
SANS ISC HTTP Header Usage Statistics


This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We fetch the index page of each site with an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.
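
An added example, not code from the ISC project's collector, that parses raw HEAD responses and tallies header names the way this survey does, then reports which of the security-relevant headers a site did not send. The three responses are constructed samples, and header names are folded to lowercase because HTTP field names are case-insensitive, so variants such as P3P and P3p are counted as one header.

```python
from collections import Counter

# Security-relevant response headers the survey singles out (names as on this page).
SECURITY_HEADERS = {
    "x-xss-protection", "x-frame-options", "x-content-type-options",
    "strict-transport-security", "content-security-policy",
    "content-security-policy-report-only", "x-permitted-cross-domain-policies",
}

def parse_head_response(raw):
    """Split a raw HEAD response into its status line and a header dict.
    Names are lowercased: HTTP field names are case-insensitive, and without
    this P3P and P3p would be tallied as two different headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *field_lines = head.split("\r\n")
    headers = {}
    for line in field_lines:
        if ":" not in line:  # tolerate a junk line instead of dropping the site
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers

def tally_headers(responses):
    """Count, for each header name, how many sites sent it at least once."""
    counts = Counter()
    for raw in responses:
        counts.update(set(parse_head_response(raw)[1]))  # set(): once per site
    return counts

def missing_security_headers(raw):
    """Which of the surveyed security headers a single site did not send."""
    return sorted(SECURITY_HEADERS - set(parse_head_response(raw)[1]))

# Constructed sample responses (not real sites): A sends every surveyed header,
# B almost none, C mixes header-name case and repeats Set-Cookie.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nP3P: CP=\"NOI\"\r\nX-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\nContent-Security-Policy: default-src 'self'\r\n"
    "Content-Security-Policy-Report-Only: default-src 'self'\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nP3p: CP=\"NOI\"\r\nContent-Type: text/html\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: IIS\r\nX-Xss-Protection: 0\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: a=1\r\nSet-Cookie: b=2\r\n\r\n",
]

if __name__ == "__main__":
    for name, n in tally_headers(SAMPLE_RESPONSES).most_common():
        print(f"{n:3d}  {name}")
```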

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
X-AspNet-Version
P3P
Link
X-Content-Type-Options
X-XSS-Protection
X-Cache
Age
Alternate-Protocol
X-Adblock-Key
Content-Language
Content-Location
X-UA-Compatible
Via
X-Varnish
X-Frame-Options
CF-RAY
Keep-Alive
P3p
X-Cacheable
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
X-Drupal-Cache
Access-Control-Allow-Origin
Status
MS-Author-Via
WP-Super-Cache
X-Powered-By-Plesk
X-Pad
X-AspNetMvc-Version
X-Runtime
X-Geo
X-Geo-Port
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Server
X-Cache-Lookup
X-Host
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
X-Xss-Protection
X-UA-Device
X-Rack-Cache
X-XRDS-Location
Content-Encoding
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
Strict-Transport-Security
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Tumblr-Pixel-1
X-Cache-Hits
Host-Header
SPRequestGuid
X-SharePointHealthScore
X-Via
X-Robots-Tag
X-Tumblr-Pixel-2
X-INKT-URI
X-INKT-SITE
X-CF-Powered-By
X-Url
X-Webserver
X-Varnish-Cache
X-PhApp
X-Accel-Version
X-Iinfo
X-Forwarded-For
X-ServedBy
Composed-By
X-Page-Speed
Served-By
X-MS-InvokeApp
X-Cnection
X-Ua-Compatible
X-Hostname
X-Firenze-Processing-Times
X-ContextId
X-Served-By
Access-Control-Allow-Headers
X-Tumblr-Pixel-3
X-XN-Trace-Token
X-XN-XNHTML
X-Alternate-Cache-Key
X-ShopId
X-ShardId
X-Stats-Visit-Token
X-Stats-Unique-Token
X-Request-ID
X-Backend
X-CDN
Access-Control-Allow-Methods
X-Powered-By-360WZB
X-AH-Environment
X-PC-Hit
X-PC-Key
X-PC-AppVer
X-PC-Date
X-PC-Host
X-Umbraco-Version
Liferay-Portal
Content-Style-Type
Content-Script-Type
X-Mobilized-By
X-Server-Name
Cartoon
Powered-By-ChinaCache
X-Cache-Info
X-From
Refresh
X-W3TC-Minify
Rating
X-Cache-Server
X-HeyJason
Thanks
X-Amz-Id-2
X-Spip-Cache
Request-Id
SPIisLatency
SPRequestDuration
X-Amz-Request-Id
X-Outils-CS
TCN
Cf-Railgun
X-FB-Debug
X-Content-Digest
X-Px
Magicmarker
X-Amz-Cf-Id
X-TN-ServedBy
Real-Hostname
X-VCache
X-PHP-Engine
X-Loop
X-Content-Encoded-By
X-Cache-Status
X-Tumblr-Content-Rating
X-Original-Content-Length
Page-Completion-Status
X-Device
X-Generated-By
NS-RTIMER-COMPOSITE
PICS-Label
X-Tumblr-Pixel-4
Imagetoolbar
X-Powered-By-Anquanbao
X-Varnish-Cacheable
X-TNCMS-Memory-Usage
X-TNCMS-Version
X-TNCMS-Render-Time
X-TNCMS-Served-By
X-Matrix-Server
X-Matrix-Proxy
IBM-Web2-Location
X-Cached-By
X-Tumblr-Pixel-5
X-SERVER
Set-Cookie2
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-CMS-Version
Retry-After
X-Art-Request-Id
Product
X-Cached
IISExport
X-Firenze-Processing-Time
X-Timer
X-FORWARDED-FOR
CF-Cache-Status
X-Backend-Server
X-Varnish-TTL
Access-Control-Max-Age
Powered-By
X-Served-From-Cache
X-Node
X-Drectory-Script
X-SDS
X-PF-Uncompressing
X-I
Time
X-Duration
X-DDC-Arch-Trace
MIME-Version
COMMERCE-SERVER-SOFTWARE
X-Cache-Debug
X-Cache-Hit
X-Nitra-Side
X-Age
X-Processed-By
ServedBy
X-App-Hosting
X-Cache-Enabled
Access-Control-Request-Method
Lsrequestid
X-DynaTrace-JS-Agent
X-FIRSTBase
X-Director
Generator
X-PERF
X-DynaTrace
X-SRV
X-ApacheServer
X-UD-Method
X-UD-Host
X-ATG-Version
RTSS
Accept-Encoding
AMF-Ver
X-Purge-Host
DynaTrace
X-Vtex-Cache-Key
Surrogate-Control
Node
X-Vtex-Remote-Cache
S
Pics-Label
X-Rendering-Engine
X-Content-Options
X-DNS-Prefetch-Control
NODE
Content-Encoding-Handler
X-Expires-Orig
Charset
WWW-Authenticate
Filter-Revision
X-Trace-App
X-Original-Request
X-URL
SFY
LFY
X-Orig-Vary
X-Purge-URL
X-Hosted-By
X-Speed-Cache-Key
X-Vary-Options
X-Cache-Expires
X-Servedby
MIH-PLATFORM
MIH-PUBLIC-IDENTIFIER
Content-Disposition
MIH-CLIENT-FARM
X-Cookie-Domain
X-Returned-From-BeforeDispatch
X-Varnish-Backend
X-Returned-From
Edge-Control
X-Passed-To-BeforeDispatch
X-Returned-From-PostProcessResponse
X-Returned-From-DLL
X-Hits
X-NoCache
X-Cache-Control-Orig
X-Actual-URL
X-Passed-To-DLL
X-Passed-To-PostProcessResponse
X-Passed-To
X-Handled-By
X-Info
X-Safe-Firewall
X-Yadis-Location
Id
X-Speed-Cache
ServerName
X-GeoIP-Country-Code
X-Micro-Cache
X-LiteSpeed-Cache
X-Srv
Host
Req-Id
X-ACMCache
X-Cluster-Node
X-ServerName
SID
X-ServerID
SN
Webluker-Edge
X-GeoIP-Country-Name
X-Gamma-Serve
X-Amz-Meta-S3cmd-Attrs
X-PwB-Node
Cache
X-Time
Accept-Charset
X-CJ-Soft
Content-Security-Policy
X-Sys-Req-ID
NetMindSessionID
X-Microcachable
X-CHSN
UniqueName
Debug-IP-Cntry
X-LIGHTHTTP-PCDID
Debug
Debug-Begin-IP
X-TTL
X-MJ-Upstream-Addr
VAR-Cache
X-Cache-TTL
X-Ttl
X-Cocoon-Version
X-Permitted-Cross-Domain-Policies
X-FW
X-Trace
CT
X-AspNetWebPages-Version
X-Blog
X-Session-Reinit
Proxy-Connection
X-Source-Host
Cm-Server
X-N
Pool-Info
Nodo
MW-Webserver
X-FW-Static
X-MJ-Serve-Req-Time
CommunityServer
X-Front
Author
X-Server-ID
X-Accelerated-By
Hamster
X-Track
Server2
A-Powered-By
MJ12bot
X-ProStores-StoreApiEntryPoint
X-StoreSense
X-Distil-CS
SEOMOZ
X-Varnish-Host
Microsoftsharepointteamservices
Website-Info
REFRESH
From
Server-Info
Location
NtCoent-Length
X-Cache-Rule
Machine
Srv
ScoreTracker
Sprequestguid
F-In-Cache
X-ID
X-Cache-Action
X-Geo-IP
X-Sharepointhealthscore
X-Trace-Cache
X-UPSTREAM
X-Varnish-Cache-Hits
Fhost
ORIGIN
X-Varnish-Action
X-CDN-Geo-IP
X-CDN-Any-IP
X-CDN-Geo
X-Engine
X-Bettercache-Proxy
X-App
Content-MD5
Proxy-Agent
Backend
X-Pass-Why
X-App-Start
X-Response-Time
X-Ms-Invokeapp
X-Wily-Servlet
X-ServerCache-Info
X-Benchmark-Total
X-Benchmark-Sphinx
X-Wily-Info
X-Benchmark-Db
X-Turbo-Control
Server-Name
X-Cf-Powered-By
X-Benchmark-Sphinx-Count
X-App-Server
X-Expires
X-AOL-SNH
X-Benchmark-Cache
ServerID
X-Pangea-Version
X-Directory-Script
X-Id
X-Microcache-Status
Cteonnt-Length
X-Yqk-Set
X-Powered-By-Yqk
X-Device-Type
X-Frontend
X-Highwire-SessionId
X-HOSTNAME
X-Phpwcms-Page-Processed-In
X-Phpwcms-Release
X-Object-Type
X-Object-Id
X-Highwire-RequestId
OHS-WebNode
X-Cdn
-GCR
RequestTime
X-Varnish-Hits
QOR-Cache
X-Cache-Operation
X-CacheHits
X-Machine-Name
NLCacheNote
Content-Transfer-Encoding
SS
X-WR-Flags
X-FreeTag-Count
X-ROUTE-DATA
X-Varnish-Age
X-Old-Content-Length
WP-Cache
X-Server-Id
Front
X-Node-Name
Bs-Header
X-T3CacheInfo
X-Debug
X-DD-DomainID
X-Atraveo-NC
X-PM-ID
Cluster-ID
X-Vivastreet
Pool
X-Atraveo-Cache-Control
X-Transaction
X-Atraveo-From-Varnish-Cache
Tpt.Renderer1
CDN
X-Whom
X-Apache-Backend
Tpt.Renderer
X-Vivastreet-KiwiiPage
X-Actindo-RS
Il-Cl
X-Ocache
Powered-By-VeryCloud
Cache-Ctrol
X-S
X-Cache-Term
Ec
X-Geo-IP-Country
CountryCode
X-Geo-IP-Region
X-Geo-IP-Metro
X-Conf
X-Haiku
X-Atraveo-TTL
X-Geo-IPV
X-Utime
X-T
X-Varnish-IP
X-GLaDOS
X-Atraveo-Varnish-Server-Id
X-PageCached
Progma
X-Seen-By
X-B
X-DTC
X-Varnish-Cache-Server
X-DeliveryServer
X-MidCOM-Meta-Cache
X-Response
MASTERWEBLET
Pagely
X-Kermit
X-CS
Before
X-Venda-Hitid
X-Kirra-SiteId
X-Snapsis-PageBlaster
After
X-ATM-RServer
X-ATM-RTime
X-Enhanced-By
D
X-Cached-Status
Render
X-Jcms-Ajax-Id
ServerConfigManager.WebBugTracker
X-NGINX-CACHED
X-Farm-Server
X-NGINX-CACHED-AT
Hash
X-GC-App
X-Magento-Action
X-Magento-Lifetime
X-Rewritten-By
Servername
X-Grid-Server
X-ManagedFusion-Rewriter-Version
X-Version
SRV
X-Server-Web
X-GC-Write
X-Translation
X-GC-Read
X-Varnish-Server
Provided-Host
X-UD-REMOTE-ADDR
X-Frames-Options
X-Server-Node
X-UD-Target
X-Powered-By-Server
X-Varnish-Debug-Hits
X-Varnish-Debug-Age
Rt-Server
Beyond-Iis
X-Varnish-ID
X-Country-Code
-Onnection
Atp-Isdpp
At-Shoptype
At-Isb
X-Vhost-ID
X-CMS
OriginServer
X-Proxy
X-Varnish-Beresp-Ttl
X-Recruiting
Hostname
X-ASTRO-REWRITE
MirrorName
X-Database-Slave-Connection
X-Request-Duration
X-Monstercache-Timeout
Ms
X-Developer
WEBSERVER
X-FCMS-Cache
X-SN
7e-Page-Cache
X-Source-ID
X-Force
X-PRAM
Head
Content
X-ORACLE-DMS-ECID
X-Amz-Id-1
X-WP
X-Varnish-Beresp-Status
Mime-Version
X-Header
X-Max-Age
X-Src-Webcache
X-Varnish-Beresp-Grace
X-MCB-Server
X-CMS-Server
X-UD-Loopcounter
X-Content-Security-Policy
X-Uid
Origin
Aoestatic
X-Li-Pop
X-Li-Fabric
X-FS-UUID
X-Upstream
X-ACCELERATE
X-REDIRECTSERVER
Provider
Cmstype
X-NginX-Server
X-Cms-Mode
X-NginX-Cache
X-Dev
X-Jphone-Copyright
Cmsid
Publisher
Worker
Buuteeq-Source
X-Artvisual-Server
X-LI-UUID
X-Hash
X-T3Cache
X-Content-Age
INCOMING-TIME
Robots
X-Dynamic
X-Host-Url
B-Powered-By
X-Location
X-RSS-CACHE-STATUS
X-Brought-To-You-By
X-Server-By
X-PvInfo
X-B2f-Not-Route
X-Cache-Me-Harder
X-V
Content-Security-Policy-Report-Only
X-Channel-Maxage
X-Monstercache
A1B2C3
X-T3CacheTags
X-UserAgent
Web-Server
Compression-Control
X-ERM-RunTime
X-ERM-ServerName
X-Locale
X-ERM-ServerName-AppPage
X-Monstercache-Hash
X-Monstercache-Host
Jobb.Passal.Se
Jobb.Gil.Se
Dispatcher
X-Cache-On
ExecuteNonQuerySQLParam
X-Cookie-Pangea-NodeId-Received
Jobb.Assistentpoolen.Se
Www.Myjob.Se
P3P:CP
Open.Jobgate.Se
Test.Executivepeople.Se
Www.Mabracertifiering.Se
Www.Mirrorgate.Se
X-Via-Kemp
Ssl-Enabled
X-Varnish-Cache-Local
X-Fortrabbit
X-Real-IP
X-Framework
X-JAL
X-User-Id
X-Agentscape-Info
CachedXSLT
X-WebFarmNode
X-DSMX-Rewrite-MS
X-CCM
X-IDS-WS
X-Client-Addr
X-JSL
CP
X-Powered
Powered
X-Varnish-Device
X-Vhost
X-AISO-Server
X-Secret
X-Provisioner-Version
X-Domain-Checked
X-TISSERVER
X-Amz-Version-Id
X-VarnCache
X-VarnPar1
SIP
X-DSMX-Render-MS
X-LB
TypeOfContent
X-UA
X-Pixelsilk-Version
X-Box
X-7dig
XX
X-Cache-NHIT
OriginalHost
CacheInfoFetch
ServerId
X-WorkerInstancename
Warning
Optimizer
X-7d-Version
X-SV
No-Cookie
X-Purge-Level
X-HITS
CData
X-AISO-Cache
X-Pixelsilk-Server
X-Empowered-By
Ibm-Web2-Location
X-LAvg
Backend-Host
X-Nginx-Server
X-Cache-Set
X-Hosting-Env
PowerCDN
X-Hc-Host
X-CMS-Tid
X-SilverStripe-Cache
X-CMS-State
X-CMS-Stage
X-Time-Microsecs
X-CMS-Sid
Rt-Fastcgi-Cache
X-Author
Application-Version
CacheDuration
MachineName
Esi-Enabled
Front-End-Https
WP-AdvCache-MemCached
X-CMS-Nid
X-Generation-Time
X-S-Misc
X-D-Time
Content-Instance
X-Allow-Redis
Telligent-Evolution
X-CMS-Collection
Accept-Language
Accept
X-CMS-Live
X-CMS-CRMSet
CacheInfo
X-Web-Node
X-Flex-Evstart
X-Flex-Community
X-Flex-Evend
No
X-Hrouter
WEBO
X-B2f-Cache-Load
SiteName
Cache-By-CoreNode
Cache-By-Node
X-Flex-Lang
X-EdgeRouter
X-Flex-Tag
X-Flex-Lastmod
SynthaSite-ID
X-Flex-Tags
X-Nocache
X-Vtex-Processado-Em
X-Hit
User-Cache-Control
Test
Http
X-PS-MURDOCK-ORIG-PROTOCOL
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-CASE-NORMALIZATION
X-Garden-Version
Access-Control-Expose-Headers
X-Ratelimit
X-Remote-Addr
X-GitHub-Request-Id
X-USERNAME
X-Gondor-Server
X-SmugMug-Hiring
X-SmugMug-Values
X-TTFB
X-Webapp
X-UseReverse-Proxy
X-Catalyst
X-Router
X-Router-Backend
X-TTFB-L
Smug-Env
X-Client-Vid
X-EPiphany-Vid
X-Execution-Time
Cneonction
X-Cache-Control
Apache
X-Environment
X-UA-Profile
X-Process-Time
X-Loc
X-MiniProfiler-Ids
EI-UNIQUE-ID
X-HOSTTYPE
X-Varnish-Cookie-Debug
X-Cache-Backend
Noahs-Classifieds
X-WLD-LB
X-DC-Origin-IP
X-Test
Response
Be-Va
X-GeoIP
X-Life
Be-Ip
X-XFPC-Cache-Active
X-NID
X-TLServer
X-XFPC-Cache
X-Http-Host
Source
X-VTEX-Router-Backend-App
X-R4L-VHOST
X-VTEX-Router-JanusNet-AspNetLatency
X-VTEX-Cache
Svr
X-SeschatLayout
X-SeschatDID
X-Seschat-URL
X-VTEX-Router-JanusNet-BackEndLatency
X-VTEX-Router-JanusNet-JanusLatency
X-Header-Set-Id
X-Pagecache
X-Real-Server
X-Caching-Rule-Id
CacheControlMode
X-VTEX-Router-Powered-By
ProxiaInstanceId
X-SeschatRedID
X-SeschatTemplateID
X-Bcwwwid
SLB
UNIQUE-ID
Hej
Mobiquo-Is-Login
X-Back
Xonnection
X-Platform
X-PP
EbdTrace
X-Hop-By
X-BackendServer
X-Varnish-Hashed-On
X-Cache-Lifetime
X-Accel-Expires
X-Cache-Age
CacheControlHeader
X-Origin
X-Page-Generation-Time
X-TTL-Age
X-Would-Your-GrandPa-Wait
X-Page-Generated-At
X-JSON-API-TTL
Xc
X-JSON-API-LATENCY
X-Your-GrandPa-Would-Wait
X-JSON-API-AGE
X-Dokk-PortalId
X-Uplex
X-Varnish-Debug-Fetch-Host
X-Serial
X-Modules
Expire
Sigma
ExecutionTime
X-Route
X-Source
Copyright
X-Nginx-Cache
LBVIS
X-Rewrite
X-Cluster-Host
X-Origin-Id
X-Oracle-DMS-ECID
X-Config-By
WEB-CLUSTER-NODE
DCGI-Server
OGHopCount
X-Nginx-Host
X-Continum-Server
EWHSERVER
SBMCLOUD
DNNOutputCache