
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
X-Cache
Alternate-Protocol
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
WP-Super-Cache
Status
X-Drupal-Cache
MS-Author-Via
Access-Control-Allow-Origin
X-Cacheable
X-Pad
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Server
X-Host
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-UA-Device
X-Logged-In
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Content-Encoding
X-Tumblr-Pixel-1
X-Cache-Hits
X-INKT-URI
X-INKT-SITE
X-Robots-Tag
X-Tumblr-Pixel-2
Host-Header
SPRequestGuid
X-SharePointHealthScore
X-Cnection
X-PhApp
X-W3TC-Minify
X-Webserver
X-Varnish-Cache
Composed-By
X-Via
X-CF-Powered-By
Served-By
X-Page-Speed
X-Forwarded-For
Strict-Transport-Security
X-Firenze-Processing-Times
X-ServedBy
X-Url
X-Served-By
X-Hostname
X-Iinfo
X-XN-Trace-Token
X-XN-XNHTML
X-Accel-Version
X-Tumblr-Pixel-3
Access-Control-Allow-Headers
X-Mobilized-By
X-MS-InvokeApp
Cartoon
X-ContextId
Access-Control-Allow-Methods
X-Alternate-Cache-Key
X-ShardId
X-ShopId
X-Stats-Visit-Token
X-Stats-Unique-Token
X-CDN
X-AH-Environment
X-Umbraco-Version
X-Backend
X-Powered-By-360WZB
Content-Style-Type
Content-Script-Type
Refresh
Liferay-Portal
X-Cache-Info
X-Server-Name
Magicmarker
X-PC-Host
X-PC-Key
X-PC-Hit
X-PC-Date
X-PC-AppVer
Thanks
Powered-By-ChinaCache
X-Ua-Compatible
X-Geo-Port
X-Geo
X-HeyJason
X-Cache-Server
Rating
X-Outils-CS
TCN
X-Amz-Id-2
X-From
Cf-Railgun
X-Amz-Request-Id
X-Powered-By-Anquanbao
Page-Completion-Status
X-FB-Debug
X-Content-Digest
X-TN-ServedBy
Real-Hostname
X-Loop
X-PHP-Engine
X-Tumblr-Pixel-4
X-Original-Content-Length
Imagetoolbar
X-Spip-Cache
X-Px
NS-RTIMER-COMPOSITE
X-Generated-By
IBM-Web2-Location
PICS-Label
X-Amz-Cf-Id
X-Matrix-Proxy
X-Matrix-Server
SPIisLatency
SPRequestDuration
Request-Id
X-Tumblr-Content-Rating
X-Device
X-TNCMS-Served-By
X-TNCMS-Version
X-ChromeLogger-Data
X-TNCMS-Render-Time
X-TNCMS-Memory-Usage
X-Content-Encoded-By
X-URL
Set-Cookie2
X-Drectory-Script
X-Cache-Status
X-CDN-Geo
X-CDN-Geo-IP
X-CDN-Any-IP
X-Cached-By
X-Tumblr-Pixel-5
ServerName
Access-Control-Max-Age
X-Node
X-CMS-Version
IISExport
X-Cached
X-Firenze-Processing-Time
Retry-After
X-Trace-App
CF-Cache-Status
X-PF-Uncompressing
X-DynaTrace
DynaTrace
RTSS
Generator
X-I
Accept-Encoding
X-Timer
X-FORWARDED-FOR
COMMERCE-SERVER-SOFTWARE
X-Age
X-DDC-Arch-Trace
ServedBy
Lsrequestid
X-Cache-Debug
X-SDS
Powered-By
X-ATG-Version
X-Art-Request-Id
X-Backend-Server
MIME-Version
Product
X-ApacheServer
X-Cache-Hit
Time
X-PERF
X-Vary-Options
X-Nitra-Side
SID
X-Pantheon-Styx-Hostname
Content-Encoding-Handler
X-Pantheon-Endpoint
Edge-Control
Pics-Label
Access-Control-Request-Method
X-Processed-By
NODE
X-Hosted-By
X-NoCache
X-B2f-Cache-Load
X-UD-Host
X-UD-Method
X-PwB-Node
X-Vtex-Cache-Key
X-Original-Request
X-Speed-Cache-Key
X-Vtex-Remote-Cache
