Internet Storm Center
Training
Certification
Cyber Security Graduate School
Security Awareness Training
Computer Forensics
Penetration Testing
IT Audit
Software Security
This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.
Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.
As we collect more data, we will plot changes over time.
Statistic summary for Wednesday May 16th 2012. 21688 distinct hosts.| Header | # of Hosts | ||
|---|---|---|---|
| Content-Type | 21688 |  | |
| Date | 21645 | | |
| Server | 21367 | | |
| Connection | 18596 | | |
| Set-Cookie | 16361 | | |
| X-Powered-By | 12700 | | |
| Cache-Control | 10945 | | |
| Content-Length | 8237 | | |
| Expires | 7897 | | |
| Last-Modified | 7373 | | |
| Vary | 6927 | | |
| Pragma | 6089 | | |
| Accept-Ranges | 4703 | | |
| ETag | 4658 | | |
| X-Pingback | 3337 | | |
| P3P | 1675 | | |
| X-AspNet-Version | 1249 | | |
| X-XSS-Protection | 867 | | |
| X-Content-Type-Options | 857 | | |
| Content-Location | 680 | | |
| Link | 611 | | |
| X-Cache | 414 | | |
| Content-Language | 374 | | |
| Via | 360 | | |
| Age | 302 | | |
| X-UA-Compatible | 255 | | |
| X-Varnish | 193 | | |
| X-Hacker | 155 | | |
| MicrosoftOfficeWebServer | 146 | | |
| Keep-Alive | 138 | | |
| Status | 136 | | |
| WP-Super-Cache | 134 | | |
| X-Pad | 124 | | |
| X-Runtime | 118 | | |
| X-Tumblr-User | 102 | | |
| X-Tumblr-Usec | 102 | | |
| X-Frame-Options | 81 | | |
| X-Powered-By-Plesk | 67 | | |
| X-Nananana | 65 | | |
| X-Cache-Lookup | 64 | | |
| X-AspNetMvc-Version | 55 | | |
| MS-Author-Via | 55 | | |
| X-Generator | 55 | | |
| X-Server | 45 | | |
| X-Cnection | 44 | | |
| X-Host | 44 | | |
| X-Drupal-Cache | 43 | | |
| X-Powered-CMS | 42 | | |
| X-XRDS-Location | 38 | | |
| X-Cacheable | 37 | | |
| X-PhApp | 30 | | |
| X-Webserver | 30 | | |
| X-INKT-URI | 28 | | |
| X-XN-Trace-Token | 28 | | |
| X-XN-XNHTML | 28 | | |
| X-INKT-SITE | 28 | | |
| X-Mobilized-By | 27 | | |
| Composed-By | 25 | | |
| X-Mod-Pagespeed | 24 | | |
| X-ServedBy | 24 | | |
| X-Robots-Tag | 24 | | |
| Content-Script-Type | 22 | | |
| Served-By | 21 | | |
| REFRESH | 21 | | |
| Content-Encoding | 20 | | |
| MicrosoftSharePointTeamServices | 18 | | |
| Access-Control-Allow-Origin | 18 | | |
| X-CF-Powered-By | 17 | | |
| X-Request-Id | 17 | | |
| X-Rack-Cache | 16 | | |
| X-Check | 14 | | |
| X-Template | 14 | | |
| X-Language | 14 | | |
