
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a "HEAD" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
X-UA-Compatible
Via
Content-Location
Keep-Alive
CF-RAY
X-Varnish
X-Frame-Options
X-Adblock-Key
P3p
X-Check
X-Cacheable
X-Language
X-Template
X-Buckets
X-Generator
Access-Control-Allow-Origin
X-Hacker
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Pad
X-Runtime
X-Geo
X-Geo-Port
MicrosoftOfficeWebServer
X-Request-Id
X-Powered-CMS
X-Server
X-Cache-Lookup
X-Host
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
Strict-Transport-Security
X-Ua-Compatible
Ngpass-All
X-Mod-Pagespeed
X-UA-Device
X-Rack-Cache
X-XRDS-Location
MicrosoftSharePointTeamServices
X-Cache-Hits
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Host-Header
Content-Encoding
X-Tumblr-Pixel-1
SPRequestGuid
X-Via
X-SharePointHealthScore
X-Robots-Tag
X-Xss-Protection
X-INKT-SITE
X-INKT-URI
X-CF-Powered-By
X-FRAME-OPTIONS
X-Url
X-Varnish-Cache
X-Tumblr-Pixel-2
X-Iinfo
X-Accel-Version
X-Cnection
X-PhApp
X-Backend
X-ServedBy
Access-Control-Allow-Headers
Composed-By
X-Webserver
X-Served-By
X-Page-Speed
X-Forwarded-For
X-MS-InvokeApp
Served-By
X-Firenze-Processing-Times
Access-Control-Allow-Methods
X-ContextId
X-CDN
X-ShopId
X-ShardId
X-Alternate-Cache-Key
X-XN-Trace-Token
X-XN-XNHTML
X-Hostname
X-Tumblr-Pixel-3
X-Ac
X-AH-Environment
X-PC-Hit
X-PC-Key
X-PC-Date
X-PC-Host
X-PC-AppVer
X-Powered-By-360WZB
Content-Style-Type
Content-Script-Type
Liferay-Portal
X-Request-ID
X-Age
X-Server-Name
X-Served-With
X-Umbraco-Version
X-Spip-Cache
Refresh
X-Cache-Info
X-Port
X-Cache-Server
X-Safe-Firewall
Cf-Railgun
Cartoon
X-Cache-Result
Request-Id
X-Amz-Id-2
Powered-By-ChinaCache
SPIisLatency
SPRequestDuration
X-Mobilized-By
Rating
X-FB-Debug
X-Content-Digest
X-Amz-Request-Id
X-HeyJason
X-Amz-Cf-Id
TCN
X-FORWARDED-FOR
X-Outils-CS
X-Px
X-TN-ServedBy
Real-Hostname
X-W3TC-Minify
X-Tumblr-Pixel-4
X-Loop
X-Pass-Why
X-PHP-Engine
X-Cache-Status
Thanks
X-VCache
Magicmarker
IBM-Web2-Location
X-Generated-By
X-Node
X-PersistenceNode
X-Original-Content-Length
X-TNCMS-Version
Page-Completion-Status
X-TNCMS-Memory-Usage
X-TNCMS-Served-By
X-TNCMS-Render-Time
X-Device
Imagetoolbar
X-Cached-By
X-Hyper-Cache
X-Served-From-Cache
X-Content-Encoded-By
NS-RTIMER-COMPOSITE
X-Tumblr-Content-Rating
X-Matrix-Server
X-Matrix-Proxy
X-Timer
X-Styx-Version
X-Styx-Build-Sha
X-Styx-Req-Id
X-Styx-Build-Num
X-Cached
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-Styx-Build-Date
X-Varnish-Cacheable
Content-Security-Policy
X-Tumblr-Pixel-5
X-From
CF-Cache-Status
X-Powered-By-Anquanbao
