
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Alternate-Protocol
Age
X-Cache
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
X-Check
X-Language
X-Buckets
X-Template
X-Hacker
X-Generator
WP-Super-Cache
P3p
Status
MS-Author-Via
X-Drupal-Cache
X-Pad
Access-Control-Allow-Origin
X-Cacheable
X-Powered-By-Plesk
X-Runtime
X-AspNetMvc-Version
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Host
X-Server
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-Logged-In
X-UA-Device
MicrosoftSharePointTeamServices
X-Mod-Pagespeed
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
Content-Encoding
X-Cache-Hits
X-Tumblr-Pixel-1
X-INKT-SITE
X-INKT-URI
X-SharePointHealthScore
SPRequestGuid
X-Robots-Tag
X-Tumblr-Pixel-2
Host-Header
X-W3TC-Minify
X-Cnection
X-PhApp
X-Webserver
X-Ua-Compatible
X-Varnish-Cache
X-CF-Powered-By
Composed-By
X-Via
Served-By
X-Forwarded-For
X-Page-Speed
X-Firenze-Processing-Times
X-ServedBy
Strict-Transport-Security
X-Url
X-Served-By
X-XN-Trace-Token
X-Hostname
X-XN-XNHTML
X-Iinfo
X-Accel-Version
X-Tumblr-Pixel-3
X-MS-InvokeApp
Access-Control-Allow-Headers
X-Mobilized-By
Cartoon
X-ContextId
X-Alternate-Cache-Key
X-ShopId
X-ShardId
X-Stats-Unique-Token
X-Stats-Visit-Token
Access-Control-Allow-Methods
X-CDN
X-Umbraco-Version
X-AH-Environment
X-Powered-By-360WZB
Content-Style-Type
Refresh
X-Backend
Content-Script-Type
Liferay-Portal
X-Cache-Info
X-Server-Name
Powered-By-ChinaCache
Magicmarker
Thanks
X-PC-Host
X-PC-AppVer
X-PC-Key
X-PC-Date
X-PC-Hit
X-HeyJason
X-Cache-Server
Rating
TCN
X-Outils-CS
X-Amz-Id-2
X-From
X-Geo-Port
X-Geo
Cf-Railgun
X-Content-Digest
X-Amz-Request-Id
X-Powered-By-Anquanbao
X-FB-Debug
Page-Completion-Status
X-TN-ServedBy
Real-Hostname
X-Loop
X-PHP-Engine
IBM-Web2-Location
X-Original-Content-Length
Imagetoolbar
X-Tumblr-Pixel-4
NS-RTIMER-COMPOSITE
X-Generated-By
PICS-Label
X-Px
X-Spip-Cache
X-Amz-Cf-Id
Request-Id
SPIisLatency
SPRequestDuration
X-Matrix-Server
X-Matrix-Proxy
X-URL
X-TNCMS-Served-By
X-ChromeLogger-Data
X-TNCMS-Memory-Usage
X-TNCMS-Version
X-Tumblr-Content-Rating
X-TNCMS-Render-Time
X-Content-Encoded-By
Set-Cookie2
X-Cache-Status
X-Drectory-Script
X-Device
X-Cached-By
X-CDN-Geo-IP
X-CDN-Any-IP
X-CDN-Geo
ServerName
X-Tumblr-Pixel-5
X-Trace-App
X-Cached
X-CMS-Version
X-Firenze-Processing-Time
X-Node
IISExport
Access-Control-Max-Age
Retry-After
CF-Cache-Status
X-PF-Uncompressing
COMMERCE-SERVER-SOFTWARE
X-SERVER
X-DynaTrace
Accept-Encoding
X-Age
DynaTrace
X-DDC-Arch-Trace
X-FORWARDED-FOR
RTSS
ServedBy
X-Timer
Lsrequestid
X-I
X-Cache-Debug
Powered-By
X-Backend-Server
MIME-Version
Generator
X-ATG-Version
X-SDS
X-Vary-Options
X-Art-Request-Id
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-Cache-Hit
Machine
Product
Pics-Label
SID
X-Nitra-Side
X-ApacheServer
X-Hosted-By
X-Processed-By
X-PwB-Node
X-UD-Host
X-Speed-Cache-Key
X-Original-Request
Access-Control-Request-Method
