SANS ISC HTTP Header Usage Statistics


This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
Alternate-Protocol
X-Cache
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
WP-Super-Cache
Status
X-Drupal-Cache
MS-Author-Via
Access-Control-Allow-Origin
X-Cacheable
X-Pad
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Host
X-Server
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-Logged-In
X-UA-Device
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
Content-Encoding
X-Tumblr-Pixel-1
X-Cache-Hits
X-INKT-SITE
X-INKT-URI
X-Robots-Tag
X-Tumblr-Pixel-2
Host-Header
X-SharePointHealthScore
SPRequestGuid
X-PhApp
X-Webserver
X-Cnection
X-W3TC-Minify
Composed-By
X-Varnish-Cache
X-CF-Powered-By
X-Via
Served-By
X-Page-Speed
X-Forwarded-For
Strict-Transport-Security
X-Firenze-Processing-Times
X-Url
X-ServedBy
X-Served-By
X-Hostname
X-Iinfo
X-Accel-Version
X-XN-Trace-Token
X-XN-XNHTML
X-Tumblr-Pixel-3
Access-Control-Allow-Headers
Cartoon
X-MS-InvokeApp
X-Mobilized-By
X-ContextId
Access-Control-Allow-Methods
X-CDN
X-Alternate-Cache-Key
X-ShardId
X-ShopId
X-Umbraco-Version
X-Stats-Visit-Token
X-Stats-Unique-Token
X-AH-Environment
X-Backend
Content-Style-Type
X-Powered-By-360WZB
Content-Script-Type
Refresh
Liferay-Portal
X-Cache-Info
X-Server-Name
Magicmarker
Powered-By-ChinaCache
X-PC-Host
X-PC-Key
X-PC-Hit
X-PC-AppVer
X-PC-Date
Thanks
X-FRAME-OPTIONS
X-Geo-Port
X-Geo
X-Ua-Compatible
X-HeyJason
X-Cache-Server
Rating
X-Outils-CS
X-Amz-Id-2
TCN
X-From
Cf-Railgun
X-Amz-Request-Id
X-Powered-By-Anquanbao
X-Content-Digest
X-FB-Debug
Real-Hostname
Page-Completion-Status
X-TN-ServedBy
X-Loop
X-PHP-Engine
IBM-Web2-Location
X-Original-Content-Length
X-Tumblr-Pixel-4
Imagetoolbar
NS-RTIMER-COMPOSITE
X-Spip-Cache
X-Generated-By
X-Px
PICS-Label
X-TNCMS-Version
X-ChromeLogger-Data
X-TNCMS-Render-Time
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-Amz-Cf-Id
X-Matrix-Proxy
X-Matrix-Server
SPIisLatency
SPRequestDuration
Request-Id
X-Device
X-Tumblr-Content-Rating
X-Content-Encoded-By
X-Drectory-Script
Set-Cookie2
X-CDN-Geo
X-Cached-By
X-CDN-Geo-IP
X-CDN-Any-IP
X-Cache-Status
X-Tumblr-Pixel-5
ServerName
X-CMS-Version
IISExport
X-Trace-App
X-URL
X-Node
X-Firenze-Processing-Time
Access-Control-Max-Age
X-Cached
Retry-After
CF-Cache-Status
X-PF-Uncompressing
Generator
X-DynaTrace
X-Age
Accept-Encoding
DynaTrace
X-ATG-Version
X-Timer
X-I
X-DDC-Arch-Trace
X-FORWARDED-FOR
COMMERCE-SERVER-SOFTWARE
Lsrequestid
MIME-Version
X-Cache-Debug
Powered-By
ServedBy
Product
X-Cache-Hit
X-Vary-Options
X-SDS
RTSS
X-ApacheServer
X-Backend-Server
X-Art-Request-Id
X-DynaTrace-JS-Agent
X-PERF
X-Nitra-Side
Time
X-Pantheon-Endpoint
X-Processed-By
X-Pantheon-Styx-Hostname
SID
X-UD-Host
X-UD-Method
X-Hosted-By
Pics-Label
Edge-Control
X-LiteSpeed-Cache
Access-Control-Request-Method
X-NoCache
SFY
LFY
Content-Encoding-Handler
Host
X-App-Hosting