X-DynaTrace
X-CMS-Version
Retry-After
X-HOST
X-Varnish-TTL
X-Firenze-Processing-Time
X-HOSTNAME
Time
Product
X-Cache-Enabled
IISExport
Pics-Label
Generator
DynaTrace
Set-Cookie2
X-URL
X-Backend-Server
X-Cache-Debug
Powered-By
X-App-Hosting
Access-Control-Max-Age
X-SERVER
ServedBy
X-UD-Method
X-DDC-Arch-Trace
PICS-Label
X-UD-Host
X-Cache-Hit
Lsrequestid
X-Rendering-Engine
X-SDS
Node
X-Nitra-Side
X-Microcachable
X-ATG-Version
X-I
X-Original-Request
X-NoCache
MIME-Version
X-Processed-By
X-CDN-Any-IP
X-CDN-Geo
X-CDN-Geo-IP
X-Drectory-Script
X-Duration
X-Trace-App
X-PF-Uncompressing
X-Purge-Host
X-Returned-From-BeforeDispatch
X-Returned-From
Response
X-Returned-From-PostProcessResponse
X-Passed-To-DLL
X-Cookie-Domain
X-Returned-From-DLL
X-Passed-To-PostProcessResponse
X-Passed-To
Cache
X-Actual-URL
X-Handled-By
X-Passed-To-BeforeDispatch
X-DynaTrace-JS-Agent
Charset
X-Art-Request-Id
X-Sol
ServerName
Ngpass-Vcall
S
X-Content-Options
Content-Encoding-Handler
Proxy-Agent
Accept-Encoding
X-Cache-Expires
X-Xrds-Location
AMF-Ver
X-PERF
X-ApacheServer
Vacache
X-SRV
X-Purge-URL
Access-Control-Request-Method
X-LiteSpeed-Cache
X-Expires-Orig
X-Middleton-Response
COMMERCE-SERVER-SOFTWARE
X-Director
X-Varnish-Backend
X-Speed-Cache-Key
X-Speed-Cache
X-Hits
X-Ms-Invokeapp
Filter-Revision
X-Vary-Options
X-GeoIP-Country-Code
X-DNS-Prefetch-Control
X-Cache-Control-Orig
X-Sharepointhealthscore
Sprequestguid
X-Orig-Vary
Fhost
X-PwB-Node
X-Content-Security-Policy
X-GeoIP-Country-Name
X-ServerID
X-FW
Machine
X-Micro-Cache
Edge-Control
SID
RTSS
X-CJ-Soft
Host
X-Front
NODE
Content-Disposition
X-VARNISH-Cache
X-FIRSTBase
X-Hosted-By
Cm-Server
X-B2f-Cache-Load
X-ServerName
X-Beep
Surrogate-Control
X-FW-Static
WWW-Authenticate
Server-Info
Website-Info
MJ12bot
SEOMOZ
Accept-Charset
X-Track
X-Cocoon-Version
X-Yadis-Location
VAR-Cache
ServerID
X-Varnish-IP
X-Gamma-Serve
X-Directory-Script
UniqueName
X-Source-Host
X-ACMCache
X-TTL
X-WebKit-CSP
X-AOL-SNH
X-Cluster-Node
X-WebServer
X-App-Start
X-Pangea-Version
X-Trace-Cache
X-Server-ID
NetMindSessionID
X-Permitted-Cross-Domain-Policies
SN
X-AspNetWebPages-Version
X-User-Agent
Hamster
CT
Req-Id
Server-Name
X-Highwire-SessionId
A-Powered-By
X-Distil-CS
X-Srv
X-Highwire-RequestId
X-Varnish-Object-Age
X-Varnish-Host
X-Session-Reinit
X-CacheHits
X-Ttl
X-MJ-Upstream-Addr
X-CHSN
NtCoent-Length
X-Cache-TTL
MW-Webserver
X-LIGHTHTTP-PCDID
X-ProStores-StoreApiEntryPoint
X-StoreSense
X-Blog
Id
X-Varnish-Hits
X-WR-Flags
CommunityServer
Pool-Info
X-Device-Type
X-Engine
X-Microcache-Status
X-Whom
X-Outils-Cs
X-Grid-Server
