
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
X-Cache
Age
Alternate-Protocol
Content-Language
X-UA-Compatible
Content-Location
Via
Keep-Alive
X-Frame-Options
CF-RAY
X-Varnish
X-Adblock-Key
X-Check
X-Cacheable
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
X-Drupal-Cache
Access-Control-Allow-Origin
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Pad
X-Runtime
X-Geo-Port
X-Geo
MicrosoftOfficeWebServer
X-Request-Id
X-Powered-CMS
P3p
X-Server
X-Host
X-Cache-Lookup
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
Strict-Transport-Security
Ngpass-All
X-Mod-Pagespeed
X-UA-Device
X-Rack-Cache
MicrosoftSharePointTeamServices
X-XRDS-Location
X-Ua-Compatible
X-Tumblr-User
X-Cache-Hits
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Host-Header
Content-Encoding
SPRequestGuid
X-Tumblr-Pixel-1
X-SharePointHealthScore
X-Robots-Tag
X-Via
X-Url
X-Forwarded-For
X-INKT-SITE
X-INKT-URI
X-Tumblr-Pixel-2
X-CF-Powered-By
X-Iinfo
X-Webserver
X-Accel-Version
X-PhApp
X-Varnish-Cache
X-Cnection
X-MS-InvokeApp
Composed-By
X-ServedBy
X-Firenze-Processing-Times
X-Ac
Access-Control-Allow-Headers
X-Served-By
X-Page-Speed
Served-By
X-Hostname
X-CDN
X-ShardId
X-ShopId
X-Alternate-Cache-Key
X-ContextId
X-XN-Trace-Token
X-Backend
X-XN-XNHTML
Access-Control-Allow-Methods
X-Tumblr-Pixel-3
X-Request-ID
X-AH-Environment
X-Powered-By-360WZB
X-PC-Key
X-PC-Hit
Liferay-Portal
X-PC-Host
X-PC-AppVer
X-PC-Date
Content-Style-Type
Content-Script-Type
X-Umbraco-Version
X-Server-Name
X-Cache-Info
Refresh
X-Spip-Cache
Cartoon
X-Mobilized-By
Powered-By-ChinaCache
X-HeyJason
X-Amz-Id-2
X-Cache-Server
X-From
SPIisLatency
SPRequestDuration
Request-Id
X-Cache-Result
X-Age
X-Port
X-Amz-Request-Id
Cf-Railgun
Rating
X-Content-Digest
TCN
X-Px
X-Amz-Cf-Id
X-Outils-CS
X-FB-Debug
X-TN-ServedBy
Real-Hostname
X-PHP-Engine
X-Loop
Thanks
Magicmarker
X-Cache-Status
X-VCache
X-W3TC-Minify
Page-Completion-Status
X-Content-Encoded-By
X-Generated-By
X-TNCMS-Served-By
X-TNCMS-Render-Time
X-Device
X-TNCMS-Memory-Usage
X-TNCMS-Version
X-PersistenceNode
X-Cached-By
IBM-Web2-Location
X-Tumblr-Pixel-4
NS-RTIMER-COMPOSITE
X-Cached
Imagetoolbar
X-Served-From-Cache
X-Original-Content-Length
X-Tumblr-Content-Rating
X-Varnish-Cacheable
PICS-Label
X-Safe-Firewall
Retry-After
X-Matrix-Proxy
X-Matrix-Server
X-Powered-By-Anquanbao
X-Pantheon-Endpoint
X-Node
X-SERVER
X-Pantheon-Styx-Hostname
Set-Cookie2
X-Xrds-Location
X-Firenze-Processing-Time
X-Timer
X-CMS-Version
Product
X-Tumblr-Pixel-5
