
SANS ISC / DShield: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day. Two caveats when reading the numbers: some servers answer a HEAD request with a different header set than they send for GET, and header names are case-insensitive, so entries that differ only in case (X-Request-Id and X-Request-ID, X-Dns-Prefetch-Control and X-DNS-Prefetch-Control) are the same header as far as clients are concerned and would merge if the counts were normalized.

As we collect more data, we will plot changes over time.
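The following is an added example of the tallying step described above; it is not the ISC/DShield collector. It takes raw HTTP response heads (the bytes an HTTP client gets back from a HEAD request, status line included), counts each header name once per site, normalizes names to lower case so that case variants such as X-Request-Id and X-Request-ID merge, and reports what fraction of sites send each of the security-relevant headers the survey is interested in. The hostnames and responses are constructed so the script runs offline; a real run would feed it the heads returned by an HTTP client.

```python
"""Tally response header names over a set of sites and flag the security-
relevant ones.  Added example, not the ISC/DShield collector.  Works on raw
HTTP response heads; the sample responses below are constructed, not captured
from real sites."""
from collections import Counter

# Security-relevant headers this example tracks; each name appears in the
# survey's list.  Names are compared case-insensitively (RFC 7230 section 3.2).
SECURITY_HEADERS = {
    "x-frame-options",
    "x-xss-protection",
    "x-content-type-options",
    "content-security-policy",
    "content-security-policy-report-only",
    "strict-transport-security",
    "public-key-pins",
    "referrer-policy",
    "x-permitted-cross-domain-policies",
}

# Constructed sample HEAD responses, keyed by made-up hostnames.
SAMPLE_RESPONSES = {
    "site-a.test": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n"
        "Set-Cookie: a=1; HttpOnly\r\n"
        "Set-Cookie: b=2; Secure\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "X-Request-Id: 0001\r\n"
        "\r\n"
    ),
    "site-b.test": (
        "HTTP/1.1 200 OK\r\n"
        "server: Apache\r\n"
        "content-type: text/html\r\n"
        "x-frame-options: DENY\r\n"
        "X-Request-ID: 0002\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "\r\n"
    ),
    "site-c.test": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Server: cloudflare\r\n"
        "Location: https://site-c.test/\r\n"
        "Content-Type: text/html\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
        # Misspelled name, of the kind that shows up in the survey's own list;
        # it is counted as its own (ineffective) header, not as the real one.
        "Content-Security-Policy-Rerport-Only: default-src 'self'\r\n"
        "\r\n"
    ),
}


def parse_header_names(raw_head):
    """Return the header names of one raw response head, lower-cased, in order.

    Skips the status line, stops at the blank line that ends the head, and
    ignores obsolete folded continuation lines (which start with SP or HTAB).
    """
    names = []
    lines = raw_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if line == "":
            break                   # end of head; anything after is body
        if line[0] in " \t":
            continue                # obs-fold continuation of the previous field
        name, sep, _value = line.partition(":")
        if not sep:
            continue                # not a header field; skip rather than abort
        names.append(name.strip().lower())
    return names


def tally_sites(responses):
    """Count, for each header name, the number of sites that sent it at least once.

    Counting per site rather than per occurrence keeps repeated fields such as
    Set-Cookie from inflating a header's popularity.
    """
    counts = Counter()
    for raw_head in responses.values():
        counts.update(set(parse_header_names(raw_head)))
    return counts


def security_coverage(counts, total_sites):
    """Fraction of surveyed sites sending each tracked security header."""
    return {name: counts.get(name, 0) / total_sites for name in sorted(SECURITY_HEADERS)}


if __name__ == "__main__":
    counts = tally_sites(SAMPLE_RESPONSES)
    print("header popularity (number of sites sending the header):")
    for name, n in counts.most_common():
        print(f"  {n:3d}  {name}")
    print("security header coverage:")
    for name, frac in security_coverage(counts, len(SAMPLE_RESPONSES)).items():
        print(f"  {frac:6.1%}  {name}")
```

Because the tally is per site, a site that sets two cookies still counts once for Set-Cookie, and because names are lower-cased before counting, the two spellings of X-Request-ID above land in one bucket.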



All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
Link
ETag
X-Content-Type-Options
P3P
X-Frame-Options
X-XSS-Protection
X-Pingback
X-Cache
X-AspNet-Version
Content-Language
Age
CF-RAY
X-UA-Compatible
Via
Strict-Transport-Security
X-Adblock-Key
Access-Control-Allow-Origin
X-Varnish
X-Language
X-Template
X-Check
X-Buckets
X-Generator
X-Cacheable
X-Drupal-Cache
Content-Location
X-AspNetMvc-Version
X-Powered-By-Plesk
X-Type
X-Pass-Why
X-Cache-Group
MS-Author-Via
X-Hacker
X-Ac
X-Runtime
X-Request-Id
X-Cache-Hits
WP-Super-Cache
Ngpass-Ngall
X-Powered-CMS
Host-Header
Status
X-Iinfo
Keep-Alive
Access-Control-Allow-Credentials
Content-Security-Policy
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Request-ID
X-Permitted-Cross-Domain-Policies
X-Download-Options
X-Mod-Pagespeed
X-ShardId
X-ShopId
X-Dc
X-Alternate-Cache-Key
X-Pad
X-Via
X-Backend
X-UA-Device
Upgrade
X-Host
X-Served-By
X-Logged-In
X-ServedBy
Content-Encoding
Powered-By
X-Contextid
X-Cnection
X-PC-Hit
X-PC-Key
X-Cache-Status
X-Cache-Hit
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-CDN
X-Server
X-Varnish-Cache
X-Tumblr-Pixel-1
X-Port
X-PC-AppVer
X-PC-Date
X-PC-Host
X-Accel-Version
X-Robots-Tag
X-Tumblr-Pixel-2
X-Cache-Lookup
X-Timer
CF-Cache-Status
MicrosoftOfficeWebServer
X-Amz-Cf-Id
SPRequestGuid
X-Rack-Cache
X-SharePointHealthScore
X-XRDS-Location
MicrosoftSharePointTeamServices
X-Request-Country
X-Content-Powered-By
X-AH-Environment
X-Cdn
X-Safe-Firewall
X-Server-Powered-By
X-MS-InvokeApp
X-Webserver
Alt-Svc
X-PhApp
X-Turbo-Charged-By
X-SERVER
X-Tumblr-Pixel-3
X-INKT-URI
X-Page-Speed
X-INKT-SITE
X-Node
X-Content-Digest
Public-Key-Pins
Request-Id
X-GitHub-Request-Id
Timing-Allow-Origin
X-Wix-Request-Id
X-Seen-By
X-Wix-Renderer-Server
X-Cache-Enabled
X-Proxy-Cache
SPRequestDuration
SPIisLatency
Served-By
X-Server-Name
Liferay-Portal
X-Swift-CacheTime
X-Content-Security-Policy
X-Swift-SaveTime
X-XN-Trace-Token
X-HeyJason
X-Firenze-Processing-Times
Cf-Railgun
Permitted-Cross-Domain-Policies
X-XN-XNHTML
X-Styx-Version
X-Styx-Req-Id
Surrogate-Key-Raw
X-Pantheon-Styx-Hostname
X-Pantheon-Endpoint
EagleId
Content-Security-Policy-Report-Only
Xkey
X-Drupal-Dynamic-Cache
X-Nginx-Cache-Status
X-Hits
Surrogate-Key
Access-Control-Expose-Headers
Grace
X-Amz-Request-Id
Content-Script-Type
X-Amz-Id-2
X-VCache
Composed-By
Rating
X-TNCMS
X-FullPageCaching
Content-Style-Type
Real-Hostname
X-Loop
Charset
DynaTrace
Access-Control-Max-Age
X-FW-Serve
X-FW-Type
X-LiteSpeed-Cache
X-FW-Static
X-FW-Hash
X-Dw-Request-Base-Id
PageSpeed
X-Tumblr-Content-Rating
X-FB-Debug
X-DynaTrace
X-CDN-Pop
X-CDN-Pop-IP
X-Whom
Access-Control-Allow-Method
X-Tumblr-Pixel-4
X-ServerName
X-Fastly-Request-ID
Public-Key-Pins-Report-Only
X-Hyper-Cache
X-Device
X-Cache-Server
Fastly-Debug-Digest
Cartoon
X-Age
X-Spip-Cache
X-DDC-Arch-Trace
X-CF-Powered-By
X-Middleton-Response
X-Middleton-Display
ServedBy
X-Sol
X-Px
X-Matrix-Server
X-EC-Security-Audit
Fpc-Cache-Id
Product
Response
X-Msg-2-Log
Display
Refresh
X-Matrix-Proxy
X-AspNetWebPages-Version
X-Content-Options
X-Cached-By
X-Cache-Result
Origin
TCN
X-DynaTrace-JS-Agent
X-Tumblr-Pixel-5
X-Micro-Cache
X-Backend-Server
X-Cloud-Trace-Context
X-URL
X-From
X-Magnolia-Registration
X-Recruiting
Pics-Label
X-Cf-Powered-By
NS-RTIMER-COMPOSITE
X-Duration
X-Clacks-Overhead
X-Cached
X-Server-ID
Edge-Control
MIME-Version
X-Newrelic-App-Data
Ag-Server-Time
X-Goog-Hash
Ag-Send-Time
X-User-Agent
Ag-Execution-Time
X-WebKit-CSP
X-Cache-Config
RTSS
X-Jimdo-Instance
X-Jimdo-Wid
ServerID
X-UD-Method
X-Returned-From-PostProcessResponse
X-FORWARDED-FOR
X-Passed-To
X-Original-Request
X-Actual-URL
X-Returned-From-DLL
X-Handled-By
X-Passed-To-BeforeDispatch
X-Art-Request-Id
X-Returned-From
X-Passed-To-DLL
X-Passed-To-PostProcessResponse
X-Returned-From-BeforeDispatch
Imagetoolbar
X-Umbraco-Version
X-Generated-By
ServerName
X-Gamma-Serve
X-BC-Stapler
X-LiteSpeed-Cache-Control
SN
X-AOL-HN
X-Nurl
X-NFE
X-Expires-Orig
X-Stale
X-Nhost
Rt-Fastcgi-Cache
X-Varnish-Beresp-Status
X-MiniProfiler-Ids
X-Varnish-Beresp-Grace
X-ApacheServer
X-Varnish-Beresp-Ttl
Surrogate-Control
Alternate-Protocol
X-PERF
X-Hostname
X-Tumblr-Pixel-6
X-Fastcgi-Cache
X-Nginx-Host
X-Tumblr-Adult-Blog
X-Forwarded-For
X-Varnish-Host
X-CDN-Forward
Cache
X-Country-Code
X-Mobile-URL
X-Microcache
X-Daa-Tunnel
X-Origin
X-Debug
X-Device-Type
X-Cache-Debug
X-Microcache-Status
X-Microcachable
X-Request-Time
X-Translation
X-Varnish-Cache-Hits
Content-Encoding-Handler
X-Engine
X-Url
Fastcgi-Cache
Backend
X-ServerID
X-SV-Edge
Content-Hash
X-Varnish-Ttl
X-SV-Expires
X-SV-Nginx-Duration
X-I-Sp
X-Varnish-Age
X-SV-Duration
X-SV-FromDBCache
X-CMS-Version
X-Zen-Fury
X-Client-IP
X-SV-CacheTags
X-Varnish-Backend
Beyond-Iis
X-SV-Pid
X-Outils-CS
Server-Info
X-App-Hosting
X-SV-CreatedAt
Fhost
X-Cache-Rule
X-Cache-Doesi
Front-End-Https
X-CJ-Soft
SEOMOZ
Generator
MJ12bot
Content-Security-Policy-Rerport-Only
Akamai-IP
X-NoCache
CT
Host
X-BS
Server-Name
X-TTL
X-Goog-Stored-Content-Encoding
X-Cookie-Domain
X-Goog-Storage-Class
Proxy-Agent
X-Goog-Metageneration
X-Goog-Generation
Surrogate-Keys
X-Goog-Stored-Content-Length
X-Cache-Info
Referrer-Policy
X-GUploader-UploadID
X-DNS-Prefetch-Control
X-Platform
A-Powered-By
X-ServerIndex
X-Nginx-Cache
X-Amz-Version-Id
X-Vcap-Request-Id
CC-CACHE
X-Storage
X-Developer
X-NetCat-Version
Content-MD5
X-Cache-Expires
X-Varnish-Cacheable
X-Atraveo-Expires
X-Atraveo-Varnish-Server-Id
X-Atraveo-TTL
X-Atraveo-Zone
X-Cache-Control-Orig
X-Symfony-Cache
X-Atraveo-Set-Cookie
X-Atraveo-Param-Rm
X-Atraveo-Cache-Control
WWW-Authenticate
X-Atraveo-ETag
Access-Control-Request-Method
X-Atraveo-From-Varnish-Cache
Node
Cmsid
X-Varnish-Count
X-UPSTREAM
X-Varnish-IP
X-Varnish-HitMiss
X-S
X-EDGECONNECT-GUID-DEBUG
X-Firenze-Processing-Time
X-Purge-URL
X-Purge-Host
X-Grid-Server
X-IIJ-Cache
X-Source
X-App-Status
X-Time
X-Provisioner-Version
X-Domain-Checked
X-Dispatcher
X-Varnish-Hits
X-Content-Age
X-Amz-Meta-S3cmd-Attrs
Powered-By-ChinaCache
X-PRAM
Cmstype
Filter-Revision
X-Cache-Control
S
X-Cache-Operation
X-We-Are-Hiring
X-Force
Thanks
WZWS-RAY
X-Vtex-Processed-At
PServer
Mobiquo-Is-Login
Author
X-Empowered-By
Magicmarker
X-Vtex-Remote-Cache
X-Directory-Script
X-Vtex-Processado-Em:
X-Location-Id
X-ID
X-I
X-Mobilized-By
X-Powered-By-360WZB
X-DB-Content-Length
X-DefendeR-Runtime
X-DefendeR-Status
X-Cache-Key
X-VTEX-Cache-Status-Janus-ApiCache
X-Dns-Prefetch-Control
Realaction
X-Akamai-Device-Characteristics
X-Akamai-Device-Model
X-Discourse-Route
X-CacheServer
Powered
Page-Completion-Status
Edge-Control-Message
X-VTEX-Janus-Router-Backend-App
Actioncode
Content-Disposition
No
X-Grace
X-Pj-Cache-Status
X-HP-Trace-Project
X-Track
X-ATG-Version
X-VTEX-Cache-Status-Janus-Edge
X-HP-Trace-ID
X-Rocket-Nginx-Bypass
X-RateLimit-Remaining
X-Powered-By-VTEX-Janus-Edge
X-Powered-By-VTEX-Janus-ApiCache
X-Varnish-Store
X-Varnish-RemainingTTL
X-Varnish-Set-Cookie
X-Gyrobase-Publication
X-HA
Backend-Timing
Bios
Cneonction
COMMERCE-SERVER-SOFTWARE
Host-Name
X-Varnish-ObjectSource
X-Front
CLMOB
X-IP-Address
X-Varnish-RemainingLife
Cdate
X-GeoIP
X-Varnish-Seen-By
Yoncu-Errno
X-Pj-Cache-Flags
X-Pj-Cache-Gzip
X-StackifyID
X-OPNET-Transaction-Trace
X-Response-Time
X-Session-Reinit
X-Pj-Cache-Expires
X-Turpentine-Cache
X-Worker
X-Varnish-Esi-Access
X-Varnish-Esi-Method
X-LJ-Flow-ID
X-Varnish-Currency
X-Name
X-VWS-Id
X-Framework
X-Nbs
X-Pj-Cache-Key
NtCoent-Length
X-DSMX-Render-MS
X-B2f-Not-Route
X-Do-Not-Hack
X-DSMX-Rewrite-MS
X-AWS-Id
X-Analytics
X-APP
X-ARC
X-BKSrc
X-DN-Cache-Control
X-Captured
X-CCM
X-Nginx
X-Powered-By-Anquanbao
X-ClientSide-Caching
X-Content-Type
X-Browser
X-ProcessTime
X-ACLR-Version
X-Platform-Server
X-RESOURCE
X-Resolver-IP
X-RequestId
X-Route
X-Transaction-Id
X-Varnish-Cache-Local
X-Varnish-Cache-Control
X-URLSCHEME
MW-Webserver
Ngpass-Vcall
X-RateLimit-Limit
WWW
X-Environment
X-Pj-Cache-Time
Tracecode
PowerCDN
X-RateLimit-Reset
SRV
X-Varnish-GracePeriod
IISExport
X-Blog
Qs-Cache
IBM-Web2-Location
X-Cache-Provider
X-Cache-Source
Myheader
X-Content-Encoded-By
X-Original-Host
Content-Transfer-Encoding
X-Supported-By
X-Version
Arr-Disable-Session-Affinity
X-Ttl
OT-RequestId
X-Varnish-TTL
Lsrequestid
Noq:
Last-Published
Ram:
Cm-Server
X-Processing-Time
X-Webcelerate
X-Frames-Options
X-Kinsta-Cache
Cpu:
A
X-Hiawatha-Cache
X-Hosted-By
X-Stage
X-Cocoon-Version
SSPAppContext
Eomportal-Instance
X-Cluster-Node
NODE
X-N
X-Source-ID
X-Turpentine-Esi
X-Vary-Options
X-ACCELERATE
X-Trace
X-Speed-Cache
X-Speed-Cache-Key
X-HW
X-Server-IP
X-Real-IP
X-Reason-Bp
X-Rack-Cors
X-Yadis-Location
X-Your-GrandPa-Would-Wait
X-PM-ID
X-Would-Your-GrandPa-Wait
X-VERSION
X-VC-TTL
X-TTL-Age
X-SDS
Buuteeq-Source
X-Beatles
Cached
Content-Instance
X-Balanceador
X-Beatles-Hits
X-Cache-CFC
X-Config-By
X-Cluster
X-Checkout
X-Cache-Set
CpuTime
Ews
MC
NetMindSessionID
Ozcache
Proxy-Cache
Ttl
Il-Cl
X-B
X-Apm-Telemetry-Syncmark
From-Origin
Hostname
X-Does-He-Have-Time
X-Domino-CacheValidationWithETagReason
X-Pixelsilk-Version
X-V
X-Pixelsilk-Server
X-Pagename
X-Plat
X-Server-Start-Time
X-Plat-Be-Ip
Section-Io-Id
X-Search-Id
X-Server-Response-Time
X-OneAgent-JS-Injection
X-Key
X-Ec-Custom-Error
X-Drupal-Cache-Tags
X-DPWN-IS-SECURE
X-Domino-CacheValidationWithETagResult
X-ENV
X-F-Cache
X-Hit-Cache
X-Hash
X-Goog-Meta-Replace
X-Goog-Meta-Policy
X-Plat-Va-Ip
X-GeoIP-Country-Name
X-Flex-Lastmod
X-Flex-Tag
X-Flex-Tags
X-Frontend
X-Flex-Lang
X-Flex-Evstart
X-Custom-Header
X-Flex-Community
X-Flex-Evend
X-FW
X-Generated
X-Max-Age
X-Optimization
X-Proxy-Cache-Key
X-PwB-Node
X-ManagedFusion-Rewriter-Version
X-Layout
X-GeoIP-Country-Code
X-Hcom-Styx-Info
X-Id
X-Cjtype
X-Backend-Name
Hamster
Language
M
NLCacheNote
Front
Fastly-Backend-Name
AMF-Ver
Cache-Rule
CacheControlHeader
NnCoection
P-LB
X-ACMCache
X-AEM
X-Amz-Storage-Class
X-App
Www.Aujourdhui.Com
WFE
P-WS
Pool
Pv
X-Qnm-Cache
X-Real-Server
MageStack-PageSpeed
MageStack-Response-Ttl
MageStack-Tag
MageStack-Web-Node
MageStack-Magento-Version
MageStack-Loadbalancer
MageStack-Cacheable-Reason
MageStack-Config
MageStack-Debug
Retry-After
USPLoggingUUID
X-Last-Modified
X-Nitra-Side
X-Obr-Rule
X-Origin-Cache
X-Flow-Powered
X-Edge-Location
X-Cache-TTL
X-Cache-UA
X-Edge-IP
MageStack-Cacheable
MageStack-Cache-Warning
X-Sucuri-Cache
X-Sucuri-ID
X-This-Proto
X-Title
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Rewritten-By
X-Server-By
X-Server-Instance
X-Unbounce-PageId
X-Unbounce-Variant
MageStack-Cache
MageStack-Cache-Hits
MageStack-Cache-Lifetime
MageStack-Cache-Status
MageStack-Area
Logging-CorrelationId
X-Unbounce-VisitorID
X-Varnish-Max-Age
CACHED-RESPONSE
X-Origin-Id