X-ID
X-Time
Nodo
X-Geo-IP
X-Ar-Debug
X-Bettercache-Proxy
Cteonnt-Length
X-Cache-Action
X-Vtex-Remote-Cache
X-Machine-Name
X-Trace
X-Vtex-Cache-Key
X-Sys-Req-ID
From
X-WEBSERVER
Server2
Content-Security-Policy-Report-Only
Webluker-Edge
Ms
X-MJ-Serve-Req-Time
X-Info
X-Atraveo-NC
X-Atraveo-Varnish-Server-Id
X-TempDebug
X-Atraveo-From-Varnish-Cache
Origin
X-Transaction
Srv
QOR-Cache
X-Cache-Rule
Proxy-Connection
X-Wily-Info
X-Atraveo-TTL
X-Wily-Servlet
X-Id
X-ServerCache-Info
Cache-By-Node
X-Atraveo-Cache-Control
X-App
MIH-CLIENT-FARM
X-App-Status
MIH-PLATFORM
X-Translation
X-Server-IP
X-Provisioner-Version
X-Domain-Checked
MIH-PUBLIC-IDENTIFIER
X-Ar-Forwarded-For
X-Yqk-Set
X-Varnish-Server
F-In-Cache
LBVIS
X-Powered-By-Yqk
X-Li-Pop
X-Src-Webcache
X-LI-UUID
X-S
X-Li-Fabric
X-FS-UUID
X-Country-Code
Buuteeq-Source
X-Object-Id
Author
X-Object-Type
X-Empowered-By
X-LB
X-N
X-Expires
Edgecast
X-Source-ID
X-Turbo-Control
X-Amz-Id-1
X-Force
X-PRAM
X-Origin
Grace
X-Cache-Config
X-Cached-Status
X-FreeTag-Count
X-Frontend
X-REDIRECTSERVER
Content-Transfer-Encoding
Backend
X-Rewritten-By
X-ROUTE-DATA
X-ManagedFusion-Rewriter-Version
Apache
PageSpeed
X-Old-Content-Length
OriginServer
SS
X-Version
X-Connection-Hash
LBC
MirrorName
Web-Server
X-Vtex-Processado-Em
X-DeliveryServer
SiteName
ORIGIN
No
X-Varnish-Age
X-Developer
X-Varnish-Debug-Age
RequestTime
Beyond-Iis
X-Vhost-ID
X-GSL-Server
X-Response-Time
NLCacheNote
Mime-Version
X-T3CacheInfo
Front
X-Phpwcms-Release
X-Magento-Lifetime
X-Magento-Action
X-Phpwcms-Page-Processed-In
X-Recruiting
Content-MD5
X-Amz-Meta-S3cmd-Attrs
Aoestatic
X-Uid
X-Cms-Mode
Worker
X-ACCELERATE
X-Dev
X-Jphone-Copyright
X-SN
Provided-Host
SRV
X-Cache-Operation
X-Varnish-Debug-Hits
X-Frames-Options
Cmstype
X-Flex-Evstart
X-ORACLE-DMS-ECID
7e-Page-Cache
Cmsid
X-Flex-Evend
X-Flex-Lastmod
X-Flex-Lang
X-Flex-Tag
X-Flex-Tags
X-Upstream
X-Powered-By-Server
X-Flex-Community
X-Swift-CacheTime
ScoreTracker
X-Varnish-ID
WP-Cache
X-UPSTREAM
X-Swift-SaveTime
Jobb.Gil.Se
Jobb.Passal.Se
Powered
Open.Jobgate.Se
X-Varnish-Abtest-Expires
Jobb.Assistentpoolen.Se
X-GeoIP
Www.Mabracertifiering.Se
Www.Mirrorgate.Se
Test.Executivepeople.Se
Be-Va
P3P:CP
Www.Myjob.Se
X-T3CacheTags
X-Powered
Progma
X-Mod-Oboe-PS
X-ATM-RServer
X-B2f-Not-Route
Server-IP
X-Vhost
X-Via-Kemp
MASTERWEBLET
A1B2C3
X-ERM-ServerName-AppPage
X-ERM-ServerName
Warning
X-ERM-RunTime
Be-Ip
Pool
X-Response
X-CS
X-DTC
X-Cache-Term
X-Vivastreet
SFY
X-Actindo-RS
Hash
Rt-Server
Dispatcher
X-Kirra-SiteId
X-Pixelsilk-Server
X-ATM-RTime
X-PageCached
X-ASTRO-REWRITE
