SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many sites returned each header (security-relevant or not). We access the index page of each site with an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
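The counting step described above, written out as an added example (it is not the ISC project's own collector). It takes raw HEAD responses, parses the header block, folds header names to lower case (field names are case-insensitive, so X-Frame-Options and X-FRAME-OPTIONS, or P3P and P3p, which the table below lists as separate rows, are tallied as one), counts each header once per site, and reports the share of sites that sent each security-relevant header. The host names and response bodies are constructed for the example, and the set of headers treated as security-relevant is a selection of names from the table, not the project's definition.

```python
"""Tally HTTP response headers from raw HEAD responses and report which
security-relevant headers were seen.  Added example; the responses below
are constructed, not survey data."""
from collections import Counter

# Headers treated as security-relevant here (a selection of names that
# appear in the ISC table, lower-cased; not the project's own list).
SECURITY_HEADERS = {
    "x-xss-protection", "x-frame-options", "x-content-type-options",
    "strict-transport-security", "content-security-policy",
    "content-security-policy-report-only", "referrer-policy", "expect-ct",
    "public-key-pins", "feature-policy", "x-permitted-cross-domain-policies",
}

# Constructed HEAD responses, keyed by a made-up host name.
SAMPLE_RESPONSES = {
    "site-a.example": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Tue, 15 Nov 1994 08:12:31 GMT\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Set-Cookie: sid=abc; Path=/; Secure; HttpOnly\r\n"
        "Set-Cookie: lang=en; Path=/\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "\r\n"
    ),
    "site-b.example": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Tue, 15 Nov 1994 08:12:31 GMT\r\n"
        "Server: Apache\r\n"
        "Content-Type: text/html\r\n"
        "X-FRAME-OPTIONS: DENY\r\n"          # upper-cased name, same header
        "X-XSS-Protection: 1; mode=block\r\n"
        "P3P: CP=\"NOI\"\r\n"
        "\r\n"
    ),
    "site-c.example": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Tue, 15 Nov 1994 08:12:31 GMT\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 0\r\n"
        "X-Powered-By: PHP/7.2\r\n"
        "\r\n"
    ),
}


def parse_headers(raw: str) -> dict:
    """Return the header block of a raw HTTP response as {lower-name: value}.

    Only the first colon splits name from value, so values containing
    colons (Date, CSP) survive.  Repeated headers such as Set-Cookie keep
    the last value; presence is what the tally needs, not every value.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:            # lines[0] is the status line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue                  # blank or malformed line: skip it
        headers[name.strip().lower()] = value.strip()
    return headers


def tally(responses: dict) -> Counter:
    """Count, per header name, how many sites sent it (once per site)."""
    counts = Counter()
    for raw in responses.values():
        counts.update(set(parse_headers(raw)))
    return counts


def histogram(counts: Counter) -> list:
    """Rows of (header, site-count), most common first, like the ISC table."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def security_report(counts: Counter, total_sites: int) -> dict:
    """Share of sites sending each security-relevant header (0.0 if none)."""
    return {h: counts.get(h, 0) / total_sites for h in sorted(SECURITY_HEADERS)}


if __name__ == "__main__":
    counts = tally(SAMPLE_RESPONSES)
    for name, n in histogram(counts):
        print(f"{n:4d}  {name}")
    for name, share in security_report(counts, len(SAMPLE_RESPONSES)).items():
        print(f"{share:6.1%}  {name}")
```

Because the tally is per site rather than per header line, the two Set-Cookie lines from site-a count as one, which matches the question the project asks (how many sites use a header) rather than how many header lines were seen.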



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Server
Connection
Vary
Cache-Control
Expires
Link
X-Powered-By
Content-Length
Pragma
Last-Modified
Accept-Ranges
ETag
X-Content-Type-Options
X-XSS-Protection
Strict-Transport-Security
X-Frame-Options
X-Cache
CF-RAY
Content-Language
Age
X-Wix-Server-Artifact-Id
X-Pingback
X-Accel-Buffering
Via
P3P
X-AspNet-Version
Expect-CT
X-Cacheable
X-UA-Compatible
Content-Security-Policy
X-Via
X-ServedBy
X-Contextid
X-PC-Key
X-PC-Hit
X-Request-Id
X-Adblock-Key
X-Wix-Request-Id
X-Seen-By
Access-Control-Allow-Origin
X-PC-AppVer
X-PC-Host
X-PC-Date
X-Check
WPE-Backend
X-Type
X-Ua-Compatible
X-Cache-Group
X-Pass-Why
X-UA-Device
X-Rid
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Tumblr-User
X-Tumblr-Pixel-1
X-Template
X-Language
X-Download-Options
X-Permitted-Cross-Domain-Policies
X-NewRelic-App-Data
X-Buckets
X-Tumblr-Pixel-2
Upgrade
X-Sorting-Hat-ShopId
X-Sorting-Hat-ShopId-Cached
X-Sorting-Hat-Section
X-Sorting-Hat-PodId
X-ShardId
X-Dc
X-Alternate-Cache-Key
X-Sorting-Hat-PrivacyLevel
X-ShopId
X-Sorting-Hat-FeatureSet
X-Sorting-Hat-PodId-Cached
Referrer-Policy
Alt-Svc
Host-Header
X-Tumblr-Pixel-3
X-Ac
X-Hacker
X-Varnish
X-Cache-Hits
X-Runtime
X-Generator
X-WPE-Loopback-Upstream-Addr
X-Served-By
X-CST
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-TEC-API-VERSION
X-Host
X-Timer
X-Drupal-Cache
P3p
X-Tumblr-Pixel-4
X-Backend
X-Endurance-Cache-Level
X-Cache-Hit
X-Port
X-Newrelic-App-Data
X-AspNetMvc-Version
CF-Cache-Status
Access-Control-Allow-Methods
Access-Control-Allow-Headers
Status
X-Powered-By-Plesk
X-Request-ID
Access-Control-Allow-Credentials
X-Amz-Cf-Id
Content-Location
X-FRAME-OPTIONS
X-Cache-Enabled
X-Iinfo
Keep-Alive
X-Cache-Status
X-FW-Server
X-FW-Hash
X-FW-Type
X-FW-Serve
X-FW-Static
X-Webcom-Cache-Status
X-Server
X-Robots-Tag
X-Wix-Punisher
X-CDN
X-GitHub-Request-Id
X-Proxy-Cache
X-Tumblr-Pixel-5
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Hits
Content-Encoding
MS-Author-Via
X-Rack-Cache
Edge-Control
Rating
X-Tumblr-Content-Rating
X-FullPageCaching
X-Trace
X-HS-Cache-Config
X-DDC-Arch-Trace
X-Server-Powered-By
Edge-Cache-Tag
X-HS-Content-Id
X-Turbo-Charged-By
X-BC-Stapler
Powered-By
X-Pad
X-DIS-Request-ID
X-Nginx-Cache-Status
X-IPLB-Instance
Permitted-Cross-Domain-Policies
X-HeyJason
X-Do-Not-Hack
X-Tumblr-Pixel-6
X-Fastly-Request-ID
X-HS-Combine-CSS
X-Amz-Request-Id
X-LiteSpeed-Cache
X-Amz-Id-2
X-Mod-Pagespeed
X-Drupal-Dynamic-Cache
X-INKT-URI
X-INKT-SITE
Content-Security-Policy-Report-Only
X-Logged-In
Request-Context
P-LB
X-XRDS-Location
P-WS
X-Accel-Version
X-Content-Digest
X-CF-Powered-By
X-Page-Speed
X-Version
X-Node
Allow
X-Acc-Exp
Last-Published
Charset
X-Request-Country
Timing-Allow-Origin
X-Content-Powered-By
X-SVR-IIS
X-Svr-Proxy
X-Zen-Fury
Cf-Railgun
X-SSLUpstream
Access-Control-Max-Age
X-Cdn
X-SSLProxy
X-Cnection
X-Upstream
X-PHP-Backend
X-Server-Name
X-Cache-Lookup
X-AH-Environment
X-Varnish-Cache
MicrosoftOfficeWebServer
X-LW-Cache
Access-Control-Expose-Headers
X-Powered-CMS
X-Amz-Version-Id
SPRequestGuid
MicrosoftSharePointTeamServices
X-SharePointHealthScore
X-Device
X-Varnish-TTL
X-Safe-Firewall
WP-Super-Cache
EagleId
X-MS-InvokeApp
X-Varnish-HitMiss
X-Cloud-Trace-Context
X-Varnish-Count
Cartoon
X-Swift-SaveTime
X-Swift-CacheTime
X-StackifyID
X-Source
X-SS-Location
X-VCache
X-PhApp
X-Webserver
X-Kinsta-Cache
X-SS-Conf
X-Backend-Server
Response
X-Middleton-Display
X-Middleton-Response
X-ET-API-ORIGIN
X-ET-API-VERSION
Display
X-ET-API-ROOT
SiteSpeed
X-Sol
X-TNCMS
X-Whom
X-Cache-Config
X-Loop
X-User-Agent
X-Litespeed-Cache
Liferay-Portal
Strikingly-Cached
Strikingly-Cached-Version
Strikingly-Cache-Region
X-DealerOn
X-Abgroup
X-Cluster-Node
X-Dealeron-Original-Url
X-Dealeron-Backend
X-RESOURCE
X-URLSCHEME
X-Cache-Key
X-Vip
Access-Control-Request-Method
Cache-Key
X-Pool
Request-Id
Fastcgi-Cache
X-Clacks-Overhead
X-Goog-Hash
X-Handled-By
X-LiteSpeed-Cache-Control
Req-Id
Generator
X-N-OperationId
X-ServerName
WP-FROM-CACHE
X-S
Public-Key-Pins-Report-Only
Surrogate-Control
Akamai-IP
CS-SERVER
X-Micro-Cache
X-Hostname
W
X-Xss-Protection
X-SRV
X-Unbounce-PageId
X-Unbounce-Variant
X-Unbounce-VisitorID
X-PERF
X-ApacheServer
X-Server-Instance
X-Cached
Pagespeed
X-Storage-Cache-Expires
X-OneAgent-JS-Injection
X-AspNetWebPages-Version
X-Storage-Cache-Date
X-Ruxit-JS-Agent
X-HS-Content-Campaign-Id
X-Cache-Info
X-LB-Server
PageSpeed
X-Storage-Cache
FindLaw
X-TTFB
X-SmugMug-Values
X-Content-Security-Policy
X-Env
X-SmugMug-Hiring
X-Wikidot-Backend
X-Path-Route
X-ARC
X-FB-Debug
Public-Key-Pins
X-Generated
X-Wikidot-Static-Cache
X-TTFB-L
Smug-CDN
SN
Grace
X-Device-Type
X-SP-Farm
SPRequestDuration
SPIisLatency
X-SP-UniqueName
X-Locale
X-Hosted-By
Cache-Provider
X-Hrouter
X-Translation
X-Microcachable
X-Varnish-Debug-TTL
X-Varnish-Debug-Age
Retry-After
X-Span
X-Request-Time
X-Hstore
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-FORWARDED-FOR
X-Microcache-Status
X-Key
X-RateLimit-Remaining
X-Jimdo-Wid
X-Via-S
X-ENDPOINT
X-Varnish-Debug-Hits
X-Sapient
X-ROUTING
X-Lambda-Id
X-Hyper-Cache
X-Forwarded-For
X-Jimdo-Instance
X-Origin-Id
X-FIRSTBase
X-ORIKEY
X-RateLimit-Reset
X-XN-Trace-Token
Powered-By-ChinaCache
X-Instart-Request-ID
Content-Style-Type
X-Cache-Miss-From
X-Sedo-Request-Id
X-Response-Time
X-Supported-By
Content-Script-Type
X-Topify-Platform
X-XN-XNHTML
X-Appmachine-Environment
ServerID
Content-Encoding-Handler
X-Dns-Prefetch-Control
X-Ezoic-Cdn
IM-Version
X-Application-Context
X-RateLimit-Limit
ViewMode
VSID
SSPAppContext
X-APIAUTH-VAL
X-Cached-By
X-APIVERSION
USPLoggingUUID
ServerNode
*
X-Accel-Expires
X-SSL-Protocol
X-Engine
X-4ormat-Cacheable
Request-EU
Version
Aurora-Node
X-Trace-Id
X-Microcache
Rt-Fastcgi-Cache
X-Server-Upstream
X-SSL-Cipher
X-Vcache
Firespring-Website-Id
X-Middleware-Start
Use-Proxy
ServedBy
MC
Request-Country
Node
X-HeBS-Cache-Status
X-Sucuri-ID
X-Sucuri-Cache
X-Stale
X-Varnish-Beresp-Grace
X-Varnish-Beresp-Status
X-GUploader-UploadID
Accept-Encoding
X-Varnish-Server
X-Varnish-Beresp-Ttl
X-Returned-From-DLL
X-Returned-From
X-Origin
X-Magento-Cache-Debug
X-Magento-Cache-Control
X-HS-Status
X-Original-Request
X-Passed-To
X-Ratelimit-Reset
X-Ratelimit-Remaining
X-Ratelimit-Limit
X-Passed-To-DLL
X-Goog-Stored-Content-Length
TCN
X-Edge-IP
X-Dscp-Value
X-App-Status
X-Consent-Required
X-Edge-Location
X-Debug-Info
X-Appid
X-Dw-Request-Base-Id
X-Empowered-By
X-UD-Method
X-Environment
X-NWS-LOG-UUID
X-VARITI-CCR
X-Goog-Stored-Content-Encoding
X-Generated-Timestamp
X-Fedora-School-Id
X-Goog-Storage-Class
X-Goog-Metageneration
X-DNS-Prefetch-Control
X-Daa-Tunnel
X-Goog-Generation
X-FromPodPressCache
X-Firefox-Spdy
Origin
MIME-Version
Load-Balancer
IES-Server
Feature-Policy
X-Pantheon-Environment
X-GeoIP-Country-Code
X-Original-Date
X-Cookie-Domain
Surrogate-Key-Raw
Hummingbird-Cache
Composed-By
X-Umbraco-Version
X-Pantheon-Site
X-Rocket-Nginx-Bypass
Ssl-Proxy-Server
Service-Worker-Allowed
X-Pantheon-Phpreq
Xkey
Imagetoolbar
RequestId
X-GeoIP-Country-Name
X-NoCache
X-Actual-URL
REFRESH
PBS
X-Matrix-Proxy
X-Cache-Control-Orig
X-Cache-Handler
X-Fastcgi-Cache
X-Amz-Meta-S3cmd-Attrs
X-Expires-Orig
X-CPU-Time
Fpc-Cache-Id
X-Matrix-Server
X-Speed-Cache-Key
X-Speed-Cache
X-Proxy-Backend
X-Processing-Time
X-URL
X-VC-Enabled
X-Mighty-Proxy
X-Discourse-Route
X-WEBMGR-CACHE
Surrogate-Key