Threat Level: green Handler on Duty: Russ McRee

SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
X-UA-Compatible
Via
Content-Location
X-Frame-Options
Keep-Alive
CF-RAY
X-Adblock-Key
X-Varnish
P3p
X-Cacheable
X-Check
X-Language
X-Template
X-Buckets
X-Generator
Access-Control-Allow-Origin
X-Hacker
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Ac
X-Pad
X-Geo
X-Geo-Port
X-Runtime
X-Powered-CMS
MicrosoftOfficeWebServer
X-Request-Id
X-Server
Strict-Transport-Security
X-Type
X-Cache-Group
X-Host
Access-Control-Allow-Credentials
X-Cache-Lookup
X-Logged-In
X-Xss-Protection
X-UA-Device
X-Mod-Pagespeed
Ngpass-All
MicrosoftSharePointTeamServices
X-Rack-Cache
X-Cache-Hits
X-XRDS-Location
Host-Header
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
SPRequestGuid
X-SharePointHealthScore
X-Tumblr-Pixel-1
Content-Encoding
X-Via
X-Forwarded-For
X-Url
X-Robots-Tag
X-CF-Powered-By
X-Varnish-Cache
X-Tumblr-Pixel-2
X-Iinfo
X-Backend
X-INKT-SITE
X-INKT-URI
X-Accel-Version
X-MS-InvokeApp
X-Cnection
X-ServedBy
X-Served-By
Access-Control-Allow-Headers
X-PhApp
X-Webserver
X-Request-ID
X-Page-Speed
Served-By
Composed-By
X-ShopId
X-ShardId
X-Alternate-Cache-Key
X-ContextId
Access-Control-Allow-Methods
X-CDN
X-Firenze-Processing-Times
X-BC-Is-HA
X-XN-Trace-Token
X-XN-XNHTML
X-Tumblr-Pixel-3
X-Hostname
X-Ua-Compatible
X-Safe-Firewall
X-PC-Hit
X-PC-Key
X-AH-Environment
X-PC-Host
X-PC-AppVer
X-PC-Date
X-Served-With
Content-Script-Type
Content-Style-Type
Liferay-Portal
X-Server-Name
X-Age
X-Umbraco-Version
X-Powered-By-360WZB
X-Port
X-Pass-Why
X-Spip-Cache
X-Cache-Info
Request-Id
SPIisLatency
SPRequestDuration
Refresh
X-Amz-Id-2
Cf-Railgun
X-Amz-Request-Id
Rating
X-HeyJason
X-Amz-Cf-Id
X-FB-Debug
Powered-By-ChinaCache
X-Content-Digest
X-Cache-Server
X-Outils-CS
X-SERVER
Cartoon
X-Mobilized-By
X-Device
X-Cache-Result
Content-Security-Policy
TCN
X-TN-ServedBy
Real-Hostname
X-Cached-By
X-PHP-Engine
X-Loop
X-W3TC-Minify
X-Tumblr-Pixel-4
X-VCache
X-Hyper-Cache
X-Cache-Status
Ngpass-Ngall
X-Px
X-HOST
X-Generated-By
Page-Completion-Status
X-PersistenceNode
X-TNCMS-Render-Time
X-TNCMS-Version
Thanks
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-DynaTrace
IBM-Web2-Location
Imagetoolbar
NS-RTIMER-COMPOSITE
Magicmarker
X-Tumblr-Content-Rating
X-Original-Content-Length
X-Pantheon-Endpoint
X-Styx-Req-Id
X-Styx-Version
DynaTrace
X-Styx-Build-Sha
X-Styx-Build-Num
X-Styx-Build-Date
X-Pantheon-Styx-Hostname
X-Content-Encoded-By
CF-Cache-Status
X-Timer
X-Cached
X-Served-From-Cache
X-Matrix-Server
X-Matrix-Proxy
X-Node
X-Tumblr-Pixel-5
Product
X-URL
X-CMS-Version
X-Varnish-Cacheable
Time
X-From
PICS-Label
X-Varnish-TTL
X-Cache-Enabled
