
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
X-UA-Compatible
Via
Content-Location
X-Frame-Options
CF-RAY
Keep-Alive
X-Varnish
X-Adblock-Key
P3p
X-Check
X-Cacheable
X-Language
X-Template
X-Buckets
X-Generator
Access-Control-Allow-Origin
X-Hacker
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Ac
X-Pad
X-Geo
X-Geo-Port
X-Runtime
X-Request-Id
MicrosoftOfficeWebServer
X-Powered-CMS
X-Server
Strict-Transport-Security
X-Host
X-Type
X-Cache-Group
Access-Control-Allow-Credentials
X-Cache-Lookup
X-Logged-In
X-Mod-Pagespeed
X-UA-Device
MicrosoftSharePointTeamServices
X-Cache-Hits
X-Rack-Cache
X-XRDS-Location
Ngpass-Ngall
Host-Header
X-Url
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
SPRequestGuid
X-SharePointHealthScore
X-Via
Content-Encoding
X-Tumblr-Pixel-1
X-Forwarded-For
X-Varnish-Cache
X-Iinfo
X-Robots-Tag
X-CF-Powered-By
X-ServedBy
X-Tumblr-Pixel-2
Access-Control-Allow-Headers
X-INKT-SITE
X-INKT-URI
X-Served-By
X-PhApp
X-Accel-Version
X-Webserver
X-Cnection
X-Backend
X-MS-InvokeApp
Composed-By
Access-Control-Allow-Methods
X-Page-Speed
X-ContextId
Served-By
X-ShopId
X-Alternate-Cache-Key
X-ShardId
X-BC-Is-HA
X-CDN
X-Safe-Firewall
X-Hostname
X-Firenze-Processing-Times
X-XN-Trace-Token
X-XN-XNHTML
X-Ua-Compatible
X-Tumblr-Pixel-3
X-Request-ID
X-PC-Hit
X-PC-Key
X-PC-AppVer
X-PC-Date
X-PC-Host
X-AH-Environment
X-Served-With
Content-Style-Type
Content-Script-Type
X-Pass-Why
Liferay-Portal
X-Umbraco-Version
X-Port
X-Age
X-Spip-Cache
X-Powered-By-360WZB
X-Server-Name
SPIisLatency
Request-Id
X-Cache-Info
SPRequestDuration
X-Amz-Id-2
Refresh
X-HeyJason
Powered-By-ChinaCache
Ngpass-All
Cf-Railgun
X-Amz-Request-Id
X-FB-Debug
X-Amz-Cf-Id
X-SERVER
Rating
X-Content-Digest
Content-Security-Policy
Cartoon
X-Cache-Server
X-Outils-CS
X-Cache-Status
TCN
X-Cache-Result
X-Mobilized-By
X-Px
X-Hyper-Cache
X-Device
Real-Hostname
X-TN-ServedBy
X-Served-From-Cache
X-Cached-By
X-Loop
X-PHP-Engine
X-VCache
Page-Completion-Status
X-Tumblr-Pixel-4
Magicmarker
CF-Cache-Status
X-DynaTrace
X-From
X-PersistenceNode
X-Varnish-Cacheable
X-Generated-By
Thanks
X-TNCMS-Version
X-TNCMS-Render-Time
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
NS-RTIMER-COMPOSITE
X-Timer
DynaTrace
X-W3TC-Minify
Imagetoolbar
X-Styx-Req-Id
X-Styx-Build-Sha
X-Styx-Build-Date
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-Styx-Build-Num
X-Styx-Version
X-Content-Encoded-By
X-Cached
IBM-Web2-Location
X-Original-Content-Length
X-Tumblr-Content-Rating
X-Varnish-TTL
X-HOST
X-Varnish-IP
X-CMS-Version
X-Powered-By-Anquanbao
X-Node
X-Tumblr-Pixel-5
X-Matrix-Proxy
X-Matrix-Server
Access-Control-Max-Age
PICS-Label
X-Varnish-Forwarded-For
IISExport
Generator
X-Processed-By
Product
X-Rendering-Engine
Set-Cookie2
Proxy-Agent
X-Content-Options
