
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
X-Cache
Alternate-Protocol
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
WP-Super-Cache
Status
MS-Author-Via
X-Drupal-Cache
Access-Control-Allow-Origin
X-Cacheable
X-Pad
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Server
X-Host
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-UA-Device
X-Logged-In
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Content-Encoding
X-Cache-Hits
X-Tumblr-Pixel-1
X-INKT-URI
X-INKT-SITE
X-Robots-Tag
X-Tumblr-Pixel-2
Host-Header
SPRequestGuid
X-SharePointHealthScore
X-Ua-Compatible
X-Cnection
X-PhApp
X-Via
X-W3TC-Minify
X-Varnish-Cache
X-Webserver
X-CF-Powered-By
Strict-Transport-Security
X-Page-Speed
X-Forwarded-For
Served-By
Composed-By
X-Firenze-Processing-Times
X-ServedBy
X-Served-By
X-Hostname
X-Iinfo
X-XN-Trace-Token
X-Url
X-Accel-Version
X-XN-XNHTML
X-Tumblr-Pixel-3
Access-Control-Allow-Headers
X-MS-InvokeApp
Cartoon
X-Mobilized-By
X-ContextId
Access-Control-Allow-Methods
X-ShopId
X-ShardId
X-Alternate-Cache-Key
X-CDN
X-Stats-Visit-Token
X-Stats-Unique-Token
X-Umbraco-Version
X-Powered-By-360WZB
X-AH-Environment
X-Backend
Content-Style-Type
Content-Script-Type
Liferay-Portal
Refresh
X-Cache-Info
X-Server-Name
X-PC-AppVer
X-PC-Key
X-PC-Host
X-PC-Date
X-PC-Hit
Thanks
X-Geo
X-Geo-Port
Powered-By-ChinaCache
Magicmarker
X-HeyJason
X-Cache-Server
Rating
X-Amz-Id-2
TCN
X-Outils-CS
Cf-Railgun
X-Amz-Request-Id
X-Powered-By-Anquanbao
X-URL
Page-Completion-Status
X-FB-Debug
X-From
X-Content-Digest
X-Original-Content-Length
X-TN-ServedBy
Real-Hostname
X-Px
X-Tumblr-Pixel-4
X-Loop
X-PHP-Engine
Imagetoolbar
X-Spip-Cache
NS-RTIMER-COMPOSITE
SPRequestDuration
Request-Id
SPIisLatency
X-Generated-By
X-Matrix-Server
X-Matrix-Proxy
X-Content-Encoded-By
IBM-Web2-Location
X-Tumblr-Content-Rating
X-Amz-Cf-Id
PICS-Label
X-Drectory-Script
X-CDN-Any-IP
X-TNCMS-Version
X-CDN-Geo
X-CDN-Geo-IP
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-ChromeLogger-Data
X-TNCMS-Render-Time
X-Cache-Status
Set-Cookie2
X-Device
X-Cached-By
IISExport
X-Tumblr-Pixel-5
Access-Control-Max-Age
X-Node
X-Firenze-Processing-Time
X-Cached
X-CMS-Version
X-Timer
ServerName
CF-Cache-Status
Retry-After
X-DynaTrace
X-PF-Uncompressing
X-Trace-App
X-SDS
Generator
Accept-Encoding
DynaTrace
COMMERCE-SERVER-SOFTWARE
X-Age
X-ATG-Version
ServedBy
X-B2f-Cache-Load
X-Cache-Debug
X-I
X-ApacheServer
RTSS
X-DDC-Arch-Trace
Lsrequestid
Powered-By
X-Backend-Server
X-Vary-Options
X-Nitra-Side
X-PERF
MIME-Version
Product
X-Cache-Hit
SID
Time
Edge-Control
Pics-Label
Content-Encoding-Handler
X-UD-Host
X-UD-Method
X-Pantheon-Endpoint
X-Hosted-By
Access-Control-Request-Method
X-Pantheon-Styx-Hostname
X-Processed-By
LFY
SFY
Host
X-Original-Request
X-FORWARDED-FOR
X-Vtex-Remote-Cache
X-Vtex-Cache-Key
X-DynaTrace-JS-Agent
X-Purge-Host
