
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-Content-Type-Options
X-XSS-Protection
Age
X-Cache
Alternate-Protocol
Content-Language
X-UA-Compatible
Content-Location
Via
Keep-Alive
P3p
X-Frame-Options
CF-RAY
X-Varnish
X-Adblock-Key
X-Check
X-Cacheable
X-Language
X-Buckets
X-Template
X-Generator
X-Hacker
Access-Control-Allow-Origin
X-Drupal-Cache
WP-Super-Cache
Status
MS-Author-Via
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Pad
X-Runtime
X-Geo-Port
X-Geo
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Server
X-Cache-Lookup
X-Host
Access-Control-Allow-Credentials
X-Type
X-Cache-Group
X-Logged-In
X-Ua-Compatible
Strict-Transport-Security
Ngpass-All
X-Mod-Pagespeed
X-Rack-Cache
MicrosoftSharePointTeamServices
X-XRDS-Location
X-Cache-Hits
X-UA-Device
Host-Header
Content-Encoding
X-Xss-Protection
SPRequestGuid
X-SharePointHealthScore
X-Via
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Robots-Tag
X-INKT-SITE
X-INKT-URI
X-Url
X-CF-Powered-By
X-Tumblr-Pixel-1
X-Webserver
X-Varnish-Cache
X-Iinfo
X-Accel-Version
X-PhApp
X-Cnection
X-Forwarded-For
X-Page-Speed
Composed-By
X-ServedBy
X-Tumblr-Pixel-2
X-Served-By
X-MS-InvokeApp
X-Firenze-Processing-Times
Served-By
Access-Control-Allow-Headers
X-Backend
X-Hostname
X-CDN
Access-Control-Allow-Methods
X-ContextId
X-Ac
X-ShardId
X-ShopId
X-Alternate-Cache-Key
X-XN-Trace-Token
X-XN-XNHTML
X-Request-ID
X-AH-Environment
X-Tumblr-Pixel-3
X-Powered-By-360WZB
X-FRAME-OPTIONS
Content-Style-Type
Content-Script-Type
Liferay-Portal
X-PC-Key
X-PC-Hit
X-Age
X-PC-Host
X-PC-Date
X-PC-AppVer
X-Umbraco-Version
X-Server-Name
X-Cache-Info
Refresh
X-Spip-Cache
X-Cache-Server
X-HeyJason
Cartoon
Powered-By-ChinaCache
X-Port
X-Mobilized-By
X-Cache-Result
X-Amz-Id-2
Cf-Railgun
X-Content-Digest
Request-Id
SPRequestDuration
SPIisLatency
TCN
X-FB-Debug
X-Amz-Request-Id
X-Amz-Cf-Id
X-Px
Rating
Real-Hostname
X-TN-ServedBy
X-W3TC-Minify
X-VCache
X-PHP-Engine
X-Loop
X-Cache-Status
X-Outils-CS
Page-Completion-Status
Thanks
Magicmarker
X-From
X-TNCMS-Version
X-PersistenceNode
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-TNCMS-Render-Time
X-Safe-Firewall
X-Original-Content-Length
X-Node
IBM-Web2-Location
X-Cached-By
X-Device
Imagetoolbar
NS-RTIMER-COMPOSITE
X-Content-Encoded-By
X-Generated-By
X-Varnish-Cacheable
X-Pass-Why
X-Served-From-Cache
X-Tumblr-Pixel-4
X-Cached
X-Timer
X-Matrix-Proxy
X-Matrix-Server
X-Hyper-Cache
PICS-Label
X-Firenze-Processing-Time
X-Powered-By-Anquanbao
