
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
X-AspNet-Version
P3P
Link
X-Content-Type-Options
X-XSS-Protection
X-Cache
Age
Alternate-Protocol
X-Adblock-Key
Content-Language
Content-Location
X-UA-Compatible
Via
X-Varnish
X-Frame-Options
CF-RAY
Keep-Alive
P3p
X-Cacheable
X-Check
X-Language
X-Buckets
X-Template
X-Generator
X-Hacker
X-Drupal-Cache
Status
Access-Control-Allow-Origin
MS-Author-Via
WP-Super-Cache
X-Powered-By-Plesk
X-Pad
X-AspNetMvc-Version
X-Runtime
X-Geo
X-Geo-Port
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Server
X-Cache-Lookup
X-Host
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
X-Xss-Protection
X-Rack-Cache
X-XRDS-Location
X-UA-Device
Content-Encoding
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
Strict-Transport-Security
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Tumblr-Pixel-1
X-Cache-Hits
Host-Header
X-SharePointHealthScore
SPRequestGuid
X-Via
X-Robots-Tag
X-Tumblr-Pixel-2
X-INKT-SITE
X-INKT-URI
X-CF-Powered-By
X-Url
X-Webserver
X-Varnish-Cache
X-PhApp
X-Accel-Version
X-Iinfo
X-Forwarded-For
Composed-By
X-ServedBy
Served-By
X-Cnection
X-MS-InvokeApp
X-Page-Speed
X-Firenze-Processing-Times
X-Ua-Compatible
X-Hostname
X-ContextId
X-Served-By
Access-Control-Allow-Headers
X-XN-Trace-Token
X-XN-XNHTML
X-Tumblr-Pixel-3
X-ShardId
X-Alternate-Cache-Key
X-ShopId
X-Stats-Visit-Token
X-Stats-Unique-Token
X-CDN
X-Backend
Access-Control-Allow-Methods
X-Request-ID
X-Powered-By-360WZB
X-AH-Environment
X-PC-Hit
X-PC-Key
X-PC-Date
X-PC-Host
X-PC-AppVer
Liferay-Portal
X-Umbraco-Version
Content-Style-Type
Content-Script-Type
X-Mobilized-By
X-Server-Name
Cartoon
Powered-By-ChinaCache
X-Cache-Info
X-From
Refresh
X-HeyJason
X-W3TC-Minify
X-Spip-Cache
X-Cache-Server
Rating
Thanks
X-Amz-Id-2
SPIisLatency
Request-Id
SPRequestDuration
TCN
X-Outils-CS
X-Amz-Request-Id
X-Content-Digest
X-FB-Debug
Cf-Railgun
X-Px
Magicmarker
X-Amz-Cf-Id
X-SERVER
Real-Hostname
X-Content-Encoded-By
X-TN-ServedBy
X-PHP-Engine
X-Loop
X-VCache
X-Cache-Status
Page-Completion-Status
X-Tumblr-Content-Rating
NS-RTIMER-COMPOSITE
X-Device
X-Original-Content-Length
X-Generated-By
PICS-Label
X-Tumblr-Pixel-4
X-Powered-By-Anquanbao
Imagetoolbar
X-Varnish-Cacheable
X-TNCMS-Render-Time
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-TNCMS-Version
X-Matrix-Server
X-Matrix-Proxy
IBM-Web2-Location
X-Cached-By
