SANS ISC: HTTP Header Usage Statistics - SANS Internet Storm Center



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, for example X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
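The counting method described above, as an added illustration that is not the ISC project's own collector: each raw HEAD response is reduced to the set of header names it carries (case-folded, counted once per site even when repeated), the sets are tallied into a popularity histogram, and the share of sites sending the security-relevant headers named above is reported. The three responses are constructed sample data for hypothetical sites.

```python
# Added illustration of the counting method described above, not the ISC
# project's own collector; the HEAD responses below are constructed sample
# data for hypothetical sites, not real captures.
from collections import Counter

# Security-relevant headers the page singles out.
SECURITY_HEADERS = ("X-Frame-Options", "X-XSS-Protection",
                    "X-Content-Type-Options", "Strict-Transport-Security",
                    "Content-Security-Policy")

def parse_header_names(raw_response):
    """Return the set of lower-cased header names in one raw HEAD response.
    Names are case-insensitive, and a header repeated in one response (several
    Set-Cookie lines) counts once: the histogram counts sites, not lines."""
    names = set()
    for line in raw_response.split("\r\n")[1:]:  # [0] is the status line
        if not line:                               # blank line ends the headers
            break
        name, sep, _ = line.partition(":")
        if sep and name and name[0] not in " \t":  # skip obsolete folded lines
            names.add(name.strip().lower())
    return names

def tally(responses):
    """Count how many responses carried each header name."""
    counts = Counter()
    for raw in responses:
        counts.update(parse_header_names(raw))
    return counts

def security_coverage(counts, total):
    """Map each security header to (sites sending it, share of all sites)."""
    return {h: (counts[h.lower()], counts[h.lower()] / total)
            for h in SECURITY_HEADERS}

SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\nServer: nginx\r\n"
    "Content-Type: text/html\r\nSet-Cookie: a=1\r\nSet-Cookie: b=2\r\n"
    "X-Frame-Options: DENY\r\nx-content-type-options: nosniff\r\n\r\n",
    "HTTP/1.1 200 OK\r\nserver: Apache\r\ncontent-type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n"
    "Content-Type: text/html\r\n\r\n",
]

if __name__ == "__main__":
    counts = tally(SAMPLE_RESPONSES)
    for name, n in counts.most_common():  # histogram, most popular first
        print(f"{n:4d}  {name}")
    for h, (n, share) in security_coverage(counts, len(SAMPLE_RESPONSES)).items():
        print(f"{h}: {n} site(s), {share:.0%}")
```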



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
Content-Length
X-Frame-Options
Pragma
X-Powered-By
Last-Modified
Accept-Ranges
X-Content-Type-Options
Strict-Transport-Security
CF-RAY
X-XSS-Protection
ETag
Link
Expect-CT
Via
X-Cache
Age
Access-Control-Allow-Origin
Content-Language
Content-Security-Policy
P3P
X-UA-Compatible
X-Cache-Hits
X-Varnish
X-Request-Id
X-Served-By
X-Amz-Cf-Id
Referrer-Policy
X-AspNet-Version
X-Timer
CF-Cache-Status
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Runtime
Access-Control-Allow-Credentials
X-Download-Options
X-Drupal-Cache
X-Check
X-Adblock-Key
X-AspNetMvc-Version
X-Cacheable
X-Generator
Alt-Svc
Status
Timing-Allow-Origin
Content-Security-Policy-Report-Only
X-Cache-Status
X-Via
X-Iinfo
X-Cdn
X-DNS-Prefetch-Control
X-Template
X-Language
X-Turbo-Charged-By
X-Content-Security-Policy
X-Buckets
Content-Encoding
X-Permitted-Cross-Domain-Policies
Keep-Alive
EagleId
X-Swift-SaveTime
X-Swift-CacheTime
X-Nginx-Cache-Status
X-Server-Powered-By
Ali-Swift-Global-Savetime
X-Pingback
X-Server
X-AH-Environment
X-Backend
Access-Control-Max-Age
X-Type
X-Age
X-Cache-Group
X-Pass-Why
WPE-Backend
Grace
Xkey
X-Cache-Lookup
X-Varnish-Cache
Access-Control-Expose-Headers
Upgrade
Cf-Railgun
X-UA-Device
X-Hacker
X-LiteSpeed-Cache
X-Drupal-Dynamic-Cache
X-Page-Speed
X-Amz-Request-Id
X-CST
X-Proxy-Cache
X-Robots-Tag
Content-Location
X-Amz-Id-2
Request-Context
X-Envoy-Upstream-Service-Time
X-Ac
X-WebKit-CSP
X-Host
X-Server-Id
X-Node
X-Cnection
X-Device
X-OneAgent-JS-Injection
X-Amz-Version-Id
Allow
X-Backend-Server
X-HeyJason
X-Do-Not-Hack
Permitted-Cross-Domain-Policies
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Rack-Cache
Request-Id
X-Px
Edge-Control
X-Application-Context
X-Readtime
X-Cloud-Trace-Context
X-Url
X-Country
Surrogate-Control
EagleEye-TraceId
Server-Timing
X-Clacks-Overhead
X-Instart-Request-ID
X-TTL
X-Response-Time
X-MS-InvokeApp
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-NWS-LOG-UUID
X-Rq
Charset
X-DynaTrace-JS-Agent
AR-ATIME
AR-CACHE
AR-PoweredBy
Pinterest-Generated-By
AR-SID
Public-Key-Pins
X-ORACLE-DMS-RID
X-ORACLE-DMS-ECID
X-Server-Name
RATING
SPRequestGuid
X-ESI
X-SharePointHealthScore
X-Ser
X-Varnish-TTL
X-Country-Code
X-Ruxit-JS-Agent
X-Powered-CMS
Content-MD5
X-DataDome
X-Powered-By-Plesk
MS-Author-Via
X-Cached
X-Via-JSL
X-SRCache-Store-Status
X-TtlSet
X-SRCache-Fetch-Status
X-Vname
SPRequestDuration
X-PC
SPIisLatency
X-VARITI-CCR
X-DynaTrace
X-Mod-Pagespeed
Report-To
X-Recruiting
X-Amz-Rid
X-Kinja-Build
X-Kinja
X-GoogleNews-Bot
X-Geo-Segment
X-Kinja-Revision
X-Kinja-Server
X-Feature
MicrosoftSharePointTeamServices
X-Trace
X-Daa-Tunnel
Arr-Disable-Session-Affinity
X-Cdn-Fetch
X-Shield-Request-Id
X-N
X-Exp-Id
X-XRDS-LOCATION
X-Exp-Variant
Cartoon
Feature-Policy
X-Goog-Hash
X-GitHub-Request-Id
X-F-Cache
X-Kinsta-Cache
X-Fastcgi-Cache
X-FTR-Request-ID
X-Grace
X-Version
X-CF-Powered-By
X-Newrelic-App-Data
X-Forwarded-Proto
Liferay-Portal
Nginx-Cache
X-Dw-Request-Base-Id
X-IPLB-Instance
RTSS
X-Vcap-Request-Id
Cache
X-B
S
X-T
Verso
X-TEC-API-VERSION
X-Upstream
Fastcgi-Cache
DynaTrace
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-Hyper-Cache
X-Zen-Fury
X-Vhost
X-Cache-Key
X-Client-IP
Access-Control-Request-Method
X-Hits
X-Id
X-User-Agent
X-Logged-In
X-Varnish-Age
Front-End-Https
X-Frontend
X-Correlation-Id
X-Pinterest-Rid
Realpath
NEL
X-Upstream-Env
Pinterest-Version
X-Origin-Cache
X-DIS-Request-ID
TCN
X-D2id
X-Sucuri-ID
Eomportal-Instance
Edge-Cache-Tag
X-Guploader-Uploadid
X-Dispatcher
X-Goog-Generation
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Goog-Metageneration
Server-Name
X-Debug
X-HS-Cache-Config
X-Sol
X-HS-Content-Id
X-NF-Request-ID
X-Pad
X-Fastly-Request-ID
X-Forwarded-For
X-Abt-Application-Version
X-Nf-Srv-Version
X-Goog-Storage-Class
HitType
X-Cache-Age
X-AOL-HN
Server-Info
HitInfo
S-Cnection
Accept-Charset
X-Wix-Server-Artifact-Id
X-Ratelimit-Remaining
X-Middleton-Response
X-Middleton-Display
X-UUID
X-Content-Security-Policy-Report-Only
Host
X-HS-Combine-CSS
Tracecode
X-Mrf-Item-Lastmod
X-ATG-Version
MRF-Tech
Mrf-Cache-Status
X-NWS-UUID-VERIFY
X-Navigation-Version
Alternate-Protocol
X-Whom
X-Mrf-Section-Lastmod
Powered-By-ChinaCache
Response
Rt-Fastcgi-Cache
FilterID
Pagespeed
Display
Cache-Status
X-Magnolia-Registration
X-Revision
X-Srv
X-Amzn-Trace-Id
X-Cache-Action
X-VCache
Source
X-Cache-Bucket
X-Real-Ip
X-Cache-Rule
X-Hostname
X-WA-Info
X-UA
X-B3-Traceid
Service-Worker-Allowed
X-Content-Options
X-Content-Digest
Paypal-Debug-Id
X-Sucuri-Cache
X-PressLabs-Stats
X-Framework
Public-Key-Pins-Report-Only
Served-By
X-Servedby
X-Geo
X-Cache-NE
X-Rid
X-Geo-Country
X-Cache-Config
Country
X-Cache-2
X-Accel-Buffering
X-Signature
X-Varnish-Server
X-FB-Debug
X-TT
X-PHP-Backend
X-B-Cache
WP-Super-Cache
X-TT-TIMESTAMP
PB-PID
X-SS-Set-Cookie
X-FTR-Backend-Server
X-Country-Code-Real
PB-RID
X-Contextid
Fastly-Restarts
X-FTR-Backend
X-FTR-Cache-Status
X-FTR-Balancer
TP-L2-Cache
TP-Cache
X-FTR-DC
X-Instance
X-FTR-Expires
X-FTR-Realm
ServerID
X-Tumblr-Pixel-0
X-Tumblr-User
X-MSEdge-Ref
X-Varnish-Hostname
X-Varnish-IP
X-Page-Id
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-Mobile-Rewrite
X-Shield-Cache-Expires
X-Request-Processing-Time
X-Request-Received
X-Tumblr-Pixel
X-Storage
X-Oss-Hash-Crc64ecma
X-Oss-Object-Type
X-Oss-Request-Id
X-Generated-By
X-GeoIP
X-LB-Cache
X-Jobs
X-Oss-Server-Time
X-Oss-Storage-Class
X-FTR-Cache-Host
Datacenter
Cache-Tag
X-Adobe-Content
X-Adobe-Loc
X-Cache-Remote
X-App-Server
X-APP-VERSION
X-Ratelimit-Limit
X-ADI-VCache
X-Akamai-Edgescape
X-App-Environment
X-Cache-Operation
WebServer
X-Device-Type
Actual-Object-TTL
Cleartype
Retry-After
Surrogate-Key
X-CDN-Forward
Upgrade-Insecure-Requests
X-Debug-Info
X-Dc
X-Content-Powered-By
X-Cached-By
X-Cache-Ttl
X-Cache-TTL-Remaining
X-Amz-Server-Side-Encryption
X-S
SRV
X-ProxyCache-Key
X-Seen-By
Cache-Hits
X-BYPASS-REASON
X-Cacheable-TTL
X-RequestSource
X-HW
Access-Control-Request-Headers
X-GZip
X-Mobile
X-Ocache
X-Origin
X-Proto
X-Proxy-Build
Ohc-File-Size
X-CCM
X-EIG-Tracking-Id
X-JoinUs
X-Cluster
ServedBy
X-AppVersion
X-Analytics
X-Amz-Apigw-Id
X-TX-ID
X-Az
X-Activity-Id
Selected-FE
Load-Balancing
Backend-Timing
X-ProxyCache-Status
Refresh
X-Timing-Wait
X-Varnish-Hits
X-WebKit-CSP-Report-Only
X-Cache-Hit
X-Wix-Request-Id
X-Yottaa-Sig
IBM-Web2-Location
HostName
X-Proxied
X-UA-Device-Type
AsisCache
X-Amzn-RequestId
X-VG-WebCache
Access-Control-Allow-Method
Healthy
GEO-INFO
Cache-Name
Cache-Key
Fastly-SSL
X-Cache-Enabled
X-Labrador-Cache-Channel
X-NGENIX-Cache
X-Nginx-Cache
X-Optimization
X-L-Path
X-Hit
X-Environment-Context
X-Generated
X-Grey
X-PERF
X-ServerID
X-Viewer-Country
X-Web-Node
X-Xfnlog-Site
Xserver
X-Upstream-HT
X-Upstream-CT
X-Skip-Cache
X-Time-Microsecs
X-Unique-Id
X-Distributor
X-Debug-Cache
ProcessTime
ServerName
Time
X-Agile
PageType
Origin-Edge-Control
Mn-Server-Ip
Now
Origin-Cache-Control
X-Agile-Age
X-Agile-Id
X-BB-IP
X-Cache-Category-Id
X-Cache-HT
X-Backend-Name
X-ApacheServer
X-Akam-SW-Version
X-Akamai-Request-ID
X-Akamai-Transformed
L5d-Success-Class
Countrycode
X-PC-Hit
X-PC-Date
X-PC-AppVer
AMP-Access-Control-Allow-Source-Origin
X-PC-Host
X-PC-Key
X-CSRF-Token
X-WPE-Loopback-Upstream-Addr
X-Varnish-Backend
X-TIME
Arc-Version
X-Request-Guid
X-Accel-Expires
X-Handled-By
X-BCube-Filmed-By
DC
X-Hail-Hydra
X-Cache-Server
X-Origin-Upstream-Status
X-Cache-Control
MS-CV
Server-Node
Host-Header
Warning
X-A-Ccd
X-A
T-Server
Server-ID
X-A-Dam
V-Age
X-A-Dgt
X-Auto-Login
X-B-Cookie
X-Cache-Expires
X-ARC
X-Application
Resin-Trace
X-A-Wwc
X-Alternate-Cache-Key
X-A-Dcw
Request-Time
Fly-Cache
Fly-Request-Id
Get-Access-Time
Cteonnt-Length
Brightspot-Id
Cache-Provider
Cache-Prefix
Country-Code
X-Cache-Id
If-Modified-Since
Proxy-Connection
Request-Country
Request-EU
NodeID
Ajk
Is-Session-Tracking
Kp-EeAlive
COMMERCE-SERVER-SOFTWARE
X-Crawler
X-S-Maxage
X-S-Cookie
X-Sentry-ID
X-ShardId
X-Shopify-Stage
X-ShopId
X-Request-URI
X-Release
X-Page-Type
X-Origin-Expires
X-ProxyCache-Args
X-RCS-CacheZone
X-Refresh
X-Sorting-Hat-FeatureSet
X-Sorting-Hat-PodId
X-Var-Ttl
X-UE-Client-Country
X-Varnish-Url
X-Via-NSCOPI
X-Varnish-Grace
X-WebServer
X-Status
X-SRCache-Key
X-Sorting-Hat-PrivacyLevel
X-Sorting-Hat-PodId-Cached
X-Sorting-Hat-Section
X-Sorting-Hat-ShopId
X-Sorting-Hat-ShopId-Cached
X-Origin-Date
X-NX-Host
X-Dispatcher-Server
X-Died
X-DPWN-IS-SECURE
X-Fastly-Backend-Reqs
X-From
X-Fe
X-Device-Os
X-Developer
X-D
X-CS
X-Debug-Cookies
X-Debug-Log
X-Destination
X-Fstrz
X-G
X-LB-CacheStatus
X-Info
X-LB-Node
X-Load-Cache
X-Logtrace-Id
X-IN-WAF
X-IN-SSL-APIGATEWAY
X-Hash
X-Generated-In
X-HGenerator
X-Hl-Ver
X-IN-APIGATEWAY
X-Cache-Time
X-Cache-Host
X-FW-Server
X-FW-Hash
X-Edge-Cache-Key
X-Edge-Cache
X-FW-Static
X-FW-Type
X-Microcachable
X-Locale
X-Internal-Host
X-Drupal-Cache-Tags
X-Distil-CS
Content-Style-Type
NGB
Filters
From-Origin
Content-Script-Type
Viewport
X-Croise-Owner
X-ByteArk-Cache
X-Amz-Replication-Status
X-Nc
X-FW-Serve
X-StackifyID
X-Tumblr-Pixel-1
X-Source
X-Region
X-RTag
X-Tumblr-Pixel-2
X-Platform-Server
X-Varnish-Cache-Hits
X-Origin-Server
X-Access
Azure-Version
Azure-SlotName
WZWS-RAY
Webcakes-Region
Webcakes-App-Version
V-Cache
Webcakes-App-Name
Azure-SiteName
X-Amz-Meta-Surrogate-Control
X-B3-Sampled
X-AWS-Id
User-Cache-Control
Azure-InstanceId
Azure-RegionName
X-Origin-Hint
X-App-Name
TWC-Privacy
Fastcgi-Useragent
NODE
Dnion-Transfer-Encoding
DB-Nickname
Mime-Version
Meta-Geo
Group
FSS-Cache
LB
Machine
X-B3-Spanid
RequestId
TWC-GeoIP-LatLong
TWC-Locale-Group
FSS-Proxy
UCS
TWC-GeoIP-Country
TWC-Device-Class
S-Rt
Backend
TWC-Connection-Speed
User-Agent
Property-Id
X-Surge-Debug
X-NodeID
X-TNCMS
X-SplitTest
X-NU-AKA-ACS-Version
X-Section
X-OCL
X-Tumblr-Pixel-3
X-TWH-CORRELATION-ID
X-Varnish-Beresp-TTL
X-Varnish-Cacheable
X-Vgn-Hpd-Reason
X-MP-GENERATED-AT
X-NCache
X-Node-Name
X-Upgrade-Enabled
X-Routing-Service
X-RN-RSRV
X-Path-Route
X-PCL
X-Origin-CC
X-OVcl-Cache
X-OVcl
X-Original-Request
X-Be
X-Port
X-ProcessESI
X-Rendered-As
X-Request-Time
X-Render-Type
X-RemovedCookies
X-Proxy
X-Pubstack
X-Via-Fastly
X-Site-Version
X-Drupal-Cache-Contexts
X-Detected-As
X-DataStream-Cache-Status
X-Edge-Location
X-Endurance-Cache-Level
X-FC-Vary-Parameters
X-Ezoic-Cdn
X-Cluster-Node
X-CDN-Cache
X-Mode
X-Birta-Cache-Post
X-C
X-Cache-Var
X-CCM-LastModified
X-Cache-Var-Map
X-Format
X-Birta-Served
X-Www-Served-By
X-Zipkin-Id
X-Webstats-RespID
X-Meta-Tbi-Cache-Vertical
X-Front
X-VWS-Id
X-LJ-Flow-ID
X-Loop
X-Human
X-Is-Bot
X-Generation-Time
X-Instance-Name
X-Hosted-By
X-IP
X-Owner
X-Passed-To-DLL
X-P-T
X-PARISIEN-Cache-Rendered
X-Origin-TTL
X-Passed-To
X-Passed-To-BeforeDispatch
X-MSEdge-Features
X-Passed-To-PostProcessResponse
X-Micro-Cache
X-MI-In-Market
X-MSEdge-Flight
X-Nananana
X-No-Session
X-Newrelic-Synthetics
X-ND-Cache
X-Node-Id
X-Planisys-CDN-TTL
X-RateLimit-Remaining-Second
X-RateLimit-Limit-Second
X-Qnm-Cache
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
X-Mem
X-Reboot
X-Public
X-Powered-By-ANYU
X-Phone
X-Pf-Uncompressing
X-Pjax-Url
X-Planisys-CDN-Cache
X-Platform
X-Planisys-CDN-Rules
X-PAYTM-SRV-ID
X-Edge-IP
X-Flog
X-FireWall-Port
X-Fetched-On
X-Forwarded-Host
X-Frame-Option
X-Gannett-Site-Version
X-From-Cache
X-Fastly-Cache
X-F5-Cache
X-EdgeConnect-Cache-Status
X-Redis-Cache
X-EC-Security-Audit
X-ElasticPress-Search
X-Env
X-Eu-Site
X-Epic-Correlation-Id
X-Gen-Mode
X-GeoIP-City
X-Layer
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-LiteSpeed-Cache-Control
X-Location
X-M-Reqid
X-M-Log
X-Key
X-Irp-Debug
X-GoCache-CacheStatus
X-GeoIP-Country-Code
X-Haproxy-Hostname
X-Haproxy-Ip
X-Hnp-Log
X-HCF
X-Matched-Rule
Xc-Version
X-Varnish-Action
X-VarnCache
X-V
X-Varnish-Beresp-Grace
X-Varnish-Beresp-Status
X-Varnish-Id
X-Varnish-HitMiss
X-User
X-Up
X-Transaction
X-Trace-Id
X-Tid
X-Trv-Group
X-TT-LOGID
X-UnsetCookies
X-Twitter-Response-Tags
X-VarnPar1
X-VarnPar2
X-Worker
X-Wix-Route-ID
X-Wikidot-Static-Cache
X-WR-MODIFICATION
X-Zalando-Child-Request-Id
X-Developers
X-Zalando-Page-Type
X-Wikidot-Backend
X-We-Are-Hiring
X-Ver
X-VC
X-VG-WebServer
X-Via-CDN
X-VServer
X-Via-Edge
X-Thinkindot-L3
X-Thanos
X-Rojux
X-Rocket-Nginx-Serving-Static
X-Rocket-Nginx-Bypass
X-ROOTCache
X-Safe-Firewall
X-ScT
X-SB
X-Rewrite-Enabled
X-Returned-From-PostProcessResponse
X-RequestId
X-Request-UUID
X-Request-Start
X-Response-By
X-Returned-From
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
X-Secret
X-Served-From
X-Stale
X-Sn-Servicetimems
X-SIPLIST1
X-Svr
X-SVT-ORM-RULES
X-Tb
X-SVT-ORM-VERSION
X-ServiceProvider
X-Servername
X-Server-By
X-ServedByHost
X-Server-Group
X-Server-IP
X-Server-W
X-Server-Time
X-Region-Sid
Backend-Name
Heartbleed
HA-Urlpath
HA-Servedtime
Host-ID
Httpd-Identifier
Is-Eu
HTTPS
HA-Ipaddr
HA-Host
HA-Geocountry
HA-Geocity
HA-Cloudapp
HA-Geolat
HA-Geolon
Ha-Gx-Prefs
HA-Georegion
IsBot
Lfy
NGX
N-Cache
MI-Cache-Age
NnCoection
NtCoent-Length
Ohc-Response-Time
Odigeo-Trace-Id
MI-Cache
MI-API
Max-Age
Magicmarker
MD5-Digest
Memcached
Meta-Geo-Continent
Memory
GW-Server
Geoip-Latitude
Cache-Cookie-Set-From
BehaviorPad-Version
Arc-Country
Cache-Cookie-Set-Idcheck
Cache-Cookie-Set-Lfrom
Cdn
CDCHOST
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
AKAMAI
Adler-Geo
Accept-Ch
Apicache-Store
Apicache-Version
Apple-News-Services-Host
Apple-News-Services-Handled
Cf-Ipcountry
Cneonction
Fastly-SIE
Fastly-Backend-Name
Fastcgi-X-Cache-Version
Fastly-Soc-X-Request-Id
Fastly-SWR
GeoIp-Country-Code
Geoip-City
Fastcgi-X-Cache
Esi-Enabled
Decoy-Debug-Key
Content-Disposition
Decoy-Debug-Status
Decoy-Debug-TTL
Ec-Rule-Version
Drupal-Pagecache-Memcache
On-Server
Origin
X-Cache-Backend
X-Block-Status
X-Bip
X-Cache-CFC
X-Cache-Control-Set-By
X-Cache-FS-Status
X-Cache-Debug
X-BBXSRF
X-BB-ID
X-Amz-Meta-S3cmd-Attrs
X-Amz-Meta-S3b-Last-Modified
X-Amz-Meta-Cache-Control
X-Backend-Host
X-Backend-State
X-Backend-Url
X-Backend-TTL
X-Cache-Srv
X-Cache-URL
X-Content-Age
X-Connection-Hash
X-Clientip
X-Content-Type
X-Core-Mission
X-DataStream-MidMile-RTT
X-Core-Value
X-Ckpd-Fst-Backend
X-CGP
X-CDN-Pop
X-Cdn-Origin
X-CDN-Pop-IP
X-Cdn-Srv
X-CF-Lambda-Version
X-CF-Lambda-Fn
X-Alicdn-Da-Ups-Status
X-Actual-URL
Rendered-Blocks
Release
R
REQUESTUUID
Rt-Proxy-Cache
Server-Int
Server-Host
Pramga
Pragrma
Payment
OT-Force-Account-Verify
PFcat
Pics-Label
Powered-By
Platform
Sid
Sta2Tusw
Who
Web-Mar-Region
Web-Mar-Node
Ws
Www
X-ABtesting
WWW-Authenticate
VivaBuild
Viewtype
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
Thinkindot-Control
Uber-Trace-Id
Version
URI
X-DataStream-Origin-MEX-Latency