
SANS ISC: HTTP Header Usage Statistics - Internet Security | DShield



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites, and we try to poll as many of them as possible each day.

As we collect more data, we will plot changes over time.
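The tally described above, as an added offline example that is not the ISC project's own collection code: it parses a few constructed HEAD responses for hypothetical sites (a.example, b.example, c.example), counts each header name once per site, and reports which of a hand-picked set of security-relevant headers each site sends. The set in SECURITY_HEADERS is an editorial choice for the example, not the page's definition, and the function names are assumptions. Header names are tallied case-insensitively by default, since HTTP treats them that way; the histogram on this page appears to count spellings such as P3P and P3p separately, so a case_sensitive switch reproduces that behaviour.

```python
from collections import Counter
from typing import Dict, List

# Response headers this example treats as security-relevant. Editorial choice
# for the example; the first five appear in the histogram on the page.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
    "referrer-policy",
)

# Constructed HEAD responses for three hypothetical sites (not real data).
# b.example sends P3P twice with different casing and two Set-Cookie headers;
# c.example sends CSP only in report-only form, which is not an enforced policy.
SAMPLE_RESPONSES: Dict[str, str] = {
    "a.example": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "\r\n"
    ),
    "b.example": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Content-Type: text/html\r\n"
        "Set-Cookie: a=1; Path=/\r\n"
        "Set-Cookie: b=2; Path=/\r\n"
        "P3P: CP=\"NOI\"\r\n"
        "p3p: CP=\"NOI\"\r\n"
        "X-Powered-By: PHP/5.6\r\n"
        "\r\n"
    ),
    "c.example": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://c.example/\r\n"
        "Content-Type: text/html\r\n"
        "Content-Security-Policy-Report-Only: default-src 'self'\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
        "\r\n"
        "a body is not expected for HEAD, but must be ignored if present\r\n"
    ),
}


def parse_header_names(raw: str) -> List[str]:
    """Return the header names of one raw response, in wire order.

    Skips the status line, stops at the first empty line, ignores lines
    without a colon and treats obsolete folded continuation lines (leading
    space or tab) as part of the preceding header rather than a new name."""
    names: List[str] = []
    for line in raw.split("\r\n")[1:]:      # [1:] drops the status line
        if line == "":
            break                           # end of the header section
        if line[0] in " \t":
            continue                        # obs-fold continuation line
        name, sep, _value = line.partition(":")
        if not sep or not name.strip():
            continue                        # malformed line, not a header
        names.append(name.strip())
    return names


def tally_headers(responses: Dict[str, str], case_sensitive: bool = False) -> Counter:
    """Count, per header name, how many sites sent it at least once.

    A header repeated within one response (e.g. Set-Cookie) counts once for
    that site. Case-insensitive by default, so P3P and p3p fold together."""
    counts: Counter = Counter()
    for raw in responses.values():
        seen = set()
        for name in parse_header_names(raw):
            seen.add(name if case_sensitive else name.lower())
        counts.update(seen)
    return counts


def security_coverage(responses: Dict[str, str]) -> Dict[str, int]:
    """Number of sites sending each security-relevant header in enforced form
    (the -Report-Only variant of CSP is deliberately not counted)."""
    counts = tally_headers(responses)
    return {h: counts.get(h, 0) for h in SECURITY_HEADERS}


def missing_security_headers(raw: str) -> List[str]:
    """Security-relevant headers absent from one site's response."""
    present = {n.lower() for n in parse_header_names(raw)}
    return [h for h in SECURITY_HEADERS if h not in present]


if __name__ == "__main__":
    for name, n in tally_headers(SAMPLE_RESPONSES).most_common():
        print(f"{n:3d}  {name}")
    print(security_coverage(SAMPLE_RESPONSES))
    for site, raw in SAMPLE_RESPONSES.items():
        print(site, "missing:", ", ".join(missing_security_headers(raw)))
```

To run the same tally over a real collection, replace SAMPLE_RESPONSES with raw responses captured from the sites you are authorised to survey; the parsing and counting logic does not change.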



All Headers Active In The Past Month, ordered by header popularity (most common first):
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
Link
ETag
X-Content-Type-Options
X-XSS-Protection
X-Frame-Options
X-Pingback
P3P
X-Cache
X-AspNet-Version
Content-Language
Age
CF-RAY
X-UA-Compatible
Strict-Transport-Security
Via
X-Adblock-Key
Access-Control-Allow-Origin
X-Varnish
X-Language
X-Template
X-Check
P3p
X-Buckets
X-Generator
X-Cacheable
X-Drupal-Cache
Content-Location
X-Hacker
X-Ac
X-AspNetMvc-Version
X-Powered-By-Plesk
MS-Author-Via
X-Type
X-Pass-Why
X-Cache-Group
X-Request-Id
X-Runtime
WP-Super-Cache
X-Cache-Hits
X-Powered-CMS
Status
Ngpass-Ngall
Host-Header
Access-Control-Allow-Credentials
X-Permitted-Cross-Domain-Policies
Keep-Alive
X-Iinfo
X-Download-Options
Content-Security-Policy
Access-Control-Allow-Headers
X-UA-Device
X-Request-ID
X-Alternate-Cache-Key
X-Dc
X-ShardId
X-ShopId
Access-Control-Allow-Methods
X-Mod-Pagespeed
X-Via
Upgrade
X-Pad
X-Logged-In
X-Served-By
X-Backend
X-Host
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Server
X-Tumblr-Pixel-1
X-Contextid
X-PC-Key
X-PC-Hit
Powered-By
X-ServedBy
X-Tumblr-Pixel-2
X-Cache-Status
Content-Encoding
X-CDN
X-PC-Date
X-PC-Host
X-PC-AppVer
X-Cache-Hit
X-Port
X-Cnection
X-Accel-Version
X-Robots-Tag
X-Timer
X-Varnish-Cache
X-Cache-Lookup
X-Tumblr-Pixel-3
SPRequestGuid
X-SharePointHealthScore
X-Amz-Cf-Id
X-XRDS-Location
MicrosoftSharePointTeamServices
X-MS-InvokeApp
MicrosoftOfficeWebServer
X-Request-Country
X-Server-Powered-By
X-Content-Powered-By
X-Rack-Cache
CF-Cache-Status
X-Page-Speed
X-Safe-Firewall
Alt-Svc
X-AH-Environment
X-Turbo-Charged-By
X-Node
X-Webserver
X-Content-Digest
X-PhApp
X-INKT-URI
X-INKT-SITE
Request-Id
X-FullPageCaching
X-Wix-Renderer-Server
X-Seen-By
X-Wix-Request-Id
X-Cache-Enabled
Public-Key-Pins
X-GitHub-Request-Id
SPIisLatency
SPRequestDuration
Timing-Allow-Origin
Rating
X-Tumblr-Content-Rating
Composed-By
Served-By
X-Proxy-Cache
Content-Security-Policy-Report-Only
X-Tumblr-Pixel-4
X-Drupal-Dynamic-Cache
Liferay-Portal
X-Amz-Id-2
Cf-Railgun
X-Amz-Request-Id
X-Server-Name
Permitted-Cross-Domain-Policies
X-Nginx-Cache-Status
X-HeyJason
Xkey
Charset
X-Cdn
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-Styx-Version
X-Styx-Req-Id
Surrogate-Key-Raw
X-XN-XNHTML
X-XN-Trace-Token
X-Swift-SaveTime
X-Swift-CacheTime
Refresh
Grace
X-Content-Security-Policy
X-Spip-Cache
Access-Control-Expose-Headers
Surrogate-Key
X-SERVER
X-Hits
EagleId
Access-Control-Max-Age
X-Firenze-Processing-Times
X-FW-Hash
X-Hyper-Cache
X-VCache
X-FW-Type
X-FW-Static
X-FW-Serve
Content-Script-Type
Content-Style-Type
Access-Control-Allow-Method
Real-Hostname
X-Loop
X-TNCMS
X-FB-Debug
X-CDN-Pop-IP
X-CDN-Pop
X-Tumblr-Pixel-5
X-Device
Public-Key-Pins-Report-Only
X-LiteSpeed-Cache
X-CF-Powered-By
X-Cache-Server
X-Fastly-Request-ID
X-Tumblr-Adult-Blog
X-Dw-Request-Base-Id
X-Age
X-Clacks-Overhead
X-Servedby
X-Cache-Result
Cartoon
X-Whom
X-URL
Fastly-Debug-Digest
X-Generated-By
X-ServerName
X-Cached-By
X-Backend-Server
X-User-Agent
NS-RTIMER-COMPOSITE
Edge-Control
DynaTrace
X-Jimdo-Wid
X-Jimdo-Instance
Fpc-Cache-Id
X-DDC-Arch-Trace
X-Tumblr-Pixel-6
X-MiniProfiler-Ids
X-Cloud-Trace-Context
X-Cached
X-Cache-Config
X-Px
X-DynaTrace
TCN
PageSpeed
Surrogate-Control
ServedBy
X-Outils-CS
X-Content-Options
Product
X-Newrelic-App-Data
X-DynaTrace-JS-Agent
X-CMS-Version
X-FORWARDED-FOR
X-Umbraco-Version
Imagetoolbar
X-TTL
X-Msg-2-Log
X-BC-Stapler
X-Micro-Cache
Origin
X-Handled-By
X-AspNetWebPages-Version
X-Matrix-Server
X-Matrix-Proxy
X-Art-Request-Id
X-From
X-Passed-To-PostProcessResponse
X-Country-Code
X-Returned-From-BeforeDispatch
X-Passed-To-DLL
X-Passed-To-BeforeDispatch
X-Actual-URL
X-Original-Request
X-Passed-To
X-B2f-Cache-Load
X-Returned-From
X-Returned-From-DLL
X-Returned-From-PostProcessResponse
Response
X-Powered-By-360WZB
X-Varnish-Host
WZWS-RAY
X-Stale
X-Expires-Orig
X-EC-Security-Audit
X-Varnish-Beresp-Grace
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Status
X-Platform
X-WebKit-CSP
X-Varnish-Cache-Hits
Front-End-Https
X-Goog-Hash
X-Cache-Info
X-LiteSpeed-Cache-Control
X-DNS-Prefetch-Control
X-Magnolia-Registration
Rt-Fastcgi-Cache
X-ApacheServer
X-PERF
X-Sol
Fhost
X-App-Hosting
X-Middleton-Display
SN
Alternate-Protocol
Referrer-Policy
X-Middleton-Response
Display
X-Recruiting
X-Server-ID
Server-Info
X-Hostname
X-Zen-Fury
X-Gamma-Serve
Content-MD5
X-Duration
X-Daa-Tunnel
MIME-Version
Surrogate-Keys
X-Url
X-Engine
X-Fastcgi-Cache
X-Forwarded-For
X-Varnish-Cacheable
X-UD-Method
ServerName
X-NetCat-Version
X-CJ-Soft
X-BS
Content-Security-Policy-Rerport-Only
X-Cache-Debug
Generator
X-I-Sp
X-Track
X-UPSTREAM
X-Microcachable
X-Rocket-Nginx-Bypass
X-Location-Id
X-Varnish-Backend
X-CacheServer
X-Cf-Powered-By
RTSS
ServerID
X-Varnish-Age
Pics-Label
Host
Ag-Send-Time
Fastcgi-Cache
X-RESOURCE
Node
Ag-Server-Time
Access-Control-Request-Method
X-ATG-Version
X-URLSCHEME
X-Request-Time
X-Hosted-By
Lsrequestid
Ag-Execution-Time
Proxy-Agent
IBM-Web2-Location
X-AOL-HN
X-I
X-Storage
Powered
X-Device-Type
X-SV-Expires
X-Translation
X-SV-CacheTags
X-SV-Edge
X-SV-CreatedAt
X-SV-Duration
X-SV-FromDBCache
X-SV-Nginx-Duration
X-Cache-Rule
Powered-By-ChinaCache
X-SV-Pid
X-S
X-Microcache-Status
X-Version
Edge-Control-Message
X-Varnish-TTL
X-Varnish-Seen-By
Req-Id
Content-Disposition
X-Varnish-RemainingTTL
Cache
X-Varnish-RemainingLife
X-Varnish-GracePeriod
X-Varnish-ObjectSource
X-VTEX-Cache-Status-Janus-Edge
X-VTEX-Janus-Router-Backend-App
X-Vtex-Processado-Em:
X-VTEX-Cache-Status-Janus-ApiCache
X-Nurl
X-Powered-By-VTEX-Janus-Edge
X-Nginx-Host
X-Akamai-Device-Characteristics
X-Akamai-Device-Model
X-Content-Encoded-By
Magicmarker
X-Vtex-Remote-Cache
X-NoCache
X-Vtex-Processed-At
X-Powered-By-VTEX-Janus-ApiCache
X-VWS-Id
No
USPLoggingUUID
Backend
X-LJ-Flow-ID
X-AWS-Id
X-Content-Age
X-Client-IP
X-HOSTNAME
X-Nhost
X-Mobile-URL
X-Cache-Doesi
Last-Published
X-Nbs
Arr-Disable-Session-Affinity
X-NFE
X-Cookie-Domain
X-ServerID
X-Amz-Version-Id
CC-CACHE
X-Cache-Operation
X-Cache-Control-Orig
Content-Encoding-Handler
X-Origin
X-Grace
X-SRCache-Fetch-Status
SEOMOZ
X-SRCache-Store-Status
X-Mobilized-By
MJ12bot
X-BKSrc
X-Domain-Checked
X-App-Status
X-Front
X-Provisioner-Version
X-Varnish-Hits
X-CDN-Forward
X-Firenze-Processing-Time
X-Microcache
X-Cache-Expires
X-Varnish-HitMiss
Server-Name
X-Varnish-Count
X-ID
X-Abuse
SRV
X-GUploader-UploadID
X-Debug
X-Goog-Stored-Content-Encoding
X-Developer
X-Goog-Metageneration
X-Symfony-Cache
X-Response-Time
X-Goog-Generation
A-Powered-By
X-Goog-Storage-Class
X-Goog-Stored-Content-Length
Retry-After
X-Geo-IP
Ngpass-Vcall
X-Hypernode
X-Trace
X-Route-Server
X-Empowered-By
X-Instart-Request-ID
S
X-Do-Not-Hack
X-Resolver-IP
Beyond-Iis
X-Supported-By
Akamai-IP
X-IIJ-Cache
CT
Filter-Revision
X-Source
Mobiquo-Is-Login
PICS-Label
X-Worker
X-Varnish-Ttl
X-B-Cache
Content-Hash
X-Cache-Control
X-Purge-URL
X-DefendeR-Status
Page-Completion-Status
X-DefendeR-Runtime
Version
Content-Transfer-Encoding
COMMERCE-SERVER-SOFTWARE
X-Nginx-Cache
X-Directory-Script
X-ServerIndex
Bios
X-N
X-Cache-Engine
X-Vcap-Request-Id
X-HP-Trace-Project
X-HP-Trace-ID
X-Hiawatha-Cache
X-Speed-Cache
X-Geo-IPV
X-Geo-IP-Region
X-PwB-Node
X-Speed-Cache-Key
X-Yadis-Location
X-Geo-IP-Metro
AMF-Ver
Buuteeq-Source
Cache-Key
X-Kinsta-Cache
X-Processing-Time
X-Geo-IP-Country
X-EDGECONNECT-GUID-DEBUG
Qs-Cache
X-Atraveo-Param-Rm
X-Atraveo-From-Varnish-Cache
X-Grid-Server
X-Purge-Host
X-Amz-Meta-S3cmd-Attrs
X-Atraveo-Expires
X-Varnish-IP
X-Platform-Server
X-Atraveo-Cache-Control
X-Varnish-Server
X-Time
X-Browser
WWW-Authenticate
X-ARC
X-PRAM
X-We-Are-Hiring
X-Atraveo-Set-Cookie
X-Atraveo-ETag
X-GeoIP-Country-Code
X-GeoIP
X-Force
X-Captured
IISExport
SSPAppContext
X-Dispatcher
X-Route
MW-Webserver
Cmsid
Cached
X-GeoIP-Country-Name
X-F-Cache
X-Environment
X-Amz-Storage-Class
X-Source-ID
Cmstype
X-Atraveo-Varnish-Server-Id
X-Atraveo-Zone
X-StackifyID
X-Atraveo-TTL
Accept-Charset
X-Discourse-Route
Realaction
X-Pj-Cache-Status
X-RateLimit-Remaining
Cm-Server
PServer
Author
X-Cache-Key
X-DB-Content-Length
Thanks
X-Litespeed-Cache-Control
X-SmugMug-Hiring
X-Prefetched
Actioncode
X-Cache-Lifetime
X-SmugMug-Values
X-TTFB
X-App
NLCacheNote
Nitro-Cache
X-TTFB-L
Webluker-Edge
W
X-Edge-Location
Section-Io-Id
Id
Srv
Host-Service
Identity
Smug-CDN
Machine
Location
X-Cache-Tags
X-Env
X-Flow-Powered
X-NginX-Server
Eomportal-Instance
X-Vary-Options
X-NginX-Cache
A
X-Drectory-Script
X-EPiphany-Vid
X-Cache-TTL
X-Cocoon-Version
X-Client-Image-Vid
X-Client-Vid
X-Dns-Prefetch-Control
X-FW
X-Cache-Source
X-Custom-Header
X-Cache-Provider
X-Blog
X-Plat-Va-Ip
X-Session-Reinit
X-Turpentine-Cache
X-Varnish-Currency
X-Key
X-Pagename
X-Plat
X-Hit-Cache
X-DTC
X-Nginx
NnCoection
X-Plat-Be-Ip
X-RealServer
X-WA-Info
X-Goog-Meta-Replace
Hamster
X-OneAgent-JS-Injection
X-Signature
X-Qnm-Cache
X-Proxy-Cache-Key
Cache-Rule
If-Modified-Since
X-Server-Upstream
Myheader
X-PG
X-PBY
X-Server-By
X-Cache-Set
X-V
X-SE-Debug
NetMindSessionID
OT-RequestId
X-Gyrobase-Publication
X-Pj-Cache-Key
X-Pj-Cache-Gzip
X-Pj-Cache-Time
X-Powered-By-Anquanbao
X-RateLimit-Limit
X-ProcessTime
X-Pj-Cache-Flags
X-Pj-Cache-Expires
X-IP-Address
X-HA
X-Name
X-OPNET-Transaction-Trace
X-Original-Host
Proxy-Connection
X-RateLimit-Reset
X-RequestId
X-HostName
X-Connection-Hash
X-LB
X-Transaction
HAVer
X-Twitter-Response-Tags
X-B
X-Ttl
X-Transaction-Id
X-Dynatrace
X-Varnish-Cache-Control
X-Varnish-Cache-Local
Yoncu-Errno
HCVer
X-Framework
CLMOB
Cdate
Cneonction
Host-Name
NtCoent-Length
Sid
Backend-Timing
X-Varnish-Store
X-FIRSTBase
X-Frontend
X-Edge-IP
X-Varnish-Esi-Access
X-Varnish-Set-Cookie
X-Varnish-Esi-Method
Rewriter
PowerCDN
X-ClientSide-Caching
X-CCM
X-Content-Type
X-DN-Cache-Control
X-DSMX-Rewrite-MS
X-DSMX-Render-MS
X-B2f-Not-Route
X-APP
WWW
Tracecode
X-ACLR-Version
X-Analytics
Front
X-Goog-Meta-Policy
X-Revision
X-Esi
X-Avvio-Cms-Cacheload
Allow
Disablevcache
X-Artvisual-Server
X-Airee-Node
Provider
X-EdgeConnect-MidMile-RTT
NZSpeedy
X-EdgeConnect-Origin-MEX-Latency
Accept-Encoding
INCOMING-TIME
X-Machine-Name
X-Server-Id
Noq:
Cpu:
Ram:
X-Frames-Options
X-Webcelerate
X-Stage
X-HW
X-Yottaa-Optimizations
X-Yottaa-Metrics
X-Cluster-Node
X-Turpentine-Esi
X-ACCELERATE
Frame-Options
NODE
MageStack-Cache-Hits
MageStack-Cache
MageStack-Cache-Lifetime
MageStack-Cache-Status
MageStack-Cache-Warning
MageStack-Area
Logging-CorrelationId
X-Accel-Expires
Warning
Ufe-Result
Svr
MageStack-Cacheable
MageStack-Cacheable-Reason
MageStack-Web-Node
MageStack-Tag
Server-Ip
MSThemeCompatible
MSSmartTagsPreventParsing
MageStack-Response-Ttl
MageStack-PageSpeed
MageStack-Config
MageStack-Debug
MageStack-Loadbalancer
MageStack-Magento-Version
CACHED-RESPONSE
X-Cache-Backend
X-Server-Instance
X-Rewritten-By
X-LB-Server
X-Sucuri-Cache
X-Sucuri-ID
X-Real-Server
X-Optimization
X-Layout
X-ManagedFusion-Rewriter-Version
X-Max-Age
X-Magento-Tags
X-This-Proto
X-Title
X-Varnish-Max-Age
X-Config-Blacklist-Version
X-CB-Server
X-Cache-Only-Varnish
X-Cache-Device-Type
X-Dispatch
X-HydroSheep
X-Instance-Name
X-Unbounce-PageId
X-Unbounce-Variant
X-Unbounce-VisitorID
IM-Version
Ibf5scheme
X-Reason-Bp
X-Real-IP
X-Beatles
X-SDS
X-Search-Id
X-Beatles-Hits
X-Cache-CFC
X-Config-By
X-PM-ID
X-Cluster
X-Checkout
X-Server-Response-Time
X-Server-Start-Time
From-Origin
Ews
Hostname
Il-Cl
MC
CpuTime
Content-Instance
X-Balanceador
X-Apm-Telemetry-Syncmark
Ttl
Proxy-Cache
X-Does-He-Have-Time
X-Domino-CacheValidationWithETagReason
X-TTL-Age
X-VC-TTL
X-Server-IP
X-Rack-Cors
X-Pixelsilk-Version
X-VERSION
X-Would-Your-GrandPa-Wait
Httpd-Identifier
Expiries
X-Your-GrandPa-Would-Wait
X-Cache-UA
X-Pixelsilk-Server
X-Hash
X-Origin-Id
X-Origin-Cache
X-Drupal-Cache-Tags
X-DPWN-IS-SECURE
X-Domino-CacheValidationWithETagResult
X-Ec-Custom-Error
X-Obr-Rule
X-Id
X-Last-Modified
X-ENV
X-Nitra-Side
Ozcache
X-Hcom-Styx-Info
Content-Generator
Cteonnt-Length
DrivedBy
HostName
CD2
B-Powered-By
Imx-Cookies-Used
CmsCacheEngine
Debug-Cache-Control
X-Venda-Hitid
Hosted-By
Debug-Status
Debug-Expires
BKREF
Aurora-Node
Nodo
Pool-Info
Actual-Object-TTL
AGI-Request-ID
X-Catalyst
X-Content-Parsed-By
X-Distributor
X-W-DC
X-Cache-Handler
X-Built-By
Set-Cookie2
AsisCache
VANITY-HOST
WSCLoggingUUID
X-AWS
X-Appmachine-Environment
MwpReleaseVersion
S-Cnection
X-4ormat-Cacheable
X-AG-MIPS
X-App-Server
X-Matched-Rule
X-Ocache
X-ORACLE-DMS-RID
X-ORACLE-DMS-ECID
X-FCMS-Cache
X-Enhanced-By
X-ASAP-Cache
X-Cache-Age
X-Cache-Level
X-Clara-ASAP
X-ASAP-Age
X-DataDome
Thinkindot-Control
X-PF-Uncompressing
X-Span
ServerSignature
X-Srv
X-SSL-Cipher
X-Trace-Id
X-SSL-Protocol
X-RSS-CACHE-STATUS
X-RequesterIP
Thinkindot-CacheControl
Thinkindot-CacheControl-Type
ServerTokens
X-PoweredBy
X-Processed-By
X-Pressidium-NinukisWP-Ver
X-ESI-Enable
X-FFX-B
Pv
Pool
P-WS
WFE
Www.Aujourdhui.Com
X-AEM
X-ACMCache
P-LB
X-Page-Cache
X-Restarts
X-Server-Addr
Fastly-Backend-Name
Language
X-Proto
M
X-Page
X-Backend-Name
X-Flex-Lastmod
X-Flex-Lang
X-Flex-Tag
X-Flex-Tags
X-Meta-Imagetoolbar
X-Generated
X-Flex-Evstart
X-Flex-Evend
X-MrHost
X-Nginx-Page-Cache
X-Meta-MSThemeCompatible
X-Cjtype
X-Flex-Community
X-Meta-MSSmartTagsPreventParsing
CacheControlHeader
X-Vhost-ID
X-SL-Notranslate
X-Pubstack
X-Render-Time
X-Request-Processing-Time
X-SL-Norewrite
X-Request-Received
X-Src-Webcache
X-SV
X-Upstream-Backend
X-Fstrz
X-Hit
X-UA
X-MSEdge-Ref
X-IP
X-Seschat-URL
X-SeschatDID
X-UUID
X-Unique-Id
X-SERVER-ID
X-VARITI-CCR
X-Varnish-Debug-TTL
X-Varnish-Debug-Age
X-Tile-Url
X-SRV
X-SeschatRedID
X-SeschatLayout
X-SeschatTemplateID
X-SP-AP
X-SP-TE
X-SP-PR
X-BackendServer