
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
X-UA-Compatible
Via
Content-Location
Keep-Alive
X-Frame-Options
CF-RAY
X-Varnish
X-Adblock-Key
X-Cacheable
X-Check
P3p
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
Access-Control-Allow-Origin
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Pad
X-Runtime
X-Geo-Port
X-Geo
X-Request-Id
MicrosoftOfficeWebServer
X-Powered-CMS
X-Server
X-Cache-Lookup
X-Host
X-Type
X-Cache-Group
X-Ac
Access-Control-Allow-Credentials
Strict-Transport-Security
X-Logged-In
X-UA-Device
Ngpass-All
X-Xss-Protection
X-Ua-Compatible
X-Rack-Cache
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-XRDS-Location
X-Tumblr-Pixel-1
X-Cache-Hits
Host-Header
SPRequestGuid
X-SharePointHealthScore
Content-Encoding
X-Via
X-Tumblr-Pixel-2
X-Robots-Tag
X-Url
X-CF-Powered-By
X-Varnish-Cache
X-INKT-URI
X-INKT-SITE
X-Iinfo
X-Accel-Version
X-Forwarded-For
X-Cnection
X-ServedBy
X-PhApp
Access-Control-Allow-Headers
X-MS-InvokeApp
X-Webserver
X-Backend
X-Served-By
Composed-By
X-ContextId
X-ShopId
X-Alternate-Cache-Key
X-ShardId
X-Page-Speed
Served-By
Access-Control-Allow-Methods
X-CDN
X-Tumblr-Pixel-3
X-XN-Trace-Token
X-Firenze-Processing-Times
X-XN-XNHTML
X-Hostname
X-PC-Key
X-PC-Hit
X-AH-Environment
X-PC-Date
X-PC-AppVer
X-PC-Host
X-Served-With
X-FRAME-OPTIONS
X-Powered-By-360WZB
Content-Style-Type
Content-Script-Type
Liferay-Portal
X-Server-Name
X-Age
X-Umbraco-Version
Refresh
X-Port
X-Spip-Cache
X-Safe-Firewall
X-Cache-Info
Rating
Cf-Railgun
X-Amz-Id-2
Request-Id
SPRequestDuration
SPIisLatency
X-Amz-Request-Id
Powered-By-ChinaCache
Cartoon
X-Cache-Server
X-Content-Digest
X-Mobilized-By
X-BC-Is-HA
X-Cache-Result
X-Tumblr-Pixel-4
X-FB-Debug
X-Amz-Cf-Id
X-Pass-Why
X-HeyJason
TCN
X-Outils-CS
X-TN-ServedBy
Real-Hostname
X-PHP-Engine
X-Loop
X-W3TC-Minify
Thanks
X-Tumblr-Content-Rating
X-Generated-By
X-VCache
X-Cache-Status
X-Device
X-Px
Magicmarker
X-Hyper-Cache
X-Cached-By
IBM-Web2-Location
X-TNCMS-Version
X-Node
X-TNCMS-Memory-Usage
X-PersistenceNode
X-TNCMS-Served-By
X-TNCMS-Render-Time
X-Content-Encoded-By
X-Tumblr-Pixel-5
X-FORWARDED-FOR
NS-RTIMER-COMPOSITE
Imagetoolbar
Page-Completion-Status
Content-Security-Policy
X-Cached
X-Styx-Build-Sha
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-Styx-Build-Date
X-Styx-Build-Num
X-Styx-Req-Id
X-Styx-Version
X-Matrix-Server
X-Matrix-Proxy
X-Served-From-Cache
Time
X-Timer
X-Original-Content-Length
CF-Cache-Status
X-Varnish-Cacheable
X-CMS-Version
X-HOST
Product
X-DynaTrace
X-From
X-Powered-By-Anquanbao
X-HOSTNAME
Retry-After
X-Varnish-TTL
X-SERVER
X-Cache-Enabled
X-Firenze-Processing-Time
