
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
X-Cache
Alternate-Protocol
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Buckets
X-Template
X-Generator
X-Hacker
WP-Super-Cache
Status
MS-Author-Via
X-Drupal-Cache
X-Cacheable
Access-Control-Allow-Origin
X-Pad
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Server
X-Host
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-Logged-In
X-UA-Device
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Content-Encoding
X-Cache-Hits
X-Tumblr-Pixel-1
X-INKT-URI
X-INKT-SITE
X-Robots-Tag
X-Tumblr-Pixel-2
Host-Header
X-SharePointHealthScore
SPRequestGuid
X-Cnection
X-PhApp
X-W3TC-Minify
X-Varnish-Cache
X-Webserver
X-CF-Powered-By
X-Via
Served-By
Composed-By
X-Page-Speed
Strict-Transport-Security
X-Forwarded-For
X-Firenze-Processing-Times
X-Served-By
X-ServedBy
X-Hostname
X-Url
X-Iinfo
X-XN-Trace-Token
X-XN-XNHTML
X-Accel-Version
X-Tumblr-Pixel-3
Access-Control-Allow-Headers
X-MS-InvokeApp
X-Mobilized-By
Cartoon
X-ContextId
Access-Control-Allow-Methods
X-ShardId
X-Alternate-Cache-Key
X-ShopId
X-CDN
X-Stats-Unique-Token
X-Stats-Visit-Token
X-AH-Environment
X-Umbraco-Version
X-Backend
X-Powered-By-360WZB
Content-Style-Type
Content-Script-Type
Refresh
Liferay-Portal
X-Cache-Info
X-Server-Name
Magicmarker
X-PC-Hit
X-PC-AppVer
X-PC-Date
X-PC-Host
X-PC-Key
X-From
Powered-By-ChinaCache
X-Geo
X-Geo-Port
Thanks
X-Ua-Compatible
X-Cache-Server
X-HeyJason
Rating
X-Amz-Id-2
X-Outils-CS
TCN
Cf-Railgun
X-Amz-Request-Id
Page-Completion-Status
X-FB-Debug
X-Powered-By-Anquanbao
X-Content-Digest
Real-Hostname
X-TN-ServedBy
X-URL
X-Loop
X-PHP-Engine
X-Original-Content-Length
Imagetoolbar
X-Tumblr-Pixel-4
X-Px
X-Spip-Cache
NS-RTIMER-COMPOSITE
Request-Id
SPIisLatency
SPRequestDuration
X-Generated-By
IBM-Web2-Location
X-Content-Encoded-By
X-Tumblr-Content-Rating
X-Matrix-Proxy
X-Matrix-Server
X-TNCMS-Render-Time
X-TNCMS-Served-By
X-TNCMS-Version
X-TNCMS-Memory-Usage
X-ChromeLogger-Data
X-Amz-Cf-Id
X-Drectory-Script
PICS-Label
X-CDN-Geo
X-CDN-Any-IP
X-CDN-Geo-IP
X-Cache-Status
Set-Cookie2
X-Device
X-Cached-By
X-Tumblr-Pixel-5
IISExport
ServerName
Access-Control-Max-Age
X-Firenze-Processing-Time
X-Node
X-Cached
X-CMS-Version
X-Timer
Retry-After
CF-Cache-Status
X-PF-Uncompressing
X-DynaTrace
X-Trace-App
DynaTrace
X-I
Generator
Accept-Encoding
X-FORWARDED-FOR
ServedBy
X-B2f-Cache-Load
X-DDC-Arch-Trace
X-Age
COMMERCE-SERVER-SOFTWARE
Lsrequestid
X-ATG-Version
X-SDS
Pics-Label
Powered-By
X-Processed-By
Product
X-Cache-Debug
RTSS
X-Backend-Server
X-ApacheServer
MIME-Version
Edge-Control
X-Cache-Hit
SID
Time
X-PERF
X-Vary-Options
X-Nitra-Side
X-Pantheon-Styx-Hostname
X-Pantheon-Endpoint
Access-Control-Request-Method
X-Hosted-By
X-UD-Host
X-UD-Method
Content-Encoding-Handler
X-NoCache
X-Purge-Host
X-PwB-Node
X-Original-Request
X-Speed-Cache-Key
X-Vtex-Remote-Cache
