SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a "HEAD" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
X-AspNet-Version
P3P
Link
X-XSS-Protection
X-Content-Type-Options
X-Cache
Age
Alternate-Protocol
X-Adblock-Key
Content-Language
Content-Location
X-UA-Compatible
Via
X-Varnish
CF-RAY
X-Frame-Options
Keep-Alive
P3p
X-Cacheable
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
X-Drupal-Cache
Access-Control-Allow-Origin
Status
WP-Super-Cache
MS-Author-Via
X-Powered-By-Plesk
X-Pad
X-AspNetMvc-Version
X-Geo
X-Geo-Port
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Server
X-Cache-Lookup
X-Host
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
X-UA-Device
X-Rack-Cache
X-XRDS-Location
Content-Encoding
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
Strict-Transport-Security
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Tumblr-Pixel-1
X-Cache-Hits
Host-Header
X-Via
SPRequestGuid
X-SharePointHealthScore
X-Tumblr-Pixel-2
X-INKT-URI
X-INKT-SITE
X-Robots-Tag
X-CF-Powered-By
X-Varnish-Cache
X-Webserver
X-Url
X-ServedBy
X-PhApp
X-Iinfo
Composed-By
X-Ua-Compatible
X-Forwarded-For
X-Accel-Version
Served-By
X-Page-Speed
X-Hostname
X-Cnection
X-MS-InvokeApp
X-Firenze-Processing-Times
X-ContextId
Access-Control-Allow-Headers
X-Served-By
X-Tumblr-Pixel-3
X-Backend
X-XN-Trace-Token
X-Alternate-Cache-Key
Access-Control-Allow-Methods
X-ShardId
X-ShopId
X-XN-XNHTML
X-Stats-Visit-Token
X-Stats-Unique-Token
X-CDN
X-Powered-By-360WZB
X-AH-Environment
X-PC-Key
X-PC-Hit
X-PC-Date
X-PC-Host
X-PC-AppVer
X-Umbraco-Version
Liferay-Portal
Content-Style-Type
Content-Script-Type
X-Mobilized-By
X-Request-ID
Cartoon
X-From
Powered-By-ChinaCache
X-Server-Name
X-Cache-Info
Refresh
X-Cache-Server
Rating
X-Spip-Cache
X-HeyJason
X-W3TC-Minify
Thanks
X-Amz-Id-2
X-Amz-Request-Id
X-Outils-CS
TCN
Cf-Railgun
X-FB-Debug
SPIisLatency
SPRequestDuration
Request-Id
Magicmarker
X-Content-Digest
X-Px
X-Amz-Cf-Id
Real-Hostname
X-TN-ServedBy
X-Loop
X-PHP-Engine
X-Tumblr-Content-Rating
X-VCache
X-Original-Content-Length
Page-Completion-Status
X-Content-Encoded-By
NS-RTIMER-COMPOSITE
X-Cache-Status
X-Device
X-Varnish-Cacheable
X-Tumblr-Pixel-4
X-Powered-By-Anquanbao
X-Generated-By
Imagetoolbar
X-TNCMS-Version
X-TNCMS-Memory-Usage
X-TNCMS-Render-Time
X-TNCMS-Served-By
X-Matrix-Server
X-Matrix-Proxy
PICS-Label
X-SERVER
X-Cached-By
IBM-Web2-Location
X-Tumblr-Pixel-5
X-Art-Request-Id
Product
IISExport
Retry-After
Set-Cookie2
X-Pantheon-Styx-Hostname
X-Pantheon-Endpoint
X-Cached
X-Firenze-Processing-Time
X-CMS-Version
X-FORWARDED-FOR
X-Varnish-TTL
X-Timer
Access-Control-Max-Age
CF-Cache-Status
X-Served-From-Cache
X-Backend-Server
X-SDS
X-DynaTrace-JS-Agent
X-Node
X-Drectory-Script
X-I
Powered-By
Time
X-Processed-By
X-ATG-Version
X-PF-Uncompressing
X-Cache-Hit
X-Age
MIME-Version
Generator
X-Director
X-DDC-Arch-Trace
X-Trace-App
X-Duration
X-ApacheServer
X-PERF
X-Nitra-Side
X-SRV
