
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
X-Cache
Alternate-Protocol
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
WP-Super-Cache
Status
X-Drupal-Cache
X-Cacheable
MS-Author-Via
Access-Control-Allow-Origin
X-Pad
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Server
X-Host
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-UA-Device
X-Logged-In
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
Content-Encoding
X-Tumblr-Pixel-1
X-Cache-Hits
X-INKT-SITE
X-INKT-URI
X-Robots-Tag
X-Tumblr-Pixel-2
Host-Header
SPRequestGuid
X-SharePointHealthScore
X-Cnection
X-PhApp
X-W3TC-Minify
X-Varnish-Cache
X-Webserver
X-CF-Powered-By
X-Via
Served-By
X-Forwarded-For
Composed-By
X-Page-Speed
Strict-Transport-Security
X-Firenze-Processing-Times
X-Hostname
X-Served-By
X-ServedBy
X-Url
X-Iinfo
X-XN-Trace-Token
X-XN-XNHTML
X-Accel-Version
X-Tumblr-Pixel-3
Access-Control-Allow-Headers
X-Mobilized-By
X-MS-InvokeApp
Cartoon
X-ContextId
Access-Control-Allow-Methods
X-ShardId
X-Alternate-Cache-Key
X-ShopId
X-Stats-Visit-Token
X-Stats-Unique-Token
X-CDN
X-AH-Environment
X-Umbraco-Version
X-Powered-By-360WZB
X-Backend
Content-Style-Type
Content-Script-Type
Liferay-Portal
Refresh
X-Cache-Info
X-Server-Name
Magicmarker
Powered-By-ChinaCache
Thanks
X-Geo
X-Geo-Port
X-PC-Host
X-PC-Hit
X-PC-Date
X-PC-AppVer
X-PC-Key
X-From
X-Ua-Compatible
X-Cache-Server
X-HeyJason
Rating
X-Amz-Id-2
TCN
X-Outils-CS
Cf-Railgun
X-Amz-Request-Id
Page-Completion-Status
X-Powered-By-Anquanbao
X-FB-Debug
X-Content-Digest
X-TN-ServedBy
Real-Hostname
X-Loop
X-PHP-Engine
X-URL
X-Original-Content-Length
Imagetoolbar
X-Tumblr-Pixel-4
X-Spip-Cache
X-Px
NS-RTIMER-COMPOSITE
SPIisLatency
Request-Id
SPRequestDuration
X-Generated-By
IBM-Web2-Location
X-ChromeLogger-Data
X-TNCMS-Served-By
X-Tumblr-Content-Rating
X-TNCMS-Version
X-TNCMS-Memory-Usage
X-Amz-Cf-Id
X-TNCMS-Render-Time
X-Content-Encoded-By
X-Matrix-Proxy
X-Matrix-Server
X-CDN-Any-IP
X-CDN-Geo-IP
X-CDN-Geo
X-Drectory-Script
PICS-Label
X-Device
Set-Cookie2
X-Cache-Status
X-Cached-By
IISExport
X-Tumblr-Pixel-5
Access-Control-Max-Age
ServerName
X-Firenze-Processing-Time
X-Cached
X-Node
X-Timer
X-CMS-Version
CF-Cache-Status
Retry-After
X-DynaTrace
X-PF-Uncompressing
X-Trace-App
DynaTrace
X-SDS
X-I
Accept-Encoding
X-Age
Generator
ServedBy
X-B2f-Cache-Load
COMMERCE-SERVER-SOFTWARE
Pics-Label
X-ATG-Version
Lsrequestid
X-DDC-Arch-Trace
X-Backend-Server
X-Cache-Debug
Edge-Control
Powered-By
X-Processed-By
RTSS
Product
MIME-Version
X-ApacheServer
SID
Time
X-PERF
X-Pantheon-Styx-Hostname
X-Nitra-Side
X-Pantheon-Endpoint
X-Vary-Options
X-Cache-Hit
Access-Control-Request-Method
X-Hosted-By
Host
X-UD-Method
Content-Encoding-Handler
X-UD-Host
X-Purge-Host
SFY
LFY
X-NoCache
X-Original-Request
X-FORWARDED-FOR
X-Vtex-Cache-Key
Surrogate-Control
X-Vtex-Remote-Cache
X-DynaTrace-JS-Agent
X-Art-Request-Id