X-DynaTrace-JS-Agent
Machine
Host
X-App-Hosting
X-Srv
X-Purge-Host
LFY
X-LiteSpeed-Cache
X-Director
SFY
X-DNS-Prefetch-Control
X-Returned-From-BeforeDispatch
X-Handled-By
X-Returned-From-DLL
X-Passed-To-PostProcessResponse
X-Actual-URL
X-Passed-To
X-Passed-To-BeforeDispatch
X-FIRSTBase
X-Passed-To-DLL
X-Returned-From-PostProcessResponse
X-Returned-From
X-Cookie-Domain
Surrogate-Control
X-Speed-Cache
Proxy-Agent
X-Cache-Enabled
Charset
AMF-Ver
X-Varnish-Backend
X-Cache-Expires
MW-Webserver
X-Served-From-Cache
WWW-Authenticate
X-Purge-URL
X-Ms-Invokeapp
Cm-Server
X-Yadis-Location
Location
X-Orig-Vary
X-Expires-Orig
X-CJ-Soft
Microsoftsharepointteamservices
Node
VAR-Cache
X-GeoIP-Country-Name
X-LIGHTHTTP-PCDID
X-Trace-Cache
X-GeoIP-Country-Code
Proxy-Connection
Fhost
X-ACMCache
X-SERVER
Sprequestguid
X-ServerID
X-Sharepointhealthscore
X-ServerName
X-Cache-Control-Orig
Content-Disposition
X-Duration
Filter-Revision
Cache
X-Content-Options
X-TTL
X-Request-ID
X-StoreSense
Server-Info
X-ProStores-StoreApiEntryPoint
Website-Info
X-Track
X-Varnish-TTL
X-Cocoon-Version
X-Powered-By-Yqk
X-Yqk-Set
Accept-Charset
X-Blog
X-Session-Reinit
Req-Id
X-MJ-Upstream-Addr
SN
X-Cache-Rule
S
X-Time
X-Micro-Cache
X-MJ-Serve-Req-Time
X-App-Start
UniqueName
CT
ORIGIN
X-Old-Content-Length
Hamster
X-Gamma-Serve
X-Pangea-Version
X-Sys-Req-ID
X-FW
X-Adobe-Content
X-SRV
Nodo
X-Source-Host
X-AOL-SNH
X-Hits
X-Server-ID
Debug-IP-Cntry
Debug
X-App
Debug-Begin-IP
X-CHSN
Id
X-Microcachable
Webluker-Edge
X-Info
NetMindSessionID
X-WR-Flags
QOR-Cache
X-Front
X-Cluster-Node
X-Distil-CS
X-WebServer
X-Target
X-Varnish-Hits
Pagely
X-Trash-Talk
X-Engine
X-Highwire-RequestId
X-Highwire-SessionId
ServerID
CommunityServer
X-Varnish-Host
X-N
X-AspNetWebPages-Version
X-UPSTREAM
X-Varnish-Action
X-Accelerated-By
X-Atraveo-TTL
X-Atraveo-Varnish-Server-Id
X-Atraveo-Cache-Control
From
MvcResult
X-Atraveo-NC
X-Phpwcms-Page-Processed-In
X-Src-Webcache
X-PvInfo
X-Phpwcms-Release
X-Atraveo-From-Varnish-Cache
Server2
X-Server-Web
X-Varnish-IP
X-Device-Type
X-Pass-Why
X-ASTRO-REWRITE
A-Powered-By
X-Kirra-SiteId
X-Varnish-Age
X-Microcache-Status
X-HS-MC-Reqs
X-Cdn
OHS-WebNode
X-ACCELERATE
X-Cache-Action
NtCoent-Length
X-Cache-TTL
X-Cache-Operation
X-Machine-Name
Ibm-Web2-Location
X-Header
ScoreTracker
X-Wily-Info
X-Wily-Servlet
X-ID
X-Grid-Server
X-Channel-Maxage
X-CacheHits
X-Turbo-Control
X-Ttl
X-DeliveryServer
X-Varnish-Server
Pool-Info
WP-Cache
X-Geo-IP
X-Enhanced-By
X-Source
MJ12bot
X-Whom
X-PRAM
X-Source-ID
X-Force
X-ServerCache-Info
MirrorName
X-Request-Duration
X-Database-Slave-Connection
SEOMOZ
Content-Transfer-Encoding
X-Benchmark-Db
X-Benchmark-Cache
X-Benchmark-Sphinx
X-Id
X-Benchmark-Total
X-Benchmark-Sphinx-Count
X-Hrouter
X-FreeTag-Count
X-EdgeRouter
Server-Name
SynthaSite-ID
X-Li-Pop
X-Li-Fabric
X-FS-UUID
Warning
X-Directory-Script
