
SANS ISC / DShield: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Set-Cookie
Server
Connection
Cache-Control
Vary
X-Powered-By
Expires
Content-Length
Pragma
Link
Last-Modified
Accept-Ranges
ETag
X-Content-Type-Options
X-Frame-Options
X-XSS-Protection
P3P
CF-RAY
X-AspNet-Version
Strict-Transport-Security
X-Cache
Age
Content-Language
X-Pingback
X-UA-Compatible
Via
Access-Control-Allow-Origin
X-Cacheable
Content-Security-Policy
X-Varnish
X-Request-ID
X-Adblock-Key
Upgrade
X-Generator
X-Download-Options
X-Permitted-Cross-Domain-Policies
X-ShopId
X-Sorting-Hat-ShopId-Cached
X-Alternate-Cache-Key
X-Sorting-Hat-ShopId
X-Sorting-Hat-Section
X-ShardId
X-Sorting-Hat-PodId
X-Sorting-Hat-PodId-Cached
X-Dc
X-Type
X-Pass-Why
X-Cache-Group
X-AspNetMvc-Version
X-Drupal-Cache
X-UA-Device
X-Check
X-Language
X-Template
X-Runtime
Host-Header
X-Powered-By-Plesk
X-Buckets
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Tumblr-User
X-Cache-Hits
Alt-Svc
X-Tumblr-Pixel-1
X-Ac
X-Hacker
Status
Content-Location
X-IPLB-Instance
X-Tumblr-Pixel-2
X-Powered-CMS
X-Amz-Cf-Id
X-Request-Id
X-Backend
X-Served-By
Powered-By
X-Via
X-CST
MS-Author-Via
X-Tumblr-Pixel-3
X-ServedBy
Access-Control-Allow-Headers
X-Contextid
X-PC-Key
X-PC-Hit
X-Cache-Hit
X-PC-AppVer
X-PC-Host
X-PC-Date
X-Port
X-Cache-Status
Access-Control-Allow-Methods
X-Iinfo
Access-Control-Allow-Credentials
X-Wix-Request-Id
X-Wix-Renderer-Server
X-Seen-By
X-Logged-In
X-TEC-API-ORIGIN
X-Wix-PunisherID
X-TEC-API-ROOT
X-Cache-Enabled
X-TEC-API-VERSION
X-Timer
X-Forwarded-For
X-Forwarded-Proto
Content-Encoding
CF-Cache-Status
Rating
Keep-Alive
X-Turbo-Charged-By
X-Tumblr-Pixel-4
X-Page-Speed
X-Robots-Tag
X-CDN
X-Server-Powered-By
X-Server
X-Tumblr-Content-Rating
X-Mod-Pagespeed
X-Endurance-Cache-Level
X-Nginx-Cache-Status
WP-Super-Cache
Referrer-Policy
X-Host
X-Died
X-Original-Date
Content-MD5
X-GitHub-Request-Id
X-AWS-Id
X-LJ-Flow-ID
X-VWS-Id
X-Content-Powered-By
Fastly-Debug-Digest
X-Rack-Cache
Content-Security-Policy-Report-Only
X-Accel-Version
X-Content-Digest
X-Pantheon-Styx-Hostname
X-Pad
X-Styx-Req-Id
Surrogate-Key-Raw
X-LiteSpeed-Cache
X-CF-Powered-By
X-Drupal-Dynamic-Cache
X-Proxy-Cache
X-Varnish-Cache
X-DIS-Request-ID
Charset
Cf-Railgun
X-Amz-Request-Id
X-Amz-Id-2
X-FullPageCaching
X-ServerName
SPRequestGuid
X-SharePointHealthScore
Timing-Allow-Origin
Cartoon
X-Cloud-Trace-Context
X-FW-Hash
X-FW-Type
X-FW-Serve
X-FW-Static
X-Content-Security-Policy
X-CDN-Pop-IP
X-Cnection
X-CDN-Pop
X-Fastly-Request-ID
MicrosoftSharePointTeamServices
X-Safe-Firewall
X-AH-Environment
X-Tumblr-Pixel-5
Access-Control-Max-Age
X-MS-InvokeApp
X-Hits
Request-Id
X-Microcache
X-Swift-CacheTime
X-Hyper-Cache
X-Device
EagleId
X-Swift-SaveTime
X-DDC-Arch-Trace
X-XRDS-Location
X-SRCache-Fetch-Status
X-SRCache-Store-Status
SPIisLatency
SPRequestDuration
X-Backend-Server
Liferay-Portal
Fpc-Cache-Id