X-NoCache
X-PwB-Node
X-Art-Request-Id
X-Srv
Surrogate-Control
X-Director
Machine
X-Returned-From
X-App-Hosting
X-Returned-From-BeforeDispatch
X-Returned-From-DLL
X-Passed-To-PostProcessResponse
X-Passed-To-DLL
X-Handled-By
X-Passed-To
X-Passed-To-BeforeDispatch
X-Returned-From-PostProcessResponse
X-Speed-Cache-Key
X-FIRSTBase
X-Actual-URL
X-LiteSpeed-Cache
X-DNS-Prefetch-Control
X-Varnish-Backend
Location
NODE
X-Served-From-Cache
X-WebServer
X-Purge-URL
X-Cache-Enabled
X-Cache-Expires
Node
Charset
AMF-Ver
X-Cookie-Domain
X-Expires-Orig
MW-Webserver
X-Orig-Vary
X-Yadis-Location
WWW-Authenticate
Filter-Revision
X-Speed-Cache
Proxy-Agent
Fhost
Content-Disposition
X-Cache-Control-Orig
X-ServerID
Cm-Server
X-ServerName
X-CJ-Soft
X-Yqk-Set
Microsoftsharepointteamservices
X-Powered-By-Yqk
X-SERVER
VAR-Cache
X-LIGHTHTTP-PCDID
Cache
X-Varnish-TTL
X-ACMCache
X-TTL
X-Sharepointhealthscore
Sprequestguid
X-StoreSense
X-ProStores-StoreApiEntryPoint
X-Micro-Cache
X-Content-Options
Id
X-FW
Proxy-Connection
Debug-Begin-IP
Debug-IP-Cntry
X-Cocoon-Version
Debug
Website-Info
X-Request-ID
Server-Info
X-Trace-Cache
X-GeoIP-Country-Name
X-GeoIP-Country-Code
X-App
X-Duration
S
X-Time
X-Track
SN
X-MJ-Upstream-Addr
X-Adobe-Content
X-Front
X-Server-ID
X-Gamma-Serve
Webluker-Edge
X-MJ-Serve-Req-Time
ORIGIN
X-App-Start
CT
Nodo
Hamster
X-SRV
UniqueName
X-Pangea-Version
X-Source-Host
X-Cache-Rule
X-Sys-Req-ID
Req-Id
X-Ms-Invokeapp
X-Cluster-Node
X-Session-Reinit
X-AOL-SNH
X-Hits
X-Blog
OHS-WebNode
X-HS-MC-Reqs
X-Varnish-Hits
QOR-Cache
X-CHSN
X-WR-Flags
NetMindSessionID
X-Varnish-Action
X-Info
X-Highwire-SessionId
X-Highwire-RequestId
X-Microcachable
X-Kirra-SiteId
X-Phpwcms-Release
X-Old-Content-Length
X-AspNetWebPages-Version
CommunityServer
Pagely
Accept-Charset
X-Pass-Why
ServerID
X-Trash-Talk
X-Engine
X-Target
X-Phpwcms-Page-Processed-In
X-Varnish-Host
X-Cache-Action
X-N
X-UPSTREAM
From
X-Cache-TTL
X-Accelerated-By
Server2
X-ASTRO-REWRITE
X-Src-Webcache
X-Distil-CS
A-Powered-By
X-ServerCache-Info
X-Varnish-IP
X-Atraveo-From-Varnish-Cache
ScoreTracker
X-Atraveo-Varnish-Server-Id
X-Atraveo-TTL
X-Atraveo-NC
MJ12bot
X-Atraveo-Cache-Control
MvcResult
X-Varnish-Age
X-Header
SEOMOZ
Content-Transfer-Encoding
X-Geo-IP
X-Cdn
X-Turbo-Control
X-Wily-Info
X-Device-Type
X-Server-Web
X-Microcache-Status
X-Ttl
NtCoent-Length
X-Response-Time
Ibm-Web2-Location
X-DeliveryServer
X-Machine-Name
X-Wily-Servlet
X-Grid-Server
X-PvInfo
X-Varnish-Server
X-HOSTTYPE
X-USERNAME
X-Cache-Operation
Pool-Info
MIH-CLIENT-FARM
X-Directory-Script
MIH-PUBLIC-IDENTIFIER
MIH-PLATFORM
X-Enhanced-By
X-Debug
X-Bettercache-Proxy
X-Object-Id
X-Object-Type
Author
X-Id
X-Haiku
X-GLaDOS
X-Benchmark-Total
X-Benchmark-Sphinx-Count
Server-Name
X-Benchmark-Cache
X-Benchmark-Db
X-Request-Duration
X-Benchmark-Sphinx
X-Channel-Maxage
SynthaSite-ID
X-Hrouter