X-Pantheon-Styx-Hostname
Retry-After
X-Pantheon-Endpoint
X-SERVER
X-Tumblr-Content-Rating
IISExport
Set-Cookie2
X-Varnish-TTL
X-DynaTrace
Product
Generator
X-CMS-Version
X-HOST
Content-Security-Policy
X-Art-Request-Id
X-Cache-Enabled
CF-Cache-Status
X-FORWARDED-FOR
DynaTrace
X-Tumblr-Pixel-5
X-Trace-App
Access-Control-Max-Age
X-Cache-Hit
MIME-Version
X-Served-With
X-SDS
X-Drectory-Script
X-DDC-Arch-Trace
X-Backend-Server
X-App-Hosting
Powered-By
X-Rendering-Engine
X-URL
X-DynaTrace-JS-Agent
X-Cache-Debug
Node
Access-Control-Request-Method
X-Duration
X-Microcachable
Time
X-PF-Uncompressing
X-Nitra-Side
X-Processed-By
X-Xrds-Location
X-ATG-Version
ServedBy
Pics-Label
Lsrequestid
X-PERF
X-ApacheServer
SID
X-Sol
X-Cookie-Domain
COMMERCE-SERVER-SOFTWARE
X-I
X-CDN-Geo
X-CDN-Geo-IP
X-NoCache
X-CDN-Any-IP
X-Content-Options
Response
X-UD-Host
X-VARNISH-Cache
ServerName
X-SRV
X-UD-Method
X-Expires-Orig
S
X-Director
X-Purge-Host
Charset
Cache
Ngpass-Vcall
X-Cache-Control-Orig
RTSS
AMF-Ver
X-BackEnd
X-Orig-Vary
Vacache
X-Vary-Options
X-DNS-Prefetch-Control
X-Sharepointhealthscore
X-Middleton-Response
Sprequestguid
X-Cache-Expires
X-Hits
Proxy-Agent
Content-Encoding-Handler
X-Speed-Cache-Key
Accept-Encoding
X-ServerID
X-Speed-Cache
X-Original-Request
Host
X-Styx-Version
X-Styx-Build-Date
X-Purge-URL
X-Styx-Build-Num
X-Styx-Build-Sha
X-LiteSpeed-Cache
X-Styx-Req-Id
X-Varnish-Backend
Content-Disposition
X-GeoIP-Country-Code
X-B2f-Cache-Load
MJ12bot
Fhost
SEOMOZ
Filter-Revision
X-GeoIP-Country-Name
X-ServerName
Edge-Control
Surrogate-Control
X-Yadis-Location
X-Passed-To-BeforeDispatch
X-Returned-From
X-Returned-From-BeforeDispatch
X-Returned-From-DLL
X-Passed-To-PostProcessResponse
X-Passed-To-DLL
NODE
X-Actual-URL
X-Handled-By
X-Returned-From-PostProcessResponse
X-Passed-To
X-Directory-Script
Accept-Charset
X-Vtex-Remote-Cache
X-Front
X-Vtex-Cache-Key
X-Server-ID
X-FW
X-Gamma-Serve
X-PwB-Node
X-FW-Static
CT
WWW-Authenticate
X-Trace-Cache
X-Micro-Cache
X-CJ-Soft
X-Cluster-Node
X-App-Start
X-FIRSTBase
UniqueName
X-Cache-TTL
X-AOL-SNH
X-Pangea-Version
X-Content-Security-Policy
Website-Info
Server-Info
X-Hosted-By
Cm-Server
NtCoent-Length
CommunityServer
X-MJ-Upstream-Addr
X-Source-Host
NetMindSessionID
X-ACMCache
Id
Webluker-Edge
X-Track
SN
X-TTL
X-Cocoon-Version
X-Geo-IP
X-Id
MIH-CLIENT-FARM
X-CHSN
Req-Id
MIH-PLATFORM
MIH-PUBLIC-IDENTIFIER
X-Info
X-Highwire-RequestId
X-Highwire-SessionId
X-Varnish-Host
X-AspNetWebPages-Version
X-Blog
