
SANS ISC / DShield: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
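The counting method described above (one HEAD request per site, every response header name tallied, security-relevant ones picked out) can be reproduced offline. The following is an added example, not the ISC/DShield project's own collector: it parses raw HTTP/1.x response heads, counts each header name once per site (case-insensitively, since header names are case-insensitive even though the table above records variants such as P3P and P3p separately), and reports which of a small set of security headers each site sends. The three sample responses and the `.test` hostnames are constructed for the example; the `SECURITY_HEADERS` set is this example's own choice, drawn from names that appear in the table.

```python
"""Tally HTTP response headers from HEAD responses and flag security-relevant ones.

Added example (not the ISC/DShield project's own code). Sample responses are
constructed, not real measurements.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Headers this example treats as security relevant (assumption: our own set,
# chosen from names that appear in the ISC table).
SECURITY_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "x-xss-protection",
    "referrer-policy",
)


def parse_head_response(raw: bytes) -> Tuple[int, Dict[str, List[str]]]:
    """Parse the status line and headers of an HTTP/1.x response head.

    Returns (status_code, headers) with header names lower-cased; repeated
    headers (e.g. several Set-Cookie lines) are kept as a list. Obsolete folded
    continuation lines are joined, since older servers still emit them.
    """
    text = raw.decode("iso-8859-1")           # HTTP headers are byte-oriented
    head = text.split("\r\n\r\n", 1)[0]       # ignore any body bytes
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])
    headers: Dict[str, List[str]] = {}
    last_name = None
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and last_name is not None:
            headers[last_name][-1] += " " + line.strip()   # folded continuation
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: skip it rather than abort the tally
        last_name = name.strip().lower()
        headers.setdefault(last_name, []).append(value.strip())
    return status, headers


def tally_headers(responses: Dict[str, bytes]) -> Counter:
    """Count, per header name, how many sites sent it at least once."""
    counts: Counter = Counter()
    for raw in responses.values():
        _, headers = parse_head_response(raw)
        counts.update(headers.keys())   # dict keys are already unique per site
    return counts


def security_header_report(responses: Dict[str, bytes]) -> Dict[str, Dict[str, bool]]:
    """For each site, record which of SECURITY_HEADERS are present."""
    report: Dict[str, Dict[str, bool]] = {}
    for site, raw in responses.items():
        _, headers = parse_head_response(raw)
        report[site] = {h: h in headers for h in SECURITY_HEADERS}
    return report


# Constructed sample HEAD responses (hostnames and values are made up).
SAMPLE_RESPONSES = {
    "example-a.test": (
        b"HTTP/1.1 200 OK\r\n"
        b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
        b"Server: nginx\r\n"
        b"Content-Type: text/html; charset=utf-8\r\n"
        b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        b"X-Frame-Options: DENY\r\n"
        b"X-Content-Type-Options: nosniff\r\n"
        b"Content-Security-Policy: default-src 'self'\r\n"
        b"Set-Cookie: a=1; Secure; HttpOnly\r\n"
        b"Set-Cookie: b=2; Secure\r\n"
        b"\r\n"
    ),
    "example-b.test": (
        b"HTTP/1.1 200 OK\r\n"
        b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
        b"Server: Apache\r\n"
        b"X-Powered-By: PHP/7.4\r\n"
        b"content-type: text/html\r\n"     # lower-case name, same header
        b"X-XSS-Protection: 1;\r\n"
        b" mode=block\r\n"                 # folded continuation line
        b"\r\n"
    ),
    "example-c.test": (
        b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Location: https://example-c.test/\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    ),
}

if __name__ == "__main__":
    for name, n in tally_headers(SAMPLE_RESPONSES).most_common():
        print(f"{n:4d}  {name}")
    for site, present in security_header_report(SAMPLE_RESPONSES).items():
        missing = [h for h, ok in present.items() if not ok]
        print(site, "missing:", ", ".join(missing) or "none")
```

To run it against live sites, `raw` would be the bytes returned by an HTTP HEAD request (for example the status line and `getheaders()` output from `http.client.HTTPSConnection`), keyed by hostname. Note that a redirecting index page such as `example-c.test` answers with a handful of headers and none of the security set, which is one reason a single HEAD of the bare hostname undercounts headers that are only set on the final page.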



All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Set-Cookie
Connection
Cache-Control
Vary
X-Powered-By
Expires
Content-Length
Pragma
Link
Last-Modified
Accept-Ranges
ETag
X-Content-Type-Options
X-Frame-Options
CF-RAY
X-AspNet-Version
X-XSS-Protection
X-Cache
Age
Strict-Transport-Security
P3P
Content-Language
X-Pingback
Via
X-UA-Compatible
X-Adblock-Key
Access-Control-Allow-Origin
X-Cacheable
X-Language
X-Check
X-Template
Content-Security-Policy
X-Varnish
X-Buckets
Upgrade
X-Request-ID
X-Generator
X-AspNetMvc-Version
X-Drupal-Cache
X-Permitted-Cross-Domain-Policies
X-Download-Options
X-Type
X-Cache-Group
X-Pass-Why
X-ShopId
Host-Header
X-ShardId
X-Alternate-Cache-Key
X-Sorting-Hat-Section
X-Sorting-Hat-PodId-Cached
X-Sorting-Hat-ShopId
X-Sorting-Hat-ShopId-Cached
X-Dc
X-Sorting-Hat-PodId
X-Runtime
Content-Location
X-Powered-By-Plesk
X-Amz-Cf-Id
X-UA-Device
X-Cache-Hits
Alt-Svc
Status
X-Served-By
P3p
X-Backend
X-IPLB-Instance
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Seen-By
X-Tumblr-User
X-Wix-Renderer-Server
X-Wix-Request-Id
X-Ac
X-Hacker
X-CST
X-Wix-PunisherID
X-Tumblr-Pixel-1
X-Died
X-Forwarded-For
X-Powered-CMS
Cartoon
X-Request-Id
X-Forwarded-Proto
X-Cache-Hit
X-Tumblr-Pixel-2
X-Via
X-Port
Access-Control-Allow-Headers
Powered-By
MS-Author-Via
X-Cache-Status
X-Timer
Access-Control-Allow-Methods
X-ServedBy
X-Contextid
Access-Control-Allow-Credentials
X-PC-Key
X-PC-Hit
X-Cache-Enabled
X-Tumblr-Pixel-3
X-PC-Date
X-PC-Host
X-PC-AppVer
X-TEC-API-ROOT
X-TEC-API-VERSION
X-TEC-API-ORIGIN
X-Turbo-Charged-By
Keep-Alive
X-Iinfo
X-Server-Powered-By
CF-Cache-Status
X-Logged-In
Content-Encoding
X-Nginx-Cache-Status
X-Server
X-Page-Speed
X-Endurance-Cache-Level
X-Robots-Tag
X-Pantheon-Styx-Hostname
Surrogate-Key-Raw
X-Styx-Req-Id
X-Mod-Pagespeed
Fastly-Debug-Digest
Referrer-Policy
X-CDN
WP-Super-Cache
Rating
X-Tumblr-Pixel-4
X-Tumblr-Content-Rating
X-Host
X-Rack-Cache
X-CF-Powered-By
X-GitHub-Request-Id
X-Proxy-Cache
X-Content-Digest
X-Original-Date
X-Accel-Version
X-DIS-Request-ID
X-Drupal-Dynamic-Cache
Content-Security-Policy-Report-Only
Content-MD5
X-Content-Powered-By
X-AWS-Id
X-VWS-Id
X-LJ-Flow-ID
X-Safe-Firewall
X-Pad
X-Varnish-Cache
X-SharePointHealthScore
SPRequestGuid
X-LiteSpeed-Cache
MicrosoftSharePointTeamServices
Cf-Railgun
X-MS-InvokeApp
X-FW-Hash
X-FW-Type
X-FW-Static
X-FW-Serve
Charset
X-Amz-Request-Id
Request-Id
Xkey
X-Amz-Id-2
X-Cnection
SPRequestDuration
SPIisLatency
Timing-Allow-Origin
X-Hits
X-CDN-Pop-IP
X-CDN-Pop
X-FullPageCaching
Surrogate-Key
X-Content-Security-Policy
X-AH-Environment
X-Pantheon-Site
X-Cache-Lookup
X-Pantheon-Phpreq
X-Pantheon-Environment
X-Microcache
X-ServerName
Public-Key-Pins
EagleId
X-Swift-SaveTime
MicrosoftOfficeWebServer
X-Swift-CacheTime
X-Hyper-Cache
X-Fastly-Request-ID
Liferay-Portal
X-Tumblr-Pixel-5
Access-Control-Max-Age
X-Cloud-Trace-Context
X-XRDS-Location
Fpc-Cache-Id
X-Device
X-Cached
X-Backend-Server
X-DDC-Arch-Trace
Edge-Control
X-Acc-Exp
X-Server-Name
Front-End-Https
X-Sol
X-Middleton-Response
X-Amz-Version-Id
Response
X-Middleton-Display
PageSpeed
Display
Request-Context
X-Node
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Dw-Request-Base-Id
Composed-By
X-Tumblr-Pixel-6
X-Clacks-Overhead
Grace
X-INKT-SITE
X-INKT-URI
X-RateLimit-Limit
X-Jimdo-Instance
X-Jimdo-Wid
X-RateLimit-Remaining
X-RateLimit-Reset
X-Correlation-Id
Access-Control-Expose-Headers
X-User-Agent
X-Cache-Config
X-Request-Country
Served-By
X-Cache-Only-Varnish
X-URL
X-Revision
X-Page-Cache
X-Fastcgi-Cache
X-Dispatch
X-LiteSpeed-Cache-Control
X-HS-Content-Id
X-HS-Cache-Config
X-WebKit-CSP
X-Magento-Tags
X-Px
Content-Hash
Edge-Cache-Tag
X-Newrelic-App-Data
Content-Style-Type
Content-Script-Type
X-Content-Options
X-BC-Stapler
X-Spip-Cache
X-Goog-Hash
X-Cache-Rule
X-SE-Debug
X-Varnish-Cache-Hits
X-FB-Debug
X-Age
X-I-Sp
X-Recruiting
X-Rocket-Nginx-Bypass
Cache-Key
Refresh
X-VCache
Fhost
Alternate-Protocol
X-Generated-By
Access-Control-Request-Method
X-BS
HTTPS
X-MiniProfiler-Ids
X-Varnish-Backend
Real-Hostname
X-DynaTrace
X-Dns-Prefetch-Control
X-Loop
X-TNCMS
Pool
X-Micro-Cache
Product
X-XN-Trace-Token
X-XN-XNHTML
IM-Version
X-Zen-Fury
X-Cached-By
X-StackifyID
X-Application-Context
X-Handled-By
X-Srv
X-PERF
X-CMS-Version
Surrogate-Control
X-LB
X-Request-Time
X-ApacheServer
X-N-OperationId
X-DynaTrace-JS-Agent
X-Origin
X-Hostname
Powered
X-Engine
X-CacheServer
X-Powered-By-VTEX-Janus-ApiCache
X-VTEX-Janus-Router-Backend-App
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
X-VTEX-Cache-Status-Janus-ApiCache
X-Track
X-Vtex-Processed-At
X-Powered-By-VTEX-Janus-Edge
X-Proxy
X-Platform
No
X-Hosted-By
X-DNS-Prefetch-Control
X-Shop-Id
DynaTrace
X-Developer
X-Defender
X-AspNetWebPages-Version
TCN
X-Umbraco-Version
X-Varnish-Host
X-Route-Server
P-LB
X-NWS-LOG-UUID
X-Traffic
X-Amz-Meta-S3cmd-Attrs
X-ARC
Web-App-Origin-Name
X-Varnish-Cacheable
X-Supported-By
X-Route-To
Accept-Encoding
Host
X-Served-Server
X-Hypernode
X-Discourse-Route
P-WS
X-Cache-Engine
X-Magento-Cache-Debug
SiteSpeed
X-Kinsta-Cache
X-RequestId
X-Ruxit-JS-Agent
X-Session-ID
X-Location-Id
X-OneAgent-JS-Injection
X-Loopia-Node
X-Optimization
X-Runtime-Memory
X-Hiawatha-Cache
X-Device-Type
X-Front
Content-Encoding-Handler
Strikingly-Cached
X-SRCache-Key
X-Browser
X-Source
X-VARITI-CCR
Generator
X-Signature
X-VC-Enabled
X-Varnish-Age
X-VC-TTL
Strikingly-Cached-Version
X-Content-Encoded-By
X-AF-Userserver
Rt-Fastcgi-Cache
Last-Published
WZWS-RAY
S
OriginServer
Traffic-Origin
X-Author
X-HA-Backend
WWW-Authenticate
X-Culture
SBMCLOUD
Max-Age
Ufe-Result
ViewMode
X-Internal-ReqID
X-JSESSIONID
X-UA
X-Whom
X-TransIP-Balancer
X-TransIP-Backend
X-LBPoolMember
EagleEye-TraceId
Dispatcher
X-Instart-Request-ID
X-Lambda-Id
X-HashTwo
X-HA-Frontend
X-Data-Request
X-Flow-Powered
X-Magento-Cache-Control
X-Pageid
X-VTEX-Cache-Status-Janus-Edge
X-Webserver
X-Sucuri-ID
X-Sucuri-Cache
X-Powered-By-360WZB
X-Daa-Tunnel
CP
X-JG-Page-Cache
X-GeoIP-Country-Code
X-Microcachable
X-Microcache-Status
X-Returned-From-PostProcessResponse
X-Returned-From-DLL
X-Fedora-School-Id
Imagetoolbar
Use-Proxy
X-Resty-Request-Id
X-Actual-URL
Node
X-Cache-TTL
X-Returned-From-BeforeDispatch
X-Passed-To-PostProcessResponse
X-Stale
X-Varnish-Beresp-Ttl
X-Original-Request
X-WN-ClientGroup
X-Passed-To
WN
X-Passed-To-BeforeDispatch
X-Varnish-Beresp-Status
X-Varnish-Beresp-Grace
X-NB-Cached-Page
X-Middleware-Start
X-NetCat-Version
X-Passed-To-DLL
X-UPSTREAM
X-Translation
X-Returned-From
ServedBy
X-RESOURCE
Webluker-Edge
X-Goog-Metageneration
X-Platform-Server
SSPAppContext
Powered-By-ChinaCache
X-Platform-Router
X-Goog-Generation
X-Server-Instance
X-Tag-Playlist
X-Topify-Platform
X-Speed-Cache-Key
X-Speed-Cache
X-Always-Cache
X-GeoIP-Country-Name
Origin
Lsrequestid
X-OpenCart-Lightning
Allow
X-Goog-Stored-Content-Encoding
X-NoCache
X-Goog-Stored-Content-Length
X-GUploader-UploadID
X-IsCacheURL
X-Outils-CS
X-Goog-Storage-Class
Content-Disposition
Fastcgi-Cache
Cache-Tag
X-Platform-Processor
X-Platform-Cache
X-Platform-Cluster
X-Unbounce-PageId
X-Shield-Request-Id
X-Srcache-Store-Status
X-Srcache-Fetch-Status
X-Cookie-Domain
X-Cache-Server
X-Cache-Operation
X-Cache-Age
X-Unbounce-Variant
X-Cache-Debug
X-Url
X-CSRF-Token
FAI-W-FLOW
X-Worker
X-F-Cache
Fw-Via
X-Expires-Orig
Pv
X-Edge-Location
X-Varnish-TTL
X-Cache-Control-Orig
X-Varnish-GracePeriod
X-Varnish-ObjectSource
X-B-Cache
X-URLSCHEME
X-Unbounce-VisitorID
X-Varnish-RemainingLife
X-Varnish-RemainingTTL
X-Varnish-Seen-By
X-SV-Nginx-Duration
X-SV-Cacheable
X-SSL-Protocol
X-SV-Pid
X-SV-CacheTags
X-UPSTREAM-Address
X-Time
X-SV-Duration
X-Server-Upstream
X-SV-Edge
X-SV-Expires
X-Varnish-Auto-Cache-Miss
X-SS-Location
X-SSL-Cipher
X-SV-CreatedAt
X-SV-FromDBCache
X-Storage
X-SS-Conf
X-Response-Time
X-Connection-Hash
X-Served
X-Transaction
X-Cf-Powered-By
X-Amz-Storage-Class
X-Wikidot-Static-Cache
Backend
X-Twitter-Response-Tags
X-Test
X-Info
X-V
X-Debug-Token
Lb
X-WHOIS-Cached
X-Xrds-Location
X-Wikidot-Backend
X-Upstream
X-Version
Access-Control-Allow-Method
X-Varnish-Mode
X-Varnish-IP
X-Varnish-Debug-Hits
X-Varnish-Debug-TTL
CacheControlHeader
X-Accel-Expires
X-PhApp
X-Req-Head-Response
X-Node-Name
X-Map-Context
X-Cache-CFC
X-Cache-Info
X-Varnish-Debug-Age
X-FireWall-Port
NLCacheNote
NS-VaryByCustom-Key
Og
Magicmarker
Keywords
Gzip
If-Modified-Since
PagesDisplayed
RSB-LINK
Version
X-App-Hosting
X-Cache-Action
USPLoggingUUID
SVR
S-Cnection
Set-Cookie2
Frame-Options
F5-IpCliente
AR-ATIME
AR-CACHE
AR-PoweredBy
Aoestatic
AMF-Ver
A-Powered-By
Accept-Charset
AR-SID
ClientIP
ENV
EQ-Cache
Ews
Drupal-Pagecache-Memcache
Description
Content-Legth
Content-Transfer-Encoding
X-Cache-Control
X-Cache-Expires
X-LP
X-M
X-Made-On
X-Location
X-LB-Server
X-Geo-Country
X-Id
X-Magento-Action
X-Magento-Lifetime
X-Processing-Time
X-Purge-Host
X-Purge-URL
X-Powered-By-VelaWeb
X-Powered-By-Home.Pl
X-N
X-ORACLE-DMS-ECID
X-Gamma-Serve
X-Fpc
X-Cname-TryFiles
X-DealerOn
X-Debug
X-Cache-Tags
X-Cache-PageType
X-Cache-Fix
X-Cache-Key
X-Deity
X-Edge-IP
X-Flex-Lastmod
X-Flex-Tag
X-Flex-Tags
X-Flex-Lang
X-Flex-Evstart
X-Flex-Community
X-Flex-Evend
X-S