X-PwB-Node
X-Original-Request
X-Speed-Cache-Key
X-Vtex-Remote-Cache
X-Vtex-Cache-Key
Machine
X-DNS-Prefetch-Control
X-Srv
X-Director
X-FIRSTBase
X-Purge-Host
Surrogate-Control
X-Actual-URL
X-Handled-By
X-Passed-To
X-Passed-To-DLL
X-Passed-To-PostProcessResponse
X-Returned-From-BeforeDispatch
X-Returned-From-DLL
X-Returned-From-PostProcessResponse
X-Returned-From
X-Passed-To-BeforeDispatch
X-Cookie-Domain
Proxy-Agent
X-Speed-Cache
NODE
X-Served-From-Cache
Node
X-Cache-Enabled
AMF-Ver
Charset
X-B2f-Cache-Load
X-Varnish-Backend
X-Purge-URL
WWW-Authenticate
Cm-Server
Proxy-Connection
X-Trace-Cache
X-Cache-Expires
X-LIGHTHTTP-PCDID
MW-Webserver
X-Yadis-Location
Cache
Location
X-ServerID
X-Expires-Orig
X-Ms-Invokeapp
X-Orig-Vary
Fhost
X-Cache-Control-Orig
X-CJ-Soft
Microsoftsharepointteamservices
X-GeoIP-Country-Code
VAR-Cache
X-ACMCache
X-GeoIP-Country-Name
X-SERVER
X-Powered-By-Yqk
X-Sharepointhealthscore
X-AOL-SNH
Sprequestguid
X-Yqk-Set
Filter-Revision
X-Duration
Content-Disposition
X-Cache-Rule
X-Content-Options
X-TTL
X-Varnish-TTL
X-Request-ID
X-Time
X-StoreSense
Website-Info
X-ProStores-StoreApiEntryPoint
Server-Info
Accept-Charset
X-Track
X-ServerName
X-Hits
X-Server-ID
X-Cocoon-Version
X-UPSTREAM
SN
X-Micro-Cache
Req-Id
S
X-MJ-Upstream-Addr
X-Front
Hamster
CT
ORIGIN
X-Source-Host
X-SRV
X-MJ-Serve-Req-Time
X-App-Start
X-Adobe-Content
X-FW
UniqueName
X-Old-Content-Length
X-Sys-Req-ID
X-Pangea-Version
Nodo
X-Blog
X-Session-Reinit
NetMindSessionID
Id
X-WR-Flags
X-Highwire-RequestId
QOR-Cache
X-Highwire-SessionId
X-Gamma-Serve
Debug-Begin-IP
X-Info
X-App
X-CHSN
Debug-IP-Cntry
Debug
Webluker-Edge
X-ACCELERATE
X-Src-Webcache
X-Microcachable
From
X-Cluster-Node
X-Cache-Operation
X-PvInfo
X-Varnish-IP
X-Varnish-Host
X-Engine
X-Varnish-Hits
X-HS-MC-Reqs
X-Target
Pagely
ServerID
X-Trash-Talk
X-WebServer
CommunityServer
X-N
X-Accelerated-By
X-Distil-CS
NtCoent-Length
X-Varnish-Action
X-AspNetWebPages-Version
X-Atraveo-NC
A-Powered-By
X-Phpwcms-Page-Processed-In
X-Phpwcms-Release
X-Kirra-SiteId
MvcResult
X-Microcache-Status
X-Varnish-Age
X-Channel-Maxage
X-Turbo-Control
Server2
Pool-Info
X-Server-Web
X-Atraveo-TTL
X-Device-Type
X-Header
X-Pass-Why
X-Atraveo-Varnish-Server-Id
X-ASTRO-REWRITE
X-Atraveo-From-Varnish-Cache
X-DeliveryServer
X-Atraveo-Cache-Control
X-Varnish-Server
X-Cache-Action
OHS-WebNode
X-Cache-TTL
SynthaSite-ID
X-EdgeRouter
X-Geo-IP
X-Hrouter
X-Wily-Info
X-Wily-Servlet
X-Ttl
X-Grid-Server
X-Country-Code
ScoreTracker
X-Machine-Name
X-ID
-Onnection
X-Amz-Id-1
X-Enhanced-By
X-Transaction
WP-Cache
X-Source
X-Garden-Version
X-Benchmark-Sphinx-Count
X-Benchmark-Total
MirrorName
X-Database-Slave-Connection
X-Benchmark-Sphinx
X-Cms-Mode
X-ServerCache-Info
X-Benchmark-Db
X-PRAM
X-Request-Duration
X-Benchmark-Cache
X-Source-ID
X-Force
X-Jphone-Copyright
X-FreeTag-Count
X-CacheHits
Server-Name
X-App-Server