Time
X-Pass-Why
IISExport
Content-Security-Policy
X-Cache-Enabled
X-Art-Request-Id
X-Varnish-TTL
X-Backend-Server
X-DynaTrace
X-Hyper-Cache
X-PF-Uncompressing
CF-Cache-Status
Generator
MIME-Version
X-DDC-Arch-Trace
X-SDS
X-Cache-Hit
X-DynaTrace-JS-Agent
Powered-By
X-Rendering-Engine
Access-Control-Max-Age
DynaTrace
X-Processed-By
X-App-Hosting
X-Trace-App
X-Cache-Debug
X-I
X-Duration
ServedBy
X-Drectory-Script
X-Purge-Host
Lsrequestid
Node
X-Stats-Unique-Token
X-Nitra-Side
X-Stats-Visit-Token
X-ApacheServer
X-PERF
S
Access-Control-Request-Method
X-ATG-Version
X-UD-Method
X-Director
X-UD-Host
X-CDN-Geo-IP
X-CDN-Any-IP
COMMERCE-SERVER-SOFTWARE
X-CDN-Geo
X-NoCache
X-Content-Options
X-Purge-URL
Pics-Label
X-Microcachable
X-Cookie-Domain
X-Cache-Expires
Content-Encoding-Handler
Accept-Encoding
X-Hits
X-BackEnd
X-DNS-Prefetch-Control
X-Expires-Orig
Charset
Ngpass-Vcall
X-Orig-Vary
X-ServerID
X-Vtex-Cache-Key
X-Vtex-Remote-Cache
RTSS
ServerName
X-FIRSTBase
X-Srv
AMF-Ver
Cache
Vacache
X-Sol
X-Varnish-Backend
X-Cache-Control-Orig
Fhost
X-Yadis-Location
Proxy-Agent
X-Original-Request
Filter-Revision
Host
X-FW-Static
Surrogate-Control
X-Speed-Cache-Key
X-GeoIP-Country-Code
X-Speed-Cache
NODE
X-CJ-Soft
X-Server-ID
X-Vary-Options
Content-Disposition
X-GeoIP-Country-Name
X-Hosted-By
X-VARNISH-Cache
X-Returned-From-PostProcessResponse
X-Returned-From-DLL
MJ12bot
SEOMOZ
CT
X-Returned-From-BeforeDispatch
Webluker-Edge
X-Passed-To-BeforeDispatch
X-Actual-URL
X-Returned-From
X-Directory-Script
X-Passed-To
X-Handled-By
X-Passed-To-DLL
X-Passed-To-PostProcessResponse
Edge-Control
Cm-Server
X-HOST
X-Geo-IP
X-TTL
Accept-Charset
WWW-Authenticate
Id
X-AOL-SNH
UniqueName
X-Micro-Cache
X-Cache-TTL
X-URL
X-PwB-Node
NtCoent-Length
X-Distil-CS
SID
X-Cluster-Node
MIH-CLIENT-FARM
MIH-PLATFORM
Machine
MIH-PUBLIC-IDENTIFIER
X-Time
X-LiteSpeed-Cache
Req-Id
Response
X-Trace-Cache
X-ServerName
SN
X-FW
VAR-Cache
X-Content-Security-Policy
X-Ttl
X-Gamma-Serve
X-MJ-Upstream-Addr
X-LIGHTHTTP-PCDID
QOR-Cache
X-Info
X-UPSTREAM
X-CHSN
X-ACMCache
NetMindSessionID
Server-Name
X-ACCELERATE
X-Id
X-Track
Server-Info
Website-Info
X-SRV
X-Cocoon-Version
X-HOSTNAME
A-Powered-By
X-AspNetWebPages-Version
X-Source-Host
Proxy-Connection
X-Sys-Req-ID
X-Permitted-Cross-Domain-Policies
X-User-Agent
X-Front
X-Highwire-SessionId
Pool-Info
X-Varnish-Host
X-Blog
X-Highwire-RequestId
X-ProStores-StoreApiEntryPoint
X-Session-Reinit
CommunityServer
X-MJ-Serve-Req-Time
X-StoreSense
MW-Webserver
From