X-Firenze-Processing-Time
X-CDN-Geo
X-CDN-Geo-IP
X-CDN-Any-IP
X-Backend-Server
Retry-After
X-URL
ServedBy
Time
X-DDC-Arch-Trace
X-App-Hosting
X-Cache-Enabled
X-Content-Security-Policy
X-I
X-UD-Host
Charset
X-UD-Method
Node
X-DynaTrace-JS-Agent
X-Expires-Orig
X-Cache-Debug
X-ATG-Version
Response
X-ApacheServer
X-Varnish-Backend
Edge-Control
X-Drectory-Script
Powered-By
X-DNS-Prefetch-Control
X-Original-Request
X-Duration
X-Purge-Host
X-Cache-Hit
X-SDS
Content-Encoding-Handler
X-PF-Uncompressing
X-Returned-From-BeforeDispatch
X-Returned-From-PostProcessResponse
X-Returned-From-DLL
X-Actual-URL
X-Passed-To-DLL
X-Passed-To
X-Passed-To-PostProcessResponse
X-Returned-From
X-Handled-By
X-Passed-To-BeforeDispatch
MIME-Version
X-PERF
Pics-Label
Lsrequestid
X-FW
X-NoCache
X-Nitra-Side
X-Sol
SID
X-Xrds-Location
X-Varnish-Host
X-Cache-Expires
X-WebKit-CSP
COMMERCE-SERVER-SOFTWARE
X-Cache-Control-Orig
AMF-Ver
X-Middleton-Response
X-Director
X-BackEnd
X-Micro-Cache
X-Purge-URL
X-Whom
Cache-By-Node
X-HOSTNAME
ServerName
X-Front
X-FW-Hash
X-Srv
Grace
Host
X-Speed-Cache-Key
NtCoent-Length
S
X-Orig-Vary
X-FORWARDED-FOR
X-Speed-Cache
Accept-Encoding
X-FW-Type
X-User-Agent
X-FW-Static
X-LiteSpeed-Cache
X-Yadis-Location
X-Hits
X-Permitted-Cross-Domain-Policies
Access-Control-Request-Method
X-Cookie-Domain
X-FW-Serve
Content-Disposition
Filter-Revision
X-PwB-Node
Fhost
Cache
NODE
X-CJ-Soft
X-Vary-Options
X-ServerID
X-TTL
X-Track
X-FIRSTBase
X-Hosted-By
RTSS
X-Cocoon-Version
Accept-Charset
X-Cache-TTL
X-Art-Request-Id
Surrogate-Control
WWW-Authenticate
Website-Info
Server-Info
Cm-Server
X-Varnish-Hits
X-FullPageCaching
X-GeoIP-Country-Name
X-ACMCache
X-AspNetWebPages-Version
X-ServerName
X-GeoIP-Country-Code
X-BackendServer
Id
X-Trace-Cache
X-Distil-CS
X-Trace-App
SEOMOZ
ServerID
X-Sys-Req-ID
X-Session-Reinit
X-Blog
NetMindSessionID
X-CHSN
MJ12bot
A-Powered-By
X-Cache-Config
X-Varnish-Server
X-Geo-IP
X-SN
X-WEBSERVER
X-SRV
UniqueName
X-Swift-SaveTime
X-Swift-CacheTime
Machine
X-Cf-Powered-By
X-Object-Type
X-Version
SN
X-Object-Id
X-Bettercache-Proxy
CT
X-Time
X-LIGHTHTTP-PCDID
X-Response-Time
X-Ttl
X-Engine
Microsoftsharepointteamservices
Nodo
X-Server-ID
X-Src-Webcache
Qs-Cache
X-Gamma-Serve
X-Wily-Info
Srv
X-Cluster-Node
MW-Webserver
X-Wily-Servlet
X-Vtex-Remote-Cache
X-Request-Locale
X-Highwire-SessionId
Sprequestguid
X-Sharepointhealthscore
X-MJ-Upstream-Addr
X-Highwire-RequestId
X-ID
X-Source-Host
X-WR-Flags
Req-Id
X-TempDebug
Ngpass-Vcall
VAR-Cache
X-Connection-Hash
No
X-Transaction
X-Cache-Action
Ms
X-Vtex-Processado-Em
Webluker-Edge
X-Pangea-Version
Location
Buuteeq-Source
X-App-Start
X-Resolver-IP
From
X-Microcache-Status
X-Microcachable
X-Device-Type
X-Machine-Name
Server2
X-Cache-Rule
Content-Transfer-Encoding
X-Country-Code
X-App-Status