X-Vtex-Cache-Key
X-Art-Request-Id
Host
X-DynaTrace-JS-Agent
X-LiteSpeed-Cache
Machine
X-Director
X-Srv
X-DNS-Prefetch-Control
LFY
Surrogate-Control
SFY
X-Actual-URL
X-Passed-To
X-App-Hosting
WWW-Authenticate
X-Returned-From-BeforeDispatch
X-Passed-To-DLL
X-Passed-To-PostProcessResponse
X-Returned-From
X-Handled-By
X-Returned-From-PostProcessResponse
X-Passed-To-BeforeDispatch
X-FIRSTBase
X-Returned-From-DLL
X-Cache-Enabled
X-Cookie-Domain
Location
Node
NODE
X-Speed-Cache
AMF-Ver
X-Yadis-Location
X-Varnish-Backend
Charset
MW-Webserver
X-Purge-URL
X-Cache-Expires
X-Served-From-Cache
X-Orig-Vary
X-Expires-Orig
X-WebServer
X-FW
X-Ms-Invokeapp
Cm-Server
X-Cache-Control-Orig
Proxy-Agent
Microsoftsharepointteamservices
X-CJ-Soft
X-ACMCache
Fhost
VAR-Cache
X-LIGHTHTTP-PCDID
Cache
Proxy-Connection
Content-Disposition
X-SERVER
X-GeoIP-Country-Code
X-ServerID
X-ServerName
X-Sharepointhealthscore
X-StoreSense
Filter-Revision
X-ProStores-StoreApiEntryPoint
Sprequestguid
X-GeoIP-Country-Name
X-Micro-Cache
X-TTL
X-Varnish-TTL
X-Duration
X-Content-Options
X-Request-ID
X-Cocoon-Version
Server-Info
Website-Info
S
X-Trace-Cache
X-Yqk-Set
ORIGIN
X-Track
CT
X-Powered-By-Yqk
X-Source-Host
X-Cache-Rule
X-Server-ID
X-Time
Req-Id
X-Adobe-Content
SN
X-App-Start
X-Pangea-Version
X-Sys-Req-ID
Webluker-Edge
Nodo
Hamster
X-Gamma-Serve
X-SRV
UniqueName
X-AOL-SNH
X-Blog
X-MJ-Upstream-Addr
X-Hits
X-Session-Reinit
Debug-IP-Cntry
X-Old-Content-Length
X-MJ-Serve-Req-Time
X-Microcachable
Accept-Charset
NetMindSessionID
QOR-Cache
X-App
Debug
X-Info
Debug-Begin-IP
X-WR-Flags
X-CHSN
Id
X-Front
X-Highwire-SessionId
X-Highwire-RequestId
X-Cluster-Node
X-Engine
X-Trash-Talk
A-Powered-By
X-Target
Pagely
CommunityServer
X-Varnish-Host
From
X-Varnish-Hits
X-Cache-TTL
ServerID
X-HS-MC-Reqs
NtCoent-Length
X-UPSTREAM
X-AspNetWebPages-Version
X-N
X-Varnish-Action
X-Cache-Action
X-Phpwcms-Page-Processed-In
X-Kirra-SiteId
X-Accelerated-By
X-Phpwcms-Release
X-ServerCache-Info
X-Pass-Why
X-Atraveo-Varnish-Server-Id
MvcResult
X-Atraveo-NC
X-Src-Webcache
X-Atraveo-Cache-Control
Server2
X-Distil-CS
X-Atraveo-From-Varnish-Cache
X-Varnish-Age
X-Atraveo-TTL
X-Varnish-IP
X-Server-Web
X-Microcache-Status
X-ASTRO-REWRITE
X-Device-Type
X-Cdn
X-Bettercache-Proxy
OHS-WebNode
X-Cache-Operation
X-Turbo-Control
X-DeliveryServer
X-PvInfo
X-Wily-Info
X-Machine-Name
X-Wily-Servlet
ScoreTracker
X-Header
X-Varnish-Server
Ibm-Web2-Location
X-Grid-Server
X-Ttl
X-ID
X-Geo-IP
X-Object-Type
X-Source
X-Object-Id
X-Enhanced-By
Pool-Info
Server-Name
MirrorName
X-Force
X-Database-Slave-Connection
X-Request-Duration
X-EdgeRouter
X-CacheHits
X-Hrouter
SynthaSite-ID
Content-Transfer-Encoding
X-Benchmark-Cache
SEOMOZ
MJ12bot
X-Benchmark-Db
X-Benchmark-Sphinx
X-Benchmark-Total
X-Benchmark-Sphinx-Count
X-Channel-Maxage
X-Whom
X-Source-ID
X-PRAM
X-Response-Time
X-FreeTag-Count
