SANS ISC HTTP Header Usage Statistics


This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header, security-relevant or not. We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
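The tally described above can be sketched as follows. This is an added example, not the project's collection code: the raw HEAD responses and site names are constructed, and counting a header once per site is an assumption. Header names are case-insensitive, so the sketch folds case (the list below shows both X-UA-Compatible and X-Ua-Compatible), and it does not credit the misspelt X-Frames-Options, which browsers ignore, as X-Frame-Options.

```python
from collections import Counter

SECURITY_HEADERS = ("x-frame-options", "x-xss-protection", "x-content-type-options",
                    "strict-transport-security", "content-security-policy")

# Constructed sample data: raw HEAD responses keyed by hypothetical site name.
SAMPLE_RESPONSES = {
    "site-a.example": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "X-UA-Compatible: IE=edge\r\n"
        "Set-Cookie: a=1\r\n"
        "Set-Cookie: b=2\r\n\r\n"          # repeated header, counted once per site
    ),
    "site-b.example": (
        "HTTP/1.1 200 OK\r\n"
        "X-Ua-Compatible: IE=edge\r\n"     # same header as above, different case
        "X-Frames-Options: DENY\r\n"       # misspelt: gives no framing protection
        "Strict-Transport-Security: max-age=31536000\r\n\r\n"
    ),
    "site-c.example": "HTTP/1.1 301 Moved Permanently\r\nLocation: /home\r\n\r\n",
}

def header_names(raw):
    """Return the set of lower-cased header names in one raw response."""
    names = set()
    # Keep only the header block, then skip the status line.
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, sep, _value = line.partition(":")
        if sep and name.strip():
            names.add(name.strip().lower())
    return names

def header_histogram(responses):
    """Count, per header name, how many sites sent it at least once."""
    counts = Counter()
    for raw in responses.values():
        counts.update(header_names(raw))
    return counts

def security_adoption(responses):
    """Map each security-relevant header to the number of sites sending it."""
    counts = header_histogram(responses)
    return {h: counts.get(h, 0) for h in SECURITY_HEADERS}

if __name__ == "__main__":
    print(header_histogram(SAMPLE_RESPONSES).most_common())
    print(security_adoption(SAMPLE_RESPONSES))
```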

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
X-UA-Compatible
Via
Content-Location
X-Frame-Options
CF-RAY
X-Varnish
X-Adblock-Key
Keep-Alive
P3p
X-Check
X-Cacheable
X-Language
X-Buckets
X-Template
X-Generator
Access-Control-Allow-Origin
X-Hacker
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Ac
X-Geo
X-Geo-Port
X-Pad
X-Runtime
X-Request-Id
X-Powered-CMS
MicrosoftOfficeWebServer
X-Server
Strict-Transport-Security
X-Host
X-Type
X-Cache-Group
Access-Control-Allow-Credentials
X-Cache-Lookup
X-Logged-In
Ngpass-Ngall
X-Mod-Pagespeed
X-UA-Device
X-Rack-Cache
X-Cache-Hits
MicrosoftSharePointTeamServices
X-XRDS-Location
X-Url
Host-Header
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Tumblr-Pixel-1
SPRequestGuid
X-Via
X-SharePointHealthScore
Content-Encoding
X-Forwarded-For
X-Varnish-Cache
X-Iinfo
X-Robots-Tag
X-CF-Powered-By
X-Tumblr-Pixel-2
X-ServedBy
X-Served-By
X-INKT-SITE
X-INKT-URI
Access-Control-Allow-Headers
X-Accel-Version
X-Cnection
X-Backend
X-PhApp
X-MS-InvokeApp
X-Webserver
X-Alternate-Cache-Key
X-ShopId
X-ShardId
Composed-By
X-Page-Speed
X-ContextId
Access-Control-Allow-Methods
X-BC-Is-HA
X-Request-ID
Served-By
X-CDN
X-Hostname
X-Firenze-Processing-Times
X-Safe-Firewall
X-XN-Trace-Token
X-XN-XNHTML
X-Ua-Compatible
X-Tumblr-Pixel-3
X-Served-With
X-PC-Key
X-PC-Hit
X-PC-Host
X-PC-Date
X-PC-AppVer
X-AH-Environment
Content-Style-Type
Content-Script-Type
X-Pass-Why
Liferay-Portal
X-Age
X-Powered-By-360WZB
X-Port
X-Spip-Cache
X-Umbraco-Version
X-SERVER
X-Server-Name
Request-Id
SPIisLatency
X-Cache-Info
X-HeyJason
SPRequestDuration
X-Amz-Id-2
Cf-Railgun
Powered-By-ChinaCache
X-Amz-Cf-Id
X-Amz-Request-Id
Refresh
Rating
X-FB-Debug
X-Cache-Server
Cartoon
X-Content-Digest
Content-Security-Policy
X-Cache-Result
X-Outils-CS
X-Cache-Status
TCN
X-Hyper-Cache
X-Cached-By
Real-Hostname
X-TN-ServedBy
X-Device
X-Tumblr-Pixel-4
X-PHP-Engine
X-Loop
X-Mobilized-By
X-VCache
X-Served-From-Cache
CF-Cache-Status
X-Px
X-DynaTrace
X-TNCMS-Version
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-PersistenceNode
X-TNCMS-Render-Time
Magicmarker
X-Generated-By
X-W3TC-Minify
NS-RTIMER-COMPOSITE
Page-Completion-Status
X-Cached
X-Timer
DynaTrace
Thanks
X-Content-Encoded-By
X-Styx-Build-Num
X-Styx-Build-Sha
X-Styx-Req-Id
X-Styx-Build-Date
X-Styx-Version
X-Pantheon-Styx-Hostname
Imagetoolbar
X-Pantheon-Endpoint
X-Varnish-Cacheable
X-Tumblr-Content-Rating
X-Original-Content-Length
IBM-Web2-Location
X-CMS-Version
X-Tumblr-Pixel-5
X-From
X-Matrix-Server
X-Matrix-Proxy
X-Node
X-Powered-By-Anquanbao
X-Varnish-TTL
Product
X-Varnish-IP
Access-Control-Max-Age
X-Firenze-Processing-Time
X-CDN-Any-IP
X-CDN-Geo
X-CDN-Geo-IP
IISExport
X-Backend-Server
Proxy-Agent
ServedBy
Generator
X-DDC-Arch-Trace
Time
X-Content-Options
PICS-Label
X-Cache-Debug
Set-Cookie2
X-App-Hosting
Charset
Retry-After
X-UD-Host
X-UD-Method
X-Processed-By
X-Content-Security-Policy
X-Purge-Host
X-Cache-Hit
X-I
X-Varnish-Forwarded-For
X-DynaTrace-JS-Agent
X-Drectory-Script
Node
Response
X-Expires-Orig
X-SDS
X-Varnish-Backend
X-Original-Request
Content-Encoding-Handler
X-Cache-Expires
X-ApacheServer
Lsrequestid
X-Passed-To
X-Returned-From
X-Passed-To-PostProcessResponse
X-Passed-To-BeforeDispatch
X-Handled-By
X-Returned-From-BeforeDispatch
X-Returned-From-DLL
X-HOST
X-Sol
X-Returned-From-PostProcessResponse
X-Actual-URL
X-Passed-To-DLL
X-Purge-URL
X-ATG-Version
X-DNS-Prefetch-Control
X-Duration
SID
Edge-Control
Powered-By
X-Varnish-Host
X-Cache-Enabled
MIME-Version
Pics-Label
X-NoCache
X-WebKit-CSP
X-Nitra-Side
X-PF-Uncompressing
X-Permitted-Cross-Domain-Policies
X-Rendering-Engine
COMMERCE-SERVER-SOFTWARE
X-Cache-Control-Orig
X-FW-Hash
X-PERF
X-Front
X-FW-Type
X-FW-Static
X-FW-Serve
X-Director
X-Whom
X-BackEnd
X-Middleton-Response
X-Yadis-Location
Cache-By-Node
X-Micro-Cache
Access-Control-Request-Method
Grace
X-TTL
Cache
AMF-Ver
X-Speed-Cache-Key
X-Speed-Cache
S
ServerName
X-FW
X-PwB-Node
RTSS
X-Cookie-Domain
X-CJ-Soft
Fhost
Host
Content-Disposition
X-Hits
X-Track
Accept-Encoding
X-FullPageCaching
X-FIRSTBase
X-User-Agent
X-ServerID
NODE
X-LiteSpeed-Cache
Filter-Revision
X-Hosted-By
X-Vary-Options
WWW-Authenticate
X-AspNetWebPages-Version
X-Art-Request-Id
Cm-Server
Server-Info
SN
X-Varnish-Hits
Accept-Charset
Surrogate-Control
Website-Info
Id
X-Cocoon-Version
Ngpass-Vcall
Req-Id
X-Orig-Vary
X-Response-Time
X-GeoIP-Country-Name
Ngpass-All
X-GeoIP-Country-Code
X-Trace-Cache
X-Session-Reinit
X-BackendServer
X-Blog
X-Trace-App
X-Srv
X-Distil-CS
X-Geo-IP
X-Xrds-Location
Machine
ServerID
SEOMOZ
X-SN
MJ12bot
X-WEBSERVER
X-Varnish-Server
X-URL
X-Tumblr-Pixel-6
X-Src-Webcache
VAR-Cache
X-Version
X-Cf-Powered-By
X-ServerName
X-Engine
X-Country-Code
NtCoent-Length
Microsoftsharepointteamservices
X-Highwire-SessionId
X-Cache-TTL
CT
X-ACMCache
Webluker-Edge
X-Highwire-RequestId
X-Cache-Config
X-Sys-Req-ID
X-Vtex-Remote-Cache
X-Vtex-Processado-Em
Srv
Qs-Cache
No
NetMindSessionID
PageSpeed
X-WR-Flags
Buuteeq-Source
X-LIGHTHTTP-PCDID
X-MJ-Upstream-Addr
Sprequestguid
X-CHSN
A-Powered-By
X-Sharepointhealthscore
X-Time
X-Directory-Script
Ms
X-Gamma-Serve
X-Varnish-Cache-Hits
X-Cluster-Node
X-ID
X-Server-ID
X-Connection-Hash
X-Transaction
X-App-Status
X-Provisioner-Version
X-Domain-Checked
X-Proxy-Cache
X-Pangea-Version
Nodo
Proxy-Connection
X-Swift-CacheTime
Location
UniqueName
X-Source-Host
X-Powered-By-VTEX-Janus-Edge
X-VTEX-Cache-Status-Janus-Edge
Content-Transfer-Encoding
X-App-Start
X-Vtex-Processed-At
X-Secret
X-Swift-SaveTime
X-Id
X-Object-Id
X-Country
X-Wily-Info
X-Object-Type
X-Wily-Servlet
X-Ms-Invokeapp
MW-Webserver
X-SRV
X-Varnish-Object-Age
X-Bettercache-Proxy
MIH-PUBLIC-IDENTIFIER
MIH-PLATFORM
MIH-CLIENT-FARM
X-GeoIP
X-Resolver-IP
X-Machine-Name
X-ServerCache-Info
Server2
X-Request-Locale
X-Cache-Rule
Upgrade
From
X-Info
X-Atraveo-TTL
X-Atraveo-Varnish-Server-Id
X-Microcache-Status
Server-Name
NLCacheNote
X-Atraveo-NC
X-Header
X-Device-Type
X-Microcachable
X-TempDebug
Cteonnt-Length
X-Atraveo-Cache-Control
X-Atraveo-From-Varnish-Cache
X-Cache-Age
X-ProStores-StoreApiEntryPoint
X-StoreSense
Ibm-Web2-Location
SVR
X-FreeTag-Count
X-MJ-Serve-Req-Time
CommunityServer
X-Turbo-Control
X-Powered-By-Server
X-AOL-SNH
Be-Va
-GCR
Origin
X-Cache-Lifetime
Hamster
Be-Ip
Beyond-Iis
X-FORWARDED-FOR
X-Grid-Server
X-Recruiting
X-CacheHits
X-VTEX-Router-JanusNet-JanusLatency
X-VTEX-Router-Powered-By
Warning
X-VTEX-Router-Backend-App
SiteName
X-N
X-VTEX-Router-JanusNet-AspNetLatency
X-VTEX-Router-JanusNet-BackEndLatency
Backend
X-Geo-IPV
X-Geo-IP-Metro
X-Geo-IP-Region
X-Cache-Action
X-Geo-IP-Country
X-Server-Id
MirrorName
X-UPSTREAM
X-Debug
Mime-Version
X-App
X-Ttl
X-Translation
X-Origin
Author
X-Empowered-By
X-Force
X-PRAM
X-Expires
X-Stage
X-Stale
X-MiniProfiler-Ids
Edgecast
X-S
Provider
X-Amz-Id-1
X-ACCELERATE
X-Catalyst
X-Venda-Hitid
X-Trace
X-Rewritten-By
ORIGIN
X-ChromeLogger-Data
X-Frontend
SRV
X-Uid
X-Old-Content-Length
X-ManagedFusion-Rewriter-Version
X-Origin-Id
X-Magento-Lifetime
X-Content-Age
X-Cache-Ttl
X-Gannett-Site-Version
X-Block
SS
X-Varnish-Count
X-Varnish-HitMiss
X-Amz-Meta-S3cmd-Attrs
Provided-Host
Apache
X-Magento-Action
Allow
X-PvInfo
X-T3CacheInfo
LBVIS
X-Nginx-Server
X-Frames-Options
X-Varnish-Age
X-Cdn
X-GSL-Server
Aoestatic
X-Channel-Maxage
X-Source-ID
X-MSEdge-Ref
X-Enhanced-By
Pool
X-Max-Age
ScoreTracker
X-Developer
Fpc-Cache-Id
Front
X-Framework
X-B2f-Cache-Load
X-Accelerated-By
X-ORACLE-DMS-ECID
Ram
Noq
Cpu
Accept-Language
X-XHR-Current-Location
X-Via-Kemp
A1B2C3
X-VarnPar1
X-Varnish-Device
X-Varnish-ID
Compression-Control
X-VarnCache
X-TISSERVER
SIP
Ttl
X-Geolocation
Web-Server
X-ASTRO-REWRITE
X-Pagename
X-Route
X-Varnish-Action
X-Hit-Cache
X-DeliveryServer
X-B2f-Not-Route
X-Cached-Status
X-Vhost
RequestTime
Backend-Host
BALANCEDTO
X-Kirra-SiteId
X-UD-Loopcounter
XX
X-NGINX-CACHED-AT
X-Hosting-Env
X-MidCOM-Meta-Cache
X-Nginx-Backend
X-NGINX-CACHED
X-UD-REMOTE-ADDR
X-UD-Target
No-Cookie
Progma
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-Vivastreet-KiwiiPage
X-Vivastreet
Cache-Ctrol
Il-Cl
Rt-Server
X-Cache-On
X-DTC
X-CS
P3P:CP
Test.Executivepeople.Se
Www.Mabracertifiering.Se
Www.Myjob.Se
Open.Jobgate.Se
Jobb.Passal.Se
X-T3CacheTags
AV1080
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
X-Monstercache-Timeout
X-WP
X-Actindo-RS
X-ATM-RServer
X-ATM-RTime
X-CacheServer
Dispatcher
CDN
BM-Cache-Node
X-Conf
REFRESH
X-Adobe-Content
X-T3Cache
Www.Mirrorgate.Se
Servername
X-Varnish-Cache-Local
QOR-Cache
OriginServer
X-NID
X-REDIRECTSERVER
B-Powered-By
PowerCDN
WP-Cache
X-Jphone-Copyright
Worker
X-Dev
BM-Cache-Key
X-Cms-Mode
Cmsid
X-Remote-Addr
X-DefendeR-Runtime
X-LI-UUID
X-NginX-Cache
X-NginX-Server
Cmstype
X-Li-Fabric
X-FS-UUID
X-Li-Pop
Content-MD5
Content-Instance
X-Varnish-Debug-Hits
X-Server-By
X-Web-Node
Bs-Header
X-LB
X-Nginx-Host
X-Farm-Server
X-FCMS-Cache
X-Powered
X-OPNET-Transaction-Trace
X-Nginx-Cache
X-Response
Before
X-SERVERID
X-Real-Server
X-Hostingcenter
Ksid
X-Symfony-Cache
X-SSL
WEBO
X-Node-Name
X-Distributed-By
X-App-Server
X-Varnish-Cookie-Debug
X-Vhost-ID
Http
X-Allow-Redis
IsFullSiteRequest
X-Yqk-Set
Publisher
7e-Page-Cache
CP
X-Powered-By-Yqk
X-SilverStripe-Cache
After
F-In-Cache
Copyright
Powered
Cneonction
Rt-Fastcgi-Cache
X-Purge-Level
X-PM-ID
At-Shoptype
X-ROUTE-DATA
Server-N
X-Environment
X-Host-Url
X-SATserver
X-CacheTTL
X-EdgeRouter
BM-Cache-Status
X-Cache-Set
X-Hrouter
X-Uplex
Tpt.Renderer1
X-MCB-Server
X-Location-Id
Atp-Isdpp
Tpt.Renderer
ServerConfigManager.WebBugTracker
LBC
Render
X-Varnish-Debug-Age
Cluster-ID
X-Cache-Operation
X-MobileDetected
HostName
At-Isb
X-IDS-WS
X-GC-App
X-Artvisual-Server
X-GC-Write
X-GC-Read
X-Hit
X-Caching-Rule-Id
X-Loc
INCOMING-TIME
X-VTEX-Janus-Router-Backend-App
X-VTEX-Cache-Status-Janus-ApiCache
X-Powered-By-VTEX-Janus-Router
Ozcache
X-Life
X-Accel-Expires
X-Dynatrace
X-Powered-By-VTEX-Janus-ApiCache
X-Header-Set-Id
X-Hash
X-APP
X-Garden-Version
X-ServerId
Redirect
X-Webapp
X-Created
X-V-TTL
X-V-Outer
X-Varnish-Cache-Server
X-Varnish-Hit
X-V-I-TTL
X-Lb
X-Mobile
X-Req-Url
X-Time-Spent
X-Wm-1
X-Wm-VIP
X-Router
X-Router-Backend
X-SDE-Name
X-RemovedCookies
X-ProcessESI
Pramga
Server-Ip
X-UseReverse-Proxy
X-CMS-Nid
X-UA-Class
X-Sto
X-Wikidot-Backend
X-Wikidot-Static-Cache
X-WA-Info
X-RSS-CACHE-STATUS
X-App-TTL
Front-End-Https
SLB
EZ-Origin
No-Cache
ExecuteNonQuerySQLParam
Foglight-Request-UUID
X-SV
X-LAvg
X-Cache-Route
X-Do-Not-Hack
X-Varnish-Hashed-On
X-Drupal-Cache-Tags
X-DB-Content-Length
Head
X-Client-Vid
X-EPiphany-Vid
X-VarnPar2
Esi-Enabled
X-XFPC-Cache-Active
X-USERNAME
X-Unbounce-VisitorID
X-WR-MODIFICATION
Accept
Hej
X-Unbounce-Variant
X-Unbounce-PageId
X-HOSTTYPE
X-Phpwcms-Page-Processed-In
X-Phpwcms-Release
X-Server-Instance
Hishop
X-Bcwwwid
X-CMS-Tid
X-CMS-State
X-Ec-Custom-Error
X-WorkerInstancename
X-XFPC-Cache
X-CMS-Stage
X-CMS-Sid
X-CMS-Collection
X-CMS-CRMSet
X-CMS-Live
X-CMS-Server
Acdc-Web
X-Req-Host
TP-L2-Cache
TP-Cache
X-Cache-Backend
X-Cache-Host
X-JSON-API-AGE
X-Hosting
S-Cnection
Pool-Info
D
X-Internal-IP
X-Dynatrace-Js-Agent
X-Stackable-Node
Keywords
Description
X-JSON-API-LATENCY
X-JSON-API-TTL
X-TTL-Age
X-PS-MURDOCK-ORIG-PROTOCOL
X-UserAgent
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-Webstats-RespID
X-WAP
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-CASE-NORMALIZATION
X-Page-Generated-At
X-Locale
X-Page-Generation-Time
X-Papaya-Cache
X-Papaya-Gzip
X-Forwarded-Proto
X-Continum-Server
X-Flex-Tags
X-Flex-Tag
X-Fett
X-Mii-Cache-Hit
X-DSMX-Rewrite-MS
X-Nucleus-Cache
X-Flex-Lastmod
X-Flex-Lang
X-Device-Group
X-Flex-Community
X-Flex-Evend
X-Client-IP
X-Flex-Evstart
X-DSMX-Render-MS
X-Pb-Mii
ExecutionTime
Www.Aujourdhui.Com
SBMCLOUD
Source
X-Config-By
Server-Optimized-By
DCGI-Server
X-ATP-Server
X-DELIVERYSERVER
X-Server-Node
X-Client-Addr
X-Upstream
X-CCM
X-Would-Your-GrandPa-Wait
X-Dokk-PortalId
MageStack-Response-Ttl
X-Benchmark-Total
X-Benchmark-Sphinx-Count
X-Time-Microsecs
MageStack-PageSpeed
MageStack-Tag
X-CMS
XDisk
MageStack-Area
X-Http-Host
MageStack-Cache
MageStack-Loadbalancer
MageStack-Debug
X-Your-GrandPa-Would-Wait
X-Benchmark-Cache
X-Benchmark-Db
X-Benchmark-Sphinx
MageStack-Cache-Lifetime
MageStack-Cache-Status
MageStack-Config
Noahs-Classifieds
Web-Head
MageStack-Cacheable
MageStack-Cache-Hits
X-Hc-Host
X-Monstercache
X-Monstercache-Hash
X-Powered-Developer
X-Server-IP
X-Pixelsilk-Server
X-Pixelsilk-Version
Xc
Portlet.Expiration-Cache
X-Box
X-Varnish-URL
X-Monstercache-Host
X-Varnish-Currency
X-Author
XDomainRequestAllowed
OGHopCount
Ec
X-TLServer
X-FFX-B
X-Varnish-Debug-Pool-Fetch
X-Varnish-Beresp-Grace
X-Varnish-Debug-Fetch-Host
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Status
POOL
Dynatrace
X-SERVER-ID
X-ESI-Enable
X-Varnish-Debug-Pool-Recv
X-Abuse
Prama
X-HITS
X-Feed
X-Original-IP
X-DC-Origin-IP
X-Backend-Ip
User-Cache-Control
X-Ratelimit
X-Serendipity-InterfaceLang
X-Fstrz
X-HW
MachineName
X-Serendipity-InterfaceLangSource
X-Unique-Id
X-FarmId
X-TTFB-L
X-AREQUESTID
X-ASEN
X-AISO-Server
X-AISO-Cache
Smug-Env
Mobiquo-Is-Login
X-AUSERNAME
X-TTFB
X-Gondor-Server
X-Jcms-Ajax-Id
X-Flow-Powered
X-SmugMug-Hiring
X-Var-Hash
X-SmugMug-Values
Server-IP
Language
GenSvr
Robots
X-D-Time
Content-Cache
X-Server-Generated
X-MSU-SOURCE
X-PoweredBy
X-Generation-Time
X-Middleton-PageSpeed
OutputRewritten
Xonnection
X-VHOST
X-Src-Loadbalancer
X-Process-Time
X-S-Misc
X-ESI-Processing
X-Binarysec-Via
X-IsPremium
X-RAMCache
X-HasAuthorization
X-Back
Svr
X-Extra-Header
X-ErrorPage
X-Ar-Debug
ResourceTag
Public-Extension
HGR-NOCACHE
X-Cluster
NnCoection
Disaptch-Cache-Rule
X-Job-Offer
X-GitHub-Request-Id
X-Req-Counter
X-7dig
X-7d-Version
X-ACLR-Version
EI-UNIQUE-ID
X-Rot
Device
X-Source
X-Haiku
X-GLaDOS
If-Modified-Since
LFY
X-Pagecache
Title
X-Debug-Serve
X-Confluence-Request-Time
X-Cluster-Host
AcceptLangage
CountryCode
X-Compressed-By
X-Cookie-Store
X-Backend-Status
WP-AdvCache-MemCached
ServerIP
X-Cache-Key
ProxiaInstanceId
UNIQUE-ID
TIMESTAMP
SFY
Content
Countrycode
X-Cluster-ID
X-Cdn-View
X-PHP-Cache
CacheControlHeader
X-V
X-RequesterIP
X-Url-Store