-ID
X-Tumblr-Pixel-1
X-Robots-Tag
X-Via
X-Varnish-Cache
X-INKT-SITE
X-INKT-URI
X-Webserver
X-Forwarded-For
X-PhApp
X-CF-Powered-By
X-Url
X-Cnection
X-Tumblr-Pixel-2
X-Iinfo
X-Accel-Version
Composed-By
Served-By
X-MS-InvokeApp
X-Firenze-Processing-Times
X-Page-Speed
X-Served-By
Access-Control-Allow-Headers
X-ServedBy
X-Backend
X-ContextId
X-XN-Trace-Token
X-XN-XNHTML
Access-Control-Allow-Methods
X-CDN
X-ShopId
X-Alternate-Cache-Key
X-ShardId
X-Stats-Visit-Token
X-Stats-Unique-Token
X-Hostname
X-AH-Environment
X-Tumblr-Pixel-3
Liferay-Portal
Content-Style-Type
Content-Script-Type
X-PC-Hit
X-PC-Key
X-PC-Host
X-PC-AppVer
X-PC-Date
X-Server-Name
X-Ua-Compatible
X-Umbraco-Version
X-Powered-By-360WZB
X-Cache-Info
X-FRAME-OPTIONS
X-Mobilized-By
Refresh
X-Spip-Cache
X-From
Request-Id
SPRequestDuration
X-HeyJason
SPIisLatency
Cartoon
Powered-By-ChinaCache
X-Amz-Id-2
X-W3TC-Minify
X-FB-Debug
Cf-Railgun
X-Content-Digest
X-Outils-CS
X-Amz-Request-Id
TCN
Magicmarker
Rating
X-Ac
X-Amz-Cf-Id
Page-Completion-Status
X-Px
X-Cache-Status
Real-Hostname
X-TN-ServedBy
X-PHP-Engine
X-Loop
X-VCache
X-Cache-Server
X-Device
Imagetoolbar
NS-RTIMER-COMPOSITE
X-TNCMS-Version
X-TNCMS-Served-By
X-TNCMS-Render-Time
X-TNCMS-Memory-Usage
X-Original-Content-Length
X-Content-Encoded-By
Thanks
X-Generated-By
X-Cached-By
PICS-Label
X-Varnish-Cacheable
X-Tumblr-Pixel-4
IBM-Web2-Location
X-Matrix-Proxy
X-Matrix-Server
X-SERVER
X-Tumblr-Content-Rating
Set-Cookie2
X-URL
X-Varnish-TTL
X-Firenze-Processing-Time
X-Powered-By-Anquanbao
X-Served-From-Cache
X-Art-Request-Id
Retry-After
X-Timer
X-Cached
X-Node
X-Processed-By
X-Tumblr-Pixel-5
X-CMS-Version
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-PersistenceNode
X-Trace-App
Generator
IISExport
Access-Control-Max-Age
X-Backend-Server
X-Age
CF-Cache-Status
Product
X-Cache-Enabled
X-Drectory-Script
Access-Control-Request-Method
X-Port
SID
X-PF-Uncompressing
X-NoCache
X-FORWARDED-FOR
X-Duration
X-Safe-Firewall
ServedBy
X-ATG-Version
X-Purge-Host
X-Cache-Debug
Powered-By
X-Vtex-Cache-Key
X-Vtex-Remote-Cache
Lsrequestid
X-I
X-DDC-Arch-Trace
X-DynaTrace
X-Cache-Hit
X-Nitra-Side
X-Director
X-PERF
X-Cookie-Domain
X-ApacheServer
X-DynaTrace-JS-Agent
MIME-Version
Charset
DynaTrace
Pics-Label
X-App-Hosting
X-Content-Options
RTSS
X-Varnish-Backend
X-Hits
X-DNS-Prefetch-Control
S
Proxy-Agent
X-Purge-URL
NODE
Surrogate-Control
Accept-Encoding
X-Cache-Expires
X-UD-Method
X-Srv
X-UD-Host
COMMERCE-SERVER-SOFTWARE
AMF-Ver
ServerName
X-Speed-Cache
X-CDN-Geo
X-CDN-Geo-IP
X-Speed-Cache-Key
X-CDN-Any-IP
Edge-Control
X-Rendering-Engine
X-SDS
Cache
X-GeoIP-Country-Code
X-Original-Request
Node
LFY
X-FIRSTBase
SFY
X-Orig-Vary
X-Yadis-Location
X-Trace-Cache
WWW-Authenticate
X-GeoIP-Country-Name
X-Returned-From-BeforeDispatch
X-Returned-From
X-Returned-From-DLL