X-Secret
X-Provisioner-Version
X-Domain-Checked
X-Recruiting
X-Ms-Invokeapp
X-Old-Content-Length
X-Vtex-Processed-At
X-VTEX-Router-Backend-App
X-Atraveo-TTL
X-VTEX-Router-JanusNet-AspNetLatency
-GCR
X-Powered-By-VTEX-Janus-Edge
X-VTEX-Router-Powered-By
X-GeoIP
X-VTEX-Router-JanusNet-JanusLatency
X-VTEX-Router-JanusNet-BackEndLatency
CommunityServer
X-VTEX-Cache-Status-Janus-Edge
X-Turbo-Control
Beyond-Iis
Origin
X-Tumblr-Pixel-6
Proxy-Connection
PageSpeed
NLCacheNote
Cteonnt-Length
X-Varnish-Object-Age
X-Atraveo-NC
X-Atraveo-Varnish-Server-Id
X-Proxy-Cache
Server-Name
X-Atraveo-From-Varnish-Cache
X-Atraveo-Cache-Control
X-MJ-Serve-Req-Time
X-App
X-Varnish-Cache-Hits
X-Trace
X-Expires
X-StoreSense
X-ProStores-StoreApiEntryPoint
X-Info
X-S
Author
X-Grid-Server
X-FreeTag-Count
Be-Ip
X-AOL-SNH
Be-Va
SiteName
X-Dynatrace
X-N
X-Stage
X-Amz-Meta-S3cmd-Attrs
X-Amz-Id-1
Hamster
X-Empowered-By
X-Powered-By-Server
X-Directory-Script
Upgrade
LBVIS
X-Debug
X-Force
X-PRAM
MirrorName
X-CacheHits
Apache
X-ServerCache-Info
X-ACCELERATE
MIH-CLIENT-FARM
Front
MIH-PLATFORM
REFRESH
SVR
X-Country
X-Stale
X-Geo-IP-Metro
X-Geo-IP-Country
X-Geo-IP-Region
X-Geo-IPV
X-Id
MIH-PUBLIC-IDENTIFIER
X-Translation
X-Cache-Age
X-UPSTREAM
X-Uid
Pool
X-Frontend
X-Cache-Lifetime
ORIGIN
Backend
X-Frames-Options
X-Block
X-Magento-Lifetime
X-Cdn
X-Channel-Maxage
X-Magento-Action
X-Dev
X-Origin
X-Jphone-Copyright
X-Varnish-Age
X-NGINX-CACHED-AT
X-Catalyst
X-NGINX-CACHED
CDN
Allow
SS
X-Powered-By-Yqk
X-Source-ID
X-Cached-Status
X-Nginx-Backend
X-Server-Id
X-Yqk-Set
X-ATM-RServer
Dispatcher
XX
Mime-Version
X-DTC
Worker
X-Actindo-RS
X-ATM-RTime
X-Cms-Mode
X-MidCOM-Meta-Cache
X-Origin-Id
X-Conf
X-CacheServer
X-CS
RequestTime
Aoestatic
X-T3CacheInfo
X-Content-Age
X-Header
X-Cache-Ttl
X-Developer
X-Gannett-Site-Version
Provided-Host
X-Rewritten-By
X-ManagedFusion-Rewriter-Version
X-PvInfo
X-Nginx-Server
Content-MD5
Edgecast
X-Accelerated-By
X-SilverStripe-Cache
X-MSEdge-Ref
X-ORACLE-DMS-ECID
7e-Page-Cache
X-B2f-Cache-Load
SRV
X-ChromeLogger-Data
X-REDIRECTSERVER
X-Varnish-Cache-Local
Ksid
ScoreTracker
QOR-Cache
X-Geolocation
X-CacheTTL
Rt-Server
BALANCEDTO
X-ASTRO-REWRITE
X-Vhost-ID
X-Cache-On
BM-Cache-Node
X-Varnish-Cookie-Debug
X-MiniProfiler-Ids
X-GSL-Server
BM-Cache-Key
A1B2C3
Ram
X-Venda-Hitid
X-Adobe-Content
X-VarnPar1
Cache-Ctrol
Jobb.Gil.Se
X-Varnish-Cache-Server
Compression-Control
Web-Server
Cpu
Il-Cl
Jobb.Passal.Se
Open.Jobgate.Se
Noq
X-Farm-Server
X-Kirra-SiteId
X-Hosting-Env
X-Cache-Operation
X-XHR-Current-Location
X-Vivastreet
X-VarnCache
X-Vivastreet-KiwiiPage
Ttl
X-Route
X-WP
X-Node-Name
Cluster-ID
LBC
Content-Instance
X-TISSERVER
Jobb.Assistentpoolen.Se
No-Cookie
X-Monstercache-Timeout
X-DeliveryServer
Accept-Language
SIP
X-T3CacheTags
OriginServer
