SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to determine how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP "HEAD" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
X-Cache
Alternate-Protocol
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
WP-Super-Cache
Status
MS-Author-Via
X-Drupal-Cache
Access-Control-Allow-Origin
X-Pad
X-Cacheable
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Host
X-Server
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-Logged-In
X-UA-Device
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Content-Encoding
X-Cache-Hits
X-Tumblr-Pixel-1
X-INKT-SITE
X-INKT-URI
X-Tumblr-Pixel-2
X-Robots-Tag
Host-Header
SPRequestGuid
X-SharePointHealthScore
X-W3TC-Minify
X-Cnection
X-PhApp
X-Webserver
X-Varnish-Cache
X-Ua-Compatible
Composed-By
X-Via
X-CF-Powered-By
Served-By
X-Forwarded-For
X-Url
X-Page-Speed
X-Firenze-Processing-Times
Strict-Transport-Security
X-Served-By
X-ServedBy
X-Hostname
X-Iinfo
X-XN-Trace-Token
X-XN-XNHTML
X-Accel-Version
X-Tumblr-Pixel-3
Access-Control-Allow-Headers
Cartoon
X-Mobilized-By
X-MS-InvokeApp
X-ContextId
Access-Control-Allow-Methods
X-CDN
X-Umbraco-Version
X-Alternate-Cache-Key
X-ShardId
X-ShopId
X-Stats-Unique-Token
X-Stats-Visit-Token
X-AH-Environment
X-Backend
X-Powered-By-360WZB
Content-Style-Type
Refresh
Content-Script-Type
X-Cache-Info
Liferay-Portal
X-Server-Name
Magicmarker
X-PC-AppVer
X-PC-Host
X-PC-Key
X-PC-Hit
X-PC-Date
Powered-By-ChinaCache
Thanks
X-HeyJason
X-Cache-Server
X-Geo
X-Geo-Port
Rating
TCN
X-Outils-CS
X-Amz-Id-2
X-From
Cf-Railgun
Page-Completion-Status
X-Amz-Request-Id
X-Content-Digest
X-Powered-By-Anquanbao
X-FB-Debug
X-TN-ServedBy
Real-Hostname
X-Loop
X-PHP-Engine
X-Tumblr-Pixel-4
Imagetoolbar
IBM-Web2-Location
X-Original-Content-Length
X-Px
NS-RTIMER-COMPOSITE
X-Spip-Cache
X-Matrix-Proxy
X-Matrix-Server
X-ChromeLogger-Data
X-TNCMS-Served-By
X-TNCMS-Memory-Usage
X-Generated-By
X-TNCMS-Render-Time
X-TNCMS-Version
Set-Cookie2
X-Content-Encoded-By
Request-Id
SPRequestDuration
SPIisLatency
PICS-Label
X-Amz-Cf-Id
X-Tumblr-Content-Rating
X-Drectory-Script
X-Cached-By
X-Cache-Status
X-Device
X-CDN-Any-IP
X-CDN-Geo-IP
X-CDN-Geo
ServerName
X-Tumblr-Pixel-5
X-URL
IISExport
Access-Control-Max-Age
X-Firenze-Processing-Time
X-Node
X-Cached
X-CMS-Version
CF-Cache-Status
X-Trace-App
Retry-After
X-PF-Uncompressing
X-DynaTrace
X-SERVER
DynaTrace
X-Timer
X-Age
Generator
ServedBy
X-FORWARDED-FOR
Accept-Encoding
COMMERCE-SERVER-SOFTWARE
Lsrequestid
X-I
X-Cache-Debug
X-Nitra-Side
MIME-Version
RTSS
X-DDC-Arch-Trace
Pics-Label
X-ApacheServer
Powered-By
X-SDS
X-ATG-Version
X-Art-Request-Id
X-Cache-Hit
X-Vary-Options
X-Backend-Server
Product
X-PERF
Access-Control-Request-Method
Time
Content-Encoding-Handler
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
SID
X-Processed-By
X-Hosted-By
X-NoCache
X-Original-Request
X-UD-Method
X-UD-Host
