
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to determine how many sites send security-relevant response headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site with an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
Link
ETag
X-Content-Type-Options
P3P
X-Frame-Options
X-XSS-Protection
X-Pingback
X-AspNet-Version
X-Cache
Content-Language
Age
CF-RAY
X-UA-Compatible
Strict-Transport-Security
Via
X-Adblock-Key
Access-Control-Allow-Origin
X-Varnish
X-Template
X-Check
X-Language
X-Buckets
X-Generator
X-Cacheable
X-Drupal-Cache
Content-Location
X-AspNetMvc-Version
X-Powered-By-Plesk
X-Hacker
X-Ac
X-Type
X-Cache-Group
X-Pass-Why
X-Runtime
MS-Author-Via
Ngpass-Ngall
WP-Super-Cache
Host-Header
X-Request-ID
X-Cache-Hits
X-Powered-CMS
Status
X-Request-Id
Keep-Alive
X-Iinfo
Content-Security-Policy
Access-Control-Allow-Credentials
X-Permitted-Cross-Domain-Policies
X-Download-Options
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Via
X-ShardId
X-Dc
X-Alternate-Cache-Key
X-Backend
X-ShopId
X-Pad
X-Mod-Pagespeed
X-UA-Device
Upgrade
X-Logged-In
X-Served-By
X-ServedBy
Powered-By
X-Contextid
X-PC-Key
X-PC-Hit
X-Cache-Hit
Content-Encoding
X-Cache-Status
X-Tumblr-Pixel
X-Tumblr-User
X-Tumblr-Pixel-0
X-Port
X-Host
X-Tumblr-Pixel-1
X-PC-Date
X-PC-Host
X-PC-AppVer
X-Cnection
X-Varnish-Cache
X-Tumblr-Pixel-2
X-Accel-Version
X-Robots-Tag
X-Timer
X-Cdn
X-Amz-Cf-Id
X-CDN
X-Server
CF-Cache-Status
X-SERVER
X-Cache-Lookup
X-XRDS-Location
X-Rack-Cache
X-Server-Powered-By
MicrosoftOfficeWebServer
SPRequestGuid
X-SharePointHealthScore
Alt-Svc
MicrosoftSharePointTeamServices
X-Content-Powered-By
X-Tumblr-Pixel-3
X-Page-Speed
X-Turbo-Charged-By
X-Safe-Firewall
X-Webserver
X-Request-Country
X-PhApp
X-AH-Environment
X-MS-InvokeApp
X-INKT-SITE
X-INKT-URI
X-GitHub-Request-Id
Public-Key-Pins
Timing-Allow-Origin
Request-Id
X-Content-Digest
X-Node
X-Cache-Enabled
X-Server-Name
X-Swift-CacheTime
X-Swift-SaveTime
EagleId
Liferay-Portal
X-Content-Security-Policy
X-Nginx-Cache-Status
SPIisLatency
SPRequestDuration
X-HeyJason
Permitted-Cross-Domain-Policies
DynaTrace
X-Proxy-Cache
X-Hits
Served-By
X-Amz-Request-Id
Rating
X-Amz-Id-2
X-Wix-Renderer-Server
X-Wix-Request-Id
X-Loop
X-TNCMS
X-VCache
Real-Hostname
X-Firenze-Processing-Times
Cf-Railgun
X-Seen-By
X-XN-XNHTML
X-XN-Trace-Token
Grace
X-Styx-Version
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
Content-Script-Type
X-Tumblr-Content-Rating
Content-Style-Type
X-Pantheon-Endpoint
Surrogate-Key-Raw
Charset
Access-Control-Max-Age
X-LiteSpeed-Cache
Content-Security-Policy-Report-Only
X-FW-Serve
X-Whom
X-FW-Static
X-FW-Hash
X-FW-Type
X-Tumblr-Pixel-4
X-Drupal-Dynamic-Cache
Composed-By
Xkey
PageSpeed
X-DynaTrace
Access-Control-Expose-Headers
Surrogate-Key
X-ServerName
X-FullPageCaching
X-Fastly-Request-ID
X-FB-Debug
X-Cache-Server
X-Age
X-Device
Access-Control-Allow-Method
Public-Key-Pins-Report-Only
Cartoon
Product
X-Hyper-Cache
X-Dw-Request-Base-Id
X-DDC-Arch-Trace
X-CDN-Pop-IP
X-CDN-Pop
X-Middleton-Display
X-Middleton-Response
TCN
Fastly-Debug-Digest
Origin
X-Sol
Display
X-Cf-Powered-By
Response
X-AspNetWebPages-Version
Refresh
X-Cloud-Trace-Context
X-Tumblr-Pixel-5
X-Server-ID
X-Cache-Result
X-Spip-Cache
X-Micro-Cache
