
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, for example X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header, security-relevant or not. We access the index page of each site with a HEAD request. The list of sites is derived from Alexa's Top 1 Million, and we try to poll as many sites as possible each day. Two caveats when reading the numbers: only the index page is sampled, so a header a site sets only on other paths is not seen; and HTTP header names are case-insensitive, so variants such as P3P and P3p, or X-UA-Compatible and X-Ua-Compatible, in the table below are the same header sent with different capitalization.

As we collect more data, we will plot changes over time.
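The tallying step described above, as an added example that is not the ISC's own collector code: it parses the head section of each HEAD response, counts how many sites sent each header name, and reports the security-relevant subset. The three sample responses and their hostnames are constructed for the example, and the set of "security-relevant" names is this example's own selection from the table on this page. `fetch_head()` shows how a live collector would feed the parser but is not called by the offline demo.

```python
"""Tally HTTP response header names across a set of HEAD responses.

Added example, not the ISC's collector. SAMPLE_RESPONSES are constructed,
not real captures, and the hostnames are placeholders.
"""
from collections import Counter
import http.client
import socket

# Lower-cased because HTTP header names are case-insensitive. The selection is
# this example's own, taken from names that appear in the table on the page.
SECURITY_HEADERS = frozenset({
    "strict-transport-security", "content-security-policy",
    "content-security-policy-report-only", "x-content-security-policy",
    "x-webkit-csp", "x-frame-options", "x-xss-protection",
    "x-content-type-options", "x-permitted-cross-domain-policies",
})

# Constructed HEAD responses: site-b sends Set-Cookie twice, site-c spells
# the P3P header as "P3p". Both cases matter for how the tally is counted.
SAMPLE_RESPONSES = {
    "site-a.example": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: nginx\r\n"
        b"Content-Type: text/html; charset=utf-8\r\n"
        b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        b"X-Frame-Options: SAMEORIGIN\r\n"
        b"X-Content-Type-Options: nosniff\r\n\r\n"
    ),
    "site-b.example": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: Apache\r\n"
        b"Content-Type: text/html\r\n"
        b"Set-Cookie: a=1; Path=/\r\n"
        b"Set-Cookie: b=2; Path=/; HttpOnly\r\n"
        b"X-Frame-Options: DENY\r\n"
        b"P3P: CP=\"NOI DSP COR\"\r\n\r\n"
    ),
    "site-c.example": (
        b"HTTP/1.1 302 Found\r\n"
        b"Server: Microsoft-IIS/7.5\r\n"
        b"Location: https://site-c.example/\r\n"
        b"X-Powered-By: ASP.NET\r\n"
        b"P3p: CP=\"NON\"\r\n\r\n"
    ),
}


def header_names(raw_response):
    """Header field names from a raw HTTP response, in wire order.

    Only the head section (up to the first blank line) is read. Lines without
    a colon are skipped instead of aborting the whole site.
    """
    head, _sep, _rest = raw_response.partition(b"\r\n\r\n")
    names = []
    for line in head.split(b"\r\n")[1:]:  # [0] is the status line
        name, sep, _value = line.partition(b":")
        if sep and name.strip():
            names.append(name.strip().decode("latin-1"))
    return names


def tally_headers(responses, fold_case=True):
    """Per header name, the number of sites that sent it at least once.

    A site sending Set-Cookie twice counts once. fold_case=True merges "P3P"
    and "P3p" (correct per HTTP); False keeps them as separate rows, which is
    how the table on this page presents them.
    """
    counts = Counter()
    for raw in responses.values():
        seen = {n.lower() if fold_case else n for n in header_names(raw)}
        counts.update(seen)
    return counts


def security_header_counts(responses):
    """Site counts for the security-relevant names only, always case-folded."""
    counts = tally_headers(responses, fold_case=True)
    return {name: counts.get(name, 0) for name in sorted(SECURITY_HEADERS)}


def fetch_head(host, timeout=5.0):
    """One plain-HTTP HEAD / request; returns the raw head as bytes or None."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host, "User-Agent": "header-survey/0.1"})
        resp = conn.getresponse()
        status = f"HTTP/1.1 {resp.status} {resp.reason}\r\n".encode("latin-1")
        fields = b"".join(f"{k}: {v}\r\n".encode("latin-1") for k, v in resp.getheaders())
        return status + fields + b"\r\n"
    except (OSError, socket.timeout, http.client.HTTPException):
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    for name, n in tally_headers(SAMPLE_RESPONSES).most_common():
        print(f"{n:3d}  {name}")
    print(security_header_counts(SAMPLE_RESPONSES))
```

Counting once per site rather than once per header occurrence is a design choice of the example: the question the page asks is how many sites send a header, and a site with several Set-Cookie lines would otherwise inflate that row.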

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
Content-Location
X-UA-Compatible
Via
Keep-Alive
X-Frame-Options
CF-RAY
X-Varnish
X-Adblock-Key
X-Check
X-Cacheable
X-Language
X-Buckets
X-Template
X-Generator
P3p
Access-Control-Allow-Origin
X-Hacker
X-Drupal-Cache
WP-Super-Cache
Status
X-Powered-By-Plesk
MS-Author-Via
X-AspNetMvc-Version
X-Pad
X-Runtime
MicrosoftOfficeWebServer
X-Geo
X-Geo-Port
X-Powered-CMS
X-Request-Id
X-Server
X-Cache-Lookup
X-Host
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
X-Mod-Pagespeed
Ngpass-All
X-Rack-Cache
Strict-Transport-Security
MicrosoftSharePointTeamServices
X-UA-Device
X-XRDS-Location
X-Ua-Compatible
X-Cache-Hits
Content-Encoding
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
Host-Header
SPRequestGuid
X-SharePointHealthScore
X-Tumblr-Pixel-1
X-INKT-URI
X-INKT-SITE
X-Via
X-Url
X-Forwarded-For
X-Robots-Tag
X-CF-Powered-By
X-Webserver
X-PhApp
X-Tumblr-Pixel-2
X-Varnish-Cache
X-Iinfo
X-Cnection
X-Firenze-Processing-Times
X-Accel-Version
Composed-By
X-MS-InvokeApp
X-ServedBy
Access-Control-Allow-Headers
X-Page-Speed
Served-By
X-Served-By
X-Hostname
X-Backend
X-CDN
X-Ac
Access-Control-Allow-Methods
X-ContextId
X-ShardId
X-ShopId
X-Alternate-Cache-Key
X-Tumblr-Pixel-3
X-XN-Trace-Token
X-XN-XNHTML
X-Request-ID
X-AH-Environment
X-Powered-By-360WZB
Content-Style-Type
Content-Script-Type
Liferay-Portal
X-PC-Key
X-PC-Hit
X-PC-Date
X-PC-AppVer
X-PC-Host
X-Umbraco-Version
X-Server-Name
X-Cache-Info
Refresh
Cartoon
Powered-By-ChinaCache
X-Spip-Cache
X-Mobilized-By
X-HeyJason
X-From
X-Cache-Server
X-Amz-Id-2
X-Port
X-Cache-Result
X-Age
Cf-Railgun
Rating
X-Content-Digest
SPIisLatency
Request-Id
SPRequestDuration
X-Amz-Request-Id
X-Outils-CS
TCN
X-Amz-Cf-Id
X-Px
Real-Hostname
X-TN-ServedBy
X-FB-Debug
Magicmarker
X-PHP-Engine
X-Loop
Thanks
Page-Completion-Status
X-VCache
X-W3TC-Minify
X-Cache-Status
X-TNCMS-Render-Time
X-TNCMS-Memory-Usage
X-TNCMS-Version
X-PersistenceNode
X-TNCMS-Served-By
X-Device
NS-RTIMER-COMPOSITE
X-Content-Encoded-By
X-Generated-By
X-Cached-By
Imagetoolbar
X-Served-From-Cache
X-Original-Content-Length
X-Tumblr-Pixel-4
IBM-Web2-Location
X-Powered-By-Anquanbao
X-Varnish-Cacheable
X-Node
X-Tumblr-Content-Rating
X-SERVER
PICS-Label
X-Timer
X-Safe-Firewall
X-Firenze-Processing-Time
Retry-After
X-Xrds-Location
X-Matrix-Server
X-Matrix-Proxy
X-Cached
IISExport
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
Set-Cookie2
X-Tumblr-Pixel-5
X-Varnish-TTL
X-Art-Request-Id
X-DynaTrace
X-Trace-App
X-CMS-Version
X-Stats-Unique-Token
X-Stats-Visit-Token
Product
X-SDS
Generator
X-Backend-Server
CF-Cache-Status
Access-Control-Max-Age
X-Pass-Why
X-Cache-Hit
DynaTrace
X-PF-Uncompressing
X-Drectory-Script
X-Cache-Enabled
X-DynaTrace-JS-Agent
MIME-Version
X-Nitra-Side
X-Hyper-Cache
Content-Security-Policy
X-Processed-By
Powered-By
X-ATG-Version
X-DDC-Arch-Trace
SID
X-App-Hosting
X-Rendering-Engine
X-I
S
X-PERF
X-ApacheServer
X-Duration
X-Director
Proxy-Agent
RTSS
X-UD-Host
X-UD-Method
ServedBy
Charset
Access-Control-Request-Method
X-Purge-Host
Content-Encoding-Handler
X-Varnish-Backend
Lsrequestid
X-Cache-Debug
X-NoCache
X-Hits
X-Content-Options
X-Vtex-Cache-Key
X-Vtex-Remote-Cache
X-BackEnd
Pics-Label
X-Orig-Vary
Node
X-ServerID
ServerName
X-CDN-Geo-IP
X-CDN-Any-IP
X-Cookie-Domain
X-DNS-Prefetch-Control
X-Srv
X-CDN-Geo
AMF-Ver
COMMERCE-SERVER-SOFTWARE
X-Purge-URL
Time
NODE
X-Expires-Orig
X-Sol
Fhost
X-Vary-Options
X-Microcachable
X-Original-Request
Host
Accept-Encoding
X-Cache-Expires
X-Passed-To-BeforeDispatch
X-Passed-To-PostProcessResponse
X-Returned-From
X-Returned-From-BeforeDispatch
X-Passed-To-DLL
X-Handled-By
Filter-Revision
X-Yadis-Location
X-Returned-From-DLL
X-Passed-To
X-Returned-From-PostProcessResponse
X-Actual-URL
Machine
Cache
Surrogate-Control
X-Trace-Cache
Edge-Control
X-Cache-Control-Orig
Content-Disposition
Ngpass-Vcall
X-VARNISH-Cache
X-Server-ID
Cm-Server
X-CJ-Soft
CT
WWW-Authenticate
X-Speed-Cache
X-Speed-Cache-Key
X-Front
X-LiteSpeed-Cache
X-HOST
Accept-Charset
X-Cache-TTL
MJ12bot
Id
NtCoent-Length
Vacache
UniqueName
X-AOL-SNH
X-Pangea-Version
SEOMOZ
X-App-Start
X-Distil-CS
X-Gamma-Serve
X-URL
MIH-CLIENT-FARM
MIH-PLATFORM
MIH-PUBLIC-IDENTIFIER
X-FIRSTBase
X-Cluster-Node
MW-Webserver
X-ServerName
X-Ttl
X-Hosted-By
X-Source-Host
X-FW-Static
Server-Info
X-TTL
Website-Info
X-GeoIP-Country-Code
X-GeoIP-Country-Name
X-MJ-Upstream-Addr
VAR-Cache
SN
A-Powered-By
X-LIGHTHTTP-PCDID
X-Directory-Script
X-Id
X-Engine
QOR-Cache
X-SRV
X-Highwire-SessionId
X-ACCELERATE
X-ACMCache
NetMindSessionID
X-Time
X-CHSN
X-Highwire-RequestId
Pool-Info
Response
X-Cache-Action
X-Sys-Req-ID
X-Micro-Cache
Proxy-Connection
X-Cocoon-Version
X-PwB-Node
X-Geo-IP
CommunityServer
X-MJ-Serve-Req-Time
X-AspNetWebPages-Version
X-FW
X-Session-Reinit
Webluker-Edge
X-Blog
X-Atraveo-Varnish-Server-Id
X-Atraveo-TTL
X-Atraveo-NC
Cache-By-Node
X-Atraveo-Cache-Control
X-Atraveo-From-Varnish-Cache
X-Turbo-Control
X-Country-Code
X-Object-Type
F-In-Cache
Srv
X-Object-Id
X-Bettercache-Proxy
X-UPSTREAM
X-Src-Webcache
X-Permitted-Cross-Domain-Policies
ServerID
X-WR-Flags
X-StoreSense
X-ProStores-StoreApiEntryPoint
X-Transaction
X-Content-Security-Policy
Content-Security-Policy-Report-Only
From
Nodo
Ms
Pool
X-User-Agent
X-Track
X-Info
X-Varnish-Host
Server-Name
X-Jphone-Copyright
Worker
X-CacheHits
Req-Id
X-Cms-Mode
Location
X-Dev
Content-MD5
X-Machine-Name
SynthaSite-ID
X-MobileDetected
X-Hrouter
X-ServerCache-Info
X-Expires
X-ROUTE-DATA
X-EdgeRouter
X-Magento-Action
X-Source-ID
X-SN
-GCR
X-Magento-Lifetime
X-Middleton-Response
X-Rewritten-By
X-Force
X-PRAM
X-Channel-Maxage
X-ManagedFusion-Rewriter-Version
X-Cache-Rule
CountryCode
X-Trace
MirrorName
X-Provisioner-Version
Origin
Bs-Header
X-Varnish-Hits
X-Version
X-FreeTag-Count
X-Yqk-Set
SFY
LFY
X-Powered-By-Yqk
Cteonnt-Length
X-Domain-Checked
LBVIS
Hamster
ScoreTracker
ORIGIN
X-T3CacheInfo
OriginServer
X-App-Server
X-Wily-Servlet
Aoestatic
X-Varnish-Cache-Hits
Server2
X-Frontend
X-FS-UUID
X-Li-Fabric
X-Li-Pop
X-LI-UUID
Apache
X-ASTRO-REWRITE
X-Varnish-Server
X-Wily-Info
X-Amz-Id-1
X-Response-Time
Allow
X-B2f-Cache-Load
X-Recruiting
WP-Cache
7e-Page-Cache
X-Powered-By-Server
Web-Server
X-Enhanced-By
Rt-Server
X-App
X-MCB-Server
X-ERM-ServerName
X-JSL
X-ERM-RunTime
X-Grid-Server
X-Cache-On
Compression-Control
X-Frames-Options
Ssl-Enabled
Powered-By-VeryCDN
Cache-Ctrol
X-Vivastreet-KiwiiPage
SIP
X-TISSERVER
X-Origin-Id
X-VarnCache
X-Powered
X-Database-Slave-Connection
X-B2f-Not-Route
Il-Cl
X-Vhost
X-Vivastreet
X-Request-Duration
X-Varnish-Action
X-Via-Kemp
X-Phpwcms-Page-Processed-In
X-Nginx-Backend
X-T
X-B
X-DTC
CDN
X-NGINX-CACHED
X-WP
X-Farm-Server
X-Ocache
X-Actindo-RS
X-PageCached
Ec
X-Cache-Term
X-Conf
RequestTime
Cluster-ID
SS
X-JAL
X-NGINX-CACHED-AT
X-MidCOM-Meta-Cache
X-Test
X-Cache-Me-Harder
Ksid
Cdate
X-Debug
X-Servername
X-Phpwcms-Release
X-T3CacheTags
Be-Ip
Be-Va
A1B2C3
X-Monstercache-Timeout
X-CS
X-Varnish-Cache-Server
X-ATM-RServer
X-ATM-RTime
X-GeoIP
X-ERM-ServerName-AppPage
X-T3Cache
Debug-Begin-IP
Debug
Debug-IP-Cntry
NLCacheNote
X-Oracle-DMS-ECID
X-User-Id
X-Old-Content-Length
X-Accelerated-By
Backend
X-Geo-IPV
X-Geo-IP-Region
X-Microcache-Status
X-Device-Type
X-Geo-IP-Country
X-Geo-IP-Metro
X-GLaDOS
X-HOSTNAME
X-Content-Age
X-Haiku
X-Uid
Hostname
BM-Cache-Status
Provided-Host
X-SilverStripe-Cache
X-Cdn
At-Isb
BM-Cache-Key
BM-Cache-Node
X-ORACLE-DMS-ECID
LBC
Buuteeq-Source
X-GC-Write
X-Framework
WEBO
Front
X-Hosting-Env
X-Nginx-Server
X-Allow-Redis
At-Shoptype
Atp-Isdpp
CP
Open.Jobgate.Se
P3P:CP
X-Cached-Status
Jobb.Passal.Se
X-Remote-Addr
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
Test.Executivepeople.Se
Www.Mabracertifiering.Se
X-Varnish-Debug-Fetch-Host
X-Uplex
X-PM-ID
X-Loc
Www.Myjob.Se
X-WebKit-CSP
X-LB
Www.Mirrorgate.Se
X-Hash
X-REDIRECTSERVER
X-UD-REMOTE-ADDR
X-UD-Target
X-UD-Loopcounter
X-Kirra-SiteId
X-7d-Version
X-7dig
SiteName
X-Flex-Lastmod
X-Flex-Tag
PageSpeed
X-Response
Author
X-GC-App
X-GC-Read
X-Flex-Evend
X-Flex-Community
X-Flex-Tags
X-Real-IP
Head
X-DeliveryServer
X-Flex-Lang
Dispatcher
Hash
X-Caching-Rule-Id
No
X-Varnish-Cache-Local
X-Flex-Evstart
X-Cache-Config
MASTERWEBLET
X-Header-Set-Id
X-Vtex-Processado-Em
X-Cache-Operation
X-Artvisual-Server
X-Purge-Level
X-Cache-Set
X-Translation
INCOMING-TIME
X-Upstream
X-TLServer
XX
Content-Instance
X-N
X-Swift-SaveTime
X-Swift-CacheTime
X-Route
X-Web-Node
X-Nginx-Cache
Http
Publisher
SRV
X-S-Misc
X-Developer
X-VTEX-Cache
X-WorkerInstancename
X-XHR-Current-Location
X-ID
PowerCDN
SVR
X-VTEX-Router-Backend-App
X-VTEX-Router-JanusNet-AspNetLatency
X-V-TTL
X-V-Outer
X-V-I-TTL
Content-Transfer-Encoding
X-NID
X-Ratelimit
X-VarnPar1
Beyond-Iis
X-D-Time
X-Varnish-ID
RATING
X-Secret
Svr
X-Nginx-Host
Pagely
X-Kermit
X-Jcms-Ajax-Id
No-Cookie
X-Varnish-Id
X-VTEX-Router-JanusNet-BackEndLatency
X-Continum-Server
X-VTEX-Router-Powered-By
X-Max-Age
Accept-Language
X-Venda-Hitid
X-VTEX-Router-JanusNet-JanusLatency
X-ProcessESI
X-RemovedCookies
X-CMS-Server
X-Varnish-Device
Telligent-Evolution
X-NginX-Cache
X-NginX-Server
X-GSL-Server
Progma
X-Cache-Age
X-Real-Server
Copyright
Powered
X-ChromeLogger-Data
X-Vhost-ID
X-App-Status
Server-IP
X-WHOIS-Cached
Server-Optimized-By
X-Goog-Hash
X-V
X-Origin
X-VarnPar2
X-Cache-Ttl
X-Empowered-By
X-Life
X-Nucleus-Cache
Accept
ProxiaInstanceId
X-Req-Host
X-Pagecache
X-Box
X-Req-Url
X-Created
Hej
X-AISO-Cache
X-AISO-Server
X-S
Esi-Enabled
X-FCMS-Cache
Content-Cache
HostGen
Ttl
X-Server-IP
X-Generation-Time
X-Hc-Host
MachineName
X-Pixelsilk-Version
X-Page-Generation-Time
X-TTL-Age
X-Would-Your-GrandPa-Wait
Expire
X-Page-Generated-At
X-JSON-API-TTL
X-Monstercache-Hash
X-Locale
X-Amz-Meta-S3cmd-Attrs
X-JSON-API-LATENCY
X-Monstercache-Host
D
X-UserAgent
X-HITS
X-Your-GrandPa-Would-Wait
X-Hit
NnCoection
Access-Control-Expose-Headers
X-Garden-Version
X-WR-MODIFICATION
X-Header
User-Cache-Control
X-Author
X-Time-Microsecs
OGHopCount
TMP
X-Powered-Developer
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Status
X-Dokk-PortalId
X-Varnish-Beresp-Grace
X-JSON-API-AGE
X-Pixelsilk-Server
X-Monstercache
X-Wm-VIP
X-Varnish-Debug-Hits
X-Varnish-Debug-Age
X-Node-Name
X-Wm-1
ExecutionTime
Content
X-Nocache
POOL
X-Whom
X-Dynatrace-Js-Agent
Provider
X-Tumblr-Pixel-6
X-CCM
X-Webstats-RespID
X-Server-Node
Servername
X-Execution-Time
Cmsid
X-IDS-WS
X-Process-Time
X-Router-Backend
X-UseReverse-Proxy
X-Webapp
HTTP
X-Gondor-Server
X-SeschatDID
X-SeschatLayout
X-SeschatRedID
X-Varnish-Hashed-On
X-Seschat-URL
X-Catalyst
X-Varnish-Object-Age
X-SeschatTemplateID
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-Panel-Id
X-Panel-Name
Front-End-Https
Cmstype
X-Beep
X-JG-Page-Cache
X-Router
CachedXSLT
X-SV
X-PoolMember
WebDevSrc
Test
Web-Head
X-Pb-Mii
Www.Aujourdhui.Com
X-MSEdge-Ref
X-MadeOn
AV1080
X-PS-MURDOCK-CASE-NORMALIZATION
Host-Service
X-Internal-IP
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-ORIG-PROTOCOL
X-DC-Origin-IP
X-Config-By
X-Mii-Cache-Hit
X-Mobile
X-Fett
X-Cache-Lifetime
X-Varnish-IP
X-DELIVERYSERVER
X-Fortrabbit
SAVVIS
X-PvInfo
X-Agentscape-Info
X-Varnish-Age
X-Client-IP
X-PoweredBy
X-VG-WebCache
Requested-Host
X-RE-Ref
X-Device-Group
X-Hop-By
X-ATP-Server
X-Client-Addr
X-Server-Id
AcceptLangage
X-Source
EI-UNIQUE-ID
Warning
If-Modified-Since
X-Backend-Status
X-Cookie-Store
X-Url-Store
X-HOSTTYPE
X-USERNAME
X-PHP-Cache
X-CMS
X-Yottaa-Optimizations
ServerId
X-Cluster-Host
X-WLD-LB
X-R4L-VHOST
Noahs-Classifieds
SBMCLOUD
X-Varnish-Hit
Ozcache
WEB-CLUSTER-NODE
ErrorCodeCount
X-Extra-Header
DCGI-Server
Mime-Version
Source
X-NewRelic-App-Data
X-UA
TypeOfContent
CacheDuration
X-BackendServer
Backend-Host
CacheInfo
CacheInfoFetch
X-Stackable-Node
OriginalHost
Optimizer
X-Yottaa-Metrics
Mobiquo-Is-Login
Before
ExecuteNonQuerySQLParam
IsFullSiteRequest
After
X-RSS-CACHE-STATUS
Application-Version
X-Back
X-View
Render
ServerConfigManager.WebBugTracker
UNIQUE-ID
X-Host-Url
X-Platform
X-Binarysec-Via
REFRESH
Tpt
Tpt.Renderer
Tpt.Renderer1
Rt-Fastcgi-Cache
WebServer
X-CMS-Collection
X-CMS-CRMSet
X-CMS-Live
X-GitHub-Request-Id
X-XFPC-Cache-Active
HCVer
HAVer
X-XFPC-Cache
X-CMS-Nid
X-CMS-Sid
X-Cache-Key
X-FarmId
X-Bcwwwid
X-DefendeR-Runtime
SLB
X-CMS-Stage
X-CMS-State
X-CMS-Tid
X-PP