
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
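The tally described above, as an added example that is not the ISC collection code: it parses HEAD responses (constructed samples here, not real captures), counts each header once per site, and folds case so that variants such as X-XSS-Protection and X-Xss-Protection are not counted as different headers. The set of security-relevant headers is an assumption drawn from the names in the table below.

```python
from collections import Counter

# Security-relevant response headers to report on (assumed set, taken from
# the header names that appear in the survey table).
SECURITY_HEADERS = {
    "x-frame-options", "x-content-type-options", "strict-transport-security",
    "content-security-policy", "referrer-policy", "x-xss-protection",
    "permissions-policy", "expect-ct", "x-permitted-cross-domain-policies",
}

# Constructed sample HEAD responses, one per site (not real captures).
SAMPLE_RESPONSES = {
    "site-a.example": ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                       "X-Frame-Options: DENY\r\n"
                       "Strict-Transport-Security: max-age=31536000\r\n"
                       "Content-Type: text/html\r\n\r\n"),
    "site-b.example": ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                       "X-Xss-Protection: 1; mode=block\r\n"
                       "x-frame-options: SAMEORIGIN\r\n"
                       "Set-Cookie: a=1\r\nSet-Cookie: b=2\r\n"
                       "Content-Type: text/html\r\n\r\n"),
    "site-c.example": ("HTTP/1.1 301 Moved Permanently\r\n"
                       "Location: https://site-c.example/\r\n"
                       "Content-Type: text/html\r\n\r\n"),
}

def header_names(raw_response):
    """Distinct header names in one response, lower-cased so that case
    variants merge and repeated headers (Set-Cookie) count once per site."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]          # drop the status line
    return {ln.split(":", 1)[0].strip().lower() for ln in lines if ":" in ln}

def tally(responses):
    """Per header name, the number of sites that sent it at least once."""
    counts = Counter()
    for raw in responses.values():
        counts.update(header_names(raw))
    return counts

def security_coverage(responses):
    """Fraction of polled sites sending each security-relevant header."""
    counts, n = tally(responses), len(responses)
    return {h: counts[h] / n for h in sorted(SECURITY_HEADERS)}

if __name__ == "__main__":
    for name, count in tally(SAMPLE_RESPONSES).most_common():
        print(f"{count:3d}  {name}")
```

With real data, replace SAMPLE_RESPONSES with the raw HEAD responses collected per site; the case folding is what keeps the two X-XSS-Protection spellings in the table below from splitting one header's count in two.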



All Headers Active In The Past Month
Header Popularity
X-Cache
Set-Cookie
Date
Connection
Content-Type
X-Cache-Lookup
Vary
Server
Via
Cache-Control
X-Amz-Cf-Pop
X-Amz-Cf-Id
Content-Length
X-Edge-Origin-Shield-Skipped
X-Frame-Options
X-Content-Type-Options
ETag
Strict-Transport-Security
Expires
X-Powered-By
Link
Last-Modified
Age
Accept-Ranges
Content-Security-Policy
Referrer-Policy
X-XSS-Protection
X-Xss-Protection
Accept-CH
Pragma
Access-Control-Allow-Origin
Expect-CT
X-Download-Options
CF-RAY
CF-Cache-Status
Content-Language
X-Request-Id
Report-To
NEL
X-DNS-Prefetch-Control
Alt-Svc
Access-Control-Allow-Methods
Access-Control-Allow-Headers
X-UA-Compatible
X-Cache-Hits
X-Amz-Version-Id
X-Permitted-Cross-Domain-Policies
Content-Security-Policy-Report-Only
X-Varnish
X-Envoy-Upstream-Service-Time
EagleId
Access-Control-Allow-Credentials
X-Served-By
P3P
Accept-CH-Lifetime
X-Runtime
X-Adblock-Key
X-Amz-Request-Id
X-Amz-Id-2
Permissions-Policy
X-Generator
X-Cacheable
X-Vhost
X-Dispatcher
X-Meli-Trace-Site
X-D2id
X-Meli-Trace-Bu
X-Meli-Trace-Platform
X-Request-Device-Id
X-Drupal-Cache
X-Navigation-Version
X-Content-Type
X-Element-Page-Cache
X-Drupal-Dynamic-Cache
X-AspNet-Version
Server-Timing
Feature-Policy
Access-Control-Max-Age
Status
X-Timer
X-Backend
X-Content-Security-Policy
Access-Control-Expose-Headers
X-Server
X-Cache-Status
X-Proxy-Cache
X-Dns-Prefetch-Control
X-Iinfo
X-Via
X-CDN
Content-Encoding
X-Varnish-Cache
X-Amzn-Trace-Id
X-Amz-Server-Side-Encryption
Cache-Tag
Xkey
X-WebKit-CSP
X-AspNetMvc-Version
X-ProcessESI
X-Ws-Request-Id
X-Amz-Rid
X-RemovedCookies
X-Turbo-Charged-By
Request-Id
SPIisLatency
SPRequestGuid
X-AH-Environment
X-MS-InvokeApp
SPRequestDuration
X-SharePointHealthScore
Apigw-Requestid
Timing-Allow-Origin
X-Timing-Wait
X-Proxy-Build
Selected-Fe
AMP-Access-Control-Allow-Source-Origin
Front
X-Cacheable-TTL
X-Page-Speed
Xet-Cookie
Expect-Ct
X-Amz-Replication-Status
X-Aspnet-Version
X-Robots-Tag
MicrosoftSharePointTeamServices
Cf-Edge-Cache
X-Node
CloudFront-Viewer-Country
X-Mly-Id
X-LiteSpeed-Cache
X-Host
X-Redirect
X-Device
Grace
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Mod-Pagespeed
Accept-Ch
X-SRCache-Key
Expect-Staple
X-Correlation-Id
X-Hl-Ver
X-Clientip
Countrycode
Mail-Subject
We-Hiring
X-Viewer-Country
X-Rq
Fastly-Restarts
Protected
X-OneAgent-JS-Injection
Request-Context
Cf-Apo-Via
X-Provided-By
X-Ruxit-JS-Agent
X-Cache-Group
X-Readtime
X-Backend-Server
X-Azure-Ref
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Age
X-Server-Powered-By
X-Server-Id
X-User
X-Cache-Time
X-CST
X-Oneagent-Js-Injection
X-Ruxit-Js-Agent
X-Cache-TTL
Accept-Ch-Lifetime
Content-Location
X-Amzn-RequestId
X-T
X-Amz-Apigw-Id
X-Ua-Compatible
Allow
X-Status
X-HW
X-Debug-Info
Liferay-Portal
X-Powered-By-Plesk
Cloudfront-Viewer-Country
X-Country-Code
X-Language
X-Vcl-Version
X-Trace
Odigeo-Trace-Id
Cf-Railgun
Resin-Trace
X-B3-TraceId
X-Cdn
P3p
X-Envoy-Decorator-Operation
X-ID
X-Generated-By
X-Server-ID
X-Yottaa-Metrics
Request-ID
X-Yottaa-Optimizations
X-B3-TraceId-Primal
X-NODE
X-Api-Version
X-Pinterest-Rid
Pinterest-Version
Pinterest-Generated-By
X-Template
X-UA-Device
AKAMAI-GRN
MRF-Tech
Mrf-Cache-Status
X-Akam-SW-Version