X-Content-Options
X-Cached
X-Backend-Server
X-Cached-By
X-DynaTrace-JS-Agent
Rt-Fastcgi-Cache
X-CF-Powered-By
X-Expires-Orig
X-NFE
X-Nurl
X-Nhost
Pics-Label
X-UD-Method
ServedBy
X-Tumblr-Pixel-6
X-User-Agent
Fpc-Cache-Id
X-Hostname
MIME-Version
X-CDN-Forward
X-Forwarded-For
X-Clacks-Overhead
X-Daa-Tunnel
X-Cache-Config
ServerID
X-Px
X-Umbraco-Version
RTSS
X-Generated-By
X-Goog-Hash
X-Microcache
X-Newrelic-App-Data
X-Mobile-URL
X-AOL-HN
Cache
ServerName
X-URL
Fastcgi-Cache
X-Jimdo-Instance
X-LiteSpeed-Cache-Control
X-Jimdo-Wid
X-WebKit-CSP
X-Url
Content-Encoding-Handler
X-BC-Stapler
X-Recruiting
X-Cache-Doesi
X-MiniProfiler-Ids
X-Gamma-Serve
X-I-Sp
X-BS
X-Matrix-Server
Alternate-Protocol
Host
Server-Name
X-Matrix-Proxy
X-ApacheServer
CT
SN
X-PERF
Akamai-IP
X-Varnish-Ttl
MJ12bot
Generator
X-Magnolia-Registration
Front-End-Https
NS-RTIMER-COMPOSITE
Edge-Control
SEOMOZ
X-CJ-Soft
X-Translation
X-Cache-Debug
X-Developer
X-DNS-Prefetch-Control
Content-MD5
X-Microcache-Status
CC-CACHE
X-Request-Time
X-ServerIndex
A-Powered-By
X-Microcachable
X-Nginx-Cache
Surrogate-Control
Ag-Execution-Time
X-Device-Type
X-Duration
Backend
X-Vcap-Request-Id
Ag-Send-Time
Ag-Server-Time
X-Amz-Version-Id
X-Atraveo-Zone
X-Cache-Control-Orig
X-Handled-By
X-Varnish-Age
X-Engine
X-Atraveo-Varnish-Server-Id
X-Atraveo-Set-Cookie
X-Atraveo-ETag
X-Atraveo-Cache-Control
X-Atraveo-Expires
X-Atraveo-From-Varnish-Cache
X-Original-Request
X-Atraveo-Param-Rm
X-Atraveo-TTL
X-Varnish-Cache-Hits
X-Tumblr-Adult-Blog
X-Returned-From-PostProcessResponse
X-Symfony-Cache
X-Stale
X-ServerID
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
X-Passed-To-DLL
X-Passed-To-BeforeDispatch
X-Actual-URL
X-Passed-To-PostProcessResponse
X-Returned-From
X-Passed-To
X-Varnish-IP
X-Fastcgi-Cache
X-Provisioner-Version
X-Purge-Host
X-Purge-URL
X-Domain-Checked
X-App-Status
X-EC-Security-Audit
X-Msg-2-Log
X-Nginx-Host
Content-Hash
Beyond-Iis
X-CMS-Version
Node
WWW-Authenticate
X-DefendeR-Runtime
X-Debug
X-Cache-Key
X-DB-Content-Length
X-DefendeR-Status
X-Empowered-By
X-Directory-Script
X-Varnish-Beresp-Ttl
X-Varnish-Cacheable
X-Cache-Expires
Magicmarker
Imagetoolbar
Fhost
Mobiquo-Is-Login
PServer
X-Akamai-Device-Characteristics
WZWS-RAY
Thanks
X-Goog-Generation
X-Varnish-Beresp-Status
X-Outils-CS
X-ID
X-SV-FromDBCache
X-Powered-By-360WZB
X-SV-CacheTags
X-SV-Edge
X-SV-Duration
X-SV-CreatedAt
X-SV-Nginx-Duration
X-SV-Pid
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
X-GUploader-UploadID
X-I
X-Varnish-Beresp-Grace
Author
X-SV-Expires
X-Goog-Metageneration
X-Client-IP
X-Discourse-Route
X-CacheServer
X-Rocket-Nginx-Bypass
Page-Completion-Status
No
Actioncode
X-RateLimit-Remaining
X-NetCat-Version
X-Zen-Fury
X-Pj-Cache-Status
X-Powered-By-VTEX-Janus-ApiCache
X-App-Hosting
X-Powered-By-VTEX-Janus-Edge
X-HP-Trace-Project
X-Track
Realaction
X-Vtex-Processado-Em:
X-Vtex-Processed-At
X-Vtex-Remote-Cache
Surrogate-Keys
Server-Info
X-VTEX-Janus-Router-Backend-App
Powered
X-Varnish-Backend
X-HP-Trace-ID
X-Varnish-Host
X-VTEX-Cache-Status-Janus-ApiCache
X-VTEX-Cache-Status-Janus-Edge
X-Akamai-Device-Model
X-Environment
X-EDGECONNECT-GUID-DEBUG
X-GeoIP
X-IP-Address
X-IIJ-Cache
X-LJ-Flow-ID
X-Name
X-Nbs
X-HA
X-Gyrobase-Publication