X-Turbo-Control
Hamster
Cache-By-Node
X-Trace
Content-MD5
Srv
X-Object-Type
X-Object-Id
X-Bettercache-Proxy
Nodo
Content-Security-Policy-Report-Only
X-Middleton-Response
Ms
X-Transaction
X-WebKit-CSP
X-Geo-IP-Metro
X-Geo-IPV
Cteonnt-Length
X-Geo-IP-Country
X-Machine-Name
Worker
X-Cms-Mode
X-Dev
Location
X-Jphone-Copyright
X-Geo-IP-Region
X-FreeTag-Count
X-Varnish-Hits
X-Engine
F-In-Cache
Origin
X-Cache-Action
Author
X-CacheHits
X-Src-Webcache
Apache
Server2
X-Atraveo-From-Varnish-Cache
X-Expires
X-Atraveo-Varnish-Server-Id
X-Atraveo-TTL
X-Varnish-Server
X-Atraveo-NC
X-Atraveo-Cache-Control
X-Wily-Servlet
X-Rewritten-By
SRV
X-ManagedFusion-Rewriter-Version
X-Cache-Rule
REFRESH
X-Cache-Config
X-App-Start
X-Pangea-Version
X-Country-Code
-GCR
X-ROUTE-DATA
X-Wily-Info
Pool
X-ServerCache-Info
X-Provisioner-Version
ServerID
Bs-Header
X-Styx-Build-Date
X-Styx-Build-Num
X-Styx-Build-Sha
X-Styx-Version
X-Styx-Req-Id
X-WR-Flags
ScoreTracker
X-T3CacheInfo
X-App-Server
X-EdgeRouter
X-Varnish-Cache-Hits
SynthaSite-ID
X-N
X-Channel-Maxage
X-Hrouter
X-MobileDetected
CountryCode
X-Response-Time
NLCacheNote
Backend
RequestTime
ORIGIN
X-Frontend
X-App
X-Amz-Id-1
X-MCB-Server
X-Domain-Checked
X-Outils-Cs
Allow
X-NginX-Cache
X-B2f-Cache-Load
MirrorName
X-Powered-By-Yqk
X-NginX-Server
X-Powered-By-Server
X-Yqk-Set
X-Recruiting
7e-Page-Cache
X-GSL-Server
Content-Transfer-Encoding
X-T
X-WP
Il-Cl
Be-Ip
X-Enhanced-By
X-Frames-Options
X-ERM-RunTime
X-ERM-ServerName
X-Cache-On
X-Cache-Operation
X-Via-Kemp
Compression-Control
Web-Server
X-ERM-ServerName-AppPage
X-T3Cache
Be-Va
X-GeoIP
X-Remote-Addr
A1B2C3
X-B
OriginServer
X-T3CacheTags
X-Test
X-Cache-Me-Harder
X-Monstercache-Timeout
X-Debug
X-Nginx-Backend
X-Developer
X-DTC
CDN
X-Actindo-RS
X-Varnish-Debug-Hits
Cluster-ID
X-Empowered-By
X-Vivastreet-KiwiiPage
X-Varnish-Debug-Age
Cache-Ctrol
X-Farm-Server
X-S
X-NGINX-CACHED-AT
X-Grid-Server
X-Cache-Set
X-MidCOM-Meta-Cache
Powered-By-VeryCDN
X-NGINX-CACHED
X-Varnish-Cache-Server
X-CS
X-Vivastreet
X-ATM-RServer
X-PageCached
X-Cache-Age
Ssl-Enabled
X-Phpwcms-Release
X-Cache-Term
MASTERWEBLET
X-Ocache
X-Conf
Ec
Powered
Copyright
X-ATM-RTime
X-Amz-Meta-S3cmd-Attrs
SS
Rt-Server
Ksid
Cdate
LBVIS
X-Cache-Ttl
X-Phpwcms-Page-Processed-In
Progma
X-Accelerated-By
PageSpeed
Debug
X-Varnish-Action
Debug-IP-Cntry
X-Vhost
Debug-Begin-IP
X-Database-Slave-Connection
X-Request-Duration
Pagely
X-Old-Content-Length
Buuteeq-Source
X-Kermit
X-B2f-Not-Route
X-Servername
LFY
SFY
X-Microcache-Status