Set-Cookie2
X-Tumblr-Pixel-5
X-Pantheon-Styx-Hostname
Retry-After
X-CMS-Version
X-Pantheon-Endpoint
X-Cached
X-Art-Request-Id
X-Firenze-Processing-Time
Product
IISExport
CF-Cache-Status
X-FORWARDED-FOR
X-Timer
X-Backend-Server
X-Varnish-TTL
Access-Control-Max-Age
X-Served-From-Cache
X-Node
Powered-By
X-Drectory-Script
X-SDS
X-PF-Uncompressing
X-DynaTrace-JS-Agent
X-I
COMMERCE-SERVER-SOFTWARE
Time
X-Duration
X-DDC-Arch-Trace
X-Cache-Debug
X-Processed-By
X-ATG-Version
X-Age
X-Nitra-Side
X-Cache-Hit
ServedBy
MIME-Version
Access-Control-Request-Method
X-FIRSTBase
X-Trace-App
Lsrequestid
X-Cache-Enabled
X-Director
Generator
AMF-Ver
X-ApacheServer
X-PERF
X-SRV
X-App-Hosting
X-Purge-Host
RTSS
X-DynaTrace
Accept-Encoding
X-UD-Method
X-UD-Host
Node
X-Vtex-Remote-Cache
X-Vtex-Cache-Key
Surrogate-Control
X-Content-Options
S
DynaTrace
Pics-Label
X-Rendering-Engine
NODE
X-DNS-Prefetch-Control
Content-Encoding-Handler
Charset
X-Purge-URL
X-Vary-Options
Filter-Revision
WWW-Authenticate
X-Expires-Orig
X-Cache-Expires
X-Orig-Vary
X-URL
X-Hosted-By
Content-Disposition
X-Hits
X-Speed-Cache-Key
X-Original-Request
X-Servedby
X-Cookie-Domain
MIH-PUBLIC-IDENTIFIER
MIH-PLATFORM
MIH-CLIENT-FARM
X-Yadis-Location
X-GeoIP-Country-Code
Edge-Control
ServerName
X-Varnish-Backend
X-NoCache
X-Safe-Firewall
X-Cache-Control-Orig
X-Micro-Cache
Id
X-Speed-Cache
Req-Id
SFY
X-Info
LFY
Host
X-Handled-By
X-Returned-From-PostProcessResponse
X-Actual-URL
X-Srv
Webluker-Edge
X-Time
X-Passed-To
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
X-Passed-To-PostProcessResponse
X-Passed-To-DLL
X-Returned-From
X-Passed-To-BeforeDispatch
X-ACMCache
X-ServerID
X-ServerName
SID
X-Cluster-Node
Accept-Charset
Content-Security-Policy
SN
X-LiteSpeed-Cache
X-CJ-Soft
X-GeoIP-Country-Name
X-Amz-Meta-S3cmd-Attrs
X-Gamma-Serve
X-PwB-Node
X-LIGHTHTTP-PCDID
X-Sys-Req-ID
Cm-Server
NetMindSessionID
X-CHSN
Debug
Debug-Begin-IP
UniqueName
Debug-IP-Cntry
X-MJ-Upstream-Addr
X-Ttl
Cache
X-TTL
X-Cache-TTL
X-Front
VAR-Cache
CT
X-Permitted-Cross-Domain-Policies
X-Blog
X-Session-Reinit
X-Source-Host
X-Cocoon-Version
X-Trace
X-FW
Proxy-Connection
X-Trace-Cache
X-Microcachable
X-AspNetWebPages-Version
Author
X-StoreSense
MW-Webserver
X-N
X-Server-ID
X-FW-Static
X-ProStores-StoreApiEntryPoint
Pool-Info
Nodo
X-MJ-Serve-Req-Time
Server2
Hamster
A-Powered-By
X-Track
X-Accelerated-By