MirrorName
X-Transaction
X-Max-Age
X-EdgeRouter
X-Database-Slave-Connection
X-PRAM
X-Force
X-FreeTag-Count
X-Source-ID
X-Varnish-Cache-Hits
X-Whom
X-Source
X-Country-Code
Bs-Header
WP-Cache
X-CMS-Server
F-In-Cache
X-S
X-ID
X-Frontend
X-CacheHits
-Onnection
X-Vivastreet
X-Vivastreet-KiwiiPage
X-Response
RequestTime
X-UD-Target
X-Amz-Id-1
X-UD-Loopcounter
X-App-Server
X-UD-REMOTE-ADDR
X-Domain-Checked
X-Provisioner-Version
X-Framework
OriginServer
X-Varnish-Debug-Age
X-Version
X-Uid
X-Jphone-Copyright
X-Varnish-Debug-Hits
X-Garden-Version
X-Cms-Mode
X-ACCELERATE
Provided-Host
X-SN
X-WLD-LB
X-Magento-Action
X-REDIRECTSERVER
X-Li-Pop
X-Magento-Lifetime
X-FS-UUID
NLCacheNote
SS
Srv
X-Nginx-Cache
SRV
X-Li-Fabric
X-LI-UUID
X-Monstercache-Timeout
X-WP
X-Expires
X-Geo-IP-Country
PowerCDN
X-Geo-IP-Metro
X-Geo-IPV
X-Geo-IP-Region
Www.Mirrorgate.Se
Www.Myjob.Se
Jobb.Assistentpoolen.Se
NodeID
Www.Mabracertifiering.Se
LBVIS
X-B2f-Not-Route
SIP
Open.Jobgate.Se
X-JAL
X-Via-Kemp
X-Varnish-Cache-Local
Jobb.Passal.Se
Ssl-Enabled
Jobb.Gil.Se
X-Frames-Options
Compression-Control
X-User-Id
Backend-Host
X-Varnish-ID
X-MCB-Server
A1B2C3
X-Vhost
X-Cache-Me-Harder
Content
X-Varnish-Device
ProxiaInstanceId
X-T3CacheTags
X-Origin-Id
Beyond-Iis
P3P:CP
X-Venda-Hitid
Test.Executivepeople.Se
X-Route
X-SV
Powered
Rt-Fastcgi-Cache
X-Powered
CountryCode
Content-MD5
MASTERWEBLET
Cluster-ID
CDN
X-Actindo-RS
X-Apache-Backend
X-Nginx-Server
X-Hosting-Env
Ec
X-Cache-Term
Front
X-Farm-Server
X-Content-Age
X-Translation
X-JSL
X-Cf-Powered-By
X-MidCOM-Meta-Cache
Hash
X-T3CacheInfo
X-T3Cache
X-NGINX-CACHED-AT
X-Conf
X-NGINX-CACHED
X-Ocache
Proxy-From
X-T
X-Powered-By-Server
X-B
Pool
X-Flex-Community
X-Flex-Tag
X-Flex-Lastmod
X-Amz-Meta-S3cmd-Attrs
X-Recruiting
X-Flex-Tags
WEBO
X-Rewritten-By
X-Flex-Evend
X-Oracle-DMS-ECID
X-Flex-Evstart
X-Flex-Lang
X-ManagedFusion-Rewriter-Version
Backend
Warning
X-Dev
X-ATP-Server
D
X-VarnCache
Worker
X-TISSERVER
Mobiquo-Is-Login
X-ORACLE-DMS-ECID
X-MSG-06
X-MSG-03
X-MSG-02
X-MSG-01
X-MSG-04
WP-AdvCache-MemCached
PUBLISH
SVR
X-MSG-00
X-DEBUG-X-Id
X-MSG-05
CP
X-Device-Group
X-Vtex-Processado-Em
X-DEBUG-Obj-Ttl
No
X-Fett
X-Server-By
VTag
Ms
X-ERM-RunTime
7e-Page-Cache
X-View
XX
ExecutionTime
X-Jcms-Ajax-Id
X-FCMS-Cache
X-GC-App
X-Test
X-GC-Read
X-GC-Write
X-ERM-ServerName
X-ERM-ServerName-AppPage
Content-Instance
X-SilverStripe-Cache
If-Modified-Since
Cmsid
Cmstype
X-Varnish-Cache-Server
X-Pb-Mii
Hej
X-Mii-Cache-Hit
X-Web-Node
CacheControlMode
X-PM-ID
B-Powered-By
X-Varnish-Debug-Fetch-Host
Rt-Server
Cache-Ctrol
X-Permitted-Cross-Domain-Policies
Preview-Refresh
X-Cache-Backend
X-Artvisual-Server
Robots
Aoestatic
X-Geoip-Country-Code
Xc
POOL
X-Node-Name
X-Monstercache-Host
X-Full-URL
INCOMING-TIME
X-Optimization
Publisher
X-Monstercache-Hash
X-Monstercache
X-Upstream
Provider
HCVer
BKREF
HAVer