X-Nginx-Backend
X-Vivastreet-KiwiiPage
Ksid
X-Farm-Server
-GCR
X-GLaDOS
X-Ocache
X-B
Copyright
X-Varnish-Cache-Server
X-Cache-On
X-T
Content-Instance
X-Haiku
LFY
Cluster-ID
CDN
Il-Cl
X-Catalyst
X-Pixelsilk-Version
X-T3Cache
X-Debug
SIP
X-Varnish-Cache-Local
X-PvInfo
X-Framework
X-Goog-Hash
X-Origin-Id
X-JSL
X-JAL
X-Geo-IPV
X-Geo-IP-Region
SynthaSite-ID
X-Nginx-Server
X-Cache-Ttl
X-EdgeRouter
X-MobileDetected
X-Geo-IP-Metro
X-Geo-IP-Country
X-Server-Id
X-TISSERVER
X-Hrouter
X-VarnCache
X-VarnPar2
X-User-Id
Compression-Control
X-BackendServer
At-Isb
Atp-Isdpp
X-Content-Age
WEBO
X-Real-Server
X-Route
X-Accelerated-By
Servername
At-Shoptype
X-Cache-Age
X-Cache-Lifetime
X-OPNET-Transaction-Trace
X-NGINX-CACHED
X-Jcms-Ajax-Id
X-NID
Provider
X-UD-REMOTE-ADDR
X-UD-Loopcounter
X-WR-MODIFICATION
X-IDS-WS
X-Kermit
Ec
X-Conf
X-UD-Target
X-SilverStripe-Cache
X-7d-Version
X-7dig
X-Client-Addr
X-CCM
X-Artvisual-Server
D
X-Dynatrace-Js-Agent
Before
IsFullSiteRequest
Render
After
X-Header
REFRESH
X-Cache-Set
ServerConfigManager.WebBugTracker
Tpt
X-NginX-Server
X-Oracle-DMS-ECID
X-Varnish-Cache-Hits
X-NginX-Cache
X-MCB-Server
Tpt.Renderer
Tpt.Renderer1
X-Venda-Hitid
X-Host-Url
X-Web-Node
Location
Allow
X-Secret
X-Hash
X-Varnish-Action
Cache-Ctrol
X-App-Server
X-GC-App
POOL
Pagely
X-FCMS-Cache
X-Tumblr-Pixel-6
X-GC-Read
X-GC-Write
X-PM-ID
X-NGINX-CACHED-AT
X-Powered-Developer
ExecutionTime
X-Monstercache-Timeout
X-Remote-Addr
Ttl
X-Cache-Me-Harder
X-WP
CP
X-MSEdge-Ref
X-Channel-Maxage
PowerCDN
Publisher
X-Nginx-Cache
X-Internal-IP
X-TLServer
X-Hosting-Env
If-Modified-Since
INCOMING-TIME
Disaptch-Cache-Rule
X-WorkerInstancename
X-SATserver
X-CMS-Tid
X-CMS-State
X-Varnish-Device
X-CMS-Sid
X-CMS-Stage
X-XFPC-Cache
X-XFPC-Cache-Active
Esi-Enabled
Rt-Fastcgi-Cache
X-Uplex
X-S-Misc
X-Generation-Time
X-Varnish-Debug-Fetch-Host
X-UserAgent
X-D-Time
Content
X-CMS-Server
Hej
Powered-By-VeryCDN
SVR
X-Your-GrandPa-Would-Wait
Accept-Language
DCGI-Server
X-XHR-Current-Location
Accept
X-CacheServer
Telligent-Evolution
X-CMS-CRMSet
X-CMS-Live
X-CMS-Nid
X-CMS-Collection
X-MidCOM-Meta-Cache
X-Would-Your-GrandPa-Wait
X-Enhanced-By
Source
X-Back
X-Cluster-ID
X-VTEX-Router-JanusNet-JanusLatency
X-Seschat-URL
X-CacheTTL
X-JSON-API-AGE
X-EPiphany-Vid
X-JSON-API-LATENCY
X-Client-Vid
X-SeschatDID
X-VTEX-Router-Powered-By
X-Purge-Level
Foglight-Request-UUID
HostName
X-Pb-Mii
X-SeschatTemplateID
X-SeschatLayout
X-SeschatRedID
X-Varnish-HitMiss
X-Varnish-Count
X-Server-By
X-Page-Generated-At
Expire
X-Page-Generation-Time
X-ServerID-App
X-TTL-Age
X-Server-Node
X-Nucleus-Cache
