
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
X-UA-Compatible
Via
Content-Location
Keep-Alive
X-Frame-Options
CF-RAY
X-Varnish
X-Adblock-Key
X-Cacheable
X-Check
P3p
X-Language
X-Buckets
X-Template
X-Generator
X-Hacker
Access-Control-Allow-Origin
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Pad
X-Runtime
X-Geo-Port
X-Geo
X-Request-Id
MicrosoftOfficeWebServer
X-Powered-CMS
X-Server
X-Cache-Lookup
X-Host
X-Type
X-Cache-Group
X-Ac
Access-Control-Allow-Credentials
Strict-Transport-Security
X-Logged-In
X-UA-Device
Ngpass-All
X-Xss-Protection
X-Ua-Compatible
X-Rack-Cache
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-XRDS-Location
X-Tumblr-Pixel-1
X-Cache-Hits
Host-Header
SPRequestGuid
X-SharePointHealthScore
Content-Encoding
X-Via
X-Robots-Tag
X-Tumblr-Pixel-2
X-Url
X-CF-Powered-By
X-Varnish-Cache
X-INKT-URI
X-INKT-SITE
X-Iinfo
X-Accel-Version
X-Forwarded-For
X-Cnection
X-ServedBy
X-PhApp
Access-Control-Allow-Headers
X-MS-InvokeApp
X-Webserver
X-Backend
X-Served-By
Composed-By
X-Page-Speed
X-ShardId
X-ShopId
X-ContextId
X-Alternate-Cache-Key
Served-By
Access-Control-Allow-Methods
X-CDN
X-XN-Trace-Token
X-Firenze-Processing-Times
X-XN-XNHTML
X-Tumblr-Pixel-3
X-Hostname
X-AH-Environment
X-PC-Hit
X-PC-Key
X-PC-AppVer
X-PC-Date
X-PC-Host
X-Served-With
X-FRAME-OPTIONS
X-Powered-By-360WZB
Content-Style-Type
Liferay-Portal
Content-Script-Type
X-Server-Name
X-Age
X-Umbraco-Version
Refresh
X-Port
X-Spip-Cache
X-Safe-Firewall
X-Cache-Info
Rating
Cf-Railgun
SPIisLatency
Request-Id
SPRequestDuration
X-Amz-Id-2
Powered-By-ChinaCache
X-Amz-Request-Id
Cartoon
X-Cache-Server
X-Content-Digest
X-BC-Is-HA
X-Mobilized-By
X-FB-Debug
X-Cache-Result
X-Pass-Why
X-Amz-Cf-Id
X-Tumblr-Pixel-4
X-HeyJason
TCN
X-Outils-CS
Real-Hostname
X-TN-ServedBy
X-Loop
X-PHP-Engine
X-W3TC-Minify
Thanks
X-Generated-By
X-VCache
X-Tumblr-Content-Rating
X-Cache-Status
X-Device
IBM-Web2-Location
X-Px
Magicmarker
X-Hyper-Cache
X-Cached-By
X-Node
X-TNCMS-Version
X-PersistenceNode
X-TNCMS-Memory-Usage
X-TNCMS-Served-By
X-TNCMS-Render-Time
X-Content-Encoded-By
Imagetoolbar
X-FORWARDED-FOR
NS-RTIMER-COMPOSITE
X-Tumblr-Pixel-5
Page-Completion-Status
Content-Security-Policy
X-Pantheon-Styx-Hostname
X-Styx-Version
X-Styx-Build-Sha
X-Styx-Build-Date
X-Pantheon-Endpoint
X-Styx-Build-Num
X-Styx-Req-Id
X-Cached
X-Served-From-Cache
X-Matrix-Proxy
X-Matrix-Server
Time
X-Timer
X-Original-Content-Length
CF-Cache-Status
X-Varnish-Cacheable
X-CMS-Version
X-HOST
Product
X-Powered-By-Anquanbao
X-From
X-DynaTrace
Retry-After
X-HOSTNAME
X-Varnish-TTL
X-SERVER
X-Cache-Enabled
X-Firenze-Processing-Time