| X-Served-By | 13 | | |
| X-Cache-Hits | 12 | | |
| Content-Style-Type | 12 | | |
| X-Outils-CS | 11 | | |
| X-Backend | 11 | | |
| X-Firenze-Processing-Times | 11 | | |
| Pics-Label | 10 | | |
| X-Generated-By | 10 | | |
| IISExport | 10 | | |
| X-Alternate-Cache-Key | 10 | | |
| X-Cache-Server | 9 | | |
| Imagetoolbar | 9 | | |
| X-Matrix-Server | 9 | | |
| X-SharePointHealthScore | 9 | | |
| SPRequestGuid | 9 | | |
| X-Umbraco-Version | 9 | | |
| Page-Completion-Status | 9 | | |
| X-Cache-Group | 8 | | |
| X-Type | 8 | | |
| Liferay-Portal | 8 | | |
| X-Secret | 8 | | |
| X-Drectory-Script | 8 | | |
| X-FB-Debug | 7 | | |
| Xonnection | 7 | | |
| X-Whom | 6 | | |
| X-Matrix-Proxy | 6 | | |
| NS-RTIMER-COMPOSITE | 6 | | |
| X-CJ-Soft | 6 | | |
| X-DDC-Arch-Trace | 6 | | |
| X-Enhanced-By | 5 | | |
| X-PWb-Node | 5 | | |
| X-Wily-Servlet | 5 | | |
| MIME-Version | 5 | | |
| X-Wily-Info | 5 | | |
| Content-Disposition | 5 | | |
| TCN | 5 | | |
| X-Cdn | 5 | | |
| Powered-By-ChinaCache | 5 | | |
| X-RateLimit-Remaining | 5 | | |
| X-GitSHA | 5 | | |
| X-PosterousHostName | 5 | | |
| X-CMS-Version | 5 | | |
| X-RateLimit-Limit | 5 | | |
| IBM-Web2-Location | 5 | | |
| X-AH-Environment | 4 | | |
| COMMERCE-SERVER-SOFTWARE | 4 | | |
| Cm-Server | 4 | | |
| Generator | 4 | | |
| X-ELC-Checkpoint4 | 4 | | |
| X-Server-Name | 4 | | |
| X-PHP-Engine | 4 | | |
| X-Px | 4 | | |
| X-Grid-Server | 4 | | |
| X-TN-ServedBy | 4 | | |
| X-Loop | 4 | | |
| X-Cache-Info | 4 | | |
| Real-Hostname | 4 | | |
| X-PvInfo | 4 | | |
| Cartoon | 4 | | |
| X-Content-Encoded-By | 4 | | |
| Thanks | 3 | | |
| X-UD-Host | 3 | | |
| Accept-Encoding | 3 | | |
| X-UD-Method | 3 | | |
| X-Page-Speed | 3 | | |
| X-UD-Target | 3 | | |
| Location | 3 | | |
| From | 3 | | |
| Iinfo | 3 | | |
| X-Amz-Id-2 | 3 | | |
| X-Amz-Request-Id | 3 | | |
| X-Software-Info | 3 | | |
| X-Varnish-Cache | 3 | | |
| X-PF-Uncompressing | 3 | | |
| CP | 3 | | |
| Loadtime-Newsletter | 3 | | |
| X-Expires-Orig | 3 | | |
| Railo-Version | 3 | | |
| X-Cache-Control-Orig | 3 | | |
| Access-Control-Allow-Headers | 3 | | |
| X-ACMCache | 2 | | |
| NLCacheNote | 2 | | |
| Surrogate-Control | 2 | | |
| X-Yadis-Location | 2 | | |
| X-FORWARDED-FOR | 2 | | |
| X-Firenze-Processing-Time | 2 | | |
| X-Developer | 2 | | |
| Host | 2 | | |
| X-Wm-1 | 2 | | |
| Provider | 2 | | |
| Node | 2 | | |
| ProxiaInstanceId | 2 | | |