X-UD-Method
X-Vtex-Remote-Cache
X-Vtex-Cache-Key
Time
X-NoCache
X-PERF
Edge-Control
Content-Encoding-Handler
Surrogate-Control
X-FIRSTBase
X-Purge-Host
Host
X-Returned-From-DLL
X-Returned-From-PostProcessResponse
X-Handled-By
X-Cache-Enabled
X-Returned-From-BeforeDispatch
X-Returned-From
X-Passed-To-DLL
LFY
X-Passed-To-PostProcessResponse
X-Passed-To
X-Passed-To-BeforeDispatch
X-Actual-URL
SFY
X-Cookie-Domain
X-LiteSpeed-Cache
X-Speed-Cache
X-Srv
X-Director
X-DNS-Prefetch-Control
Node
X-App-Hosting
X-GeoIP-Country-Code
X-DynaTrace-JS-Agent
X-Purge-URL
X-Yadis-Location
Charset
WWW-Authenticate
X-Cache-Expires
Location
X-GeoIP-Country-Name
X-Served-From-Cache
MW-Webserver
X-Trace-Cache
AMF-Ver
Proxy-Agent
X-Varnish-Backend
VAR-Cache
X-Orig-Vary
Content-Disposition
X-B2f-Cache-Load
NODE
Proxy-Connection
X-CJ-Soft
Cm-Server
X-Expires-Orig
X-TTL
X-StoreSense
X-Content-Options
X-LIGHTHTTP-PCDID
X-ProStores-StoreApiEntryPoint
Fhost
Cache
X-ACMCache
X-Duration
X-Track
Filter-Revision
Req-Id
X-Cache-Control-Orig
X-ServerID
X-Cocoon-Version
X-Yqk-Set
X-Powered-By-Yqk
X-Time
Server-Info
X-Request-ID
X-Micro-Cache
Website-Info
Hamster
S
Accept-Charset
SN
X-ServerName
Pagely
X-Info
X-Target
X-Trash-Talk
X-Varnish-TTL
X-SRV
ORIGIN
CT
X-FW
UniqueName
X-Source-Host
X-MJ-Upstream-Addr
X-Old-Content-Length
X-Adobe-Content
X-Sys-Req-ID
Nodo
X-Server-ID
X-AOL-SNH
NetMindSessionID
X-Blog
X-Session-Reinit
X-MJ-Serve-Req-Time
X-Cache-Rule
X-Front
X-Gamma-Serve
Debug-IP-Cntry
X-CHSN
QOR-Cache
X-AspNetWebPages-Version
X-WR-Flags
Debug-Begin-IP
Debug
X-Hits
Webluker-Edge
Id
X-Distil-CS
X-Cluster-Node
X-Highwire-RequestId
CommunityServer
X-Highwire-SessionId
X-WebServer
X-Varnish-Host
X-Varnish-Hits
A-Powered-By
X-Cache-TTL
ServerID
X-Microcachable
From
X-UPSTREAM
X-App
X-Accelerated-By
X-PvInfo
X-Engine
NtCoent-Length
X-Header
X-Atraveo-TTL
Server2
X-Atraveo-Varnish-Server-Id
X-HS-MC-Reqs
MvcResult
X-N
X-ID
X-Atraveo-NC
X-Server-Web
X-Atraveo-Cache-Control
X-Microcache-Status
X-Device-Type
X-Atraveo-From-Varnish-Cache
Server-Name
X-ASTRO-REWRITE
X-Varnish-Action
X-Channel-Maxage
X-Geo-IP
Author
X-ACCELERATE
OHS-WebNode
X-Varnish-IP
X-Src-Webcache
X-Cache-Operation
X-Grid-Server
X-Wily-Info
X-Ttl
X-Phpwcms-Page-Processed-In
X-Machine-Name
X-Turbo-Control
X-Phpwcms-Release
ScoreTracker
Content-Transfer-Encoding
X-Varnish-Age
X-CacheHits
X-Wily-Servlet
X-Country-Code
X-Enhanced-By
X-Cache-Action
Pool-Info
X-Pass-Why
X-Source
X-FreeTag-Count
X-Pangea-Version
RequestTime
X-Benchmark-Total
X-Benchmark-Db
X-Benchmark-Sphinx
X-Benchmark-Cache
X-Benchmark-Sphinx-Count
Provided-Host
X-Request-Duration
X-PangeaVersion
X-App-Start
X-PRAM
X-Kirra-SiteId
X-Varnish-Debug-Hits
X-Force
X-SN
WP-Cache
X-Varnish-Debug-Age
X-Source-ID
MirrorName
X-Database-Slave-Connection
SRV
-Onnection
X-Hrouter
X-DeliveryServer
X-Directory-Script
X-Varnish-Server
Warning
SynthaSite-ID