X-Firenze-Processing-Time
X-Powered-By-Anquanbao
X-Xrds-Location
Powered-By
X-Backend-Server
IISExport
X-Varnish-IP
ServedBy
Access-Control-Max-Age
Generator
X-Rendering-Engine
Retry-After
Node
X-HOSTNAME
X-DDC-Arch-Trace
Set-Cookie2
X-App-Hosting
X-Varnish-Forwarded-For
X-NoCache
X-Original-Request
X-CDN-Geo-IP
X-CDN-Geo
X-CDN-Any-IP
X-Content-Options
X-Drectory-Script
X-Cache-Debug
X-Cache-Hit
X-Returned-From
X-Returned-From-PostProcessResponse
X-Passed-To-PostProcessResponse
X-Returned-From-DLL
X-Passed-To-BeforeDispatch
X-Actual-URL
X-Handled-By
X-Passed-To
X-Passed-To-DLL
X-Returned-From-BeforeDispatch
MIME-Version
Proxy-Agent
X-DynaTrace-JS-Agent
X-I
Lsrequestid
X-Content-Security-Policy
Charset
X-Duration
X-Cookie-Domain
X-Trace-App
X-UD-Host
X-UD-Method
X-Nitra-Side
COMMERCE-SERVER-SOFTWARE
X-Expires-Orig
X-Processed-By
Response
Content-Encoding-Handler
X-Cache-Expires
X-SDS
X-ATG-Version
X-PF-Uncompressing
Pics-Label
ServerName
X-Front
X-Speed-Cache
X-Varnish-Backend
X-Speed-Cache-Key
X-DNS-Prefetch-Control
X-PERF
X-Sol
X-ApacheServer
X-Purge-Host
Edge-Control
X-Cache-Control-Orig
Content-Disposition
AMF-Ver
X-Hits
X-Whom
Access-Control-Request-Method
SID
X-Purge-URL
X-Yadis-Location
Ngpass-Vcall
X-GeoIP-Country-Name
X-GeoIP-Country-Code
X-PwB-Node
X-FIRSTBase
X-Track
X-WebKit-CSP
X-FORWARDED-FOR
X-Vary-Options
X-Director
Cache
Accept-Encoding
X-User-Agent
X-Micro-Cache
X-FW-Hash
Fhost
X-CJ-Soft
Host
Cm-Server
Surrogate-Control
S
X-Pangea-Version
SN
X-App-Start
Grace
X-Middleton-Response
X-Orig-Vary
X-Hosted-By
X-Microcachable
Machine
Filter-Revision
X-ServerID
X-TTL
X-FW-Static
RTSS
X-Blog
X-Session-Reinit
X-LiteSpeed-Cache
NtCoent-Length
X-Varnish-Host
X-FW
ServerID
X-Permitted-Cross-Domain-Policies
X-ServerName
X-ID
X-SN
X-Art-Request-Id
Server-Info
Website-Info
X-Trace
X-Srv
Req-Id
X-Trace-Cache
X-ACMCache
X-Source-Host
Id
Vacache
Accept-Charset
Cache-By-Node
NODE
WWW-Authenticate
X-Cache-Config
X-App
X-Distil-CS
X-SRV
X-Cache-TTL
X-Cocoon-Version
X-Highwire-RequestId
MW-Webserver
Proxy-Connection
X-Highwire-SessionId
X-AspNetWebPages-Version
X-Geo-IP
X-Varnish-Hits
X-AOL-SNH
X-Swift-CacheTime
X-Cluster-Node
X-Time
X-Swift-SaveTime
MJ12bot
SEOMOZ
X-Ar-Debug
X-Gamma-Serve
X-Engine
X-Tumblr-Pixel-6
X-MJ-Upstream-Addr
X-Device-Type
X-Ttl
X-Microcache-Status
X-Cache-Action
UniqueName
X-Server-ID
X-Varnish-Server
Webluker-Edge
X-Vtex-Remote-Cache
X-FW-Serve
X-FW-Type
X-Source-ID
A-Powered-By
X-LIGHTHTTP-PCDID
X-App-Status
SiteName
X-BackendServer
X-Atraveo-Cache-Control
NetMindSessionID
X-Ar-Forwarded-For
From
X-CHSN
X-MJ-Serve-Req-Time
X-Atraveo-From-Varnish-Cache
X-Provisioner-Version
X-Varnish-Object-Age