Generator
X-Backend-Server
X-DDC-Arch-Trace
DynaTrace
ServedBy
IISExport
Node
X-Xrds-Location
X-Rendering-Engine
Powered-By
Set-Cookie2
X-App-Hosting
X-Request-ID
X-URL
Pics-Label
Access-Control-Max-Age
X-Cache-Debug
X-I
X-Original-Request
X-CDN-Geo-IP
PICS-Label
X-CDN-Geo
X-CDN-Any-IP
X-Cache-Hit
X-Returned-From
X-Returned-From-BeforeDispatch
X-Returned-From-DLL
X-Returned-From-PostProcessResponse
X-Passed-To-DLL
X-Passed-To-BeforeDispatch
X-Handled-By
X-Actual-URL
X-Passed-To
X-Passed-To-PostProcessResponse
X-Purge-Host
X-UD-Method
X-UD-Host
X-Varnish-IP
Lsrequestid
Ngpass-Vcall
Charset
MIME-Version
X-PF-Uncompressing
X-Processed-By
X-SDS
X-Drectory-Script
X-Content-Options
X-Duration
X-NoCache
X-ATG-Version
Vacache
Access-Control-Request-Method
X-Purge-URL
X-Cache-Expires
Content-Encoding-Handler
Proxy-Agent
ServerName
X-DynaTrace-JS-Agent
X-Nitra-Side
X-Trace-App
X-Cookie-Domain
Accept-Encoding
Response
X-Hits
Cache
S
X-ApacheServer
X-PERF
X-CJ-Soft
X-Sol
Fhost
Machine
X-Speed-Cache
X-Speed-Cache-Key
COMMERCE-SERVER-SOFTWARE
X-GeoIP-Country-Code
X-Varnish-Forwarded-For
X-BackEnd
X-Director
X-Varnish-Backend
X-LiteSpeed-Cache
X-PwB-Node
X-Micro-Cache
X-GeoIP-Country-Name
Edge-Control
X-Microcachable
X-Yadis-Location
Host
X-FW
X-Content-Security-Policy
X-FIRSTBase
X-Srv
X-Vary-Options
X-FW-Static
X-Track
X-Front
X-Orig-Vary
X-Hosted-By
X-Expires-Orig
X-Whom
SID
Filter-Revision
WWW-Authenticate
X-DNS-Prefetch-Control
AMF-Ver
RTSS
X-Middleton-Response
Content-Disposition
Surrogate-Control
Cm-Server
X-Cache-Control-Orig
X-Beep
X-Permitted-Cross-Domain-Policies
Server-Info
Website-Info
X-WebKit-CSP
X-Art-Request-Id
MJ12bot
Accept-Charset
X-Varnish-Host
SEOMOZ
VAR-Cache
X-Varnish-Hits
SN
X-ServerID
X-ServerName
X-Cocoon-Version
X-Ttl
X-Distil-CS
X-Source-Host
X-Session-Reinit
ServerID
X-TTL
X-Blog
X-User-Agent
X-Grid-Server
X-AspNetWebPages-Version
X-AOL-SNH
X-App-Start
Server-Name
X-Trace-Cache
X-Pangea-Version
X-ACMCache
X-Directory-Script
UniqueName
X-WebServer
X-Ar-Debug
X-Server-ID
MW-Webserver
A-Powered-By
NtCoent-Length
Req-Id
X-SRV
Grace
Id
Hamster
CT
X-Varnish-Object-Age
X-Gamma-Serve
X-Cache-TTL
NetMindSessionID
X-Ms-Invokeapp
X-N
X-LIGHTHTTP-PCDID
X-Cache-Rule
X-ID
X-Engine
X-App
X-Geo-IP
X-Time
X-WR-Flags
X-Server-IP
X-CHSN
X-Ar-Forwarded-For
X-MJ-Upstream-Addr
X-Sys-Req-ID
X-Cluster-Node
X-Highwire-SessionId
X-Highwire-RequestId
Server2
Cteonnt-Length
X-StoreSense
X-S
X-Provisioner-Version
X-Bettercache-Proxy
X-App-Status
X-ProStores-StoreApiEntryPoint
X-Domain-Checked
X-Trace
X-CacheHits
X-Outils-Cs
Nodo
X-Id
Srv
X-Swift-CacheTime
