
SANS Internet Storm Center: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We request the index page of each site with an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
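As an added illustration of the tallying described above (example code, not the ISC project's own), the following Python counts, over a few constructed HEAD responses, how many sites send each header and what fraction send the security-relevant ones named on this page. It folds case variants together, since HTTP header names are case-insensitive, whereas the raw histogram below lists X-Frame-Options and X-FRAME-OPTIONS as separate rows.

```python
from collections import Counter

# Security headers named on the page, lower-cased: HTTP header names are case-insensitive
# (RFC 7230), so the page's separate X-Frame-Options / X-FRAME-OPTIONS rows fold into one.
SECURITY_HEADERS = ("x-frame-options", "x-xss-protection", "x-content-type-options",
                    "strict-transport-security", "content-security-policy", "referrer-policy")

# Constructed sample HEAD responses (status line + header block); not real sites.
SAMPLE_RESPONSES = {
    "site-a.example": (
        "HTTP/1.1 200 OK\r\nServer: nginx\r\nSet-Cookie: a=1\r\nSet-Cookie: b=2\r\n"
        "X-Frame-Options: SAMEORIGIN\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n"
    ),
    "site-b.example": (
        "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
        "X-FRAME-OPTIONS: DENY\r\nX-XSS-Protection: 1; mode=block\r\n\r\n"
    ),
    "site-c.example": (
        "HTTP/1.1 301 Moved Permanently\r\nLocation: https://site-c.example/\r\n"
        "Server: nginx\r\nContent-Type: text/html\r\n\r\n"
    ),
}

def header_names(raw_response):
    """Lower-cased set of header names in one raw response (each name counted once)."""
    names = set()
    for line in raw_response.split("\r\n")[1:]:  # [0] is the status line
        if not line:                              # blank line ends the header block
            break
        name, sep, _ = line.partition(":")
        if sep and name.strip():
            names.add(name.strip().lower())
    return names

def tally_headers(responses):
    """Number of sites that sent each header at least once, like the ISC histogram."""
    counts = Counter()
    for raw in responses.values():
        counts.update(header_names(raw))
    return counts

def security_header_coverage(responses):
    """Fraction of sites sending each security-relevant header."""
    counts, total = tally_headers(responses), len(responses)
    return {h: counts[h] / total for h in SECURITY_HEADERS}

if __name__ == "__main__":
    for name, n in tally_headers(SAMPLE_RESPONSES).most_common():
        print(f"{n:3d}  {name}")
    for h, frac in security_header_coverage(SAMPLE_RESPONSES).items():
        print(f"{frac:6.1%}  {h}")
```

Counting per site rather than per occurrence matters for headers such as Set-Cookie that often repeat within one response.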



All Headers Active In The Past Month
Header (ordered by popularity)
Set-Cookie
Content-Type
Date
Connection
Server
Vary
Cache-Control
Link
Expires
X-Powered-By
Content-Length
Pragma
Last-Modified
Accept-Ranges
ETag
X-Content-Type-Options
X-XSS-Protection
Strict-Transport-Security
X-Cache
X-Frame-Options
CF-RAY
Content-Language
Age
X-Wix-Server-Artifact-Id
X-Accel-Buffering
X-Pingback
Via
P3P
Expect-CT
X-AspNet-Version
X-Cacheable
X-UA-Compatible
Content-Security-Policy
X-Via
X-ServedBy
X-Contextid
X-PC-Key
X-PC-Hit
X-Request-Id
X-Wix-Request-Id
X-Seen-By
X-PC-Host
X-PC-Date
X-PC-AppVer
WPE-Backend
X-Type
X-Pass-Why
X-Cache-Group
Access-Control-Allow-Origin
X-UA-Device
X-Ua-Compatible
X-Rid
X-Tumblr-Pixel-0
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-1
X-NewRelic-App-Data
X-Permitted-Cross-Domain-Policies
X-Download-Options
X-Tumblr-Pixel-2
X-Adblock-Key
X-Check
X-Sorting-Hat-PrivacyLevel
X-Sorting-Hat-Section
X-Sorting-Hat-ShopId
X-Sorting-Hat-ShopId-Cached
X-Sorting-Hat-PodId-Cached
X-ShopId
X-Sorting-Hat-PodId
Upgrade
X-Dc
X-Alternate-Cache-Key
X-ShardId
X-Sorting-Hat-FeatureSet
Referrer-Policy
Alt-Svc
X-Template
X-Language
X-Tumblr-Pixel-3
Host-Header
X-Buckets
X-Ac
X-Hacker
X-Runtime
X-Varnish
X-Cache-Hits
X-Generator
X-WPE-Loopback-Upstream-Addr
X-Served-By
X-TEC-API-VERSION
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-Host
P3p
X-Drupal-Cache
X-CST
X-Tumblr-Pixel-4
X-Timer
X-Backend
X-Endurance-Cache-Level
X-Cache-Hit
X-Port
X-Newrelic-App-Data
X-AspNetMvc-Version
CF-Cache-Status
Access-Control-Allow-Headers
Status
Access-Control-Allow-Methods
X-Amz-Cf-Id
X-Powered-By-Plesk
X-FRAME-OPTIONS
Access-Control-Allow-Credentials
X-Cache-Enabled
X-Request-ID
X-Iinfo
Content-Location
X-Cache-Status
X-FW-Hash
X-FW-Server
X-Webcom-Cache-Status
X-FW-Static
X-FW-Serve
X-FW-Type
Keep-Alive
X-Robots-Tag
X-Server
X-Wix-Punisher
X-Tumblr-Pixel-5
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-CDN
X-Hits
X-GitHub-Request-Id
X-Proxy-Cache
Content-Encoding
X-Rack-Cache
Rating
Edge-Control
X-FullPageCaching
MS-Author-Via
X-Tumblr-Content-Rating
X-Trace
X-HS-Cache-Config
Edge-Cache-Tag
X-DDC-Arch-Trace
X-HS-Content-Id
X-BC-Stapler
X-Tumblr-Pixel-6
X-Pad
X-Server-Powered-By
Powered-By
X-HS-Combine-CSS
X-Amz-Request-Id
X-Amz-Id-2
X-Turbo-Charged-By
X-DIS-Request-ID
X-Mod-Pagespeed
X-Drupal-Dynamic-Cache
X-Nginx-Cache-Status
X-INKT-SITE
X-INKT-URI
X-IPLB-Instance
Content-Security-Policy-Report-Only
X-LiteSpeed-Cache
Request-Context
X-Fastly-Request-ID
P-WS
P-LB
X-XRDS-Location
X-Logged-In
X-CF-Powered-By
X-Version
X-Content-Digest
X-Accel-Version
Allow
X-Page-Speed
X-Acc-Exp
Last-Published
Charset
X-Zen-Fury
X-Request-Country
X-Svr-Proxy
X-SVR-IIS
Timing-Allow-Origin
X-SSLProxy
X-SSLUpstream
Access-Control-Max-Age
X-Cdn
Cf-Railgun
X-Upstream
X-Cnection
X-Server-Name
X-Content-Powered-By
X-Varnish-Cache
X-AH-Environment
Permitted-Cross-Domain-Policies
X-Do-Not-Hack
X-HeyJason
MicrosoftOfficeWebServer
X-Cache-Lookup
X-LW-Cache
X-Amz-Version-Id
MicrosoftSharePointTeamServices
WP-Super-Cache
X-SharePointHealthScore
X-Varnish-TTL
X-Device
SPRequestGuid
EagleId
Access-Control-Expose-Headers
X-Safe-Firewall
X-Varnish-Count
Cartoon
X-MS-InvokeApp
X-Cloud-Trace-Context
X-Varnish-HitMiss
X-Swift-CacheTime
X-Swift-SaveTime
X-StackifyID
X-Source
X-SS-Location
X-PhApp
X-Webserver
X-VCache
X-SS-Conf
X-Kinsta-Cache
X-Backend-Server
X-Middleton-Display
Display
Response
X-ET-API-ROOT
X-ET-API-VERSION
X-Sol
X-Middleton-Response
SiteSpeed
X-ET-API-ORIGIN
X-Loop
X-Whom
X-Cache-Config
X-User-Agent
X-TNCMS
Liferay-Portal
X-Litespeed-Cache
X-Powered-CMS
Strikingly-Cached-Version
X-Cluster-Node
X-Abgroup
X-URLSCHEME
Strikingly-Cached
Strikingly-Cache-Region
X-Cache-Key
X-DealerOn
X-Dealeron-Original-Url
X-RESOURCE
X-Dealeron-Backend
Cache-Key
Access-Control-Request-Method
X-Vip
Request-Id
X-Pool
X-Goog-Hash
X-Clacks-Overhead
Fastcgi-Cache
X-LiteSpeed-Cache-Control
Generator
Req-Id
X-Handled-By
X-Xss-Protection
X-N-OperationId
Public-Key-Pins-Report-Only
X-Node
X-Micro-Cache
WP-FROM-CACHE
X-S
Surrogate-Control
X-Hostname
X-ServerName
W
CS-SERVER
X-Server-Instance
X-Storage-Cache-Date
X-Storage-Cache-Expires
X-AspNetWebPages-Version
X-Storage-Cache
X-Cached
X-Unbounce-Variant
X-Unbounce-PageId
X-SRV
X-Unbounce-VisitorID
FindLaw
X-Cache-Info
X-LB-Server
Pagespeed
X-HS-Content-Campaign-Id
X-Ruxit-JS-Agent
PageSpeed
X-OneAgent-JS-Injection
X-Wikidot-Backend
X-TTFB
X-TTFB-L
SN
Public-Key-Pins
X-SmugMug-Values
Grace
X-Generated
X-Wikidot-Static-Cache
X-Locale
X-SP-UniqueName
X-Content-Security-Policy
X-Env
SPRequestDuration
X-ARC
X-Path-Route
X-SP-Farm
X-SmugMug-Hiring
X-Hosted-By
Smug-CDN
X-Device-Type
SPIisLatency
X-SRCache-Store-Status
X-FORWARDED-FOR
X-SRCache-Fetch-Status
X-Microcachable
X-Request-Time
X-Span
X-Hstore
X-Hrouter
Retry-After
Cache-Provider
X-Key
X-Microcache-Status
X-Varnish-Debug-Age
X-Varnish-Debug-TTL
X-Translation
X-Lambda-Id
USPLoggingUUID
Content-Style-Type
Content-Script-Type
X-Origin-Id
X-Hyper-Cache
Powered-By-ChinaCache
X-ENDPOINT
X-Sedo-Request-Id
X-Dns-Prefetch-Control
X-Ezoic-Cdn
X-FIRSTBase
X-ORIKEY
X-Forwarded-For
X-Instart-Request-ID
X-ROUTING
X-Application-Context
X-Jimdo-Instance
X-Via-S
X-Topify-Platform
X-XN-XNHTML
X-Appmachine-Environment
ServerID
X-Varnish-Debug-Hits
X-Jimdo-Wid
X-RateLimit-Remaining
X-RateLimit-Reset
IM-Version
X-Supported-By
X-RateLimit-Limit
Content-Encoding-Handler
X-XN-Trace-Token
X-Cache-Miss-From
ServerNode
SSPAppContext
VSID
ViewMode
X-Response-Time
X-APIAUTH-VAL
X-Sapient
*
X-Cached-By
X-APIVERSION
Request-Country
Request-EU
Node
X-PERF
X-ApacheServer
X-SSL-Cipher
X-Accel-Expires
Use-Proxy
X-SSL-Protocol
X-Microcache
Rt-Fastcgi-Cache
X-Vcache
Firespring-Website-Id
X-Middleware-Start
ServedBy
MC
X-Trace-Id
X-Server-Upstream
X-Engine
X-4ormat-Cacheable
Version
Aurora-Node
X-Origin
X-Magento-Cache-Debug
X-Original-Request
X-Passed-To-DLL
X-Ratelimit-Remaining
X-Ratelimit-Limit
X-Magento-Cache-Control
X-Passed-To
X-FromPodPressCache
X-Fastcgi-Cache
X-App-Status
X-Expires-Orig
X-CPU-Time
X-Cache-Handler
X-NWS-LOG-UUID
X-DNS-Prefetch-Control
X-Firefox-Spdy
X-Edge-IP
X-HS-Status
X-Edge-Location
TCN
X-Dscp-Value
X-Fedora-School-Id
X-Varnish-Beresp-Grace
X-FB-Debug
X-PHP-Backend
X-Varnish-Server
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Status
X-UD-Method
X-Generated-Timestamp
X-Returned-From
X-Ratelimit-Reset
Accept-Encoding
X-Returned-From-DLL
X-Stale
X-VARITI-CCR
X-Sucuri-ID
X-Sucuri-Cache
X-Daa-Tunnel
Service-Worker-Allowed
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length
X-Goog-Storage-Class
X-Goog-Metageneration
X-Goog-Generation
X-GUploader-UploadID
X-HeBS-Cache-Status
X-Original-Date
X-Pantheon-Environment
X-Mighty-Proxy
X-Matrix-Server
X-Matrix-Proxy
X-Environment
X-Empowered-By
Ssl-Proxy-Server
Surrogate-Key
RequestId
Imagetoolbar
Feature-Policy
Surrogate-Key-Raw
X-Amz-Meta-S3cmd-Attrs
X-Dw-Request-Base-Id
X-Discourse-Route
X-Debug-Info
X-Consent-Required
X-Pantheon-Phpreq
X-Pantheon-Site
X-Speed-Cache-Key
X-URL
X-Speed-Cache
X-Proxy-Backend
X-Processing-Time
X-VC-Enabled
X-WEBMGR-CACHE
X-Actual-URL
REFRESH
PBS
Fpc-Cache-Id
X-NoCache
X-GeoIP-Country-Name
Composed-By
Hummingbird-Cache
Xkey
X-Umbraco-Version
X-Rocket-Nginx-Bypass
IES-Server
Load-Balancer
X-GeoIP-Country-Code
X-Cookie-Domain
Origin
MIME-Version
X-Cache-Control-Orig