
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
X-UA-Compatible
Via
Content-Location
Keep-Alive
CF-RAY
X-Varnish
X-Frame-Options
X-Adblock-Key
P3p
X-Check
X-Cacheable
X-Language
X-Template
X-Buckets
X-Generator
Access-Control-Allow-Origin
X-Hacker
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Pad
X-Runtime
X-Geo
X-Geo-Port
X-Request-Id
MicrosoftOfficeWebServer
X-Powered-CMS
X-Server
X-Host
X-Cache-Lookup
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
Strict-Transport-Security
Ngpass-All
X-Ua-Compatible
X-Rack-Cache
X-Mod-Pagespeed
X-UA-Device
X-XRDS-Location
MicrosoftSharePointTeamServices
X-Cache-Hits
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Host-Header
Content-Encoding
X-Tumblr-Pixel-1
X-Robots-Tag
X-Via
SPRequestGuid
X-SharePointHealthScore
X-INKT-SITE
X-INKT-URI
X-Url
X-Varnish-Cache
X-CF-Powered-By
X-Iinfo
X-Tumblr-Pixel-2
X-FRAME-OPTIONS
X-Accel-Version
X-Cnection
X-PhApp
Access-Control-Allow-Headers
X-Webserver
X-ServedBy
X-Served-By
X-Forwarded-For
X-Backend
X-Page-Speed
Composed-By
X-Firenze-Processing-Times
Served-By
X-MS-InvokeApp
Access-Control-Allow-Methods
X-CDN
X-ContextId
X-ShopId
X-Alternate-Cache-Key
X-ShardId
X-XN-Trace-Token
X-XN-XNHTML
X-Hostname
X-Ac
X-Tumblr-Pixel-3
X-AH-Environment
X-PC-Key
X-PC-Hit
X-Powered-By-360WZB
X-PC-AppVer
X-PC-Date
X-PC-Host
Content-Style-Type
Content-Script-Type
X-Server-Name
Liferay-Portal
X-Age
X-Served-With
X-Request-ID
X-Umbraco-Version
X-Cache-Info
Refresh
X-Port
X-Spip-Cache
X-Cache-Server
Cf-Railgun
X-Safe-Firewall
X-Mobilized-By
X-Cache-Result
Powered-By-ChinaCache
X-Amz-Id-2
Cartoon
Request-Id
SPIisLatency
SPRequestDuration
X-HeyJason
Rating
X-Amz-Request-Id
X-FB-Debug
X-Content-Digest
X-Amz-Cf-Id
TCN
Real-Hostname
X-TN-ServedBy
X-Pass-Why
X-Loop
X-PHP-Engine
X-VCache
X-FORWARDED-FOR
X-Px
X-Outils-CS
Thanks
X-Tumblr-Pixel-4
X-W3TC-Minify
X-Cache-Status
Magicmarker
X-PersistenceNode
X-TNCMS-Version
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-TNCMS-Render-Time
X-Node
X-SERVER
X-Generated-By
IBM-Web2-Location
Page-Completion-Status
X-Cached-By
X-Device
Imagetoolbar
X-Original-Content-Length
X-Content-Encoded-By
X-Hyper-Cache
X-Timer
NS-RTIMER-COMPOSITE
X-Served-From-Cache
X-Matrix-Proxy
X-Matrix-Server
X-Varnish-Cacheable
X-Tumblr-Content-Rating
X-Cached
Content-Security-Policy
X-Styx-Req-Id
X-Powered-By-Anquanbao
X-Pantheon-Endpoint
X-Styx-Version
X-Styx-Build-Date
X-Styx-Build-Num
X-Styx-Build-Sha
X-Pantheon-Styx-Hostname
X-DynaTrace
CF-Cache-Status
X-Tumblr-Pixel-5
X-From
X-Firenze-Processing-Time
X-CMS-Version
