
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
Cache-Control
X-Powered-By
Vary
Expires
Content-Length
Last-Modified
Pragma
Accept-Ranges
Link
ETag
X-Content-Type-Options
X-XSS-Protection
X-Frame-Options
X-Pingback
P3P
X-Cache
X-AspNet-Version
Content-Language
Age
CF-RAY
X-UA-Compatible
Strict-Transport-Security
Via
X-Adblock-Key
Access-Control-Allow-Origin
X-Varnish
X-Template
X-Language
X-Check
P3p
X-Buckets
X-Generator
X-Cacheable
X-Drupal-Cache
Content-Location
X-Hacker
X-Ac
X-AspNetMvc-Version
X-Request-Id
X-Powered-By-Plesk
MS-Author-Via
X-Type
X-Pass-Why
X-Cache-Group
X-Runtime
WP-Super-Cache
X-Cache-Hits
X-Powered-CMS
Ngpass-Ngall
Status
Host-Header
Access-Control-Allow-Credentials
X-Iinfo
Content-Security-Policy
Keep-Alive
Access-Control-Allow-Headers
X-Permitted-Cross-Domain-Policies
X-Download-Options
X-Mod-Pagespeed
Access-Control-Allow-Methods
X-ShardId
X-ShopId
X-Dc
X-Alternate-Cache-Key
Upgrade
X-Pad
X-UA-Device
X-Via
X-Backend
X-Logged-In
X-Served-By
X-Host
X-Server
X-Contextid
X-PC-Key
X-Tumblr-Pixel-0
X-PC-Hit
X-Tumblr-User
X-Tumblr-Pixel
Content-Encoding
X-Cache-Status
Powered-By
X-CDN
X-Request-ID
X-Tumblr-Pixel-1
X-ServedBy
X-Cache-Hit
X-Cnection
X-Accel-Version
X-Tumblr-Pixel-2
X-Robots-Tag
X-Port
X-Varnish-Cache
X-PC-Date
X-PC-Host
X-PC-AppVer
X-Timer
SPRequestGuid
X-Cache-Lookup
X-SharePointHealthScore
X-Amz-Cf-Id
X-XRDS-Location
MicrosoftSharePointTeamServices
X-MS-InvokeApp
X-Request-Country
MicrosoftOfficeWebServer
CF-Cache-Status
Alt-Svc
X-Rack-Cache
X-Content-Powered-By
X-AH-Environment
X-Tumblr-Pixel-3
X-Turbo-Charged-By
X-Server-Powered-By
X-Safe-Firewall
X-Node
X-Page-Speed
X-Webserver
X-Wix-Request-Id
X-Seen-By
X-Wix-Renderer-Server
Request-Id
X-Content-Digest
X-PhApp
X-INKT-SITE
X-INKT-URI
Public-Key-Pins
X-Cache-Enabled
X-FullPageCaching
SPIisLatency
X-GitHub-Request-Id
SPRequestDuration
Timing-Allow-Origin
X-Cdn
Composed-By
X-Proxy-Cache
X-Drupal-Dynamic-Cache
Served-By
Cf-Railgun
Liferay-Portal
X-SERVER
X-Styx-Version
Permitted-Cross-Domain-Policies
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
Xkey
X-HeyJason
Surrogate-Key-Raw
X-Amz-Id-2
X-Server-Name
X-Amz-Request-Id
X-XN-XNHTML
X-XN-Trace-Token
Charset
X-Content-Security-Policy
X-Hits
Access-Control-Expose-Headers
Content-Security-Policy-Report-Only
Rating
Surrogate-Key
X-FW-Hash
X-Nginx-Cache-Status
Grace
X-Swift-SaveTime
X-Swift-CacheTime
X-FW-Static
X-FW-Type
X-FW-Serve
X-Spip-Cache
Content-Script-Type
Content-Style-Type
EagleId
X-Tumblr-Content-Rating
X-Tumblr-Pixel-4
X-Firenze-Processing-Times
Access-Control-Max-Age