X-Cache-Lookup
Front-End-Https
X-Acc-Exp
MicrosoftOfficeWebServer
Edge-Control
Xkey
X-Cached
X-Tumblr-Pixel-6
X-Server-Name
X-Jimdo-Instance
X-RateLimit-Remaining
Composed-By
X-RateLimit-Limit
X-RateLimit-Reset
X-Jimdo-Wid
Public-Key-Pins
X-Request-Country
X-Page-Cache
X-Revision
X-Dispatch
X-Cache-Only-Varnish
X-URL
X-Content-Options
X-Spip-Cache
X-Px
X-HS-Content-Id
Refresh
X-Correlation-Id
X-HS-Cache-Config
X-WebKit-CSP
X-BC-Stapler
Access-Control-Expose-Headers
X-Newrelic-App-Data
X-INKT-SITE
X-INKT-URI
X-Amz-Version-Id
Edge-Cache-Tag
Served-By
X-Dw-Request-Base-Id
Fhost
Access-Control-Request-Method
X-Node
Surrogate-Key
X-Cache-Config
Grace
X-Cache-Rule
X-Pantheon-Phpreq
X-I-Sp
X-MiniProfiler-Ids
X-VCache
X-User-Agent
Alternate-Protocol
X-Generated-By
X-Pantheon-Environment
X-SE-Debug
X-Pantheon-Site
X-Goog-Hash
X-BS
X-Loop
X-TNCMS
X-Dns-Prefetch-Control
Real-Hostname
Request-Context
Content-Script-Type
X-Magento-Tags
X-Proxy
X-Micro-Cache
Content-Style-Type
Surrogate-Control
X-Clacks-Overhead
Product
X-Zen-Fury
X-DynaTrace-JS-Agent
X-CMS-Version
X-Handled-By
X-LB
X-Hostname
X-N-OperationId
HTTPS
X-Request-Time
X-Powered-By-VTEX-Janus-Edge
X-Powered-By-VTEX-Janus-ApiCache
X-Shop-Id
X-Umbraco-Version
X-Vtex-Processed-At
No
X-Track
X-VTEX-Cache-Status-Janus-ApiCache
X-VTEX-Janus-Router-Backend-App
X-Fastcgi-Cache
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Powered
X-CacheServer
X-Platform
X-Runtime-Memory
TCN
X-Defender
X-Developer
X-Middleton-Response
X-Cached-By
X-Middleton-Display
IM-Version
X-Magento-Cache-Debug
X-Sol
Accept-Encoding
X-SRCache-Key
Pv
Fw-Via
X-Served-Server
X-ARC
X-FB-Debug
X-Varnish-Cache-Hits
Cache-Key
X-Application-Context
X-Route-Server
X-Traffic
X-Route-To
Response
PageSpeed
Display
X-Cache-Engine
X-Kinsta-Cache
SiteSpeed
Host
P-WS
P-LB
Strikingly-Cached
X-Rocket-Nginx-Bypass
X-DNS-Prefetch-Control
X-Ruxit-JS-Agent
X-Session-ID
X-XN-XNHTML
X-VARITI-CCR
Strikingly-Cached-Version
X-Source
X-Signature
X-XN-Trace-Token
X-Hosted-By
X-VC-TTL
FAI-W-FLOW
X-VC-Enabled
X-Age
Pool
Content-Encoding-Handler
X-AspNetWebPages-Version
X-Optimization
X-Varnish-Age
X-Browser
X-Front
X-DynaTrace
Generator
X-Device-Type
X-OneAgent-JS-Injection
X-RequestId
X-NetCat-Version
X-Author
X-AF-Userserver
WZWS-RAY
OriginServer
Traffic-Origin
X-Data-Request
X-Original-Request
X-Lambda-Id
X-Magento-Cache-Control
X-Instart-Request-ID
DynaTrace
X-HA-Backend
X-HA-Frontend
Last-Published
CP
X-GeoIP-Country-Code
X-Hypernode
X-Fedora-School-Id
X-Discourse-Route
X-Actual-URL
Use-Proxy
X-JG-Page-Cache
X-LiteSpeed-Cache-Control
X-Middleware-Start
X-NB-Cached-Page
Rt-Fastcgi-Cache
X-Microcache-Status
ServedBy
X-Microcachable
X-Passed-To
X-HashTwo
X-Returned-From-PostProcessResponse
X-StackifyID
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
X-Resty-Request-Id
X-Pageid
X-Stale
X-Supported-By
X-UPSTREAM
X-Translation