X-LiteSpeed-Cache
X-Speed-Cache-Key
Edge-Control
X-Purge-Host
X-PwB-Node
X-Handled-By
X-Vtex-Remote-Cache
X-Vtex-Cache-Key
X-Actual-URL
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
X-Returned-From-PostProcessResponse
X-Returned-From
X-Passed-To-PostProcessResponse
X-Passed-To-BeforeDispatch
X-Passed-To-DLL
X-Passed-To
Surrogate-Control
LFY
SFY
Machine
X-Director
Host
X-Cookie-Domain
X-Srv
X-DNS-Prefetch-Control
X-DynaTrace-JS-Agent
X-Cache-Enabled
X-Speed-Cache
X-App-Hosting
Node
X-Cache-Expires
X-FIRSTBase
X-Purge-URL
X-Yadis-Location
AMF-Ver
Charset
MW-Webserver
WWW-Authenticate
Cm-Server
Location
NODE
Proxy-Agent
X-Varnish-Backend
X-Ms-Invokeapp
X-CJ-Soft
X-Served-From-Cache
X-Orig-Vary
Fhost
Content-Disposition
X-B2f-Cache-Load
X-Cache-Rule
Microsoftsharepointteamservices
Proxy-Connection
VAR-Cache
X-GeoIP-Country-Name
X-ServerID
X-Trace-Cache
X-GeoIP-Country-Code
S
X-ACMCache
X-LIGHTHTTP-PCDID
X-TTL
Cache
X-ProStores-StoreApiEntryPoint
Sprequestguid
X-StoreSense
SN
X-ServerName
X-Sharepointhealthscore
X-Expires-Orig
X-Content-Options
CT
X-MJ-Upstream-Addr
X-Duration
Filter-Revision
ORIGIN
X-Varnish-TTL
X-Cache-Control-Orig
X-Request-ID
Website-Info
QOR-Cache
Server-Info
X-Cocoon-Version
X-MJ-Serve-Req-Time
X-Track
CommunityServer
X-Server-ID
X-Powered-By-Yqk
X-Yqk-Set
Accept-Charset
X-Micro-Cache
Req-Id
X-Time
Nodo
X-Source-Host
X-Pangea-Version
X-Hits
X-SRV
X-App-Start
X-Old-Content-Length
UniqueName
X-Microcachable
X-Adobe-Content
X-FW
Hamster
X-Sys-Req-ID
X-Blog
X-AOL-SNH
NetMindSessionID
X-Session-Reinit
X-Cache-Operation
Id
X-WR-Flags
X-App
X-ASTRO-REWRITE
X-Trash-Talk
X-CHSN
Debug-Begin-IP
Debug
Debug-IP-Cntry
Webluker-Edge
A-Powered-By
X-Gamma-Serve
X-Info
Pagely
X-Target
X-Cluster-Node
X-AspNetWebPages-Version
X-Varnish-Action
X-Front
X-Highwire-RequestId
X-Pass-Why
X-Varnish-Host
X-WebServer
X-Varnish-Hits
X-Cache-TTL
X-UPSTREAM
X-Engine
ServerID
X-Varnish-Age
X-Highwire-SessionId
X-Accelerated-By
NtCoent-Length
X-DeliveryServer
X-N
X-Distil-CS
X-PvInfo
X-Server-Web
X-Kirra-SiteId
Server2
X-Src-Webcache
X-Atraveo-From-Varnish-Cache
X-HS-MC-Reqs
X-Atraveo-NC
X-Atraveo-Cache-Control
X-Atraveo-TTL
MvcResult
X-Atraveo-Varnish-Server-Id
X-Varnish-IP
From
X-Phpwcms-Release
X-ID
X-Microcache-Status
X-Phpwcms-Page-Processed-In
X-Device-Type
X-Enhanced-By
X-Cache-Action
X-Varnish-Server
OHS-WebNode
X-Database-Slave-Connection
X-ACCELERATE
X-Request-Duration
X-Header
X-Ttl
WP-Cache
X-Machine-Name
ScoreTracker
X-Channel-Maxage
X-Grid-Server
X-Turbo-Control
X-Wily-Info
X-Wily-Servlet
Pool-Info
X-Geo-IP
X-Source
X-REDIRECTSERVER
X-Directory-Script
X-GLaDOS
MirrorName
X-PRAM
X-Source-ID
NLCacheNote
Server-Name
X-Haiku
X-ServerCache-Info
X-Whom
X-Benchmark-Total
X-Benchmark-Db
X-Benchmark-Cache
X-FreeTag-Count
Provided-Host
X-Benchmark-Sphinx
X-Benchmark-Sphinx-Count
MJ12bot
X-CacheHits
X-Force
SEOMOZ
Content-Transfer-Encoding