X-Hyper-Cache
X-VCache
Access-Control-Allow-Method
X-FB-Debug
X-Loop
Real-Hostname
X-TNCMS
X-CDN-Pop-IP
X-CDN-Pop
Public-Key-Pins-Report-Only
X-Cache-Server
X-Servedby
X-LiteSpeed-Cache
X-Dw-Request-Base-Id
X-Device
X-CF-Powered-By
X-Age
X-Cache-Result
X-Fastly-Request-ID
X-Clacks-Overhead
DynaTrace
Cartoon
X-Tumblr-Pixel-5
X-ServerName
Fastly-Debug-Digest
X-DynaTrace
X-Whom
X-Cached-By
X-Backend-Server
X-Generated-By
Fpc-Cache-Id
PageSpeed
X-Cached
Surrogate-Control
X-User-Agent
NS-RTIMER-COMPOSITE
X-DDC-Arch-Trace
TCN
X-DynaTrace-JS-Agent
X-Newrelic-App-Data
X-Cache-Config
Edge-Control
X-MiniProfiler-Ids
X-Cloud-Trace-Context
Refresh
X-Art-Request-Id
X-Px
X-Content-Options
ServedBy
X-Matrix-Server
X-Matrix-Proxy
X-Msg-2-Log
Product
X-Tumblr-Adult-Blog
X-URL
X-BC-Stapler
X-From
Imagetoolbar
X-Tumblr-Pixel-6
X-AspNetWebPages-Version
X-TTL
X-Outils-CS
X-Umbraco-Version
X-EC-Security-Audit
X-CMS-Version
X-Magnolia-Registration
X-Jimdo-Instance
Rt-Fastcgi-Cache
X-Jimdo-Wid
X-Varnish-Cache-Hits
X-Varnish-Host
X-WebKit-CSP
X-Server-ID
X-Expires-Orig
X-Recruiting
Origin
X-FORWARDED-FOR
Response
X-Micro-Cache
X-Country-Code
Front-End-Https
X-Passed-To-BeforeDispatch
X-Passed-To
X-Original-Request
X-Passed-To-DLL
X-Passed-To-PostProcessResponse
X-Returned-From-PostProcessResponse
MIME-Version
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
X-LiteSpeed-Cache-Control
X-Returned-From
X-Url
X-Actual-URL
X-Handled-By
X-Fastcgi-Cache
X-Goog-Hash
X-Middleton-Response
X-Sol
SN
Display
X-Middleton-Display
X-Cache-Info
X-Stale
X-Zen-Fury
Server-Info
X-Forwarded-For
WZWS-RAY
X-Duration
X-Platform
X-Powered-By-360WZB
Surrogate-Keys
Alternate-Protocol
X-Varnish-Beresp-Status
X-Varnish-Beresp-Ttl
X-Engine
X-CJ-Soft
X-Gamma-Serve
X-Varnish-Beresp-Grace
X-App-Hosting
X-Daa-Tunnel
ServerID
Pics-Label
X-Cf-Powered-By
Referrer-Policy
X-Microcachable
X-PERF
X-UD-Method
X-DNS-Prefetch-Control
X-ApacheServer
Node
X-Request-Time
X-AOL-HN
Fastcgi-Cache
Ag-Server-Time
Ag-Execution-Time
Ag-Send-Time
ServerName
Generator
X-Varnish-Cacheable
X-NetCat-Version
IBM-Web2-Location
X-BS
Powered-By-ChinaCache
X-Cache-Debug
X-Cache-Rule
X-Varnish-TTL
Content-Security-Policy-Rerport-Only
X-Varnish-Backend
X-Location-Id
RTSS
Host
X-Translation
X-SV-Duration
X-Device-Type
X-SV-Edge
X-SV-Expires
X-SV-FromDBCache
X-SV-Pid
X-SV-CacheTags
X-SV-CreatedAt
Content-Disposition
X-I-Sp
X-SV-Nginx-Duration
X-Microcache-Status
X-Track
X-Varnish-Age
X-NFE
X-I
X-Mobile-URL
X-B2f-Cache-Load
X-Nhost
Fhost
X-Nurl
X-Akamai-Device-Characteristics
X-Akamai-Device-Model
X-Client-IP