X-Atraveo-NC
CT
X-Atraveo-TTL
X-Atraveo-Varnish-Server-Id
X-Domain-Checked
X-Powered-By-Yqk
X-Yqk-Set
X-Developer
X-Vtex-Processado-Em
X-Sys-Req-ID
X-N
Content-Transfer-Encoding
CommunityServer
NLCacheNote
X-FullPageCaching
X-Translation
Server-Name
X-Cache-Rule
Server2
X-Grid-Server
Edgecast
X-Country-Code
Buuteeq-Source
X-WebServer
X-S
Origin
No
Author
X-Version
X-Machine-Name
X-StoreSense
X-ProStores-StoreApiEntryPoint
WP-Cache
X-Bettercache-Proxy
Beyond-Iis
X-Src-Webcache
X-Wily-Servlet
X-Wily-Info
-GCR
X-GeoIP
Srv
QOR-Cache
X-Secret
X-TempDebug
X-Request-Locale
X-Li-Pop
X-LI-UUID
X-Li-Fabric
Content-MD5
X-FS-UUID
Nodo
X-Magento-Action
X-Object-Id
MIH-CLIENT-FARM
X-Magento-Lifetime
X-PRAM
X-Object-Type
X-WR-Flags
MIH-PLATFORM
MIH-PUBLIC-IDENTIFIER
Aoestatic
SRV
X-Force
MirrorName
X-Info
Hamster
X-Geo-IP-Metro
Apache
X-Amz-Meta-S3cmd-Attrs
X-Geo-IP-Region
X-Resolver-IP
X-Framework
X-Cache-Age
VAR-Cache
X-Geo-IP-Country
X-Geo-IPV
X-WR-MODIFICATION
PageSpeed
X-CacheHits
X-Id
Ms
X-FreeTag-Count
X-Frontend
X-Old-Content-Length
X-Connection-Hash
X-Cache-Lifetime
X-Transaction
Cmsid
Cmstype
X-PvInfo
X-Empowered-By
X-T3CacheInfo
X-Cached-Status
X-Vtex-Cache-Key
X-Turbo-Control
REFRESH
Location
Warning
X-Varnish-Cache-Local
X-Varnish-Debug-Hits
Powered
Copyright
X-Directory-Script
X-Artvisual-Server
X-Varnish-Debug-Age
X-GSL-Server
X-UPSTREAM
X-Origin-Id
X-Expires
X-Dev
X-Stage
Backend
X-Cms-Mode
X-Jphone-Copyright
Worker
X-VTEX-Router-Powered-By
Qs-Cache
X-ManagedFusion-Rewriter-Version
X-VTEX-Router-JanusNet-JanusLatency
X-VTEX-Router-JanusNet-BackEndLatency
X-Uid
X-VTEX-Router-JanusNet-AspNetLatency
X-Varnish-Action
X-VTEX-Router-Backend-App
X-Powered-By-VTEX-Janus-Edge
X-ORACLE-DMS-ECID
X-Rewritten-By
X-VTEX-Cache-Status-Janus-Edge
X-Accelerated-By
X-Stale
OriginServer
Web-Server
X-Recruiting
X-Varnish-ID
X-Varnish-Device
X-VarnCache
X-VarnPar1
X-ACCELERATE
LBVIS
X-Hash
Provided-Host
Be-Va
X-TISSERVER
Be-Ip
X-Origin
X-Phpwcms-Page-Processed-In
X-Phpwcms-Release
X-Venda-Hitid
X-DeliveryServer
BM-Cache-Key
X-Header
X-Remote-Addr
SS
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-Frames-Options
X-ServerCache-Info
BM-Cache-Node
X-REDIRECTSERVER
X-Purge-Level
X-Amz-Id-1
X-Content-Age
BM-Cache-Status
X-Debug
X-Allow-Redis
Front
X-Varnish-Cache-Hits
SIP
7e-Page-Cache
X-Web-Node
POOL
X-Hostingcenter
X-Vtex-Processed-At
X-Flex-Lang
X-Flex-Lastmod
X-Flex-Tag
X-Flex-Evstart
X-Flex-Evend
X-ROUTE-DATA
X-Flex-Community
X-Powered-By-Server
X-Flex-Tags
X-Nginx-Server
X-Max-Age
X-Server-Node
X-Via-Kemp
X-User-Id
X-Response-Time
X-LB
X-NGINX-CACHED-AT
Compression-Control
X-Dynatrace
X-Response
X-Powered
X-Upstream
