
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
X-UA-Compatible
Via
Content-Location
Keep-Alive
CF-RAY
X-Frame-Options
X-Varnish
X-Adblock-Key
P3p
X-Check
X-Cacheable
X-Language
X-Template
X-Buckets
X-Generator
Access-Control-Allow-Origin
X-Hacker
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Pad
X-Runtime
X-Geo
X-Geo-Port
X-Request-Id
MicrosoftOfficeWebServer
X-Powered-CMS
X-Server
X-Host
X-Cache-Lookup
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
Strict-Transport-Security
Ngpass-All
X-Ua-Compatible
X-XRDS-Location
X-Mod-Pagespeed
X-Rack-Cache
X-UA-Device
MicrosoftSharePointTeamServices
X-Cache-Hits
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
Host-Header
Content-Encoding
X-Via
X-Tumblr-Pixel-1
SPRequestGuid
X-SharePointHealthScore
X-Robots-Tag
X-INKT-URI
X-INKT-SITE
X-CF-Powered-By
X-Varnish-Cache
X-Iinfo
X-FRAME-OPTIONS
X-Tumblr-Pixel-2
X-Url
X-Cnection
X-Accel-Version
Composed-By
X-ServedBy
X-PhApp
Access-Control-Allow-Headers
X-Page-Speed
X-Served-By
X-Webserver
X-Forwarded-For
X-Backend
Served-By
X-MS-InvokeApp
X-ContextId
X-Firenze-Processing-Times
Access-Control-Allow-Methods
X-CDN
X-ShopId
X-Alternate-Cache-Key
X-ShardId
X-Ac
X-XN-Trace-Token
X-XN-XNHTML
X-Hostname
X-Tumblr-Pixel-3
X-AH-Environment
X-PC-Key
X-PC-Hit
X-PC-AppVer
X-PC-Host
X-PC-Date
X-Powered-By-360WZB
Content-Style-Type
Content-Script-Type
Liferay-Portal
X-Served-With
X-Server-Name
X-Spip-Cache
X-Age
X-Umbraco-Version
X-Cache-Info
Refresh
X-Port
X-Safe-Firewall
X-Cache-Server
Cf-Railgun
X-Request-ID
X-Amz-Id-2
X-Cache-Result
Powered-By-ChinaCache
Request-Id
Cartoon
SPRequestDuration
SPIisLatency
X-Amz-Request-Id
X-Content-Digest
X-Mobilized-By
Rating
X-HeyJason
X-FB-Debug
X-Amz-Cf-Id
X-FORWARDED-FOR
X-Pass-Why
X-TN-ServedBy
X-Outils-CS
TCN
Real-Hostname
X-Loop
X-PHP-Engine
Thanks
X-Tumblr-Pixel-4
X-Generated-By
X-VCache
X-Px
X-W3TC-Minify
Magicmarker
X-Node
X-Cache-Status
IBM-Web2-Location
X-Cached-By
X-PersistenceNode
X-TNCMS-Render-Time
X-TNCMS-Version
X-Device
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-Hyper-Cache
Imagetoolbar
X-Original-Content-Length
X-Content-Encoded-By
Page-Completion-Status
X-Served-From-Cache
X-Tumblr-Content-Rating
X-Matrix-Proxy
NS-RTIMER-COMPOSITE
X-Matrix-Server
X-Cached
X-Styx-Build-Num
X-Styx-Build-Sha
X-Styx-Build-Date
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-Styx-Version
X-Styx-Req-Id
X-Timer
Retry-After
Content-Security-Policy
CF-Cache-Status
X-URL
X-Powered-By-Anquanbao
X-From
X-Varnish-Cacheable
X-Tumblr-Pixel-5
X-CMS-Version
X-DynaTrace
X-SERVER
X-HOST
X-Varnish-TTL
