
SANS ISC HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.

All Headers Active In The Past Month
Header Popularity
Content-Type
Date
Server
Connection
Set-Cookie
X-Powered-By
Cache-Control
Vary
Content-Length
Expires
Last-Modified
Pragma
Accept-Ranges
ETag
X-Pingback
P3P
X-AspNet-Version
Link
X-XSS-Protection
X-Content-Type-Options
Age
Alternate-Protocol
X-Cache
X-Adblock-Key
Content-Location
Content-Language
X-UA-Compatible
Via
Keep-Alive
X-Varnish
CF-RAY
X-Frame-Options
P3p
X-Check
X-Language
X-Template
X-Buckets
X-Generator
X-Hacker
WP-Super-Cache
Status
X-Drupal-Cache
MS-Author-Via
Access-Control-Allow-Origin
X-Pad
X-Cacheable
X-Powered-By-Plesk
X-AspNetMvc-Version
X-Runtime
MicrosoftOfficeWebServer
X-Powered-CMS
X-Request-Id
X-Cache-Lookup
X-Host
X-Server
Access-Control-Allow-Credentials
X-Rack-Cache
X-XRDS-Location
X-Type
X-Cache-Group
X-Logged-In
X-UA-Device
X-Mod-Pagespeed
MicrosoftSharePointTeamServices
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Content-Encoding
X-Cache-Hits
X-Tumblr-Pixel-1
X-INKT-SITE
X-INKT-URI
X-Robots-Tag
X-Tumblr-Pixel-2
SPRequestGuid
Host-Header
X-SharePointHealthScore
X-W3TC-Minify
X-Cnection
X-PhApp
X-Webserver
X-Varnish-Cache
X-Ua-Compatible
X-CF-Powered-By
X-Via
Composed-By
X-Firenze-Processing-Times
Served-By
X-Page-Speed
X-Forwarded-For
X-Url
Strict-Transport-Security
X-ServedBy
X-Served-By
X-Hostname
X-XN-Trace-Token
X-XN-XNHTML
X-Iinfo
X-Accel-Version
X-Tumblr-Pixel-3
Access-Control-Allow-Headers
X-MS-InvokeApp
X-Mobilized-By
Cartoon
X-ContextId
Access-Control-Allow-Methods
X-Alternate-Cache-Key
X-ShardId
X-ShopId
X-Umbraco-Version
X-Stats-Visit-Token
X-Stats-Unique-Token
X-CDN
X-AH-Environment
X-Backend
X-Powered-By-360WZB
Content-Style-Type
Content-Script-Type
Refresh
Liferay-Portal
X-Cache-Info
X-Server-Name
Magicmarker
X-PC-Host
X-PC-Date
X-PC-AppVer
X-PC-Hit
X-PC-Key
Powered-By-ChinaCache
Thanks
X-HeyJason
X-Cache-Server
X-Geo
TCN
X-Geo-Port
Rating
X-Outils-CS
X-Amz-Id-2
X-From
Cf-Railgun
X-Amz-Request-Id
X-Powered-By-Anquanbao
Page-Completion-Status
X-Content-Digest
X-FB-Debug
Real-Hostname
X-TN-ServedBy
X-Loop
X-PHP-Engine
Imagetoolbar
X-Tumblr-Pixel-4
NS-RTIMER-COMPOSITE
X-Original-Content-Length
IBM-Web2-Location
X-Amz-Cf-Id
X-Px
PICS-Label
X-Generated-By
X-Spip-Cache
SPIisLatency
Request-Id
X-Tumblr-Content-Rating
SPRequestDuration
X-Matrix-Proxy
X-Matrix-Server
X-TNCMS-Render-Time