X-Wily-Servlet
X-Wily-Info
NODE
X-Swift-SaveTime
X-Varnish-Server
X-Cache-Action
X-Vtex-Remote-Cache
X-ServerCache-Info
Origin
From
X-TempDebug
X-MJ-Serve-Req-Time
X-Atraveo-From-Varnish-Cache
X-Atraveo-NC
X-Atraveo-TTL
QOR-Cache
X-VARNISH-Cache
X-Developer
X-Empowered-By
Webluker-Edge
X-Atraveo-Varnish-Server-Id
X-Atraveo-Cache-Control
X-Vtex-Cache-Key
X-WEBSERVER
Proxy-Connection
X-Country-Code
Pool-Info
SiteName
X-Device-Type
Author
X-Object-Id
X-Object-Type
X-Microcache-Status
Edgecast
Apache
X-Cached-Status
X-Header
Ms
X-Cache-Config
X-Cache-Operation
X-Connection-Hash
X-FW-Hash
Content-Transfer-Encoding
Content-Security-Policy-Report-Only
X-Transaction
Buuteeq-Source
CommunityServer
Cache-By-Node
MIH-CLIENT-FARM
Content-MD5
X-Machine-Name
X-Src-Webcache
X-UPSTREAM
MIH-PLATFORM
X-Amz-Meta-S3cmd-Attrs
X-Source-ID
Backend
MIH-PUBLIC-IDENTIFIER
SS
X-Varnish-Cache-Hits
ORIGIN
X-Turbo-Control
Progma
X-Origin
X-FreeTag-Count
X-Recruiting
Powered
WP-Cache
X-Expires
X-LB
X-ROUTE-DATA
Copyright
X-Rewritten-By
X-T3CacheInfo
X-Dev
Worker
X-Jphone-Copyright
X-Phpwcms-Page-Processed-In
Web-Server
X-WR-MODIFICATION
X-Phpwcms-Release
X-Cms-Mode
X-ManagedFusion-Rewriter-Version
X-PRAM
LBVIS
X-Amz-Id-1
X-Force
Provided-Host
X-Varnish-ID
X-Vtex-Processado-Em
X-BackendServer
X-Cache-Set
MirrorName
X-Geo-IP-Region
X-Frontend
X-Geo-IPV
X-Old-Content-Length
X-Translation
Mime-Version
Location
X-Geo-IP-Country
SRV
X-Geo-IP-Metro
X-Version
Provider
Server-IP
X-GeoIP
X-LI-UUID
X-Uid
X-Upstream
X-ORACLE-DMS-ECID
X-Li-Pop
X-Response-Time
X-FS-UUID
X-Origin-Id
RequestTime
NLCacheNote
No
X-Cache-Ttl
X-Varnish-Debug-Age
X-Varnish-Debug-Hits
Beyond-Iis
X-GSL-Server
X-Info
X-App-Server
PageSpeed
X-Magento-Lifetime
X-Catalyst
X-ACCELERATE
-GCR
X-Li-Fabric
Aoestatic
X-Magento-Action
X-DeliveryServer
Front
Be-Va
F-In-Cache
Be-Ip
X-Cache-Age
X-Tumblr-Pixel-6
REFRESH
X-Cache-Lifetime
X-GC-Write
X-REDIRECTSERVER
X-Flex-Evend
X-Flex-Evstart
X-Flex-Lastmod
X-Flex-Tag
X-Flex-Lang
X-Dynatrace-Js-Agent
X-GC-App
X-Flex-Tags
X-GC-Read
X-Powered-By-Server
X-Haiku
X-Flex-Community
LBC
X-Server-Id
X-Frames-Options
X-GLaDOS
X-WP
Www.Mirrorgate.Se
Dispatcher
Open.Jobgate.Se
X-Nginx-Backend
X-PageCached
X-Secret
X-Debug
X-ASTRO-REWRITE
X-JSL
X-MidCOM-Meta-Cache
X-Artvisual-Server
X-Cache-Term
X-CacheServer
X-Via-Kemp
X-Vhost-ID
X-Actindo-RS
X-T3CacheTags
X-Vhost
X-Framework
X-DTC
X-User-Id
X-Varnish-Cache-Local
Www.Mabracertifiering.Se
SIP
Test.Executivepeople.Se
X-Mod-Oboe-PS
X-JAL
X-T3Cache
Hash
X-Yqk-Set
X-TISSERVER
X-Varnish-Action
Jobb.Assistentpoolen.Se
Warning
Il-Cl
X-Kermit
Pagely