X-HOSTNAME
X-Nginx-Host
Backend
X-Cache-Control-Orig
X-Cache-Operation
X-Storage
X-S
X-CacheServer
X-Hostname
X-Varnish-RemainingTTL
X-Rocket-Nginx-Bypass
X-Varnish-RemainingLife
MJ12bot
Content-Encoding-Handler
X-Varnish-Seen-By
X-Varnish-ObjectSource
X-Varnish-GracePeriod
X-Origin
SEOMOZ
X-BKSrc
X-URLSCHEME
X-Hosted-By
Edge-Control-Message
X-ATG-Version
X-NoCache
USPLoggingUUID
X-Microcache
X-RESOURCE
X-CDN-Forward
X-Content-Age
X-UPSTREAM
X-Varnish-HitMiss
X-Varnish-Hits
X-Abuse
X-Cache-Expires
Lsrequestid
X-Varnish-Count
Access-Control-Request-Method
Server-Name
Proxy-Agent
Cache
X-Response-Time
CC-CACHE
X-Amz-Version-Id
X-Cookie-Domain
X-Nbs
A-Powered-By
X-Symfony-Cache
Content-MD5
X-ServerID
X-Debug
X-Version
Powered
Magicmarker
SRV
PICS-Label
X-Firenze-Processing-Time
X-VTEX-Janus-Router-Backend-App
X-VTEX-Cache-Status-Janus-Edge
X-VTEX-Cache-Status-Janus-ApiCache
X-Cache-Control
X-Source
X-Powered-By-VTEX-Janus-Edge
Filter-Revision
X-IIJ-Cache
No
Mobiquo-Is-Login
Req-Id
X-SRCache-Fetch-Status
X-Vtex-Processado-Em:
X-Powered-By-VTEX-Janus-ApiCache
X-SRCache-Store-Status
X-ID
X-Worker
X-Vtex-Processed-At
Akamai-IP
X-Cache-Doesi
X-Varnish-Ttl
CT
Content-Hash
S
X-Provisioner-Version
X-Domain-Checked
X-Vtex-Remote-Cache
X-App-Status
Beyond-Iis
X-PwB-Node
Bios
X-Grace
COMMERCE-SERVER-SOFTWARE
Content-Transfer-Encoding
X-Goog-Stored-Content-Encoding
X-Kinsta-Cache
X-Yadis-Location
X-Mobilized-By
X-GUploader-UploadID
X-Directory-Script
X-Goog-Metageneration
X-Goog-Storage-Class
X-Goog-Generation
X-Goog-Stored-Content-Length
X-Developer
X-N
X-HP-Trace-Project
X-HP-Trace-ID
X-ServerIndex
X-Geo-IP
X-Nginx-Cache
X-Content-Encoded-By
Retry-After
X-Vcap-Request-Id
X-Resolver-IP
Cmstype
X-Atraveo-Set-Cookie
Accept-Charset
IISExport
Qs-Cache
X-Atraveo-From-Varnish-Cache
X-Atraveo-Param-Rm
X-Source-ID
Last-Published
Cmsid
X-Purge-Host
Arr-Disable-Session-Affinity
Ngpass-Vcall
X-Purge-URL
X-Varnish-IP
X-Amz-Storage-Class
X-Atraveo-TTL
X-Atraveo-Varnish-Server-Id
SSPAppContext
X-Force
X-Grid-Server
WWW-Authenticate
X-Atraveo-Zone
X-Dispatcher
X-We-Are-Hiring
MW-Webserver
X-Varnish-Server
X-Captured
X-Time
X-Supported-By
X-Atraveo-Cache-Control
X-Amz-Meta-S3cmd-Attrs
X-Atraveo-Expires
X-GeoIP
X-Atraveo-ETag
X-EDGECONNECT-GUID-DEBUG
X-PRAM
X-Front
Realaction
Page-Completion-Status
X-Geo-IP-Country
Author
X-Empowered-By
X-Geo-IP-Metro
X-DefendeR-Status
X-Geo-IP-Region
X-Geo-IPV
X-Processing-Time
X-Dns-Prefetch-Control
X-Litespeed-Cache-Control
X-DefendeR-Runtime
X-DB-Content-Length
Actioncode
X-RateLimit-Remaining
X-Pj-Cache-Status