X-PwB-Node
X-Speed-Cache-Key
X-DNS-Prefetch-Control
X-Srv
X-Director
Machine
X-LiteSpeed-Cache
X-FIRSTBase
X-Passed-To-BeforeDispatch
X-Handled-By
X-Passed-To-DLL
X-Returned-From
X-Returned-From-PostProcessResponse
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
X-Actual-URL
X-Passed-To-PostProcessResponse
X-Passed-To
WWW-Authenticate
X-Cache-Enabled
X-App-Hosting
Node
X-Ms-Invokeapp
X-Expires-Orig
Location
X-Cookie-Domain
X-Cache-Control-Orig
X-WebServer
NODE
X-Speed-Cache
X-Varnish-Backend
X-Yadis-Location
AMF-Ver
X-Purge-URL
MW-Webserver
X-Orig-Vary
X-Cache-Expires
VAR-Cache
Charset
Cm-Server
Proxy-Agent
X-Served-From-Cache
X-CJ-Soft
Filter-Revision
Microsoftsharepointteamservices
Proxy-Connection
X-Varnish-TTL
X-TTL
Fhost
X-Micro-Cache
Cache
X-SERVER
Content-Disposition
X-ACMCache
X-LIGHTHTTP-PCDID
X-Content-Options
X-ServerID
X-Cocoon-Version
X-Sharepointhealthscore
Sprequestguid
X-ServerName
X-ProStores-StoreApiEntryPoint
X-StoreSense
X-FW
X-GeoIP-Country-Code
X-GeoIP-Country-Name
X-Source-Host
X-Yqk-Set
Server-Info
X-Request-ID
Nodo
Website-Info
X-Powered-By-Yqk
X-MJ-Upstream-Addr
X-Trace-Cache
S
X-Track
ORIGIN
X-Duration
X-Time
CT
X-Server-ID
X-Adobe-Content
SN
X-Hits
Req-Id
X-MJ-Serve-Req-Time
X-SRV
X-Sys-Req-ID
X-Cache-Rule
UniqueName
Id
Webluker-Edge
X-Pangea-Version
X-Gamma-Serve
X-App-Start
Hamster
X-AOL-SNH
X-Varnish-Host
X-Blog
X-Cluster-Node
X-Session-Reinit
Accept-Charset
X-Varnish-Hits
X-App
X-WR-Flags
X-Microcachable
X-Info
From
X-CHSN
NetMindSessionID
Debug-Begin-IP
QOR-Cache
Debug-IP-Cntry
Debug
X-Highwire-SessionId
X-Highwire-RequestId
X-AspNetWebPages-Version
X-Front
X-Kirra-SiteId
ServerID
CommunityServer
X-HS-MC-Reqs
A-Powered-By
X-Trash-Talk
X-Old-Content-Length
X-Cache-TTL
X-Pass-Why
Pagely
X-Engine
X-Target
X-Varnish-Action
X-N
X-Cache-Action
X-UPSTREAM
X-Device-Type
X-Atraveo-Cache-Control
X-Accelerated-By
MvcResult
X-Atraveo-Varnish-Server-Id
X-Atraveo-From-Varnish-Cache
X-ServerCache-Info
X-Src-Webcache
X-Header
X-ASTRO-REWRITE
X-Phpwcms-Release
X-Phpwcms-Page-Processed-In
X-Varnish-IP
X-Machine-Name
X-Microcache-Status
X-Server-Web
X-Distil-CS
X-Varnish-Age
Server2
X-Atraveo-NC
X-Atraveo-TTL
OHS-WebNode
X-Bettercache-Proxy
X-Cdn
X-Geo-IP
X-Directory-Script
X-Turbo-Control
X-ID
MJ12bot
ScoreTracker
SEOMOZ
NtCoent-Length
X-Grid-Server
X-CacheHits
X-DeliveryServer
X-Wily-Servlet
X-PvInfo
X-Varnish-Server
X-Ttl
Ibm-Web2-Location
X-Wily-Info
Pool-Info
X-Cache-Operation
X-Object-Id
X-Enhanced-By
X-Object-Type
X-PRAM
X-FreeTag-Count
X-Database-Slave-Connection
X-Force
SynthaSite-ID
X-Hrouter
X-Request-Duration
X-Id
X-Response-Time
X-Source-ID
Server-Name
X-EdgeRouter
MirrorName
X-Benchmark-Cache
X-Benchmark-Db
X-Whom
X-Benchmark-Total
X-Benchmark-Sphinx
X-Channel-Maxage
X-Benchmark-Sphinx-Count
Content-Transfer-Encoding
X-Domain-Checked
X-Provisioner-Version
X-Country-Code