X-Returned-From-PostProcessResponse
X-Actual-URL
Host
X-Passed-To-PostProcessResponse
X-Passed-To
X-Passed-To-DLL
X-Xrds-Location
X-Handled-By
X-Passed-To-BeforeDispatch
X-Servedby
X-SRV
X-ServerID
Cm-Server
X-Microcachable
Content-Disposition
X-Expires-Orig
Content-Encoding-Handler
X-Front
X-Cluster-Node
X-Sol
X-Cdn
X-CJ-Soft
Server-Info
CT
Website-Info
X-ServerName
X-Vary-Options
X-TTL
X-AOL-SNH
X-Pangea-Version
X-App-Start
X-BackEnd
X-Cache-Control-Orig
Filter-Revision
X-Directory-Script
A-Powered-By
X-FW-Static
Pool
X-Track
X-PwB-Node
X-Distil-CS
X-Cache-Action
MW-Webserver
X-LiteSpeed-Cache
Proxy-Connection
X-Micro-Cache
X-Hosted-By
X-ACMCache
X-StoreSense
X-Cocoon-Version
X-WR-Flags
X-Server-ID
X-ProStores-StoreApiEntryPoint
NtCoent-Length
X-Cache-TTL
X-Time
X-CHSN
QOR-Cache
NetMindSessionID
X-Gamma-Serve
X-HOSTNAME
X-Engine
X-Permitted-Cross-Domain-Policies
X-Sys-Req-ID
X-MJ-Upstream-Addr
Hamster
X-Cache-Result
X-Cache-Rule
Machine
X-FW
Req-Id
SN
Cteonnt-Length
X-Bettercache-Proxy
X-Trace
Webluker-Edge
X-Source-Host
From
X-Atraveo-TTL
X-Atraveo-Varnish-Server-Id
X-Varnish-Hits
X-Atraveo-NC
X-Atraveo-From-Varnish-Cache
CommunityServer
Nodo
X-Atraveo-Cache-Control
X-Object-Type
Content-Security-Policy
X-Turbo-Control
X-Object-Id
X-Version
Backend
X-ID
VAR-Cache
Accept-Charset
X-ACCELERATE
X-Ms-Invokeapp
X-MJ-Serve-Req-Time
X-LIGHTHTTP-PCDID
X-Highwire-RequestId
X-AspNetWebPages-Version
ServerID
X-Machine-Name
X-Country-Code
X-ASTRO-REWRITE
X-Highwire-SessionId
Pool-Info
Server-Name
MJ12bot
SEOMOZ
X-Ttl
X-User-Agent
X-Hyper-Cache
Mime-Version
X-Magento-Action
X-Force
X-Expires
X-PRAM
MirrorName
X-Magento-Lifetime
X-B2f-Cache-Load
X-Src-Webcache
X-Frames-Options
NLCacheNote
X-Varnish-Debug-Hits
X-Varnish-Debug-Age
X-Cache-Operation
X-ServerCache-Info
X-Blog
X-Varnish-ID
Id
UniqueName
X-Source-ID
X-ROUTE-DATA
MIH-PUBLIC-IDENTIFIER
MIH-CLIENT-FARM
MIH-PLATFORM
X-Info
X-Varnish-Action
X-Session-Reinit
ORIGIN
X-Geo-IP
X-Amz-Id-1
LBVIS
Fhost
X-Amz-Meta-S3cmd-Attrs
SynthaSite-ID
X-EdgeRouter
X-Hrouter
X-Microcache-Status
X-LI-UUID
X-FS-UUID
X-Li-Fabric
X-Li-Pop
Author
X-Device-Type
Ibm-Web2-Location
X-UPSTREAM
Ngpass-Vcall
Server2
X-Pass-Why
X-T3CacheInfo
X-Channel-Maxage
Vacache
X-App-Server
X-Upstream
X-Wily-Info
Debug-Begin-IP
X-Wily-Servlet
Debug
X-Request-Duration
X-Uid
X-Database-Slave-Connection
OriginServer
X-Varnish-Server
RequestTime
X-Content-Age
X-Id
X-Old-Content-Length
X-Recruiting
Debug-IP-Cntry
Content-MD5
X-VE-IsRobot
F-In-Cache
X-Kermit
Location
X-Varnish-Host
X-Cache-Config
Aoestatic
Content-Security-Policy-Report-Only
Worker
Cache-By-Node
X-Translation
X-Swift-SaveTime
X-Swift-CacheTime
X-Dev
X-N
X-Cms-Mode
X-Jphone-Copyright
Pagely
Hostname
X-SN
X-Flex-Evstart
X-TISSERVER
Cluster-ID
CDN
X-DTC
WP-Cache
X-Flex-Lang
X-Flex-Tag
X-Flex-Evend
