Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
X-Cache
Set-Cookie
Date
Connection
Content-Type
X-Cache-Lookup
Vary
Server
Cache-Control
Via
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Edge-Origin-Shield-Skipped
Content-Length
X-Frame-Options
X-Content-Type-Options
Strict-Transport-Security
ETag
Expires
X-Powered-By
Link
Last-Modified
X-XSS-Protection
Accept-Ranges
Age
Accept-CH
Content-Security-Policy
Pragma
Referrer-Policy
Access-Control-Allow-Origin
Expect-CT
CF-Cache-Status
CF-RAY
EagleId
Content-Language
Report-To
NEL
X-Download-Options
X-Request-Id
Alt-Svc
X-Xss-Protection
Access-Control-Allow-Methods
X-UA-Compatible
Access-Control-Allow-Headers
X-Cache-Hits
X-Varnish
Content-Security-Policy-Report-Only
X-DNS-Prefetch-Control
X-Adblock-Key
X-Served-By
X-Permitted-Cross-Domain-Policies
X-Amz-Version-Id
X-Envoy-Upstream-Service-Time
Access-Control-Allow-Credentials
Accept-CH-Lifetime
P3P
X-Runtime
X-Generator
X-Dns-Prefetch-Control
Permissions-Policy
X-Drupal-Cache
X-Cacheable
X-Drupal-Dynamic-Cache
X-Amz-Request-Id
X-Dispatcher
X-Vhost
X-Amz-Id-2
X-Timer
X-Meli-Trace-Site
X-Request-Device-Id
X-Meli-Trace-Platform
X-D2id
X-Meli-Trace-Bu
X-Element-Page-Cache
X-Content-Type
X-Navigation-Version
Server-Timing
Feature-Policy
X-CDN
X-Iinfo
X-AspNet-Version
Access-Control-Max-Age
X-Backend
X-Cache-Status
X-Via
X-Content-Security-Policy
Status
Access-Control-Expose-Headers
X-Server
X-Turbo-Charged-By
X-Proxy-Cache
X-Aspnet-Version
X-Ws-Request-Id
Content-Encoding
X-Varnish-Cache
X-Amz-Server-Side-Encryption
X-Amzn-Trace-Id
Timing-Allow-Origin
X-AspNetMvc-Version
Xkey
Request-Id
X-MS-InvokeApp
X-ProcessESI
X-RemovedCookies
X-WebKit-CSP
X-AH-Environment
X-SharePointHealthScore
SPRequestGuid
SPRequestDuration
SPIisLatency
X-Amz-Rid
Cache-Tag
Cf-Edge-Cache
X-OneAgent-JS-Injection
Apigw-Requestid
X-Node
Selected-Fe
X-Robots-Tag
X-Timing-Wait
X-Proxy-Build
X-LiteSpeed-Cache
AMP-Access-Control-Allow-Source-Origin
X-Mly-Id
X-Page-Speed
MicrosoftSharePointTeamServices
X-Redirect
Xet-Cookie
CloudFront-Viewer-Country
X-Ruxit-JS-Agent
X-Styx-Req-Id
Front
X-Host
X-CST
X-Cacheable-TTL
X-Amz-Replication-Status
X-Pantheon-Styx-Hostname
X-Cache-Group
Grace
Fastly-Restarts
X-Mod-Pagespeed
X-Provided-By
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Age
Cf-Apo-Via
X-Device
Content-Location
X-Backend-Server
X-SRCache-Key
Expect-Staple
X-Cache-Time
X-Readtime
Protected
X-Rq
X-Correlation-Id
X-Cache-TTL
X-Server-Powered-By
X-Ua-Compatible
Request-Context
X-Amz-Apigw-Id
X-Amzn-RequestId
We-Hiring
X-User
X-Viewer-Country
X-Status
X-HW
Allow
X-Server-Id
Mail-Subject
X-Azure-Ref
X-Clientip
Countrycode
X-Hl-Ver
X-Debug-Info
Liferay-Portal
X-Powered-By-Plesk
X-Language
Odigeo-Trace-Id
X-Trace
Resin-Trace
X-Vcl-Version
X-Country-Code
Cf-Railgun
P3p
X-B3-TraceId
X-Server-ID
X-ID
X-Generated-By
AKAMAI-GRN
X-Envoy-Decorator-Operation
X-Yottaa-Optimizations
X-Yottaa-Metrics
Request-ID
X-B3-TraceId-Primal
X-UA-Device
X-Template
X-Pinterest-Rid
Mrf-Cache-Status
MRF-Tech
X-Akam-SW-Version
Pinterest-Generated-By
Pinterest-Version