X-Distil-CS
Website-Info
MJ12bot
From
Location
Microsoftsharepointteamservices
X-Varnish-Host
CommunityServer
SEOMOZ
Server-Info
REFRESH
Proxy-Agent
X-Sharepointhealthscore
X-ID
ScoreTracker
F-In-Cache
Fhost
Srv
X-Turbo-Control
X-CDN-Geo-IP
X-UPSTREAM
X-CDN-Geo
X-CDN-Any-IP
X-Geo-IP
ORIGIN
X-Varnish-Cache-Hits
NtCoent-Length
X-Varnish-Action
X-Cache-Action
Sprequestguid
Server-Name
Machine
Content-MD5
X-App
X-Highwire-RequestId
X-Highwire-SessionId
X-Engine
Backend
X-Varnish-Hits
X-Bettercache-Proxy
ServerID
X-Cf-Powered-By
X-App-Server
X-ServerCache-Info
X-Cache-Rule
NLCacheNote
RequestTime
Content-Transfer-Encoding
X-VARNISH-Cache
X-Wily-Info
X-Pangea-Version
X-Response-Time
X-Wily-Servlet
X-AOL-SNH
X-Directory-Script
X-Pass-Why
X-App-Start
X-Ms-Invokeapp
X-Benchmark-Db
X-Benchmark-Total
X-Expires
X-Benchmark-Sphinx
X-Benchmark-Sphinx-Count
X-Benchmark-Cache
Cteonnt-Length
X-Object-Type
X-Yqk-Set
X-Powered-By-Yqk
X-Object-Id
X-Frontend
X-Phpwcms-Page-Processed-In
X-Phpwcms-Release
X-Id
X-HOSTNAME
SS
X-WR-Flags
X-FreeTag-Count
Tpt.Renderer1
ServerConfigManager.WebBugTracker
OHS-WebNode
Tpt.Renderer
X-Machine-Name
-GCR
X-ROUTE-DATA
QOR-Cache
Render
X-CacheHits
After
Before
X-ACCELERATE
X-Cdn
X-T3CacheInfo
X-Old-Content-Length
Buuteeq-Source
Front
WP-Cache
X-DD-DomainID
X-Server-Id
Bs-Header
X-Debug
X-Device-Type
X-Node-Name
X-Microcache-Status
X-Amz-Id-1
X-ATM-RServer
X-GLaDOS
Il-Cl
X-MidCOM-Meta-Cache
X-Vivastreet
Hash
X-Varnish-Cache-Server
Ec
X-Transaction
X-Cache-Operation
X-CS
X-Varnish-IP
X-Response
X-Country-Code
X-Monstercache-Timeout
X-Jcms-Ajax-Id
X-Farm-Server
X-Kirra-SiteId
X-Cached-Status
X-Venda-Hitid
X-ATM-RTime
X-WP
X-NGINX-CACHED-AT
X-NGINX-CACHED
CDN
X-B
X-Geo-IPV
X-Varnish-Debug-Age
X-Atraveo-From-Varnish-Cache
X-Atraveo-NC
X-Geo-IP-Region
X-DeliveryServer
X-Atraveo-Varnish-Server-Id
X-Geo-IP-Metro
X-Atraveo-Cache-Control
X-Src-Webcache
X-Seen-By
Pool
X-S
X-MCB-Server
X-Conf
CountryCode
X-Cache-Term
X-Whom
X-Varnish-Debug-Hits
X-PageCached
X-Geo-IP-Country
X-PM-ID
Cluster-ID
D
MASTERWEBLET
X-Actindo-RS
X-Apache-Backend
X-DTC
Cache-Ctrol
Powered-By-VeryCloud
X-Enhanced-By
X-Ocache
X-Varnish-Age
X-Atraveo-TTL
Progma
X-Utime
X-Haiku
Pagely
X-Kermit
X-T
X-Vivastreet-KiwiiPage
X-Content-Age
X-NginX-Cache
Provided-Host
X-Rewritten-By
X-NginX-Server
X-Server-Web
X-Magento-Lifetime
X-Version