X-Origin-Id
X-PageCached
X-Flex-Community
X-Flex-Tags
X-Flex-Lastmod
X-Actindo-RS
X-NGINX-CACHED-AT
X-REDIRECTSERVER
X-NGINX-CACHED
SS
Content-Transfer-Encoding
X-Provisioner-Version
X-Domain-Checked
X-Varnish-IP
X-Farm-Server
CP
X-Nginx-Backend
X-JSL
X-JAL
X-Jcms-Ajax-Id
X-User-Id
X-VarnCache
X-VarnPar1
Jobb.Assistentpoolen.Se
X-GeoIP
Www.Myjob.Se
Web-Server
Compression-Control
Open.Jobgate.Se
Jobb.Passal.Se
Www.Mirrorgate.Se
Www.Mabracertifiering.Se
X-WP
X-Cache-Me-Harder
X-T3CacheTags
X-Monstercache-Timeout
Test.Executivepeople.Se
X-T3Cache
X-Via-Kemp
Ssl-Enabled
CountryCode
X-Conf
X-T
X-Oracle-DMS-ECID
SIP
X-Cache-Term
X-Response-Time
X-Powered
X-Ocache
X-Vhost
X-B2f-Not-Route
P3P:CP
X-B
X-Cached-Status
X-Varnish-Device
A1B2C3
Jobb.Gil.Se
X-Powered-By-Yqk
Progma
X-Yqk-Set
D
X-Varnish-Age
X-Header
SRV
X-ManagedFusion-Rewriter-Version
X-Rewritten-By
Buuteeq-Source
WEBO
X-Node-Name
XX
Content-Instance
X-Transaction
X-SilverStripe-Cache
LBC
X-Phpwcms-Page-Processed-In
X-Phpwcms-Release
Ms
X-DeliveryServer
X-Varnish-Debug-Fetch-Host
X-Frontend
X-Uplex
Srv
Provided-Host
Http
X-MobileDetected
Front
SiteName
OHS-WebNode
X-UA
X-MidCOM-Meta-Cache
X-PM-ID
Hash
Origin
X-Header-Set-Id
X-Vhost-ID
X-Servername
MASTERWEBLET
Dispatcher
Render
ServerConfigManager.WebBugTracker
Tpt.Renderer
X-Artvisual-Server
X-Whom
X-Content-Security-Policy
X-ERM-ServerName-AppPage
X-Geo-IPV
X-Varnish-Cache-Hits
X-Debug
X-Powered-By-Server
X-ERM-ServerName
X-ERM-RunTime
Response
X-Benchmark-Sphinx-Count
X-CacheHits
Be-Ip
Sql-Debug
Be-Va
Tpt.Renderer1
CachedXSLT
X-Vtex-Processado-Em
X-Purge-Level
X-Benchmark-Db
X-Benchmark-Sphinx
ExecuteNonQuerySQLParam
X-Benchmark-Total
No-Cookie
X-ORACLE-DMS-ECID
X-Geo-IP-Metro
X-Monstercache-Host
X-Geo-IP-Country
X-Box
X-Empowered-By
X-Varnish-Cache-Local
X-Allow-Redis
X-BackendServer
X-Monstercache-Hash
X-Geo-IP-Region
X-Monstercache
-GCR
X-Agentscape-Info
X-Benchmark-Cache
After
Before
X-Grid-Server
X-Caching-Rule-Id
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Status
Apache
X-Varnish-Beresp-Grace
X-Test
X-App
X-Web-Node
X-GLaDOS
ScoreTracker
X-Accelerated-By
Cmsid
X-Hash
X-Route
X-Haiku
X-Nginx-Cache
Publisher
X-FreeTag-Count
Cmstype
X-NginX-Server
Provider
Warning
REFRESH
X-NginX-Cache
-Onnection
X-Varnish-Cookie-Debug
X-Varnish-Cache-Server
X-CS
X-GC-App
BM-Cache-Status
NnCoection
TMP
Ec
BM-Cache-Node
BM-Cache-Key
Tpt
X-Enhanced-By
X-GSL-Server
X-Varnish-Hit
X-Wm-1
OriginalHost
TypeOfContent
X-NewRelic-App-Data
Optimizer
CacheInfoFetch
X-Wm-VIP
CacheDuration
CacheInfo
IsFullSiteRequest
X-S
X-UD-Target
X-Kirra-SiteId
X-Response
X-Cache-On
X-UD-REMOTE-ADDR
X-UD-Loopcounter
Ksid
X-Hosting-Env
X-Nginx-Server
X-GC-Write
X-GC-Read
X-Vivastreet
Powered-By-VeryCDN
Cache-Ctrol
X-Vivastreet-KiwiiPage
Il-Cl
Rt-Server
Fw-Via
Cdate
X-ATM-RTime