X-Kirra-SiteId
X-OPNET-Transaction-Trace
X-Farm-Server
X-Response
Jobb.Gil.Se
X-Cache-On
Pool
X-CS
X-Enhanced-By
Rt-Server
X-B2f-Not-Route
X-Vivastreet
X-Vivastreet-KiwiiPage
X-Monstercache-Timeout
X-Pixelsilk-Server
X-Varnish-Cache-Server
X-Powered
X-Pixelsilk-Version
X-Powered-By-Yqk
A1B2C3
X-SN
Jobb.Passal.Se
Www.Myjob.Se
X-ATM-RTime
ExecutionTime
X-ATM-RServer
Compression-Control
X-VarnCache
X-Varnish-Device
Ksid
X-Cluster-ID
X-Nginx-Server
P3P:CP
X-Conf
X-Varnish-Age
After
IsFullSiteRequest
Before
ScoreTracker
X-Venda-Hitid
X-Varnish-HitMiss
Allow
X-FCMS-Cache
Rt-Fastcgi-Cache
INCOMING-TIME
X-Host-Url
X-Varnish-Count
CDN
X-Stale
OriginServer
X-Stage
Render
X-Content-Age
Tpt.Renderer
Tpt.Renderer1
X-Hash
X-Client-Vid
Tpt
ServerConfigManager.WebBugTracker
Cluster-ID
X-Route
X-EPiphany-Vid
At-Isb
X-NginX-Server
Atp-Isdpp
SynthaSite-ID
At-Shoptype
X-NginX-Cache
Cmsid
X-Real-Server
Ibm-Web2-Location
X-EdgeRouter
X-MobileDetected
X-Hrouter
Cmstype
WEBO
X-NID
X-PM-ID
Source
POOL
X-Varnish-Beresp-Ttl
X-Web-Node
X-Yottaa-Metrics
Esi-Enabled
X-NGINX-CACHED
X-Back
X-Varnish-Beresp-Grace
7e-Page-Cache
X-Node-Name
X-UserAgent
X-B2f-Cache-Load
X-NGINX-CACHED-AT
X-Accelerated-By
X-Channel-Maxage
X-Locale
X-Jcms-Ajax-Id
X-Varnish-Beresp-Status
X-VTEX-Router-JanusNet-AspNetLatency
X-SeschatLayout
X-SeschatRedID
X-Allow-Redis
X-SeschatTemplateID
X-SeschatDID
X-Seschat-URL
Content-Instance
X-MSEdge-Ref
X-Yottaa-Optimizations
BM-Cache-Status
BM-Cache-Node
CP
ExecuteNonQuerySQLParam
X-Benchmark-Cache
X-Benchmark-Db
X-Benchmark-Sphinx
BM-Cache-Key
X-Benchmark-Total
X-Benchmark-Sphinx-Count
X-Purge-Level
X-Location
X-PvInfo
X-VTEX-Router-Backend-App
X-7dig
X-VTEX-Router-JanusNet-BackEndLatency
X-VTEX-Router-JanusNet-JanusLatency
Cache-Ctrol
X-VTEX-Router-Powered-By
X-Remote-Addr
X-7d-Version
UNIQUE-ID
MASTERWEBLET
X-Binarysec-Via
Redirect
X-Internal-IP
X-Uplex
X-Hosting-Env
Servername
SVR
If-Modified-Since
Http
X-SERVER-ID
X-SilverStripe-Cache
X-Varnish-Debug-Fetch-Host
HCVer
HAVer
Noahs-Classifieds
Content-ID
X-Box
BKREF
Ttl
Requested-Host
XX
X-BKSrc
X-Gondor-Server
X-XFPC-Cache-Active
X-XFPC-Cache
Disaptch-Cache-Rule
Host-Service
X-AISO-Server
X-AISO-Cache
X-WorkerInstancename
X-UD-Target
X-Loc
X-Life
X-S-Misc
X-UD-Loopcounter
X-UD-REMOTE-ADDR
X-Time-Microsecs
X-Panel-Id
X-Test
X-VTEX-Cache-Status-Janus-Edge
BALANCEDTO
No-Cookie
B-Powered-By
X-Powered-By-VTEX-Janus-Edge
X-VarnPar1
X-Resolver-IP
X-Panel-Name
X-Varnish-Hashed-On
X-VHOST
X-ChromeLogger-Data
X-Generation-Time
X-DefendeR-Runtime
X-HOSTTYPE
PowerCDN
X-Max-Age
X-USERNAME
Accept
EI-UNIQUE-ID
X-WLD-LB
X-RemovedCookies