X-Firenze-Processing-Time
Product
X-Art-Request-Id
X-HOSTNAME
IISExport
Generator
X-Cache-Enabled
X-Trace-App
Time
Pics-Label
DynaTrace
X-Backend-Server
X-CDN-Geo
X-CDN-Geo-IP
X-ATG-Version
X-CDN-Any-IP
X-DNS-Prefetch-Control
X-DynaTrace-JS-Agent
X-DDC-Arch-Trace
X-Cache-Hit
X-Cache-Debug
Set-Cookie2
X-App-Hosting
X-Rendering-Engine
Powered-By
Access-Control-Max-Age
X-I
Node
ServedBy
X-SDS
X-BC-Is-HA
X-UD-Host
X-Processed-By
X-UD-Method
X-Drectory-Script
X-Original-Request
Ngpass-Vcall
X-Sol
Lsrequestid
X-Nitra-Side
X-Purge-Host
Response
PICS-Label
X-NoCache
X-Passed-To-PostProcessResponse
X-Returned-From-BeforeDispatch
X-Returned-From-PostProcessResponse
X-Returned-From-DLL
X-Passed-To-DLL
X-Returned-From
X-PF-Uncompressing
X-Handled-By
X-Content-Options
X-Passed-To
X-Passed-To-BeforeDispatch
X-Actual-URL
Charset
Vacache
X-Duration
MIME-Version
X-Cookie-Domain
ServerName
Content-Encoding-Handler
Proxy-Agent
Cache
X-Hits
X-Cache-Expires
X-PERF
X-ApacheServer
X-Microcachable
X-Varnish-Backend
X-Purge-URL
Edge-Control
Accept-Encoding
RTSS
X-Xrds-Location
AMF-Ver
X-Middleton-Response
X-LiteSpeed-Cache
X-SRV
X-BackEnd
X-Speed-Cache
X-Speed-Cache-Key
X-Director
Access-Control-Request-Method
X-Expires-Orig
X-GeoIP-Country-Code
COMMERCE-SERVER-SOFTWARE
S
X-Ms-Invokeapp
NODE
X-Vary-Options
X-Micro-Cache
X-GeoIP-Country-Name
Fhost
Sprequestguid
X-Front
X-Cache-Control-Orig
X-Orig-Vary
X-Sharepointhealthscore
Cm-Server
Machine
X-FIRSTBase
Host
X-Hosted-By
NetMindSessionID
Filter-Revision
X-Varnish-Hits
X-B2f-Cache-Load
X-Content-Security-Policy
SID
X-FW-Static
Surrogate-Control
X-FW
X-Trace-Cache
X-PwB-Node
X-ServerID
X-CJ-Soft
X-VARNISH-Cache
X-Cache-TTL
SEOMOZ
MJ12bot
X-ServerName
Server-Info
Website-Info
X-AOL-SNH
X-Beep
WWW-Authenticate
X-Yadis-Location
Content-Disposition
X-WebKit-CSP
Accept-Charset
X-Track
ServerID
VAR-Cache
X-User-Agent
X-Varnish-Host
X-Cocoon-Version
X-Gamma-Serve
X-Sys-Req-ID
X-Server-IP
X-Directory-Script
X-Varnish-IP
X-Source-Host
X-Server-ID
UniqueName
X-TTL
NtCoent-Length
X-Pangea-Version
X-WebServer
X-ACMCache
X-App-Start
X-Varnish-Server
X-Distil-CS
Pool-Info
Proxy-Connection
X-Blog
X-Session-Reinit
X-Whom
X-Time
CT
X-Permitted-Cross-Domain-Policies
Ms
X-Transaction
X-AspNetWebPages-Version
Content-Security-Policy-Report-Only
A-Powered-By
X-Srv
X-Src-Webcache
X-App-Status
X-Domain-Checked
X-Highwire-RequestId
X-Provisioner-Version
X-Highwire-SessionId
X-StoreSense
SN
X-ProStores-StoreApiEntryPoint
MW-Webserver
X-Varnish-Object-Age
Id
Server-Name
X-CacheHits
X-WR-Flags
X-LIGHTHTTP-PCDID
X-ACCELERATE
