SANS ISC: HTTP Header Usage Statistics

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
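The collection and counting described above, as an added example that is not part of the ISC project's own code: it tallies header names from raw HEAD responses (constructed here, so it runs offline) case-insensitively, since HTTP field names are case-insensitive and a case-sensitive count splits X-XSS-Protection and X-Xss-Protection into separate rows, and records which security-relevant headers each site sent. The site names, the sample responses and the SECURITY_HEADERS set are assumptions.

```python
from collections import Counter

# Security-relevant headers the survey tracks (names taken from the table below).
SECURITY_HEADERS = {
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "x-xss-protection", "referrer-policy", "permissions-policy",
}

# Constructed sample HEAD responses, one per hypothetical site. Site B sends its
# header names in lower case and repeats Set-Cookie, both common in the wild.
SAMPLE_RESPONSES = {
    "site-a.example": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
        "\r\n"
    ),
    "site-b.example": (
        "HTTP/1.1 200 OK\r\n"
        "server: Apache\r\n"
        "x-xss-protection: 0\r\n"
        "Set-Cookie: a=1\r\n"
        "Set-Cookie: b=2\r\n"
        "\r\n"
    ),
}


def parse_header_names(raw: str) -> set[str]:
    """Lower-cased header names in one raw response (HTTP field names are
    case-insensitive). A set, so a header repeated by one site counts once."""
    names = set()
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:  # empty line ends the header block
            break
        name, sep, _ = line.partition(":")
        if sep and name and not name[0].isspace():  # skip folded continuations
            names.add(name.strip().lower())
    return names


def tally_headers(responses: dict[str, str]) -> tuple[Counter, dict[str, set[str]]]:
    """Sites per header (the popularity column) and each site's security headers."""
    popularity: Counter = Counter()
    security_by_site = {}
    for site, raw in responses.items():
        names = parse_header_names(raw)
        popularity.update(names)
        security_by_site[site] = names & SECURITY_HEADERS
    return popularity, security_by_site
```

Calling `tally_headers(SAMPLE_RESPONSES)` gives X-XSS-Protection a count of 2 despite the differing capitalisation, and `popularity.most_common()` reproduces the popularity ordering of the table.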



All Headers Active In The Past Month
Header Popularity
X-Cache
Set-Cookie
Date
Connection
Content-Type
X-Cache-Lookup
Vary
Server
Via
Cache-Control
X-Amz-Cf-Pop
X-Amz-Cf-Id
Content-Length
X-Edge-Origin-Shield-Skipped
X-Frame-Options
X-Content-Type-Options
ETag
Strict-Transport-Security
Expires
X-Powered-By
Link
Last-Modified
Age
Accept-Ranges
Content-Security-Policy
X-Xss-Protection
Accept-CH
Referrer-Policy
Pragma
X-XSS-Protection
Access-Control-Allow-Origin
Expect-CT
CF-RAY
CF-Cache-Status
X-Download-Options
Content-Language
X-Request-Id
Report-To
NEL
Alt-Svc
X-DNS-Prefetch-Control
Access-Control-Allow-Methods
Access-Control-Allow-Headers
X-UA-Compatible
X-Cache-Hits
X-Amz-Version-Id
Content-Security-Policy-Report-Only
X-Permitted-Cross-Domain-Policies
EagleId
X-Varnish
X-Envoy-Upstream-Service-Time
Access-Control-Allow-Credentials
X-Served-By
Accept-CH-Lifetime
P3P
X-Adblock-Key
X-Runtime
X-Generator
Permissions-Policy
X-Amz-Request-Id
X-Amz-Id-2
X-Cacheable
X-Dispatcher
X-Vhost
X-D2id
X-Meli-Trace-Site
X-Request-Device-Id
X-Meli-Trace-Platform
X-Meli-Trace-Bu
X-Drupal-Cache
X-Drupal-Dynamic-Cache
X-Content-Type
X-Navigation-Version
X-Element-Page-Cache
X-AspNet-Version
Server-Timing
Feature-Policy
Access-Control-Max-Age
Status
X-Timer
X-Backend
X-Cache-Status
Access-Control-Expose-Headers
X-Content-Security-Policy
X-Server
X-Proxy-Cache
X-Dns-Prefetch-Control
X-Iinfo
X-Via
X-CDN
X-Varnish-Cache
Content-Encoding
X-Amzn-Trace-Id
X-Amz-Server-Side-Encryption
Cache-Tag
X-Ws-Request-Id
Xkey
X-Turbo-Charged-By
X-WebKit-CSP
X-ProcessESI
X-RemovedCookies
X-AspNetMvc-Version
X-Amz-Rid
Request-Id
Timing-Allow-Origin
SPRequestDuration
X-SharePointHealthScore
X-MS-InvokeApp
SPIisLatency
SPRequestGuid
X-AH-Environment
Apigw-Requestid
X-Timing-Wait
X-Proxy-Build
Selected-Fe
AMP-Access-Control-Allow-Source-Origin
X-Aspnet-Version
Expect-Ct
X-Cacheable-TTL
Front
Xet-Cookie
X-Page-Speed
Cf-Edge-Cache
X-Amz-Replication-Status
CloudFront-Viewer-Country
X-Node
MicrosoftSharePointTeamServices
X-Robots-Tag
X-LiteSpeed-Cache
X-Host
X-Redirect
X-Mly-Id
X-SRCache-Fetch-Status
X-Device
Grace
X-SRCache-Store-Status
X-Correlation-Id
Expect-Staple
X-SRCache-Key
X-Rq
X-Mod-Pagespeed
Fastly-Restarts
We-Hiring
Mail-Subject
X-Clientip
X-OneAgent-JS-Injection
Protected
X-Viewer-Country
Countrycode
X-Hl-Ver
Request-Context
Cf-Apo-Via
X-Provided-By
X-Cache-Group
X-Ruxit-JS-Agent
X-Pantheon-Styx-Hostname
X-Readtime
X-Azure-Ref
X-Styx-Req-Id
X-Backend-Server
X-Age
X-Server-Powered-By
X-Server-Id
X-Cache-Time
X-User
X-CST
Content-Location
X-Cache-TTL
X-Amzn-RequestId
X-Oneagent-Js-Injection
X-Ruxit-Js-Agent
X-Amz-Apigw-Id
X-Ua-Compatible
X-HW
X-Status
X-T
Allow
X-Debug-Info
Liferay-Portal
X-Powered-By-Plesk
X-Language
Odigeo-Trace-Id
Cf-Railgun
X-Vcl-Version
X-Country-Code
X-Trace
Resin-Trace
X-Cdn
P3p
X-B3-TraceId
X-Generated-By
X-Envoy-Decorator-Operation
X-B3-TraceId-Primal
X-ID
X-Server-ID
Request-ID
X-Yottaa-Metrics
X-Yottaa-Optimizations
Pinterest-Generated-By
Pinterest-Version
AKAMAI-GRN
Cloudfront-Viewer-Country
X-Api-Version
X-Pinterest-Rid
X-Template
MRF-Tech
Mrf-Cache-Status
X-UA-Device
X-Akam-SW-Version