
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We retrieve the index page of each site with an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites, and we try to poll as many of them as possible each day.

As we collect more data, we will plot changes over time.
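The tally step described above, as an added example that is not the ISC collector's own code: it parses a few constructed HEAD responses, counts each header name once per site, and folds case so that variants such as X-Frame-Options and X-FRAME-OPTIONS (both of which occur in the list below) land in one bucket, since header names are case-insensitive. The sample responses and the SECURITY_HEADERS set are assumptions made for the example.

```python
from collections import Counter

# Constructed sample HEAD responses (not data from the ISC collector); the
# third one varies the case of X-Frame-Options and carries a malformed line.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
    "Set-Cookie: a=1\r\nSet-Cookie: b=2\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n"
    "X-FRAME-OPTIONS: DENY\r\nExpect:\r\nthis line has no colon\r\n\r\n",
]

# Security-relevant headers singled out by the text or present in the list
# (assumed set, lowercase so matching is case-insensitive).
SECURITY_HEADERS = {
    "x-xss-protection", "x-frame-options", "x-content-type-options",
    "strict-transport-security", "content-security-policy",
    "content-security-policy-report-only", "x-content-security-policy",
    "x-permitted-cross-domain-policies",
}


def parse_head_response(raw):
    """Return [(name, value), ...]; lines without a colon are skipped."""
    head = raw.partition("\r\n\r\n")[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # drop the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def tally_headers(responses, fold_case=True):
    """Count sites sending each header (Set-Cookie twice in one response
    counts once). fold_case merges X-Frame-Options and X-FRAME-OPTIONS."""
    counts = Counter()
    for raw in responses:
        counts.update({n.lower() if fold_case else n
                       for n, _ in parse_head_response(raw)})
    return counts


def security_header_coverage(responses):
    """Fraction of sites sending each security-relevant header."""
    counts = tally_headers(responses, fold_case=True)
    return {h: counts.get(h, 0) / len(responses) for h in sorted(SECURITY_HEADERS)}
```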

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
X-AspNet-Version
P3P
Link
X-XSS-Protection
X-Content-Type-Options
Age
X-Cache
Alternate-Protocol
X-Adblock-Key
Content-Language
Content-Location
X-UA-Compatible
Via
X-Varnish
CF-RAY
Keep-Alive
P3p
X-Frame-Options
X-Cacheable
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
Access-Control-Allow-Origin
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-Pad
X-AspNetMvc-Version
X-Geo
X-Geo-Port
X-Runtime
MicrosoftOfficeWebServer
X-Request-Id
X-Powered-CMS
X-Server
X-Cache-Lookup
X-Host
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
X-Rack-Cache
X-XRDS-Location
X-Mod-Pagespeed
Content-Encoding
MicrosoftSharePointTeamServices
X-UA-Device
Strict-Transport-Security
X-Cache-Hits
Host-Header
SPRequestGuid
X-SharePointHealthScore
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-INKT-URI
X-INKT-SITE
X-CACHE
X-Via
X-Tumblr-Pixel-1
X-Robots-Tag
X-Varnish-Cache
X-Webserver
X-CF-Powered-By
X-PhApp
X-Url
X-Page-Speed
X-Tumblr-Pixel-2
X-Firenze-Processing-Times
X-Iinfo
X-Forwarded-For
Composed-By
X-Cnection
X-Accel-Version
X-ServedBy
Served-By
X-MS-InvokeApp
X-Served-By
X-Ua-Compatible
Access-Control-Allow-Headers
X-Hostname
X-Backend
X-ContextId
X-CDN
Access-Control-Allow-Methods
X-XN-Trace-Token
X-XN-XNHTML
X-ShardId
X-Alternate-Cache-Key
X-ShopId
X-Stats-Unique-Token
X-Stats-Visit-Token
X-Tumblr-Pixel-3
X-AH-Environment
X-Powered-By-360WZB
X-Umbraco-Version
Content-Style-Type
Liferay-Portal
Content-Script-Type
X-PC-Hit
X-PC-Key
X-PC-Date
X-PC-Host
X-PC-AppVer
X-FRAME-OPTIONS
X-Mobilized-By
X-Cache-Info
Cartoon
X-Server-Name
Powered-By-ChinaCache
X-W3TC-Minify
X-From
Refresh
X-Spip-Cache
X-Amz-Id-2
X-HeyJason
Thanks
X-Amz-Request-Id
SPIisLatency
X-FB-Debug
Request-Id
X-Outils-CS
SPRequestDuration
Cf-Railgun
X-Cache-Server
Rating
TCN
X-Content-Digest
Magicmarker
X-Px
X-Amz-Cf-Id
X-Original-Content-Length
X-VCache
Page-Completion-Status
NS-RTIMER-COMPOSITE
X-TN-ServedBy
Real-Hostname
X-PHP-Engine
X-Loop
X-Cache-Status
X-Device
Imagetoolbar
X-Content-Encoded-By
X-TNCMS-Render-Time
X-TNCMS-Served-By
X-TNCMS-Version
X-TNCMS-Memory-Usage
X-Powered-By-Anquanbao
PICS-Label
X-Matrix-Proxy
X-Matrix-Server
X-Generated-By
X-Request-ID
X-Varnish-Cacheable
X-Cached-By
IBM-Web2-Location
Time
IISExport
X-Tumblr-Pixel-4
X-Timer
X-Tumblr-Content-Rating
X-Firenze-Processing-Time
X-SERVER
CF-Cache-Status
X-Age
Set-Cookie2
X-Art-Request-Id
Retry-After
X-Node
X-Served-From-Cache
X-Tumblr-Pixel-5
X-Trace-App
X-DynaTrace-JS-Agent
X-FORWARDED-FOR
X-CMS-Version
X-Cached
Access-Control-Max-Age
X-Pantheon-Endpoint
X-Varnish-TTL
X-Pantheon-Styx-Hostname
X-ATG-Version
Product
X-Drectory-Script
MIME-Version
X-ApacheServer
X-PERF
X-PF-Uncompressing
Generator
X-Processed-By
X-Cache-Hit
COMMERCE-SERVER-SOFTWARE
X-I
Powered-By
X-SDS
X-Duration
X-Nitra-Side
RTSS
X-Backend-Server
Access-Control-Request-Method
Charset
X-Cache-Debug
SID
Lsrequestid
X-DDC-Arch-Trace
ServedBy
X-Director
NODE
X-UD-Host
X-UD-Method
X-Purge-Host
X-SRV
X-Vtex-Remote-Cache
X-Vtex-Cache-Key
LFY
SFY
X-App-Hosting
S
X-Vary-Options
X-Content-Options
Surrogate-Control
Accept-Encoding
X-Varnish-Backend
X-DNS-Prefetch-Control
X-FIRSTBase
ServerName
X-Expires-Orig
Content-Disposition
X-Cache-Expires
DynaTrace
X-DynaTrace
Pics-Label
Content-Encoding-Handler
AMF-Ver
X-Purge-URL
X-Cache-Enabled
X-ServerID
X-LiteSpeed-Cache
WWW-Authenticate
X-Speed-Cache-Key
X-ServerName
X-Original-Request
Edge-Control
X-Hits
X-URL
X-Orig-Vary
X-Trace-Cache
X-Actual-URL
X-Handled-By
X-Returned-From-BeforeDispatch
X-Returned-From-PostProcessResponse
X-Passed-To-DLL
X-Passed-To
X-Cookie-Domain
X-Passed-To-BeforeDispatch
Cm-Server
X-Passed-To-PostProcessResponse
X-Returned-From
X-Returned-From-DLL
X-Front
Host
X-Speed-Cache
X-Rendering-Engine
X-Hosted-By
Node
Filter-Revision
X-Cache-Control-Orig
X-NoCache
CT
Proxy-Agent
X-Yadis-Location
X-MJ-Upstream-Addr
X-Cluster-Node
X-App-Start
X-ACMCache
X-Pangea-Version
X-Cache-TTL
X-AOL-SNH
X-GeoIP-Country-Code
Cache
Server-Info
Website-Info
MIH-PLATFORM
Webluker-Edge
MIH-PUBLIC-IDENTIFIER
ORIGIN
MIH-CLIENT-FARM
Pool-Info
X-MJ-Serve-Req-Time
MW-Webserver
Proxy-Connection
X-Srv
X-Time
X-Amz-Meta-S3cmd-Attrs
X-TTL
X-Gamma-Serve
Content-Security-Policy
X-Info
X-StoreSense
X-ProStores-StoreApiEntryPoint
X-Micro-Cache
X-WR-Flags
NetMindSessionID
CommunityServer
QOR-Cache
X-CHSN
X-Sys-Req-ID
Debug-IP-Cntry
Debug-Begin-IP
Id
X-Cache-Action
X-Microcachable
X-Cocoon-Version
X-Source-Host
UniqueName
Debug
X-CDN-Geo-IP
X-Ttl
X-Cache-Rule
X-AspNetWebPages-Version
X-GeoIP-Country-Name
X-CDN-Any-IP
X-CDN-Geo
X-Safe-Firewall
Accept-Charset
X-Highwire-SessionId
X-CJ-Soft
Req-Id
X-Highwire-RequestId
X-Server-ID
From
X-Track
Nodo
X-PwB-Node
X-ID
ServerID
SN
X-Engine
VAR-Cache
X-ServerCache-Info
X-Turbo-Control
A-Powered-By
Srv
X-FW
X-N
NtCoent-Length
Author
Location
X-Cache-Operation
X-Microcache-Status
X-Device-Type
X-Varnish-Hits
REFRESH
SEOMOZ
X-Src-Webcache
X-Permitted-Cross-Domain-Policies
Microsoftsharepointteamservices
X-Machine-Name
MJ12bot
X-ACCELERATE
X-Magento-Lifetime
X-T3CacheInfo
X-DeliveryServer
X-Sharepointhealthscore
Sprequestguid
X-Magento-Action
X-LIGHTHTTP-PCDID
X-Session-Reinit
X-Varnish-Action
Beyond-Iis
F-In-Cache
X-Blog
Hamster
Fhost
X-Trace
X-LI-UUID
X-Bettercache-Proxy
X-Distil-CS
X-Pass-Why
X-Li-Pop
X-FS-UUID
X-FW-Static
X-Server-Web
X-Old-Content-Length
X-Li-Fabric
X-Varnish-Host
X-Geo-IP
Backend
X-Benchmark-Total
X-Benchmark-Sphinx-Count
X-Wily-Info
X-Request-Duration
X-Database-Slave-Connection
X-Cached-Status
X-Benchmark-Sphinx
X-Benchmark-Db
X-Expires
X-Cf-Powered-By
X-Amz-Id-1
Content-Transfer-Encoding
X-Benchmark-Cache
X-Source-ID
X-Varnish-Cache-Hits
X-Response-Time
X-Atraveo-Cache-Control
X-Directory-Script
X-SN
X-Force
X-PRAM
X-Atraveo-From-Varnish-Cache
X-Atraveo-NC
X-Atraveo-Varnish-Server-Id
X-Powered-By-Yqk
X-Atraveo-TTL
X-ASTRO-REWRITE
X-Yqk-Set
X-Ms-Invokeapp
Server2
X-Wily-Servlet
NLCacheNote
X-Country-Code
Content-MD5
X-Debug
X-REDIRECTSERVER
WP-Cache
Server-Name
X-Content-Security-Policy
X-Object-Id
Machine
X-Powered-By-Server
X-Accelerated-By
X-UPSTREAM
X-Object-Type
X-Monstercache-Timeout
X-Version
X-ROUTE-DATA
X-Jphone-Copyright
X-WP
Aoestatic
X-Frontend
CountryCode
X-Channel-Maxage
X-Uid
X-App-Server
X-Varnish-Age
X-Varnish-Server
X-Content-Age
Worker
X-Cms-Mode
X-Dev
X-T3Cache
OHS-WebNode
X-Varnish-ID
X-Frames-Options
X-Cdn
Buuteeq-Source
X-Id
No
X-Vtex-Processado-Em
X-App
X-Translation
Front
X-Node-Name
X-Haiku
X-Phpwcms-Release
Bs-Header
X-EdgeRouter
X-Phpwcms-Page-Processed-In
MirrorName
X-ORACLE-DMS-ECID
X-B2f-Cache-Load
X-Transaction
ScoreTracker
X-Hrouter
SynthaSite-ID
X-GLaDOS
X-ERM-RunTime
X-Enhanced-By
X-NGINX-CACHED
X-ERM-ServerName
Compression-Control
X-NGINX-CACHED-AT
X-Actindo-RS
Web-Server
X-Apache-Backend
X-Snapsis-PageBlaster
CDN
X-Farm-Server
X-Jcms-Ajax-Id
X-Via-Kemp
OriginServer
X-Varnish-IP
X-DTC
X-User-Id
Powered
Hash
X-VarnPar1
X-VarnCache
X-Kirra-SiteId
X-TISSERVER
MASTERWEBLET
X-Varnish-Cache-Server
X-ATM-RTime
X-B2f-Not-Route
X-ATM-RServer
X-CS
X-MidCOM-Meta-Cache
X-Response
X-Powered
X-Vivastreet
X-Vhost
X-Vivastreet-KiwiiPage
X-Varnish-Cache-Local
X-CacheHits
Il-Cl
X-Varnish-Device
X-Oracle-DMS-ECID
CP
X-ERM-ServerName-AppPage
X-JSL
X-JAL
Ssl-Enabled
X-Monstercache-Host
Jobb.Gil.Se
X-PM-ID
X-Cache-Term
X-Upstream
Jobb.Assistentpoolen.Se
Www.Mabracertifiering.Se
X-PageCached
Www.Myjob.Se
X-T3CacheTags
P3P:CP
Test.Executivepeople.Se
Www.Mirrorgate.Se
Open.Jobgate.Se
Jobb.Passal.Se
Pool
X-Ocache
X-B
Ec
X-T
RequestTime
X-ManagedFusion-Rewriter-Version
X-Rewritten-By
X-Cache-Me-Harder
Cluster-ID
X-Seen-By
X-Utime
X-Monstercache
X-Monstercache-Hash
A1B2C3
SS
-Onnection
X-Conf
Ms
X-GC-Read
X-GC-App
X-GC-Write
X-Server-Id
X-Flex-Community
Cteonnt-Length
Provided-Host
Servername
X-Geo-IP-Region
X-Geo-IP-Country
X-Geo-IP-Metro
X-Hash
X-Geo-IPV
X-Flex-Tags
X-Artvisual-Server
X-Flex-Evstart
X-Flex-Evend
X-Flex-Lang
X-Flex-Lastmod
X-Flex-Tag
X-Header
Mime-Version
SIP
X-FCMS-Cache
Content
X-CMS
X-Remote-Addr
Rt-Server
X-MSG-02
X-MSG-01
X-MSG-00
X-DEBUG-X-Id
X-Developer
X-MSG-04
Powered-By-VeryCloud
D
X-MSG-06
X-MSG-05
X-DEBUG-Obj-Ttl
X-Dynamic
X-Web-Node
Hostname
X-Recruiting
X-Nocache
X-Max-Age
7e-Page-Cache
X-Brought-To-You-By
Cmsid
Cmstype
SiteName
Cache-Ctrol
X-MSG-03
X-UD-Target
X-Garden-Version
Atp-Isdpp
X-UD-Loopcounter
ServerId
X-UD-REMOTE-ADDR
PowerCDN
At-Shoptype
X-Real-Server
X-S
At-Isb
X-Venda-Hitid
X-Grid-Server
WEBO
X-Header-Set-Id
X-HOSTNAME
Publisher
X-Caching-Rule-Id
X-FreeTag-Count
LBVIS
X-Nginx-Cache
X-Whom
Origin
X-UserAgent
X-7dig
X-Cache-NHIT
X-7d-Version
X-Locale
X-V
Dispatcher
Rt-Fastcgi-Cache
CData
X-Pixelsilk-Server
X-Hosting-Env
X-HITS
X-MCB-Server
X-Nginx-Server
X-Pixelsilk-Version
WP-AdvCache-MemCached
X-Hc-Host
X-SV
Backend-Host
X-LAvg
X-Cache-On
X-Amz-Version-Id
Render
TypeOfContent
X-Kermit
After
OriginalHost
CacheInfoFetch
Optimizer
Pagely
Head
X-CMS-Server
No-Cookie
X-Empowered-By
-GCR
X-Box
WEBSERVER
CacheInfo
CacheDuration
ServerConfigManager.WebBugTracker
X-Vhost-ID
Tpt.Renderer
Tpt.Renderer1
X-Varnish-Debug-Age
Progma
Before
X-SilverStripe-Cache
XX
X-UA
X-WorkerInstancename
Warning
Content-Instance
X-Varnish-Debug-Hits
X-PS-MURDOCK-ORIG-PROTOCOL
X-VTEX-Router-JanusNet-BackEndLatency
X-VTEX-Router-Powered-By
X-Rewrite
X-VTEX-Router-JanusNet-AspNetLatency
X-VTEX-Router-Backend-App
X-Pagecache
X-Origin
X-Domain-Checked
X-Provisioner-Version
Xc
X-Page-Generated-At
ExecutionTime
X-Origin-Id
Copyright
X-Route
ProxiaInstanceId
X-Framework
X-Server-Node
X-Server-By
CachedXSLT
X-IDS-WS
X-WebFarmNode
X-CCM
X-PvInfo
X-DSMX-Rewrite-MS
X-Cache-Age
X-R4L-VHOST
X-Fortrabbit
X-Proxy
X-Agentscape-Info
X-DSMX-Render-MS
X-Page-Generation-Time
X-VTEX-Router-JanusNet-JanusLatency
MachineName
X-Time-Microsecs
X-Test
X-Varnish-Beresp-Grace
X-Dokk-PortalId
X-Varnish-Beresp-Status
X-PS-MURDOCK-CASE-NORMALIZATION
X-TTL-Age
X-Ratelimit
X-Powered-Developer
Access-Control-Expose-Headers
X-PS-MURDOCK-ORIG-FILEEXT
X-Author
X-Varnish-Beresp-Ttl
X-WR-MODIFICATION
X-JSON-API-LATENCY
X-Your-GrandPa-Would-Wait
X-JSON-API-TTL
X-Purge-Level
X-JSON-API-AGE
Expire
X-Varnish-Debug-Fetch-Host
X-Allow-Redis
X-Uplex
X-Would-Your-GrandPa-Wait
X-NginX-Server
X-ChromeLogger-Data
X-NginX-Cache
Cache-By-CoreNode
LBC
Provider
INCOMING-TIME
Cache-By-Node
X-AISO-Server
X-USERNAME
X-Cache-Lifetime
SRV
X-AISO-Cache
X-Varnish-Hashed-On
UNIQUE-ID
Response
X-Vtex-Server
Expect:
X-RSS-CACHE-STATUS
X-NID
X-Forwarded
X-Location
X-PP
X-Platform
X-Host-Url
B-Powered-By
X-Accel-Expires
X-Config-By
X-Hit
X-GitHub-Request-Id
User-Cache-Control
Test
Http
X-Http-Host
Noahs-Classifieds
X-Varnish-Cookie-Debug
X-MiniProfiler-Ids
X-Cache-Backend
X-DC-Origin-IP
X-WLD-LB
X-Back
Content-Security-Policy-Report-Only
X-Cluster-Host
SBMCLOUD
X-VTEX-Cache
X-Real-IP
X-HOSTTYPE
X-Continum-Server
X-Secret
Source
EI-UNIQUE-ID
DCGI-Server
WEB-CLUSTER-NODE
X-Nginx-Host
X-Client-Addr
X-Generation-Time
X-VTEX-Router-Backend-Environment
X-Seschat-URL
X-MSG-Debug
X-Cache-Set
X-Answer
X-Set-Cookie
X-SeschatDID
X-SeschatLayout
X-CDNHash
X-DEBUG
X-BackendServer
X-CDNIgnore
X-SeschatRedID
X-SeschatTemplateID
SVR
WebDevSrc
DNNOutputCache
X-Source
EWHSERVER
X-Serial
Sigma
X-Modules
X-IP-Address
CacheControlHeader
CacheControlMode
Svr
X-Internal-IP
CACHED-RESPONSE
Server-Ip
X-BackendApp
X-Hop-By
X-CMS-State
X-CMS-Tid
X-CMS-Stage
X-CMS-Sid
X-CMS-Live
X-CMS-Nid
SLB
X-Bcwwwid
Esi-Enabled
Xonnection
Front-End-Https
Mobiquo-Is-Login
Hej
Robots
Accept
X-CMS-CRMSet
EbdTrace
Telligent-Evolution
Server-Optimized-By
Www.Aujourdhui.Com
POOL
X-Nucleus-Cache
X-DELIVERYSERVER
X-D-Time
X-LB
X-CMS-Collection
Accept-Language
X-S-Misc
OGHopCount
Application-Version