Retry-After
X-HOST
X-Varnish-TTL
Product
X-HOSTNAME
Pics-Label
Time
Generator
IISExport
Set-Cookie2
DynaTrace
X-Cache-Enabled
X-Cache-Debug
Access-Control-Max-Age
X-Cache-Hit
Node
ServedBy
X-DDC-Arch-Trace
X-URL
X-App-Hosting
X-CDN-Any-IP
Lsrequestid
X-CDN-Geo
X-CDN-Geo-IP
X-Backend-Server
X-Rendering-Engine
Powered-By
X-I
X-Nitra-Side
ServerName
X-Trace-App
Charset
PICS-Label
X-Purge-Host
X-UD-Method
MIME-Version
X-Original-Request
X-UD-Host
X-SDS
X-NoCache
Content-Encoding-Handler
X-Ms-Invokeapp
X-PERF
X-ApacheServer
Sprequestguid
X-PF-Uncompressing
X-Sharepointhealthscore
X-Sol
X-Passed-To
X-Returned-From-DLL
X-Returned-From
X-Returned-From-BeforeDispatch
X-Returned-From-PostProcessResponse
X-Passed-To-BeforeDispatch
X-Passed-To-DLL
X-Duration
X-Microcachable
X-ATG-Version
X-Handled-By
X-Passed-To-PostProcessResponse
X-Actual-URL
Cache
X-Processed-By
Response
X-Drectory-Script
X-Cache-Expires
X-Cookie-Domain
X-Purge-URL
X-Content-Options
Access-Control-Request-Method
X-Art-Request-Id
COMMERCE-SERVER-SOFTWARE
S
Proxy-Agent
SID
X-DynaTrace-JS-Agent
Ngpass-Vcall
Accept-Encoding
X-Xrds-Location
X-BackEnd
X-Hits
X-SRV
X-Varnish-Backend
X-Director
X-Expires-Orig
X-Middleton-Response
Vacache
Website-Info
Server-Info
X-ServerID
X-LiteSpeed-Cache
Filter-Revision
AMF-Ver
X-CJ-Soft
Fhost
X-Speed-Cache-Key
X-Speed-Cache
X-Vary-Options
X-GeoIP-Country-Code
X-Cache-Control-Orig
X-BC-Is-HA
X-Content-Security-Policy
X-Orig-Vary
Machine
X-Front
X-Micro-Cache
X-DNS-Prefetch-Control
Edge-Control
X-ServerName
Surrogate-Control
X-GeoIP-Country-Name
Host
X-Track
X-FW
X-PwB-Node
RTSS
X-Beep
WWW-Authenticate
NODE
X-VARNISH-Cache
X-FW-Static
CT
X-Hosted-By
X-B2f-Cache-Load
Cm-Server
X-FIRSTBase
X-Directory-Script
X-Varnish-Object-Age
MJ12bot
SEOMOZ
Origin
Content-Disposition
Accept-Charset
A-Powered-By
X-TTL
X-Yadis-Location
X-WebKit-CSP
X-Source-Host
X-Trace-Cache
X-Cocoon-Version
VAR-Cache
X-User-Agent
X-Varnish-Host
X-Varnish-IP
X-Highwire-RequestId
X-Gamma-Serve
CommunityServer
X-WR-Flags
X-Highwire-SessionId
X-WebServer
X-Pangea-Version
ServerID
X-ACMCache
NetMindSessionID
Server-Name
UniqueName
X-Server-ID
X-AOL-SNH
QOR-Cache
X-App-Start
SN
X-AspNetWebPages-Version
MW-Webserver
X-Session-Reinit
X-Varnish-Hits
X-Blog
X-Whom
X-MJ-Upstream-Addr
Pool-Info
X-Ar-Debug
X-StoreSense
X-ProStores-StoreApiEntryPoint
X-Permitted-Cross-Domain-Policies
X-Srv
X-CacheHits
X-Cache-Rule
X-Cluster-Node
X-LIGHTHTTP-PCDID
X-ID
X-Ttl
Hamster
NtCoent-Length
Id
X-Atraveo-Cache-Control
X-Atraveo-From-Varnish-Cache
X-Atraveo-NC
X-Atraveo-TTL