X-Session-Reinit
Pool-Info
X-Cache-Action
X-Srv
X-Ttl
VAR-Cache
Machine
Cache-By-Node
X-Sys-Req-ID
QOR-Cache
Proxy-Connection
X-Machine-Name
X-User-Agent
X-LIGHTHTTP-PCDID
Nodo
X-MJ-Serve-Req-Time
MW-Webserver
X-Time
A-Powered-By
ServerID
Srv
X-ProStores-StoreApiEntryPoint
X-StoreSense
X-Transaction
X-Atraveo-From-Varnish-Cache
X-Atraveo-NC
Ms
X-Atraveo-TTL
Hamster
X-ServerCache-Info
REFRESH
X-Ms-Invokeapp
X-Engine
X-Atraveo-Varnish-Server-Id
Content-Security-Policy-Report-Only
X-Atraveo-Cache-Control
X-Bettercache-Proxy
X-Src-Webcache
Server-Name
X-Varnish-Hits
X-Distil-CS
X-ACCELERATE
X-WR-Flags
X-Permitted-Cross-Domain-Policies
From
F-In-Cache
X-Varnish-Server
X-HOSTNAME
X-Turbo-Control
X-Object-Id
X-FreeTag-Count
X-Wily-Servlet
X-Microcache-Status
X-Object-Type
X-Beep
X-CacheHits
X-Device-Type
X-Wily-Info
X-Country-Code
OriginServer
Origin
X-WebKit-CSP
X-Expires
X-ROUTE-DATA
7e-Page-Cache
Server2
X-Response-Time
X-Varnish-IP
Apache
X-Yqk-Set
X-SN
X-Force
PageSpeed
X-Frontend
X-Powered-By-Yqk
Cteonnt-Length
X-Source-ID
X-LI-UUID
X-Li-Fabric
X-FS-UUID
X-PRAM
X-Li-Pop
MirrorName
X-Amz-Id-1
X-Varnish-Object-Age
X-Accelerated-By
X-UPSTREAM
X-Trace
X-Rewritten-By
X-ManagedFusion-Rewriter-Version
Backend
X-Cms-Mode
X-Channel-Maxage
SynthaSite-ID
X-EdgeRouter
Content-MD5
X-Cache-Rule
LBVIS
X-REDIRECTSERVER
X-Domain-Checked
X-Provisioner-Version
X-LB
X-Magento-Lifetime
X-App-Status
Worker
Aoestatic
X-Magento-Action
X-Translation
X-Jphone-Copyright
X-Dev
X-GeoIP
X-N
X-Cache-Config
X-MobileDetected
X-Cache-Age
X-T3CacheInfo
Pool
MASTERWEBLET
Be-Va
X-Recruiting
X-Old-Content-Length
X-Hrouter
X-Developer
X-Cached-Status
ORIGIN
Be-Ip
X-Powered-By-Server
SRV
Author
X-Amz-Meta-S3cmd-Attrs
Front
X-Outils-Cs
X-ERM-RunTime
X-ERM-ServerName-AppPage
X-T3Cache
X-ERM-ServerName
NLCacheNote
X-GSL-Server
X-Goog-Hash
X-Framework
X-VarnCache
X-VarnPar2
X-Artvisual-Server
SIP
X-TISSERVER
X-Origin
X-Debug
X-Grid-Server
X-JAL
X-User-Id
X-JSL
X-Varnish-Cache-Local
X-B2f-Not-Route
Compression-Control
X-Via-Kemp
X-Origin-Id
No
X-Vtex-Processado-Em
X-Vhost-ID
X-Vhost
X-ID
CountryCode
X-Powered
X-ASTRO-REWRITE
Web-Server
X-DeliveryServer
X-Haiku
X-GLaDOS
X-Response
X-Cache-On
Rt-Server
Ksid
X-ATM-RTime
X-CS
X-Varnish-Cache-Server
Buuteeq-Source
X-ATM-RServer
X-Version
Il-Cl
X-TempDebug
Cache-Ctrol
X-Oracle-DMS-ECID
Powered-By-VeryCDN
X-Vivastreet-KiwiiPage
X-Vivastreet
X-Geo-IP-Metro
X-Geo-IP-Country
X-Geo-IPV
X-Geo-IP-Region
Hash
Dispatcher
X-Empowered-By