Cm-Server
PServer
X-Cache-Key
Thanks
X-Discourse-Route
X-Speed-Cache-Key
X-Vary-Options
W
Srv
Machine
Location
X-Flow-Powered
X-Cache-TTL
NLCacheNote
X-App
X-Cache-Lifetime
X-Cache-Tags
X-Instart-Request-ID
X-Route-Server
X-Hiawatha-Cache
X-Speed-Cache
X-Trace
X-Cocoon-Version
Eomportal-Instance
HAVer
X-Pj-Cache-Expires
X-F-Cache
X-IP-Address
NetMindSessionID
X-Pj-Cache-Flags
X-Twitter-Response-Tags
X-Original-Host
X-OPNET-Transaction-Trace
X-Name
X-Custom-Header
X-LJ-Flow-ID
X-Platform-Server
X-RequestId
X-Cache-Set
X-Connection-Hash
HCVer
X-Transaction
Hamster
X-Pj-Cache-Time
X-Pj-Cache-Key
X-LB
Cache-Rule
X-Powered-By-Anquanbao
X-ProcessTime
Cached
Buuteeq-Source
X-RateLimit-Limit
AMF-Ver
X-Pj-Cache-Gzip
X-Transaction-Id
X-RateLimit-Reset
X-Route
X-Varnish-Cache-Control
X-HA
X-WA-Info
X-Browser
X-Cache-Provider
X-Blog
X-Cache-Source
Host-Name
Cneonction
OT-RequestId
Myheader
Tracecode
PowerCDN
X-V
NtCoent-Length
CLMOB
Cdate
X-Nginx
X-Turpentine-Cache
X-Session-Reinit
X-StackifyID
X-Varnish-Currency
X-Varnish-Esi-Access
Backend-Timing
X-Varnish-Store
X-Varnish-Set-Cookie
X-Varnish-Esi-Method
WWW
X-ACLR-Version
X-DSMX-Rewrite-MS
X-OneAgent-JS-Injection
X-Proxy-Cache-Key
X-DSMX-Render-MS
X-Qnm-Cache
X-Environment
X-HostName
X-FW
X-GeoIP-Country-Code
X-GeoIP-Country-Name
X-Framework
X-Do-Not-Hack
X-DN-Cache-Control
X-AWS-Id
X-ARC
X-APP
X-Analytics
X-B2f-Not-Route
X-Varnish-Cache-Local
X-Content-Type
X-Server-By
X-ClientSide-Caching
X-CCM
X-Gyrobase-Publication
X-DTC
NnCoection
X-B
X-Ttl
Cache-Key
X-Key
X-Hit-Cache
X-Hypernode
If-Modified-Since
X-Pagename
X-Plat-Va-Ip
X-VWS-Id
X-Plat-Be-Ip
X-Plat
Version
Yoncu-Errno
A
X-Yottaa-Optimizations
Accept-Encoding
Host-Service
INCOMING-TIME
Identity
X-Yottaa-Metrics
X-Turpentine-Esi
Cpu:
Noq:
Ram:
X-Frames-Options
X-Stage
X-HW
X-Cluster-Node
Provider
X-ACCELERATE
NODE
Webluker-Edge
Disablevcache
X-Env
Nitro-Cache
X-Artvisual-Server
X-Esi
X-Prefetched
X-SmugMug-Values
X-TTFB
X-TTFB-L
Allow
X-Cache-Engine
X-Avvio-Cms-Cacheload
X-Machine-Name
X-NginX-Cache
X-NginX-Server
X-Server-Id
X-Airee-Node
X-EPiphany-Vid
X-Client-Image-Vid
X-Client-Vid
X-Drectory-Script
Smug-CDN
X-Webcelerate
X-SmugMug-Hiring
X-Apm-Telemetry-Syncmark
X-PM-ID
Logging-CorrelationId
Ttl
Section-Io-Id
Ozcache
Proxy-Cache
X-Balanceador
MageStack-Area
MageStack-Cacheable
MageStack-Cacheable-Reason
X-Beatles
MageStack-Cache-Warning
MageStack-Cache-Status
MageStack-Cache
MageStack-Cache-Hits
MageStack-Cache-Lifetime
MC
CACHED-RESPONSE
X-Unbounce-PageId
X-SDS
X-Unbounce-Variant
X-Search-Id
X-Title
X-Server-Start-Time