Generator
X-Backend-Server
DynaTrace
X-DDC-Arch-Trace
Node
ServedBy
IISExport
Powered-By
X-Xrds-Location
X-Rendering-Engine
Set-Cookie2
PICS-Label
X-App-Hosting
Access-Control-Max-Age
X-URL
X-Request-ID
Pics-Label
X-I
X-Cache-Debug
X-Original-Request
X-Cache-Hit
X-CDN-Geo-IP
X-CDN-Geo
X-CDN-Any-IP
X-Passed-To-PostProcessResponse
X-Returned-From-PostProcessResponse
X-Passed-To-DLL
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
X-Returned-From
X-Passed-To
X-Handled-By
X-Actual-URL
X-Purge-Host
X-UD-Host
X-UD-Method
X-Passed-To-BeforeDispatch
Lsrequestid
Ngpass-Vcall
X-PF-Uncompressing
X-Varnish-IP
Charset
X-SDS
X-Content-Options
X-Drectory-Script
MIME-Version
X-Duration
X-Processed-By
Vacache
Access-Control-Request-Method
X-ATG-Version
X-NoCache
Content-Encoding-Handler
Proxy-Agent
ServerName
X-Trace-App
X-Nitra-Side
X-Purge-URL
X-Cache-Expires
Accept-Encoding
X-DynaTrace-JS-Agent
X-Cookie-Domain
X-Hits
S
Response
Cache
X-ApacheServer
X-PERF
X-Sol
COMMERCE-SERVER-SOFTWARE
X-Speed-Cache
Fhost
X-Speed-Cache-Key
Machine
X-GeoIP-Country-Code
X-Varnish-Forwarded-For
X-BackEnd
X-Varnish-Backend
X-Director
X-CJ-Soft
X-LiteSpeed-Cache
X-Micro-Cache
X-PwB-Node
X-GeoIP-Country-Name
X-FIRSTBase
Host
X-FW-Static
X-FW
X-Microcachable
Edge-Control
X-Srv
X-Track
X-Orig-Vary
X-Hosted-By
X-Vary-Options
X-Content-Security-Policy
X-Expires-Orig
X-Front
X-Yadis-Location
X-Whom
X-DNS-Prefetch-Control
SID
AMF-Ver
Filter-Revision
X-Middleton-Response
RTSS
WWW-Authenticate
Surrogate-Control
Content-Disposition
X-Beep
X-Cache-Control-Orig
Cm-Server
X-Permitted-Cross-Domain-Policies
Website-Info
Server-Info
X-Art-Request-Id
X-WebKit-CSP
Accept-Charset
MJ12bot
X-Varnish-Host
SEOMOZ
X-Varnish-Hits
VAR-Cache
X-ServerName
X-ServerID
X-Ttl
X-TTL
X-Cocoon-Version
SN
X-Distil-CS
X-Blog
ServerID
X-Session-Reinit
X-Source-Host
X-User-Agent
Server-Name
X-Grid-Server
X-WebServer
X-Server-ID
X-AspNetWebPages-Version
X-ACMCache
X-AOL-SNH
X-Ar-Debug
X-Pangea-Version
X-App-Start
Hamster
UniqueName
X-Trace-Cache
X-Directory-Script
Req-Id
A-Powered-By
MW-Webserver
Grace
X-SRV
NtCoent-Length
CT
X-Varnish-Object-Age
X-LIGHTHTTP-PCDID
NetMindSessionID
X-Ms-Invokeapp
X-Cache-TTL
X-Geo-IP
Id
X-Gamma-Serve
X-Cache-Rule
X-Engine
X-ID
X-App
X-Time
X-N
X-CHSN
Cteonnt-Length
X-Highwire-RequestId
X-Server-IP
X-Highwire-SessionId
X-WR-Flags
X-Sys-Req-ID
X-Cluster-Node
X-MJ-Upstream-Addr
X-Ar-Forwarded-For
Server2
X-S
X-App-Status
X-Provisioner-Version
X-StoreSense
X-ProStores-StoreApiEntryPoint
X-Bettercache-Proxy
X-Domain-Checked
X-CacheHits
Srv
X-Outils-Cs
Nodo
X-Id
X-Trace
X-Varnish-Server
