
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
Alternate-Protocol
X-Cache
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
WP-Super-Cache
Status
X-Drupal-Cache
MS-Author-Via
Access-Control-Allow-Origin
X-Pad
X-Cacheable
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Server
X-Host
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-UA-Device
X-Logged-In
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Content-Encoding
X-Cache-Hits
X-Tumblr-Pixel-1
X-INKT-SITE
X-INKT-URI
X-Robots-Tag
X-Tumblr-Pixel-2
Host-Header
X-SharePointHealthScore
SPRequestGuid
X-W3TC-Minify
X-Cnection
X-PhApp
X-Webserver
X-Ua-Compatible
X-Varnish-Cache
X-CF-Powered-By
X-Via
Composed-By
X-CACHE
Served-By
X-Firenze-Processing-Times
X-Page-Speed
X-Forwarded-For
X-Url
Strict-Transport-Security
X-ServedBy
X-Served-By
X-Hostname
X-Iinfo
X-XN-Trace-Token
X-XN-XNHTML
X-Accel-Version
X-Tumblr-Pixel-3
Access-Control-Allow-Headers
X-MS-InvokeApp
Cartoon
X-Mobilized-By
X-ContextId
Access-Control-Allow-Methods
X-Alternate-Cache-Key
X-ShopId
X-ShardId
X-CDN
X-Umbraco-Version
X-Stats-Visit-Token
X-Stats-Unique-Token
X-AH-Environment
X-Powered-By-360WZB
X-Backend
Content-Style-Type
Content-Script-Type
Refresh
Liferay-Portal
X-Cache-Info
X-Server-Name
X-PC-Key
X-PC-Host
X-PC-AppVer
X-PC-Hit
X-PC-Date
Magicmarker
Powered-By-ChinaCache
Thanks
X-HeyJason
X-Geo-Port
X-Geo
Rating
X-Cache-Server
X-Amz-Id-2
TCN
X-Outils-CS
X-From
Cf-Railgun
X-Amz-Request-Id
X-Powered-By-Anquanbao
Page-Completion-Status
X-Content-Digest
X-FB-Debug
Real-Hostname
X-TN-ServedBy
X-Loop
X-Tumblr-Pixel-4
X-PHP-Engine
X-Original-Content-Length
Imagetoolbar
IBM-Web2-Location
NS-RTIMER-COMPOSITE
PICS-Label
X-Amz-Cf-Id
X-Spip-Cache
X-Generated-By
X-Px
X-Tumblr-Content-Rating
X-Matrix-Proxy
X-Matrix-Server
SPIisLatency
SPRequestDuration
Request-Id
X-Content-Encoded-By
X-TNCMS-Render-Time
X-TNCMS-Memory-Usage
X-TNCMS-Served-By
X-TNCMS-Version
X-ChromeLogger-Data
X-Drectory-Script
Set-Cookie2
X-Cache-Status
X-Cached-By
X-CDN-Any-IP
X-Device
X-CDN-Geo
X-CDN-Geo-IP
X-Tumblr-Pixel-5
ServerName
X-URL
IISExport
X-CMS-Version
X-Firenze-Processing-Time
X-Node
X-Cached
Access-Control-Max-Age
X-Trace-App
Retry-After
CF-Cache-Status
X-PF-Uncompressing
X-DynaTrace
DynaTrace
X-Age
Generator
X-FORWARDED-FOR
Accept-Encoding
X-Timer
COMMERCE-SERVER-SOFTWARE
X-DDC-Arch-Trace
X-I
RTSS
Powered-By
X-Cache-Debug
Lsrequestid
ServedBy
X-SDS
X-Art-Request-Id
X-Vary-Options
X-Backend-Server
Product
MIME-Version
X-ATG-Version
X-Cache-Hit
Time
X-ApacheServer
X-Hosted-By
X-Pantheon-Styx-Hostname
SID
X-Pantheon-Endpoint
X-Nitra-Side
X-PERF
X-Processed-By
Content-Encoding-Handler
X-UD-Host
Pics-Label
Edge-Control
Access-Control-Request-Method
X-UD-Method
LFY
SFY
X-PwB-Node
X-Vtex-Remote-Cache
Surrogate-Control
X-Vtex-Cache-Key
Machine
X-DNS-Prefetch-Control