X-Ocache
X-T
X-Cache-Ttl
RequestTime
X-B
Copyright
X-Cache-Me-Harder
Progma
A1B2C3
Powered
X-PageCached
X-Cache-Term
X-Farm-Server
X-NGINX-CACHED
ScoreTracker
X-NGINX-CACHED-AT
X-Nginx-Backend
CDN
SS
Cluster-ID
X-Actindo-RS
X-DTC
X-T3CacheTags
WEBO
X-Uid
X-NginX-Cache
X-SilverStripe-Cache
WP-Cache
X-Frames-Options
X-NginX-Server
Content-Transfer-Encoding
Publisher
X-ORACLE-DMS-ECID
X-Hash
Provided-Host
X-MCB-Server
LBC
X-Varnish-Debug-Age
X-Varnish-Debug-Hits
X-PM-ID
X-S
X-7d-Version
X-Kirra-SiteId
X-Nginx-Cache
X-Web-Node
LFY
X-Varnish-Action
X-ChromeLogger-Data
X-7dig
X-Phpwcms-Page-Processed-In
X-Phpwcms-Release
X-Nginx-Server
Ttl
X-Varnish-Cache-Hits
X-Conf
X-Monstercache-Timeout
Ec
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
P3P:CP
Open.Jobgate.Se
Jobb.Passal.Se
X-WP
X-Powered-Developer
Content-Instance
SFY
Www.Myjob.Se
X-Catalyst
Location
X-Remote-Addr
Www.Mabracertifiering.Se
X-Cache-Set
Www.Mirrorgate.Se
Test.Executivepeople.Se
X-Nocache
X-Upstream
X-Varnish-Age
X-Flex-Tags
X-UD-Loopcounter
X-Flex-Lastmod
X-NID
X-UD-REMOTE-ADDR
X-Cache-Lifetime
X-V
Accept
X-Real-IP
-GCR
Hej
X-WHOIS-Cached
Beyond-Iis
X-Flex-Tag
X-UD-Target
CP
X-App
Provider
X-Whom
POOL
SiteName
X-Flex-Community
X-Real-Server
X-Cache-Operation
X-Flex-Lang
X-Flex-Evstart
X-Flex-Evend
Cmstype
X-Ar-Debug
Cmsid
Atp-Isdpp
PowerCDN
Allow
At-Shoptype
Http
X-Ar-Forwarded-For
Bs-Header
At-Isb
X-Router
X-Webapp
X-Kermit
X-UseReverse-Proxy
Pagely
X-App-Server
X-Max-Age
X-Generation-Time
X-S-Misc
Edgecast
X-Router-Backend
X-Varnish-Abtest-Expires
X-Varnish-Beresp-Status
X-Varnish-Beresp-Grace
X-Time-Microsecs
X-Connection-Hash
X-Jcms-Ajax-Id
X-Varnish-Beresp-Ttl
X-D-Time
OGHopCount
SVR
Cdate
X-Pixelsilk-Version
X-Node-Name
XX
X-MidCOM-Meta-Cache
X-TLServer
Telligent-Evolution
X-Servername
Requested-Host
X-Box
X-VG-WebCache
Svr
Accept-Language
Server-IP
X-PoweredBy
X-Mobile
X-Pixelsilk-Server
X-WorkerInstancename
X-WR-MODIFICATION
X-ProcessESI
X-RemovedCookies
X-Enhanced-By
X-Hc-Host
X-Hosting-Env
Ssl-Enabled
X-PvInfo
X-Client-Addr
Servername
X-IDS-WS
X-Continum-Server
X-Request-Duration
X-Agentscape-Info
X-Config-By
X-XHR-Current-Location
CachedXSLT
X-CCM
D
X-Locale
X-JSON-API-TTL
X-Page-Generated-At
X-UserAgent
X-Page-Generation-Time
X-JSON-API-LATENCY
X-JSON-API-AGE
X-Internal-IP
X-Route
Content
ExecutionTime
X-MadeOn
WebDevSrc
X-MSEdge-Ref
X-Nucleus-Cache
BM-Cache-Key
BM-Cache-Node
UNIQUE-ID
BM-Cache-Status
Www.Aujourdhui.Com
X-Device-Group
