
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.
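The tally described above, as an added example that is not the ISC project's own code: parse raw HEAD responses, count each header name once per site, and report what fraction of sites send the security-relevant headers. The responses are constructed samples, and header names are compared case-insensitively, which the list below does not do (P3P and P3p appear as separate entries).

```python
from collections import Counter

# Security-relevant headers tracked here; each one appears in the ISC list.
SECURITY_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Frame-Options", "X-Content-Type-Options", "X-XSS-Protection")

# Constructed sample HEAD responses (not real captures) from three "sites".
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nP3P: CP=\"NOI DSP\"\r\n"
    "Strict-Transport-Security: max-age=31536000\r\nX-Frame-Options: DENY\r\n\r\n",
    # Lower-cased names and a malformed line: handled, and not counted twice.
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n"
    "content-type: text/html\r\np3p: CP=\"NOI\"\r\nthis line has no colon\r\n\r\n",
]

def parse_header_names(raw_response: str) -> set:
    """Return the lower-cased set of header names in one raw response head.

    Header names are case-insensitive (RFC 7230), so 'P3P' and 'p3p' are one
    header; the raw list above keeps such spellings apart, splitting a count.
    """
    names = set()
    for line in raw_response.split("\r\n")[1:]:   # [0] is the status line
        if line == "":                             # blank line ends the head
            break
        if ":" not in line:                        # skip malformed lines
            continue
        names.add(line.split(":", 1)[0].strip().lower())
    return names

def tally_headers(responses) -> Counter:
    """Count, per header name, how many responses carried it (once per site)."""
    counts = Counter()
    for raw in responses:
        counts.update(parse_header_names(raw))
    return counts

def security_coverage(counts: Counter, total_sites: int) -> dict:
    """Fraction of polled sites (0..1) that send each security-relevant header."""
    return {h: counts[h.lower()] / total_sites for h in SECURITY_HEADERS}

if __name__ == "__main__":
    counts = tally_headers(SAMPLE_RESPONSES)
    for name, n in counts.most_common():
        print(f"{n:3d}  {name}")
    for name, frac in security_coverage(counts, len(SAMPLE_RESPONSES)).items():
        print(f"{frac:6.1%}  {name}")
```

A real run would feed `tally_headers` the raw head of each site's HEAD response instead of the constructed samples.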

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
Alternate-Protocol
X-Cache
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
WP-Super-Cache
Status
MS-Author-Via
X-Drupal-Cache
Access-Control-Allow-Origin
X-Pad
X-Powered-By-Plesk
X-Cacheable
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Host
X-Server
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-Logged-In
X-UA-Device
MicrosoftSharePointTeamServices
X-Mod-Pagespeed
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
Content-Encoding
X-Cache-Hits
X-Tumblr-Pixel-1
X-INKT-SITE
X-INKT-URI
X-Robots-Tag
X-SharePointHealthScore
SPRequestGuid
X-Tumblr-Pixel-2
Host-Header
X-W3TC-Minify
X-PhApp
X-Cnection
X-Webserver
X-Ua-Compatible
X-Varnish-Cache
X-CF-Powered-By
Composed-By
X-Via
Served-By
X-Page-Speed
X-Firenze-Processing-Times
X-Forwarded-For
X-ServedBy
Strict-Transport-Security
X-Served-By
X-Url
X-Hostname
X-Iinfo
X-XN-Trace-Token
X-XN-XNHTML
X-Accel-Version
X-Tumblr-Pixel-3
X-MS-InvokeApp
Access-Control-Allow-Headers
X-Mobilized-By
Cartoon
X-ContextId
Access-Control-Allow-Methods
X-CDN
X-ShopId
X-ShardId
X-Alternate-Cache-Key
X-Umbraco-Version
X-Stats-Visit-Token
X-Stats-Unique-Token
X-AH-Environment
X-Backend
Content-Style-Type
X-Powered-By-360WZB
Content-Script-Type
Liferay-Portal
Refresh
X-Cache-Info
X-Server-Name
Magicmarker
Powered-By-ChinaCache
Thanks
X-PC-Hit
X-PC-AppVer
X-PC-Host
X-PC-Key
X-PC-Date
X-HeyJason
X-Cache-Server
Rating
TCN
X-Outils-CS
X-Amz-Id-2
X-From
X-Geo
X-Geo-Port
Cf-Railgun
X-FB-Debug
X-Amz-Request-Id
X-Powered-By-Anquanbao
Page-Completion-Status
X-Content-Digest
X-Original-Content-Length
Real-Hostname
X-TN-ServedBy
X-Loop
X-PHP-Engine
Imagetoolbar
IBM-Web2-Location
X-Tumblr-Pixel-4
NS-RTIMER-COMPOSITE
X-Px
X-Generated-By
X-Amz-Cf-Id
X-Matrix-Proxy
X-Matrix-Server
X-Tumblr-Content-Rating
X-Spip-Cache
X-URL
X-TNCMS-Memory-Usage
X-TNCMS-Render-Time
X-TNCMS-Version
X-Content-Encoded-By
X-TNCMS-Served-By
X-ChromeLogger-Data
PICS-Label
X-Drectory-Script
SPIisLatency
Request-Id
SPRequestDuration
Set-Cookie2
X-Cache-Status
X-Cached-By
X-Device
X-CDN-Geo
X-CDN-Any-IP
X-CDN-Geo-IP
X-Tumblr-Pixel-5
ServerName
X-Trace-App
X-Node
X-Cached
X-Firenze-Processing-Time
Access-Control-Max-Age
X-CMS-Version
IISExport
Retry-After
X-PF-Uncompressing
CF-Cache-Status
X-SERVER
RTSS
X-Age
X-DynaTrace
Pics-Label
DynaTrace
Accept-Encoding
X-Timer
Generator
SID
COMMERCE-SERVER-SOFTWARE
X-FORWARDED-FOR
ServedBy
Lsrequestid
X-ATG-Version
Powered-By
X-I
MIME-Version
X-Cache-Debug
X-DDC-Arch-Trace
X-Vary-Options
Time
X-Backend-Server
X-Cache-Hit
X-SDS
X-Art-Request-Id
Product
X-Hosted-By
Machine
X-UD-Method
X-UD-Host
Access-Control-Request-Method
X-ApacheServer
SFY
LFY
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-Processed-By
X-Nitra-Side
X-PERF
X-PwB-Node
X-Original-Request
X-Vtex-Remote-Cache
X-Vtex-Cache-Key
Host
Edge-Control
Content-Encoding-Handler
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
X-Returned-From-PostProcessResponse
X-Passed-To
X-Passed-To-PostProcessResponse
X-Passed-To-DLL
X-App-Hosting
X-Speed-Cache-Key
X-Returned-From
X-Handled-By
X-Actual-URL
X-Passed-To-BeforeDispatch
Surrogate-Control
X-NoCache
X-Director
X-Purge-Host
X-Srv
X-DNS-Prefetch-Control
X-DynaTrace-JS-Agent
X-LiteSpeed-Cache
Node
X-Cache-Enabled
MW-Webserver
X-Yadis-Location
X-Speed-Cache
X-FIRSTBase
X-Cookie-Domain
X-Cache-Expires
X-Varnish-Backend
Cm-Server
Location
WWW-Authenticate
X-GeoIP-Country-Code
AMF-Ver
Charset
Content-Disposition
X-Purge-URL
X-Trace-Cache
Proxy-Agent
X-Orig-Vary
X-GeoIP-Country-Name
X-B2f-Cache-Load
X-ACMCache
NODE
X-Content-Options
Proxy-Connection
X-CJ-Soft
X-LIGHTHTTP-PCDID
Fhost
X-Served-From-Cache
Cache
VAR-Cache
X-Expires-Orig
X-ServerID
X-StoreSense
X-ProStores-StoreApiEntryPoint
X-Track
X-Old-Content-Length
X-ServerName
X-Duration
S
Filter-Revision
X-Request-ID
Server-Info
Website-Info
Req-Id
X-TTL
X-Cache-Control-Orig
Accept-Charset
Hamster
X-Cocoon-Version
X-App-Start
X-Pangea-Version
X-Source-Host
SN
X-MJ-Upstream-Addr
X-Powered-By-Yqk
X-Yqk-Set
X-Session-Reinit
X-MJ-Serve-Req-Time
X-Microcachable
X-Varnish-TTL
X-Time
X-Blog
X-Micro-Cache
CT
X-AspNetWebPages-Version
Nodo
X-Adobe-Content
X-Sys-Req-ID
UniqueName
X-SRV
X-FW
ORIGIN
X-Device-Type
X-Server-Web
X-N
X-Server-ID
CommunityServer
X-Header
X-Microcache-Status
NetMindSessionID
X-Front
X-Cache-Rule
X-Highwire-SessionId
X-Highwire-RequestId
ServerID
X-AOL-SNH
Debug-Begin-IP
Id
X-WR-Flags
QOR-Cache
Debug-IP-Cntry
Debug
X-CHSN
X-Info
X-Gamma-Serve
X-Hits
Pagely
X-Trash-Talk
X-Target
X-Varnish-IP
X-Cluster-Node
X-Distil-CS
X-Varnish-Host
X-App
X-Varnish-Hits
Webluker-Edge
X-UPSTREAM
X-Cache-TTL
X-PvInfo
X-WebServer
A-Powered-By
X-Accelerated-By
X-Engine
NtCoent-Length
X-ID
X-Atraveo-From-Varnish-Cache
WP-Cache
X-Atraveo-TTL
MvcResult
From
X-Cache-Action
X-Atraveo-NC
X-Atraveo-Varnish-Server-Id
Server2
X-Wily-Info
X-HS-MC-Reqs
X-Atraveo-Cache-Control
X-Channel-Maxage
X-Varnish-Action
X-Machine-Name
X-Wily-Servlet
X-ASTRO-REWRITE
OHS-WebNode
X-Cache-Operation
X-Source
X-Src-Webcache
X-ACCELERATE
X-Source-ID
X-Phpwcms-Page-Processed-In
X-CacheHits
X-Turbo-Control
X-Grid-Server
X-Ttl
X-Phpwcms-Release
ScoreTracker
X-Varnish-Age
X-Enhanced-By
Pool-Info
X-Pass-Why
X-Country-Code
X-REDIRECTSERVER
X-Geo-IP
X-Benchmark-Cache
X-Benchmark-Db
X-Benchmark-Sphinx
X-Kirra-SiteId
OriginServer
X-Benchmark-Sphinx-Count
X-ServerCache-Info
Content-Transfer-Encoding
Provided-Host
X-Benchmark-Total
X-Database-Slave-Connection
X-Request-Duration
X-Magento-Lifetime
X-Magento-Action
MirrorName
Server-Name
X-PRAM
X-Translation
X-Force
X-SN
X-FreeTag-Count
X-EdgeRouter
X-DeliveryServer
X-Hrouter
-Onnection
X-Directory-Script
X-Varnish-Server
Author
SynthaSite-ID
Warning
X-USERNAME
X-HOSTTYPE
X-Frontend
ProxiaInstanceId
X-Whom
X-Varnish-Debug-Hits
X-Debug
X-App-Server
X-Varnish-Cache-Local
X-User-Id
X-SV
NLCacheNote
X-Ms-Invokeapp
X-Bettercache-Proxy
X-JAL
X-Varnish-Debug-Age
X-S
X-Cdn
X-JSL
X-Framework
RequestTime
Backend
X-Version
X-Nginx-Cache
X-Amz-Id-1
X-Transaction
X-Max-Age
X-Uid
MJ12bot
SEOMOZ
X-Response-Time
X-Monstercache-Timeout
X-WP
X-LI-UUID
X-NewRelic-App-Data
Bs-Header
Front
X-Expires
X-HOSTNAME
X-Li-Pop
X-Li-Fabric
F-In-Cache
Content
X-WLD-LB
X-CMS-Server
Aoestatic
X-FS-UUID
Cmstype
Cmsid
Cache-Ctrol
X-MSG-06
X-Mii-Cache-Hit
X-B
X-MSG-00
LBVIS
X-Powered
X-Pb-Mii
X-MSG-01
X-Id
X-MSG-04
X-Ocache
X-MSG-03
X-MSG-02
X-MSG-05
X-DEBUG-X-Id
X-Vivastreet
X-Garden-Version
X-Vivastreet-KiwiiPage
X-Conf
NodeID
X-Device-Group
X-Varnish-ID
Ec
X-Response
X-Varnish-Device
X-DEBUG-Obj-Ttl
PUBLISH
X-TISSERVER
X-T
If-Modified-Since
X-Vtex-Processado-Em
No
Cluster-ID
X-Haiku
X-GLaDOS
Jobb.Gil.Se
Jobb.Assistentpoolen.Se
X-Permitted-Cross-Domain-Policies
Jobb.Passal.Se
X-Apache-Backend
P3P:CP
X-Venda-Hitid
Open.Jobgate.Se
X-Jcms-Ajax-Id
Srv
X-Varnish-Cache-Hits
X-Cache-Me-Harder
MASTERWEBLET
X-MidCOM-Meta-Cache
A1B2C3
Hash
X-Amz-Meta-S3cmd-Attrs
X-Farm-Server
X-NGINX-CACHED
X-NGINX-CACHED-AT
CDN
X-Actindo-RS
Compression-Control
SiteSpect-Identity
X-UD-REMOTE-ADDR
X-UD-Loopcounter
X-Via-Kemp
Ssl-Enabled
Powered
Beyond-Iis
X-Artvisual-Server
X-UD-Target
Www.Myjob.Se
D
Backend-Host
X-B2f-Not-Route
Www.Mabracertifiering.Se
Test.Executivepeople.Se
X-Cf-Powered-By
X-Object-Id
Www.Mirrorgate.Se
Content-MD5
X-Object-Type
X-ATP-Server
X-Geo-IPV
SRV
At-Shoptype
X-Recruiting
X-Jphone-Copyright
Content-Instance
X-Varnish-Debug-Fetch-Host
At-Isb
X-DELIVERYSERVER
X-Rewritten-By
X-Route
X-ManagedFusion-Rewriter-Version
Mobiquo-Is-Login
Atp-Isdpp
PowerCDN
X-Cms-Mode
X-Geo-IP-Metro
X-Geo-IP-Region
WEBO
X-Geo-IP-Country
X-GC-App
CacheControlHeader
X-MCB-Server
X-GC-Read
X-Provisioner-Version
X-GC-Write
CacheControlMode
Ms
Proxy-From
X-Domain-Checked
X-Author
VTag
X-Nginx-Server
X-Powered-By-Server
SS
X-PM-ID
X-Hosting-Env
X-View
CountryCode
X-Cache-Term
X-PangeaVersion
Content-Security-Policy
Rt-Server
X-VarnCache
X-Flex-Evend
X-Flex-Tags
X-Flex-Tag
X-Flex-Lastmod
X-Flex-Evstart
X-Flex-Lang
Access-Control-Expose-Headers
X-Fett
RequestId
X-Varnish-Cache-Server
SiteName
X-Caching-Rule-Id
X-Web-Node
Pool
X-Node-Name
X-Content-Age
7e-Page-Cache
Preview-Refresh
X-Header-Set-Id
CP
Hej
X-Vhost
X-Flex-Community
Xc
X-ERM-ServerName-AppPage
X-Test
X-ERM-ServerName
X-Frames-Options
B-Powered-By
X-Server-By
X-ERM-RunTime
Publisher
X-Monstercache
X-Monstercache-Hash
X-SilverStripe-Cache
XX
Robots
Provider
X-Monstercache-Host
X-Oracle-DMS-ECID
X-Optimization
X-Full-URL
INCOMING-TIME
X-Cache-Backend
X-7dig
X-7d-Version
MIH-PUBLIC-IDENTIFIER
VM
X-Abuse
X-WA-Info
X-OPNET-Transaction-Trace
No-Cache
X-NID
Apache
SVR
MIH-CLIENT-FARM
X-LAvg
Web-Head
MIH-PLATFORM
X-Cache-NHIT
X-Symfony-Cache
Application-Version
X-T3CacheTags
Telligent-Evolution
X-TLServer
X-Forwarded-Proto
CachedXSLT
DeleGate-Ver
X-Agentscape-Info
X-IDS-WS
X-CCM
X-Client-Vid
X-NginX-Cache
X-EPiphany-Vid
X-Execution-Time
X-Proxy
X-Host-Url
X-PP
SIP
Esi-Enabled
Rt-Fastcgi-Cache
Accept-Language
X-FCMS-Cache
X-NginX-Server
Head
Ibm-Web2-Location
EbdTrace
X-Platform
Front-End-Https
WEBSERVER
WebServer
X-FW-Static
X-Serial
Xonnection
X-Rewrite
X-Extra-Header
X-Origin-Id
X-RE-Ref
X-Ratelimit
Nbmt
X-JSON-API-AGE
TimeRestart
X-Purge-Level
X-Modules
Nbaid
X-Time-Microsecs
X-Answer
ExecutionTime
X-Would-Your-GrandPa-Wait
X-TTL-Age
X-Your-GrandPa-Would-Wait
X-Webstats-RespID
Expire
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-IP-Address
X-JSON-API-LATENCY
Web-Server
X-JSON-API-TTL
X-Page-Generated-At
X-Page-Generation-Time
X-Cluster-Host
X-Hit
X-XHR-Current-Location
X-Nucleus-Cache
X-Box
HAVer
Mime-Version
Noahs-Classifieds
HCVer
X-Cache-Ttl
X-Empowered-By
X-Secret
X-Varnish-Cookie-Debug
POOL
Spot
Copyright
X-Allow-Redis
Custom
X-Pixelsilk-Server
X-Varnish-Cacheable
X-Pixelsilk-Version
X-WorkerInstancename
X-T3Cache
Worker
X-Nocache
X-Upstream
X-SERVERID
X-T3CacheInfo
X-WEBSERVER
X-ORACLE-DMS-ECID
X-Papaya-Gzip
X-Wm-1
X-Varnish-Hit
X-BKSrc
X-Yottaa-Optimizations
INFO
X-Hc-Host
OMNI-C
X-PS-MURDOCK-ORIG-PROTOCOL
Test
RayEngine
X-Yottaa-Metrics
HTTP
X-PS-MURDOCK-CASE-NORMALIZATION
X-PS-MURDOCK-ORIG-FILEEXT
MachineName
BKREF
X-Loc
X-Backend-Host
X-Cache-Age
X-Cache-Lifetime
UNIQUE-ID
X-Catalyst
X-AISO-Server
X-Varnish-Count
X-Varnish-HitMiss
X-Developer
X-Crafted
X-Mobile
X-Backend-Name
X-R4L-VHOST
X-IP
ResourceTag
Last-Modified:
X-Server-Node
Public-Extension
X-AISO-Cache
X-BackendServer
X-Site:
X-ProcessESI
X-RemovedCookies
X-Unbounce-Instance
TypeOfContent
CacheInfoFetch
Optimizer
OriginalHost
X-ProxyInstancename
ServerId
X-Process-Time
X-User-Agent
HostName
Srv-N
Ap-Exec-Time-Mks
X-Life
X-Papaya-Cache
Progma
CacheInfo
X-Processing-Begin
X-CMS-Live
X-CMS-Nid
X-CMS-Sid
X-CMS-CRMSet
X-CMS-Collection
X-GitHub-Request-Id
Accept
X-CMS-Stage
X-CMS-State
WZ-Cache
X-Powered-Developer
WZ-Device-Match
X-Bcwwwid
X-CMS-Tid
SLB
WP-AdvCache-MemCached
X-ACLR-Version
X-V-Outer
X-V-TTL
Origin
X-V-I-TTL
X-Req-Url
X-Created
X-Req-Host
X-Vhost-ID
X-CMS
Response
X-PBY
OGHopCount
Mark
X-Rot
X-DC-Origin-IP
X-Status
X-PoolMember
X-Pta-Px
OutputRewritten
X-Origin
Login-Required
X-Stackable-Node
X-Server-Id
X-Continum-Server
X-Set-Cookie
X-Geoip-Country-Code
Description
Keywords
X-Trace
Www.Aujourdhui.Com
X-MSEdge-Ref
X-DEBUG
X-Processing-Finished
X-Hash
X-SmugMug-Hiring
X-SmugMug-Values
X-TTFB
X-Web-Hosting-Service-Provider
Content-Control
SAVVIS
Allow
X-TTFB-L
Http
X-Environment
X-Cache-Control
X-VCache
X-Pagename
X-WR-MODIFICATION
X-Hit-Cache
X-UA