X-TNCMS-Memory-Usage
X-TNCMS-Served-By
X-TNCMS-Version
X-ChromeLogger-Data
X-Drectory-Script
X-Content-Encoded-By
Set-Cookie2
X-Cache-Status
X-CDN-Geo
X-CDN-Any-IP
X-CDN-Geo-IP
X-Cached-By
X-Device
X-Tumblr-Pixel-5
ServerName
X-URL
X-Firenze-Processing-Time
X-Node
X-Cached
X-CMS-Version
IISExport
Access-Control-Max-Age
X-Trace-App
Retry-After
X-PF-Uncompressing
CF-Cache-Status
DynaTrace
X-SERVER
X-DynaTrace
X-Age
Generator
Accept-Encoding
X-DDC-Arch-Trace
X-Timer
SID
COMMERCE-SERVER-SOFTWARE
X-FORWARDED-FOR
Lsrequestid
Time
RTSS
X-I
X-Cache-Debug
X-Backend-Server
ServedBy
X-Cache-Hit
Powered-By
MIME-Version
X-ApacheServer
X-ATG-Version
X-SDS
X-Art-Request-Id
X-Vary-Options
Product
X-Nitra-Side
Pics-Label
X-Hosted-By
X-PERF
Access-Control-Request-Method
X-Pantheon-Endpoint
X-Pantheon-Styx-Hostname
X-Processed-By
Edge-Control
Content-Encoding-Handler
X-UD-Host
X-UD-Method
X-Vtex-Cache-Key
SFY
LFY
X-Vtex-Remote-Cache
Surrogate-Control
X-PwB-Node
X-Purge-Host
X-Original-Request
Machine
X-Srv
Host
X-Director
X-DynaTrace-JS-Agent
X-DNS-Prefetch-Control
X-Speed-Cache-Key
X-Actual-URL
X-Returned-From-DLL
X-Returned-From-BeforeDispatch
X-Returned-From
X-Handled-By
X-App-Hosting
X-Returned-From-PostProcessResponse
X-Passed-To-DLL
X-Passed-To-PostProcessResponse
X-Passed-To-BeforeDispatch
X-Passed-To
X-NoCache
X-LiteSpeed-Cache
WWW-Authenticate
X-Cache-Enabled
Charset
X-FIRSTBase
X-Cache-Expires
Location
X-Purge-URL
Node
MW-Webserver
X-Cookie-Domain
X-Yadis-Location
X-Speed-Cache
Proxy-Agent
AMF-Ver
NODE
X-CJ-Soft
Cm-Server
Website-Info
Server-Info
X-Ms-Invokeapp
X-ServerID
X-Varnish-Backend
X-TTL
X-B2f-Cache-Load
VAR-Cache
X-Orig-Vary
Proxy-Connection
Microsoftsharepointteamservices
X-LIGHTHTTP-PCDID
X-GeoIP-Country-Name
Fhost
X-Served-From-Cache
X-GeoIP-Country-Code
Content-Disposition
X-Trace-Cache
X-ACMCache
X-Content-Options
Cache
X-StoreSense
X-ProStores-StoreApiEntryPoint
S
X-Expires-Orig
Filter-Revision
Sprequestguid
X-Sharepointhealthscore
X-Duration
X-Cocoon-Version
X-Track
X-Front
X-Micro-Cache
X-ServerName
QOR-Cache
X-Request-ID
X-WR-Flags
X-Cache-Control-Orig
X-ASTRO-REWRITE
Accept-Charset
X-Varnish-TTL
X-Powered-By-Yqk
X-Yqk-Set
X-Adobe-Content
Webluker-Edge
X-Cache-Rule
X-Time
Req-Id
X-MJ-Upstream-Addr
X-Highwire-RequestId
Hamster
SN
ServerID
X-Sys-Req-ID
X-Source-Host
X-App-Start
UniqueName
X-Highwire-SessionId
X-Pangea-Version