Hamster
X-Geo-IP
X-CHSN
X-Cluster-Node
X-Ttl
X-Ar-Debug
Req-Id
Buuteeq-Source
X-Amz-Id-1
X-Outils-Cs
X-Cache-Rule
X-Grid-Server
X-MJ-Upstream-Addr
Nodo
Grace
Cteonnt-Length
X-Cache-Action
X-Bettercache-Proxy
X-Country-Code
X-Engine
X-Wily-Info
X-Wily-Servlet
X-Id
X-Info
QOR-Cache
Origin
From
X-Atraveo-NC
X-Atraveo-From-Varnish-Cache
X-Atraveo-Cache-Control
Webluker-Edge
X-Cache-Config
X-Connection-Hash
Cache-By-Node
Mime-Version
X-TempDebug
X-Turbo-Control
Server2
X-Atraveo-TTL
X-Trace
X-WEBSERVER
X-ServerCache-Info
CommunityServer
X-ID
X-Atraveo-Varnish-Server-Id
X-Device-Type
MIH-PLATFORM
SS
X-ROUTE-DATA
X-Ar-Forwarded-For
X-ORACLE-DMS-ECID
SiteName
X-App
MIH-CLIENT-FARM
X-Microcache-Status
WEBO
MIH-PUBLIC-IDENTIFIER
LBVIS
X-Yqk-Set
F-In-Cache
X-N
X-Vtex-Cache-Key
Srv
X-Upstream
X-Powered-By-Yqk
X-Cached-Status
WP-Cache
X-MJ-Serve-Req-Time
X-Vtex-Remote-Cache
PageSpeed
X-Swift-CacheTime
X-Source-ID
X-Machine-Name
X-S
X-Varnish-ID
X-Swift-SaveTime
X-Powered-By-Server
X-Flex-Lastmod
X-Flex-Tag
X-Flex-Lang
X-Flex-Evstart
X-Object-Type
X-Flex-Evend
X-Flex-Tags
X-Flex-Community
OriginServer
X-Object-Id
Www.Myjob.Se
X-Empowered-By
X-Expires
X-Jphone-Copyright
X-Dev
X-PRAM
X-T3CacheInfo
X-Amz-Meta-S3cmd-Attrs
Www.Mirrorgate.Se
X-GeoIP
Test.Executivepeople.Se
Be-Va
Be-Ip
Edgecast
A1B2C3
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
X-LI-UUID
P3P:CP
Open.Jobgate.Se
Jobb.Passal.Se
Www.Mabracertifiering.Se
X-Cms-Mode
X-Force
X-Cache-Operation
X-Frontend
Apache
X-LB
X-Li-Pop
X-Origin
X-Rewritten-By
X-FS-UUID
X-FreeTag-Count
X-Li-Fabric
X-DeliveryServer
X-ManagedFusion-Rewriter-Version
Backend
Worker
Web-Server
X-Translation
ORIGIN
X-Version
X-Old-Content-Length
MirrorName
LBC
X-REDIRECTSERVER
X-Varnish-Debug-Age
X-Varnish-Debug-Hits
Http
X-WR-MODIFICATION
RequestTime
X-Origin-Id
X-WP
X-Response-Time
X-Remote-Addr
X-Powered-Developer
X-Developer
X-T3Cache
X-T3CacheTags
Beyond-Iis
Content-Transfer-Encoding
X-Monstercache-Timeout
X-Kermit
X-Header
X-Channel-Maxage
X-Phpwcms-Page-Processed-In
X-PM-ID
X-Phpwcms-Release
Pagely
X-Varnish-Age
X-Magento-Lifetime
X-Hrouter
X-EdgeRouter
X-Uid
Provided-Host
X-Content-Age
X-Magento-Action
X-MobileDetected
SRV
Content-MD5
X-Recruiting
Aoestatic
Front
X-Cache-Ttl
SynthaSite-ID
Author
Ibm-Web2-Location
X-Varnish-Cache-Hits
X-Vtex-Processado-Em
ScoreTracker
Location
X-Frames-Options
7e-Page-Cache
X-UPSTREAM
X-CS
Warning
X-B2f-Not-Route
X-Vhost
X-ATM-RTime
X-Farm-Server
X-Cache-Term
X-Varnish-Cache-Server
SFY
X-Framework
X-Actindo-RS
X-ATM-RServer
Il-Cl
MASTERWEBLET
X-Pixelsilk-Server
X-Pixelsilk-Version