X-Magento-Action
SynthaSite-ID
X-Magento-Lifetime
X-FS-UUID
X-Route
X-LI-UUID
Content
Warning
Author
X-Li-Pop
X-Country-Code
X-Hrouter
X-EdgeRouter
-Onnection
X-Li-Fabric
X-Bettercache-Proxy
Beyond-Iis
X-SV
RequestTime
X-S
X-App-Server
X-Varnish-Debug-Hits
If-Modified-Since
X-Response-Time
X-Varnish-Debug-Age
X-Id
X-Uid
OriginServer
Compression-Control
X-Via-Kemp
Ssl-Enabled
X-B2f-Not-Route
X-Varnish-Device
X-Transaction
X-Varnish-ID
X-Origin-Id
X-Debug
X-HOSTTYPE
X-Max-Age
X-Amz-Id-1
X-USERNAME
X-Cdn
X-Version
X-Frontend
X-NewRelic-App-Data
X-WLD-LB
F-In-Cache
Bs-Header
X-ManagedFusion-Rewriter-Version
Front
X-Expires
X-Rewritten-By
X-WP
X-CMS-Server
X-SN
X-Monstercache-Timeout
X-Varnish-Debug-Fetch-Host
X-Nginx-Cache
Powered
X-T
X-Ocache
SIP
X-B
Ec
LBVIS
D
X-Framework
Www.Myjob.Se
X-Conf
CountryCode
Www.Mabracertifiering.Se
X-Powered
A1B2C3
X-Vhost
Backend
X-Varnish-Cache-Hits
X-Cache-Me-Harder
Jobb.Assistentpoolen.Se
Jobb.Gil.Se
Test.Executivepeople.Se
Content-MD5
P3P:CP
Open.Jobgate.Se
Jobb.Passal.Se
Www.Mirrorgate.Se
X-Garden-Version
Cache-Ctrol
X-Response
X-UD-REMOTE-ADDR
X-UD-Loopcounter
X-Translation
Backend-Host
X-User-Id
X-Vivastreet
NodeID
X-Varnish-Cache-Local
X-JSL
ProxiaInstanceId
X-Vivastreet-KiwiiPage
X-Venda-Hitid
X-MidCOM-Meta-Cache
X-Apache-Backend
X-Jcms-Ajax-Id
CDN
X-Actindo-RS
X-Secret
Cluster-ID
X-Farm-Server
X-Cf-Powered-By
Hash
MASTERWEBLET
X-NGINX-CACHED-AT
X-NGINX-CACHED
X-ERM-ServerName-AppPage
X-JAL
X-UD-Target
Web-Server
ExecutionTime
X-Object-Id
X-Object-Type
X-ERM-ServerName
Srv
X-ERM-RunTime
X-Frames-Options
X-Amz-Meta-S3cmd-Attrs
X-Geo-IP-Country
Content-Instance
WEBO
X-Geo-IP-Metro
PowerCDN
X-Flex-Tag
X-Cms-Mode
X-Flex-Lang
X-Flex-Lastmod
SRV
X-Flex-Tags
X-Flex-Evstart
X-Recruiting
X-Geo-IPV
X-Jphone-Copyright
X-Flex-Community
X-Flex-Evend
X-Geo-IP-Region
X-Oracle-DMS-ECID
X-Varnish-Cache-Server
Mobiquo-Is-Login
CacheControlMode
X-T3CacheInfo
X-TISSERVER
X-Hosting-Env
PUBLISH
Cmstype
CP
X-Nginx-Server
CacheControlHeader
X-VarnCache
X-Pb-Mii
X-SERVERID
X-Web-Node
X-T3CacheTags
X-Mii-Cache-Hit
X-Device-Group
Hej
X-T3Cache
X-ATP-Server
SS
Cmsid
X-MSG-04
X-View
X-DEBUG-Obj-Ttl
X-DEBUG-X-Id
X-MSG-00
B-Powered-By
No
X-MSG-06
X-Server-By
X-Vtex-Processado-Em
X-Permitted-Cross-Domain-Policies
X-GC-Read
X-GC-App
X-MSG-03
X-Provisioner-Version
X-Domain-Checked
Rt-Server
X-MSG-02
Proxy-From
X-MSG-01
X-MCB-Server
VTag
X-Powered-By-Server
X-MSG-05
X-GC-Write
X-Test
X-JSON-API-LATENCY
X-Author
Content-Security-Policy
X-Your-GrandPa-Would-Wait
X-JSON-API-TTL
X-JSON-API-AGE
X-Node-Name
Ms
Pool
X-Page-Generated-At
X-Content-Age
X-Would-Your-GrandPa-Wait
7e-Page-Cache
X-TTL-Age
SiteSpect-Identity
X-Cache-Term
Xc
X-Page-Generation-Time
X-PM-ID
Preview-Refresh
Publisher
Robots
X-Monstercache
X-Monstercache-Hash
Atp-Isdpp
Provider
X-Cache-Backend
X-Monstercache-Host
XX
X-SilverStripe-Cache
POOL
