
SANS ISC: HTTP Header Usage Statistics - SANS Internet Storm Center



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, for example X-XSS-Protection or X-Frame-Options.

Below is a table/histogram showing how many times we found each header (security-relevant or not). We fetch the index page of each site with an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
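As an added example (not the ISC project's own code), this is the counting step described above: parse raw HEAD responses, tally each header name once per site regardless of letter case, and report what fraction of sites send the security-relevant headers the page names. The responses in SAMPLES are constructed, not captured from real sites.

```python
"""Tally HTTP response header names across HEAD responses, as the ISC
project above does. Added example, not the project's code; the responses
in SAMPLES are constructed, not captured from real sites."""
from collections import Counter

# Security-relevant headers singled out on the page (canonical spelling).
SECURITY_HEADERS = {
    "x-frame-options": "X-Frame-Options",
    "x-xss-protection": "X-XSS-Protection",
    "x-content-type-options": "X-Content-Type-Options",
    "strict-transport-security": "Strict-Transport-Security",
    "content-security-policy": "Content-Security-Policy",
    "referrer-policy": "Referrer-Policy",
}

def header_names(raw_response):
    """Field names of one raw HTTP response, lower-cased: names are
    case-insensitive, so 'Server' and 'server' must count as one header."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    names = []
    for line in head.split("\n")[1:]:            # [1:] drops the status line
        if ":" not in line or line[0] in " \t":   # skip folded or junk lines
            continue
        names.append(line.split(":", 1)[0].strip().lower())
    return names

def tally(responses):
    """Per header name, the number of sites that sent it at least once;
    a site sending Set-Cookie three times still counts once."""
    counts, n_sites = Counter(), 0
    for raw in responses:
        n_sites += 1
        counts.update(set(header_names(raw)))
    return counts, n_sites

def security_coverage(responses):
    """Fraction of sites sending each security-relevant header."""
    counts, n = tally(responses)
    return {nice: counts[key] / max(n, 1) for key, nice in SECURITY_HEADERS.items()}
# Constructed sample HEAD responses (not real sites).
SAMPLES = [
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
    "Set-Cookie: a=1\r\nSet-Cookie: b=2\r\nX-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n\r\n",
    "HTTP/1.1 200 OK\r\nserver: Apache\r\ncontent-type: text/html\r\n"
    "x-frame-options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.invalid/\r\n"
    "Content-Type: text/html\r\n\r\n",
]
```

Calling `tally(SAMPLES)[0].most_common()` gives the same kind of ranked histogram as the table that follows.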



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
Content-Length
X-Frame-Options
Accept-Ranges
Last-Modified
X-Powered-By
Pragma
X-Content-Type-Options
CF-RAY
Strict-Transport-Security
X-XSS-Protection
Link
ETag
Expect-CT
Via
X-Cache
Age
Access-Control-Allow-Origin
Content-Language
Content-Security-Policy
P3P
X-UA-Compatible
X-Cache-Hits
X-Varnish
X-AspNet-Version
X-Request-Id
Referrer-Policy
X-Served-By
X-Amz-Cf-Id
CF-Cache-Status
X-Timer
Access-Control-Allow-Headers
X-Runtime
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-Download-Options
X-Drupal-Cache
X-Check
Status
X-AspNetMvc-Version
Timing-Allow-Origin
Alt-Svc
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Cacheable
X-Via
X-Generator
X-Iinfo
X-Cdn
X-Cache-Status
X-Template
X-Language
X-Turbo-Charged-By
X-Content-Security-Policy
Keep-Alive
X-Nginx-Cache-Status
X-Server-Powered-By
X-Swift-SaveTime
X-Swift-CacheTime
EagleId
X-Permitted-Cross-Domain-Policies
X-Buckets
Ali-Swift-Global-Savetime
Content-Encoding
X-DNS-Prefetch-Control
X-Pingback
X-Server
Access-Control-Max-Age
X-Backend
X-Cache-Lookup
X-Age
Grace
X-AH-Environment
Access-Control-Expose-Headers
X-LiteSpeed-Cache
X-Varnish-Cache
Upgrade
X-Robots-Tag
Cf-Railgun
X-Cache-Group
X-Type
Xkey
WPE-Backend
X-Pass-Why
X-CST
X-Hacker
X-UA-Device
X-Drupal-Dynamic-Cache
Content-Location
Request-Context
X-Host
X-Ac
X-Proxy-Cache
X-Page-Speed
X-Cnection
X-Envoy-Upstream-Service-Time
X-Amz-Request-Id
X-Server-Id
X-WebKit-CSP
X-OneAgent-JS-Injection
X-Country
X-Node
X-Amz-Id-2
X-Device
X-Application-Context
X-Px
Permitted-Cross-Domain-Policies
Allow
X-Do-Not-Hack
X-Cloud-Trace-Context
X-HeyJason
X-Backend-Server
Request-Id
EagleEye-TraceId
X-Amz-Version-Id
X-NWS-LOG-UUID
Server-Timing
Edge-Control
X-Readtime
X-Rack-Cache
Charset
X-Clacks-Overhead
X-MS-InvokeApp
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
Public-Key-Pins
X-TTL
X-DynaTrace-JS-Agent
X-Pantheon-Styx-Hostname
X-Ser
X-Via-JSL
X-Url
X-Styx-Req-Id
AR-SID
AR-CACHE
AR-ATIME
AR-PoweredBy
X-Response-Time
X-Amz-Rid
Content-MD5
X-Kinsta-Cache
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
X-DataDome
X-SharePointHealthScore
SPRequestGuid
X-Rq
S
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Grace
X-Goog-Hash
X-Instart-Request-ID
X-Server-Name
RATING
MS-Author-Via
X-Country-Code
X-Cdn-Fetch
X-Daa-Tunnel
X-Trace
X-Ruxit-JS-Agent
X-Hyper-Cache
X-ESI
X-Powered-CMS
X-Kinja-Revision
X-Kinja-Build
X-Exp-Id
X-Kinja
X-Kinja-Server
X-GoogleNews-Bot
X-Feature
X-Exp-Variant
X-Geo-Segment
X-GitHub-Request-Id
X-VARITI-CCR
X-Varnish-TTL
X-Newrelic-App-Data
X-Forwarded-Proto
X-Powered-By-Plesk
Arr-Disable-Session-Affinity
SPIisLatency
SPRequestDuration
Feature-Policy
X-XRDS-LOCATION
Surrogate-Control
Liferay-Portal
X-Shield-Request-Id
X-DynaTrace
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length
X-Goog-Storage-Class
X-Goog-Metageneration
X-Guploader-Uploadid
X-Recruiting
X-TtlSet
X-Goog-Generation
X-Sucuri-ID
X-Vname
X-PC
Cache
MicrosoftSharePointTeamServices
Eomportal-Instance
Realpath
X-Frontend
X-Cached
Front-End-Https
Accept-Charset
Cartoon
X-CF-Powered-By
Access-Control-Request-Method
X-HS-Content-Id
X-HS-Cache-Config
X-Logged-In
X-N
X-Framework
X-Zen-Fury
X-Mod-Pagespeed
X-HS-Combine-CSS
Edge-Cache-Tag
S-Cnection
DynaTrace
X-Debug
X-Fastcgi-Cache
X-FTR-Request-ID
X-Geo
X-F-Cache
X-Correlation-Id
X-IPLB-Instance
X-Content-Security-Policy-Report-Only
X-Cache-NE
X-UA
X-User-Agent
X-Vcap-Request-Id
X-Wix-Server-Artifact-Id
X-Cache-Age
X-Upstream
X-Sucuri-Cache
X-WA-Info
X-NWS-UUID-VERIFY
Verso
Fastcgi-Cache
HitInfo
HitType
X-Varnish-Age
X-UUID
X-Cache-Action
X-Cache-Key
Server-Info
X-Fastly-Request-ID
X-AOL-HN
Server-Name
X-Amzn-Trace-Id
X-Accel-Buffering
Source
X-B
X-Magnolia-Registration
X-Id
X-Forwarded-For
X-Dw-Request-Base-Id
X-NF-Request-ID
X-Hits
X-TT
X-DIS-Request-ID
X-Version
X-VCache
X-Varnish-IP
X-Pad
X-Srv
X-Nf-Srv-Version
X-ATG-Version
RTSS
Cleartype
Nginx-Cache
Host
WP-Super-Cache
FilterID
Cache-Status
X-Middleton-Display
X-Middleton-Response
X-Oss-Object-Type
X-Oss-Storage-Class
X-PHP-Backend
X-Oss-Server-Time
X-Oss-Request-Id
X-Client-IP
X-Oss-Hash-Crc64ecma
X-EIG-Tracking-Id
X-Geo-Country
X-Proto
X-GeoIP
X-Generated-By
X-JoinUs
X-LB-Cache
X-FB-Debug
X-Jobs
X-TEC-API-ROOT
X-TT-TIMESTAMP
X-Timing-Wait
X-TEC-API-VERSION
X-UA-Device-Type
X-Yottaa-Metrics
X-CCM
X-Yottaa-Sig
X-Yottaa-Optimizations
X-TEC-API-ORIGIN
X-Storage
X-Ratelimit-Remaining
X-ProxyCache-Status
X-ProxyCache-Key
X-Real-Ip
X-Revision
X-Sol
X-Signature
X-Proxy-Build
X-Cache-Bucket
Country
Cache-Hits
Access-Control-Request-Headers
Datacenter
Display
Pagespeed
Load-Balancing
X-Vhost
X-Cached-By
MRF-Tech
Mrf-Cache-Status
Report-To
X-Dispatcher
X-Mrf-Section-Lastmod
X-Mrf-Item-Lastmod
Powered-By-ChinaCache
Cache-Tag
X-BYPASS-REASON
X-B-Cache
X-Amzn-RequestId
Public-Key-Pins-Report-Only
X-Cache-2
X-Cache-Remote
X-Cache-Config
X-Amz-Apigw-Id
X-App-Server
X-Adobe-Loc
Selected-FE
Rt-Fastcgi-Cache
Served-By
TCN
Response
X-Adobe-Content
X-Device-Type
X-Hostname
X-GZip
X-CDN-Forward
X-Optimization
X-Cacheable-TTL
X-Content-Powered-By
X-Whom
X-Varnish-Hits
X-Cache-HT
X-Servedby
X-S
X-PressLabs-Stats
X-Origin-Cache
X-Contextid
ServedBy
HostName
X-Cache-Enabled
Retry-After
Service-Worker-Allowed
X-Akamai-Transformed
X-IN-APIGATEWAY
X-Hl-Ver
X-IN-SSL-APIGATEWAY
X-IN-WAF
X-Hit
X-Info
X-HGenerator
X-Grey
X-Instance
X-Hash
X-Generated-In
X-Generated
X-LB-CacheStatus
X-NX-Host
X-Nginx-Cache
X-Origin
X-Origin-Date
X-Origin-Expires
X-NGENIX-Cache
X-Logtrace-Id
X-Labrador-Cache-Channel
X-G
X-LB-Node
X-Load-Cache
X-L-Path
X-FTR-DC
X-Destination
X-DPWN-IS-SECURE
X-Debug-Log
X-Debug-Info
X-Debug-Cookies
X-Developer
X-Device-Os
X-Died
X-Page-Id
X-Dispatcher-Server
X-Distributor
X-Debug-Cache
X-Environment-Context
X-FTR-Cache-Host
X-FTR-Balancer
X-FTR-Cache-Status
X-Dc
X-FTR-Expires
X-FTR-Backend-Server
X-FTR-Backend
X-Fastly-Backend-Reqs
X-Fe
X-From
X-Fstrz
X-FTR-Realm
X-SRCache-Key
X-UE-Client-Country
X-TX-ID
X-Unique-Id
X-Upstream-CT
X-Upstream-HT
X-Tumblr-User
X-Tumblr-Pixel-0
X-Sorting-Hat-ShopId-Cached
X-Status
X-Time-Microsecs
X-Tumblr-Pixel
X-Var-Ttl
X-Varnish-Hostname
X-WebServer
X-WebKit-CSP-Report-Only
X-Wix-Request-Id
X-Xfnlog-Site
Xserver
X-Web-Node
X-Viewer-Country
X-Varnish-Server
X-Varnish-Url
X-VG-WebCache
X-Via-NSCOPI
X-Sorting-Hat-ShopId
X-Sorting-Hat-Section
X-RequestSource
X-Request-URI
X-Rid
X-S-Cookie
X-S-Maxage
X-Release
X-Refresh
X-PERF
X-ProxyCache-Args
X-Ratelimit-Limit
X-RCS-CacheZone
X-Seen-By
X-Sentry-ID
X-Sorting-Hat-FeatureSet
X-Sorting-Hat-PodId
X-Sorting-Hat-PodId-Cached
X-Sorting-Hat-PrivacyLevel
X-Skip-Cache
X-Shopify-Stage
X-ServerID
X-ShardId
X-Shield-Cache-Expires
X-ShopId
X-Page-Type
X-D
Mn-Server-Ip
NodeID
Now
Ohc-File-Size
L5d-Success-Class
Kp-EeAlive
Healthy
IBM-Web2-Location
If-Modified-Since
Is-Session-Tracking
Origin-Cache-Control
Origin-Edge-Control
Resin-Trace
Server-ID
ServerID
ServerName
Request-Time
Request-EU
PageType
ProcessTime
Proxy-Connection
Request-Country
Get-Access-Time
GEO-INFO
Ajk
Alternate-Protocol
AsisCache
Brightspot-Id
Actual-Object-TTL
Access-Control-Allow-Method
X-Source
X-Content-Options
Viewport
Refresh
Cache-Key
Cache-Name
Fastly-Restarts
Fastly-SSL
Fly-Cache
Fly-Request-Id
Cteonnt-Length
Countrycode
Cache-Prefix
Cache-Provider
X-CS
Country-Code
SRV
COMMERCE-SERVER-SOFTWARE
X-B-Cookie
X-B3-Traceid
X-Backend-Name
X-BB-IP
X-Auto-Login
X-ARC
X-Amz-Server-Side-Encryption
X-ApacheServer
X-App-Environment
X-Application
X-Cache-Category-Id
X-Cache-Expires
X-Cluster
X-Country-Code-Real
X-Crawler
Surrogate-Key
X-Cache-TTL-Remaining
X-Cache-Time
X-Cache-Host
X-Cache-Id
X-Cache-Operation
X-Cache-Rule
X-Alternate-Cache-Key
X-Cache-Ttl
V-Age
Warning
WebServer
X-A
Upgrade-Insecure-Requests
Tracecode
T-Server
Time
X-Akamai-Request-ID
TP-L2-Cache
X-A-Ccd
TP-Cache
X-Agile-Id
X-Akam-SW-Version
X-Akamai-Edgescape
X-A-Dam
X-Agile
X-Agile-Age
X-A-Wwc
X-A-Dcw
X-ADI-VCache
X-A-Dgt
X-Www-Served-By
X-CCM-LastModified
X-Origin-CC
X-DataStream-Cache-Status
X-Croise-Owner
NEL
Meta-Geo
Content-Style-Type
Content-Script-Type
X-PC-Date
X-PC-Hit
X-PC-Host
X-PC-Key
X-Pjax-Url
X-PC-AppVer
X-ProcessESI
X-OVcl
X-Region-Sid
X-Origin-Upstream-Status
X-Original-Request
X-OVcl-Cache
X-Owner
X-P-T
X-Varnish-Beresp-TTL
X-Varnish-Cacheable
X-Varnish-Backend
X-Via-Fastly
X-VWS-Id
X-Origin-TTL
X-Varnish-Action
X-TWH-CORRELATION-ID
X-SplitTest
X-Site-Version
X-Surge-Debug
X-TIME
X-Trace-Id
X-RemovedCookies
AMP-Access-Control-Allow-Source-Origin
Pragrma
PB-RID
Release
Server-Node
X-Abt-Application-Version
PB-PID
Meta-Geo-Continent
Backend
Arc-Version
Filters
Host-Header
Host-ID
X-APP-VERSION
X-AWS-Id
X-LJ-Flow-ID
X-Hail-Hydra
X-Locale
X-Mobile-Rewrite
X-Node-Name
X-GeoIP-City
X-Front
X-DataStream-MidMile-RTT
X-Be
X-DataStream-Origin-MEX-Latency
X-Drupal-Cache-Tags
X-Edge-Location
X-NodeID