X-App-Hosting
X-Cache-Enabled
X-Cache-Debug
RTSS
Access-Control-Request-Method
X-UD-Method
COMMERCE-SERVER-SOFTWARE
X-DynaTrace
X-UD-Host
ServedBy
S
DynaTrace
Lsrequestid
AMF-Ver
Pics-Label
X-DNS-Prefetch-Control
NODE
X-Vtex-Cache-Key
Charset
X-Vtex-Remote-Cache
Content-Encoding-Handler
WWW-Authenticate
Accept-Encoding
X-Purge-Host
X-Rendering-Engine
Surrogate-Control
X-URL
X-Content-Options
X-Orig-Vary
X-FIRSTBase
Node
MIH-PUBLIC-IDENTIFIER
MIH-CLIENT-FARM
MIH-PLATFORM
X-Vary-Options
X-Varnish-Backend
X-Expires-Orig
Edge-Control
Filter-Revision
X-Yadis-Location
X-Hosted-By
X-Safe-Firewall
Id
LFY
X-Speed-Cache-Key
ServerName
SFY
Webluker-Edge
Host
X-Srv
X-Original-Request
X-Cookie-Domain
X-ServerID
X-ServerName
X-NoCache
X-Purge-URL
X-Cache-Expires
Content-Disposition
SID
X-ACMCache
X-Actual-URL
X-Returned-From-PostProcessResponse
X-Handled-By
X-Passed-To
X-Returned-From-DLL
X-Passed-To-BeforeDispatch
X-LiteSpeed-Cache
X-Ttl
X-Gamma-Serve
Accept-Charset
X-Passed-To-DLL
X-Amz-Meta-S3cmd-Attrs
Content-Security-Policy
X-Returned-From
X-CJ-Soft
X-Returned-From-BeforeDispatch
X-Passed-To-PostProcessResponse
X-Cache-Control-Orig
Debug-IP-Cntry
X-LIGHTHTTP-PCDID
Debug
UniqueName
NetMindSessionID
X-CHSN
X-Speed-Cache
Debug-Begin-IP
Cm-Server
X-Cluster-Node
X-Sys-Req-ID
VAR-Cache
X-MJ-Upstream-Addr
X-Hits
X-GeoIP-Country-Code
X-Cache-TTL
Cache
X-Time
X-Trace-Cache
X-FW
Proxy-Connection
X-Permitted-Cross-Domain-Policies
CT
X-Source-Host
X-Blog
X-Info
X-PwB-Node
X-Session-Reinit
X-Micro-Cache
X-Front
X-MJ-Serve-Req-Time
Nodo
X-GeoIP-Country-Name
SN
Pool-Info
X-N
X-Varnish-Host
MW-Webserver
X-Server-ID
X-Accelerated-By
X-Microcachable
Server2
A-Powered-By
Req-Id
X-Distil-CS
Microsoftsharepointteamservices
Website-Info
MJ12bot
SEOMOZ
X-AspNetWebPages-Version
REFRESH
Proxy-Agent
CommunityServer
Server-Info
Location
ScoreTracker
Sprequestguid
X-Cache-Action
Fhost
F-In-Cache
X-Varnish-Cache-Hits
X-Sharepointhealthscore
ORIGIN
X-CDN-Any-IP
X-CDN-Geo-IP
X-CDN-Geo
X-ID
Machine
NtCoent-Length
X-Turbo-Control
X-Varnish-Action
X-Cocoon-Version
X-UPSTREAM
From
X-FW-Static
X-Varnish-Hits
X-Bettercache-Proxy
Backend
X-App
X-Track
X-Engine
X-Ms-Invokeapp
X-Cache-Rule
Hamster
X-Pass-Why
X-Response-Time
X-Wily-Info
X-Wily-Servlet
X-App-Server
X-Trace
X-StoreSense
ServerID
X-ProStores-StoreApiEntryPoint
X-Cf-Powered-By
X-Benchmark-Sphinx
X-Benchmark-Db
X-Benchmark-Sphinx-Count
X-Pangea-Version
Srv
X-AOL-SNH
X-Benchmark-Cache
X-Benchmark-Total
X-App-Start
X-Expires
X-ServerCache-Info
X-TTL
X-Id
X-Highwire-SessionId
X-Object-Id
X-Phpwcms-Page-Processed-In
Content-MD5
Cteonnt-Length
X-Phpwcms-Release
X-Highwire-RequestId
X-HOSTNAME
X-Object-Type
X-Frontend
X-FreeTag-Count
X-Directory-Script
QOR-Cache
X-ROUTE-DATA
X-CacheHits
-GCR
SS
X-Machine-Name
OHS-WebNode
X-Cdn
X-Geo-IP
X-WR-Flags
X-ACCELERATE
X-Old-Content-Length
X-Device-Type
X-DD-DomainID
X-Microcache-Status
Bs-Header
X-Yqk-Set
X-Server-Id