X-EdgeRouter
X-HOSTTYPE
X-Cdn
X-Bettercache-Proxy
X-Transaction
X-Response-Time
X-Frontend
X-Max-Age
X-USERNAME
X-Magento-Action
X-S
X-Ms-Invokeapp
X-App-Server
X-SV
D
X-Debug
Content-MD5
X-Version
X-Garden-Version
If-Modified-Since
X-Geo-IPV
SEOMOZ
X-Whom
X-Nginx-Cache
OriginServer
NLCacheNote
X-HOSTNAME
X-ServerCache-Info
X-Uid
X-REDIRECTSERVER
X-Amz-Id-1
MJ12bot
Backend
X-Geo-IP-Country
X-Magento-Lifetime
X-Geo-IP-Metro
X-Geo-IP-Region
X-Li-Fabric
X-WLD-LB
X-Li-Pop
X-NewRelic-App-Data
X-Monstercache-Timeout
X-WP
Bs-Header
X-LI-UUID
X-FS-UUID
F-In-Cache
Content
X-Expires
Front
X-CMS-Server
LBVIS
X-Powered
X-Apache-Backend
X-Jcms-Ajax-Id
X-MidCOM-Meta-Cache
X-B2f-Not-Route
X-TISSERVER
X-Varnish-Device
X-Via-Kemp
X-Vivastreet-KiwiiPage
Ssl-Enabled
ProxiaInstanceId
X-Varnish-ID
X-Farm-Server
X-NGINX-CACHED
NodeID
MASTERWEBLET
X-B
X-JSL
X-User-Id
X-JAL
Hash
Beyond-Iis
X-Pb-Mii
X-NGINX-CACHED-AT
X-Mii-Cache-Hit
X-Device-Group
Powered
X-ATP-Server
X-Response
X-Venda-Hitid
X-Id
P3P:CP
Open.Jobgate.Se
Jobb.Passal.Se
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
Test.Executivepeople.Se
Www.Mabracertifiering.Se
X-T
Cache-Ctrol
Www.Myjob.Se
X-Conf
Www.Mirrorgate.Se
Ec
Cluster-ID
Backend-Host
CDN
SiteSpect-Identity
Compression-Control
X-Author
X-Vivastreet
X-Varnish-Cache-Hits
X-Actindo-RS
X-UD-REMOTE-ADDR
X-UD-Target
A1B2C3
X-UD-Loopcounter
X-Framework
X-Ocache
X-Cache-Me-Harder
X-GLaDOS
X-Object-Id
Srv
X-Haiku
X-Cf-Powered-By
X-Object-Type
X-Amz-Meta-S3cmd-Attrs
X-Varnish-Cache-Local
Atp-Isdpp
At-Isb
X-Translation
X-Route
X-Vtex-Processado-Em
X-Rewritten-By
Mobiquo-Is-Login
X-ManagedFusion-Rewriter-Version
Aoestatic
WEBO
At-Shoptype
X-Varnish-Debug-Fetch-Host
Content-Instance
X-Cms-Mode
PowerCDN
X-Recruiting
X-Jphone-Copyright
X-ERM-ServerName
X-ERM-ServerName-AppPage
Pool
X-Node-Name
CountryCode
Preview-Refresh
SS
X-Test
7e-Page-Cache
X-Cache-Term
Content-Security-Policy
X-Content-Age
Hej
Ms
X-PM-ID
X-Hosting-Env
X-Server-By
X-NginX-Server
X-View
X-GC-Write
X-GC-Read
X-NginX-Cache
X-Client-Vid
X-CCM
X-Forwarded-Proto
X-Proxy
X-Execution-Time
X-EPiphany-Vid
X-GC-App
X-MCB-Server
X-Web-Node
Cmstype
X-Nginx-Server
X-ERM-RunTime
CacheControlMode
Cmsid
Rt-Server
X-Powered-By-Server
VTag
Proxy-From
X-Provisioner-Version
X-Domain-Checked
CacheControlHeader
X-Varnish-Cache-Server
X-Flex-Community
X-Flex-Tags
X-MSG-01
X-MSG-00
X-Flex-Evend
X-Flex-Tag
X-Flex-Lastmod
X-DEBUG-X-Id
X-Frames-Options
Xc
X-DEBUG-Obj-Ttl
X-MSG-03
X-MSG-02
X-VarnCache
X-MSG-06
PUBLISH
No
X-Flex-Evstart
X-Vhost
B-Powered-By
X-MSG-04
X-Flex-Lang
X-MSG-05
X-Oracle-DMS-ECID
X-Optimization
X-Full-URL
Robots
RequestId
X-Artvisual-Server
Provider
X-Cache-Backend
INCOMING-TIME
XX
X-SilverStripe-Cache
X-Monstercache-Hash
X-Monstercache-Host
X-Monstercache
Publisher
X-FW-Static
X-IDS-WS
X-Cache-NHIT
X-Abuse
X-Fett
Accept-Language
CachedXSLT
X-Agentscape-Info
Copyright
X-7dig