X-Server-Response-Time
X-This-Proto
X-Unbounce-VisitorID
Content-Instance
X-Real-IP
Hostname
Il-Cl
From-Origin
X-Varnish-Max-Age
X-Reason-Bp
CpuTime
Ews
X-Beatles-Hits
MageStack-Config
X-Goog-Meta-Replace
X-Hash
X-Sucuri-ID
X-Goog-Meta-Policy
X-Last-Modified
X-Ec-Custom-Error
X-Cache-UA
X-ENV
X-Pixelsilk-Server
X-Your-GrandPa-Would-Wait
X-Pixelsilk-Version
X-TTL-Age
X-Server-IP
X-Edge-Location
X-VC-TTL
X-Would-Your-GrandPa-Wait
X-VERSION
X-Edge-IP
X-Nitra-Side
X-Drupal-Cache-Tags
MageStack-PageSpeed
MageStack-Response-Ttl
MageStack-Tag
X-Checkout
X-Cache-CFC
MageStack-Debug
MageStack-Loadbalancer
MageStack-Magento-Version
MageStack-Web-Node
X-Cluster
X-Domino-CacheValidationWithETagResult
X-Obr-Rule
X-DPWN-IS-SECURE
X-Origin-Cache
X-Origin-Id
X-Config-By
X-Does-He-Have-Time
X-Domino-CacheValidationWithETagReason
X-Rack-Cors
X-RealServer
X-Server-Upstream
X-SE-Debug
X-RSS-CACHE-STATUS
X-Span
X-Srv
X-SSL-Protocol
X-SSL-Cipher
X-RequesterIP
X-Processed-By
X-ORACLE-DMS-ECID
X-Ocache
X-ORACLE-DMS-RID
X-PF-Uncompressing
X-Pressidium-NinukisWP-Ver
X-PoweredBy
X-Trace-Id
X-Venda-Hitid
WSCLoggingUUID
VANITY-HOST
Set-Cookie2
X-Appmachine-Environment
X-AWS
X-Built-By
X-B-Cache
Pool-Info
Nodo
BKREF
Aurora-Node
CmsCacheEngine
DrivedBy
Imx-Cookies-Used
HostName
X-Matched-Rule
X-FCMS-Cache
Hosted-By
Debug-Status
Debug-Expires
Id
MwpReleaseVersion
S-Cnection
Rewriter
Debug-Cache-Control
Cteonnt-Length
AGI-Request-ID
Actual-Object-TTL
AsisCache
B-Powered-By
Content-Generator
CD2
ServerSignature
ServerTokens
X-Cache-Age
X-BackendServer
X-ASAP-Cache
X-Cache-Level
X-Clara-ASAP
X-Enhanced-By
X-DataDome
X-ASAP-Age
X-App-Server
Thinkindot-CacheControl
Sid
Thinkindot-CacheControl-Type
Thinkindot-Control
X-AG-MIPS
X-4ormat-Cacheable
X-Cache-Handler
X-Catalyst
X-ACMCache
Www.Aujourdhui.Com
WFE
X-AEM
X-Backend-Name
X-Flex-Community
X-Cjtype
Pv
Pool
Front
Fastly-Backend-Name
Language
M
P-WS
P-LB
X-Flex-Evend
X-Flex-Evstart
X-Max-Age
X-ManagedFusion-Rewriter-Version
X-Layout
X-Optimization
X-Real-Server
X-Server-Instance
X-Rewritten-By
X-Id
X-Hcom-Styx-Info
X-Flex-Lastmod
X-Flex-Lang
X-Flex-Tag
X-Flex-Tags
X-Generated
X-Frontend
CacheControlHeader
X-Vhost-ID
X-PG
X-PBY
X-MSEdge-Ref
X-Pubstack
X-Render-Time
X-Request-Received
X-Request-Processing-Time
X-IP
X-Hit
X-Distributor
X-Content-Parsed-By
X-ESI-Enable
X-FFX-B
X-Fstrz
X-FIRSTBase
X-Seschat-URL
X-SeschatDID
X-Unique-Id
X-Tile-Url
X-UUID
X-VARITI-CCR
X-Varnish-Debug-TTL
X-Varnish-Debug-Age
X-SRV
X-SP-TE
X-SeschatRedID
X-SeschatLayout
X-SeschatTemplateID
X-Signature
X-SP-PR
X-SP-AP
X-Sucuri-Cache