X-Speed-Cache-Key
X-DynaTrace-JS-Agent
Host
X-Director
X-Original-Request
X-Srv
X-Purge-Host
X-NoCache
X-App-Hosting
X-Cache-Enabled
X-LiteSpeed-Cache
X-Returned-From-BeforeDispatch
X-Returned-From-DLL
X-Returned-From-PostProcessResponse
X-Returned-From
X-Passed-To-PostProcessResponse
X-Passed-To
X-Handled-By
X-Actual-URL
X-Passed-To-DLL
X-FIRSTBase
X-Passed-To-BeforeDispatch
X-Cookie-Domain
WWW-Authenticate
Charset
X-Yadis-Location
NODE
AMF-Ver
X-Speed-Cache
Location
Node
X-Purge-URL
MW-Webserver
X-Cache-Expires
Proxy-Agent
X-Varnish-Backend
X-Ms-Invokeapp
X-TTL
VAR-Cache
Cm-Server
X-Orig-Vary
Website-Info
X-B2f-Cache-Load
Server-Info
Proxy-Connection
X-CJ-Soft
Microsoftsharepointteamservices
X-GeoIP-Country-Name
X-Trace-Cache
Fhost
Cache
X-LIGHTHTTP-PCDID
X-GeoIP-Country-Code
X-Content-Options
X-Served-From-Cache
X-ACMCache
X-SERVER
Content-Disposition
X-ServerID
X-Expires-Orig
X-Sharepointhealthscore
Sprequestguid
X-Duration
X-Micro-Cache
X-Track
X-Cache-Control-Orig
X-Request-ID
Filter-Revision
S
X-Varnish-TTL
Accept-Charset
X-Yqk-Set
X-Cocoon-Version
X-Powered-By-Yqk
X-StoreSense
Req-Id
X-MJ-Upstream-Addr
X-Time
X-Cache-Rule
X-ProStores-StoreApiEntryPoint
SN
X-Hits
X-ServerName
X-Source-Host
X-Front
X-FW
X-SRV
X-Adobe-Content
Hamster
X-Sys-Req-ID
X-App-Start
UniqueName
X-Old-Content-Length
Nodo
X-MJ-Serve-Req-Time
X-Pangea-Version
NetMindSessionID
X-AOL-SNH
X-Server-ID
X-Blog
X-Session-Reinit
ServerID
Debug
X-Microcachable
Debug-IP-Cntry
QOR-Cache
X-Highwire-RequestId
X-CHSN
Webluker-Edge
X-Highwire-SessionId
Debug-Begin-IP
X-ASTRO-REWRITE
X-Info
X-WR-Flags
Id
X-Gamma-Serve
X-App
CommunityServer
X-Cluster-Node
X-Varnish-Host
X-Engine
A-Powered-By
X-Cache-TTL
X-Varnish-Hits
ORIGIN
X-Server-Web
X-UPSTREAM
X-WebServer
X-Device-Type
X-Microcache-Status
CT
X-Accelerated-By
X-AspNetWebPages-Version
X-Distil-CS
X-N
NtCoent-Length
X-Varnish-IP
X-Trash-Talk
X-Atraveo-TTL
X-Atraveo-Varnish-Server-Id
X-Atraveo-From-Varnish-Cache
X-Atraveo-Cache-Control
X-Target
Pagely
X-Phpwcms-Page-Processed-In
X-Src-Webcache
MvcResult
X-Phpwcms-Release
X-PvInfo
X-HS-MC-Reqs
X-Atraveo-NC
From
X-Pass-Why
Server2
X-ACCELERATE
X-Cache-Operation
X-Cache-Action
X-Header
OHS-WebNode
X-Ttl
X-ID
X-Grid-Server
X-Kirra-SiteId
X-Turbo-Control
ScoreTracker
X-Wily-Info
X-Varnish-Age
X-Wily-Servlet
X-Varnish-Action
WP-Cache
X-Machine-Name
X-Channel-Maxage
X-Source
X-Li-Fabric
X-LI-UUID
X-Geo-IP
X-Li-Pop
X-DeliveryServer
X-Enhanced-By
Pool-Info
X-FS-UUID
X-Whom
X-ServerCache-Info
MirrorName
X-Source-ID
X-PRAM
X-Force
X-Nginx-Cache
Content-Transfer-Encoding
X-Request-Duration
X-Database-Slave-Connection
Provided-Host
X-Benchmark-Sphinx
X-FreeTag-Count
X-Benchmark-Cache
X-Benchmark-Db
X-Benchmark-Sphinx-Count
Server-Name
X-Benchmark-Total
X-CacheHits
X-EdgeRouter
X-Hrouter
SynthaSite-ID
Warning
Author