Access-Control-Expose-Headers
X-LAvg
Rt-Fastcgi-Cache
X-Rewrite
X-OPNET-Transaction-Trace
SIP
CP
SVR
Nbmt
SiteName
X-Permitted-Cross-Domain-Policies
X-Cluster-Host
Nbaid
X-7d-Version
X-PP
Xonnection
Head
Ibm-Web2-Location
X-Nucleus-Cache
WebServer
Esi-Enabled
X-Symfony-Cache
Application-Version
X-WA-Info
WEBSERVER
No-Cache
X-FCMS-Cache
Front-End-Https
Web-Head
Apache
X-T3CacheTags
X-Platform
Mime-Version
X-Host-Url
EbdTrace
X-Cache-Ttl
X-TLServer
Telligent-Evolution
POOL
Expire
DeleGate-Ver
X-DELIVERYSERVER
X-Crafted
X-Allow-Redis
X-Answer
X-RE-Ref
TimeRestart
X-Purge-Level
Spot
Last-Modified:
X-Pixelsilk-Version
X-Varnish-Cacheable
X-Pixelsilk-Server
X-Origin-Id
Custom
X-Serial
X-Ratelimit
ExecutionTime
X-Modules
Web-Server
X-Time-Microsecs
X-Hit
X-JSON-API-LATENCY
X-Extra-Header
X-Developer
X-Page-Generated-At
X-Cache-Lifetime
X-Cache-Age
X-JSON-API-TTL
HAVer
X-Server-Node
X-Webstats-RespID
HCVer
X-TTL-Age
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-Your-GrandPa-Would-Wait
X-Varnish-Cookie-Debug
X-Empowered-By
X-JSON-API-AGE
X-Box
X-XHR-Current-Location
MIH-CLIENT-FARM
X-Would-Your-GrandPa-Wait
Noahs-Classifieds
MIH-PUBLIC-IDENTIFIER
MIH-PLATFORM
X-IP-Address
X-Secret
X-Page-Generation-Time
X-T3CacheInfo
X-T3Cache
X-Upstream
X-ORACLE-DMS-ECID
X-WorkerInstancename
X-Nocache
X-SERVERID
X-WEBSERVER
Worker
ResourceTag
Test
X-PS-MURDOCK-ORIG-PROTOCOL
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-CASE-NORMALIZATION
Public-Extension
X-IP
Keywords
X-Papaya-Cache
X-IPc
X-UA
X-Trace
X-Papaya-Gzip
Description
HTTP
BKREF
X-User-Agent
X-Process-Time
Srv-N
HostName
X-BackendServer
TypeOfContent
X-AISO-Server
X-AISO-Cache
X-Unbounce-Instance
X-Site:
X-DEBUG
ServerId
X-Loc
Progma
X-ProxyInstancename
X-ProcessESI
X-RemovedCookies
Ap-Exec-Time-Mks
X-Varnish-Count
OriginalHost
RayEngine
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-Hc-Host
INFO
OMNI-C
X-Backend-Host
UNIQUE-ID
X-Life
X-BKSrc
Optimizer
X-Catalyst
X-Varnish-HitMiss
CacheInfoFetch
CacheInfo
X-Varnish-Hit
X-Wm-1
MachineName
X-Set-Cookie
X-Vhost-ID
X-Continum-Server
X-Stackable-Node
X-CMS
X-Rot
Mark
X-DC-Origin-IP
X-Mobile
X-Vtex-Server
X-Created
X-Req-Host
X-Req-Url
OutputRewritten
X-Server-Id
X-Pta-Px
Origin
X-Processing-Begin
X-Processing-Finished
SAVVIS
X-PoolMember
X-Status
Allow
Content-Control
X-WR-MODIFICATION
Http
X-Powered-Developer
WZ-Cache
X-PBY
OGHopCount
X-ACLR-Version
X-Hash
WZ-Device-Match
X-GitHub-Request-Id
X-V-I-TTL
X-V-Outer
X-TTFB
X-TTFB-L
X-Hit-Cache
X-SmugMug-Values
X-SmugMug-Hiring
X-Forwarded
X-Web-Hosting-Service-Provider
X-Pagename
X-VCache
Login-Required
X-Caching-Rule-Id
X-Header-Set-Id
VM
X-NID
X-Environment
X-Cache-Control
Www.Aujourdhui.Com
X-MSEdge-Ref
Accept
X-CMS-Collection
X-CMS-CRMSet
WP-AdvCache-MemCached
X-Origin
X-V-TTL
Response
X-CMS-Live
X-CMS-Nid
SLB
X-Bcwwwid
X-CMS-Tid
X-CMS-State
X-CMS-Sid
X-CMS-Stage
X-Geoip-Country-Code