SANS ISC HTTP Header Usage Statistics


This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
X-Cache
Age
Alternate-Protocol
Content-Language
Content-Location
X-UA-Compatible
Via
X-Adblock-Key
X-Varnish
CF-RAY
X-Frame-Options
Keep-Alive
P3p
X-Check
X-Language
X-Template
X-Buckets
X-Cacheable
X-Generator
X-Hacker
X-Drupal-Cache
Access-Control-Allow-Origin
Status
WP-Super-Cache
MS-Author-Via
X-Powered-By-Plesk
X-Pad
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Geo-Port
X-Geo
X-Server
X-Xss-Protection
X-Request-Id
X-Cache-Lookup
X-Host
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
X-UA-Device
X-Rack-Cache
X-Mod-Pagespeed
X-XRDS-Location
Strict-Transport-Security
Content-Encoding
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Cache-Hits
X-Tumblr-Pixel-1
SPRequestGuid
X-SharePointHealthScore
Host-Header
X-Robots-Tag
X-Via
X-Request-ID
X-Tumblr-Pixel-2
X-INKT-URI
X-INKT-SITE
X-CF-Powered-By
X-Varnish-Cache
X-Webserver
X-Forwarded-For
X-Iinfo
X-PhApp
X-Accel-Version
X-Firenze-Processing-Times
X-Cnection
Ngpass-All
X-MS-InvokeApp
X-Url
Served-By
X-ServedBy
X-Page-Speed
Composed-By
X-Hostname
X-Served-By
X-ContextId
Access-Control-Allow-Headers
X-XN-Trace-Token
X-Backend
X-XN-XNHTML
X-Tumblr-Pixel-3
X-ShardId
X-Alternate-Cache-Key
X-ShopId
X-Stats-Visit-Token
X-Stats-Unique-Token
Access-Control-Allow-Methods
X-CDN
X-Powered-By-360WZB
X-AH-Environment
X-PC-Hit
X-PC-Key
X-PC-Host
X-PC-AppVer
X-PC-Date
Liferay-Portal
Content-Style-Type
X-Ua-Compatible
Content-Script-Type
X-Umbraco-Version
X-Mobilized-By
X-Server-Name
X-FRAME-OPTIONS
X-Cache-Info
Refresh
Rating
Powered-By-ChinaCache
X-HeyJason
Cartoon
X-Cache-Server
Thanks
SPRequestDuration
Request-Id
SPIisLatency
Cf-Railgun
X-W3TC-Minify
X-Outils-CS
X-Content-Digest
X-Spip-Cache
TCN
X-Amz-Id-2
X-FB-Debug
X-Amz-Cf-Id
X-Tumblr-Pixel-4
X-From
X-Amz-Request-Id
Real-Hostname
X-TN-ServedBy
X-Tumblr-Content-Rating
X-Px
X-PHP-Engine
X-Loop
Magicmarker
X-VCache
Page-Completion-Status
X-Generated-By
Imagetoolbar
PICS-Label
NS-RTIMER-COMPOSITE
X-Tumblr-Pixel-5
X-TNCMS-Version
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-TNCMS-Render-Time
X-Content-Encoded-By
X-Original-Content-Length
X-Cache-Status
X-Matrix-Proxy
X-Matrix-Server
X-Powered-By-Anquanbao
X-Cached-By
X-URL
X-Device
IBM-Web2-Location
X-Firenze-Processing-Time
Product
X-CMS-Version
X-Node
X-Served-From-Cache
X-Timer
X-Cached
X-Pantheon-Endpoint
X-Backend-Server
X-Pantheon-Styx-Hostname
Set-Cookie2
IISExport
Powered-By
X-Varnish-Cacheable
X-SDS
X-Age
Access-Control-Request-Method
X-FORWARDED-FOR
SID
X-Cache-Enabled
X-DynaTrace
X-Cache-Hit
X-DDC-Arch-Trace
X-Safe-Firewall
Lsrequestid
Retry-After
X-SERVER
Access-Control-Max-Age
X-Duration
X-Nitra-Side
X-Cache-Debug
X-Vtex-Cache-Key
X-Vtex-Remote-Cache
CF-Cache-Status
COMMERCE-SERVER-SOFTWARE
X-Drectory-Script
X-Varnish-TTL
ServedBy
X-Trace-App
X-PersistenceNode
Generator
DynaTrace
X-UD-Host