X-From
X-Framework
X-Front
X-DSMX-Rewrite-MS
X-Grid-Server
X-Firenze-Processing-Time
X-Content-Type
X-Cache-Control
X-Cache-Info
X-Cache-Operation
X-BKSrc
X-B2f-Not-Route
X-ARC
X-AWS-Id
X-Cache-Rule
X-Captured
X-Cookie-Domain
X-DN-Cache-Control
X-Do-Not-Hack
X-NoCache
X-Content-Age
X-CCM
X-ClientSide-Caching
X-DSMX-Render-MS
X-Route
X-VWS-Id
X-APP
X-Varnish-Seen-By
X-URLSCHEME
X-UPSTREAM
X-We-Are-Hiring
X-Transaction-Id
X-Varnish-Cache-Control
X-Varnish-RemainingTTL
X-Varnish-GracePeriod
X-Varnish-HitMiss
X-Varnish-Hits
X-Varnish-Count
X-Varnish-Cache-Local
X-Varnish-RemainingLife
X-Varnish-ObjectSource
X-Worker
X-Storage
X-Pj-Cache-Key
X-Pj-Cache-Time
X-Platform-Server
X-Pj-Cache-Gzip
X-Pj-Cache-Flags
X-Original-Host
X-Pj-Cache-Expires
X-Powered-By-Anquanbao
X-ProcessTime
X-RESOURCE
X-Source
Yoncu-Errno
X-Resolver-IP
X-RequestId
X-RateLimit-Limit
X-RateLimit-Reset
X-OPNET-Transaction-Trace
X-Browser
X-Ttl
Access-Control-Request-Method
Ngpass-Vcall
Arr-Disable-Session-Affinity
COMMERCE-SERVER-SOFTWARE
NtCoent-Length
Content-Security-Policy-Rerport-Only
Cdate
Bios
Backend-Timing
Host-Name
X-Analytics
Cmsid
Filter-Revision
PowerCDN
MW-Webserver
Cneonction
SRV
S
Cmstype
WWW
X-Amz-Meta-S3cmd-Attrs
X-ACLR-Version
CLMOB
Tracecode
Proxy-Agent
Referrer-Policy
X-Location-Id
Cm-Server
X-PRAM
X-Processing-Time
X-Webcelerate
X-HW
X-Mobilized-By
X-Kinsta-Cache
X-Stage
Last-Published
Cpu:
X-Frames-Options
X-ACCELERATE
Ram:
Noq:
X-Force
X-Balanceador
X-Beatles
X-B
MC
Hostname
Il-Cl
From-Origin
Ews
CpuTime
NetMindSessionID
Ozcache
Ttl
X-Apm-Telemetry-Syncmark
Section-Io-Id
Qs-Cache
Proxy-Cache
X-ATG-Version
X-Cache-Set
X-Plat
X-Plat-Be-Ip
X-Plat-Va-Ip
X-Rack-Cors
X-Pixelsilk-Version
X-Pixelsilk-Server
X-OneAgent-JS-Injection
X-Origin
X-Pagename
X-Response-Time
X-S
X-VERSION
X-Would-Your-GrandPa-Wait
X-Yadis-Location
X-Your-GrandPa-Would-Wait
X-VC-TTL
X-TTL-Age
X-Server-IP
X-Session-Reinit
X-TTL
X-Key
X-Hit-Cache
X-Config-By
X-Content-Encoded-By
X-Country-Code
X-Does-He-Have-Time
X-Cluster
X-Checkout
X-Blog
X-Cache-CFC
Content-Instance
X-Domino-CacheValidationWithETagReason
X-Domino-CacheValidationWithETagResult
X-Goog-Meta-Policy
X-Goog-Meta-Replace
X-Hash
X-F-Cache
X-ENV
X-DPWN-IS-SECURE
X-Drupal-Cache-Tags
X-Ec-Custom-Error
X-Beatles-Hits
X-V
MageStack-Debug
MageStack-Config
MageStack-Loadbalancer
MageStack-Magento-Version
MageStack-PageSpeed
X-Flow-Powered
X-Grace
MageStack-Cacheable-Reason
MageStack-Cache-Lifetime
X-Last-Modified
MageStack-Cache-Status
MageStack-Cache-Warning
MageStack-Cacheable
MageStack-Response-Ttl
MageStack-Tag
X-Cache-TTL
X-Cache-UA
X-Cache-Source
Retry-After
USPLoggingUUID
X-Cache-Provider
Powered-By-ChinaCache
OT-RequestId
X-Edge-IP
X-Edge-Location
MageStack-Web-Node
Myheader
X-Dispatcher
MageStack-Cache-Hits
MageStack-Cache
X-StackifyID
X-Time
X-Server-Start-Time
X-Server-Response-Time
X-SDS
X-Search-Id
X-Turpentine-Cache
X-Varnish-Currency
X-Varnish-Store
Buuteeq-Source
X-Varnish-Set-Cookie
X-Varnish-Esi-Method
X-Varnish-Esi-Access
CACHED-RESPONSE
X-Reason-Bp
X-Obr-Rule
Logging-CorrelationId
Lsrequestid
X-Nitra-Side
MageStack-Area
X-Nginx
X-Origin-Cache
X-Origin-Id
X-PM-ID
X-Real-IP
Content-Transfer-Encoding
IBM-Web2-Location
IISExport
Cached