Srv
X-Source
Warning
X-Frontend
F-In-Cache
WP-Cache
Author
Bs-Header
X-Li-Fabric
X-FS-UUID
X-LI-UUID
X-S
X-Li-Pop
X-Amz-Id-1
Provided-Host
X-Amz-Meta-S3cmd-Attrs
-Onnection
X-ACCELERATE
X-Uid
X-Framework
RequestTime
X-Garden-Version
X-NGINX-CACHED
X-App-Server
X-Debug
X-USERNAME
X-SV
X-Transaction
X-GLaDOS
X-Haiku
X-HOSTTYPE
X-Jphone-Copyright
X-NGINX-CACHED-AT
OriginServer
X-Cms-Mode
X-Hosting-Env
X-Varnish-Debug-Hits
X-Nginx-Server
X-Max-Age
X-Farm-Server
X-Version
X-Varnish-Debug-Age
X-Jcms-Ajax-Id
X-Geo-IP-Region
SS
X-Geo-IP-Country
X-Geo-IPV
X-Geo-IP-Metro
X-REDIRECTSERVER
X-Varnish-Cache-Hits
X-Magento-Lifetime
X-Magento-Action
NLCacheNote
MIH-PLATFORM
X-WP
X-CMS-Server
X-Expires
X-WLD-LB
Backend
X-Nginx-Cache
X-Monstercache-Timeout
X-SN
MIH-CLIENT-FARM
MIH-PUBLIC-IDENTIFIER
7e-Page-Cache
Ec
X-UD-Target
X-UD-REMOTE-ADDR
Powered
X-UD-Loopcounter
X-Varnish-Device
X-Ocache
X-T
Hash
X-B
X-MidCOM-Meta-Cache
Beyond-Iis
Backend-Host
X-Powered
Cache-Ctrol
X-Vhost
X-Conf
CountryCode
X-Vivastreet
Content-MD5
Content
X-Actindo-RS
X-MCB-Server
X-Apache-Backend
X-Translation
X-Cf-Powered-By
ProxiaInstanceId
NodeID
X-Varnish-Cache-Local
X-JAL
X-Vivastreet-KiwiiPage
MASTERWEBLET
Front
X-Cache-Term
SIP
Cluster-ID
X-JSL
X-User-Id
CDN
X-Response
X-Varnish-ID
X-T3CacheInfo
Www.Mirrorgate.Se
X-T3Cache
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
X-Content-Age
Www.Mabracertifiering.Se
P3P:CP
X-SilverStripe-Cache
A1B2C3
X-T3CacheTags
Test.Executivepeople.Se
X-Frames-Options
Www.Myjob.Se
Jobb.Passal.Se
Ssl-Enabled
Open.Jobgate.Se
X-B2f-Not-Route
X-Route
X-Via-Kemp
X-Venda-Hitid
X-Cache-Me-Harder
Compression-Control
If-Modified-Since
PowerCDN
X-Flex-Community
X-Flex-Evstart
X-Flex-Lang
X-Flex-Evend
SRV
X-Oracle-DMS-ECID
X-Node-Name
Pool
X-Recruiting
X-Flex-Lastmod
WEBO
X-Rewritten-By
X-ManagedFusion-Rewriter-Version
X-Flex-Tag
X-Flex-Tags
X-Mii-Cache-Hit
X-Pb-Mii
X-ERM-ServerName-AppPage
X-Fett
X-Origin-Id
X-Device-Group
Ms
X-MSG-05
B-Powered-By
D
X-Test
X-FCMS-Cache
X-Permitted-Cross-Domain-Policies
Rt-Fastcgi-Cache
X-Server-By
X-Box
X-MSG-06
ExecutionTime
X-DEBUG-Obj-Ttl
X-ATP-Server
X-Trace
PUBLISH
LBVIS
X-VarnCache
X-TISSERVER
X-PM-ID
CP
X-MSG-04
X-MSG-03
X-DEBUG-X-Id
Mobiquo-Is-Login
No
X-MSG-00
X-ERM-ServerName
X-MSG-02
X-MSG-01
X-ERM-RunTime
X-Vtex-Processado-Em
X-Web-Node
Rt-Server
Content-Security-Policy
X-7dig
X-7d-Version
Proxy-From
WP-AdvCache-MemCached
X-GC-Read
X-GC-App
VTag
X-Powered-By-Server
X-Varnish-Cache-Server
CacheControlMode
Preview-Refresh
Worker
X-Dev
X-ORACLE-DMS-ECID
Hej
Cmsid
CacheControlHeader
XX
Content-Instance
X-Varnish-Debug-Fetch-Host
X-GC-Write
Cmstype
X-View
X-Full-URL
X-Cache-Backend
Robots
Provider
Atp-Isdpp
X-Monstercache-Hash
X-Monstercache-Host
Publisher
X-Optimization
X-Artvisual-Server
At-Isb
Aoestatic
Xc
X-Monstercache
POOL
At-Shoptype
X-Geoip-Country-Code
INCOMING-TIME