X-ASTRO-REWRITE
X-Varnish-IP
X-Content-Age
X-Device-Type
X-GLaDOS
X-Magento-Action
X-Magento-Lifetime
X-Haiku
LBC
X-Li-Fabric
X-Source-ID
Jobb.Gil.Se
P3P:CP
Open.Jobgate.Se
Jobb.Passal.Se
Jobb.Assistentpoolen.Se
X-Hosting-Env
X-SN
X-Hash
X-PRAM
Front
Provider
X-Whom
X-GC-Write
X-Nginx-Server
X-DeliveryServer
X-GC-App
X-LB
X-LI-UUID
Head
X-Oracle-DMS-ECID
X-Loc
X-Cached-Status
X-Author
X-Li-Pop
X-PM-ID
X-GC-Read
X-App-Status
Www.Mabracertifiering.Se
Www.Mirrorgate.Se
Www.Myjob.Se
D
X-FS-UUID
Test.Executivepeople.Se
ServerConfigManager.WebBugTracker
X-Origin-Id
Atp-Isdpp
At-Shoptype
X-Header
X-Node-Name
X-Uplex
Provided-Host
X-Response
At-Isb
X-7d-Version
Dispatcher
X-REDIRECTSERVER
Hash
Hostname
X-Venda-Hitid
X-7dig
X-Artvisual-Server
X-Execution-Time
X-SilverStripe-Cache
X-Varnish-Debug-Fetch-Host
Render
X-Force
X-Powered
IsFullSiteRequest
Before
WEBO
After
X-ORACLE-DMS-ECID
X-UD-REMOTE-ADDR
SIP
X-Kirra-SiteId
X-UD-Loopcounter
X-UD-Target
X-VarnCache
Tpt.Renderer1
Tpt
Tpt.Renderer
X-Garden-Version
Content-Instance
X-Route
INCOMING-TIME
X-Version
X-TLServer
XX
X-Swift-CacheTime
WP-Cache
Http
Publisher
X-Swift-SaveTime
X-Translation
Aoestatic
X-SeschatRedID
X-Max-Age
X-Server-Node
X-SeschatTemplateID
X-SeschatLayout
X-Varnish-Hashed-On
X-Host-Url
UNIQUE-ID
X-Binarysec-Via
X-Platform
X-PP
X-CCM
X-Seschat-URL
X-SeschatDID
No
X-RemovedCookies
X-V
X-ProcessESI
X-Varnish-Cache-Local
X-Framework
X-JSL
X-User-Id
X-CMS-Server
X-Created
X-Vtex-Processado-Em
X-ChromeLogger-Data
X-Vhost-ID
X-JAL
X-IDS-WS
SVR
Accept
X-Life
X-Real-IP
X-Goog-Hash
X-V-Outer
X-NID
X-V-TTL
Telligent-Evolution
X-S-Misc
Accept-Language
X-Server-IP
X-Generation-Time
X-D-Time
Hej
Content-Cache
X-AISO-Cache
X-Origin
X-AISO-Server
X-Req-Host
PowerCDN
X-WorkerInstancename
X-TISSERVER
Esi-Enabled
X-VarnPar2
HostGen
X-V-I-TTL
X-Req-Url
X-FCMS-Cache
X-RSS-CACHE-STATUS
No-Cookie
X-Flex-Evend
X-Flex-Evstart
X-Flex-Lang
X-Flex-Lastmod
X-Flex-Community
Beyond-Iis
X-Varnish-Device
X-WR-MODIFICATION
X-Uid
Access-Control-Expose-Headers
X-Flex-Tag
X-Flex-Tags
X-Powered-Developer
MachineName
User-Cache-Control
X-Hit
X-XHR-Current-Location
X-Monstercache-Host
X-Ratelimit
X-ID
X-Monstercache
Svr
X-Varnish-ID
X-Dokk-PortalId
X-EPiphany-Vid
X-Client-Vid
X-Nginx-Host
X-JSON-API-AGE
X-Location-Id
Foglight-Request-UUID
NnCoection
Content
ExecutionTime
X-Secret
X-Locale
X-JSON-API-LATENCY
X-Would-Your-GrandPa-Wait
X-Your-GrandPa-Would-Wait
Edgecast
X-Continum-Server
Expire
X-TTL-Age
X-UserAgent
