
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
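
The tally described above, as an added example that is not the ISC project's own code: it parses raw HEAD response header blocks, folds header names to lower case (HTTP field names are case-insensitive), counts sites per header, and flags near-miss spellings of security headers such as the `X-Frames-Options` and `X-Content-Options` entries that appear in the list on this page. The sample responses, host names, function names, the choice to count sites rather than header lines, and the 0.85 similarity cutoff are assumptions.

```python
from collections import Counter
from difflib import get_close_matches

# Security-relevant response headers that appear on this page (lower-cased).
SECURITY_HEADERS = {
    "x-xss-protection", "x-frame-options", "x-content-type-options",
    "strict-transport-security", "content-security-policy",
}

# Constructed sample data: raw header blocks as returned to a HEAD request.
SAMPLE_RESPONSES = {
    "a.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                 "X-Frame-Options: DENY\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "b.example": "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                 "X-Frames-Options: SAMEORIGIN\r\nx-content-type-options: nosniff\r\n\r\n",
    "c.example": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://c.example/\r\n"
                 "X-FRAME-OPTIONS: DENY\r\nX-Content-Options: nosniff\r\n"
                 "Set-Cookie: a=1\r\nSet-Cookie: b=2\r\n\r\n",
}

def header_names(raw):
    """Return the set of lower-cased header names in one raw response."""
    names = set()
    for line in raw.split("\r\n")[1:]:       # skip the status line
        if not line:
            break                             # blank line ends the header block
        name, sep, _ = line.partition(":")
        if sep and name.strip():
            names.add(name.strip().lower())
    return names

def survey(responses):
    """Count sites per header and map near-miss names to the header they resemble."""
    sites_per_header = Counter()
    near_misses = {}
    for raw in responses.values():
        for name in header_names(raw):
            sites_per_header[name] += 1       # one count per site, not per line
            if name not in SECURITY_HEADERS:
                # 0.85 is an assumed cutoff; tune it against real survey data.
                close = get_close_matches(name, SECURITY_HEADERS, n=1, cutoff=0.85)
                if close:
                    near_misses[name] = close[0]
    return sites_per_header, near_misses

if __name__ == "__main__":
    counts, misses = survey(SAMPLE_RESPONSES)
    for header in sorted(SECURITY_HEADERS):
        print(f"{header}: {counts[header]} of {len(SAMPLE_RESPONSES)} sites")
    print("near misses:", misses)
```

Browsers ignore a misspelled header name, so a site that sends only `X-Frames-Options` gets no framing protection and should not be counted as adopting the control.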

Header Popularity: All Headers Active In The Past Month
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
X-Cache
Alternate-Protocol
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Buckets
X-Template
X-Generator
X-Hacker
WP-Super-Cache
Status
MS-Author-Via
X-Drupal-Cache
Access-Control-Allow-Origin
X-Cacheable
X-Pad
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Server
X-Host
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-UA-Device
X-Logged-In
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Content-Encoding
X-Cache-Hits
X-Tumblr-Pixel-1
X-INKT-URI
X-INKT-SITE
X-Robots-Tag
X-Tumblr-Pixel-2
Host-Header
X-SharePointHealthScore
SPRequestGuid
X-Cnection
X-PhApp
X-Via
X-Varnish-Cache
X-W3TC-Minify
X-Webserver
X-CF-Powered-By
Strict-Transport-Security
X-Page-Speed
Served-By
X-Forwarded-For
Composed-By
X-Firenze-Processing-Times
X-ServedBy
X-Served-By
X-Hostname
X-Iinfo
X-Url
X-Accel-Version
X-XN-Trace-Token
X-XN-XNHTML
Access-Control-Allow-Headers
X-Tumblr-Pixel-3
X-MS-InvokeApp
Cartoon
X-Mobilized-By
X-ContextId
Access-Control-Allow-Methods
X-ShopId
X-Alternate-Cache-Key
X-ShardId
X-CDN
X-Stats-Unique-Token
X-Stats-Visit-Token
X-Umbraco-Version
X-Powered-By-360WZB
X-AH-Environment
X-Backend
Content-Style-Type
Content-Script-Type
Liferay-Portal
Refresh
X-Cache-Info
X-Server-Name
X-PC-Date
X-PC-AppVer
X-PC-Hit
X-PC-Key
X-PC-Host
Thanks
X-Geo
X-Geo-Port
Powered-By-ChinaCache
Magicmarker
X-Ua-Compatible
X-HeyJason
Rating
X-Cache-Server
X-Amz-Id-2
X-Outils-CS
TCN
Cf-Railgun
X-Amz-Request-Id
X-Powered-By-Anquanbao
X-URL
Page-Completion-Status
X-FB-Debug
X-From
X-Content-Digest
X-TN-ServedBy
Real-Hostname
X-Original-Content-Length
X-PHP-Engine
X-Loop
X-Px
X-Tumblr-Pixel-4
Imagetoolbar
X-Spip-Cache
NS-RTIMER-COMPOSITE
Request-Id
SPIisLatency
SPRequestDuration
X-Generated-By
X-Matrix-Server
X-Matrix-Proxy
X-Content-Encoded-By
IBM-Web2-Location
X-Tumblr-Content-Rating
X-Amz-Cf-Id
PICS-Label
X-ChromeLogger-Data
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-TNCMS-Version
X-TNCMS-Render-Time
X-Drectory-Script
X-CDN-Any-IP
X-CDN-Geo-IP
X-CDN-Geo
X-Cache-Status
Set-Cookie2
X-Device
X-Cached-By
IISExport
X-Tumblr-Pixel-5
Access-Control-Max-Age
X-Node
X-Firenze-Processing-Time
X-Cached
X-CMS-Version
X-Timer
ServerName
CF-Cache-Status
Retry-After
X-DynaTrace
X-Trace-App
X-PF-Uncompressing
Accept-Encoding
Generator
DynaTrace
COMMERCE-SERVER-SOFTWARE
X-Age
X-SDS
ServedBy
X-ATG-Version
X-Cache-Debug
X-B2f-Cache-Load
X-I
RTSS
Powered-By
X-ApacheServer
Lsrequestid
X-DDC-Arch-Trace
MIME-Version
X-Backend-Server
X-PERF
X-Vary-Options
Product
X-Cache-Hit
X-Nitra-Side
SID
Time
Edge-Control
X-UD-Host
Content-Encoding-Handler
X-UD-Method
X-Hosted-By
Pics-Label
X-Pantheon-Styx-Hostname
X-Pantheon-Endpoint
Access-Control-Request-Method
X-Processed-By
LFY
SFY
Host
X-Original-Request
X-Purge-Host
X-DynaTrace-JS-Agent
X-FORWARDED-FOR
X-Vtex-Cache-Key
X-Vtex-Remote-Cache
X-NoCache
X-Art-Request-Id
X-PwB-Node
X-Srv
X-LiteSpeed-Cache
X-Director
Surrogate-Control
Machine
X-Speed-Cache-Key
X-Actual-URL
X-Passed-To-PostProcessResponse
X-Passed-To
X-App-Hosting
X-Returned-From
X-Passed-To-BeforeDispatch
X-Passed-To-DLL
X-Returned-From-BeforeDispatch
X-Handled-By
X-Returned-From-PostProcessResponse
X-FIRSTBase
X-Returned-From-DLL
Location
X-DNS-Prefetch-Control
X-Varnish-Backend
X-Served-From-Cache
X-Cache-Expires
X-WebServer
NODE
X-Cache-Enabled
X-Purge-URL
Node
AMF-Ver
Charset
X-Cookie-Domain
X-Expires-Orig
X-Yadis-Location
X-Orig-Vary
MW-Webserver
X-Speed-Cache
WWW-Authenticate
X-Cache-Control-Orig
Filter-Revision
Cm-Server
Content-Disposition
Proxy-Agent
Fhost
X-ServerID
X-CJ-Soft
X-ServerName
Microsoftsharepointteamservices
X-Varnish-TTL
X-TTL
X-LIGHTHTTP-PCDID
VAR-Cache
X-SERVER
X-ACMCache
Cache
X-ProStores-StoreApiEntryPoint
Sprequestguid
X-Yqk-Set
X-Sharepointhealthscore
X-StoreSense
X-Powered-By-Yqk
X-Content-Options
X-Micro-Cache
Proxy-Connection
X-FW
Id
X-Cocoon-Version
X-Request-ID
Debug-IP-Cntry
Debug
Server-Info
Debug-Begin-IP
Website-Info
X-App
X-Track
X-GeoIP-Country-Name
S
X-Duration
X-Time
X-GeoIP-Country-Code
X-Trace-Cache
X-Adobe-Content
X-Front
SN
X-MJ-Upstream-Addr
Webluker-Edge
X-Server-ID
X-Cache-Rule
X-App-Start
ORIGIN
X-Pangea-Version
UniqueName
X-MJ-Serve-Req-Time
Nodo
X-Sys-Req-ID
CT
X-SRV
X-Source-Host
Hamster
X-Blog
X-AOL-SNH
X-Gamma-Serve
X-Hits
Req-Id
X-Ms-Invokeapp
X-Session-Reinit
X-Cluster-Node
NetMindSessionID
OHS-WebNode
X-HS-MC-Reqs
X-WR-Flags
X-CHSN
X-Varnish-Hits
QOR-Cache
X-Info
X-Varnish-Action
X-Highwire-SessionId
X-Highwire-RequestId
X-Kirra-SiteId
ServerID
X-AspNetWebPages-Version
X-Old-Content-Length
CommunityServer
X-Trash-Talk
X-Pass-Why
X-Microcachable
Pagely
X-Target
Accept-Charset
X-Engine
X-Phpwcms-Release
X-Phpwcms-Page-Processed-In
From
X-Cache-TTL
X-N
X-Varnish-Host
X-UPSTREAM
X-Cache-Action
SEOMOZ
MJ12bot
X-Header
X-Accelerated-By
X-Varnish-Age
X-ServerCache-Info
ScoreTracker
Server2
X-Varnish-IP
X-Src-Webcache
X-Atraveo-Varnish-Server-Id
X-Atraveo-Cache-Control
X-ASTRO-REWRITE
MvcResult
X-Atraveo-NC
A-Powered-By
X-Atraveo-From-Varnish-Cache
X-Atraveo-TTL
X-Distil-CS
X-Cdn
Content-Transfer-Encoding
X-Geo-IP
X-Turbo-Control
X-Response-Time
X-Ttl
X-Wily-Servlet
X-Microcache-Status
X-Device-Type
X-Grid-Server
X-Machine-Name
X-DeliveryServer
X-Wily-Info
X-Server-Web
X-PvInfo
NtCoent-Length
X-HOSTTYPE
X-Varnish-Server
X-USERNAME
Ibm-Web2-Location
X-Directory-Script
X-Object-Type
X-Haiku
Author
MIH-PUBLIC-IDENTIFIER
X-Cache-Operation
MIH-PLATFORM
X-Object-Id
X-Frontend
X-Debug
X-Enhanced-By
MIH-CLIENT-FARM
X-GLaDOS
X-Id
Pool-Info
X-Bettercache-Proxy
MirrorName
X-Whom
X-Max-Age
X-Benchmark-Total
X-Benchmark-Sphinx-Count
X-Benchmark-Cache
X-Benchmark-Db
X-Benchmark-Sphinx
X-Request-Duration
X-Database-Slave-Connection
X-Varnish-Cache-Hits
X-Hrouter
X-Transaction
X-Channel-Maxage
Server-Name
X-Source-ID
X-FreeTag-Count
X-EdgeRouter
X-Force
X-PRAM
SynthaSite-ID
X-Source
F-In-Cache
X-ID
X-CMS-Server
Bs-Header
X-Country-Code
WP-Cache
X-S
X-Vivastreet
OriginServer
X-Amz-Id-1
X-CacheHits
X-App-Server
X-Framework
X-Vivastreet-KiwiiPage
X-Garden-Version
X-Provisioner-Version
X-UD-Loopcounter
RequestTime
X-Response
X-Domain-Checked
X-UD-REMOTE-ADDR
X-ACCELERATE
X-UD-Target
Provided-Host
-Onnection
X-Version
X-Jphone-Copyright
X-Cms-Mode
X-Varnish-Debug-Hits
X-Uid
X-Varnish-Debug-Age
SRV
NLCacheNote
X-FS-UUID
X-Geo-IPV
X-REDIRECTSERVER
X-Magento-Action
X-Nginx-Cache
X-Li-Pop
X-Magento-Lifetime
X-Geo-IP-Region
X-Geo-IP-Metro
Srv
PowerCDN
X-WLD-LB
X-Expires
X-WP
X-Monstercache-Timeout
X-Geo-IP-Country
SS
X-LI-UUID
X-SN
X-Li-Fabric
Jobb.Gil.Se
X-B2f-Not-Route
Jobb.Passal.Se
Beyond-Iis
X-Vhost
X-Varnish-ID
X-Powered-By-Server
X-Varnish-Device
Open.Jobgate.Se
X-Route
Backend-Host
Jobb.Assistentpoolen.Se
WP-AdvCache-MemCached
P3P:CP
X-MCB-Server
Content
LBVIS
X-Venda-Hitid
Rt-Fastcgi-Cache
Powered
X-T3CacheTags
NodeID
SIP
X-Powered
CountryCode
X-Cache-Me-Harder
X-Frames-Options
Test.Executivepeople.Se
Www.Mabracertifiering.Se
Www.Mirrorgate.Se
Ssl-Enabled
Content-MD5
X-SV
Compression-Control
X-Via-Kemp
A1B2C3
ProxiaInstanceId
Www.Myjob.Se
X-NGINX-CACHED
X-Nginx-Server
MASTERWEBLET
Cluster-ID
X-Hosting-Env
Hash
X-Cache-Term
Front
X-NGINX-CACHED-AT
X-T3Cache
X-Apache-Backend
Proxy-From
X-Farm-Server
X-Content-Age
CDN
X-T3CacheInfo
Ec
X-Conf
X-MidCOM-Meta-Cache
X-Actindo-RS
X-Translation
X-T
X-Ocache
X-User-Id
X-JSL
X-Varnish-Cache-Local
Preview-Refresh
X-JAL
X-Cf-Powered-By
X-B
X-Recruiting
Backend
WEBO
X-Oracle-DMS-ECID
X-Amz-Meta-S3cmd-Attrs
X-Flex-Lastmod
X-Flex-Tag
X-Flex-Lang
X-Flex-Evstart
X-Flex-Community
X-Flex-Evend
X-Flex-Tags
X-ManagedFusion-Rewriter-Version
X-Rewritten-By
Pool
CP
X-Fett
X-MSG-05
X-Mii-Cache-Hit
X-Device-Group
PUBLISH
X-MSG-06
X-ATP-Server
D
X-DEBUG-X-Id
X-VarnCache
No
X-Pb-Mii
Mobiquo-Is-Login
X-Vtex-Processado-Em
X-MSG-03
X-DEBUG-Obj-Ttl
X-MSG-02
X-MSG-01
X-MSG-00
X-TISSERVER
X-MSG-04
X-SilverStripe-Cache
X-Varnish-Debug-Fetch-Host
CacheControlMode
X-Web-Node
Content-Instance
XX
Rt-Server
X-Jcms-Ajax-Id
7e-Page-Cache
Cmstype
Cmsid
X-ORACLE-DMS-ECID
Warning
SVR
X-Dev
Worker
X-Varnish-Cache-Server
Hej
Cache-Ctrol
If-Modified-Since
ExecutionTime
X-ERM-RunTime
X-ERM-ServerName
X-View
B-Powered-By
X-Permitted-Cross-Domain-Policies
X-Origin-Id
X-GC-Write
X-GC-Read
VTag
Ms
X-PM-ID
X-FCMS-Cache
X-Test
X-GC-App
X-ERM-ServerName-AppPage
X-Server-By
X-Cache-Backend
Aoestatic
X-Artvisual-Server
Robots
X-Geoip-Country-Code
POOL
X-VCache
Xc
X-Node-Name
X-Monstercache-Host
X-Full-URL
INCOMING-TIME
X-Optimization
Publisher
X-Monstercache-Hash
X-Monstercache
X-Upstream
Provider
HCVer
BKREF
HAVer
X-Cluster-Host
X-Pixelsilk-Server
X-Pixelsilk-Version
X-BKSrc
X-Header-Set-Id
CacheInfoFetch
Optimizer
CacheInfo
X-Wm-1
X-Forwarded-Proto
X-Varnish-Hit
X-Hc-Host
X-IDS-WS
EbdTrace
X-Hit
OMNI-C
MachineName
X-RE-Ref
Telligent-Evolution
X-Author
X-Time-Microsecs
X-XHR-Current-Location
X-Rewrite
X-CCM
Web-Head
X-Execution-Time
X-Proxy
OriginalHost
X-EPiphany-Vid
ServerId
HostName
Content-Security-Policy
X-FW-Static
X-7dig
X-Cache-NHIT
X-OPNET-Transaction-Trace
X-NID
X-ATM-RServer
X-ATM-RTime
X-OLM-Node
X-Utime
X-Origin
X-CMS
X-7d-Version
X-LAvg
Access-Control-Expose-Headers
CacheControlHeader
X-Nucleus-Cache
X-Box
CachedXSLT
X-Agentscape-Info
RequestId
SiteName
X-RemovedCookies
Mime-Version
X-ProcessESI
X-Unbounce-Instance
X-Caching-Rule-Id
X-Cache-Ttl
X-TLServer
TypeOfContent
Description
Keywords
X-Symfony-Cache
Application-Version
Expire
X-Trace
X-Webstats-RespID
Accept-Language
Esi-Enabled
Head
X-Papaya-Gzip
X-Papaya-Cache
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-UA
X-Varnish-Cacheable
Web-Server
DeleGate-Ver
X-Host-Url
X-NginX-Server
X-NginX-Cache
X-Client-Vid
Copyright
X-Platform
X-Secret
SiteSpect-Identity
X-WA-Info
WEBSERVER
No-Cache
Apache
WebServer
X-PP
X-PS-MURDOCK-CASE-NORMALIZATION
X-PS-MURDOCK-ORIG-PROTOCOL
X-Answer
X-Ratelimit
X-IP-Address
X-PS-MURDOCK-ORIG-FILEEXT
Front-End-Https
X-DELIVERYSERVER
X-SERVERID
X-WEBSERVER
X-WorkerInstancename
X-ServerId
X-Continum-Server
X-Stackable-Node
SBMCLOUD
OutputRewritten
X-Config-By
X-Hash
Buuteeq-Source
X-JSON-API-AGE
X-JSON-API-TTL
X-Cache-Control
X-JSON-API-LATENCY
X-Page-Generated-At
X-RAMCache
X-MSEdge-Ref
X-Mobile
X-CMS-Sid
X-IP
ResourceTag
X-Server-Node
Public-Extension
VM
X-Set-Cookie
X-Environment
X-Server-Id
X-GeoIP
X-Page-Generation-Time
Www.Aujourdhui.Com
X-PHP-Cache
SAVVIS
X-Vhost-ID
X-CMS-Live
X-Rot
X-DC-Origin-IP
Source
X-Varnish-Id
X-CMS-CRMSet
X-Cached-Page
Response
EI-UNIQUE-ID
W
X-CMS-Collection
Cteonnt-Length
X-GitHub-Request-Id
Http
Last-Modified:
X-WR-MODIFICATION
X-Your-GrandPa-Would-Wait
X-Would-Your-GrandPa-Wait
X-PoolMember
X-Status
X-CMS-Nid
OGHopCount
WZ-Device-Match
WZ-Cache
X-Powered-Developer
X-TTL-Age
X-Catalyst
X-TTFB-L
X-Allow-Redis
X-TTFB
X-SmugMug-Values
X-SmugMug-Hiring
X-Site:
TimeRestart
X-Pagename
X-Abuse
X-Hit-Cache
X-Modules
X-Serial
X-Purge-Level
INFO
X-Yottaa-Metrics
RayEngine
X-Yottaa-Optimizations
Login-Required
HTTP
X-Bcwwwid
X-Varnish-Cookie-Debug
X-Empowered-By
X-CMS-Tid
X-Web-Hosting-Service-Provider
SLB
X-DEBUG
Test
X-Extra-Header
X-Varnish-Count
X-Varnish-HitMiss
X-AISO-Server
X-AISO-Cache
X-BackendServer
X-CMS-Stage
Noahs-Classifieds
X-Cache-Lifetime
X-Developer
X-Cache-Age
X-Backend-Host
UNIQUE-ID
Xonnection
X-User-Agent
At-Shoptype
Atp-Isdpp
At-Isb
X-CMS-State
X-ProxyInstancename
Accept
X-Life
Srv-N
X-Process-Time
Ap-Exec-Time-Mks
Progma
X-Loc
X-Crafted