-Onnection
Author
X-LI-UUID
X-Country-Code
X-Frontend
RequestTime
X-Varnish-Debug-Age
X-Ocache
X-Haiku
X-Bettercache-Proxy
X-Amz-Id-1
Provided-Host
X-HOSTTYPE
X-USERNAME
X-Debug
X-S
X-T
X-GLaDOS
X-Response-Time
X-Max-Age
OriginServer
X-Version
X-Garden-Version
X-B
X-Varnish-Debug-Hits
X-Transaction
X-App-Server
X-Uid
X-SV
X-WP
X-REDIRECTSERVER
X-Magento-Action
X-Monstercache-Timeout
Bs-Header
X-Magento-Lifetime
X-WLD-LB
Front
X-Expires
X-SN
X-Nginx-Cache
X-Varnish-Cache-Hits
X-CMS-Server
F-In-Cache
X-UD-Target
Jobb.Assistentpoolen.Se
X-T3CacheTags
X-Route
A1B2C3
Backend-Host
X-UD-Loopcounter
Jobb.Passal.Se
Open.Jobgate.Se
P3P:CP
Www.Mabracertifiering.Se
X-UD-REMOTE-ADDR
Jobb.Gil.Se
Test.Executivepeople.Se
Www.Mirrorgate.Se
Www.Myjob.Se
LBVIS
Cluster-ID
Hash
X-Response
MASTERWEBLET
Content-MD5
X-MidCOM-Meta-Cache
X-NGINX-CACHED-AT
X-Vivastreet-KiwiiPage
CDN
X-Apache-Backend
X-Actindo-RS
X-Jcms-Ajax-Id
X-NGINX-CACHED
X-Farm-Server
Cache-Ctrol
D
X-Via-Kemp
Compression-Control
X-Cache-Me-Harder
Ssl-Enabled
ProxiaInstanceId
X-B2f-Not-Route
X-Frames-Options
CountryCode
X-Vivastreet
Content
NLCacheNote
Ec
X-Conf
If-Modified-Since
X-JSL
SIP
X-Framework
Srv
X-Cf-Powered-By
Pool
X-Amz-Meta-S3cmd-Attrs
X-User-Id
X-T3Cache
X-Varnish-Cache-Local
X-Object-Id
Beyond-Iis
X-Content-Age
X-T3CacheInfo
X-JAL
X-Object-Type
Backend
X-Varnish-Device
X-Cms-Mode
X-Translation
X-Venda-Hitid
NodeID
X-Jphone-Copyright
X-Varnish-ID
X-Vhost
X-Powered
Powered
SRV
X-Oracle-DMS-ECID
X-Recruiting
X-NewRelic-App-Data
WEBO
Publisher
X-Flex-Evend
X-Flex-Evstart
X-Flex-Community
X-Geo-IPV
X-Geo-IP-Region
X-Flex-Lang
X-Flex-Lastmod
X-Rewritten-By
X-ManagedFusion-Rewriter-Version
X-Flex-Tags
X-Flex-Tag
X-Geo-IP-Metro
X-Geo-IP-Country
PowerCDN
Content-Instance
No
X-Server-By
X-Pb-Mii
X-Vtex-Processado-Em
VTag
X-Mii-Cache-Hit
X-MSG-01
X-MSG-06
X-DEBUG-Obj-Ttl
X-MSG-05
X-GC-Read
X-GC-Write
Rt-Fastcgi-Cache
X-MSG-04
X-MSG-02
X-MCB-Server
PUBLISH
X-GC-App
X-Device-Group
X-ATP-Server
X-MSG-00
X-DEBUG-X-Id
Proxy-From
CP
X-Powered-By-Server
X-ERM-ServerName-AppPage
X-ERM-RunTime
X-View
X-ERM-ServerName
X-TISSERVER
Mobiquo-Is-Login
X-Provisioner-Version
X-Domain-Checked
Rt-Server
X-Permitted-Cross-Domain-Policies
X-VarnCache
X-Origin-Id
B-Powered-By
X-MSG-03
ExecutionTime
X-ORACLE-DMS-ECID
X-Secret
Cmstype
SS
Hej
X-Nginx-Server
Preview-Refresh
Ms
X-Varnish-Cacheable
X-Time-Microsecs
X-Cache-Term
X-PM-ID
X-Varnish-Debug-Fetch-Host
X-Web-Node
Content-Security-Policy
Cmsid
X-Author
X-Test
7e-Page-Cache
X-Node-Name
X-FCMS-Cache
X-Hosting-Env
X-Hit
CacheControlHeader
CacheControlMode
X-Varnish-Cache-Server
X-Monstercache-Host
X-Monstercache-Hash
X-SilverStripe-Cache
X-Geoip-Country-Code
X-Artvisual-Server
Provider
Robots
X-Monstercache
XX
X-Full-URL
At-Shoptype
Atp-Isdpp
Aoestatic
Xc
X-Cache-Backend
POOL
X-Optimization
At-Isb
INCOMING-TIME