X-Varnish-Server
LBVIS
X-Uid
X-Country-Code
-Onnection
X-Oracle-DMS-ECID
X-Frontend
X-App-Server
NLCacheNote
X-Framework
X-Version
X-Cdn
CountryCode
X-Bettercache-Proxy
RequestTime
X-S
X-SV
X-Max-Age
X-Directory-Script
X-USERNAME
X-HOSTTYPE
X-Varnish-Debug-Age
X-Transaction
X-Response-Time
X-Varnish-Debug-Hits
X-Amz-Id-1
SEOMOZ
OriginServer
X-Id
X-Debug
MJ12bot
X-WLD-LB
X-WP
X-REDIRECTSERVER
X-Magento-Action
X-Flex-Evstart
X-NewRelic-App-Data
X-Monstercache-Timeout
F-In-Cache
X-Flex-Tags
X-Flex-Tag
X-Flex-Community
X-Flex-Lang
X-Flex-Lastmod
X-Magento-Lifetime
X-Flex-Evend
X-CMS-Server
Front
X-Expires
Content
X-SN
Bs-Header
Www.Myjob.Se
Hash
X-GLaDOS
X-Ocache
X-View
Www.Mirrorgate.Se
X-Response
X-Varnish-Cache-Hits
X-Varnish-ID
X-Vivastreet
X-B
X-NGINX-CACHED
X-Farm-Server
X-Jcms-Ajax-Id
X-NGINX-CACHED-AT
X-Vivastreet-KiwiiPage
SIP
X-Pb-Mii
X-Cache-Me-Harder
X-Apache-Backend
X-ATP-Server
A1B2C3
Open.Jobgate.Se
X-Haiku
P3P:CP
X-MidCOM-Meta-Cache
MASTERWEBLET
Jobb.Assistentpoolen.Se
X-Amz-Meta-S3cmd-Attrs
X-Translation
Jobb.Passal.Se
X-Mii-Cache-Hit
Test.Executivepeople.Se
X-UD-REMOTE-ADDR
X-UD-Target
X-Device-Group
X-Varnish-Device
X-UD-Loopcounter
Backend-Host
Www.Mabracertifiering.Se
X-Venda-Hitid
Backend
Cache-Ctrol
X-TISSERVER
X-JSL
X-JAL
Srv
NodeID
X-Cf-Powered-By
X-T
Cluster-ID
Content-MD5
X-Powered
D
X-Varnish-Cache-Local
Powered
Ec
X-User-Id
Ssl-Enabled
ProxiaInstanceId
X-Via-Kemp
CDN
Jobb.Gil.Se
X-B2f-Not-Route
X-Actindo-RS
X-Conf
X-Object-Id
X-Garden-Version
Beyond-Iis
X-Object-Type
X-Jphone-Copyright
X-Recruiting
PowerCDN
Content-Instance
X-Varnish-Debug-Fetch-Host
WEBO
Aoestatic
X-ManagedFusion-Rewriter-Version
X-Rewritten-By
X-Route
X-Geo-IP-Country
SRV
X-Geo-IP-Metro
X-Geo-IP-Region
X-Geo-IPV
X-Cms-Mode
Copyright
X-Vhost
SS
X-Cache-Term
X-Provisioner-Version
X-MSG-05
X-MSG-06
PUBLISH
CP
X-Server-By
B-Powered-By
X-Permitted-Cross-Domain-Policies
X-Vtex-Processado-Em
No
X-MSG-03
X-MSG-01
X-MSG-04
X-MSG-00
X-DEBUG-Obj-Ttl
X-DEBUG-X-Id
Mobiquo-Is-Login
X-GC-Write
X-Rewrite
Rt-Server
X-Domain-Checked
X-Nginx-Server
X-Hosting-Env
X-Varnish-Cache-Server
If-Modified-Since
X-MSG-02
X-VarnCache
X-GC-App
X-GC-Read
X-MCB-Server
VTag
Proxy-From
X-Powered-By-Server
CacheControlMode
CacheControlHeader
Content-Security-Policy
X-Author
7e-Page-Cache
X-Web-Node
X-PM-ID
Preview-Refresh
X-Content-Age
Cmstype
Cmsid
Hej
Pool
X-Node-Name
Ms
X-ERM-RunTime
Xc
X-Frames-Options
X-ERM-ServerName
SiteSpect-Identity
Compression-Control
X-ERM-ServerName-AppPage
X-Test
X-Origin-Id
X-Monstercache-Hash
X-Monstercache
Publisher
X-Geoip-Country-Code
Provider
POOL
Robots
XX
X-SilverStripe-Cache
X-Monstercache-Host
X-Artvisual-Server
X-Cache-Backend
INCOMING-TIME
At-Isb
X-Full-URL
X-Optimization
Atp-Isdpp
At-Shoptype
X-Platform
Apache
WEBSERVER
No-Cache
X-PP
Web-Server
MIH-CLIENT-FARM
X-FCMS-Cache