Provided-Host
Content-Transfer-Encoding
X-Id
X-Whom
Author
X-Li-Pop
X-LI-UUID
Warning
X-Li-Fabric
X-Monstercache-Timeout
X-Directory-Script
X-Varnish-Cache-Hits
X-WP
X-FS-UUID
X-GLaDOS
OriginServer
X-Debug
X-USERNAME
X-Cache-Me-Harder
X-Bettercache-Proxy
X-Max-Age
X-Frontend
MJ12bot
X-S
X-SV
X-HOSTTYPE
SEOMOZ
X-Haiku
X-Response-Time
X-Cdn
X-Version
RequestTime
Beyond-Iis
X-Varnish-Debug-Hits
A1B2C3
X-Varnish-Debug-Age
X-Uid
X-IP-Address
X-WLD-LB
X-REDIRECTSERVER
Xc
Front
X-Nginx-Cache
F-In-Cache
X-SN
X-NewRelic-App-Data
X-Magento-Action
X-CMS-Server
X-Magento-Lifetime
X-Expires
X-Content-Age
Ms
Bs-Header
X-Route
X-UD-Target
Ssl-Enabled
X-Via-Kemp
X-UD-REMOTE-ADDR
X-B2f-Not-Route
Rt-Fastcgi-Cache
Cache-Ctrol
P3P:CP
Test.Executivepeople.Se
Open.Jobgate.Se
Jobb.Passal.Se
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
Www.Mabracertifiering.Se
Www.Mirrorgate.Se
X-Ocache
X-T
X-B
X-Frames-Options
Www.Myjob.Se
ProxiaInstanceId
Compression-Control
LBVIS
X-NGINX-CACHED-AT
Backend-Host
Hash
X-NGINX-CACHED
X-Farm-Server
X-Varnish-Cache-Local
X-Vivastreet-KiwiiPage
X-Jcms-Ajax-Id
MASTERWEBLET
NodeID
If-Modified-Since
X-Vivastreet
X-User-Id
X-JSL
X-Venda-Hitid
X-JAL
X-MidCOM-Meta-Cache
Content
X-Response
X-Framework
X-Varnish-Device
NLCacheNote
X-Powered
X-Varnish-ID
X-UD-Loopcounter
X-Conf
Ec
X-Vhost
Powered
D
X-Actindo-RS
CDN
X-Apache-Backend
Cluster-ID
X-Powered-By-Server
Content-MD5
SIP
CountryCode
X-T3CacheTags
X-Amz-Meta-S3cmd-Attrs
X-ERM-ServerName-AppPage
Srv
X-Dev
X-ERM-ServerName
X-ERM-RunTime
X-Cf-Powered-By
X-T3CacheInfo
X-Translation
Backend
X-Test
Worker
X-Cache-Ttl
X-T3Cache
X-Varnish-Debug-Fetch-Host
X-Object-Type
X-Object-Id
X-Monstercache
X-Flex-Evend
X-Flex-Community
WEBO
X-Flex-Lang
X-Oracle-DMS-ECID
X-Flex-Lastmod
X-Monstercache-Hash
X-Monstercache-Host
Content-Instance
X-Geo-IP-Metro
X-Flex-Tag
X-Geo-IP-Region
X-Geo-IPV
X-Geo-IP-Country
PowerCDN
X-Flex-Evstart
SRV
X-Recruiting
X-Flex-Tags
X-Rewritten-By
X-ManagedFusion-Rewriter-Version
X-GC-Write
Cmsid
X-Hosting-Env
X-GC-App
Hej
Cmstype
X-Nginx-Server
X-GC-Read
X-Web-Node
X-View
X-Permitted-Cross-Domain-Policies
B-Powered-By
X-Server-By
CacheControlMode
CP
X-MCB-Server
X-Varnish-Cache-Server
X-ORACLE-DMS-ECID
VTag
X-MSG-03
X-Provisioner-Version
X-Domain-Checked
X-MSG-04
X-DEBUG-X-Id
X-MSG-00
Proxy-From
X-MSG-02
X-MSG-01
Rt-Server
X-Node-Name
X-MSG-05
7e-Page-Cache
Preview-Refresh
X-MSG-06
X-Vtex-Processado-Em
X-DEBUG-Obj-Ttl
No
Pool
PUBLISH
CacheControlHeader
X-Cache-Term
X-Varnish-Cacheable
X-Origin-Id
X-Pb-Mii
X-PM-ID
X-ATP-Server
X-Device-Group
ExecutionTime
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-PS-MURDOCK-CASE-NORMALIZATION
X-FCMS-Cache
Content-Security-Policy
X-PS-MURDOCK-ORIG-FILEEXT
X-Author
X-PS-MURDOCK-ORIG-PROTOCOL
X-Answer
X-Mii-Cache-Hit
X-VarnCache
SS
X-Ratelimit
X-Secret
Mobiquo-Is-Login
X-TISSERVER
X-Artvisual-Server