CachedXSLT
X-Forwarded-Proto
X-Execution-Time
X-Client-Vid
X-NginX-Cache
X-NginX-Server
X-EPiphany-Vid
X-Agentscape-Info
X-IDS-WS
X-CCM
X-Proxy
SVR
X-Caching-Rule-Id
Copyright
X-Rewrite
X-Cluster-Host
Worker
X-Dev
Mime-Version
X-Cache-Ttl
X-Nucleus-Cache
X-OPNET-Transaction-Trace
RequestId
X-Fett
Access-Control-Expose-Headers
MIH-PLATFORM
MIH-PUBLIC-IDENTIFIER
X-Header-Set-Id
SiteName
MIH-CLIENT-FARM
X-Platform
X-TLServer
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-RE-Ref
Telligent-Evolution
X-Varnish-Cookie-Debug
WP-AdvCache-MemCached
Accept-Language
X-Webstats-RespID
X-PS-MURDOCK-ORIG-FILEEXT
Expire
X-PS-MURDOCK-CASE-NORMALIZATION
X-CMS
Keywords
Description
X-XHR-Current-Location
EbdTrace
X-Cache-NHIT
X-FW-Static
X-Abuse
X-7dig
X-LAvg
X-7d-Version
X-Papaya-Cache
X-Papaya-Gzip
X-IP-Address
X-Box
X-UA
X-Empowered-By
X-Server-Id
Noahs-Classifieds
X-PS-MURDOCK-ORIG-PROTOCOL
No-Cache
X-Allow-Redis
WEBSERVER
Spot
SiteSpect-Identity
X-WA-Info
Apache
Web-Head
TimeRestart
X-Serial
DeleGate-Ver
X-Host-Url
X-Purge-Level
X-PP
OMNI-C
Web-Server
Head
HAVer
HCVer
WebServer
X-Answer
Front-End-Https
Esi-Enabled
X-Symfony-Cache
X-Pixelsilk-Server
Custom
X-Pixelsilk-Version
Application-Version
X-Ratelimit
X-Modules
X-WEBSERVER
X-WorkerInstancename
X-SERVERID
X-ServerId
X-DELIVERYSERVER
X-Cache-Lifetime
X-Developer
X-Cache-Age
X-Backend-Host
X-NID
UNIQUE-ID
X-Crafted
Last-Modified:
X-Server-Node
Public-Extension
X-IP
X-Catalyst
X-Mobile
ResourceTag
X-Varnish-Count
Ap-Exec-Time-Mks
Srv-N
Progma
X-Loc
X-Life
X-Process-Time
X-User-Agent
X-AISO-Server
VM
X-AISO-Cache
X-BackendServer
HostName
X-Varnish-HitMiss
X-Set-Cookie
X-Would-Your-GrandPa-Wait
X-Your-GrandPa-Would-Wait
X-WR-MODIFICATION
X-TTL-Age
X-Page-Generation-Time
X-JSON-API-TTL
X-Page-Generated-At
Http
SAVVIS
WZ-Device-Match
X-Utime
WZ-Cache
X-Powered-Developer
X-PoolMember
X-Status
X-JSON-API-LATENCY
X-JSON-API-AGE
X-PHP-Cache
X-Upstream
X-Origin
X-GeoIP
Www.Aujourdhui.Com
X-MSEdge-Ref
OutputRewritten
X-Config-By
X-Hash
Buuteeq-Source
X-RAMCache
X-Continum-Server
SBMCLOUD
X-Stackable-Node
ServerId
X-ProxyInstancename
X-CMS-Live
X-CMS-CRMSet
X-CMS-Collection
X-CMS-Nid
X-CMS-Sid
X-CMS-State
X-CMS-Stage
Accept
Response
X-Req-Host
X-Created
X-Req-Url
X-V-I-TTL
X-V-TTL
X-V-Outer
X-Trace
X-CMS-Tid
X-VCache
X-Pagename
X-Environment
X-Cache-Control
X-DEBUG
Login-Required
X-Hit-Cache
X-TTFB-L
X-Bcwwwid
SLB
X-Web-Hosting-Service-Provider
X-SmugMug-Hiring
X-TTFB
X-SmugMug-Values
HTTP
Origin
X-Wm-1
CacheInfo
CacheInfoFetch
X-Varnish-Hit
X-BKSrc
X-Yottaa-Optimizations
BKREF
Optimizer
OriginalHost
X-RemovedCookies
X-GitHub-Request-Id
X-ProcessESI
X-Site:
TypeOfContent
X-Unbounce-Instance
X-Yottaa-Metrics
RayEngine
Nbaid
Mark
Nbmt
X-DC-Origin-IP
X-Vhost-ID
X-Rot
Test
X-Extra-Header
X-ACLR-Version
X-Hc-Host
INFO
X-PBY
MachineName
OGHopCount
Xonnection