WP-Cache
X-T3CacheInfo
X-Debug
Author
X-Powered-By-Yqk
Front
X-Amz-Id-1
X-Atraveo-TTL
X-Varnish-Cache-Server
X-WP
X-Haiku
X-NGINX-CACHED-AT
Content-Transfer-Encoding
X-Cache-Operation
X-Monstercache-Timeout
X-CS
X-Atraveo-From-Varnish-Cache
X-ATM-RServer
MASTERWEBLET
Cluster-ID
X-Apache-Backend
X-Src-Webcache
X-Venda-Hitid
Il-Cl
X-Kirra-SiteId
X-ATM-RTime
NLCacheNote
X-Atraveo-Varnish-Server-Id
X-Response
Hash
X-Actindo-RS
Cache-Ctrol
X-Atraveo-Cache-Control
X-Atraveo-NC
X-Ocache
X-B
X-Conf
X-PM-ID
CountryCode
X-DTC
X-DeliveryServer
RequestTime
CDN
Ec
X-Utime
X-T
X-Whom
X-Varnish-IP
X-Jcms-Ajax-Id
Powered-By-VeryCloud
Pool
X-NGINX-CACHED
X-MidCOM-Meta-Cache
X-Country-Code
X-Vivastreet
X-Vivastreet-KiwiiPage
X-S
X-Seen-By
X-Enhanced-By
X-Farm-Server
X-Cached-Status
X-Cache-Term
X-GLaDOS
X-PageCached
X-Transaction
X-GC-App
X-Version
X-GC-Write
X-GC-Read
X-Magento-Lifetime
X-Magento-Action
Server-Name
X-Server-Web
X-Node-Name
X-Grid-Server
Buuteeq-Source
Provided-Host
X-Varnish-Server
X-ManagedFusion-Rewriter-Version
X-Content-Age
X-Rewritten-By
X-CMS
X-MCB-Server
Content
ServerConfigManager.WebBugTracker
Tpt.Renderer
Render
Before
X-Kermit
After
Tpt.Renderer1
X-Varnish-Age
Beyond-Iis
X-Varnish-ID
X-Snapsis-PageBlaster
Progma
X-Content-Security-Policy
X-Header
Pagely
X-Developer
At-Shoptype
Atp-Isdpp
At-Isb
X-UD-Target
X-UD-Loopcounter
X-UD-REMOTE-ADDR
Rt-Server
X-Powered-By-Server
X-FCMS-Cache
Head
WEBSERVER
X-CMS-Server
Ms
-Onnection
X-Source-ID
Www.Myjob.Se
7e-Page-Cache
X-Recruiting
X-Monstercache
X-B2f-Cache-Load
X-Channel-Maxage
Jobb.Passal.Se
X-Monstercache-Hash
A1B2C3
Www.Mirrorgate.Se
Jobb.Assistentpoolen.Se
Open.Jobgate.Se
Jobb.Gil.Se
P3P:CP
X-Max-Age
Www.Mabracertifiering.Se
Test.Executivepeople.Se
Hostname
OriginServer
X-Monstercache-Host
X-Database-Slave-Connection
X-Varnish-Beresp-Grace
MirrorName
X-SN
X-Varnish-Beresp-Status
X-ASTRO-REWRITE
X-Request-Duration
X-Force
X-ORACLE-DMS-ECID
X-PRAM
X-Varnish-Beresp-Ttl
X-Li-Pop
Publisher
X-LI-UUID
X-Li-Fabric
WEBO
Servername
X-FS-UUID
X-Dev
X-Artvisual-Server
Worker
X-REDIRECTSERVER
X-Hash
X-T3Cache
Provider
INCOMING-TIME
X-Translation
Aoestatic
X-Cms-Mode
X-Upstream
X-Uid
X-Jphone-Copyright
Robots
Origin
X-ERM-ServerName-AppPage
X-ERM-ServerName
X-Locale
X-UserAgent
X-AISO-Cache
X-AISO-Server
X-ERM-RunTime
Compression-Control
X-Secret
X-Location
X-B2f-Not-Route
Ssl-Enabled
X-Via-Kemp
X-RSS-CACHE-STATUS
Web-Server
Application-Version
X-CMS-Stage
X-CMS-State
X-CMS-Tid
X-CMS-Sid
X-Cookie-Pangea-NodeId-Received
X-CMS-Live
X-CMS-Nid
X-Cache-On
Dispatcher
X-T3CacheTags
Esi-Enabled
X-V
Front-End-Https
Content-Security-Policy-Report-Only
X-Cache-Me-Harder
B-Powered-By
X-Host-Url
X-TISSERVER
X-Amz-Version-Id
X-Frames-Options
X-VarnCache
X-VarnPar1
X-Varnish-Debug-Hits
SIP
D
CP
X-Framework
X-JAL
X-JSL
X-Real-IP
Accept
X-Varnish-Cache-Local
X-Varnish-Debug-Age
X-Domain-Checked
X-Powered
Powered
X-Varnish-Device