Charset
X-UD-Method
X-PF-Uncompressing
X-PERF
X-ApacheServer
X-I
Surrogate-Control
X-Purge-Host
Pics-Label
X-App-Hosting
X-Cdn
X-Hits
SFY
Accept-Encoding
X-Rendering-Engine
X-Art-Request-Id
LFY
Cache
X-Cache-Expires
S
AMF-Ver
ServerName
X-Content-Options
X-NoCache
X-Purge-URL
MIME-Version
X-Varnish-Backend
X-Microcachable
Proxy-Agent
Content-Encoding-Handler
X-Original-Request
Machine
VAR-Cache
X-Servedby
X-DynaTrace-JS-Agent
WWW-Authenticate
X-ATG-Version
X-Cookie-Domain
X-SRV
X-Handled-By
X-Passed-To-BeforeDispatch
X-Passed-To
X-ServerID
Filter-Revision
X-Passed-To-PostProcessResponse
X-Returned-From-PostProcessResponse
X-Actual-URL
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
Content-Disposition
X-HOSTNAME
X-Passed-To-DLL
X-Returned-From
MIH-CLIENT-FARM
MIH-PUBLIC-IDENTIFIER
MIH-PLATFORM
X-CJ-Soft
Host
RTSS
X-Pangea-Version
X-App-Start
X-Vary-Options
Id
X-Front
Node
X-TTL
X-FIRSTBase
X-Track
Cm-Server
X-BackEnd
X-Yadis-Location
Server-Info
Website-Info
X-Speed-Cache-Key
X-PwB-Node
X-Processed-By
X-Speed-Cache
X-ServerName
X-FW-Static
X-Srv
X-Director
Content-Security-Policy
NODE
MW-Webserver
X-Micro-Cache
Hamster
X-CDN-Geo-IP
X-CDN-Any-IP
X-CDN-Geo
Debug
X-Trace-Cache
Edge-Control
X-Expires-Orig
SN
X-WR-Flags
Debug-IP-Cntry
X-GeoIP-Country-Code
X-Info
Debug-Begin-IP
X-Engine
X-Hosted-By
F-In-Cache
X-Varnish-Host
Accept-Charset
X-Server-ID
X-Cluster-Node
X-Port
Webluker-Edge
X-Directory-Script
X-Source-Host
X-GeoIP-Country-Name
X-AspNetWebPages-Version
ServerID
X-DNS-Prefetch-Control
X-Gamma-Serve
X-Time
X-Distil-CS
X-Cache-Action
CT
X-Atraveo-Cache-Control
X-Cache-Control-Orig
X-Atraveo-Varnish-Server-Id
X-Blog
X-Atraveo-TTL
X-Trace
X-Atraveo-From-Varnish-Cache
X-Atraveo-NC
X-Session-Reinit
X-Sol
X-Cache-Rule
X-Permitted-Cross-Domain-Policies
Pool-Info
X-Highwire-SessionId
X-LIGHTHTTP-PCDID
X-Highwire-RequestId
X-Ms-Invokeapp
Req-Id
SEOMOZ
CommunityServer
QOR-Cache
X-ACMCache
MJ12bot
Pool
Location
Proxy-Connection
A-Powered-By
X-Varnish-Action
X-ASTRO-REWRITE
X-Version
X-StoreSense
X-ProStores-StoreApiEntryPoint
X-Cocoon-Version
UniqueName
X-Li-Fabric
X-LI-UUID
Mime-Version
X-Li-Pop
Cteonnt-Length
Author
X-ID
X-UPSTREAM
X-LiteSpeed-Cache
X-FS-UUID
X-Source-ID
X-Machine-Name
X-Cache-TTL
X-AOL-SNH
X-PRAM
X-Magento-Lifetime
ORIGIN
X-Magento-Action
MirrorName
OHS-WebNode
-GCR
X-Force
Server2
X-Geo-IP
X-MJ-Upstream-Addr
X-Id
ScoreTracker
X-Cache-Operation
X-Varnish-Cache-Hits
Cache-By-Node
X-Frontend
X-Phpwcms-Release
X-Orig-Vary
X-Phpwcms-Page-Processed-In
X-Microcache-Status
From
X-Device-Type
X-Varnish-Hits
X-N
Ibm-Web2-Location
X-Pass-Why
X-Ttl
X-FW
Aoestatic
X-App
X-Varnish-IP
X-Sys-Req-ID
X-MJ-Serve-Req-Time
X-Powered-By-Yqk
X-Varnish-Age
X-Yqk-Set
X-Response-Time
X-FreeTag-Count
NLCacheNote
X-Upstream
Content-Transfer-Encoding
X-Grid-Server
X-Provisioner-Version
X-Haiku
Nodo
X-Domain-Checked
X-Uid
X-Accelerated-By
X-GLaDOS
X-Country-Code
NetMindSessionID