| X-Session-Reinit | 2 | | |
| WP-Cache | 2 | | |
| X-Head | 2 | | |
| SN | 2 | | |
| X-Blog | 2 | | |
| X-Server-IP | 2 | | |
| X-Cache-Control | 2 | | |
| X-Varnish-IP | 2 | | |
| X-SATserver | 2 | | |
| X-Seen-By | 2 | | |
| X-TNCMS-Render-Time | 2 | | |
| X-GLaDOS | 2 | | |
| D | 2 | | |
| X-TNCMS-Served-By | 2 | | |
| X-Haiku | 2 | | |
| X-MCB-Server | 2 | | |
| B-Powered-By | 2 | | |
| X-TNCMS-Version | 2 | | |
| X-Vary-Options | 2 | | |
| S | 2 | | |
| Cache | 2 | | |
| X-Content-Digest | 2 | | |
| X-UPSTREAM | 2 | | |
| X-TNCMS-Memory-Usage | 2 | | |
| CommunityServer | 2 | | |
| CCEncrypt | 2 | | |
| X-Wix-Renderer-Server | 2 | | |
| X-StoreSense | 2 | | |
| X-ProStores-StoreApiEntryPoint | 2 | | |
| X-S | 2 | | |
| Charset | 2 | | |
| Lsrequestid | 2 | | |
| Req-Timestamp | 2 | | |
| Warning | 2 | | |
| Uniqueid | 2 | | |
| X-Nginx-IP | 2 | | |
| Content-Base | 2 | | |
| X-Bettercache-Proxy | 2 | | |
| X-MSG-03 | 2 | | |
| X-MSG-02 | 2 | | |
| WCSITE | 2 | | |
| X-Object-Type | 2 | | |
| No | 2 | | |
| X-Object-Id | 2 | | |
| X-MSG-01 | 2 | | |
| X-Amz-Cf-Id | 2 | | |
| X-DEBUG-X-Id | 2 | | |
| X-MSG-00 | 2 | | |
| Page.Ly | 2 | | |
| ServerID | 2 | | |
| X-MSG-04 | 2 | | |
| X-Vtex-Remote-Cache | 2 | | |
| DeleGate-Ver | 2 | | |
| X-MSG-05 | 2 | | |
| Webserver | 2 | | |
| X-MSG-06 | 2 | | |
| X-ServerID | 2 | | |
| X-Vtex-Cache-Key | 2 | | |
| SynthaSite-ID | 2 | | |
| X-EdgeRouter | 2 | | |
| Access-Control-Allow-Methods | 2 | | |
| X-Cached-By | 2 | | |
| X-Hrouter | 1 | | |
| X-App-Server | 1 | | |
| X-Country-Name | 1 | | |
| ZoogleHost | 1 | | |
| X-DeliveryServer | 1 | | |
| X-Url | 1 | | |
| X-RE-Ref | 1 | | |
| X-Content-Parsed-By | 1 | | |
| X-Set-Cookie | 1 | | |
| X-VarnishNode | 1 | | |
| X-WhitelistedCookie | 1 | | |
| X-Server-Admins | 1 | | |
| Accept-Charset | 1 | | |
| X-Bak | 1 | | |
| MASTERWEBLET | 1 | | |
| X-PC3-Control | 1 | | |
| X-Hosted-By | 1 | | |
| X-PC3-Time | 1 | | |
| GP-NGX | 1 | | |
| X-DOTLAN-Version | 1 | | |
| X-DOTLAN-License | 1 | | |
| A-Powered-By | 1 | | |
| X-Beatles | 1 | | |
| X-AspNetWebPages-Version | 1 | | |
| Nodo | 1 | | |
| X-Server-Id | 1 | | |
| X-Original-At | 1 | | |
| X-REDIRECTSERVER | 1 | | |
| X-Header-Set-Id | 1 | | |
| X-DEBUG-Obj-Ttl | 1 | | |
| QYSID | 1 | | |
| X-Permitted-Cross-Domain-Policies | 1 | | |
| X-WLD-LB | 1 | | |
| X-Cache-Timing | 1 | | |
| UniqueName | 1 | | |