X-JSON-API-TTL
X-Page-Generated-At
X-Page-Generation-Time
X-Time-Microsecs
X-Monstercache-Hash
OGHopCount
X-Varnish-Beresp-Ttl
X-Cache-Lifetime
Server-IP
X-Jcms-Ajax-Id
X-HITS
X-Pixelsilk-Version
X-Pixelsilk-Server
X-Box
X-Hc-Host
X-Varnish-Id
TMP
X-Wm-1
X-WHOIS-Cached
RATING
X-Varnish-Beresp-Status
X-Wm-VIP
X-Varnish-Beresp-Grace
POOL
X-Caching-Rule-Id
X-Nocache
X-Header-Set-Id
X-Web-Node
SiteName
X-Dynatrace-Js-Agent
X-Tumblr-Pixel-6
X-Nginx-Cache
X-VG-WebCache
X-PS-MURDOCK-ORIG-FILEEXT
X-PoweredBy
Test
Web-Head
Www.Aujourdhui.Com
Requested-Host
X-Mobile
X-Pb-Mii
X-DC-Origin-IP
CP
Server-Optimized-By
X-User-Authenticated
X-User-Login-Url
X-Proxy
X-Pagecache
X-Real-Server
Ttl
X-Client-IP
HostName
X-Crafted
ProxiaInstanceId
BM-Cache-Status
X-Mii-Cache-Hit
X-SV
X-ATP-Server
X-Device-Group
X-PS-MURDOCK-ORIG-PROTOCOL
X-Process-Time
X-Varnish-Object-Age
X-Gondor-Server
X-VTEX-Cache
X-Beep
Front-End-Https
X-Upstream
X-Varnish-Count
X-VTEX-Router-Backend-App
X-VTEX-Router-JanusNet-AspNetLatency
X-MadeOn
AV1080
X-Config-By
WebDevSrc
X-VTEX-Router-Powered-By
X-VTEX-Router-JanusNet-BackEndLatency
X-VTEX-Router-JanusNet-JanusLatency
X-Varnish-HitMiss
B-Powered-By
CacheControlHeader
X-Router-Backend
Language
X-Server-By
Host-Service
X-PS-MURDOCK-CASE-NORMALIZATION
X-Hop-By
X-RequesterIP
X-Internal-IP
BM-Cache-Key
BM-Cache-Node
X-Location
X-Router
X-Webapp
X-UseReverse-Proxy
X-MSEdge-Ref
X-Nucleus-Cache
X-USERNAME
Noahs-Classifieds
X-WLD-LB
X-Source
X-Varnish-Hit
X-Yottaa-Optimizations
X-Yottaa-Metrics
HAVer
HCVer
Mobiquo-Is-Login
X-BackendServer
CacheDuration
X-UA
X-NewRelic-App-Data
ErrorCodeCount
TypeOfContent
OriginalHost
CacheInfo
CacheInfoFetch
Optimizer
X-GitHub-Request-Id
HTTP
X-Backend-Status
X-Cookie-Store
X-Url-Store
Ozcache
WEB-CLUSTER-NODE
Source
DCGI-Server
X-Extra-Header
AcceptLangage
X-Stackable-Node
X-PoolMember
If-Modified-Since
X-RE-Ref
SAVVIS
X-VarnPar1
X-Webstats-RespID
SBMCLOUD
X-Varnish-Debug-Varnish-TTL-Set-From-Server
Backend-Host
Warning
X-Panel-Name
X-Catalyst
Cmsid
Servername
X-Panel-Id
ExecuteNonQuerySQLParam
X-Back
X-View
X-Server-Id
Cmstype
X-Client-Addr
X-Fett
X-Purge-Level
X-Allow-Redis
X-DELIVERYSERVER
X-Fortrabbit
X-PvInfo
CachedXSLT
X-Agentscape-Info
Application-Version
Rt-Fastcgi-Cache
X-CMS-Collection
X-CMS-CRMSet
X-CMS-Live
X-XFPC-Cache-Active
X-XFPC-Cache
EI-UNIQUE-ID
X-HOSTTYPE
ServerId
X-CMS-Nid
X-CMS-Sid
X-FarmId
X-Bcwwwid
WebServer
X-DefendeR-Runtime
SLB
X-CMS-Stage
X-CMS-State
X-CMS-Tid
X-Varnish-Age