
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below is a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites, and we try to poll as many of them as possible each day.

As we collect more data, we will plot changes over time.
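An offline illustration of the tally described above, added here and not part of the ISC project's own collection code: it parses a few constructed HEAD responses (hypothetical hostnames) and counts each header once per site, normalizing field names to lower case so that variants such as P3P and P3p are counted as one header rather than two.

```python
from collections import Counter

# Security-relevant response headers named in the ISC survey. Matching is
# case-insensitive: HTTP field names are case-insensitive (RFC 7230), so
# "P3P" and "P3p" in the raw histogram are really the same header.
SECURITY_HEADERS = {
    "x-xss-protection", "x-frame-options", "x-content-type-options",
    "strict-transport-security", "content-security-policy",
}

# Constructed sample HEAD responses (hypothetical hosts, not ISC data).
SAMPLE_RESPONSES = {
    "site-a.example": (
        "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
        "X-Frame-Options: SAMEORIGIN\r\nx-xss-protection: 1; mode=block\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n\r\n"
    ),
    "site-b.example": (
        "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
        "X-Powered-By: PHP/5.3.3\r\nP3p: CP=\"NOI DSP\"\r\n\r\n"
    ),
    "site-c.example": (
        "HTTP/1.1 301 Moved Permanently\r\nServer: IIS\r\nLocation: /en/\r\n"
        "X-FRAME-OPTIONS: DENY\r\nX-Content-Type-Options: nosniff\r\n"
        " folded-continuation-line\r\n\r\n"
    ),
}

def parse_header_names(raw):
    """Return the lower-cased field names of one raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    names = []
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        if line[:1] in (" ", "\t") or ":" not in line:
            continue                             # folded or junk line: skip it
        names.append(line.split(":", 1)[0].strip().lower())
    return names

def tally(responses):
    """Count sites sending each header, once per site (the page's histogram)."""
    counts = Counter()
    for raw in responses.values():
        counts.update(set(parse_header_names(raw)))
    return counts

def security_coverage(responses):
    """Which of the security headers each site sends."""
    return {site: sorted(SECURITY_HEADERS & set(parse_header_names(raw)))
            for site, raw in responses.items()}
```

`tally(SAMPLE_RESPONSES).most_common()` gives the histogram ordered by popularity; `security_coverage` shows per site which of the surveyed protective headers are present.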

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
X-UA-Compatible
Via
Content-Location
X-Frame-Options
CF-RAY
Keep-Alive
X-Varnish
X-Adblock-Key
P3p
X-Check
X-Cacheable
X-Language
X-Template
X-Buckets
X-Generator
Access-Control-Allow-Origin
X-Hacker
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Ac
X-Pad
X-Geo
X-Geo-Port
X-Runtime
X-Request-Id
MicrosoftOfficeWebServer
X-Powered-CMS
X-Server
X-Host
Strict-Transport-Security
X-Type
X-Cache-Group
Access-Control-Allow-Credentials
X-Cache-Lookup
X-Logged-In
X-Mod-Pagespeed
X-UA-Device
X-Cache-Hits
X-Rack-Cache
MicrosoftSharePointTeamServices
X-XRDS-Location
Ngpass-Ngall
Host-Header
X-Url
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Via
SPRequestGuid
Content-Encoding
X-SharePointHealthScore
X-Forwarded-For
X-Tumblr-Pixel-1
X-Varnish-Cache
X-Iinfo
X-Robots-Tag
X-CF-Powered-By
X-ServedBy
Access-Control-Allow-Headers
X-INKT-SITE
X-INKT-URI
X-PhApp
X-Served-By
X-Webserver
X-Accel-Version
X-Tumblr-Pixel-2
X-Backend
X-Cnection
Access-Control-Allow-Methods
X-MS-InvokeApp
Composed-By
X-Page-Speed
X-ContextId
Served-By
X-ShardId
X-ShopId
X-BC-Is-HA
X-Alternate-Cache-Key
X-CDN
X-Hostname
X-Safe-Firewall
X-Request-ID
X-Firenze-Processing-Times
X-XN-Trace-Token
X-XN-XNHTML
X-PC-Hit
X-PC-Key
X-Ua-Compatible
X-Tumblr-Pixel-3
X-AH-Environment
X-PC-Host
X-PC-AppVer
X-PC-Date
X-Served-With
Content-Script-Type
Content-Style-Type
X-Age
X-Pass-Why
Liferay-Portal
X-Port
X-Umbraco-Version
X-Powered-By-360WZB
X-Spip-Cache
X-Server-Name
Powered-By-ChinaCache
X-HeyJason
X-Amz-Id-2
X-Cache-Info
Request-Id
SPIisLatency
SPRequestDuration
Refresh
Cf-Railgun
X-Amz-Request-Id
Ngpass-All
X-Cache-Server
X-FB-Debug
X-Amz-Cf-Id
X-Cache-Result
X-Content-Digest
Content-Security-Policy
X-SERVER
Cartoon
Rating
X-Outils-CS
X-Cache-Status
TCN
X-From
X-Px
X-Mobilized-By
X-Hyper-Cache
X-Device
X-Varnish-Cacheable
Real-Hostname
X-TN-ServedBy
Page-Completion-Status
X-PHP-Engine
X-Loop
X-VCache
X-Cached-By
X-Served-From-Cache
CF-Cache-Status
Magicmarker
X-Tumblr-Pixel-4
X-DynaTrace
X-TNCMS-Version
X-PersistenceNode
X-Timer
Thanks
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-Generated-By
X-TNCMS-Render-Time
NS-RTIMER-COMPOSITE
X-W3TC-Minify
Imagetoolbar
DynaTrace
X-Styx-Build-Sha
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-Styx-Build-Date
X-Styx-Build-Num
X-Varnish-TTL
X-Styx-Version
X-Styx-Req-Id
X-Varnish-IP
X-Content-Encoded-By
X-Cached
X-Original-Content-Length
IBM-Web2-Location
X-Tumblr-Content-Rating
X-Powered-By-Anquanbao
X-Varnish-Forwarded-For
X-HOST
X-CMS-Version
Access-Control-Max-Age
X-Matrix-Server
X-Matrix-Proxy
X-Node
X-Tumblr-Pixel-5
IISExport
X-Processed-By
PICS-Label
X-Content-Options
Retry-After
Product
X-Firenze-Processing-Time
Generator
X-Backend-Server
X-CDN-Geo-IP
X-CDN-Geo
X-CDN-Any-IP
X-Rendering-Engine
Set-Cookie2
Proxy-Agent
X-Cache-Enabled
X-URL
X-I
X-App-Hosting
Time
ServedBy
X-Content-Security-Policy
X-DDC-Arch-Trace
Microsoftsharepointteamservices
X-Expires-Orig
Pics-Label
X-UD-Host
X-UD-Method
X-SDS
X-DynaTrace-JS-Agent
Edge-Control
Node
X-Cache-Debug
Charset
X-Drectory-Script
Sprequestguid
X-Sharepointhealthscore
X-Purge-Host
X-Duration
X-PF-Uncompressing
Response
Powered-By
X-ATG-Version
X-DNS-Prefetch-Control
Content-Encoding-Handler
X-Varnish-Backend
X-Original-Request
X-ApacheServer
X-WebKit-CSP
X-Cache-Hit
X-Returned-From-DLL
X-Passed-To-PostProcessResponse
X-Passed-To-DLL
X-Returned-From-PostProcessResponse
X-Passed-To
X-Handled-By
X-Returned-From
X-Actual-URL
X-Passed-To-BeforeDispatch
X-Returned-From-BeforeDispatch
MIME-Version
X-Sol
X-Cache-Control-Orig
X-NoCache
X-PERF
Lsrequestid
X-FW
X-Xrds-Location
SID
X-Nitra-Side
X-Varnish-Host
COMMERCE-SERVER-SOFTWARE
X-Middleton-Response
X-Cache-Expires
Cache-By-Node
AMF-Ver
ServerName
X-Purge-URL
X-Director
X-BackEnd
X-Whom
Host
Grace
X-Micro-Cache
X-HOSTNAME
S
X-Srv
X-User-Agent
X-FW-Hash
Accept-Encoding
X-Front
X-Speed-Cache
Filter-Revision
X-Permitted-Cross-Domain-Policies
X-Speed-Cache-Key
X-FORWARDED-FOR
Content-Disposition
X-Orig-Vary
X-Ms-Invokeapp
NtCoent-Length
X-Cookie-Domain
X-PwB-Node
X-FW-Serve
X-FW-Type
X-FW-Static
X-Hits
X-Yadis-Location
X-LiteSpeed-Cache
Access-Control-Request-Method
X-TTL
Fhost
Cache
X-Cocoon-Version
X-Vary-Options
X-Cache-TTL
X-CJ-Soft
X-ACMCache
X-SRV
NODE
Accept-Charset
WWW-Authenticate
X-ServerID
X-Track
Cm-Server
X-AspNetWebPages-Version
RTSS
X-Hosted-By
X-FIRSTBase
X-FullPageCaching
X-Art-Request-Id
Surrogate-Control
X-BackendServer
Server-Info
Website-Info
UniqueName
Id
SEOMOZ
X-GeoIP-Country-Code
MJ12bot
X-GeoIP-Country-Name
X-Varnish-Hits
X-ServerName
A-Powered-By
X-Sys-Req-ID
X-Geo-IP
X-Swift-SaveTime
X-Trace-Cache
X-Trace-App
X-Swift-CacheTime
Srv
X-Distil-CS
X-CHSN
X-Blog
X-Version
Nodo
ServerID
NetMindSessionID
X-Bettercache-Proxy
X-Session-Reinit
X-Cache-Config
X-WEBSERVER
X-Source-Host
X-Engine
X-SN
X-Object-Id
X-Gamma-Serve
X-Cf-Powered-By
X-Cluster-Node
X-Object-Type
SN
Machine
X-Response-Time
X-Highwire-RequestId
X-Highwire-SessionId
X-MJ-Upstream-Addr
X-LIGHTHTTP-PCDID
X-Varnish-Server
X-Time
CT
X-Wily-Info
X-Domain-Checked
VAR-Cache
From
X-Wily-Servlet
X-Src-Webcache
X-Vtex-Remote-Cache
X-Provisioner-Version
X-App-Status
X-Server-ID
X-Ttl
MW-Webserver
Qs-Cache
X-Request-Locale
X-Microcache-Status
X-Microcachable
X-Device-Type
X-WR-Flags
Server2
X-TempDebug
X-Machine-Name
X-ID
Req-Id
X-Secret
X-Transaction
Ms
X-Vtex-Processado-Em
No
Ngpass-Vcall
Webluker-Edge
X-Connection-Hash
Location
MIH-PUBLIC-IDENTIFIER
Content-Transfer-Encoding
Buuteeq-Source
MIH-CLIENT-FARM
X-Resolver-IP
X-Varnish-Object-Age
X-Country-Code
X-Cache-Rule
X-Pangea-Version
X-App-Start
MIH-PLATFORM
X-Recruiting
X-MJ-Serve-Req-Time
X-Varnish-Cache-Hits
X-Directory-Script
X-Cache-Action
Beyond-Iis
Server-Name
NLCacheNote
X-Atraveo-TTL
X-Atraveo-Varnish-Server-Id
-GCR
X-Turbo-Control
X-Proxy-Cache
X-Tumblr-Pixel-6
Origin
PageSpeed
X-Atraveo-NC
X-Atraveo-From-Varnish-Cache
X-VTEX-Router-JanusNet-AspNetLatency
X-VTEX-Cache-Status-Janus-Edge
X-VTEX-Router-Backend-App
CommunityServer
Cteonnt-Length
X-Vtex-Processed-At
Proxy-Connection
X-VTEX-Router-JanusNet-BackEndLatency
X-GeoIP
X-VTEX-Router-Powered-By
X-VTEX-Router-JanusNet-JanusLatency
X-Atraveo-Cache-Control
X-Powered-By-VTEX-Janus-Edge
X-App
LBVIS
X-ProStores-StoreApiEntryPoint
X-Trace
X-Expires
X-StoreSense
X-Old-Content-Length
X-Info
X-Nginx-Server
X-Geo-IP-Metro
X-Geo-IP-Region
X-Geo-IP-Country
Be-Ip
X-FreeTag-Count
X-ACCELERATE
X-CacheHits
Author
Be-Va
X-AOL-SNH
X-Geo-IPV
Front
X-Amz-Meta-S3cmd-Attrs
X-S
X-Empowered-By
SVR
X-Grid-Server
X-Server-Id
SS
X-Dynatrace
SiteName
X-Stage
X-Translation
X-MidCOM-Meta-Cache
X-CS
X-NGINX-CACHED
X-NGINX-CACHED-AT
XX
X-DTC
X-Header
Dispatcher
X-Amz-Id-1
Upgrade
X-ATM-RTime
X-N
X-ServerCache-Info
X-ATM-RServer
X-Nginx-Backend
X-Cached-Status
CDN
REFRESH
X-Actindo-RS
X-CacheServer
X-Debug
X-Cms-Mode
X-Force
X-Dev
Apache
7e-Page-Cache
Worker
Mime-Version
MirrorName
X-Powered-By-Server
Hamster
X-Jphone-Copyright
X-Stale
X-Country
X-PRAM
X-Id
X-Cache-Age
X-UPSTREAM
LBC
Backend
ORIGIN
X-Cache-Lifetime
X-SilverStripe-Cache
X-Hosting-Env
Pool
X-Frontend
X-Uid
X-MSEdge-Ref
X-Developer
X-Yqk-Set
BALANCEDTO
X-T3CacheInfo
X-Catalyst
X-Powered-By-Yqk
X-Cache-Ttl
RequestTime
X-Gannett-Site-Version
X-Varnish-ID
X-Conf
Cluster-ID
Provided-Host
Edgecast
Content-MD5
X-ManagedFusion-Rewriter-Version
Ttl
X-Source-ID
X-Frames-Options
X-Kirra-SiteId
X-Block
X-Varnish-Age
X-Origin
X-Channel-Maxage
X-Content-Age
X-Accelerated-By
X-Farm-Server
X-PvInfo
X-Rewritten-By
X-Magento-Action
Allow
Aoestatic
X-Origin-Id
X-Varnish-Cookie-Debug
X-Cdn
Content-Instance
X-Magento-Lifetime
X-Node-Name
Ksid
X-B2f-Cache-Load
SRV
X-ChromeLogger-Data
X-ORACLE-DMS-ECID
BM-Cache-Key
SIP
X-Varnish-Cache-Local
QOR-Cache
OriginServer
X-Varnish-Cache-Server
X-REDIRECTSERVER
X-Geolocation
X-VarnPar1
Compression-Control
Web-Server
X-Varnish-Device
X-VarnCache
Cache-Ctrol
X-TISSERVER
X-Cache-Operation
X-Mobile
Il-Cl
Accept-Language
X-Vivastreet-KiwiiPage
X-Vivastreet
No-Cookie
X-App-Server
X-Monstercache-Timeout
X-WP
F-In-Cache
X-Varnish-Action
X-Venda-Hitid
X-Server-By
ScoreTracker
Rt-Server
X-Cache-On
X-GSL-Server
X-NID
X-CacheTTL
X-Adobe-Content
BM-Cache-Node
Www.Mirrorgate.Se
Www.Mabracertifiering.Se
Noq
X-Box
Www.Myjob.Se
Jobb.Passal.Se
X-Vhost
X-Via-Kemp
X-XHR-Current-Location
A1B2C3
Ram
X-MiniProfiler-Ids
P3P:CP
Jobb.Assistentpoolen.Se
Open.Jobgate.Se
Jobb.Gil.Se
Test.Executivepeople.Se
AV1080
X-T3Cache
X-ASTRO-REWRITE
X-T3CacheTags
X-Route
Cpu
X-DeliveryServer
X-B2f-Not-Route
X-Vhost-ID
Cmsid
X-LI-UUID
X-Li-Pop
X-Framework
X-Artvisual-Server
X-Remote-Addr
Fpc-Cache-Id
X-FS-UUID
X-Ar-Debug
PowerCDN
Disaptch-Cache-Rule
Cmstype
X-Li-Fabric
Copyright
Powered
X-GC-Read
INCOMING-TIME
X-EPiphany-Vid
X-Pagename
Publisher
X-PM-ID
X-UD-Loopcounter
X-UD-REMOTE-ADDR
X-MCB-Server
X-LB
X-UD-Target
X-GC-Write
X-Enhanced-By
X-Hit-Cache
X-Client-Vid
X-FCMS-Cache
X-SERVERID
BM-Cache-Status
CP
X-GC-App
WP-Cache
Provider
X-Real-Server
X-Dynatrace-Js-Agent
X-OPNET-Transaction-Trace
X-Nginx-Cache
X-Purge-Level
X-Powered
X-Allow-Redis
X-Yottaa-Optimizations
X-Yottaa-Metrics
Render
ServerConfigManager.WebBugTracker
Progma
IsFullSiteRequest
Before
Tpt.Renderer1
X-Location-Id
X-Varnish-HitMiss
X-Varnish-Count
X-SSL
X-Server-Node
After
Tpt.Renderer
X-EdgeRouter
X-Max-Age
X-Distributed-By
X-Benchmark-Total
Warning
At-Isb
At-Shoptype
Atp-Isdpp
X-Web-Node
X-Benchmark-Sphinx-Count
X-Phpwcms-Release
X-Response
X-Hostingcenter
X-Benchmark-Cache
X-Phpwcms-Page-Processed-In
X-Benchmark-Sphinx
X-Benchmark-Db
Acdc-Web
X-Webapp
X-ROUTE-DATA
X-MobileDetected
X-ProcessESI
X-Uplex
X-7d-Version
WEBO
Http
X-7dig
X-RemovedCookies
X-Router
X-Time-Spent
X-Lb
X-CMS
X-UseReverse-Proxy
X-Hrouter
X-Router-Backend
X-SDE-Name
Noahs-Classifieds
X-Nginx-Host
X-Hash
X-Garden-Version
Servername
X-Caching-Rule-Id
X-IDS-WS
X-NginX-Server
Ozcache
X-NginX-Cache
X-Sto
X-ServerId
X-App-TTL
X-Header-Set-Id
X-Accel-Expires
X-Ar-Forwarded-For
X-UA-Class
X-Hit
EZ-Origin
MageStack-Cache-Hits
X-Internal-IP
X-WLD-LB
X-Forwarded-Proto
X-Vtex-Cache-Key
MageStack-Cache-Lifetime
X-Server-Instance
Keywords
XDisk
X-Varnish-Currency
S-Cnection
MageStack-Area
Pool-Info
MageStack-Cache
Description
MageStack-Cache-Status
X-Stackable-Node
X-Continum-Server
DCGI-Server
ExecutionTime
Rt-Fastcgi-Cache
SBMCLOUD
Requested-Host
X-Req-Host
X-V-I-TTL
X-Upstream
X-Req-Url
Source
X-Created
MageStack-Loadbalancer
MageStack-Debug
MageStack-Config
MageStack-PageSpeed
MageStack-Response-Ttl
Content-ID
MageStack-Tag
X-Config-By
MageStack-Cacheable
X-Pixelsilk-Version
X-TTL-Age
X-Varnish-URL
X-UserAgent
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-WAP
XDomainRequestAllowed
Ec
X-Wm-1
X-Author
X-Wm-VIP
OGHopCount
X-Webstats-RespID
X-Would-Your-GrandPa-Wait
X-Monstercache
X-Monstercache-Hash
X-Monstercache-Host
X-Powered-Developer
X-Server-IP
Portlet.Expiration-Cache
X-Your-GrandPa-Would-Wait
Xc
WP-AdvCache-MemCached
Svr
X-Symfony-Cache
X-Http-Host
X-JSON-API-TTL
X-JSON-API-LATENCY
X-Pixelsilk-Server
X-Locale
X-Hc-Host
X-JSON-API-AGE
X-Hosting
TP-L2-Cache
X-Cache-Backend
X-Cache-Host
X-Dokk-PortalId
X-Page-Generated-At
Web-Head
X-PS-MURDOCK-ORIG-PROTOCOL
X-V-TTL
Backend-Host
X-Varnish-Hit
X-Time-Microsecs
X-PS-MURDOCK-ORIG-FILEEXT
X-Page-Generation-Time
X-Papaya-Cache
X-Papaya-Gzip
X-PS-MURDOCK-CASE-NORMALIZATION
TP-Cache
X-Flex-Tag
Accept
X-Wikidot-Static-Cache
X-Binarysec-Via
X-USERNAME
X-Host-Url
X-Wikidot-Backend
X-VarnPar2
Hej
X-HasAuthorization
X-IsPremium
X-RSS-CACHE-STATUS
X-V
Cneonction
X-Cache-Set
X-GLaDOS
EI-UNIQUE-ID
X-Varnish-Debug-Age
X-Haiku
X-V-Outer
ExecuteNonQuerySQLParam
Foglight-Request-UUID
HostName
X-HOSTTYPE
Hishop
X-Back
X-CMS-Sid
X-Loc
X-CMS-Server
X-CMS-Nid
X-CMS-Live
X-Life
X-CMS-Stage
X-DefendeR-Runtime
X-Drupal-Cache-Tags
X-CMS-Tid
X-CMS-State
X-CMS-CRMSet
X-CMS-Collection
Front-End-Https
Head
X-DB-Content-Length
SLB
X-Bcwwwid
Esi-Enabled
X-WorkerInstancename
X-XFPC-Cache
X-XFPC-Cache-Active
Device
X-Varnish-Debug-Hits
Redirect
X-VG-WebCache
X-Flex-Community
X-Flex-Evend
X-Name
Www.Aujourdhui.Com
X-ATP-Server
X-Client-Addr
X-Device-Group
X-Client-IP
X-CCM
X-Fett
Server-Optimized-By
D
X-DSMX-Render-MS
X-Flex-Tags
X-Mii-Cache-Hit
X-Nucleus-Cache
X-DSMX-Rewrite-MS
X-Pb-Mii
X-DELIVERYSERVER
X-Flex-Lastmod
X-Flex-Lang
X-Flex-Evstart
B-Powered-By
X-Varnish-Beresp-Grace
X-Varnish-Debug-Pool-Recv
X-Varnish-Debug-Pool-Fetch
Dynatrace
X-Varnish-Debug-Fetch-Host
X-Varnish-Beresp-Status
POOL
Bs-Header
X-SERVER-ID
X-APP
X-Varnish-Beresp-Ttl
X-Backend-Ip
X-DC-Origin-IP
X-Unique-Id
Server-N
X-Cookie-Store
X-Compressed-By
X-Url-Store
X-Ec-Custom-Error
X-WR-MODIFICATION
X-Var-Hash
User-Cache-Control
No-Cache
X-Unbounce-VisitorID
X-Serendipity-InterfaceLang
X-Fstrz
MachineName
X-HITS
X-Confluence-Request-Time
Server-Ip
LFY
X-Debug-Serve
Pramga
X-Original-IP
X-Cluster-Host
CacheControlHeader
X-WA-Info
ProxiaInstanceId
X-RequesterIP
X-Ratelimit
X-Cache-Key
X-Environment
X-Cluster-ID
X-SATserver
X-LAvg
ServerIP
X-Backend-Status
X-Unbounce-PageId
X-Feed
CountryCode
AcceptLangage
X-Pagecache
UNIQUE-ID
SFY
X-Serendipity-InterfaceLangSource
X-HW
Title
X-Unbounce-Variant
ResourceTag
X-AISO-Cache
X-AISO-Server
Smug-Env
Server-IP
X-S-Misc
X-TLServer
X-Gondor-Server
X-SmugMug-Hiring
X-TTFB-L
MASTERWEBLET
X-TTFB
X-SV
X-SmugMug-Values
X-Generation-Time
X-FarmId
RequestId
X-BKSrc
HCVer
HAVer
BKREF
X-Cache-Term
X-PageCached
Content-Cache
X-D-Time
X-Cached-Page
W
RATING
Language
X-Lang
X-ErrorPage
X-Extra-Header
X-Cluster
If-Modified-Since
Content
Countrycode
X-RAMCache
NnCoection
X-GitHub-Request-Id
X-Job-Offer
X-ACLR-Version
X-Source
X-Rot
X-PHP-Cache
Mobiquo-Is-Login
X-SeschatLayout
X-SeschatRedID
X-SeschatDID
X-Seschat-URL
X-PROCESSED-BY
X-SeschatTemplateID
X-Varnish-Hashed-On
TIMESTAMP
X-Cdn-View
Public-Extension
HGR-NOCACHE
X-VHOST
X-Req-Counter