
SANS ISC HTTP Header Usage Statistics


This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, for example X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We retrieve the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
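The collection method above (a HEAD request per site, then a per-header tally) is simple enough to show end to end. The following is an added example written for this page, not the ISC's own collector: it parses raw HEAD responses and counts, per site, which headers are present, then reports adoption of the security-relevant ones. The three responses are constructed sample data, so the script runs offline.

```python
"""Tally HTTP response headers from HEAD responses, the way the ISC survey does.

Added example for illustration, not the ISC's own collector. The responses
below are constructed sample data; no network access is needed.
"""
from collections import Counter

# Headers the survey treats as security relevant; every name here appears in
# the ISC histogram. Lower-cased because header names are case-insensitive.
SECURITY_HEADERS = {
    "x-frame-options",
    "x-xss-protection",
    "x-content-type-options",
    "strict-transport-security",
    "content-security-policy",
    "x-permitted-cross-domain-policies",
}

# Constructed HEAD responses standing in for three polled sites (not real data).
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "P3P: CP=\"NOI DSP\"\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n",
    # Same kind of headers, but emitted in lower case by the origin server.
    "HTTP/1.1 301 Moved Permanently\r\n"
    "location: https://example.test/\r\n"
    "content-length: 0\r\n"
    "x-frame-options: DENY\r\n"
    "p3p: CP=\"NOI\"\r\n"
    "\r\n",
]


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP response, status line excluded."""
    head, _, _ = raw.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:           # [1:] drops the status line
        if not line or line[0] in " \t":            # blank or obs-fold continuation
            continue
        name, sep, value = line.partition(":")      # split on the first colon only
        if sep and name.strip():
            pairs.append((name.strip(), value.strip()))
    return pairs


def tally(responses, case_insensitive=True):
    """Count how many responses carry each header (at most once per response)."""
    counts = Counter()
    for raw in responses:
        names = {n.lower() if case_insensitive else n for n, _ in parse_headers(raw)}
        counts.update(names)                        # a set, so one count per site
    return counts


def security_header_adoption(responses):
    """Fraction of responses carrying each security-relevant header."""
    counts = tally(responses)
    total = len(responses)
    return {h: counts[h] / total for h in sorted(SECURITY_HEADERS)}


if __name__ == "__main__":
    for name, count in tally(SAMPLE_RESPONSES).most_common():
        print(f"{count:3d}  {name}")
    for header, share in security_header_adoption(SAMPLE_RESPONSES).items():
        print(f"{share:5.0%}  {header}")
```

Two details matter for the numbers. Header names are case-insensitive, so the tally folds them to lower case by default; with `case_insensitive=False` the third site's `x-frame-options` is counted apart from `X-Frame-Options`, which is the kind of split visible in the histogram below, where P3P and P3p, X-UA-Compatible and X-Ua-Compatible, and X-Forwarded-For and X-FORWARDED-FOR each appear as separate rows. Splitting on the first colon, without requiring a following space, also keeps names clean; rows such as `Last-Modified:` and `P3P:CP` in the histogram look like the output of a looser split.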

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
X-Cache
Alternate-Protocol
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Buckets
X-Template
X-Generator
X-Hacker
WP-Super-Cache
Status
X-Drupal-Cache
X-Cacheable
MS-Author-Via
Access-Control-Allow-Origin
X-Pad
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Server
X-Host
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-Logged-In
X-UA-Device
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
Content-Encoding
X-Cache-Hits
X-Tumblr-Pixel-1
X-INKT-URI
X-INKT-SITE
X-Robots-Tag
X-Tumblr-Pixel-2
Host-Header
X-SharePointHealthScore
SPRequestGuid
X-Cnection
X-PhApp
X-W3TC-Minify
X-Varnish-Cache
X-Webserver
X-CF-Powered-By
X-Via
Composed-By
Served-By
X-Page-Speed
Strict-Transport-Security
X-Forwarded-For
X-Firenze-Processing-Times
X-Served-By
X-ServedBy
X-Hostname
X-Iinfo
X-XN-Trace-Token
X-XN-XNHTML
X-Accel-Version
X-Url
X-Tumblr-Pixel-3
Access-Control-Allow-Headers
X-Mobilized-By
X-MS-InvokeApp
Cartoon
X-ContextId
Access-Control-Allow-Methods
X-ShardId
X-Alternate-Cache-Key
X-ShopId
X-CDN
X-Stats-Unique-Token
X-Stats-Visit-Token
X-AH-Environment
X-Umbraco-Version
X-Powered-By-360WZB
X-Backend
Content-Style-Type
Content-Script-Type
Liferay-Portal
X-Cache-Info
Refresh
X-Server-Name
Magicmarker
Powered-By-ChinaCache
X-PC-Date
X-PC-Hit
X-PC-AppVer
X-PC-Key
X-Geo-Port
X-Geo
X-PC-Host
Thanks
X-From
X-Ua-Compatible
X-HeyJason
X-Cache-Server
Rating
X-Amz-Id-2
TCN
X-Outils-CS
X-URL
Cf-Railgun
X-Amz-Request-Id
Page-Completion-Status
X-Powered-By-Anquanbao
X-FB-Debug
X-Content-Digest
X-TN-ServedBy
Real-Hostname
X-PHP-Engine
X-Loop
Imagetoolbar
X-Original-Content-Length
X-Spip-Cache
X-Tumblr-Pixel-4
X-Px
NS-RTIMER-COMPOSITE
Request-Id
SPIisLatency
SPRequestDuration
X-Generated-By
PICS-Label
IBM-Web2-Location
X-Content-Encoded-By
X-TNCMS-Version
X-TNCMS-Memory-Usage
X-ChromeLogger-Data
X-TNCMS-Served-By
X-TNCMS-Render-Time
X-CDN-Any-IP
X-CDN-Geo-IP
X-CDN-Geo
X-Tumblr-Content-Rating
X-Matrix-Server
X-Matrix-Proxy
X-Amz-Cf-Id
X-Drectory-Script
Set-Cookie2
X-Device
X-Cache-Status
X-Cached-By
IISExport
X-Tumblr-Pixel-5
ServerName
Access-Control-Max-Age
X-Firenze-Processing-Time
X-Node
X-Cached
X-CMS-Version
X-Timer
Retry-After
CF-Cache-Status
X-PF-Uncompressing
X-FORWARDED-FOR
X-DynaTrace
DynaTrace
X-Processed-By
X-Trace-App
X-I
Accept-Encoding
Generator
X-Age
ServedBy
X-B2f-Cache-Load
COMMERCE-SERVER-SOFTWARE
X-ATG-Version
X-SDS
Edge-Control
Lsrequestid
Powered-By
X-Cache-Debug
X-DDC-Arch-Trace
X-Backend-Server
RTSS
Product
MIME-Version
X-ApacheServer
SID
X-Cache-Hit
Time
X-Vary-Options
X-Nitra-Side
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-PERF
Pics-Label
X-Hosted-By
Access-Control-Request-Method
Host
X-UD-Method
X-UD-Host
Content-Encoding-Handler
X-Purge-Host
X-NoCache
X-PwB-Node
X-Speed-Cache-Key
X-Vtex-Cache-Key
X-DynaTrace-JS-Agent
X-Original-Request
X-Vtex-Remote-Cache
SFY
LFY
Surrogate-Control
X-Art-Request-Id
X-LiteSpeed-Cache
X-Director
X-Srv
Machine
X-DNS-Prefetch-Control
X-Cache-Enabled
X-Returned-From-PostProcessResponse
X-Returned-From-BeforeDispatch
X-App-Hosting
X-Returned-From-DLL
X-Handled-By
X-Passed-To-BeforeDispatch
WWW-Authenticate
X-Passed-To-DLL
X-Passed-To
X-FIRSTBase
X-Returned-From
X-Passed-To-PostProcessResponse
X-Actual-URL
Location
Node
X-Cookie-Domain
X-Expires-Orig
X-WebServer
X-Yadis-Location
X-Ms-Invokeapp
X-Speed-Cache
NODE
Charset
AMF-Ver
X-Varnish-Backend
X-Cache-Control-Orig
X-Cache-Expires
X-Purge-URL
MW-Webserver
X-Orig-Vary
VAR-Cache
Proxy-Agent
Cm-Server
X-Served-From-Cache
X-CJ-Soft
Microsoftsharepointteamservices
Filter-Revision
X-Micro-Cache
X-ACMCache
Cache
X-SERVER
Proxy-Connection
X-LIGHTHTTP-PCDID
Content-Disposition
Fhost
X-TTL
X-StoreSense
X-ServerName
X-ProStores-StoreApiEntryPoint
X-ServerID
X-Content-Options
X-Cocoon-Version
X-Sharepointhealthscore
X-GeoIP-Country-Name
Sprequestguid
X-GeoIP-Country-Code
X-Varnish-TTL
X-FW
Nodo
Website-Info
X-Source-Host
Server-Info
X-Request-ID
CT
X-Trace-Cache
X-Powered-By-Yqk
X-Duration
X-Track
X-Yqk-Set
X-Time
S
ORIGIN
X-MJ-Upstream-Addr
Req-Id
X-MJ-Serve-Req-Time
X-Server-ID
X-Adobe-Content
SN
X-App-Start
X-Pangea-Version
Id
UniqueName
X-Cache-Rule
X-SRV
X-Sys-Req-ID
X-Gamma-Serve
Webluker-Edge
Hamster
X-Blog
X-Cluster-Node
X-Session-Reinit
X-AOL-SNH
X-Hits
Accept-Charset
X-CHSN
Debug-Begin-IP
Debug-IP-Cntry
Debug
X-WR-Flags
QOR-Cache
From
NetMindSessionID
X-Info
X-App
X-Microcachable
X-Highwire-SessionId
A-Powered-By
X-Highwire-RequestId
X-Front
X-AspNetWebPages-Version
X-Engine
Pagely
ServerID
X-Target
X-Varnish-Hits
CommunityServer
X-Varnish-Age
X-Old-Content-Length
X-Pass-Why
X-Cache-TTL
X-HS-MC-Reqs
X-Varnish-Host
X-Trash-Talk
X-UPSTREAM
X-N
X-Cache-Action
X-Varnish-Action
X-Header
X-Kirra-SiteId
X-Phpwcms-Page-Processed-In
X-Phpwcms-Release
X-ServerCache-Info
X-Bettercache-Proxy
X-Varnish-IP
X-Device-Type
X-Machine-Name
X-Atraveo-Cache-Control
Server2
X-Atraveo-From-Varnish-Cache
X-ASTRO-REWRITE
X-Accelerated-By
X-Microcache-Status
X-Atraveo-Varnish-Server-Id
X-Atraveo-TTL
X-Distil-CS
MvcResult
X-Src-Webcache
X-Server-Web
X-Atraveo-NC
X-Cdn
X-Object-Type
X-Geo-IP
X-Object-Id
OHS-WebNode
ScoreTracker
X-DeliveryServer
X-Directory-Script
X-Wily-Info
X-Wily-Servlet
X-Grid-Server
X-PvInfo
NtCoent-Length
X-Ttl
MJ12bot
X-ID
SEOMOZ
X-Varnish-Server
X-Turbo-Control
Ibm-Web2-Location
X-CacheHits
X-Cache-Operation
Pool-Info
X-Enhanced-By
X-Benchmark-Db
X-Benchmark-Cache
X-Source-ID
MirrorName
X-Database-Slave-Connection
X-Request-Duration
X-PRAM
X-Force
X-Benchmark-Sphinx-Count
X-Benchmark-Sphinx
X-Benchmark-Total
X-Channel-Maxage
Content-Transfer-Encoding
X-Id
X-Response-Time
X-Hrouter
Server-Name
SynthaSite-ID
X-EdgeRouter
X-FreeTag-Count
X-Whom
X-S
Srv
WP-Cache
Warning
Bs-Header
X-Domain-Checked
Author
X-Source
X-Country-Code
X-LI-UUID
X-Li-Pop
X-FS-UUID
X-Frontend
X-Provisioner-Version
X-Li-Fabric
X-Debug
-Onnection
OriginServer
Provided-Host
X-SV
X-Version
X-Framework
X-Recruiting
X-GLaDOS
X-Amz-Meta-S3cmd-Attrs
X-NGINX-CACHED-AT
X-Farm-Server
X-Varnish-Debug-Age
X-Uid
X-Haiku
X-Amz-Id-1
X-Jcms-Ajax-Id
X-NGINX-CACHED
X-Max-Age
X-Varnish-Debug-Hits
X-USERNAME
X-ACCELERATE
X-Transaction
SS
RequestTime
X-App-Server
Backend
X-HOSTTYPE
X-Garden-Version
X-Geo-IP-Country
X-Geo-IP-Metro
X-Geo-IP-Region
X-Magento-Action
NLCacheNote
X-Varnish-Cache-Hits
X-Magento-Lifetime
X-REDIRECTSERVER
X-Geo-IPV
X-WLD-LB
X-Expires
F-In-Cache
X-WP
X-Monstercache-Timeout
X-SN
REFRESH
X-Nginx-Cache
Pool
7e-Page-Cache
X-CMS-Server
Jobb.Assistentpoolen.Se
X-Cms-Mode
X-UD-Target
Ssl-Enabled
X-Via-Kemp
X-UD-REMOTE-ADDR
Cache-Ctrol
X-Response
Www.Mabracertifiering.Se
X-Frames-Options
P3P:CP
X-Translation
X-B
X-Route
Backend-Host
X-B2f-Not-Route
Www.Myjob.Se
Www.Mirrorgate.Se
X-Jphone-Copyright
Test.Executivepeople.Se
X-UD-Loopcounter
X-Vivastreet-KiwiiPage
X-Conf
X-Varnish-Cache-Local
Ec
X-JAL
X-JSL
X-MCB-Server
Content
X-Ocache
Content-MD5
X-Cf-Powered-By
X-T
X-User-Id
X-Cache-Term
Jobb.Passal.Se
X-MidCOM-Meta-Cache
X-Vivastreet
Compression-Control
Open.Jobgate.Se
Cluster-ID
MIH-CLIENT-FARM
MIH-PLATFORM
Front
MIH-PUBLIC-IDENTIFIER
Jobb.Gil.Se
Hash
X-Content-Age
Beyond-Iis
X-Powered
SIP
X-T3CacheInfo
X-Varnish-ID
X-T3Cache
CountryCode
Powered
X-Node-Name
X-T3CacheTags
Content-Instance
X-SilverStripe-Cache
X-Cache-Me-Harder
NodeID
X-Vhost
X-Varnish-Device
If-Modified-Since
X-Hosting-Env
X-Apache-Backend
X-Actindo-RS
CDN
X-Nginx-Server
MASTERWEBLET
X-Venda-Hitid
ProxiaInstanceId
A1B2C3
X-Flex-Evstart
X-Flex-Lastmod
X-Flex-Lang
WEBO
PowerCDN
X-Flex-Tag
X-Flex-Community
X-Flex-Evend
X-Rewritten-By
X-Flex-Tags
X-Oracle-DMS-ECID
X-ManagedFusion-Rewriter-Version
SRV
X-MSG-01
Rt-Fastcgi-Cache
X-Test
X-DEBUG-Obj-Ttl
No
X-MSG-02
X-ORACLE-DMS-ECID
X-PM-ID
X-MSG-03
X-MSG-06
X-MSG-05
X-Permitted-Cross-Domain-Policies
X-Fett
Ms
X-Vtex-Processado-Em
X-DEBUG-X-Id
X-FCMS-Cache
X-View
B-Powered-By
X-MSG-00
D
X-Server-By
Rt-Server
Cmstype
X-Box
X-VarnCache
X-Web-Node
Cmsid
CacheControlHeader
Preview-Refresh
Hej
CacheControlMode
X-Origin-Id
X-Trace
X-Device-Group
XX
X-Mii-Cache-Hit
X-ERM-RunTime
X-ATP-Server
LBVIS
X-ERM-ServerName-AppPage
X-Varnish-Debug-Fetch-Host
X-ERM-ServerName
X-Varnish-Cache-Server
TypeOfContent
PUBLISH
CP
X-TISSERVER
X-Powered-By-Server
VTag
ExecutionTime
X-GC-Read
X-GC-App
X-MSG-04
WP-AdvCache-MemCached
Proxy-From
Optimizer
OriginalHost
X-7dig
X-7d-Version
CacheInfoFetch
Content-Security-Policy
Mobiquo-Is-Login
CacheInfo
X-Pb-Mii
X-GC-Write
Aoestatic
X-Monstercache-Hash
X-Monstercache-Host
X-Monstercache
Publisher
X-Full-URL
Robots
Provider
Xc
POOL
X-Geoip-Country-Code
X-Artvisual-Server
X-Cache-Backend
X-Optimization
At-Isb
Atp-Isdpp
INCOMING-TIME
At-Shoptype
ResourceTag
X-Origin
Public-Extension
X-Empowered-By
HostName
X-Server-Id
X-OPNET-Transaction-Trace
X-ProcessESI
X-Varnish-Cookie-Debug
Expire
X-RemovedCookies
SVR
X-User-Agent
X-Varnish-Cacheable
Description
OMNI-C
MachineName
X-Hit
X-Author
Web-Head
X-Time-Microsecs
X-Ratelimit
X-Answer
X-IP-Address
X-Papaya-Cache
X-UA
X-PS-MURDOCK-CASE-NORMALIZATION
X-PS-MURDOCK-ORIG-PROTOCOL
X-PS-MURDOCK-ORIG-FILEEXT
X-XHR-Current-Location
X-Varnish-Debug-Varnish-TTL-Set-From-Server
BKREF
HCVer
X-BKSrc
Keywords
X-Wm-1
X-Varnish-Hit
HAVer
X-CMS
X-Webstats-RespID
Accept-Language
X-Hc-Host
X-Pixelsilk-Server
X-Pixelsilk-Version
X-Papaya-Gzip
X-Cache-NHIT
Worker
X-PP
X-Platform
Apache
X-FW-Static
X-Host-Url
DeleGate-Ver
X-TLServer
X-OLM-Node
X-Cache-Ttl
X-Dev
X-Abuse
No-Cache
WebServer
X-Symfony-Cache
Head
Esi-Enabled
Web-Server
Application-Version
Front-End-Https
WEBSERVER
X-WA-Info
X-LAvg
X-Utime
X-NginX-Cache
X-NginX-Server
X-Nucleus-Cache
Telligent-Evolution
X-Header-Set-Id
X-Caching-Rule-Id
SiteName
X-Cluster-Host
X-Rewrite
SiteSpect-Identity
X-Secret
EbdTrace
Copyright
Access-Control-Expose-Headers
RequestId
X-IDS-WS
X-RE-Ref
X-CCM
X-Proxy
X-EPiphany-Vid
Mime-Version
X-Agentscape-Info
CachedXSLT
X-Forwarded-Proto
X-Client-Vid
X-Execution-Time
X-DELIVERYSERVER
X-ServerId
X-WorkerInstancename
X-NewRelic-App-Data
X-SERVERID
X-WEBSERVER
X-Mobile
X-IP
X-Dynamic
X-Cache-Age
Last-Modified:
X-Cache-Lifetime
X-Developer
X-Crafted
Content-ID
X-Server-Node
Origin
Www.Aujourdhui.Com
X-MSEdge-Ref
X-GeoIP
X-Set-Cookie
VM
X-ATM-RServer
X-ATM-RTime
X-NID
X-VG-WebCache
X-Config-By
Http
X-WR-MODIFICATION
X-Your-GrandPa-Would-Wait
SAVVIS
X-PoolMember
X-Powered-Developer
X-Status
Buuteeq-Source
X-JSON-API-AGE
X-Page-Generated-At
X-JSON-API-TTL
X-Page-Generation-Time
X-JSON-API-LATENCY
X-Would-Your-GrandPa-Wait
X-TTL-Age
WZ-Cache
X-Hash
Source
X-Upstream
Cteonnt-Length
X-DC-Origin-IP
X-Rot
X-Vhost-ID
X-PHP-Cache
OutputRewritten
X-GitHub-Request-Id
X-Continum-Server
X-RAMCache
X-Stackable-Node
SBMCLOUD
OGHopCount
WZ-Device-Match
X-Brought-To-You-By
X-CMS-Tid
X-SmugMug-Values
X-TTFB
X-SmugMug-Hiring
X-Web-Hosting-Service-Provider
SLB
X-Bcwwwid
X-TTFB-L
X-Hit-Cache
Login-Required
X-DEBUG
X-Cache-Control
X-Environment
X-Pagename
X-VCache
X-CMS-State
X-CMS-Stage
X-V-Outer
X-V-TTL
X-V-I-TTL
X-Req-Url
X-Created
X-Req-Host
Response
Accept
X-CMS-Nid
X-CMS-Sid
X-CMS-Live
X-CMS-CRMSet
X-CMS-Collection
Xonnection
HTTP
Ap-Exec-Time-Mks
Srv-N
Progma
X-Loc
ServerId
X-Life
X-Process-Time
X-BackendServer
X-Catalyst
UNIQUE-ID
X-Varnish-HitMiss
X-Varnish-Count
X-AISO-Cache
X-AISO-Server
X-ProxyInstancename
X-Site:
TimeRestart
X-Allow-Redis
X-Serial
X-Modules
Test
X-Extra-Header
X-Purge-Level
INFO
Noahs-Classifieds
X-Unbounce-Instance
X-Yottaa-Optimizations
X-Yottaa-Metrics
RayEngine
X-Backend-Host