NODE
X-Swift-CacheTime
X-Swift-SaveTime
X-Cache-Action
X-Wily-Info
X-Wily-Servlet
X-TempDebug
X-Vtex-Cache-Key
X-Atraveo-From-Varnish-Cache
X-Atraveo-Varnish-Server-Id
Origin
X-Atraveo-Cache-Control
X-Atraveo-TTL
X-FW-Hash
X-Atraveo-NC
Webluker-Edge
X-ServerCache-Info
X-MJ-Serve-Req-Time
Proxy-Connection
X-Developer
X-WEBSERVER
X-Empowered-By
QOR-Cache
X-Vtex-Remote-Cache
From
X-VARNISH-Cache
SiteName
Pool-Info
X-Object-Id
X-Object-Type
Author
X-UPSTREAM
X-Country-Code
X-Device-Type
X-Microcache-Status
Content-MD5
Edgecast
X-Cache-Operation
Content-Security-Policy-Report-Only
X-Cache-Config
Ms
X-Cached-Status
X-Connection-Hash
Apache
Content-Transfer-Encoding
X-Transaction
Buuteeq-Source
Cache-By-Node
CommunityServer
X-Machine-Name
MIH-PUBLIC-IDENTIFIER
X-Varnish-Cache-Hits
SRV
MIH-CLIENT-FARM
Backend
SS
X-Source-ID
X-Src-Webcache
MIH-PLATFORM
X-Amz-Meta-S3cmd-Attrs
Powered
Web-Server
X-Geo-IP-Metro
X-Amz-Id-1
X-Origin
X-Expires
X-Phpwcms-Page-Processed-In
X-Cms-Mode
-GCR
Worker
X-Recruiting
X-Phpwcms-Release
X-Geo-IP-Country
WP-Cache
X-Geo-IP-Region
Copyright
X-ROUTE-DATA
Progma
X-Jphone-Copyright
X-Turbo-Control
X-Dev
X-Force
X-WR-MODIFICATION
LBVIS
X-T3CacheInfo
X-PRAM
X-LB
X-Header
X-FreeTag-Count
X-Geo-IPV
X-ManagedFusion-Rewriter-Version
X-Rewritten-By
Provided-Host
X-Old-Content-Length
MirrorName
Mime-Version
X-BackendServer
X-Varnish-ID
X-Vtex-Processado-Em
ORIGIN
X-Version
Provider
X-Translation
X-Frontend
Location
X-Cache-Age
X-Info
X-Origin-Id
Beyond-Iis
X-Cache-Ttl
Server-IP
X-Response-Time
Be-Va
Be-Ip
X-GeoIP
No
X-Varnish-Debug-Hits
X-Cache-Set
X-ACCELERATE
PageSpeed
X-Catalyst
NLCacheNote
X-Varnish-Debug-Age
RequestTime
X-App-Server
X-GSL-Server
X-LI-UUID
X-Hash
X-Li-Pop
X-DeliveryServer
X-Li-Fabric
Front
X-Uid
X-Magento-Lifetime
X-Magento-Action
Aoestatic
X-Upstream
X-FS-UUID
X-ORACLE-DMS-ECID
F-In-Cache
X-Frames-Options
X-Flex-Tags
X-Flex-Tag
X-Server-Id
REFRESH
X-Tumblr-Pixel-6
X-Flex-Evend
X-GC-Write
X-Flex-Lastmod
X-Dynatrace-Js-Agent
X-Flex-Evstart
X-Powered-By-Server
X-Cache-Lifetime
X-Flex-Lang
LBC
X-Flex-Community
X-GC-Read
X-REDIRECTSERVER
X-GLaDOS
X-GC-App
X-Haiku
Compression-Control
X-Vhost
ServerConfigManager.WebBugTracker
X-Via-Kemp
X-Actindo-RS
X-Vhost-ID
OriginServer
INCOMING-TIME
Tpt
Render
X-VarnCache
X-Monstercache-Timeout
X-CS
X-TISSERVER
X-EPiphany-Vid
X-Client-Vid
X-Farm-Server
Pagely
X-ATM-RTime
Tpt.Renderer1
ExecutionTime
X-T3Cache
Tpt.Renderer
X-Framework
X-PageCached
X-Varnish-Cache-Server
X-ASTRO-REWRITE
X-Nginx-Backend
SIP
X-Yqk-Set
X-Debug
X-Powered
Ksid
Hash
Dispatcher
X-WP
X-Powered-By-Yqk