| Hacked | 1 | | |
| Gzip | 1 | | |
| X-ApacheServer | 1 | | |
| X-Caching-Rule-Id | 1 | | |
| X-Varnish-Age | 1 | | |
| X-Libsyn-Host | 1 | | |
| Cache-Key | 1 | | |
| X-Analytics-Terminal | 1 | | |
| Lytee-CME-Version | 1 | | |
| Lytee-Server | 1 | | |
| ROCKandREVIEW.Com | 1 | | |
| X-Achmed-Status | 1 | | |
| X-DoRedirect | 1 | | |
| X-Pb-Mii | 1 | | |
| X-Version | 1 | | |
| Last-Updated | 1 | | |
| X-Debug-Serve | 1 | | |
| X-Catalyst | 1 | | |
| X-Country | 1 | | |
| X-Which-Box | 1 | | |
| X-Zone | 1 | | |
| X-Generate | 1 | | |
| X-Adobe-Content | 1 | | |
| X-CAPP-PROFILING | 1 | | |
| X-Answer | 1 | | |
| X-Phpwcms-Release | 1 | | |
| X-Phpwcms-Page-Processed-In | 1 | | |
| X-Highwire-RequestId | 1 | | |
| Response-Server | 1 | | |
| X-Highwire-SessionId | 1 | | |
| ScoreTracker | 1 | | |
| Response-File | 1 | | |
| Noahs-Classifieds | 1 | | |
| X-Tiger-TTFB | 1 | | |
| X-Cache-Action | 1 | | |
| X-Cocoon-Version | 1 | | |
| X-Powered-S | 1 | | |
| X-Question | 1 | | |
| THIELI-VERSION | 1 | | |
| Progma | 1 | | |
| X-Secoya-Server | 1 | | |
| HOST-SERVICE | 1 | | |
| Varnish-Active | 1 | | |
| X-Cache-Hit | 1 | | |
| X-IsMobileHost | 1 | | |
| With | 1 | | |
| X-IsFrontPageReq | 1 | | |
| Robots | 1 | | |
| Loadtime-SocialMedia | 1 | | |
| WS | 1 | | |
| X-Database-Slave-Connection | 1 | | |
| X-Handled-By | 1 | | |
| X-Server-Oad | 1 | | |
| Content-MD5 | 1 | | |
| Adepteo | 1 | | |
| WSID | 1 | | |
| X-I | 1 | | |
| UNIQUE-ID | 1 | | |
| X-Framework | 1 | | |
| Wn-Vars | 1 | | |
| X-CacheServer | 1 | | |
| X-Id | 1 | | |
| X-VarnishServer | 1 | | |
| X-CacheHits | 1 | | |
| Srv | 1 | | |
| X-Expires | 1 | | |
| X-Responding-Server | 1 | | |
| X-Oad-Xslt | 1 | | |
| Z-Powered-By | 1 | | |
| Accept | 1 | | |
| X-Time-Microsecs | 1 | | |
| X-Empowered-By | 1 | | |
| X3CMS-Release | 1 | | |
| ZEONWEB-Cluster | 1 | | |
| Beyond-Iis | 1 | | |
| WN | 1 | | |
| Page | 1 | | |
| X-Request-Duration | 1 | | |
| X-Original-Request | 1 | | |
| Title | 1 | | |
| X-Passed-To | 1 | | |
| Cluster | 1 | | |
| X-Beta | 1 | | |
| User-Agent | 1 | | |
| X-Who-L | 1 | | |
| CachedXSLT | 1 | | |
| PROPSON-FARM | 1 | | |
| X-FIRSTPAGE | 1 | | |
| X-Passed-To-DLL | 1 | | |
| X-End | 1 | | |
| WP-AdvCache-MemCached | 1 | | |
| Centent-Type | 1 | | |
| X-Who-O | 1 | | |
| Web3 | 1 | | |
| Engine-Programming | 1 | | |
| X-Confluence-Request-Time | 1 | | |
| X-Duration | 1 | | |