X-Cluster-Host
X-Pixelsilk-Server
X-Pixelsilk-Version
X-BKSrc
X-Header-Set-Id
CacheInfoFetch
Optimizer
CacheInfo
X-Wm-1
X-Forwarded-Proto
X-Varnish-Hit
X-Hc-Host
X-IDS-WS
X-Hit
X-Author
Telligent-Evolution
OMNI-C
X-RE-Ref
MachineName
X-Time-Microsecs
EbdTrace
X-XHR-Current-Location
X-Rewrite
X-CCM
Web-Head
X-Proxy
X-Execution-Time
TypeOfContent
ServerId
HostName
Content-Security-Policy
X-FW-Static
X-7dig
X-Cache-NHIT
X-OPNET-Transaction-Trace
X-NID
X-ATM-RServer
X-ATM-RTime
X-OLM-Node
X-Utime
X-Origin
X-CMS
X-7d-Version
X-LAvg
Access-Control-Expose-Headers
CacheControlHeader
X-Nucleus-Cache
X-Box
CachedXSLT
X-Agentscape-Info
RequestId
SiteName
X-RemovedCookies
Mime-Version
X-ProcessESI
X-Cache-Ttl
X-Caching-Rule-Id
X-TLServer
OriginalHost
X-Webstats-RespID
Accept-Language
Keywords
Description
Application-Version
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-UA
X-Symfony-Cache
Head
X-Papaya-Gzip
X-NginX-Server
X-Papaya-Cache
X-PP
X-Trace
WEBSERVER
Web-Server
Apache
SiteSpect-Identity
No-Cache
X-WA-Info
X-Platform
Expire
X-VCache
X-Varnish-Cacheable
X-Secret
WebServer
Esi-Enabled
X-EPiphany-Vid
X-Ratelimit
X-PS-MURDOCK-ORIG-PROTOCOL
X-NginX-Cache
X-Client-Vid
Copyright
DeleGate-Ver
X-Host-Url
X-PS-MURDOCK-ORIG-FILEEXT
X-Answer
X-IP-Address
X-PS-MURDOCK-CASE-NORMALIZATION
Front-End-Https
X-ServerId
X-SERVERID
X-DELIVERYSERVER
X-WEBSERVER
X-WorkerInstancename
Public-Extension
X-Stackable-Node
X-Developer
X-Continum-Server
Last-Modified:
ResourceTag
X-Server-Node
X-Crafted
X-Environment
X-PHP-Cache
Www.Aujourdhui.Com
X-RAMCache
X-Server-Id
X-GeoIP
X-Cache-Control
X-Set-Cookie
VM
SBMCLOUD
X-Mobile
X-Config-By
OutputRewritten
X-MSEdge-Ref
X-IP
X-Would-Your-GrandPa-Wait
Cteonnt-Length
Source
X-GitHub-Request-Id
OGHopCount
WZ-Cache
WZ-Device-Match
X-DC-Origin-IP
X-Rot
X-Cached-Page
Response
EI-UNIQUE-ID
W
X-Vhost-ID
X-Varnish-Id
X-Powered-Developer
X-Status
X-Page-Generated-At
X-Page-Generation-Time
X-JSON-API-TTL
X-JSON-API-LATENCY
Buuteeq-Source
X-JSON-API-AGE
X-TTL-Age
X-Cache-Lifetime
SAVVIS
X-PoolMember
Http
X-WR-MODIFICATION
X-Your-GrandPa-Would-Wait
X-Hash
At-Shoptype
RayEngine
X-Yottaa-Metrics
HTTP
INFO
X-Allow-Redis
X-Purge-Level
X-Yottaa-Optimizations
Noahs-Classifieds
X-DEBUG
X-SmugMug-Hiring
X-Varnish-Cookie-Debug
X-Web-Hosting-Service-Provider
Login-Required
TimeRestart
X-Serial
X-CMS-Sid
X-CMS-Stage
X-CMS-Nid
X-CMS-Live
X-CMS-Collection
Accept
X-CMS-State
X-CMS-Tid
X-Bcwwwid
X-Modules
SLB
Test
X-Extra-Header
X-Empowered-By
X-SmugMug-Values
X-User-Agent
X-BackendServer
X-Process-Time
Srv-N
Progma
Ap-Exec-Time-Mks
X-AISO-Cache
X-AISO-Server
UNIQUE-ID
X-Backend-Host
X-Catalyst
X-Varnish-HitMiss
X-Varnish-Count
X-Loc
X-Life
X-Site:
X-Hit-Cache
X-Unbounce-Instance
X-TTFB-L
X-TTFB
X-Pagename
X-Abuse
Atp-Isdpp
Xonnection
X-CMS-CRMSet
At-Isb
X-ProxyInstancename
X-Cache-Age