X-Varnish-Cache-Local
X-CacheServer
X-T3CacheTags
X-Cache-Term
X-Artvisual-Server
X-Varnish-Action
Pool
X-JAL
X-DTC
X-User-Id
X-SN
X-Mod-Oboe-PS
X-JSL
X-ATM-RServer
X-Varnish-Age
X-Stage
CDN
Rt-Server
Rt-Fastcgi-Cache
X-OPNET-Transaction-Trace
X-FCMS-Cache
IsFullSiteRequest
X-Content-Age
X-Kirra-SiteId
X-Cache-On
ScoreTracker
X-MidCOM-Meta-Cache
Allow
X-Pixelsilk-Server
P3P:CP
X-Nginx-Server
X-Pixelsilk-Version
X-Secret
Open.Jobgate.Se
Jobb.Passal.Se
A1B2C3
Il-Cl
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
X-Host-Url
X-Kermit
Before
Www.Mirrorgate.Se
Test.Executivepeople.Se
Www.Myjob.Se
After
X-Varnish-Device
X-B2f-Not-Route
X-Response
X-Vivastreet-KiwiiPage
X-Enhanced-By
X-Vivastreet
X-Cluster-ID
X-Varnish-Count
X-Route
Cluster-ID
Warning
X-Varnish-HitMiss
Www.Mabracertifiering.Se
X-Conf
X-Venda-Hitid
Cmstype
At-Isb
Cmsid
At-Shoptype
Atp-Isdpp
X-NginX-Server
SynthaSite-ID
X-MobileDetected
X-Hrouter
X-EdgeRouter
WEBO
X-Real-Server
X-NginX-Cache
X-VTEX-Router-JanusNet-BackEndLatency
X-NID
X-7dig
X-NGINX-CACHED-AT
X-Channel-Maxage
X-Jcms-Ajax-Id
X-Locale
X-VTEX-Router-Backend-App
X-VTEX-Router-Powered-By
X-VTEX-Router-JanusNet-AspNetLatency
Cache-Ctrol
X-VTEX-Router-JanusNet-JanusLatency
Source
X-Varnish-Beresp-Ttl
X-Binarysec-Via
UNIQUE-ID
MASTERWEBLET
X-Varnish-Beresp-Status
X-Location
X-B2f-Cache-Load
X-SeschatLayout
X-SeschatDID
X-Seschat-URL
Content-Instance
X-Stale
7e-Page-Cache
X-Node-Name
X-Yottaa-Optimizations
X-Accelerated-By
X-Yottaa-Metrics
POOL
X-Varnish-Beresp-Grace
X-Back
X-PM-ID
Esi-Enabled
X-SeschatRedID
X-SeschatTemplateID
BM-Cache-Node
BM-Cache-Key
CP
X-Web-Node
BM-Cache-Status
X-Allow-Redis
X-Purge-Level
X-MSEdge-Ref
X-UserAgent
X-Server-Node
X-Server-By
X-Benchmark-Db
X-Benchmark-Sphinx
X-Benchmark-Sphinx-Count
X-Benchmark-Total
ExecuteNonQuerySQLParam
X-NGINX-CACHED
X-Remote-Addr
X-PvInfo
X-Benchmark-Cache
X-7d-Version
Servername
X-SERVER-ID
X-SilverStripe-Cache
SVR
Http
X-Varnish-Debug-Fetch-Host
X-Uplex
X-Hosting-Env
Redirect
X-Internal-IP
If-Modified-Since
Content-ID
Requested-Host
Ttl
X-Box
BKREF
X-BKSrc
X-Mobile
HAVer
Noahs-Classifieds
HCVer
XX
X-Gondor-Server
Host-Service
Disaptch-Cache-Rule
X-AISO-Cache
X-AISO-Server
X-Panel-Name
X-Panel-Id
X-XFPC-Cache-Active
X-XFPC-Cache
X-UD-Loopcounter
X-S-Misc
X-UD-REMOTE-ADDR
X-UD-Target
X-WorkerInstancename
X-PROCESSED-BY
X-Resolver-IP
X-Test
X-VTEX-Cache-Status-Janus-Edge
BALANCEDTO
No-Cookie
Cneonction
X-Powered-By-VTEX-Janus-Edge
X-VarnPar1
X-VHOST
X-Varnish-Hashed-On
X-ChromeLogger-Data
X-DSMX-Render-MS
X-DSMX-Rewrite-MS
X-Loc
X-Life
X-Max-Age
X-HOSTTYPE
X-USERNAME
Accept
Hej