X-Id
X-LI-UUID
X-Li-Pop
X-Country-Code
X-S
X-Li-Fabric
X-Directory-Script
WP-Cache
Warning
X-Frontend
X-FS-UUID
Author
-Onnection
OriginServer
X-GLaDOS
Backend
X-HOSTTYPE
X-USERNAME
Provided-Host
RequestTime
X-Haiku
X-App-Server
X-Amz-Id-1
X-Amz-Meta-S3cmd-Attrs
X-Max-Age
X-Debug
Pool
X-Garden-Version
X-SV
X-Jcms-Ajax-Id
X-Uid
X-Farm-Server
X-ACCELERATE
X-Version
X-Transaction
X-Varnish-Debug-Hits
X-Framework
X-Varnish-Debug-Age
NLCacheNote
X-Magento-Lifetime
X-Varnish-Cache-Hits
X-Nginx-Cache
X-CMS-Server
X-SN
Bs-Header
X-WLD-LB
X-REDIRECTSERVER
F-In-Cache
X-WP
X-Monstercache-Timeout
X-Expires
X-Magento-Action
X-Vivastreet
X-Vivastreet-KiwiiPage
X-Conf
X-T
X-Ocache
X-UD-Loopcounter
X-Hosting-Env
X-Nginx-Server
If-Modified-Since
X-MidCOM-Meta-Cache
MASTERWEBLET
X-Venda-Hitid
Backend-Host
X-UD-REMOTE-ADDR
X-UD-Target
X-B
Ec
X-Cache-Term
X-Response
Content
X-Cf-Powered-By
X-Via-Kemp
Ssl-Enabled
X-User-Id
X-JSL
X-Varnish-Cache-Local
Compression-Control
X-JAL
X-B2f-Not-Route
SIP
X-Varnish-ID
X-Vhost
Beyond-Iis
X-Varnish-Device
X-Powered
X-Route
Powered
CountryCode
X-Frames-Options
NodeID
X-MCB-Server
Www.Mabracertifiering.Se
Hash
Www.Mirrorgate.Se
Www.Myjob.Se
Jobb.Passal.Se
Jobb.Gil.Se
Jobb.Assistentpoolen.Se
Test.Executivepeople.Se
P3P:CP
X-T3CacheTags
ProxiaInstanceId
D
X-Cache-Me-Harder
A1B2C3
Content-MD5
Srv
Open.Jobgate.Se
Cache-Ctrol
X-Cms-Mode
X-Actindo-RS
X-Node-Name
X-SilverStripe-Cache
Cluster-ID
X-Apache-Backend
X-Content-Age
X-T3CacheInfo
X-T3Cache
CDN
Content-Instance
Front
X-NGINX-CACHED
X-Jphone-Copyright
X-NGINX-CACHED-AT
X-Translation
X-Flex-Lang
X-Flex-Lastmod
X-Flex-Tag
X-Flex-Evstart
X-ManagedFusion-Rewriter-Version
X-Flex-Tags
X-Flex-Evend
X-Rewritten-By
X-Flex-Community
X-Geo-IP-Region
X-Geo-IP-Metro
PowerCDN
WEBO
X-Geo-IP-Country
X-Geo-IPV
X-NewRelic-App-Data
X-Recruiting
SS
SRV
X-Oracle-DMS-ECID
X-Device-Group
X-ERM-ServerName-AppPage
XX
X-ERM-ServerName
X-ERM-RunTime
Hej
LBVIS
X-ATP-Server
X-Mii-Cache-Hit
Cmsid
Cmstype
X-Test
X-FCMS-Cache
Ms
B-Powered-By
X-Web-Node
X-Server-By
X-VarnCache
X-Permitted-Cross-Domain-Policies
X-Pb-Mii
7e-Page-Cache
X-MSG-01
X-Varnish-Debug-Fetch-Host
X-MSG-00
X-DEBUG-X-Id
CacheControlHeader
X-MSG-02
ExecutionTime
X-MSG-04
X-MSG-03
X-DEBUG-Obj-Ttl
No
X-MSG-05
X-Fett
Rt-Fastcgi-Cache
PUBLISH
X-MSG-06
X-Vtex-Processado-Em
CP
X-TISSERVER
Mobiquo-Is-Login
X-ORACLE-DMS-ECID
X-View
Preview-Refresh
X-Powered-By-Server
X-XHR-Current-Location
X-PM-ID
X-GC-App
VTag
WP-AdvCache-MemCached
Proxy-From
Rt-Server
X-Origin-Id
X-Domain-Checked
X-Provisioner-Version
Content-Security-Policy
X-GC-Read
X-Box
X-Varnish-Cache-Server
CacheControlMode
X-GC-Write
Atp-Isdpp
X-Cache-Backend
X-Monstercache
X-Monstercache-Hash
Provider
Xc
INCOMING-TIME
Publisher
POOL
Robots
At-Isb
X-Monstercache-Host
At-Shoptype
X-Optimization
X-Full-URL
X-Artvisual-Server