X-Vhost
X-Varnish-ID
X-Server-By
P3P:CP
X-App-Server
X-B2f-Not-Route
X-Via-Kemp
Test.Executivepeople.Se
X-Varnish-Device
X-Varnish-Action
Www.Myjob.Se
AV1080
Www.Mirrorgate.Se
X-T3Cache
X-NID
Www.Mabracertifiering.Se
X-Ar-Debug
Cmstype
X-LI-UUID
X-Remote-Addr
Svr
X-Li-Pop
X-Li-Fabric
Disaptch-Cache-Rule
PowerCDN
X-Artvisual-Server
Cmsid
X-FS-UUID
Fpc-Cache-Id
X-MCB-Server
X-Varnish-Count
X-OPNET-Transaction-Trace
X-Uplex
X-Pagename
X-UD-REMOTE-ADDR
X-UD-Loopcounter
X-Real-Server
X-Powered
X-LB
X-Hit-Cache
Powered
WEBO
Atp-Isdpp
Provider
Http
X-GC-App
Copyright
IsFullSiteRequest
X-GC-Write
X-GC-Read
X-UD-Target
X-ROUTE-DATA
X-FCMS-Cache
X-EPiphany-Vid
X-Enhanced-By
X-Client-Vid
INCOMING-TIME
Tpt.Renderer1
Render
ServerConfigManager.WebBugTracker
Tpt.Renderer
X-Hostingcenter
X-Web-Node
X-EdgeRouter
X-Hrouter
X-SERVERID
X-MobileDetected
F-In-Cache
X-SSL
X-Location-Id
X-Nginx-Host
X-Server-Node
Before
X-Distributed-By
X-Benchmark-Sphinx-Count
X-Benchmark-Total
X-Box
X-Max-Age
X-Phpwcms-Page-Processed-In
X-Phpwcms-Release
Noahs-Classifieds
X-Benchmark-Cache
X-Benchmark-Db
X-Benchmark-Sphinx
X-CMS
X-Lb
X-7d-Version
X-7dig
X-Dynatrace-Js-Agent
X-Mobile
BM-Cache-Status
Warning
CP
Publisher
X-Time-Spent
X-Allow-Redis
X-Response
Acdc-Web
X-Yottaa-Metrics
X-Yottaa-Optimizations
WP-Cache
After
Progma
X-Varnish-HitMiss
X-PM-ID
X-Purge-Level
At-Isb
At-Shoptype
X-App-TTL
EZ-Origin
X-Ar-Forwarded-For
X-Sto
X-Hit
X-UA-Class
X-NginX-Server
X-Framework
X-NginX-Cache
X-Header-Set-Id
X-Caching-Rule-Id
Servername
Ozcache
X-Hash
X-Accel-Expires
X-Webkit-CSP
X-Garden-Version
X-ServerId
X-IDS-WS
Description
Keywords
X-Internal-IP
X-Config-By
X-Continum-Server
Source
DCGI-Server
SBMCLOUD
ExecutionTime
X-Upstream
X-Forwarded-Proto
X-Nucleus-Cache
X-Stackable-Node
X-Nginx-Cache
Rt-Fastcgi-Cache
X-Pb-Mii
X-Mii-Cache-Hit
Ec
MageStack-Cache
MageStack-Area
XDisk
MageStack-Cache-Hits
MageStack-Cache-Lifetime
MageStack-Config
MageStack-Cacheable
MageStack-Cache-Status
X-Varnish-Currency
X-Pixelsilk-Version
X-Http-Host
X-Author
OGHopCount
X-Time-Microsecs
Web-Head
X-Pixelsilk-Server
X-Hc-Host
MageStack-Debug
MageStack-Loadbalancer
X-Wm-VIP
X-Wm-1
X-Varnish-Hit
Backend-Host
X-VarnPar2
X-Drupal-Cache-Tags
X-DB-Content-Length
X-V-TTL
X-V-Outer
MageStack-Tag
MageStack-Response-Ttl
MageStack-PageSpeed
X-Created
X-Req-Host
X-V-I-TTL
X-Req-Url
X-Flex-Tags
XDomainRequestAllowed
X-Page-Generated-At
X-Locale
X-JSON-API-TTL
X-Page-Generation-Time
X-Papaya-Cache
X-PS-MURDOCK-CASE-NORMALIZATION
X-Papaya-Gzip
X-JSON-API-LATENCY
X-JSON-API-AGE
TP-L2-Cache
TP-Cache
S-Cnection
X-Cache-Backend
X-Cache-Host
X-Hosting
X-Dokk-PortalId
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-ORIG-PROTOCOL
X-Monstercache-Hash
X-Monstercache
Portlet.Expiration-Cache