X-MJ-Serve-Req-Time
X-SRV
X-FW
Nodo
X-Gamma-Serve
X-Old-Content-Length
ORIGIN
CT
X-Hits
X-Server-ID
CommunityServer
X-Session-Reinit
X-Blog
NetMindSessionID
X-AOL-SNH
X-Atraveo-Varnish-Server-Id
X-Microcachable
X-Atraveo-TTL
X-Atraveo-NC
X-Atraveo-From-Varnish-Cache
Debug
X-Atraveo-Cache-Control
Debug-Begin-IP
X-CHSN
Id
X-App
A-Powered-By
X-Info
Debug-IP-Cntry
X-Cluster-Node
X-AspNetWebPages-Version
X-Trash-Talk
X-Target
X-Header
Pagely
X-Engine
X-Server-Web
X-UPSTREAM
X-Microcache-Status
X-WebServer
X-Pass-Why
X-Varnish-Host
X-Varnish-Hits
X-Device-Type
X-Cache-TTL
X-Distil-CS
X-Accelerated-By
X-N
NtCoent-Length
WP-Cache
X-Phpwcms-Release
X-Varnish-Action
Server2
X-Varnish-IP
X-HS-MC-Reqs
X-ID
X-Phpwcms-Page-Processed-In
From
X-PvInfo
MvcResult
X-Cdn
X-Src-Webcache
X-ACCELERATE
X-Cache-Operation
OHS-WebNode
X-Request-Duration
X-Cache-Action
MirrorName
X-Force
X-PRAM
X-Nginx-Cache
X-Database-Slave-Connection
X-Wily-Info
Server-Name
X-Ttl
X-Turbo-Control
X-Channel-Maxage
ScoreTracker
X-Kirra-SiteId
X-Wily-Servlet
X-Machine-Name
X-Grid-Server
X-Varnish-Age
X-Geo-IP
X-FS-UUID
X-Enhanced-By
X-Source
X-Directory-Script
X-LI-UUID
X-Li-Pop
X-Li-Fabric
X-Uid
X-DeliveryServer
Pool-Info
X-Source-ID
X-CacheHits
X-Magento-Action
X-Benchmark-Total
X-FreeTag-Count
Content-Transfer-Encoding
X-Benchmark-Sphinx
X-Benchmark-Db
Provided-Host
X-Whom
X-ServerCache-Info
X-SN
X-Benchmark-Cache
X-Magento-Lifetime
X-Benchmark-Sphinx-Count
Warning
Author
X-Hrouter
SynthaSite-ID
-Onnection
LBVIS
X-EdgeRouter
X-Varnish-Server
X-Country-Code
X-Varnish-Device
X-Varnish-ID
SEOMOZ
NLCacheNote
MJ12bot
X-Oracle-DMS-ECID
X-Transaction
OriginServer
CountryCode
X-ATP-Server
X-App-Server
X-SV
Powered
X-Powered
X-Device-Group
X-TISSERVER
X-Bettercache-Proxy
RequestTime
X-S
X-Mii-Cache-Hit
X-Pb-Mii
X-Version
X-USERNAME
X-Debug
X-Varnish-Debug-Hits
X-Amz-Id-1
X-Varnish-Debug-Age
X-Response-Time
X-Max-Age
X-Id
X-Frontend
X-HOSTTYPE
X-Framework
X-Flex-Tags
X-Flex-Tag
X-Flex-Evstart
X-WP
X-WLD-LB
X-Expires
Content
Front
F-In-Cache
X-REDIRECTSERVER
X-Monstercache-Timeout
X-Flex-Community
X-Flex-Evend
X-NewRelic-App-Data
X-Flex-Lastmod
X-Flex-Lang
X-Web-Node
Bs-Header
X-CMS-Server
Aoestatic
Jobb.Gil.Se
Jobb.Assistentpoolen.Se
Jobb.Passal.Se
X-Origin-Id
X-User-Id
NodeID
X-Cache-Me-Harder
X-Garden-Version
X-Varnish-Cache-Local
X-JAL
X-Varnish-Cache-Hits
ProxiaInstanceId
X-Vivastreet-KiwiiPage