INCOMING-TIME
Aoestatic
POOL
X-Optimization
X-Full-URL
X-Cache-Backend
X-SilverStripe-Cache
Publisher
X-Geoip-Country-Code
At-Shoptype
Robots
Provider
Atp-Isdpp
At-Isb
XX
X-Papaya-Cache
X-PP
X-Trace
X-Papaya-Gzip
X-IDS-WS
X-CCM
Keywords
X-Platform
X-Proxy
X-Host-Url
Accept-Language
DeleGate-Ver
Expire
X-Client-Vid
X-EPiphany-Vid
X-NginX-Server
X-UA
X-NginX-Cache
X-Execution-Time
X-Webstats-RespID
SVR
X-Rewrite
X-Header-Set-Id
X-Caching-Rule-Id
SiteName
MIH-PLATFORM
X-OPNET-Transaction-Trace
Description
MIH-PUBLIC-IDENTIFIER
X-Nucleus-Cache
X-Cluster-Host
Copyright
MIH-CLIENT-FARM
Access-Control-Expose-Headers
X-Agentscape-Info
HTTP
CachedXSLT
X-Fett
RequestId
X-WR-MODIFICATION
SiteSpect-Identity
Web-Server
Web-Head
X-Forwarded-Proto
X-Server-Id
HCVer
Noahs-Classifieds
X-CMS
HAVer
X-Pixelsilk-Version
Spot
Custom
X-Pixelsilk-Server
X-Varnish-Cookie-Debug
X-XHR-Current-Location
X-7dig
X-Abuse
X-Cache-NHIT
X-7d-Version
X-LAvg
X-Box
X-Empowered-By
X-Allow-Redis
X-Purge-Level
X-Page-Generated-At
X-Page-Generation-Time
X-TTL-Age
X-JSON-API-TTL
X-JSON-API-LATENCY
Mime-Version
X-JSON-API-AGE
X-Would-Your-GrandPa-Wait
X-Your-GrandPa-Would-Wait
X-Modules
X-Serial
TimeRestart
X-Time-Microsecs
X-Hit
X-RE-Ref
X-Extra-Header
X-FW-Static
X-Powered-Developer
WebServer
Front-End-Https
X-WA-Info
Ibm-Web2-Location
Head
Application-Version
X-Symfony-Cache
Esi-Enabled
No-Cache
WEBSERVER
Apache
X-TLServer
Telligent-Evolution
WP-AdvCache-MemCached
EbdTrace
X-WorkerInstancename
X-SERVERID
X-WEBSERVER
X-DELIVERYSERVER
X-AISO-Cache
X-AISO-Server
X-ProxyInstancename
X-BackendServer
CacheInfoFetch
X-Varnish-Count
Http
X-Varnish-HitMiss
X-Site:
X-ProcessESI
X-RemovedCookies
HostName
Optimizer
OriginalHost
Ap-Exec-Time-Mks
X-Loc
Progma
Srv-N
X-Process-Time
X-User-Agent
ServerId
X-Life
X-Unbounce-Instance
TypeOfContent
X-Backend-Host
X-PHP-Cache
X-Upstream
X-Origin
X-GeoIP
Www.Aujourdhui.Com
X-MSEdge-Ref
OutputRewritten
X-Config-By
X-Hash
Buuteeq-Source
X-RAMCache
X-Continum-Server
SBMCLOUD
X-Stackable-Node
X-Set-Cookie
VM
X-Developer
X-Crafted
X-Cache-Lifetime
X-Cache-Age
UNIQUE-ID
CacheInfo
Last-Modified:
X-Server-Node
X-Mobile
X-NID
X-IP
ResourceTag
Public-Extension
X-Catalyst
X-Hc-Host
Nbmt
Nbaid
X-CMS-State
X-DC-Origin-IP
X-CMS-Stage
X-Rot
X-CMS-Tid
SLB
Login-Required
X-PBY
OGHopCount
Xonnection
Mark
X-Bcwwwid
X-Vhost-ID
X-CMS-Sid
X-V-I-TTL
X-Req-Url
X-V-Outer
X-V-TTL
Accept
X-CMS-Collection
X-Req-Host
X-Created
X-CMS-Live
X-CMS-Nid
X-DEBUG
Origin
X-CMS-CRMSet
X-ACLR-Version
X-Web-Hosting-Service-Provider
INFO
X-Pagename
OMNI-C
MachineName
X-Hit-Cache
Test
Response
RayEngine
X-BKSrc
X-Varnish-Hit
BKREF
X-Yottaa-Optimizations
X-Yottaa-Metrics
X-Environment
X-Cache-Control
WZ-Cache
X-VCache
WZ-Device-Match
X-SmugMug-Values
X-SmugMug-Hiring
X-GitHub-Request-Id
X-TTFB
X-Status
Content-Control
X-TTFB-L
Allow
SAVVIS
X-PoolMember
X-Wm-1