X-ATM-RServer
X-NID
Cneonction
X-Framework
X-Pagecache
ProxiaInstanceId
X-Fett
X-DELIVERYSERVER
X-RE-Ref
SAVVIS
Servername
X-PvInfo
X-Fortrabbit
X-Real-Server
X-Cache-Set
Content
Beyond-Iis
B-Powered-By
X-PHP-Cache
X-Developer
ExecutionTime
Expire
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-Webstats-RespID
X-Proxy
X-Dokk-PortalId
No
X-Remote-Addr
Time
X-MCB-Server
X-EPiphany-Vid
X-Client-Addr
X-Hit
X-Author
X-HITS
X-Hc-Host
Noahs-Classifieds
X-WLD-LB
X-Execution-Time
X-Pixelsilk-Version
X-Pixelsilk-Server
X-Time-Microsecs
Custom
X-PoolMember
X-Powered-Developer
X-Client-Vid
User-Cache-Control
X-Ratelimit
MachineName
PageSpeed
X-Max-Age
7e-Page-Cache
X-ServerId
Bs-Header
X-VTEX-Router-JanusNet-AspNetLatency
X-VTEX-Cache
X-VTEX-Router-Backend-App
X-R4L-VHOST
Ttl
X-CMS
X-XHR-Current-Location
X-Cluster-Host
X-Cache-Key
X-Nucleus-Cache
Server-Optimized-By
Language
If-Modified-Since
X-Server-By
X-Tiny
X-SeschatTemplateID
X-SeschatRedID
X-Seschat-URL
X-SeschatDID
X-SeschatLayout
Foglight-Request-UUID
X-DSMX-Render-MS
X-VTEX-Router-JanusNet-BackEndLatency
X-VTEX-Router-JanusNet-JanusLatency
X-VTEX-Router-Powered-By
X-IDS-WS
X-CCM
X-DSMX-Rewrite-MS
X-WebFarmNode
Expect:
X-Real-IP
X-JSON-API-TTL
X-Garden-Version
Access-Control-Expose-Headers
HTTP
X-WR-MODIFICATION
X-Your-GrandPa-Would-Wait
X-Page-Generation-Time
X-TTL-Age
X-Would-Your-GrandPa-Wait
OGHopCount
X-Snapsis-PageBlaster
X-Yottaa-Optimizations
X-Source
X-Server-Node
X-Yottaa-Metrics
Mobiquo-Is-Login
X-GitHub-Request-Id
HAVer
HCVer
X-Page-Generated-At
X-Varnish-Hashed-On
X-Extra-Header
DCGI-Server
Source
X-Secret
WEB-CLUSTER-NODE
X-Continum-Server
X-Stackable-Node
X-Nginx-Host
Ozcache
X-Backend-Status
X-Locale
X-JSON-API-LATENCY
X-UserAgent
X-JSON-API-AGE
AcceptLangage
X-Cookie-Store
X-Url-Store
SBMCLOUD
X-Back
At-Shoptype
Atp-Isdpp
X-Internal-IP
X-Nocache
At-Isb
X-WorkerInstancename
Keywords
Description
OHS-LoadBalancer
AV1080
PowerCDN
Accept-Language
X-D-Time
X-Server-IP
X-Generation-Time
X-Environment
Telligent-Evolution
X-Rewrite
ServerId
WP-AdvCache-MemCached
X-Papaya-Cache
X-Cache-NHIT
SVR
X-Papaya-Gzip
X-V-TTL
X-Created
Test
X-HW
X-MiniProfiler-Ids
X-Http-Host
X-Server-Id
X-Req-Host
X-Req-Url
X-7d-Version
X-7dig
X-Venda-Hitid
X-SV
Backend-Host
X-V-I-TTL
X-V-Outer
X-LAvg
X-S-Misc
X-XFPC-Cache
WSCPUB-Version
WEBSERVER
No-Cache
X-Varnish-Count
X-UA-Profile
X-Origin
INCOMING-TIME
Application-Version
X-LTM-ID
X-Varnish-HitMiss
X-RSS-CACHE-STATUS
X-Host-Url
X-PP
X-Cache-Age
X-Platform
UNIQUE-ID
X-Cache-Control
X-Binarysec-Via
X-RequesterIP
Rt-Fastcgi-Cache
Esi-Enabled
X-CMS-Nid
X-CMS-Server
X-CMS-Sid
X-CMS-Stage
X-CMS-Live
X-CMS-CRMSet
X-XFPC-Cache-Active
X-CMS-Tid
X-CMS-Collection
X-CMS-State
Accept
Robots
X-Dynatrace-Js-Agent
Front-End-Https
HostGen
Hej
SLB
X-LB
X-Bcwwwid
X-Cache-Lifetime