X-Vivastreet
A1B2C3
X-JSL
X-View
SIP
Www.Myjob.Se
CDN
X-Apache-Backend
X-Actindo-RS
Cluster-ID
D
Content-MD5
X-Jcms-Ajax-Id
X-Farm-Server
X-NGINX-CACHED
SiteSpect-Identity
X-NGINX-CACHED-AT
Hash
X-MidCOM-Meta-Cache
MASTERWEBLET
X-Venda-Hitid
Ec
Cache-Ctrol
X-UD-Target
X-Response
Www.Mirrorgate.Se
P3P:CP
Www.Mabracertifiering.Se
X-UD-REMOTE-ADDR
X-B
Backend-Host
X-Conf
X-UD-Loopcounter
X-T
X-Ocache
Open.Jobgate.Se
Test.Executivepeople.Se
X-Haiku
X-GLaDOS
Backend
Compression-Control
X-VarnCache
X-Vhost
Srv
X-Translation
Pool
If-Modified-Since
Beyond-Iis
X-B2f-Not-Route
X-Amz-Meta-S3cmd-Attrs
X-Via-Kemp
Ssl-Enabled
X-Object-Type
X-Object-Id
X-Cf-Powered-By
WEBO
X-Jphone-Copyright
X-Geo-IP-Region
X-Geo-IPV
X-Cms-Mode
X-Varnish-Debug-Fetch-Host
X-Recruiting
X-Route
X-Geo-IP-Metro
X-Geo-IP-Country
X-ManagedFusion-Rewriter-Version
Content-Instance
SRV
X-Rewritten-By
PowerCDN
Rt-Server
X-CMS
X-Cache-Term
SS
Hej
CacheControlMode
CacheControlHeader
X-Varnish-Cache-Server
Preview-Refresh
Cmstype
X-Hosting-Env
Cmsid
7e-Page-Cache
VTag
X-MSG-02
X-MSG-03
X-MSG-01
X-MSG-00
X-DEBUG-Obj-Ttl
X-DEBUG-X-Id
X-MSG-04
X-Content-Age
X-Rewrite
Copyright
X-Cluster-Host
Mobiquo-Is-Login
PUBLISH
CP
No
X-Vtex-Processado-Em
X-MCB-Server
X-GC-App
X-Powered-By-Server
Proxy-From
X-Provisioner-Version
X-Node-Name
X-GC-Read
X-GC-Write
X-MSG-05
X-MSG-06
X-Server-By
X-Permitted-Cross-Domain-Policies
B-Powered-By
X-Domain-Checked
X-Nginx-Server
X-PM-ID
X-ERM-RunTime
X-Test
X-ERM-ServerName
X-ERM-ServerName-AppPage
Ms
Content-Security-Policy
X-Frames-Options
X-Author
Xc
X-Full-URL
Publisher
X-Monstercache
Provider
X-SilverStripe-Cache
XX
X-Artvisual-Server
X-Optimization
At-Shoptype
INCOMING-TIME
X-Cache-Backend
X-Geoip-Country-Code
POOL
Robots
At-Isb
X-Monstercache-Host
Atp-Isdpp
X-Monstercache-Hash
SiteName
Head
X-Symfony-Cache
Ibm-Web2-Location
Esi-Enabled
X-Answer
X-ORACLE-DMS-ECID
X-JSON-API-LATENCY
X-JSON-API-TTL
X-Nucleus-Cache
X-TLServer
X-RE-Ref
Telligent-Evolution
X-Page-Generated-At
SVR
Front-End-Https
WebServer
X-TTL-Age
X-Header-Set-Id
X-Page-Generation-Time
Custom
X-Caching-Rule-Id
Expire
X-NginX-Cache
X-Client-Vid
X-NginX-Server
X-Fett
RequestId
X-Varnish-Debug-Varnish-TTL-Set-From-Server
X-EPiphany-Vid
X-Execution-Time
X-Agentscape-Info
X-Forwarded-Proto
Access-Control-Expose-Headers
X-IDS-WS
X-Proxy
X-CCM
X-PHP-Cache
X-IP-Address
X-WA-Info
WEBSERVER