| X-AWS-Id | 1 | | |
| If-Modified-Since | 1 | | |
| X-Origin-Srv | 1 | | |
| X-Who | 1 | | |
| X-AP-Version | 1 | | |
| X-AWCMS-Version | 1 | | |
| X-Portal | 1 | | |
| WP-KEY | 1 | | |
| Filter-Revision | 1 | | |
| X-Euro-ID | 1 | | |
| X-Account-Management-Status | 1 | | |
| X-Fueled-By | 1 | | |
| X-Bstat | 1 | | |
| Hola | 1 | | |
| X-Country-Code | 1 | | |
| SVR | 1 | | |
| Content | 1 | | |
| X-PH-Magento-Cache | 1 | | |
| WhoisCache | 1 | | |
| X-SW | 1 | | |
| Last-UpdatedL | 1 | | |
| Cache-Ctrol | 1 | | |
| X-Wf-Protocol-1 | 1 | | |
| X-Varnish-Hits | 1 | | |
| X-Back | 1 | | |
| X-Aliases | 1 | | |
| X-Purge-URL | 1 | | |
| X-Ws | 1 | | |
| X-Accelance-Front | 1 | | |
| X-Purge-Host | 1 | | |
| X-RCR | 1 | | |
| Login-Required | 1 | | |
| Hostedby | 1 | | |
| X-Abuse | 1 | | |
| P3P:CP | 1 | | |
| VTag | 1 | | |
| Cluster-Node | 1 | | |
| X-Wf-1-Structure-1 | 1 | | |
| X-Varnish-Backend | 1 | | |
| X-Origin | 1 | | |
| Www.Mossgreen.Com.Au | 1 | | |
| Wwwcr.Mossgreen.Com.Au | 1 | | |
| X-Artvisual-Server | 1 | | |
| X-ODL-Server | 1 | | |
| .Woff | 1 | | |
| X-PBY | 1 | | |
| X-QueryRuntime | 1 | | |
| X-Cached | 1 | | |
| X-Ruby-Cluster-ID | 1 | | |
| CDCHOST | 1 | | |
| X-Actual-URL | 1 | | |
| X-DmUser | 1 | | |
| X-SSS-Version | 1 | | |
| No-Cache | 1 | | |
| LibAstro | 1 | | |
| X-Cache2 | 1 | | |
| X-Papaya-Gzip | 1 | | |
| Loadtime-PropertyFeature | 1 | | |
| Vala | 1 | | |
| Apache | 1 | | |
| X-Debug | 1 | | |
| Application-Version | 1 | | |
| .Svg | 1 | | |
| X-QueryCount | 1 | | |
| X-Varnish-Hostname | 1 | | |
| X-Info | 1 | | |
| X-Real-Server | 1 | | |
| X-Site | 1 | | |
| X-Realserver | 1 | | |
| SL-NOREWRITE-REDIRECTS | 1 | | |
| Proxy-Connection | 1 | | |
| X-Papaya-Cache | 1 | | |
| X-Invocation-Time | 1 | | |
| AppTime | 1 | | |
| X-N | 1 | | |
| PFHOST | 1 | | |
| X-Test | 1 | | |
| Infra | 1 | | |
| ASTrefflag | 1 | | |
| ContentType | 1 | | |
| X-CFRM2 | 1 | | |
| Origin | 1 | | |
| X-MJ-Upstream-Addr | 1 | | |
| X-MTX-DBCache[C-Pri-1926] | 1 | | |
| X-UA-Comatible | 1 | | |
| X-SRV | 1 | | |
| Web-Hostname | 1 | | |
| ProxyServer | 1 | | |
| X-Cache-NHIT | 1 | | |
| X-FW | 1 | | |
| X-PE-Server: | 1 | | |
| Hostname | 1 | | |
| ASTadv | 1 | | |
| SmartCDS | 1 | | |
| X-Cache-Expires | 1 | | |
| X-CFRH | 1 | | |
| X-Accel-Version | 1 | | |
| X-MJ-Serve-Req-Time | 1 | | |
| X-MTX-DBCache[C-1899] | 1 | | |