X-Host-Url
Web-Head
SVR
MIH-PLATFORM
Application-Version
Ibm-Web2-Location
Head
X-Page-Generated-At
WebServer
Front-End-Https
Esi-Enabled
X-Symfony-Cache
DeleGate-Ver
MIH-PUBLIC-IDENTIFIER
X-OPNET-Transaction-Trace
X-JSON-API-LATENCY
X-JSON-API-TTL
X-WA-Info
Rt-Fastcgi-Cache
RequestId
X-Page-Generation-Time
X-Fett
Access-Control-Expose-Headers
X-Agentscape-Info
X-Cluster-Host
X-DEBUG
SiteName
X-Header-Set-Id
X-ORACLE-DMS-ECID
X-Nucleus-Cache
CachedXSLT
X-Forwarded-Proto
X-NginX-Server
X-NginX-Cache
X-Caching-Rule-Id
Accept-Language
ExecutionTime
X-Pixelsilk-Server
X-EPiphany-Vid
X-IDS-WS
X-CCM
X-Proxy
X-Execution-Time
X-T3CacheTags
X-Client-Vid
X-Ratelimit
Custom
X-Varnish-Cacheable
X-Cache-Ttl
X-Extra-Header
X-Hit
Mime-Version
X-Answer
X-LAvg
X-FW-Static
X-IP-Address
X-Pixelsilk-Version
X-Cache-NHIT
X-Abuse
X-7d-Version
X-7dig
X-Server-Id
X-Empowered-By
X-Allow-Redis
HAVer
X-Secret
X-CMS
Spot
HCVer
Noahs-Classifieds
X-Purge-Level
TimeRestart
X-XHR-Current-Location
X-Box
X-Varnish-Cookie-Debug
X-Time-Microsecs
X-Serial
X-Modules
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-RE-Ref
EbdTrace
X-JSON-API-AGE
X-Your-GrandPa-Would-Wait
X-TTL-Age
Telligent-Evolution
X-Would-Your-GrandPa-Wait
X-Webstats-RespID
X-TLServer
Expire
X-SERVERID
X-T3Cache
X-T3CacheInfo
X-DELIVERYSERVER
X-WorkerInstancename
X-WEBSERVER
X-Nocache
Worker
X-RemovedCookies
X-ProcessESI
X-PHP-Cache
X-GeoIP
Www.Aujourdhui.Com
X-Set-Cookie
X-ProxyInstancename
X-MSEdge-Ref
X-Upstream
X-Origin
WebDevSrc
X-Yottaa-Optimizations
BKREF
X-BKSrc
X-Yottaa-Metrics
RayEngine
INFO
X-WebKit-CSP
X-Hc-Host
X-Varnish-Hit
X-Wm-1
TypeOfContent
VM
X-Unbounce-Instance
OriginalHost
Optimizer
CacheInfo
CacheInfoFetch
X-Site:
ResourceTag
X-BackendServer
X-AISO-Cache
HostName
X-User-Agent
X-Developer
Mark
X-AISO-Server
X-Varnish-Count
X-Backend-Host
UNIQUE-ID
X-Cache-Age
X-Cache-Lifetime
X-Varnish-HitMiss
OMNI-C
X-Process-Time
Public-Extension
X-Life
X-Catalyst
ServerId
X-Mobile
X-IP
X-Server-Node
Last-Modified:
X-Crafted
Srv-N
Ap-Exec-Time-Mks
Progma
X-Loc
X-NID
X-PBY
Response
X-WR-MODIFICATION
X-VCache
X-Pagename
WP-AdvCache-MemCached
X-Hit-Cache
Http
X-Environment
Login-Required
X-PoolMember
SAVVIS
Allow
X-Cache-Control
Content-Control
X-Hash
X-TTFB-L
X-CMS-Sid
X-CMS-Nid
X-CMS-Stage
X-CMS-State
SLB
X-CMS-Tid
X-CMS-Live
X-CMS-CRMSet
X-SmugMug-Values
X-TTFB
X-SmugMug-Hiring
X-Web-Hosting-Service-Provider
X-CMS-Collection
Accept
X-Status
X-V-TTL
X-UA
X-Papaya-Cache
OGHopCount
Keywords
X-Trace
Description
X-Papaya-Gzip
Nbmt
X-PS-MURDOCK-ORIG-PROTOCOL
Test
X-PS-MURDOCK-ORIG-FILEEXT
X-PS-MURDOCK-CASE-NORMALIZATION
Nbaid
HTTP
X-DC-Origin-IP
Xonnection
X-Created
X-Powered-Developer
X-Req-Host
X-Req-Url
X-V-Outer
X-V-I-TTL
WZ-Cache
WZ-Device-Match
X-Vhost-ID
X-Rot
X-Bcwwwid
X-ACLR-Version
X-GitHub-Request-Id
Origin
MachineName