X-ProcessESI
X-Server-Instance
X-Varnish-Cookie-Debug
X-VG-WebCache
Accept-Language
Hej
X-CMS-Stage
X-CMS-Sid
X-CMS-State
X-CMS-Tid
X-D-Time
X-CMS-Server
X-CMS-Nid
X-Bcwwwid
SLB
X-CMS-Collection
X-CMS-CRMSet
X-CMS-Live
X-Mobile
X-ERM-ServerName
Content
DCGI-Server
Expire
LFY
X-VarnPar2
X-SATserver
X-Mii-Cache-Hit
X-Nginx-Cache
X-Nucleus-Cache
X-Pb-Mii
SBMCLOUD
WEB-CLUSTER-NODE
X-Nginx-Host
X-Oracle-DMS-ECID
X-Page-Generated-At
X-Page-Generation-Time
X-JSON-API-TTL
X-JSON-API-LATENCY
X-Continum-Server
X-ERM-RunTime
X-ERM-ServerName-AppPage
X-JSON-API-AGE
X-Goog-Hash
X-Device-Group
Foglight-Request-UUID
X-CCM
X-Client-Addr
X-IDS-WS
D
X-CacheTTL
X-APP
X-Platform
Front-End-Https
X-PP
X-Location-Id
X-MCB-Server
X-T
X-ATP-Server
X-Cache-Key
X-Client-IP
Www.Aujourdhui.Com
X-Fett
X-Server-By
X-Server-Node
ProxiaInstanceId
X-Reject
SFY
XDomainRequestAllowed
Ec
OGHopCount
X-Varnish-Abtest-Expires
X-Ratelimit
X-SERVERID
X-PoolMember
X-Powered-Developer
Publisher
X-ACLR-Version
X-Ocache
X-PBY
X-Status
X-Http-Host
X-Hit
X-Author
X-B
X-GitHub-Request-Id
X-Original-IP
Xc
SAVVIS
X-Monstercache
X-Cache-Backend
X-DC-Origin-IP
X-Feed
X-Monstercache-Host
X-Your-GrandPa-Would-Wait
X-Monstercache-Hash
X-Stackable-Node
X-TTL-Age
X-Would-Your-GrandPa-Wait
X-Garden-Version
X-XHR-Current-Location
X-TLServer
X-ServerId
X-Nocache
X-V-I-TTL
X-Url-Store
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-Dokk-PortalId
X-Webstats-RespID
Mark
X-Varnish-URL
X-Varnish-Set-Cookie
AV1080
X-V-Outer
X-Varnish-Id
X-FullPageCaching
W
X-Cached-Page
X-MadeOn
AcceptLangage
CountryCode
X-MiniProfiler-Ids
X-Cookie-Store
X-Backend-Status
X-V-TTL
X-Hc-Host
X-Req-Host
X-GL-SRV
X-Created
X-Cache-Extended
X-PoweredBy
Hishop
X-Req-Url
X-Obvious-Info
X-Obvious-Tid
X-RequesterIP
X-Time-Spent
No-Cache
OutputRewritten
X-UA
X-HITS
Language
CacheControl
X-Varnish-Mode
XDisk
Cneonction
X-Extra-Header
X-FarmId
X-ErrorPage
X-Cluster
X-SDE-Name
X-ServerID-App
X-Cache-Me-Harder
CacheControlHeader
Head
Telligent-Evolution
Ngpass-Static
HostGen
X-VTEX-Cache
X-IP-Address
Svr
MachineName
Web-Head
User-Cache-Control
X-Varnish-Max-Age
HTTP
X-WAP
X-PS-MURDOCK-CASE-NORMALIZATION
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-ORIG-PROTOCOL
Bs-Header
X-Real-IP
X-Cluster-Host
X-PROCESSED-BY
HostName
X-TTFB-L
X-TTFB
X-DELIVERYSERVER
X-DSMX-Render-MS
X-RSS-CACHE-STATUS
X-PHP-Cache
Server-Optimized-By
X-DSMX-Rewrite-MS
X-SmugMug-Values
X-SmugMug-Hiring
X-Caching-Rule-Id
X-Header-Set-Id
X-R4L-VHOST
X-Adobe-Content
X-User-Login-Url
X-User-Authenticated
Smug-Env
Server-N
X-JG-Page-Cache
X-Execution-Time
X-Config-By