X-Cache-TTL
X-Atraveo-Varnish-Server-Id
X-CHSN
X-Server-IP
X-Cache-Action
X-Distil-CS
Req-Id
X-Time
X-ServerCache-Info
X-Grid-Server
X-Outils-Cs
Nodo
X-Engine
X-Sys-Req-ID
Cteonnt-Length
From
X-Bettercache-Proxy
X-App-Status
X-Wily-Info
X-Wily-Servlet
X-Provisioner-Version
X-Domain-Checked
X-Transaction
Server2
Microsoftsharepointteamservices
Content-Security-Policy-Report-Only
Ms
X-Geo-IP
X-Trace
X-Cache-Config
X-Info
Cache-By-Node
X-Cached-Status
Webluker-Edge
X-Vtex-Cache-Key
LBVIS
X-Vtex-Remote-Cache
X-MJ-Serve-Req-Time
X-Id
X-TempDebug
X-Varnish-Server
Proxy-Connection
X-WEBSERVER
X-Device-Type
X-Ar-Forwarded-For
X-App
MIH-CLIENT-FARM
MIH-PLATFORM
MIH-PUBLIC-IDENTIFIER
X-Microcache-Status
X-Force
X-PRAM
X-Powered-By-Yqk
Srv
Beyond-Iis
X-Recruiting
Grace
F-In-Cache
X-Yqk-Set
X-ManagedFusion-Rewriter-Version
X-Cache-Operation
X-Rewritten-By
MirrorName
X-Object-Type
Web-Server
X-Object-Id
X-Src-Webcache
X-Swift-CacheTime
X-DeliveryServer
X-Magento-Lifetime
WP-Cache
X-Magento-Action
X-Varnish-ID
Aoestatic
X-Machine-Name
X-S
X-Source-ID
X-Country-Code
X-Swift-SaveTime
X-Frontend
X-ASTRO-REWRITE
X-FS-UUID
X-FreeTag-Count
X-LB
X-B2f-Not-Route
X-Empowered-By
X-Developer
Backend
X-Uid
X-Powered
X-Vhost
X-Li-Pop
X-ROUTE-DATA
X-LI-UUID
X-Amz-Id-1
X-N
X-Turbo-Control
X-Origin
X-REDIRECTSERVER
X-Expires
X-Li-Fabric
Edgecast
X-Amz-Meta-S3cmd-Attrs
Compression-Control
Apache
X-Via-Kemp
X-SN
X-Varnish-Action
PageSpeed
SS
X-Connection-Hash
LBC
ORIGIN
X-Real-Server
X-Version
X-Vtex-Processado-Em
SiteName
X-Old-Content-Length
X-Translation
X-ORACLE-DMS-ECID
Buuteeq-Source
X-Response-Time
X-T3CacheInfo
X-Varnish-Debug-Age
Be-Ip
Content-Transfer-Encoding
Be-Va
X-WR-MODIFICATION
RequestTime
X-Varnish-Debug-Hits
X-GeoIP
Warning
X-Phpwcms-Release
X-Origin-Id
X-Phpwcms-Page-Processed-In
X-TISSERVER
X-OPNET-Transaction-Trace
X-JSL
X-Kermit
SIP
X-User-Id
X-JAL
X-Varnish-Age
No
X-VarnCache
Pagely
X-Secret
SRV
X-Cms-Mode
X-Dev
X-ACCELERATE
X-Oracle-DMS-ECID
Worker
X-Upstream
Author
If-Modified-Since
Mime-Version
X-Jphone-Copyright
Provided-Host
Front
Content-MD5
X-UPSTREAM
X-Frames-Options
ScoreTracker
X-Flex-Tag
X-Flex-Community
X-Flex-Evstart
X-Flex-Lang
X-Flex-Lastmod
X-Flex-Evend
X-Flex-Tags
X-Powered-By-Server
7e-Page-Cache
Location
OriginServer
X-XHR-Current-Location
X-Route
P3P:CP
Open.Jobgate.Se
NLCacheNote
LFY
Content-Instance
SFY
X-PageCached
X-Actindo-RS
X-Nginx-Backend
X-Debug
Cluster-ID
X-Cache-Term
Jobb.Passal.Se
X-DTC
CDN
X-MobileDetected
X-B
X-Pixelsilk-Server
X-Varnish-Abtest-Expires
X-EdgeRouter
X-Hrouter
X-Ocache