X-Varnish-Beresp-Grace
X-Varnish-Beresp-Status
X-Varnish-Beresp-Ttl
Imagetoolbar
X-Returned-From
X-Srv
Node
X-Varnish-Backend
X-Passed-To-PostProcessResponse
X-Powered-By-360WZB
X-Passed-To-BeforeDispatch
X-Passed-To-DLL
X-VTEX-Cache-Status-Janus-Edge
X-Webserver
X-Cache-CFC
X-Cache-TTL
Web-App-Origin-Name
X-Accel-Expires
Dispatcher
X-Unbounce-VisitorID
X-Varnish-GracePeriod
X-URLSCHEME
X-Varnish-RemainingTTL
X-Varnish-RemainingLife
X-Worker
X-Webkit-CSP
X-Url
X-Unbounce-Variant
X-Varnish-TTL
X-Varnish-Seen-By
X-Varnish-ObjectSource
X-Goog-Metageneration
Powered-By-ChinaCache
X-Goog-Generation
X-GeoIP-Country-Name
X-F-Cache
X-Goog-Stored-Content-Encoding
Origin
Content-Disposition
Cache-Tag
Fastcgi-Cache
X-Goog-Stored-Content-Length
Lsrequestid
X-Expires-Orig
SSPAppContext
X-Cache-Server
X-Cookie-Domain
X-Cache-Operation
X-Cache-Debug
X-Cache-Control-Orig
X-Cache-Age
X-B-Cache
Webluker-Edge
X-Edge-Location
X-CSRF-Token
X-Unbounce-PageId
X-Always-Cache
Allow
X-Goog-Storage-Class
X-Platform-Cache
X-Platform-Cluster
X-Platform-Processor
X-Outils-CS
X-OpenCart-Lightning
X-Location-Id
X-Loopia-Node
X-Platform-Router
X-Platform-Server
X-Speed-Cache-Key
X-Tag-Playlist
X-Topify-Platform
X-Speed-Cache
X-Shield-Request-Id
X-RESOURCE
X-Server-Instance
X-IsCacheURL
X-NoCache
X-Hiawatha-Cache
X-GUploader-UploadID
X-Powered-By-VelaWeb
X-Wikidot-Static-Cache
X-Powered-By-Home.Pl
X-Wikidot-Backend
Access-Control-Allow-Method
X-Processing-Time
X-Version
X-Varnish-Mode
X-S
X-Recruiting
X-Purge-URL
X-Purge-Host
X-ORACLE-DMS-ECID
X-NWS-LOG-UUID
X-Req-Head-Response
X-Upstream
X-PhApp
X-Made-On
X-Node-Name
X-Magento-Action
CacheControlHeader
X-Varnish-IP
X-N
X-Magento-Lifetime
X-M
X-Map-Context
X-Server-Upstream
X-SV-Edge
X-SV-Expires
X-SV-Duration
X-SV-CreatedAt
X-SV-CacheTags
X-SV-FromDBCache
X-SV-Nginx-Duration
X-UPSTREAM-Address
X-Time
X-LP
X-SV-Pid
X-Varnish-Debug-Age
X-SV-Cacheable
X-SS-Location
X-SSL-Cipher
X-SS-Conf
X-Varnish-Debug-TTL
X-Varnish-Auto-Cache-Miss
X-SSL-Protocol
X-Storage
X-Sucuri-ID
X-Cache-Info
X-Varnish-Debug-Hits
X-Sucuri-Cache
X-Served
X-Flex-Community
If-Modified-Since
Keywords
Magicmarker
Gzip
Frame-Options
Ews
F5-IpCliente
NLCacheNote
NS-VaryByCustom-Key
S-Cnection
Set-Cookie2
S
RSB-LINK
Og
PagesDisplayed
EQ-Cache
ENV
AR-ATIME
AR-CACHE
Aoestatic
AMF-Ver
A-Powered-By
Accept-Charset
AR-PoweredBy
AR-SID
Description
Drupal-Pagecache-Memcache
Content-Transfer-Encoding
Content-Legth
ClientIP
Content-Hash
SVR
USPLoggingUUID
X-Flex-Lang
X-Flex-Lastmod
X-Flex-Evstart
X-Flex-Evend
X-Engine
X-FireWall-Port
X-Flex-Tag
X-Flex-Tags
X-Id
X-LB-Server
X-Geo-Country
X-Gamma-Serve
X-Flow-Powered
X-Fpc
X-Edge-IP
X-Deity
X-Cache-Control
X-Cache-Expires
X-Cache-Action
X-App-Hosting
Version
X-Amz-Meta-S3cmd-Attrs
X-Cache-Fix
X-Cache-Key
X-DealerOn
X-Debug
X-Daa-Tunnel
X-Cname-TryFiles
X-Cache-PageType
X-Cache-Tags
X-Location