X-Hit
DeleGate-Ver
MachineName
Apache
OMNI-C
X-PS-MURDOCK-ORIG-PROTOCOL
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-UA
Accept-Language
X-Webstats-RespID
Description
Keywords
X-Papaya-Cache
X-Papaya-Gzip
X-Author
X-Answer
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-CASE-NORMALIZATION
No-Cache
X-Ratelimit
X-Host-Url
Mime-Version
X-Empowered-By
X-Origin
X-Cache-Ttl
X-Server-Id
TypeOfContent
X-Platform
X-ProcessESI
X-RemovedCookies
Public-Extension
X-OPNET-Transaction-Trace
HostName
X-User-Agent
SVR
ResourceTag
OriginalHost
Optimizer
X-Pixelsilk-Server
X-Pixelsilk-Version
HAVer
X-Hc-Host
X-XHR-Current-Location
Web-Head
X-PP
HCVer
X-CMS
CacheInfo
CacheInfoFetch
X-Wm-1
X-Varnish-Hit
BKREF
X-BKSrc
X-Time-Microsecs
X-IP-Address
Access-Control-Expose-Headers
X-RE-Ref
RequestId
X-Utime
X-TLServer
Telligent-Evolution
X-Cluster-Host
X-Client-Vid
Copyright
X-EPiphany-Vid
X-Execution-Time
X-Rewrite
X-Nucleus-Cache
Application-Version
X-Header-Set-Id
Front-End-Https
X-Caching-Rule-Id
X-Proxy
SiteName
X-OLM-Node
WebServer
X-CCM
X-IDS-WS
X-Symfony-Cache
Esi-Enabled
Head
X-NginX-Cache
EbdTrace
SiteSpect-Identity
X-Forwarded-Proto
Web-Server
X-LAvg
X-Secret
CachedXSLT
WEBSERVER
X-Agentscape-Info
X-NginX-Server
X-WA-Info
X-Abuse
X-Cache-NHIT
X-FW-Static
Expire
X-Varnish-Cacheable
X-SERVERID
X-WEBSERVER
X-WorkerInstancename
X-NewRelic-App-Data
X-DELIVERYSERVER
X-ServerId
Last-Modified:
X-Crafted
X-PHP-Cache
X-Cache-Lifetime
X-Cache-Age
X-Developer
X-GeoIP
X-IP
X-Set-Cookie
X-Mobile
Pramga
VM
X-ATM-RServer
X-ATM-RTime
X-NID
X-Server-Node
X-Varnish-Id
X-MSEdge-Ref
Www.Aujourdhui.Com
Origin
OGHopCount
X-Page-Generated-At
X-Page-Generation-Time
X-Powered-Developer
X-JSON-API-TTL
X-JSON-API-LATENCY
WZ-Device-Match
WZ-Cache
X-Status
X-Backend-Host
X-WR-MODIFICATION
X-Your-GrandPa-Would-Wait
X-Would-Your-GrandPa-Wait
Http
SAVVIS
X-TTL-Age
X-PoolMember
X-JSON-API-AGE
Buuteeq-Source
OutputRewritten
X-Config-By
SBMCLOUD
X-Rot
X-Vhost-ID
X-Upstream
Content-ID
X-DC-Origin-IP
Source
X-RAMCache
X-Hash
X-Continum-Server
X-Stackable-Node
Cteonnt-Length
X-GitHub-Request-Id
X-VG-WebCache
TimeRestart
X-Cache-Control
X-V-TTL
Xonnection
Response
X-DEBUG
X-TTFB-L
X-V-Outer
X-V-I-TTL
X-Environment
Test
HTTP
X-Created
X-Req-Url
X-Req-Host
Accept
X-CMS-Collection
X-Bcwwwid
SLB
Login-Required
X-Web-Hosting-Service-Provider
X-SmugMug-Values
X-SmugMug-Hiring
X-CMS-Tid
X-CMS-State
X-CMS-Live
X-CMS-CRMSet
X-CMS-Nid
X-CMS-Sid
X-CMS-Stage
X-Extra-Header
X-Hit-Cache
Progma
Ap-Exec-Time-Mks
X-Loc
X-Life
X-ProxyInstancename
ServerId
Srv-N
X-Process-Time
X-Varnish-HitMiss
X-Catalyst
X-Varnish-Count
X-AISO-Server
X-BackendServer
X-AISO-Cache
X-Site:
X-Unbounce-Instance
X-Purge-Level
INFO
X-Allow-Redis
X-TTFB
X-Modules
X-Serial
RayEngine
X-Yottaa-Metrics
X-Varnish-Cookie-Debug
X-Pagename
X-VCache
Noahs-Classifieds
X-Yottaa-Optimizations
UNIQUE-ID