Www.Myjob.Se
SynthaSite-ID
Pool
Www.Mabracertifiering.Se
X-T
Www.Mirrorgate.Se
Test.Executivepeople.Se
X-Farm-Server
-GCR
Allow
Copyright
X-Catalyst
X-Vivastreet-KiwiiPage
X-Response
X-Vivastreet
Powered
X-Cache-Ttl
X-Varnish-Device
Server-IP
X-Varnish-Cache-Local
X-Mod-Oboe-PS
Progma
X-GSL-Server
X-Kirra-SiteId
X-Haiku
MASTERWEBLET
X-ATM-RServer
X-ATM-RTime
Ksid
Hash
X-Vhost-ID
Dispatcher
X-CS
X-Nginx-Server
Rt-Server
X-Cache-On
Il-Cl
X-Varnish-Cache-Server
Jobb.Gil.Se
X-Framework
X-Pixelsilk-Version
X-GLaDOS
Source
X-Server-Id
X-T3CacheTags
CP
DCGI-Server
X-T3Cache
X-ERM-ServerName-AppPage
ExecutionTime
X-Nginx-Host
X-ERM-RunTime
X-ERM-ServerName
Jobb.Assistentpoolen.Se
X-Continum-Server
A1B2C3
Cmstype
X-Dynatrace-Js-Agent
X-BackendServer
At-Isb
X-Nginx-Cache
X-Content-Age
At-Shoptype
X-Geo-IP-Region
WEBO
X-Cache-Lifetime
Atp-Isdpp
X-Cache-Age
Cmsid
X-Geo-IPV
X-Accelerated-By
X-Geo-IP-Metro
X-Internal-IP
X-Geo-IP-Country
X-Header
POOL
X-Cache-Me-Harder
Render
ServerConfigManager.WebBugTracker
Tpt
IsFullSiteRequest
X-Hash
X-Conf
Before
REFRESH
After
X-Cache-Set
X-Jcms-Ajax-Id
Provider
X-VTEX-Router-Backend-App
X-VarnPar2
X-NGINX-CACHED
X-Host-Url
X-NGINX-CACHED-AT
X-VTEX-Router-JanusNet-AspNetLatency
X-VTEX-Router-JanusNet-BackEndLatency
X-VTEX-Router-JanusNet-JanusLatency
X-VTEX-Router-Powered-By
Content
X-Venda-Hitid
Ttl
X-7dig
X-7d-Version
X-SilverStripe-Cache
Tpt.Renderer
X-App-Server
X-Varnish-Cache-Hits
Cache-Ctrol
X-GC-App
X-GC-Read
X-Artvisual-Server
X-UD-REMOTE-ADDR
Tpt.Renderer1
X-Stackable-Node
X-WP
X-Monstercache-Timeout
SBMCLOUD
WEB-CLUSTER-NODE
X-Reject
X-Powered-Developer
X-Channel-Maxage
X-Remote-Addr
X-PM-ID
X-UD-Target
X-Config-By
X-UD-Loopcounter
X-FCMS-Cache
X-Goog-Hash
X-NID
Ec
D
X-PvInfo
X-Web-Node
X-GC-Write
X-Tumblr-Pixel-6
INCOMING-TIME
Servername
X-Hosting-Env
Publisher
PowerCDN
X-TLServer
X-D-Time
UNIQUE-ID
X-WorkerInstancename
X-CMS-State
X-S-Misc
X-XFPC-Cache
Rt-Fastcgi-Cache
X-Binarysec-Via
Esi-Enabled
X-Location
X-Back
X-CMS-Tid
X-Generation-Time
X-SeschatLayout
X-Client-IP
X-Device-Group
X-Mii-Cache-Hit
X-MSEdge-Ref
X-Cache-Key
X-ATP-Server
BM-Cache-Node
BM-Cache-Status
Www.Aujourdhui.Com
X-Allow-Redis
X-Nucleus-Cache
X-Pb-Mii
Disaptch-Cache-Rule
ExecuteNonQuerySQLParam
X-ChromeLogger-Data
X-VarnPar1
X-MidCOM-Meta-Cache
X-CacheServer
X-Purge-Level
X-SATserver
X-Enhanced-By
X-ErrorPage
BM-Cache-Key
X-Fett
X-SeschatDID
X-CMS-Stage
X-SeschatRedID
X-SeschatTemplateID
X-Seschat-URL
X-Cluster-ID
X-PP
X-Varnish-Count
X-Varnish-HitMiss
X-CacheTTL
X-CCM
X-Client-Addr
X-NginX-Server
X-Server-By