X-Magento-Action
X-ManagedFusion-Rewriter-Version
X-Varnish-Server
SRV
X-Grid-Server
X-GC-App
X-GC-Write
X-GC-Read
X-Snapsis-PageBlaster
Beyond-Iis
X-Varnish-ID
X-Server-Node
X-CMS
X-Content-Security-Policy
X-Header
X-Developer
At-Shoptype
ExecuteNonQuerySQLParam
Atp-Isdpp
At-Isb
X-UD-Target
X-UD-Loopcounter
X-UD-REMOTE-ADDR
Rt-Server
X-Powered-By-Server
Head
Content
X-FCMS-Cache
WEBSERVER
Ms
X-CMS-Server
-Onnection
X-Source-ID
OriginServer
X-Channel-Maxage
X-Monstercache-Host
X-Monstercache-Hash
Mime-Version
X-Request-Duration
X-ORACLE-DMS-ECID
MirrorName
X-ASTRO-REWRITE
Jobb.Gil.Se
X-Monstercache
Www.Myjob.Se
X-Remote-Addr
P3P:CP
Open.Jobgate.Se
Jobb.Passal.Se
Test.Executivepeople.Se
Jobb.Assistentpoolen.Se
A1B2C3
Www.Mirrorgate.Se
Www.Mabracertifiering.Se
X-PRAM
X-Database-Slave-Connection
7e-Page-Cache
X-Varnish-Beresp-Status
X-Force
X-Varnish-Beresp-Ttl
X-Max-Age
Hostname
X-Varnish-Beresp-Grace
X-SN
X-B2f-Cache-Load
X-Recruiting
X-Artvisual-Server
X-Translation
X-Upstream
Origin
Robots
INCOMING-TIME
Provider
Publisher
X-Hash
X-T3Cache
X-LI-UUID
X-FS-UUID
X-Uid
X-Li-Fabric
Worker
X-Cms-Mode
X-Jphone-Copyright
WEBO
X-Dev
Aoestatic
X-Li-Pop
Servername
X-REDIRECTSERVER
X-Host-Url
X-T3CacheTags
Ibm-Web2-Location
B-Powered-By
X-Vhost-ID
X-Location
X-Varnish-Device
X-V
X-HITS
X-Powered
Rt-Fastcgi-Cache
X-Dynamic
X-Brought-To-You-By
X-Vhost
X-SilverStripe-Cache
X-Secret
X-AISO-Cache
Application-Version
Front-End-Https
X-Locale
X-UserAgent
X-AISO-Server
XX
Content-Instance
X-Cookie-Pangea-NodeId-Received
X-Time-Microsecs
X-RSS-CACHE-STATUS
X-Author
Powered
X-Cache-Me-Harder
Content-Security-Policy-Report-Only
X-Pixelsilk-Server
X-TISSERVER
X-Hosting-Env
X-Varnish-Cache-Local
X-Real-IP
X-Pixelsilk-Version
X-Amz-Version-Id
X-JAL
X-User-Id
X-JSL
X-Framework
CP
WP-AdvCache-MemCached
X-VarnCache
X-Cache-On
X-Frames-Options
X-Proxy
X-Domain-Checked
X-Provisioner-Version
X-Allow-Redis
X-Purge-Level
SIP
Dispatcher
X-VarnPar1
X-IDS-WS
X-CCM
X-Hc-Host
X-B2f-Not-Route
Esi-Enabled
OriginalHost
X-ERM-ServerName
TypeOfContent
PowerCDN
X-ERM-ServerName-AppPage
Optimizer
Web-Server
CacheDuration
CacheInfo
CacheInfoFetch
Telligent-Evolution
ServerId
X-CMS-Tid
X-Via-Kemp
X-Empowered-By
Compression-Control
X-Box
MachineName
X-WorkerInstancename
CData
Ssl-Enabled
No-Cookie
Warning
X-Oracle-DMS-ECID
X-D-Time
X-7d-Version
X-SV
X-7dig
X-UA