X-JSON-API-AGE
X-Your-GrandPa-Would-Wait
Application-Version
X-Would-Your-GrandPa-Wait
No-Cache
X-Webstats-RespID
X-Host-Url
DeleGate-Ver
X-PP
X-Platform
Apache
X-Upstream
X-Cache-Ttl
X-T3CacheTags
Noahs-Classifieds
X-Ratelimit
X-Modules
X-Time-Microsecs
X-Hit
Rt-Fastcgi-Cache
X-FCMS-Cache
HAVer
HCVer
X-Server-Id
X-Empowered-By
X-Purge-Level
X-Serial
Web-Head
TimeRestart
X-OPNET-Transaction-Trace
X-Varnish-Cookie-Debug
Accept-Language
X-Box
X-XHR-Current-Location
X-Varnish-Cacheable
MIH-PUBLIC-IDENTIFIER
X-Extra-Header
Web-Server
CachedXSLT
X-Allow-Redis
MIH-CLIENT-FARM
Spot
Xonnection
X-DEBUG
EbdTrace
X-Pixelsilk-Server
Mime-Version
X-7d-Version
X-LAvg
X-Pixelsilk-Version
MIH-PLATFORM
X-7dig
X-Abuse
ExecutionTime
X-FW-Static
X-Cache-NHIT
X-Secret
X-WorkerInstancename
Worker
X-T3CacheInfo
X-DELIVERYSERVER
X-Nocache
X-WEBSERVER
X-T3Cache
X-SERVERID
X-MSEdge-Ref
Www.Aujourdhui.Com
MachineName
Test
X-Hc-Host
INFO
X-Set-Cookie
OMNI-C
X-GeoIP
RayEngine
X-Yottaa-Metrics
X-ProcessESI
X-Crafted
X-WebKit-CSP
X-PS-MURDOCK-ORIG-PROTOCOL
X-User-Agent
Last-Modified:
X-Server-Node
Progma
Ap-Exec-Time-Mks
Srv-N
X-Process-Time
HostName
X-BackendServer
UNIQUE-ID
X-Cache-Lifetime
X-Cache-Age
X-Backend-Host
X-Catalyst
X-Varnish-HitMiss
X-AISO-Cache
X-Developer
X-AISO-Server
X-Varnish-Count
X-Loc
X-Life
CacheInfo
X-NID
CacheInfoFetch
Optimizer
X-Wm-1
X-Varnish-Hit
X-Yottaa-Optimizations
VM
BKREF
X-BKSrc
OriginalHost
TypeOfContent
X-Site:
X-RemovedCookies
X-ProxyInstancename
ServerId
Public-Extension
ResourceTag
X-Mobile
X-Unbounce-Instance
X-IP
X-Origin
Mark
Nbaid
Nbmt
X-DC-Origin-IP
OGHopCount
X-PBY
X-GitHub-Request-Id
X-ACLR-Version
X-Rot
X-Vhost-ID
X-V-I-TTL
X-V-Outer
X-Req-Url
X-Req-Host
Origin
X-Created
WZ-Device-Match
WZ-Cache
X-Processing-Begin
X-Processing-Finished
X-Hash
X-Continum-Server
X-Stackable-Node
OutputRewritten
X-Pta-Px
X-WR-MODIFICATION
Http
X-Status
X-Powered-Developer
X-PoolMember
SAVVIS
Content-Control
Allow
X-V-TTL
Response
X-Environment
X-Cache-Control
Login-Required
X-VCache
X-Pagename
X-TTFB-L
X-Hit-Cache
X-Trace
Description
HTTP
X-PS-MURDOCK-CASE-NORMALIZATION
X-Papaya-Gzip
X-Papaya-Cache
Keywords
X-UA
X-TTFB
X-SmugMug-Values
X-CMS-Live
X-CMS-Nid
X-CMS-CRMSet
X-CMS-Collection
WP-AdvCache-MemCached
Accept
X-CMS-Sid
X-CMS-Stage
X-Web-Hosting-Service-Provider
X-SmugMug-Hiring
X-Bcwwwid
SLB
X-CMS-State
X-CMS-Tid
X-PS-MURDOCK-ORIG-FILEEXT