
SANS ISC: HTTP Header Usage Statistics - Internet Security | DShield

HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

Two caveats when reading the numbers: a server may answer a HEAD request with a different set of headers than it sends for a GET of the same page, and the count only records that a header name was present, not whether its value is effective. A Strict-Transport-Security header with max-age=0, or a Content-Security-Policy whose script-src is *, is counted the same as a well-configured one.

As we collect more data, we will plot changes over time.
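The tallying described above, as an added example that is not the collector's own code: it parses raw HEAD responses, counts each header name once per site (case-insensitively, since header names are case-insensitive), and additionally judges whether the security-relevant headers carry a value that actually does something. The three responses and host names are constructed for the example; the effectiveness rules are deliberately simple and are noted as such in the comments.

```python
"""Count HTTP response header names across sites and assess the security-relevant ones.

Added example for this page, not the SANS ISC / DShield collector's code.
SAMPLE_RESPONSES below are constructed HEAD responses, not captured traffic.
"""
import re
from collections import Counter

SAMPLE_RESPONSES = {  # constructed data: hypothetical hosts and headers
    "example-a.test": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Server: nginx\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "X-Frame-Options: DENY\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Content-Security-Policy: default-src 'self'\r\n\r\n"
    ),
    "example-b.test": (
        "HTTP/1.1 200 OK\r\n"
        "content-type: text/html\r\n"
        "server: Apache\r\n"
        "x-powered-by: PHP/5.6.40\r\n"
        "x-frame-options: ALLOW-FROM https://partner.test\r\n"
        "strict-transport-security: max-age=0\r\n"
        "content-security-policy: default-src *; script-src * 'unsafe-inline'\r\n\r\n"
    ),
    "example-c.test": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Content-Type: text/html\r\n"
        "Location: https://example-c.test/\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
        "Content-Security-Policy-Report-Only: default-src 'self'\r\n\r\n"
    ),
}


def parse_headers(raw):
    """Return [(name, value)] from a raw HTTP/1.1 response, dropping the status line."""
    head = raw.partition("\r\n\r\n")[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip():  # skip blank or colon-less (malformed) lines
            pairs.append((name.strip(), value.strip()))
    return pairs


def tally(responses):
    """Per lower-cased header name, the number of sites that sent it at least once."""
    counts = Counter()
    for raw in responses.values():
        counts.update({name.lower() for name, _ in parse_headers(raw)})
    return counts


def csp_restricts_scripts(policy):
    """Simplified CSP check: script-src (or its default-src fallback) must neither allow
    any host (*) nor 'unsafe-inline'. Ignores nonces/hashes, which in CSP Level 2+
    cause 'unsafe-inline' to be disregarded, so this can under-report strong policies."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # no script restriction at all
    return "*" not in sources and "'unsafe-inline'" not in sources


def judge(name, value):
    """True if a security header's value is effective, False if present but not,
    None for headers this example does not assess."""
    n, v = name.lower(), value.strip().lower()
    if n == "strict-transport-security":
        m = re.search(r"max-age\s*=\s*(\d+)", v)
        return bool(m) and int(m.group(1)) > 0  # max-age=0 clears the policy
    if n == "x-frame-options":
        return v in ("deny", "sameorigin")  # ALLOW-FROM is not honored by current browsers
    if n == "x-content-type-options":
        return v == "nosniff"
    if n == "content-security-policy":
        return csp_restricts_scripts(value)
    if n == "content-security-policy-report-only":
        return False  # reports violations, never blocks anything
    if n == "x-xss-protection":
        # Counted as enabled when the filter is on with mode=block. Chromium removed its
        # XSS Auditor in 2019, so today the recommended value is "0"; the era this page
        # surveyed still treated "1; mode=block" as the hardened setting.
        return v.startswith("1") and "mode=block" in v
    return None


def summarize(responses):
    """Per security header: (sites where present, sites where effective)."""
    present, effective = Counter(), Counter()
    for raw in responses.values():
        verdicts = {}
        for name, value in parse_headers(raw):
            verdict = judge(name, value)
            if verdict is not None:
                verdicts[name.lower()] = verdict  # last occurrence wins
        for name, ok in verdicts.items():
            present[name] += 1
            effective[name] += int(ok)
    return {name: (present[name], effective[name]) for name in present}


if __name__ == "__main__":
    for name, count in tally(SAMPLE_RESPONSES).most_common():
        print(f"{count:3d}  {name}")
    for name, (seen, ok) in sorted(summarize(SAMPLE_RESPONSES).items()):
        print(f"{name}: present on {seen} site(s), effective on {ok}")
```

The histogram on this page corresponds to tally(); summarize() is the extra column a practitioner usually wants, since "present" and "effective" diverge on two of the three constructed hosts.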



All Headers Active In The Past Month
Header Popularity (header names as observed, ordered from most to least common):
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
Link
ETag
X-Content-Type-Options
P3P
X-Frame-Options
X-XSS-Protection
X-Pingback
X-Cache
X-AspNet-Version
Content-Language
Age
CF-RAY
X-UA-Compatible
Strict-Transport-Security
Via
X-Adblock-Key
Access-Control-Allow-Origin
X-Varnish
X-Template
X-Language
X-Check
X-Buckets
X-Generator
X-Cacheable
Content-Location
X-Drupal-Cache
X-Request-ID
X-AspNetMvc-Version
X-Powered-By-Plesk
X-Ac
X-Hacker
X-Cache-Group
X-Pass-Why
X-Type
X-Runtime
MS-Author-Via
Ngpass-Ngall
WP-Super-Cache
Host-Header
X-Powered-CMS
X-Cache-Hits
Status
Keep-Alive
X-Iinfo
Access-Control-Allow-Credentials
Content-Security-Policy
Access-Control-Allow-Methods
X-Permitted-Cross-Domain-Policies
Access-Control-Allow-Headers
X-Download-Options
X-Via
X-Pad
X-Backend
X-ShopId
X-Dc
X-Cdn
X-ShardId
X-Alternate-Cache-Key
Upgrade
X-Mod-Pagespeed
X-Logged-In
X-UA-Device
X-SERVER
X-Served-By
Powered-By
X-ServedBy
X-PC-Key
X-PC-Hit
Content-Encoding
X-Contextid
X-Cache-Hit
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Cache-Status
X-Port
X-Host
X-Tumblr-Pixel-1
X-Varnish-Cache
X-PC-Host
X-PC-Date
X-Accel-Version
X-PC-AppVer
X-Cnection
X-Robots-Tag
X-Tumblr-Pixel-2
X-Timer
X-Cache-Lookup
X-Amz-Cf-Id
CF-Cache-Status
X-Rack-Cache
MicrosoftOfficeWebServer
X-XRDS-Location
SPRequestGuid
Alt-Svc
X-SharePointHealthScore
X-Page-Speed
X-Webserver
X-PhApp
MicrosoftSharePointTeamServices
X-Safe-Firewall
X-Content-Powered-By
X-AH-Environment
X-Request-Country
X-Server-Powered-By
X-Turbo-Charged-By
X-MS-InvokeApp
X-Tumblr-Pixel-3
Request-Id
Public-Key-Pins
X-Content-Digest
X-INKT-URI
Timing-Allow-Origin
X-INKT-SITE
X-GitHub-Request-Id
X-Cache-Enabled
X-Node
Grace
X-Swift-SaveTime
Liferay-Portal
EagleId
X-Swift-CacheTime
X-HeyJason
Permitted-Cross-Domain-Policies
X-Seen-By
X-Content-Security-Policy
SPIisLatency
X-Server-Name
X-Wix-Renderer-Server
X-Wix-Request-Id
SPRequestDuration
Served-By
X-Cf-Powered-By
Rating
X-Proxy-Cache
X-LiteSpeed-Cache
X-Nginx-Cache-Status
X-Hits
Xkey
DynaTrace
X-Styx-Req-Id
PageSpeed
X-Pantheon-Styx-Hostname
X-Styx-Version
X-Pantheon-Endpoint
Access-Control-Expose-Headers
Access-Control-Max-Age
X-Amz-Request-Id
Composed-By
Surrogate-Key-Raw
X-Amz-Id-2
Content-Security-Policy-Report-Only
X-TNCMS
Content-Script-Type
X-Tumblr-Content-Rating
X-FW-Serve
X-Drupal-Dynamic-Cache
X-XN-XNHTML
X-Loop
Cf-Railgun
X-Firenze-Processing-Times
Surrogate-Key
X-XN-Trace-Token
X-VCache
X-FW-Static
X-FW-Hash
X-FW-Type
Real-Hostname
Content-Style-Type
X-Tumblr-Pixel-4
X-Fastly-Request-ID
Access-Control-Allow-Method
X-Whom
X-FB-Debug
X-CDN-Pop
X-AOL-HN
Public-Key-Pins-Report-Only
X-ServerName
X-CDN-Pop-IP
X-FullPageCaching
Charset
X-Cached-By
X-Dw-Request-Base-Id
X-Hyper-Cache
Display
X-Sol
X-Middleton-Display
X-DDC-Arch-Trace
X-Middleton-Response
Refresh
X-Age
Response
X-DynaTrace
X-Cache-Server
Cartoon
X-URL
X-Device
X-Microcache
X-Server-ID
X-Cached
X-Backend-Server
X-Cloud-Trace-Context
Product
Fastly-Debug-Digest
TCN
X-AspNetWebPages-Version
X-Content-Options
X-Micro-Cache
X-Newrelic-App-Data
X-Tumblr-Pixel-5
MIME-Version
X-Cache-Result
X-Spip-Cache
X-Hostname
X-UD-Method
Origin
X-Mobile-URL
X-Expires-Orig
X-Generated-By
Content-Encoding-Handler
X-Umbraco-Version
X-User-Agent
Fpc-Cache-Id
X-DynaTrace-JS-Agent
X-BC-Stapler
X-Goog-Hash
X-Nurl
X-NFE
X-Nhost
Pics-Label
Cache
Rt-Fastcgi-Cache
NS-RTIMER-COMPOSITE
Fastcgi-Cache
MJ12bot
Generator
X-LiteSpeed-Cache-Control
X-Jimdo-Instance
X-Vcap-Request-Id
X-Tumblr-Pixel-6
X-WebKit-CSP
X-Jimdo-Wid
X-CDN-Forward
X-Matrix-Proxy
X-Clacks-Overhead
X-CJ-Soft
Backend
X-Daa-Tunnel
X-Duration
ServedBy
ServerID
X-Forwarded-For
X-Matrix-Server
X-Cache-Config
SEOMOZ
ServerName
X-HP-Trace-Project
RTSS
X-HP-Trace-ID
X-MiniProfiler-Ids
X-Recruiting
X-Px
Edge-Control
A-Powered-By
Server-Name
X-Cache-Debug
X-ApacheServer
Arr-Disable-Session-Affinity
X-Developer
Host
X-DNS-Prefetch-Control
Content-Hash
X-Domain-Checked
X-BS
CC-CACHE
Content-MD5
Alternate-Protocol
X-App-Status
X-Varnish-Ttl
X-I-Sp
X-Varnish-IP
X-Fastcgi-Cache
X-CMS-Version
X-Cache-Doesi
X-Provisioner-Version
X-PERF
CT
X-Purge-Host
Akamai-IP
SN
X-Purge-URL
X-Gamma-Serve
X-Webcelerate
X-GUploader-UploadID
X-Returned-From-PostProcessResponse
X-Directory-Script
X-SV-Duration
X-Empowered-By
X-SV-Edge
X-DefendeR-Runtime
X-Handled-By
X-Engine
Author
Magicmarker
X-Symfony-Cache
Cm-Server
Last-Published
WZWS-RAY
Ram:
Mobiquo-Is-Login
X-SV-FromDBCache
X-SV-Nginx-Duration
X-SV-Pid
X-SV-Expires
X-Goog-Metageneration
X-Cache-Expires
X-Cache-Control-Orig
X-Goog-Generation
X-Varnish-Beresp-Status
X-Varnish-Cacheable
X-Kinsta-Cache
X-Varnish-Beresp-Grace
X-Varnish-Cache-Hits
X-Varnish-Beresp-Ttl
X-I
X-Cache-Key
X-Debug
X-DB-Content-Length
X-Frames-Options
X-Goog-Stored-Content-Length
Beyond-Iis
X-DefendeR-Status
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
Imagetoolbar
X-Device-Type
X-ID
X-Atraveo-Zone
X-Microcachable
X-Microcache-Status
X-Atraveo-ETag
X-Atraveo-Varnish-Server-Id
X-Atraveo-Expires
X-Mobilized-By
Cpu:
X-Atraveo-Set-Cookie
X-Atraveo-TTL
Fhost
X-Atraveo-Cache-Control
X-Outils-CS
Front-End-Https
X-Original-Request
X-Actual-URL
X-Passed-To-BeforeDispatch
X-Passed-To-PostProcessResponse
X-Passed-To
X-Passed-To-DLL
X-Tumblr-Adult-Blog
X-Atraveo-Param-Rm
X-Location-Id
X-Request-Time
X-ServerID
PServer
X-ServerIndex
X-Returned-From
X-Returned-From-BeforeDispatch
X-Translation
X-SV-CreatedAt
X-Atraveo-From-Varnish-Cache
X-Returned-From-DLL
Noq:
WWW-Authenticate
X-Powered-By-360WZB
X-SV-CacheTags
X-Varnish-Age
Node
X-Stale
X-Amz-Version-Id
X-Processing-Time
X-Nginx-Cache
Thanks
Surrogate-Control
X-Cookie-Domain
X-Front
X-From
X-Country-Code
X-Content-Encoded-By
X-Cluster
X-DPWN-IS-SECURE
X-Config-By
X-Content-Age
X-Content-Type
Tracecode
Ttl
X-Powered-By-Anquanbao
WWW
X-GeoIP
X-Powered-By-VTEX-Janus-ApiCache
X-Powered-By-VTEX-Janus-Edge
Realaction
SRV
Surrogate-Keys
X-ProcessTime
X-B
X-Key
X-Goog-Meta-Policy
X-F-Cache
X-Environment
X-ENV
X-Goog-Meta-Replace
X-Grid-Server
X-Domino-CacheValidationWithETagResult
X-Platform-Server
X-Cache-CFC
X-Cache-Control
X-EDGECONNECT-GUID-DEBUG
X-Ec-Custom-Error
X-Domino-CacheValidationWithETagReason
X-Firenze-Processing-Time
X-Framework
X-Client-IP
X-Drupal-Cache-Tags
X-Does-He-Have-Time
X-Discourse-Route
X-DN-Cache-Control
X-Do-Not-Hack
X-DSMX-Rewrite-MS
X-ClientSide-Caching
X-Origin
X-App-Hosting
X-APP
X-Pj-Cache-Key
X-Pj-Cache-Gzip
X-Name
X-Nbs
X-ATG-Version
X-NoCache
X-Nginx-Host
X-NetCat-Version
X-Pj-Cache-Flags
X-Pj-Cache-Expires
X-Analytics
X-Apm-Telemetry-Syncmark
X-AWS-Id
X-Browser
X-Amz-Meta-S3cmd-Attrs
X-Akamai-Device-Model
X-Pixelsilk-Version
X-Pixelsilk-Server
X-ACLR-Version
X-Akamai-Device-Characteristics
X-OneAgent-JS-Injection
X-OPNET-Transaction-Trace
X-Response-Time
X-RESOURCE
X-Resolver-IP
X-RequestId
Referrer-Policy
X-Rocket-Nginx-Bypass
X-Plat-Be-Ip
X-Rack-Cors
X-RateLimit-Limit
X-Route
S
Section-Io-Id
X-Pj-Cache-Status
X-Pagename
X-ARC
X-Original-Host
X-Pj-Cache-Time
X-Plat
Server-Info
X-RateLimit-Reset
X-RateLimit-Remaining
X-Plat-Va-Ip
Cneonction
Cmstype
X-Varnish-HitMiss
Ews
X-Varnish-Hits
X-We-Are-Hiring
X-Source
X-Worker
No
Backend-Timing
X-Your-GrandPa-Would-Wait
X-Varnish-Host
Filter-Revision
X-URLSCHEME
COMMERCE-SERVER-SOFTWARE
X-UPSTREAM
Cmsid
CpuTime
X-Varnish-Count
From-Origin
X-Varnish-ObjectSource
X-Varnish-RemainingLife
X-Varnish-GracePeriod
Proxy-Agent
X-Session-Reinit
NetMindSessionID
MC
Qs-Cache
MW-Webserver
X-Storage
Bios
Yoncu-Errno
Ngpass-Vcall
Proxy-Cache
Buuteeq-Source
NtCoent-Length
Access-Control-Request-Method
Actioncode
X-Would-Your-GrandPa-Wait
Powered
Ozcache
Page-Completion-Status
X-Yadis-Location
X-Zen-Fury
X-Server-IP
PowerCDN
Content-Instance
X-Varnish-Cache-Control
X-CacheServer
X-Captured
X-Hit-Cache
X-CCM
X-Cache-Set
X-Cache-Rule
X-S
X-B2f-Not-Route
X-Cache-Info
X-Cache-Operation
X-Hash
X-Checkout
X-Beatles-Hits
X-BKSrc
X-Blog
X-LJ-Flow-ID
X-Beatles
X-Balanceador
X-HA
X-Gyrobase-Publication
X-IIJ-Cache
X-IP-Address
X-VWS-Id
Cdate
X-VTEX-Cache-Status-Janus-Edge
X-VTEX-Janus-Router-Backend-App
X-Vtex-Processado-Em:
X-Vtex-Processed-At
X-VTEX-Cache-Status-Janus-ApiCache
Cached
X-Varnish-Cache-Local
X-Varnish-RemainingTTL
X-Varnish-Seen-By
X-Varnish-Backend
X-Vtex-Remote-Cache
X-Track
Il-Cl
X-TTL-Age
X-VC-TTL
X-TTL
Hostname
CLMOB
X-Transaction-Id
X-VERSION
Host-Name
X-DSMX-Render-MS