
SANS ISC / DShield: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table (histogram) showing how many times we found each header, security-relevant or not. We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
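As an added illustration of the collection method described above (example code written for this page, not the ISC/DShield project's own collector), the script below parses the head of an HTTP response, counts each header once per site, and reports which security-relevant headers each site is missing. The list of security headers, the hostnames and the raw responses are constructed assumptions. One caveat it handles: header names are case-insensitive in HTTP, so X-Frame-Options and X-FRAME-OPTIONS are the same header and are merged here, whereas the table below lists such spellings separately.

```python
"""Tally HTTP response headers across sites and flag missing security headers.

Added example, not the ISC/DShield project's code. The header list and the
sample responses below are constructed assumptions for an offline demo.
"""
from collections import Counter
import urllib.request

# Security-relevant response headers (assumed list for this example).
# HTTP header names are case-insensitive, so everything is compared lower-cased.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "x-xss-protection",
    "referrer-policy",
    "expect-ct",
    "feature-policy",
    "x-permitted-cross-domain-policies",
)

# Constructed sample responses standing in for real HEAD request results.
SAMPLE_RESPONSES = {
    "example-a.test": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "X-Frame-Options: DENY\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Set-Cookie: a=1; Secure; HttpOnly\r\n"
        "\r\n"
    ),
    "example-b.test": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Content-Type: text/html\r\n"
        "X-FRAME-OPTIONS: SAMEORIGIN\r\n"   # upper-case spelling, same header
        "X-Powered-By: PHP/7.4\r\n"
        "Set-Cookie: b=2\r\n"
        "\r\n"
    ),
    "example-c.test": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://example-c.test/\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}


def fetch_headers(url, timeout=10):
    """Issue a HEAD request for url and return its header names, lower-cased.
    Needs network access; the offline demo below uses SAMPLE_RESPONSES instead."""
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "header-survey-example/0.1"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return [name.lower() for name, _ in resp.getheaders()]


def parse_raw_headers(raw):
    """Return the lower-cased header names from a raw response head.
    The status line is skipped and parsing stops at the first blank line,
    so a body that happens to contain 'Name: value' text is not counted."""
    names = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, sep, _ = line.partition(":")
        if sep:
            names.append(name.strip().lower())
    return names


def tally(sites):
    """sites maps hostname -> list of header names.
    Returns (Counter: header -> number of sites setting it,
             dict: hostname -> security headers the site does not set)."""
    popularity = Counter()
    missing = {}
    for host, names in sites.items():
        present = set(names)          # count a header once per site, even if repeated
        popularity.update(present)
        missing[host] = [h for h in SECURITY_HEADERS if h not in present]
    return popularity, missing


def survey(raw_responses=SAMPLE_RESPONSES):
    """Run the tally over raw response heads (the constructed samples by default)."""
    return tally({host: parse_raw_headers(raw) for host, raw in raw_responses.items()})


if __name__ == "__main__":
    popularity, missing = survey()
    for name, count in popularity.most_common():
        print(f"{count:3d}  {name}")
    for host, gaps in missing.items():
        print(f"{host}: missing {', '.join(gaps) or 'none'}")
```

Swapping `parse_raw_headers` for `fetch_headers` turns this into a live collector; the per-site set means a server that emits Set-Cookie several times still contributes one to that header's count, which is the "how many sites" figure the table is meant to show.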



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Vary
Cache-Control
Link
Expires
X-Powered-By
Content-Length
Pragma
Last-Modified
Accept-Ranges
ETag
X-Content-Type-Options
X-XSS-Protection
Strict-Transport-Security
X-Cache
X-Frame-Options
CF-RAY
Content-Language
Age
X-Wix-Server-Artifact-Id
X-Accel-Buffering
X-Pingback
Via
P3P
Expect-CT
X-AspNet-Version
X-Cacheable
X-UA-Compatible
Content-Security-Policy
X-Via
X-ServedBy
X-Contextid
X-PC-Key
X-PC-Hit
X-Request-Id
X-Wix-Request-Id
X-Seen-By
X-PC-Host
X-PC-Date
X-PC-AppVer
WPE-Backend
X-Type
X-Pass-Why
X-Cache-Group
Access-Control-Allow-Origin
X-UA-Device
X-Ua-Compatible
X-Rid
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Tumblr-User
X-Tumblr-Pixel-1
X-NewRelic-App-Data
X-Tumblr-Pixel-2
X-Permitted-Cross-Domain-Policies
X-Download-Options
X-Adblock-Key
X-Check
X-Sorting-Hat-PrivacyLevel
X-Sorting-Hat-Section
X-Sorting-Hat-ShopId-Cached
X-Sorting-Hat-PodId-Cached
X-Sorting-Hat-ShopId
X-ShopId
X-Sorting-Hat-PodId
Upgrade
X-Dc
X-Alternate-Cache-Key
X-ShardId
X-Sorting-Hat-FeatureSet
Referrer-Policy
X-Language
X-Template
Alt-Svc
Host-Header
X-Tumblr-Pixel-3
X-Buckets
X-Ac
X-Hacker
X-Runtime
X-Varnish
X-Cache-Hits
X-Generator
X-WPE-Loopback-Upstream-Addr
X-Served-By
X-TEC-API-VERSION
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-Host
P3p
X-CST
X-Drupal-Cache
X-Tumblr-Pixel-4
X-Timer
X-Backend
X-Endurance-Cache-Level
X-Cache-Hit
X-Port
X-Newrelic-App-Data
X-AspNetMvc-Version
CF-Cache-Status
Access-Control-Allow-Headers
Status
Access-Control-Allow-Methods
X-Amz-Cf-Id
X-Powered-By-Plesk
X-FRAME-OPTIONS
Access-Control-Allow-Credentials
X-Cache-Enabled
X-Request-ID
X-Iinfo
Content-Location
X-Cache-Status
X-FW-Hash
X-FW-Server
X-Webcom-Cache-Status
X-FW-Static
X-FW-Serve
X-FW-Type
Keep-Alive
X-Server
X-Robots-Tag
X-Wix-Punisher
X-Tumblr-Pixel-5
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-CDN
X-Hits
X-GitHub-Request-Id
X-Proxy-Cache
Content-Encoding
X-Rack-Cache
Edge-Control
Rating
X-FullPageCaching
X-Tumblr-Content-Rating
MS-Author-Via
X-Trace
X-HS-Cache-Config
Edge-Cache-Tag
X-DDC-Arch-Trace
X-HS-Content-Id
X-BC-Stapler
X-Tumblr-Pixel-6
X-Pad
X-Server-Powered-By
Powered-By
X-DIS-Request-ID
X-HS-Combine-CSS
X-Amz-Request-Id
X-Amz-Id-2
X-Mod-Pagespeed
X-Turbo-Charged-By
X-Nginx-Cache-Status
X-Drupal-Dynamic-Cache
X-INKT-SITE
X-INKT-URI
X-IPLB-Instance
Content-Security-Policy-Report-Only
Request-Context
X-LiteSpeed-Cache
X-Fastly-Request-ID
X-XRDS-Location
P-WS
P-LB
X-Logged-In
X-CF-Powered-By
X-Version
X-Content-Digest
Allow
X-Accel-Version
X-Page-Speed
X-Acc-Exp
Last-Published
Charset
X-SVR-IIS
X-Request-Country
Timing-Allow-Origin
X-Svr-Proxy
X-Zen-Fury
X-SSLUpstream
X-SSLProxy
Access-Control-Max-Age
Cf-Railgun
X-Cdn
X-Cnection
X-Upstream
X-Server-Name
X-Content-Powered-By
X-AH-Environment
X-Varnish-Cache
MicrosoftOfficeWebServer
X-Cache-Lookup
X-LW-Cache
X-HeyJason
Permitted-Cross-Domain-Policies
X-Do-Not-Hack
X-Amz-Version-Id
MicrosoftSharePointTeamServices
WP-Super-Cache
X-SharePointHealthScore
X-Varnish-TTL
X-Device
SPRequestGuid
EagleId
Access-Control-Expose-Headers
X-Safe-Firewall
X-Varnish-Count
Cartoon
X-MS-InvokeApp
X-Cloud-Trace-Context
X-Varnish-HitMiss
X-Swift-CacheTime
X-Swift-SaveTime
X-Source
X-StackifyID
X-Webserver
X-SS-Location
X-VCache
X-PhApp
X-Backend-Server
X-Kinsta-Cache
X-SS-Conf
X-ET-API-ROOT
X-ET-API-VERSION
X-ET-API-ORIGIN
X-Sol
SiteSpeed
Display
X-Middleton-Display
Response
X-Middleton-Response
X-Whom
X-TNCMS
X-Loop
X-Cache-Config
X-User-Agent
X-Powered-CMS
Liferay-Portal
X-Litespeed-Cache
Strikingly-Cache-Region
Strikingly-Cached
Strikingly-Cached-Version
X-RESOURCE
X-Dealeron-Original-Url
X-Cluster-Node
X-Abgroup
X-Dealeron-Backend
X-URLSCHEME
X-Cache-Key
X-DealerOn
X-Vip
Access-Control-Request-Method
X-Pool
Cache-Key
Request-Id
X-Clacks-Overhead
X-Goog-Hash
Fastcgi-Cache
X-Node
X-LiteSpeed-Cache-Control
Generator
X-Handled-By
Req-Id
X-N-OperationId
X-Xss-Protection
Public-Key-Pins-Report-Only
X-Micro-Cache
CS-SERVER
X-S
W
X-Hostname
X-ServerName
WP-FROM-CACHE
Surrogate-Control
X-Server-Instance
X-Storage-Cache-Date
X-Storage-Cache-Expires
X-AspNetWebPages-Version
X-Storage-Cache
X-Cached
X-Unbounce-Variant
X-Unbounce-PageId
X-SRV
X-Unbounce-VisitorID
FindLaw
X-Cache-Info
X-LB-Server
Pagespeed
X-HS-Content-Campaign-Id
X-Ruxit-JS-Agent
PageSpeed
X-OneAgent-JS-Injection
X-Wikidot-Backend
X-TTFB
X-TTFB-L
SN
Public-Key-Pins
X-SmugMug-Values
Grace
X-Generated
X-Wikidot-Static-Cache
X-Locale
X-SP-UniqueName
X-Content-Security-Policy
X-Env
SPRequestDuration
X-ARC
X-Path-Route
X-SP-Farm
X-SmugMug-Hiring
X-Hosted-By
Smug-CDN
X-Device-Type
SPIisLatency
X-SRCache-Store-Status
X-FORWARDED-FOR
X-SRCache-Fetch-Status
X-Microcachable
X-Request-Time
X-Span
X-Hstore
X-Hrouter
Retry-After
Cache-Provider
X-Key
X-Microcache-Status
X-Varnish-Debug-Age
X-Varnish-Debug-TTL
X-Translation
X-Lambda-Id
USPLoggingUUID
Content-Style-Type
Content-Script-Type
X-Origin-Id
X-Hyper-Cache
Powered-By-ChinaCache
X-ENDPOINT
X-Sedo-Request-Id
X-Dns-Prefetch-Control
X-Ezoic-Cdn
X-FIRSTBase
X-ORIKEY
X-Forwarded-For
X-Instart-Request-ID
X-ROUTING
X-Application-Context
X-Jimdo-Instance
X-Via-S
X-Topify-Platform
X-XN-XNHTML
X-Appmachine-Environment
ServerID
X-Varnish-Debug-Hits
X-Jimdo-Wid
X-RateLimit-Remaining
X-RateLimit-Reset
IM-Version
X-Supported-By
X-RateLimit-Limit
Content-Encoding-Handler
X-XN-Trace-Token
X-Cache-Miss-From
SSPAppContext
VSID
ViewMode
X-Response-Time
X-PHP-Backend
ServerNode
X-APIAUTH-VAL
*
X-Cached-By
X-Sapient
X-APIVERSION
X-ApacheServer
Request-Country
Request-EU
X-Accel-Expires
X-SSL-Cipher
Node
Use-Proxy
X-Vcache
X-SSL-Protocol
X-Microcache
Rt-Fastcgi-Cache
Firespring-Website-Id
MC
X-Middleware-Start
X-PERF
ServedBy
X-Trace-Id
X-Server-Upstream
X-Engine
Aurora-Node
Version
X-4ormat-Cacheable
X-Magento-Cache-Debug
X-Magento-Cache-Control
X-Origin
X-Passed-To
X-Ratelimit-Limit
X-Passed-To-DLL
X-HS-Status
X-Original-Request
X-Firefox-Spdy
X-App-Status
X-Expires-Orig
X-CPU-Time
X-Fastcgi-Cache
X-Cache-Handler
X-Ratelimit-Remaining
X-Edge-IP
X-NWS-LOG-UUID
X-FromPodPressCache
X-Daa-Tunnel
X-Dscp-Value
X-Fedora-School-Id
X-Varnish-Beresp-Grace
X-UD-Method
TCN
X-FB-Debug
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Status
Accept-Encoding
X-Generated-Timestamp
X-VARITI-CCR
X-Ratelimit-Reset
X-Edge-Location
X-Varnish-Server
X-Returned-From
X-Returned-From-DLL
X-Sucuri-ID
X-Sucuri-Cache
X-Stale
X-DNS-Prefetch-Control
Service-Worker-Allowed
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length
X-Goog-Storage-Class
X-Goog-Metageneration
X-Goog-Generation
X-GUploader-UploadID
X-HeBS-Cache-Status
X-Original-Date
X-Pantheon-Environment
X-Mighty-Proxy
X-Matrix-Server
X-Matrix-Proxy
X-Environment
X-Empowered-By
Ssl-Proxy-Server
Surrogate-Key
RequestId
Imagetoolbar
Feature-Policy
Surrogate-Key-Raw
X-Amz-Meta-S3cmd-Attrs
X-Dw-Request-Base-Id
X-Discourse-Route
X-Debug-Info
X-Consent-Required
X-Pantheon-Phpreq
X-Pantheon-Site
X-Speed-Cache-Key
X-URL
X-Speed-Cache
X-Proxy-Backend
X-Processing-Time
X-VC-Enabled
X-WEBMGR-CACHE
X-Actual-URL
REFRESH
PBS
Fpc-Cache-Id
X-NoCache
X-GeoIP-Country-Name
Composed-By
Hummingbird-Cache
Xkey
X-Umbraco-Version
X-Rocket-Nginx-Bypass
IES-Server
Load-Balancer
X-GeoIP-Country-Code
X-Cookie-Domain
Origin
MIME-Version
X-Cache-Control-Orig