NtCoent-Length
X-CHSN
X-Oracle-DMS-ECID
X-VE-IsRobot
Server-Name
X-SN
LBVIS
X-Translation
Fhost
X-DD-DomainID
X-User-Agent
Cache-Ctrol
X-TISSERVER
X-Turbo-Control
X-CacheHits
WP-Cache
X-Cached-Status
X-Wily-Info
Tpt.Renderer1
X-JSL
X-Varnish-Debug-Age
CP
SS
ExecuteNonQuerySQLParam
X-ServerCache-Info
X-Geo-IP-Country
X-Kirra-SiteId
Il-Cl
X-VarnPar1
X-Response
X-VarnCache
X-Cache-On
Rt-Server
X-Developer
X-App-Server
SIP
X-Geo-IPV
X-Geo-IP-Region
X-Geo-IP-Metro
Before
X-Vivastreet-KiwiiPage
X-Vivastreet
X-Powered
SRV
X-Varnish-Debug-Hits
X-GeoIP
ServerConfigManager.WebBugTracker
X-User-Id
Progma
Tpt.Renderer
OriginServer
Render
Apache
Content-MD5
Srv
X-Nginx-Cache
X-Varnish-ID
X-Database-Slave-Connection
X-Request-Duration
X-JAL
X-Wily-Servlet
Content-Security-Policy-Report-Only
After
X-Frames-Options
X-Src-Webcache
X-Old-Content-Length
Pagely
Backend
X-Amz-Meta-S3cmd-Attrs
X-Bettercache-Proxy
Servername
X-Varnish-Server
X-Rewritten-By
X-Kermit
X-ManagedFusion-Rewriter-Version
X-Flex-Community
X-NID
CountryCode
X-Purge-Level
X-GC-Read
Bs-Header
X-Object-Id
X-MCB-Server
X-Artvisual-Server
X-GC-Write
X-Monstercache-Timeout
X-REDIRECTSERVER
X-Flex-Tag
X-Agentscape-Info
Ms
X-Empowered-By
X-Framework
X-Transaction
Be-Ip
Response
Be-Va
X-Vtex-Processado-Em
X-Flex-Evstart
X-Powered-By-Server
X-Varnish-Cache-Local
X-GC-App
RequestTime
X-Flex-Tags
X-Flex-Lang
X-Flex-Lastmod
X-Vhost-ID
X-Debug
X-ATM-RServer
X-Vhost
CachedXSLT
X-Benchmark-Total
X-Benchmark-Sphinx-Count
X-Benchmark-Sphinx
X-Channel-Maxage
X-Header
Sql-Debug
X-Allow-Redis
SiteName
X-Caching-Rule-Id
X-Header-Set-Id
X-Benchmark-Db
X-Benchmark-Cache
X-Amz-Id-1
SynthaSite-ID
X-B2f-Cache-Load
X-ROUTE-DATA
X-Cache-Result
D
X-EdgeRouter
X-Hyper-Cache
X-Hrouter
X-S
X-Expires
X-Varnish-Device
X-T3CacheInfo
X-Max-Age
X-WP
X-CMS-Server
Hash
X-ATM-RTime
X-Venda-Hitid
X-UD-Loopcounter
X-Origin-Id
7e-Page-Cache
X-Whom
X-UD-Target
X-UD-REMOTE-ADDR
Dispatcher
X-CS
X-Jcms-Ajax-Id
MASTERWEBLET
X-NGINX-CACHED-AT
X-Varnish-Cache-Server
X-NGINX-CACHED
X-DTC
X-Actindo-RS
X-Farm-Server
X-Object-Type
X-MidCOM-Meta-Cache
CDN
X-Flex-Evend
X-NginX-Cache
Http
WEBO
Warning
X-Cache-Config
X-NginX-Server
Provider
Buuteeq-Source
X-Content-Age
REFRESH
Robots
X-ACCELERATE
X-Web-Node
X-Content-Security-Policy
Cmsid
Front
Cmstype
Test.Executivepeople.Se
X-Fortrabbit
X-DELIVERYSERVER
X-Fett
X-Via-Kemp
A1B2C3
No
Compression-Control
X-Varnish-Beresp-Ttl
X-T3CacheTags
X-Varnish-Beresp-Status
Www.Mabracertifiering.Se
X-DeliveryServer
Web-Server
X-Cache-Me-Harder
ProxiaInstanceId
Ssl-Enabled
X-Client-Vid
X-Execution-Time
X-Monstercache
X-EPiphany-Vid
X-PHP-Cache
X-Varnish-Beresp-Grace
X-Monstercache-Hash
X-PvInfo
X-Real-Server
X-Client-Addr
X-Monstercache-Host
X-B2f-Not-Route
X-Proxy
Cneonction
X-Pagecache
X-7dig
At-Shoptype
Atp-Isdpp
Accept-Language
ServerId
Ksid
PowerCDN
Cdate
Fw-Via
X-WorkerInstancename
At-Isb
X-CMS-Live
X-CMS-Nid
X-CMS-Sid