X-Mii-Cache-Hit
X-Locale
X-Platform
X-Execution-Time
X-PP
X-Location
X-JSON-API-TTL
UNIQUE-ID
X-Binarysec-Via
Redirect
Ngpass-Static
Noahs-Classifieds
X-BKSrc
X-VTEX-Router-JanusNet-BackEndLatency
X-DELIVERYSERVER
X-Fett
HTTP
HAVer
HCVer
Www.Aujourdhui.Com
X-PoolMember
X-Monstercache-Hash
X-Monstercache
Requested-Host
X-Monstercache-Host
Content-ID
X-PBY
X-Original-IP
XX
MachineName
BKREF
X-Benchmark-Sphinx
X-Benchmark-Sphinx-Count
X-Benchmark-Total
X-Benchmark-Db
X-Benchmark-Cache
User-Cache-Control
X-Author
BM-Cache-Node
X-GitHub-Request-Id
X-Hit
X-Varnish-Beresp-Status
X-Varnish-Beresp-Ttl
OGHopCount
X-Varnish-Beresp-Grace
X-Time-Microsecs
BM-Cache-Key
BM-Cache-Status
X-Real-IP
Svr
X-Ratelimit
X-VG-WebCache
X-Nginx-Host
SAVVIS
X-RemovedCookies
X-Node-Name
X-ProcessESI
X-Device-Group
X-VTEX-Cache
X-VTEX-Router-JanusNet-AspNetLatency
Http
ExecuteNonQuerySQLParam
X-Continum-Server
X-Max-Age
X-Client-IP
X-VTEX-Router-Backend-App
X-Cache-Backend
X-ATP-Server
X-Cache-Key
X-Box
X-DC-Origin-IP
X-Garden-Version
X-Feed
X-Mobile
X-Allow-Redis
X-BC-Is-HA
X-Nocache
EI-UNIQUE-ID
X-SERVER-ID
X-WLD-LB
X-Gondor-Server
X-HOSTTYPE
X-JG-Page-Cache
X-Http-Host
HostGen
Head
X-USERNAME
X-AISO-Cache
X-Varnish-Cookie-Debug
Web-Head
X-DEBUG-X-Id
X-Status
X-Varnish-Max-Age
X-Yottaa-Metrics
Bs-Header
X-AISO-Server
X-Server-Instance
X-MSG-06
X-DSMX-Rewrite-MS
X-SDE-Name
SLB
X-Yottaa-Optimizations
X-VHOST
X-FarmId
X-DEBUG-Obj-Ttl
X-SmugMug-Values
X-Resolver-IP
X-SmugMug-Hiring
X-PROCESSED-BY
X-MSG-00
X-Panel-Id
X-TTFB-L
X-DSMX-Render-MS
X-Panel-Name
X-ACLR-Version
X-Life
X-Varnish-Hashed-On
X-DefendeR-Runtime
Smug-Env
X-TTFB
Server-N
X-MSG-05
X-MSG-04
Host-Service
X-MSG-01
X-MSG-02
X-Loc
X-MSG-03
X-Bcwwwid
X-Webapp
X-Hc-Host
XDisk
CachedXSLT
X-Agentscape-Info
Mobiquo-Is-Login
X-ChromeLogger-Data
X-MadeOn
X-PoweredBy
X-Sw-Accesskey
X-UseReverse-Proxy
X-Router-Backend
X-Router
WebDevSrc
X-Proxy
Apple-Itunes-App
X-Backend-Status
X-Cookie-Store
Ozcache
CountryCode
AcceptLangage
X-Dokk-PortalId
X-Head
Server-Optimized-By
Test
X-Mii-Uncompressed-Size
X-Webstats-RespID
X-Url-Store
X-Config-By
X-WHOIS-Cached
X-ErrorPage
X-Reject
X-Cluster
WEB-CLUSTER-NODE
CacheControlHeader
SBMCLOUD
X-Stackable-Node
X-IP-Address
X-WAP
Xc
X-PS-MURDOCK-ORIG-PROTOCOL
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-CASE-NORMALIZATION
X-Cluster-Host
X-Adobe-Content
X-APP
X-RSS-CACHE-STATUS
Front-End-Https
X-V
WP-AdvCache-MemCached
X-Location-Id
X-User-Authenticated
X-Header-Set-Id
X-R4L-VHOST
X-Caching-Rule-Id
ProxiaInstanceId
X-User-Login-Url
XDomainRequestAllowed