Accept-Language
PowerCDN
EI-UNIQUE-ID
X-Server-Instance
X-RemovedCookies
X-Varnish-Cookie-Debug
X-VG-WebCache
X-WLD-LB
SLB
X-Bcwwwid
X-CMS-Tid
X-CMS-State
X-D-Time
X-DefendeR-Runtime
X-Generation-Time
X-CMS-Stage
X-CMS-Sid
X-CMS-CRMSet
X-CMS-Collection
X-CMS-Live
X-CMS-Nid
X-CMS-Server
X-ProcessESI
X-ERM-ServerName-AppPage
X-Continum-Server
X-ERM-RunTime
X-ERM-ServerName
X-JSON-API-AGE
X-CCM
WEB-CLUSTER-NODE
LFY
SBMCLOUD
SFY
X-JSON-API-LATENCY
X-JSON-API-TTL
X-SERVERID
X-TTL-Age
X-Would-Your-GrandPa-Wait
Foglight-Request-UUID
X-Reject
X-Page-Generation-Time
X-Nginx-Host
X-Oracle-DMS-ECID
X-Page-Generated-At
X-Client-Addr
Expire
X-IDS-WS
X-ATP-Server
X-Cache-Key
X-Client-IP
Www.Aujourdhui.Com
X-Location-Id
ProxiaInstanceId
X-MCB-Server
X-Fett
X-Device-Group
X-Goog-Hash
X-VarnPar2
Content
DCGI-Server
X-SATserver
X-Pb-Mii
X-Mii-Cache-Hit
X-Nginx-Cache
X-Nucleus-Cache
X-XHR-Current-Location
X-Stackable-Node
XDomainRequestAllowed
Ec
X-Ocache
X-Your-GrandPa-Would-Wait
X-PBY
X-Varnish-Abtest-Expires
X-Status
Xc
X-Http-Host
X-Hit
X-ACLR-Version
X-Author
Front-End-Https
Publisher
OGHopCount
X-GitHub-Request-Id
X-B
X-Platform
X-Ratelimit
X-Garden-Version
X-CacheTTL
X-Monstercache
X-Monstercache-Hash
X-Feed
X-DC-Origin-IP
SAVVIS
X-Cache-Backend
D
X-PP
X-Monstercache-Host
X-T
X-FullPageCaching
X-Time-Microsecs
X-Powered-Developer
X-Original-IP
X-PoolMember
X-ServerId
X-TLServer
X-Nocache
X-Hc-Host
X-HITS
X-Webstats-RespID
X-Backend-Status
X-Cookie-Store
X-Dokk-PortalId
X-Url-Store
X-Varnish-Debug-Varnish-TTL-Set-From-Server
AV1080
X-Varnish-URL
AcceptLangage
CountryCode
X-Varnish-Set-Cookie
Mark
X-UA
CacheControl
X-GL-SRV
B-Powered-By
X-MiniProfiler-Ids
No-Cache
X-Obvious-Info
X-Obvious-Tid
OutputRewritten
X-Lang
Language
X-Varnish-Mode
X-RequesterIP
Hishop
X-MadeOn
X-Req-Host
X-Req-Url
X-Created
X-Cache-Extended
X-Time-Spent
X-V-I-TTL
X-V-Outer
X-Cached-Page
X-PoweredBy
W
X-Varnish-Id
X-V-TTL
XDisk
X-Cluster-Host
X-Cluster
X-ErrorPage
X-ServerID-App
X-SDE-Name
Head
HostGen
X-VTEX-Cache
CacheControlHeader
Telligent-Evolution
Ngpass-Static
X-Cache-Me-Harder
X-IP-Address
HTTP
MachineName
User-Cache-Control
Web-Head
Bs-Header
X-WAP
X-PS-MURDOCK-CASE-NORMALIZATION
X-PS-MURDOCK-ORIG-FILEEXT
Svr
X-PS-MURDOCK-ORIG-PROTOCOL
X-Real-IP
X-FarmId
HostName
X-Execution-Time
X-TTFB-L
X-TTFB
X-DELIVERYSERVER
Server-Optimized-By
X-Config-By
X-APP
X-RSS-CACHE-STATUS
X-PHP-Cache
X-SmugMug-Values
X-SmugMug-Hiring
X-Header-Set-Id
X-R4L-VHOST
X-Adobe-Content
X-Varnish-Max-Age
X-Caching-Rule-Id
X-User-Login-Url
Smug-Env
Server-N
X-JG-Page-Cache
X-User-Authenticated
X-Extra-Header