X-DTC
X-PageCached
X-Via-Kemp
X-Debug
X-Vhost-ID
Hash
Ksid
Dispatcher
Rt-Server
X-Server-Id
X-Nginx-Backend
X-GLaDOS
X-VarnCache
No
X-JAL
X-GSL-Server
X-Varnish-Device
X-Nginx-Server
Progma
X-JSL
X-Mod-Oboe-PS
X-ASTRO-REWRITE
X-Powered
SIP
X-TISSERVER
X-User-Id
X-Varnish-Cache-Local
Powered
Allow
ExecutionTime
NLCacheNote
Compression-Control
X-Kirra-SiteId
X-Haiku
Server-IP
X-SN
X-Response
X-Varnish-Action
X-Secret
-GCR
X-Catalyst
X-Stage
X-Vivastreet
X-Vivastreet-KiwiiPage
X-Cache-On
Copyright
X-Monstercache
X-Monstercache-Host
X-Ratelimit
X-DC-Origin-IP
X-Cache-Backend
Pool
X-B
X-Varnish-Abtest-Expires
X-Monstercache-Hash
X-Ocache
X-Feed
X-T
X-Route
X-Hash
LFY
X-PoolMember
CDN
SAVVIS
X-Original-IP
Cluster-ID
Content-Instance
X-Geo-IPV
X-Geo-IP-Region
Atp-Isdpp
At-Shoptype
X-Dynatrace-Js-Agent
Cmstype
X-Accelerated-By
Cmsid
X-Cache-Age
At-Isb
X-Cache-Lifetime
X-Geo-IP-Country
X-Real-Server
X-Geo-IP-Metro
X-BackendServer
X-FCMS-Cache
X-Enhanced-By
X-ServerId
X-GC-Read
X-App-Server
X-GC-App
Rt-Fastcgi-Cache
Cache-Ctrol
X-MSEdge-Ref
X-UD-Target
X-UD-REMOTE-ADDR
POOL
X-Tumblr-Pixel-6
X-Web-Node
X-GC-Write
X-UD-Loopcounter
X-NID
X-ERM-RunTime
REFRESH
IsFullSiteRequest
Render
Before
X-SilverStripe-Cache
X-Status
X-PvInfo
After
X-Stale
D
Tpt.Renderer
Tpt.Renderer1
Provider
Tpt
ServerConfigManager.WebBugTracker
Ec
X-Conf
X-Host-Url
XDomainRequestAllowed
X-ERM-ServerName
X-Venda-Hitid
X-Cache-Set
X-Jcms-Ajax-Id
X-NGINX-CACHED
X-Locale
X-OPNET-Transaction-Trace
X-NGINX-CACHED-AT
X-UserAgent
X-Artvisual-Server
X-Garden-Version
X-ERM-ServerName-AppPage
Ttl
Xc
X-7dig
X-7d-Version
CP
X-Hosting-Env
INCOMING-TIME
X-Uplex
Publisher
If-Modified-Since
X-Varnish-Debug-Fetch-Host
Servername
X-TLServer
PowerCDN
X-Internal-IP
X-Stackable-Node
X-Reject
X-TTL-Age
X-Varnish-URL
ProxiaInstanceId
X-Varnish-Set-Cookie
X-Page-Generation-Time
X-Fett
X-IDS-WS
X-EPiphany-Vid
X-Nginx-Host
X-Oracle-DMS-ECID
X-Page-Generated-At
AV1080
X-Would-Your-GrandPa-Wait
Disaptch-Cache-Rule
X-ChromeLogger-Data
X-NginX-Server
X-NginX-Cache
ExecuteNonQuerySQLParam
X-MidCOM-Meta-Cache
X-CacheServer
X-Your-GrandPa-Would-Wait
X-XHR-Current-Location
X-Server-Node
X-VarnPar1
X-Server-By
Noahs-Classifieds
X-JSON-API-LATENCY
X-Goog-Hash
X-Mii-Cache-Hit
X-VTEX-Router-JanusNet-BackEndLatency
X-Device-Group
X-Client-IP
X-Cache-Key
X-VTEX-Router-JanusNet-JanusLatency
X-VTEX-Router-JanusNet-AspNetLatency
X-Nginx-Cache
X-SATserver
X-VarnPar2
X-Purge-Level
X-VTEX-Router-Backend-App
X-Nucleus-Cache
X-Pb-Mii
X-ATP-Server
X-VTEX-Router-Powered-By
X-Continum-Server
WEB-CLUSTER-NODE