X-Server-Node
ProxiaInstanceId
X-NginX-Cache
X-MCB-Server
X-Client-Vid
X-EPiphany-Vid
X-IDS-WS
X-Platform
X-XFPC-Cache-Active
X-GitHub-Request-Id
X-Hit
X-Page-Generation-Time
X-Time-Microsecs
X-Benchmark-Total
X-Benchmark-Sphinx-Count
X-CMS-Sid
X-Benchmark-Cache
X-Benchmark-Db
X-Benchmark-Sphinx
X-Varnish-Beresp-Grace
X-Varnish-Beresp-Status
HAVer
HCVer
X-JSON-API-AGE
Noahs-Classifieds
X-JSON-API-LATENCY
X-JSON-API-TTL
X-Varnish-Beresp-Ttl
X-Page-Generated-At
BKREF
X-Locale
X-Author
User-Cache-Control
X-Cache-Backend
X-DC-Origin-IP
X-Feed
X-Garden-Version
X-UserAgent
X-Varnish-Debug-Fetch-Host
Http
X-Your-GrandPa-Would-Wait
SAVVIS
X-Would-Your-GrandPa-Wait
X-Monstercache
X-Monstercache-Hash
X-TTL-Age
HTTP
MachineName
OGHopCount
X-Uplex
X-Ratelimit
X-Monstercache-Host
X-Original-IP
X-PoolMember
X-BKSrc
X-ServerID-App
X-ProcessESI
X-RemovedCookies
X-VG-WebCache
X-Real-IP
X-Node-Name
X-Mobile
Svr
X-Box
X-VTEX-Cache
X-MadeOn
X-CMS-Live
SVR
Telligent-Evolution
X-CMS-Collection
X-CMS-CRMSet
Powered-By-VeryCDN
Ngpass-Static
Accept
Accept-Language
Hej
Requested-Host
X-Max-Age
XX
X-PBY
X-SERVERID
X-CMS-Server
Content-ID
Expire
X-CMS-Nid
X-Nocache
X-Extra-Header
X-Powered-By-VTEX-Janus-Edge
SLB
HostGen
X-Stale
X-DefendeR-Runtime
X-Bcwwwid
X-PHP-Cache
Head
Web-Head
X-HOSTTYPE
X-Varnish-Cookie-Debug
X-Server-Instance
X-SDE-Name
Bs-Header
X-WLD-LB
X-VTEX-Cache-Status-Janus-Edge
X-Webstats-RespID
EI-UNIQUE-ID
X-RAMCache
Server-Optimized-By
X-USERNAME
X-V
X-DSMX-Render-MS
X-TTFB-L
X-TTFB
X-Yottaa-Optimizations
X-SmugMug-Values
X-DELIVERYSERVER
X-Panel-Id
X-Varnish-Hashed-On
X-VHOST
X-PROCESSED-BY
X-Panel-Name
X-SmugMug-Hiring
Smug-Env
Host-Service
X-Resolver-IP
X-Loc
X-Life
X-AISO-Cache
X-AISO-Server
Server-N
X-DSMX-Rewrite-MS
X-JG-Page-Cache
X-Gondor-Server
X-FarmId
X-IP-Address
X-User-Login-Url
X-Caching-Rule-Id
X-User-Authenticated
Apple-Itunes-App
X-Location-Id
X-Header-Set-Id
X-R4L-VHOST
X-Router
X-Adobe-Content
X-PoweredBy
X-RSS-CACHE-STATUS
X-Execution-Time
AcceptLangage
Foglight-Request-UUID
HostName
X-Dokk-PortalId
X-Cookie-Store
X-Hc-Host
Ozcache
Redirect
XDisk
CountryCode
Mobiquo-Is-Login
X-Head
X-APP
Test
X-WAP
Xc
X-PS-MURDOCK-ORIG-PROTOCOL
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-CASE-NORMALIZATION
XDomainRequestAllowed
X-ACLR-Version
X-Varnish-Max-Age
X-Status
X-SERVER-ID
X-Http-Host
X-Backend-Status
WP-AdvCache-MemCached
X-UseReverse-Proxy
WebDevSrc
X-Sw-Accesskey
X-Cluster-Host
X-Router-Backend
X-Webapp
X-WHOIS-Cached
X-Cluster
CacheControlHeader
Front-End-Https
X-Url-Store
X-Yottaa-Metrics