X-CMS-State
Backend-Host
X-CMS-Sid
X-Cache-Set
X-Nginx-Server
X-Execution-Time
X-LAvg
X-Generation-Time
X-CMS-Nid
X-LB
Accept-Language
X-S-Misc
X-Cache-NHIT
X-CMS-Collection
X-CMS-CRMSet
Cneonction
X-CMS-Live
Accept
X-ERM-RunTime
X-CMS-Stage
Cache-By-Node
Cache-By-CoreNode
SynthaSite-ID
X-Flex-Evend
Cmstype
X-Web-Node
X-Flex-Evstart
X-Flex-Lang
X-Flex-Tags
X-Flex-Tag
X-Flex-Lastmod
X-Nocache
X-Flex-Community
X-EdgeRouter
SiteName
No
X-Vtex-Processado-Em
X-Hrouter
Cmsid
X-PS-MURDOCK-ORIG-FILEEXT
X-Dokk-PortalId
X-PS-MURDOCK-CASE-NORMALIZATION
Access-Control-Expose-Headers
X-Would-Your-GrandPa-Wait
X-Your-GrandPa-Would-Wait
X-Test
X-Varnish-Debug-Fetch-Host
X-PS-MURDOCK-ORIG-PROTOCOL
Expire
X-JSON-API-AGE
X-Garden-Version
X-Uplex
X-Life
X-UseReverse-Proxy
X-Webapp
X-Gondor-Server
X-SmugMug-Hiring
X-Router-Backend
X-Router
X-TTL-Age
X-Loc
X-Process-Time
X-Catalyst
X-SmugMug-Values
X-TTFB
X-Cache-Control
X-Client-Vid
X-EPiphany-Vid
HostName
X-UA-Profile
X-Environment
X-TTFB-L
Smug-Env
Apache
X-GeoIP
Be-Va
Noahs-Classifieds
X-WLD-LB
X-DC-Origin-IP
X-Cache-Backend
X-Http-Host
X-GitHub-Request-Id
Http
Test
User-Cache-Control
X-Hit
X-Varnish-Cookie-Debug
X-MiniProfiler-Ids
X-TLServer
X-XFPC-Cache
X-XFPC-Cache-Active
Be-Ip
X-NID
Response
EI-UNIQUE-ID
X-HOSTTYPE
X-USERNAME
X-Ratelimit
X-VTEX-Router-Backend-App
X-Platform
X-PP
Sigma
UNIQUE-ID
X-Modules
X-Back
X-Source
X-Serial
X-Accel-Expires
X-Cache-Age
X-PvInfo
X-DSMX-Render-MS
X-DSMX-Rewrite-MS
X-Server-By
EWHSERVER
X-Cache-Lifetime
X-Varnish-Hashed-On
Xonnection
Mobiquo-Is-Login
X-SeschatRedID
X-SeschatTemplateID
X-BackendServer
X-SeschatLayout
X-SeschatDID
X-Powered-Developer
X-WR-MODIFICATION
X-Seschat-URL
Svr
CacheControlMode
SLB
X-Bcwwwid
Hej
EbdTrace
DNNOutputCache
X-Hop-By
CacheControlHeader
X-WebFarmNode
X-Client-Addr
SBMCLOUD
X-Continum-Server
X-Nginx-Host
OGHopCount
X-Config-By
LBVIS
Copyright
X-Nginx-Cache
WEB-CLUSTER-NODE
DCGI-Server
X-JSON-API-LATENCY
X-JSON-API-TTL
X-Page-Generated-At
Xc
ExecutionTime
Source
X-Route
X-Rewrite
X-Origin-Id
X-R4L-VHOST
X-VTEX-Router-JanusNet-AspNetLatency
X-VTEX-Router-JanusNet-BackEndLatency
X-VTEX-Cache
X-Fortrabbit
CachedXSLT
X-Agentscape-Info
X-VTEX-Router-JanusNet-JanusLatency
X-VTEX-Router-Powered-By
X-Real-Server
X-Origin
X-Cluster-Host
X-Pagecache
X-Header-Set-Id
ProxiaInstanceId
X-Caching-Rule-Id
X-Page-Generation-Time