X-Varnish-Cache-Server
X-ASTRO-REWRITE
X-B2f-Not-Route
Jobb.Assistentpoolen.Se
X-App-Server
X-Benchmark-Cache
X-Benchmark-Db
X-Benchmark-Sphinx
RequestTime
Pool
Ksid
Dispatcher
BALANCEDTO
X-WP
X-Benchmark-Sphinx-Count
X-Benchmark-Total
X-CacheServer
X-Actindo-RS
CDN
Cluster-ID
X-PageCached
X-DTC
X-Cache-Term
X-Nginx-Backend
X-Conf
X-Monstercache-Timeout
ScoreTracker
X-Farm-Server
X-T3Cache
X-T3CacheTags
A1B2C3
X-Mod-Oboe-PS
No-Cookie
X-MidCOM-Meta-Cache
X-Enhanced-By
X-Kirra-SiteId
X-CS
Jobb.Gil.Se
Test.Executivepeople.Se
Www.Mabracertifiering.Se
Www.Mirrorgate.Se
Www.Myjob.Se
X-ATM-RServer
X-ATM-RTime
Jobb.Passal.Se
Open.Jobgate.Se
P3P:CP
X-NGINX-CACHED
CP
Render
X-NID
IsFullSiteRequest
ServerConfigManager.WebBugTracker
Tpt.Renderer
X-NginX-Cache
X-Cache-Set
Tpt.Renderer1
Servername
X-ChromeLogger-Data
X-Cache-Operation
X-Server-Id
X-OPNET-Transaction-Trace
After
Before
ExecuteNonQuerySQLParam
Progma
Cteonnt-Length
X-Client-Vid
X-NginX-Server
Provider
X-Dynatrace-Js-Agent
X-Garden-Version
X-MCB-Server
SVR
Il-Cl
Rt-Server
X-EPiphany-Vid
Cache-Ctrol
X-Cache-On
Acdc-Web
X-Header-Set-Id
X-Hosting-Env
X-Real-Server
X-Route
X-Caching-Rule-Id
X-GC-App
X-GC-Read
X-IDS-WS
Fpc-Cache-Id
X-GC-Write
WP-AdvCache-MemCached
X-JSON-API-AGE
X-USERNAME
X-TTL-Age
X-JSON-API-LATENCY
X-Locale
X-SERVER-ID
X-Page-Generation-Time
X-Page-Generated-At
X-Uplex
Mime-Version
X-Binarysec-Via
X-JSON-API-TTL
X-Vivastreet-KiwiiPage
Cneonction
X-B2f-Cache-Load
X-Channel-Maxage
X-7d-Version
X-7dig
Server-IP
X-Monstercache
X-Catalyst
X-Monstercache-Host
X-Monstercache-Hash
XX
X-Vhost-ID
X-Your-GrandPa-Would-Wait
X-Would-Your-GrandPa-Wait
X-Varnish-Debug-Fetch-Host
ORIGIN
X-SilverStripe-Cache
X-Host-Url
B-Powered-By
X-Varnish-Age
X-UserAgent
X-Vivastreet
ExecutionTime
X-HOSTTYPE
X-Server-By
X-Author
X-UseReverse-Proxy
X-UD-Target
X-UD-Loopcounter
X-UD-REMOTE-ADDR
X-FCMS-Cache
X-Pb-Mii
F-In-Cache
X-Client-IP
X-Location-Id
X-ATP-Server
Www.Aujourdhui.Com
X-CacheTTL
X-Device-Group
X-Nucleus-Cache
X-Mii-Cache-Hit
X-CCM
Foglight-Request-UUID
Redirect
X-Beep
X-Varnish-HitMiss
D
X-Vhost
X-Varnish-Count
X-Mobile
X-Fett
X-Webapp
X-DefendeR-Runtime
X-Nginx-Host
X-Router-Backend
X-Router
WEBO
X-Sto
X-Hit
PowerCDN
Publisher
EZ-Origin
X-App-TTL
Disaptch-Cache-Rule
X-Internal-IP
INCOMING-TIME
X-UA-Class
X-Life
Http
X-Loc
Bs-Header
LBC
RequestId
At-Isb
Content-Cache
X-BKSrc
X-CMS-Collection
X-VG-WebCache
At-Shoptype
EI-UNIQUE-ID
Svr
Atp-Isdpp
X-Lb
X-CMS
Noahs-Classifieds
X-GLaDOS
X-SDE-Name
SLB
X-Bcwwwid
X-Server-Instance
Accept
X-RemovedCookies
X-ProcessESI
Front-End-Https
Head
Hej
X-Node-Name
X-V
X-Haiku
X-Cached-Page
Backend-Host
X-WLD-LB
Hishop
Content-ID
Hash
