SANS ISC: HTTP Header Usage Statistics

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site with an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
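The counting step described above, as an added example that is not the ISC project's own code: it parses the header block of raw HEAD responses, counts each header name once per site (case-folded, so that spellings such as P3P and P3p fall into one bucket, which is this example's choice, not the page's), and reports what fraction of sites send each of the security-relevant headers named on this page. The SAMPLE_RESPONSES are constructed stand-ins, not captures from real sites.

```python
"""Count HTTP response header names across a set of HEAD responses.

Added example (not the ISC project's code). Each entry in SAMPLE_RESPONSES
is a constructed raw HEAD response; header names are counted once per
site, case-insensitively.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set

# Security-relevant headers that appear in the statistics page (lower-cased).
SECURITY_HEADERS: Set[str] = {
    "x-frame-options",
    "x-content-type-options",
    "strict-transport-security",
    "x-xss-protection",
    "content-security-policy",
    "referrer-policy",
    "permissions-policy",
    "expect-ct",
    "x-permitted-cross-domain-policies",
}

# Constructed sample data standing in for real HEAD responses (not real sites).
SAMPLE_RESPONSES: List[str] = [
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: a=1; Secure; HttpOnly\r\n"
    "Set-Cookie: b=2; Secure; HttpOnly\r\n"
    "x-content-type-options: nosniff\r\n"
    "\r\n",
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Mon, 01 Jan 2024 00:00:01 GMT\r\n"
    "Location: https://example.invalid/\r\n"
    "Content-Type: text/html\r\n"
    "Server: nginx\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:02 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "P3p: CP=\"NOI\"\r\n"
    "Server: Apache\r\n"
    "\r\n",
]


def parse_head_response(raw: str) -> List[str]:
    """Return header names, in order, from a raw HEAD response (status line + headers)."""
    lines = raw.split("\r\n")
    names: List[str] = []
    for line in lines[1:]:  # skip the status line
        if line == "":  # blank line terminates the header block
            break
        if line[0] in " \t":  # obsolete line folding: continuation of the previous value
            continue
        name, sep, _value = line.partition(":")
        if sep and name.strip():
            names.append(name.strip())
    return names


def count_headers(responses: Iterable[str]) -> Counter:
    """Count how many responses carry each header (once per response, case-folded)."""
    counts: Counter = Counter()
    for raw in responses:
        counts.update({name.lower() for name in parse_head_response(raw)})
    return counts


def security_header_coverage(counts: Counter, total: int) -> Dict[str, float]:
    """Fraction of responses that send each security-relevant header."""
    if total <= 0:
        return {h: 0.0 for h in sorted(SECURITY_HEADERS)}
    return {h: counts.get(h, 0) / total for h in sorted(SECURITY_HEADERS)}


def missing_security_headers(raw: str) -> Set[str]:
    """Security-relevant headers absent from a single response."""
    present = {n.lower() for n in parse_head_response(raw)}
    return SECURITY_HEADERS - present


if __name__ == "__main__":
    counts = count_headers(SAMPLE_RESPONSES)
    print("Header popularity:")
    for name, n in counts.most_common():
        print(f"  {n:3d}  {name}")
    print("Security header coverage:")
    for name, frac in security_header_coverage(counts, len(SAMPLE_RESPONSES)).items():
        print(f"  {frac:5.0%}  {name}")
```

Counting once per site is an assumption made here: a site that sends two Set-Cookie headers still contributes one to that header's popularity, which is what a "how many sites send header X" statistic needs. The missing_security_headers helper turns the same parser into a per-site check, which is the form a defender auditing their own site would use.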



All Headers Active In The Past Month
Header Popularity
X-Cache
Set-Cookie
Vary
Connection
Date
Content-Type
X-Cache-Lookup
Server
Cache-Control
Via
X-Amz-Cf-Pop
X-Amz-Cf-Id
Content-Length
X-Edge-Origin-Shield-Skipped
X-Frame-Options
X-Content-Type-Options
Strict-Transport-Security
ETag
Expires
X-XSS-Protection
Link
X-Powered-By
Accept-CH
Last-Modified
Accept-Ranges
Age
EagleId
Content-Security-Policy
Pragma
Referrer-Policy
Expect-CT
CF-RAY
CF-Cache-Status
Access-Control-Allow-Origin
Report-To
NEL
Content-Language
Alt-Svc
X-Download-Options
X-Request-Id
X-Cache-Hits
Access-Control-Allow-Methods
Access-Control-Allow-Headers
X-Dns-Prefetch-Control
X-UA-Compatible
X-Adblock-Key
X-Varnish
X-Served-By
Content-Security-Policy-Report-Only
Access-Control-Allow-Credentials
X-Permitted-Cross-Domain-Policies
Accept-CH-Lifetime
X-Amz-Version-Id
X-Envoy-Upstream-Service-Time
P3P
X-Runtime
X-Timer
X-Generator
X-Aspnet-Version
X-Cacheable
X-Drupal-Dynamic-Cache
X-Drupal-Cache
Permissions-Policy
X-Amz-Request-Id
X-Vhost
X-Amz-Id-2
X-Dispatcher
X-CDN
Server-Timing
Access-Control-Max-Age
X-Iinfo
X-Element-Page-Cache
X-Content-Type
X-D2id
X-Request-Device-Id
X-Content-Security-Policy
X-Meli-Trace-Bu
X-Meli-Trace-Site
X-Meli-Trace-Platform
X-Via
X-Backend
Feature-Policy
X-Navigation-Version
X-Ws-Request-Id
X-Turbo-Charged-By
X-Cache-Status
Access-Control-Expose-Headers
X-Server
Status
X-Proxy-Cache
Timing-Allow-Origin
Content-Encoding
X-Varnish-Cache
X-Amz-Server-Side-Encryption
X-AspNetMvc-Version
Request-Id
Xkey
X-Ua-Compatible
Cf-Edge-Cache
X-WebKit-CSP
X-SharePointHealthScore
X-ProcessESI
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
Apigw-Requestid
X-MS-InvokeApp
X-Node
X-RemovedCookies
SPRequestGuid
X-AH-Environment
X-CST
SPRequestDuration
SPIisLatency
X-Cache-Group
Cache-Tag
X-Timing-Wait
X-Amzn-Trace-Id
Selected-Fe
X-Proxy-Build
Grace
X-Robots-Tag
X-Redirect
X-LiteSpeed-Cache
X-Amz-Rid
Cf-Apo-Via
Fastly-Restarts
X-Provided-By
X-Page-Speed
X-Mly-Id
X-Age
X-OneAgent-JS-Injection
MicrosoftSharePointTeamServices
AMP-Access-Control-Allow-Source-Origin
X-Device
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Host
X-Cacheable-TTL
X-Powered-By-Plesk
X-Ruxit-JS-Agent
Front
X-Amz-Replication-Status
CloudFront-Viewer-Country
X-Language
X-Mod-Pagespeed
X-HW
X-Correlation-Id
X-Cache-TTL
X-Cache-Time
X-Country-Code
Odigeo-Trace-Id
Xet-Cookie
X-Trace
X-Backend-Server
X-Status
X-Vcl-Version
X-Rq
X-SRCache-Key
X-Readtime
Content-Location
Protected
Expect-Staple
P3p
X-B3-TraceId
Allow
X-Viewer-Country
X-Akam-SW-Version
AKAMAI-GRN
Mrf-Cache-Status
MRF-Tech
X-B3-TraceId-Primal
X-ID
X-Yottaa-Optimizations
Request-ID
X-AspNet-Version
X-Yottaa-Metrics
X-Server-ID
X-Generated-By
X-User
X-Envoy-Decorator-Operation
X-Template
X-Debug-Info
X-Hl-Ver
Pinterest-Version
Request-Context
We-Hiring
X-Amzn-RequestId
X-Amz-Apigw-Id
X-Clientip
Pinterest-Generated-By
X-Pinterest-Rid
Countrycode
Cf-Railgun
X-Azure-Ref
X-Server-Powered-By
X-Server-Id
Mail-Subject
Liferay-Portal
X-UA-Device