X-Artvisual-Server
X-Geoip-Country-Code
X-Optimization
X-Full-URL
At-Shoptype
Aoestatic
At-Isb
INCOMING-TIME
X-PP
X-Platform
Application-Version
Apache
X-WA-Info
X-IDS-WS
X-Hash
WEBSERVER
No-Cache
DeleGate-Ver
X-Client-Vid
X-NginX-Cache
X-NginX-Server
X-EPiphany-Vid
X-Execution-Time
X-CCM
X-Proxy
X-Forwarded-Proto
X-Host-Url
X-Answer
X-Webstats-RespID
X-FCMS-Cache
Accept-Language
Rt-Fastcgi-Cache
Expire
Xonnection
Web-Head
SVR
X-OPNET-Transaction-Trace
X-RAMCache
MIH-PUBLIC-IDENTIFIER
MIH-PLATFORM
MIH-CLIENT-FARM
Copyright
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-Ratelimit
X-RE-Ref
X-Extra-Header
RequestId
Access-Control-Expose-Headers
X-Fett
SiteName
X-Caching-Rule-Id
X-Cluster-Host
X-Rewrite
X-IP-Address
X-Nucleus-Cache
X-Header-Set-Id
X-Agentscape-Info
CachedXSLT
X-Cache-NHIT
X-FW-Static
X-Abuse
X-7dig
X-LAvg
X-7d-Version
Mime-Version
X-Purge-Level
X-Time-Microsecs
WP-AdvCache-MemCached
EbdTrace
X-Modules
TimeRestart
X-Serial
X-Allow-Redis
Spot
X-Varnish-Cacheable
X-Varnish-Cookie-Debug
HAVer
HCVer
Noahs-Classifieds
X-CMS
X-Box
X-Empowered-By
Custom
X-Cache-Ttl
X-ORACLE-DMS-ECID
X-Pixelsilk-Server
X-Server-Id
X-Pixelsilk-Version
Telligent-Evolution
X-XHR-Current-Location
Front-End-Https
X-TLServer
Ibm-Web2-Location
Esi-Enabled
X-Symfony-Cache
Head
X-Hit
WebServer
X-Nocache
X-WEBSERVER
X-WorkerInstancename
X-DELIVERYSERVER
Worker
X-User-Agent
Progma
X-Loc
Ap-Exec-Time-Mks
Srv-N
X-Process-Time
Nbmt
X-Vhost-ID
X-Life
Nbaid
CacheInfo
CacheInfoFetch
Optimizer
X-Wm-1
X-Varnish-Hit
BKREF
X-BKSrc
OriginalHost
TypeOfContent
HostName
X-ProxyInstancename
X-RemovedCookies
X-ProcessESI
X-Unbounce-Instance
X-Site:
ServerId
X-Varnish-Count
Www.Aujourdhui.Com
X-MSEdge-Ref
X-GeoIP
X-Set-Cookie
VM
X-Mobile
X-NID
X-Origin
X-PHP-Cache
X-Stackable-Node
X-Continum-Server
X-Real-Server
SBMCLOUD
X-Config-By
X-Upstream
OutputRewritten
X-IP
ResourceTag
X-Rot
X-Catalyst
UNIQUE-ID
X-Varnish-HitMiss
X-Yottaa-Optimizations
X-AISO-Cache
X-AISO-Server
X-Backend-Host
X-Cache-Age
X-Server-Node
Public-Extension
Last-Modified:
X-Crafted
X-Cache-Lifetime
X-Developer
X-BackendServer
MachineName
X-Status
X-Bcwwwid
X-ACLR-Version
X-VCache
X-CMS-Tid
SLB
X-PBY
X-PoolMember
X-V-I-TTL
X-Req-Url
X-V-Outer
X-V-TTL
SAVVIS
OGHopCount
X-CMS-State
X-Powered-Developer
X-CMS-Live
Response
Login-Required
X-CMS-CRMSet
Accept
X-CMS-Collection
X-DC-Origin-IP
X-CMS-Nid
WZ-Device-Match
WZ-Cache
X-CMS-Stage
X-Environment
X-Cache-Control
X-CMS-Sid
Allow
Content-Control
HTTP
X-PS-MURDOCK-CASE-NORMALIZATION
Mark
X-Papaya-Gzip
X-UA
X-Papaya-Cache
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-ORIG-PROTOCOL
X-Hc-Host
RayEngine
X-Web-Hosting-Service-Provider
INFO
Test
OMNI-C
X-SmugMug-Hiring
Keywords
X-Hit-Cache
X-GitHub-Request-Id
X-Created
X-Req-Host
X-DEBUG
X-Pagename
Http
X-WR-MODIFICATION
X-Trace
Description
X-SmugMug-Values
X-TTFB
X-TTFB-L
Origin
X-Yottaa-Metrics