Accept-Language
X-Varnish-Cookie-Debug
Requested-Host
RATING
X-Time-Spent
X-Proxy-Cache
X-Cache-Key
X-Cluster-Host
DCGI-Server
If-Modified-Since
Ttl
X-RSS-CACHE-STATUS
X-SeschatLayout
X-SeschatRedID
X-SeschatTemplateID
X-Varnish-Hashed-On
X-Gondor-Server
Source
X-TLServer
X-S-Misc
X-MiniProfiler-Ids
X-Generation-Time
X-WorkerInstancename
X-XFPC-Cache
X-AISO-Server
X-AISO-Cache
X-XFPC-Cache-Active
X-SeschatDID
X-Seschat-URL
MASTERWEBLET
UNIQUE-ID
HostName
Esi-Enabled
X-Gannett-Site-Version
X-IP-Address
X-DELIVERYSERVER
ProxiaInstanceId
X-VarnPar2
X-Wikidot-Static-Cache
X-Wikidot-Backend
X-Name
X-Crafted
X-DSMX-Render-MS
X-DSMX-Rewrite-MS
Tpt
Language
X-RequesterIP
X-SV
CacheControlHeader
X-FarmId
Ozcache
XDomainRequestAllowed
Ec
OGHopCount
X-ACLR-Version
X-CMS-Live
X-CMS-Nid
X-CMS-Sid
X-Status
X-CMS-Server
X-Clientip
X-GitHub-Request-Id
X-CMS-CRMSet
BKREF
Content-Instance
HAVer
X-Pixelsilk-Version
X-Pixelsilk-Server
X-Hc-Host
X-Http-Host
X-PBY
X-Ratelimit
X-Powered-Developer
X-MobileDetected
X-MSEdge-Ref
X-CMS-Tid
X-CMS-State
X-Hrouter
X-EdgeRouter
ServerIP
X-D-Time
X-Dokk-PortalId
AV1080
Portlet.Expiration-Cache
X-Feed
X-Original-IP
X-PM-ID
X-PoolMember
X-CMS-Stage
X-DC-Origin-IP
SAVVIS
X-Accel-Expires
X-Cache-Backend
HCVer
X-V-Outer
X-Req-Url
X-V-TTL
X-Req-Host
X-Created
X-XHR-Current-Location
X-ServerId
X-Cache-Ttl
X-V-I-TTL
X-Job-Offer
X-Req-Counter
X-Varnish-Id
X-Abuse
User-Cache-Control
X-Time-Microsecs
X-Varnish-Max-Age
X-Hit-Cache
W
X-Unbounce-PageId
X-Box
Test
Mark
X-PS-MURDOCK-CASE-NORMALIZATION
X-PS-MURDOCK-ORIG-FILEEXT
TP-Cache
Pool-Info
X-LAvg
X-PS-MURDOCK-ORIG-PROTOCOL
X-Rot
MachineName
HTTP
X-WAP
X-Source
X-Pagename
Device
ResourceTag
TIMESTAMP
Public-Extension
HGR-NOCACHE
Allow
X-Cdn-View
X-Client-Addr
X-Pagecache
X-Instart-Request-ID
X-Block
Server-Optimized-By
X-VHOST
X-PROCESSED-BY
X-HasAuthorization
X-Back
Smug-Env
X-Unbounce-Variant
X-IsPremium
X-SmugMug-Hiring
X-Lang
X-TTFB-L
X-TTFB
X-SmugMug-Values
SFY
LFY
X-Process-Time
X-Reject
X-Stackable-Node
AcceptLangage
CountryCode
X-Src-Loadbalancer
X-Oracle-DMS-ECID
No-Cache
X-Continum-Server
X-Forwarded-Proto
X-Kermit
Expire
X-Backend-Status
X-Varnish-URL
Xc
X-Test
X-Application
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-Server-IP
X-Cookie-Store
X-Url-Store
X-Webstats-RespID
X-Distributed-By
WSCPUB-Version
X-Config-By
X-R4L-VHOST
OutputRewritten
X-Edge-Location
X-Backend-Name
X-Edge-IP
X-Adobe-Content
X-Nginx-Cache
Content
CACHED-RESPONSE
X-Jcms-Ajax-Id
X-Unbounce-VisitorID
CacheControl
X-Cluster-ID
Mobiquo-Is-Login
Pagely
SBMCLOUD
WEB-CLUSTER-NODE
X-Varnish-Mode
X-VarnishServer
X-GL-SRV
X-Location
X-Obvious-Info
X-Obvious-Tid
Pramga