BM-Cache-Status
BM-Cache-Node
BM-Cache-Key
X-Cache-Me-Harder
X-JSON-API-AGE
Source
SBMCLOUD
Www.Aujourdhui.Com
X-Allow-Redis
X-Client-Vid
Content
Expire
DCGI-Server
X-JSON-API-TTL
X-MCB-Server
MachineName
X-Max-Age
HTTP
Accept
OGHopCount
User-Cache-Control
X-RemovedCookies
X-Benchmark-Cache
X-VG-WebCache
X-Author
Accept-Language
Hej
X-CMS-Collection
X-CMS-CRMSet
X-CMS-Live
X-CMS-Nid
X-SERVERID
Telligent-Evolution
Ngpass-Static
Powered-By-VeryCDN
SVR
X-ProcessESI
X-Node-Name
X-Varnish-Beresp-Status
X-Varnish-Beresp-Grace
XX
Content-ID
X-Varnish-Beresp-Ttl
X-PBY
X-BKSrc
HCVer
HAVer
BKREF
X-Time-Microsecs
Requested-Host
X-Benchmark-Sphinx-Count
X-Client-Addr
X-Benchmark-Db
X-Mobile
X-Benchmark-Total
X-GitHub-Request-Id
Svr
X-Hit
X-Box
X-CMS-Server
X-Benchmark-Sphinx
X-PP
X-Varnish-Count
X-Varnish-HitMiss
X-Location
X-Binarysec-Via
X-Back
UNIQUE-ID
X-CacheTTL
X-Cluster-ID
X-CMS-Sid
X-SeschatTemplateID
X-SeschatRedID
X-SeschatLayout
X-Seschat-URL
X-SeschatDID
Esi-Enabled
X-Platform
X-XFPC-Cache-Active
X-D-Time
X-Generation-Time
X-XFPC-Cache
X-CCM
X-CMS-Stage
X-CMS-State
X-CMS-Tid
X-S-Misc
X-WorkerInstancename
X-FW-Hash
X-Nocache
CountryCode
Smug-Env
Server-N
X-Backend-Status
HostName
X-SmugMug-Hiring
X-SmugMug-Values
X-TTFB-L
AcceptLangage
X-TTFB
X-JG-Page-Cache
X-Panel-Id
X-Gondor-Server
X-Life
X-FarmId
X-DefendeR-Runtime
X-Bcwwwid
X-Loc
Apple-Itunes-App
X-Panel-Name
X-AISO-Server
X-AISO-Cache
Host-Service
Mobiquo-Is-Login
X-Resolver-IP
X-MadeOn
X-DSMX-Rewrite-MS
SLB
X-Dokk-PortalId
X-Extra-Header
X-Url-Store
X-Location-Id
X-Hc-Host
X-PHP-Cache
Server-Optimized-By
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-DSMX-Render-MS
X-Execution-Time
X-VHOST
X-Varnish-Hashed-On
X-Config-By
X-VTEX-Cache-Status-Janus-Edge
X-Cookie-Store
X-DELIVERYSERVER
X-Powered-By-VTEX-Janus-Edge
Redirect
X-Webstats-RespID
X-PROCESSED-BY
X-Yottaa-Metrics
X-Cluster
Test
Front-End-Https
X-Adobe-Content
X-PoweredBy
X-ErrorPage
X-APP
X-ServerID-App
X-Header-Set-Id
X-R4L-VHOST
X-RSS-CACHE-STATUS
X-Router
X-Router-Backend
X-VTEX-Cache
WP-AdvCache-MemCached
X-V
X-Real-IP
X-Cluster-Host
CacheControlHeader
X-Sw-Accesskey
X-UseReverse-Proxy
X-Webapp
X-WHOIS-Cached
X-Caching-Rule-Id
X-User-Login-Url
X-SDE-Name
X-Server-Instance
Foglight-Request-UUID
Bs-Header
Web-Head
X-Varnish-Cookie-Debug
X-WLD-LB
Head
X-USERNAME
X-HOSTTYPE
EI-UNIQUE-ID
X-Yottaa-Optimizations
X-Varnish-Max-Age
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-CASE-NORMALIZATION
X-IP-Address
X-User-Authenticated
X-PS-MURDOCK-ORIG-PROTOCOL
X-WAP
X-SERVER-ID
X-Http-Host
X-ACLR-Version
XDisk
HostGen