X-Mii-Cache-Hit
X-Pb-Mii
X-ATP-Server
X-Client-IP
X-Allow-Redis
X-VTEX-Router-JanusNet-BackEndLatency
X-VTEX-Router-JanusNet-JanusLatency
X-VTEX-Router-Powered-By
X-DELIVERYSERVER
X-VTEX-Router-JanusNet-AspNetLatency
X-Fett
X-Purge-Level
X-VTEX-Cache
X-Nginx-Host
X-VTEX-Router-Backend-App
X-TTL-Age
X-Database-Slave-Connection
X-Server-IP
User-Cache-Control
Server-Optimized-By
X-Content-Age
X-PP
X-Seschat-URL
X-Test
X-DC-Origin-IP
X-Hit
X-Venda-Hitid
X-Platform
X-Host-Url
X-Garden-Version
X-Ratelimit
X-Author
MachineName
Test
X-Varnish-Hashed-On
X-Header
X-Uplex
X-Would-Your-GrandPa-Wait
X-Dokk-PortalId
X-Execution-Time
X-Your-GrandPa-Would-Wait
Expire
X-Monstercache-Host
X-Varnish-Debug-Fetch-Host
X-SeschatLayout
X-SeschatDID
X-Monstercache
X-SeschatRedID
X-SeschatTemplateID
X-Monstercache-Hash
X-Server-Id
X-Tumblr-Pixel-6
Hostname
X-Caching-Rule-Id
X-Header-Set-Id
X-Benchmark-Sphinx
X-Benchmark-Sphinx-Count
SAVVIS
X-Original-IP
X-Benchmark-Db
X-Benchmark-Cache
X-GitHub-Request-Id
HTTP
X-Feed
X-PoolMember
AcceptLangage
Source
If-Modified-Since
Warning
DCGI-Server
X-Swift-SaveTime
X-OPNET-Transaction-Trace
X-Swift-CacheTime
X-ServerID-App
X-Benchmark-Total
X-Head
X-Webstats-RespID
X-Url-Store
X-Cookie-Store
Ozcache
X-Backend-Status
X-Cache-Backend
Mime-Version
X-CMS-Collection
X-CMS-Server
X-Sw-Accesskey
X-CMS-CRMSet
X-BackendServer
X-CMS-Live
X-CMS-Tid
X-CMS-State
Ngpass-Static
WP-AdvCache-MemCached
X-Secret
X-XFPC-Cache
X-Cache-Key
X-XFPC-Cache-Active
X-CMS-Nid
X-CMS-Sid
HAVer
HCVer
X-Bcwwwid
X-DefendeR-Runtime
BKREF
X-BKSrc
Apple-Itunes-App
XDisk
Content-ID
X-CMS-Stage
X-Varnish-ID
Noahs-Classifieds
Mobiquo-Is-Login
X-PBY
Content-Cache
X-Life
X-Loc
X-Hop-By
X-Fortrabbit
X-Server-Node
AV1080
ProxiaInstanceId
X-GC-App
X-Process-Time
Head
X-Pagecache
HostGen
X-GC-Read
X-GC-Write
No-Cookie
RATING
X-PS-MURDOCK-ORIG-PROTOCOL
X-PS-MURDOCK-ORIG-FILEEXT
Access-Control-Expose-Headers
X-HITS
X-SV
Web-Head
X-PS-MURDOCK-CASE-NORMALIZATION
X-Panel-Id
Host-Service
X-Varnish-Id
X-Panel-Name
X-Wm-VIP
X-Wm-1
Front-End-Https
Esi-Enabled
Tpt.Renderer1
Language
Tpt.Renderer
Tpt
Render
ServerConfigManager.WebBugTracker
CacheControlHeader
X-Server-By
Foglight-Request-UUID
X-Proxy
X-Location-Id
X-EPiphany-Vid
X-Client-Vid
IsFullSiteRequest
Before
X-AISO-Server
X-RSS-CACHE-STATUS
X-AISO-Cache
X-Gondor-Server
INCOMING-TIME
X-FCMS-Cache
X-Binarysec-Via
X-Varnish-Count
X-RequesterIP
After
X-Location
B-Powered-By
X-Varnish-HitMiss
X-Mii-Uncompressed-Size