X-XFPC-Cache-Active
X-XFPC-Cache
-Onnection
Telligent-Evolution
Powered-By-VeryCloud
X-Cache-NHIT
X-7d-Version
X-Ac
X-T3Cache
BM-Cache-Status
Worker
X-Cms-Mode
Provided-Host
X-Jphone-Copyright
X-Dev
BM-Cache-Node
BM-Cache-Key
Powered-By-VeryCDN
X-LAvg
Backend-Host
X-Nginx-Server
X-Hosting-Env
X-GSL-Server
Tpt
IsFullSiteRequest
X-CMS-Stage
X-CMS-State
X-Ocache
X-B
X-RSS-CACHE-STATUS
X-T
X-Enhanced-By
Application-Version
INCOMING-TIME
X-Snapsis-PageBlaster
X-Server-Id
P3P:CP
X-Host-Url
B-Powered-By
Www.Mirrorgate.Se
Www.Myjob.Se
Jobb.Assistentpoolen.Se
Open.Jobgate.Se
Jobb.Passal.Se
Jobb.Gil.Se
Esi-Enabled
Content
X-Nginx-Backend
LBC
Cluster-ID
Accept
X-CMS-CRMSet
X-CMS-Tid
X-LB
X-CMS-Collection
X-D-Time
X-Generation-Time
Custom
X-Real-IP
Front-End-Https
X-Conf
X-Cookie-Pangea-NodeId-Received
X-S-Misc
X-PageCached
X-Cache-Term
X-Cache-Set
X-ServerId
X-Recruiting
X-Node-Name
X-Varnish-Debug-Fetch-Host
Publisher
X-ORACLE-DMS-ECID
X-Uplex
Cache-By-CoreNode
Hostname
X-Bcwwwid
Rt-Fastcgi-Cache
X-Dynatrace-Js-Agent
Hej
X-Back
HostGen
X-Varnish-Count
X-Binarysec-Via
X-RequesterIP
X-Varnish-HitMiss
SLB
X-BackendServer
No-Cache
WSCPUB-Version
WP-AdvCache-MemCached
X-V-TTL
X-Created
X-Req-Host
SVR
X-USERNAME
X-Secret
No-Cookie
X-TLServer
X-Req-Url
X-V-I-TTL
EI-UNIQUE-ID
UNIQUE-ID
X-Apache-Backend
X-HOSTTYPE
OHS-LoadBalancer
X-V-Outer
X-SV
X-Server-IP
X-Cache-Lifetime
X-VTEX-Cache
X-VTEX-Router-Backend-App
X-VTEX-Router-JanusNet-AspNetLatency
X-VTEX-Router-Powered-By
X-VTEX-Router-JanusNet-JanusLatency
X-IDS-WS
X-VTEX-Router-JanusNet-BackEndLatency
X-R4L-VHOST
X-MobileDetected
X-CMS
X-Cluster-Host
X-XHR-Current-Location
X-Nucleus-Cache
X-Cache-Key
Server-Optimized-By
Ttl
X-CCM
Expect:
X-Seschat-URL
X-SeschatDID
X-SeschatLayout
X-Varnish-Hashed-On
X-Box
X-PP
X-Cache-Age
X-SeschatRedID
X-SeschatTemplateID
X-DSMX-Render-MS
X-DSMX-Rewrite-MS
X-WebFarmNode
Foglight-Request-UUID
X-Tiny
Language
X-Server-By
X-Platform
X-Life
X-Rewrite
Beyond-Iis
X-Origin
AV1080
X-Powered-Developer
X-PoolMember
X-Ratelimit
X-Nocache
X-Server-Node
X-Cache-Control
X-TTFB-L
X-TTFB
X-SmugMug-Values
Smug-Env
X-Location
WEBSERVER
X-UA-Profile
X-Environment
SAVVIS
X-RE-Ref
X-Webstats-RespID
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-Papaya-Cache
Keywords
Description
X-ERM-ServerName
X-ERM-ServerName-AppPage
X-Dokk-PortalId
X-Papaya-Gzip
X-UA
ExecutionTime
X-Remote-Addr
X-Internal-IP
X-Test
X-Hash
X-Route
Expire
X-SmugMug-Hiring
Test
Noahs-Classifieds
X-WLD-LB
X-LTM-ID
X-Catalyst
Head
X-Hc-Host
X-Pixelsilk-Server
X-Pixelsilk-Version
X-Process-Time
XX
X-Swift-CacheTime
X-Swift-SaveTime
X-Varnish-Cookie-Debug
X-MiniProfiler-Ids
X-SilverStripe-Cache
X-Loc
Content-Instance
X-Router
X-HITS
X-Hit
X-Author
X-FCMS-Cache
X-Time-Microsecs
PageSpeed
X-PM-ID
User-Cache-Control
MachineName
X-AISO-Server
X-AISO-Cache
X-Http-Host
Time
X-Router-Backend
X-HW
X-UseReverse-Proxy
X-Gondor-Server
X-Webapp
X-ERM-RunTime