| X-Backend-Server | 1 | | |
| 0 | 1 | | |
| X-Wf-1-1-1-1 | 1 | | |
| X-Wf-1-Plugin-1 | 1 | | |
| X-Gentics | 1 | | |
| X-FreeTag-Count | 1 | | |
| Expire | 1 | | |
| Response | 1 | | |
| Req-Id | 1 | | |
| X-Content-Security-Policy | 1 | | |
| Hits | 1 | | |
| Rating | 1 | | |
| Content-Description | 1 | | |
| ServerName | 1 | | |
| X-Via | 1 | | |
| Product-Version | 1 | | |
| X-SmugMug-Hiring | 1 | | |
| X-Served2-By | 1 | | |
| X-SmugMug-Values | 1 | | |
| X-Powered-By-Home.Pl | 1 | | |
| X-User-Agent | 1 | | |
| ProxyTime | 1 | | |
| X-App-Hosting | 1 | | |
| Mossgreen.Com.Au | 1 | | |
| X-LiteSpeed-Cache | 1 | | |
| Server-N | 1 | | |
| X-Track | 1 | | |
| X-Hit-Cache | 1 | | |
| Powered-By | 1 | | |
| Content-Transfer-Encoding | 1 | | |
| X-MS-InvokeApp | 1 | | |
| X-Snapsis-PageBlaster | 1 | | |
| Vserver | 1 | | |
| X-Front | 1 | | |
| X-Source-Host | 1 | | |
| Backend-INFRA.WAN | 1 | | |
| X-Matchfwd-GenTime | 1 | | |
| X-Sportal-Origin | 1 | | |
| Stylesheets | 1 | | |
| X-PAGE | 1 | | |
| X-Returned-From-DLL | 1 | | |
| X-VWS-Id | 1 | | |
| Hishop | 1 | | |
| MST-Version | 1 | | |
| X-Origin-Id | 1 | | |
| X-UD-Loopcounter | 1 | | |
| X-Eznode | 1 | | |
| Db | 1 | | |
| X-Nikon-Host | 1 | | |
| X-Web-Hosting-Service-Provider | 1 | | |
| Proxy-Agent | 1 | | |
| X-20M-Cache | 1 | | |
| X-PCS-TTL | 1 | | |
| X-Ziosting-Rule | 1 | | |
| Pagename | 1 | | |
| Cluster-Id | 1 | | |
| X-GAMECOUNTRY | 1 | | |
| X-Returned-From | 1 | | |
| X-Apache-IP | 1 | | |
| X-Gateway | 1 | | |
| WEBO | 1 | | |
| Version | 1 | | |
| X-20M-WebServer | 1 | | |
| X-Filmed-By | 1 | | |
| X-Re-Srv | 1 | | |
| X-Disclaimer | 1 | | |
| X-Matchfwd-Misc | 1 | | |
| AppServer | 1 | | |
| X-USERIP | 1 | | |
| X-Oracle-DMS-ECID | 1 | | |
| X-Stat-Server | 1 | | |
| Server-Name | 1 | | |
| X-Powered-WP | 1 | | |
| X-Cache-Debug | 1 | | |
| X-CF | 1 | | |
| ERROR | 1 | | |
| X-Sitemap-URL | 1 | | |
| X-MTX-DBCache[C-1898] | 1 | | |
| X-Stackable-Node | 1 | | |
| X-Instance-Name | 1 | | |
| X-HN | 1 | | |
| X-XTM-Node | 1 | | |
| X-Ants-Machine-Id | 1 | | |
| X-Confirmit-ID | 1 | | |
| X-USERCOUNTRY | 1 | | |
| Reply-To | 1 | | |
| Type | 1 | | |
| X-Header | 1 | | |
| Access-Control-Max-Age | 1 | | |
| Nectar | 1 | | |
| Response-Type | 1 | | |
| X-UD-REMOTE-ADDR | 1 | | |
| X-Metrix-Cachesite | 1 | | |
| X-Machine-ID | 1 | | |
| X-RSS-CACHE-STATUS | 1 | | |
| Is-Cached | 1 | | |