X-Monstercache-Host
X-Powered-Developer
X-Varnish-URL
X-Server-IP
Xc
X-Your-GrandPa-Would-Wait
X-UserAgent
X-TTL-Age
X-Symfony-Cache
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-WAP
X-Would-Your-GrandPa-Wait
X-Webstats-RespID
Pool-Info
X-Host-Url
X-WorkerInstancename
X-Loc
X-XFPC-Cache
X-XFPC-Cache-Active
Device
X-Life
X-DefendeR-Runtime
X-CMS-Sid
X-CMS-Stage
X-CMS-State
X-CMS-Tid
Esi-Enabled
Front-End-Https
X-Wikidot-Static-Cache
X-Binarysec-Via
X-V
Cneonction
X-Wikidot-Backend
X-RSS-CACHE-STATUS
Head
X-Back
X-HasAuthorization
X-IsPremium
X-CMS-Server
X-CMS-Nid
X-SDE-Name
X-Router-Backend
X-UseReverse-Proxy
X-Webapp
EI-UNIQUE-ID
X-Router
X-RemovedCookies
WP-AdvCache-MemCached
X-Vtex-Cache-Key
X-Name
X-ProcessESI
X-GLaDOS
X-Haiku
X-Bcwwwid
X-Flex-Tag
X-CMS-CRMSet
X-CMS-Live
SLB
Hishop
X-HOSTTYPE
X-USERNAME
Accept
Hej
ExecuteNonQuerySQLParam
X-CMS-Collection
X-DELIVERYSERVER
X-DSMX-Render-MS
X-DSMX-Rewrite-MS
X-Fett
X-Client-Addr
X-CCM
X-Varnish-Debug-Hits
B-Powered-By
D
Server-Optimized-By
Www.Aujourdhui.Com
X-Flex-Evstart
X-Flex-Lang
X-Flex-Lastmod
Foglight-Request-UUID
X-Flex-Community
X-ATP-Server
X-Client-IP
X-Device-Group
X-Varnish-Debug-Age
X-Flex-Evend
Redirect
HostName
X-Cache-Set
X-Varnish-Beresp-Status
X-Varnish-Beresp-Grace
X-Varnish-Debug-Fetch-Host
X-Varnish-Beresp-Ttl
X-SERVER-ID
Dynatrace
X-Varnish-Debug-Pool-Recv
X-Varnish-Debug-Pool-Fetch
Bs-Header
X-APP
POOL
X-Feed
X-Unbounce-VisitorID
X-Original-IP
X-Unbounce-Variant
X-Unbounce-PageId
X-WR-MODIFICATION
X-Ec-Custom-Error
SFY
Server-N
LFY
No-Cache
X-Server-Instance
UNIQUE-ID
X-HITS
X-HW
X-LAvg
Ez
MachineName
X-Serendipity-InterfaceLangSource
Server-Ip
Pramga
X-Ratelimit
X-Serendipity-InterfaceLang
BKREF
X-Environment
ServerIP
X-Backend-Status
CountryCode
AcceptLangage
Title
X-Compressed-By
X-Cookie-Store
User-Cache-Control
X-Var-Hash
X-Url-Store
X-DC-Origin-IP
X-Pagecache
X-Debug-Serve
X-WA-Info
X-SATserver
X-RequesterIP
X-Backend-Ip
CacheControlHeader
ProxiaInstanceId
X-Confluence-Request-Time
X-Cluster-Host
X-Cache-Key
HAVer
X-Cluster-ID
RequestId
X-Cluster
Public-Extension
HGR-NOCACHE
X-AISO-Server
X-D-Time
X-AISO-Cache
ResourceTag
TIMESTAMP
If-Modified-Since
X-Seschat-URL
X-Gondor-Server
X-Cdn-View
X-SeschatDID
X-ErrorPage
X-FarmId
X-SeschatTemplateID
Server-IP
X-RAMCache
X-SeschatRedID
X-Source
X-SeschatLayout
Smug-Env
X-Varnish-Hashed-On
X-Extra-Header
X-Generation-Time
X-VHOST
X-S-Misc
X-TLServer
X-PROCESSED-BY
Content-Cache
Requested-Host
RATING
Language
MASTERWEBLET
X-TTFB-L
X-PHP-Cache
Content-ID
X-WLD-LB
NnCoection
X-Rot
X-BKSrc
X-Cache-Term
X-PageCached
X-TTFB
X-VG-WebCache
Mobiquo-Is-Login
X-Cached-Page
X-SmugMug-Hiring
X-Lang
Countrycode
Content
X-ACLR-Version
W
X-Req-Counter
X-SV
X-Job-Offer
X-SmugMug-Values
X-GitHub-Request-Id
HCVer