
SANS ISC: HTTP Header Usage Statistics - Internet Security | DShield



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites send security-relevant response headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using an HTTP HEAD request and record the response headers. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
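As an added illustration (not part of the ISC collector), the script below shows how such a survey tallies headers from raw HEAD responses; the sample responses and the list of security-relevant headers are constructed for the example. It folds header names to lower case because HTTP header names are case-insensitive, so variants such as X-Frame-Options and X-FRAME-OPTIONS count as one header rather than as separate rows.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Security-relevant response headers to report on (a hypothetical selection for
# this example; the page itself names X-XSS-Protection and X-Frame-Options).
SECURITY_HEADERS = {
    "x-frame-options", "x-xss-protection", "x-content-type-options",
    "strict-transport-security", "content-security-policy", "referrer-policy",
}


def parse_head_response(raw: str) -> List[str]:
    """Return the header names from one raw HTTP response (status line + headers)."""
    names = []
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                     # blank line ends the header block
            break
        name, sep, _ = line.partition(":")
        if sep:
            names.append(name.strip().lower())  # header names are case-insensitive
    return names


def tally_headers(responses: Iterable[str]) -> Counter:
    """Count how many sites send each header (a header counts once per site)."""
    counts: Counter = Counter()
    for raw in responses:
        counts.update(set(parse_head_response(raw)))
    return counts


def security_header_coverage(counts: Counter, total_sites: int) -> Dict[str, float]:
    """Fraction of surveyed sites sending each security-relevant header."""
    return {h: counts.get(h, 0) / total_sites for h in sorted(SECURITY_HEADERS)}


# Constructed sample responses standing in for real HEAD responses.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2018 00:00:00 GMT\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-FRAME-OPTIONS: DENY\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\nX-Xss-Protection: 1; mode=block\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.invalid/\r\nContent-Type: text/html\r\n\r\n",
]

if __name__ == "__main__":
    counts = tally_headers(SAMPLE_RESPONSES)
    for header, share in security_header_coverage(counts, len(SAMPLE_RESPONSES)).items():
        print(f"{header:28s} {share:.0%}")
```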



All Headers Active In The Past Month
Header (listed by popularity)
Set-Cookie
Content-Type
Date
Connection
Server
Vary
Cache-Control
Link
Expires
X-Powered-By
Content-Length
Pragma
Last-Modified
Accept-Ranges
ETag
X-Content-Type-Options
X-XSS-Protection
Strict-Transport-Security
X-Cache
X-Frame-Options
Content-Language
CF-RAY
Age
X-Wix-Server-Artifact-Id
X-Accel-Buffering
X-Pingback
Via
P3P
Expect-CT
X-AspNet-Version
X-Cacheable
X-UA-Compatible
Content-Security-Policy
X-Via
X-ServedBy
X-Contextid
X-PC-Key
X-PC-Hit
X-Request-Id
X-Wix-Request-Id
X-Seen-By
X-PC-Host
X-PC-Date
X-PC-AppVer
WPE-Backend
X-Type
X-Pass-Why
X-Cache-Group
Access-Control-Allow-Origin
X-UA-Device
X-Ua-Compatible
X-Rid
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Tumblr-User
X-Tumblr-Pixel-1
X-NewRelic-App-Data
X-Tumblr-Pixel-2
X-Permitted-Cross-Domain-Policies
X-Download-Options
X-Adblock-Key
X-Sorting-Hat-PrivacyLevel
X-Sorting-Hat-PodId-Cached
X-Sorting-Hat-Section
X-Sorting-Hat-ShopId-Cached
X-Sorting-Hat-PodId
X-Sorting-Hat-ShopId
X-Dc
X-Alternate-Cache-Key
X-Sorting-Hat-FeatureSet
X-ShardId
X-ShopId
Upgrade
X-Check
Referrer-Policy
X-Tumblr-Pixel-3
Alt-Svc
Host-Header
X-Template
X-Language
X-Ac
X-Hacker
X-Buckets
X-Cache-Hits
X-Runtime
X-Varnish
X-Generator
X-WPE-Loopback-Upstream-Addr
X-Served-By
X-TEC-API-VERSION
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-Host
P3p
X-Drupal-Cache
X-CST
X-Tumblr-Pixel-4
X-Timer
X-Backend
X-Endurance-Cache-Level
X-Cache-Hit
X-Port
X-Newrelic-App-Data
X-AspNetMvc-Version
CF-Cache-Status
Access-Control-Allow-Headers
Status
Access-Control-Allow-Methods
X-Amz-Cf-Id
X-Powered-By-Plesk
X-FRAME-OPTIONS
Access-Control-Allow-Credentials
X-Cache-Enabled
X-Request-ID
X-Iinfo
X-Cache-Status
Content-Location
X-FW-Hash
X-FW-Server
X-Webcom-Cache-Status
X-FW-Static
X-FW-Serve
X-FW-Type
Keep-Alive
X-Robots-Tag
X-Server
X-Wix-Punisher
X-Tumblr-Pixel-5
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-CDN
X-Hits
X-GitHub-Request-Id
X-Proxy-Cache
Content-Encoding
X-Rack-Cache
Rating
Edge-Control
X-FullPageCaching
MS-Author-Via
X-Tumblr-Content-Rating
X-Trace
X-HS-Cache-Config
Edge-Cache-Tag
X-DDC-Arch-Trace
X-HS-Content-Id
X-BC-Stapler
X-Tumblr-Pixel-6
X-Pad
X-Server-Powered-By
Powered-By
X-HS-Combine-CSS
X-Amz-Request-Id
X-Amz-Id-2
X-Mod-Pagespeed
X-Turbo-Charged-By
X-Nginx-Cache-Status
X-DIS-Request-ID
X-Drupal-Dynamic-Cache
X-INKT-SITE
X-INKT-URI
X-IPLB-Instance
Content-Security-Policy-Report-Only
X-LiteSpeed-Cache
Request-Context
X-Fastly-Request-ID
P-WS
P-LB
X-XRDS-Location
X-Logged-In
X-CF-Powered-By
X-Version
X-Content-Digest
X-Accel-Version
Allow
X-Page-Speed
X-Acc-Exp
Last-Published
Charset
X-Zen-Fury
X-Request-Country
X-Svr-Proxy
X-SVR-IIS
Timing-Allow-Origin
X-SSLProxy
X-SSLUpstream
Access-Control-Max-Age
X-Cdn
Cf-Railgun
X-Cnection
X-Upstream
X-Server-Name
X-Content-Powered-By
X-AH-Environment
X-Varnish-Cache
MicrosoftOfficeWebServer
X-LW-Cache
X-Cache-Lookup
X-Amz-Version-Id
X-Varnish-TTL
X-Device
MicrosoftSharePointTeamServices
X-SharePointHealthScore
SPRequestGuid
WP-Super-Cache
EagleId
X-HeyJason
X-Do-Not-Hack
Permitted-Cross-Domain-Policies
X-Safe-Firewall
X-Varnish-Count
Access-Control-Expose-Headers
X-MS-InvokeApp
Cartoon
X-Varnish-HitMiss
X-Cloud-Trace-Context
X-Swift-CacheTime
X-Swift-SaveTime
X-StackifyID
X-Source
X-SS-Location
X-PhApp
X-Webserver
X-VCache
X-SS-Conf
X-Kinsta-Cache
X-Backend-Server
X-Middleton-Display
Display
Response
X-ET-API-ROOT
X-ET-API-VERSION
X-Sol
X-Middleton-Response
SiteSpeed
X-ET-API-ORIGIN
X-Loop
X-Whom
X-Cache-Config
X-User-Agent
X-TNCMS
Liferay-Portal
X-Litespeed-Cache
X-Powered-CMS
Strikingly-Cached-Version
X-Cluster-Node
X-Abgroup
X-URLSCHEME
Strikingly-Cached
Strikingly-Cache-Region
X-Cache-Key
X-DealerOn
X-Dealeron-Original-Url
X-RESOURCE
X-Dealeron-Backend
Cache-Key
Access-Control-Request-Method
X-Vip
Request-Id
X-Pool
X-Goog-Hash
X-Clacks-Overhead
Fastcgi-Cache
X-LiteSpeed-Cache-Control
Generator
Req-Id
X-Handled-By
X-Xss-Protection
X-N-OperationId
Public-Key-Pins-Report-Only
X-Node
X-Micro-Cache
WP-FROM-CACHE
X-S
Surrogate-Control
X-Hostname
X-ServerName
W
CS-SERVER
X-Server-Instance
X-Storage-Cache-Date
X-Storage-Cache-Expires
X-AspNetWebPages-Version
X-Storage-Cache
X-Cached
X-Unbounce-Variant
X-Unbounce-PageId
X-SRV
X-Unbounce-VisitorID
FindLaw
X-Cache-Info
X-LB-Server
Pagespeed
X-HS-Content-Campaign-Id
X-Ruxit-JS-Agent
PageSpeed
X-OneAgent-JS-Injection
X-Wikidot-Backend
X-TTFB
X-TTFB-L
SN
Public-Key-Pins
X-SmugMug-Values
Grace
X-Generated
X-Wikidot-Static-Cache
X-Locale
X-SP-UniqueName
X-Content-Security-Policy
X-Env
SPRequestDuration
X-ARC
X-Path-Route
X-SP-Farm
X-SmugMug-Hiring
X-Hosted-By
Smug-CDN
X-Device-Type
SPIisLatency
X-SRCache-Store-Status
X-FORWARDED-FOR
X-SRCache-Fetch-Status
X-Microcachable
X-Request-Time
X-Span
X-Hstore
X-Hrouter
Retry-After
Cache-Provider
X-Key
X-Microcache-Status
X-Varnish-Debug-Age
X-Varnish-Debug-TTL
X-Translation
X-Lambda-Id
USPLoggingUUID
Content-Style-Type
Content-Script-Type
X-Origin-Id
X-Hyper-Cache
Powered-By-ChinaCache
X-ENDPOINT
X-Sedo-Request-Id
X-Dns-Prefetch-Control
X-Ezoic-Cdn
X-FIRSTBase
X-ORIKEY
X-Forwarded-For
X-Instart-Request-ID
X-ROUTING
X-Application-Context
X-Jimdo-Instance
X-Via-S
X-Topify-Platform
X-XN-XNHTML
X-Appmachine-Environment
ServerID
X-Varnish-Debug-Hits
X-Jimdo-Wid
X-RateLimit-Remaining
X-RateLimit-Reset
IM-Version
X-Supported-By
X-RateLimit-Limit
Content-Encoding-Handler
X-XN-Trace-Token
X-Cache-Miss-From
ServerNode
SSPAppContext
*
VSID
ViewMode
X-APIAUTH-VAL
X-APIVERSION
X-Cached-By
X-Response-Time
Request-EU
Request-Country
Node
X-PERF
X-ApacheServer
X-SSL-Cipher
X-Accel-Expires
ServedBy
X-SSL-Protocol
X-Microcache
Rt-Fastcgi-Cache
X-Vcache
Firespring-Website-Id
X-Middleware-Start
Use-Proxy
MC
X-Trace-Id
X-Server-Upstream
Aurora-Node
X-4ormat-Cacheable
Version
X-Engine
X-Original-Request
X-Origin
X-Expires-Orig
X-Passed-To
X-Passed-To-DLL
X-Ratelimit-Remaining
X-CPU-Time
X-Ratelimit-Limit
X-Magento-Cache-Debug
X-Magento-Cache-Control
X-NWS-LOG-UUID
X-Cache-Handler
X-Fastcgi-Cache
X-Edge-IP
X-Firefox-Spdy
X-HS-Status
X-DNS-Prefetch-Control
X-FromPodPressCache
X-App-Status
X-Edge-Location
X-FB-Debug
TCN
X-Dscp-Value
X-Fedora-School-Id
X-PHP-Backend
X-Varnish-Beresp-Status
Accept-Encoding
X-Varnish-Server
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Grace
X-UD-Method
X-Returned-From-DLL
X-Returned-From
X-Ratelimit-Reset
X-Sapient
X-Stale
X-Sucuri-Cache
X-Generated-Timestamp
X-VARITI-CCR
X-Sucuri-ID
X-Daa-Tunnel
Service-Worker-Allowed
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length
X-Goog-Storage-Class
X-Goog-Metageneration
X-Goog-Generation
X-GUploader-UploadID
X-HeBS-Cache-Status
X-Original-Date
X-Pantheon-Environment
X-Mighty-Proxy
X-Matrix-Server
X-Matrix-Proxy
X-Environment
X-Empowered-By
Ssl-Proxy-Server
Surrogate-Key
RequestId
Imagetoolbar
Feature-Policy
Surrogate-Key-Raw
X-Amz-Meta-S3cmd-Attrs
X-Dw-Request-Base-Id
X-Discourse-Route
X-Debug-Info
X-Consent-Required
X-Pantheon-Phpreq
X-Pantheon-Site
X-Speed-Cache-Key
X-URL
X-Speed-Cache
X-Proxy-Backend
X-Processing-Time
X-VC-Enabled
X-WEBMGR-CACHE
X-Actual-URL
REFRESH
PBS
Fpc-Cache-Id
X-NoCache
X-GeoIP-Country-Name
Composed-By
Hummingbird-Cache
Xkey
X-Umbraco-Version
X-Rocket-Nginx-Bypass
IES-Server
Load-Balancer
X-GeoIP-Country-Code
X-Cookie-Domain
Origin
MIME-Version
X-Cache-Control-Orig