X-Geoip-Country-Code
Aoestatic
CacheInfoFetch
CacheInfo
X-Utime
X-Pixelsilk-Server
X-Pixelsilk-Version
Noahs-Classifieds
HCVer
X-BKSrc
X-Hc-Host
BKREF
HAVer
X-Secret
X-CMS
TypeOfContent
X-Wm-1
OriginalHost
X-Origin
Optimizer
SVR
X-Time-Microsecs
X-UA
X-Papaya-Cache
X-Varnish-Debug-Varnish-TTL-Set-From-Server
Accept-Language
X-Webstats-RespID
HostName
X-Papaya-Gzip
MIH-PUBLIC-IDENTIFIER
X-PS-MURDOCK-ORIG-PROTOCOL
X-PS-MURDOCK-CASE-NORMALIZATION
X-Answer
X-IP-Address
X-Ratelimit
Keywords
Description
X-Hit
Web-Server
X-Author
X-PS-MURDOCK-ORIG-FILEEXT
MIH-CLIENT-FARM
Web-Head
X-OPNET-Transaction-Trace
OMNI-C
X-Trace
MIH-PLATFORM
Expire
X-Varnish-Cacheable
MachineName
SiteSpect-Identity
Access-Control-Expose-Headers
X-Abuse
X-WA-Info
X-Cache-NHIT
X-FW-Static
X-LAvg
WEBSERVER
No-Cache
X-Platform
X-TLServer
Mime-Version
X-7dig
Application-Version
EbdTrace
X-Varnish-Cookie-Debug
X-Dev
X-Empowered-By
X-Server-Id
X-RE-Ref
Front-End-Https
WebServer
Telligent-Evolution
X-Symfony-Cache
Esi-Enabled
Head
X-PP
Apache
RequestId
SiteName
X-Agentscape-Info
CachedXSLT
X-Host-Url
X-Caching-Rule-Id
X-Header-Set-Id
X-Rewrite
Copyright
X-Cluster-Host
X-7d-Version
X-Nucleus-Cache
X-IDS-WS
X-Forwarded-Proto
X-NginX-Server
X-NginX-Cache
X-CCM
Worker
DeleGate-Ver
X-Client-Vid
X-Cache-Ttl
X-EPiphany-Vid
X-Proxy
X-Execution-Time
X-DELIVERYSERVER
X-SERVERID
X-WorkerInstancename
X-WEBSERVER
X-ServerId
VM
Www.Aujourdhui.Com
X-GeoIP
X-MSEdge-Ref
X-Set-Cookie
X-Backend-Host
X-PHP-Cache
X-Cache-Age
X-Cache-Lifetime
UNIQUE-ID
X-Catalyst
X-Varnish-Count
X-Varnish-HitMiss
X-Developer
X-Crafted
X-IP
X-Mobile
ResourceTag
Public-Extension
Last-Modified:
X-Server-Node
X-NID
X-Page-Generated-At
X-Powered-Developer
WZ-Cache
WZ-Device-Match
X-Status
X-PoolMember
Http
SAVVIS
OGHopCount
X-GitHub-Request-Id
X-Vhost-ID
X-OLM-Node
X-Rot
X-DC-Origin-IP
Cteonnt-Length
Source
X-WR-MODIFICATION
X-Your-GrandPa-Would-Wait
X-Continum-Server
X-RAMCache
X-Hash
X-Stackable-Node
SBMCLOUD
OutputRewritten
X-Config-By
Buuteeq-Source
X-JSON-API-AGE
X-TTL-Age
X-Would-Your-GrandPa-Wait
X-Page-Generation-Time
X-AISO-Server
X-JSON-API-LATENCY
X-JSON-API-TTL
X-Upstream
X-Req-Host
X-CMS-Stage
X-CMS-Sid
X-CMS-State
X-CMS-Tid
X-Bcwwwid
SLB
X-CMS-Nid
X-CMS-Live
X-Modules
X-Serial
Accept
X-CMS-Collection
X-CMS-CRMSet
X-Extra-Header
Test
X-VCache
X-Pagename
X-Environment
X-Cache-Control
X-DEBUG
Login-Required
X-Hit-Cache
HTTP
X-SmugMug-Hiring
X-Web-Hosting-Service-Provider
X-SmugMug-Values
X-TTFB
X-TTFB-L
TimeRestart
X-Allow-Redis
ServerId
X-Life
X-ProxyInstancename
X-RemovedCookies
X-Site:
X-ProcessESI
X-Loc
Progma
X-User-Agent
X-BackendServer
X-Process-Time
Srv-N
Ap-Exec-Time-Mks
X-Unbounce-Instance
Origin
X-Yottaa-Metrics
X-Yottaa-Optimizations
RayEngine
Response
X-Purge-Level
INFO
X-V-TTL
X-V-Outer
Xonnection
X-Created
X-Varnish-Hit
X-Req-Url
X-V-I-TTL
X-AISO-Cache