X-Purge-Level
X-Vhost
X-Platform
X-Brought-To-You-By
X-Dynamic
SRV
X-Provisioner-Version
X-Geo-IPV
X-Geo-IP-Region
X-Geo-IP-Country
X-Geo-IP-Metro
X-User-Id
X-PP
X-Remote-Addr
X-Box
X-Empowered-By
TypeOfContent
OriginalHost
CacheInfo
CacheInfoFetch
X-CMS-CRMSet
No-Cookie
X-Hosting-Env
X-SV
X-7d-Version
X-7dig
Backend-Host
X-LAvg
X-Cache-Set
X-Nginx-Server
CacheDuration
X-UA
X-Pixelsilk-Version
WP-AdvCache-MemCached
X-Hc-Host
X-Pixelsilk-Server
X-Time-Microsecs
X-Allow-Redis
X-HITS
CData
X-Author
MachineName
X-SilverStripe-Cache
Content-Instance
XX
X-Vhost-ID
X-Oracle-DMS-ECID
Rt-Fastcgi-Cache
Mime-Version
X-Cache-NHIT
Optimizer
X-S-Misc
X-CMS-Collection
X-Generation-Time
Warning
Accept-Language
X-LB
X-WorkerInstancename
ServerId
PowerCDN
X-D-Time
Telligent-Evolution
X-Flex-Evend
X-Flex-Tags
X-NginX-Cache
Cache-By-CoreNode
Cache-By-Node
Ibm-Web2-Location
X-Flex-Lastmod
SynthaSite-ID
X-Flex-Evstart
X-Flex-Tag
X-Flex-Lang
X-Nocache
X-Flex-Community
Cmsid
Cmstype
No
X-NginX-Server
X-EdgeRouter
SiteName
X-Vtex-Processado-Em
X-Hrouter
X-Web-Node
X-Garden-Version
X-PS-MURDOCK-ORIG-PROTOCOL
Http
Test
X-Ratelimit
Access-Control-Expose-Headers
X-TTL-Age
X-Modules
X-Serial
Expire
X-Uplex
X-Dokk-PortalId
Hej
SLB
X-Bcwwwid
X-Varnish-Debug-Fetch-Host
User-Cache-Control
X-Would-Your-GrandPa-Wait
X-PS-MURDOCK-CASE-NORMALIZATION
X-Test
X-Your-GrandPa-Would-Wait
X-JSON-API-AGE
X-PS-MURDOCK-ORIG-FILEEXT
X-DC-Origin-IP
X-Router
X-Router-Backend
X-UseReverse-Proxy
X-Catalyst
X-Process-Time
X-GeoIP
X-Life
X-Loc
X-Webapp
X-Gondor-Server
Smug-Env
Apache
X-Cache-Control
ExecuteNonQuerySQLParam
X-TTFB-L
X-SmugMug-Hiring
X-SmugMug-Values
X-TTFB
Be-Va
Be-Ip
X-Cache-Backend
X-Varnish-Cookie-Debug
X-MiniProfiler-Ids
X-Page-Generation-Time
X-WLD-LB
X-GitHub-Request-Id
X-Http-Host
Noahs-Classifieds
Sigma
EI-UNIQUE-ID
X-TLServer
X-XFPC-Cache
X-XFPC-Cache-Active
X-NID
Response
X-HOSTTYPE
X-USERNAME
OGHopCount
X-Hit
WEB-CLUSTER-NODE
CachedXSLT
X-Agentscape-Info
X-Fortrabbit
X-Client-Addr
X-IDS-WS
X-WebFarmNode
X-CCM
Svr
CacheControlMode
X-VTEX-Router-JanusNet-BackEndLatency
X-VTEX-Router-JanusNet-JanusLatency
X-VTEX-Router-Powered-By
X-VTEX-Router-JanusNet-AspNetLatency
X-R4L-VHOST
X-VTEX-Cache
X-VTEX-Router-Backend-App
X-DSMX-Rewrite-MS
X-DSMX-Render-MS
X-SeschatLayout
X-SeschatDID
X-Seschat-URL
X-Accel-Expires
X-SeschatRedID
X-BackendServer
X-SeschatTemplateID
X-Cache-Age
X-Cache-Lifetime
X-PvInfo
X-Server-Node
X-Proxy
X-Server-By
X-Varnish-Hashed-On
X-Hop-By
ProxiaInstanceId
X-WR-MODIFICATION
UNIQUE-ID
DCGI-Server
Source
X-Nginx-Host
X-Continum-Server
X-Source
SBMCLOUD
DNNOutputCache
EWHSERVER
X-JSON-API-LATENCY
X-JSON-API-TTL
Xc
Mobiquo-Is-Login
X-Route
ExecutionTime
X-Config-By
X-Nginx-Cache
X-Powered-Developer
CacheControlHeader
EbdTrace
X-Real-Server
X-Pagecache
X-Caching-Rule-Id
X-Header-Set-Id
X-Origin
X-Cluster-Host
Xonnection
Copyright
LBVIS
X-Rewrite
X-Origin-Id
X-Back
X-Page-Generated-At