Internet Storm Center
Training
Certification
SANS Technology Institute
Security Awareness
Latest News
Computer Forensics
IT Audit
Software Security
This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.
Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.
As we collect more data, we will plot changes over time.
Statistic summary for Wednesday February 22nd 2012. 20724 distinct hosts.| Header | # of Hosts | ||
|---|---|---|---|
| Content-Type | 20724 |  | |
| Date | 20652 | | |
| Server | 20522 | | |
| Connection | 18483 | | |
| Set-Cookie | 16637 | | |
| X-Powered-By | 11495 | | |
| Cache-Control | 10592 | | |
| Expires | 7715 | | |
| Content-Length | 7479 | | |
| Last-Modified | 7168 | | |
| Vary | 6735 | | |
| Pragma | 5952 | | |
| ETag | 4503 | | |
| Accept-Ranges | 4490 | | |
| X-Pingback | 2939 | | |
| P3P | 1555 | | |
| X-AspNet-Version | 1121 | | |
| X-XSS-Protection | 852 | | |
| X-Content-Type-Options | 842 | | |
| Link | 495 | | |
| Age | 432 | | |
| X-Cache | 430 | | |
| Via | 393 | | |
| Content-Language | 371 | | |
| X-UA-Compatible | 329 | | |
| Content-Location | 292 | | |
| X-Varnish | 266 | | |
| Keep-Alive | 181 | | |
| WP-Super-Cache | 161 | | |
| X-Hacker | 146 | | |
| Status | 146 | | |
| X-Runtime | 130 | | |
| X-Pad | 113 | | |
| MicrosoftOfficeWebServer | 89 | | |
| X-Nananana | 78 | | |
| MS-Author-Via | 69 | | |
| X-XRDS-Location | 66 | | |
| X-AspNetMvc-Version | 59 | | |
| X-Firenze-Processing-Times | 55 | | |
| X-Host | 54 | | |
| X-Drupal-Cache | 51 | | |
| X-Powered-CMS | 47 | | |
| X-Cacheable | 45 | | |
| Composed-By | 44 | | |
| X-Generator | 44 | | |
| X-INKT-URI | 42 | | |
| X-INKT-SITE | 42 | | |
| Content-Encoding | 39 | | |
| X-Cache-Lookup | 38 | | |
| X-Webserver | 36 | | |
| X-PhApp | 36 | | |
| X-Powered-By-Plesk | 32 | | |
| X-Frame-Options | 32 | | |
| X-Cnection | 28 | | |
| MicrosoftSharePointTeamServices | 27 | | |
| X-Mod-Pagespeed | 27 | | |
| X-Server | 26 | | |
| Served-By | 24 | | |
| X-Umbraco-Version | 24 | | |
| X-XN-Trace-Token | 22 | | |
| X-Mobilized-By | 21 | | |
| X-XN-XNHTML | 21 | | |
| X-Rack-Cache | 17 | | |
| Access-Control-Allow-Origin | 17 | | |
| Content-Script-Type | 17 | | |
| X-CF-Powered-By | 14 | | |
| Refresh | 14 | | |
| Content-Style-Type | 13 | | |
| X-Cache-Hits | 13 | | |
| X-Robots-Tag | 13 | | |
| X-Cache-Info | 12 | | |
| X-Outils-CS | 12 | | |
| X-Tumblr-User | 12 | | |
| X-Tumblr-Usec | 12 | | |
| X-Backend | 11 | | |
| SPRequestGuid | 11 | | |
| X-SharePointHealthScore | 11 | | |
| X-ServedBy | 11 | | |
| X-Served-By | 11 | | |
| IISExport | 11 | | |
| Accept-Encoding | 11 | | |
| Powered-By-ChinaCache | 11 | | |
| X-Firenze-Processing-Time | 10 | | |
| Liferay-Portal | 10 | | |
| X-PosterousHostName | 9 | | |
| X-GitSHA | 9 | | |
| X-RateLimit-Remaining | 9 | | |
| X-RateLimit-Limit | 9 | | |
| R-Host | 9 | | |
| X-Vary-Options | 8 | | |
| X-Language | 8 | | |
| X-Check | 8 | | |
| X-Template | 8 | | |
| WP-Cache | 7 | | |
| X-B2f-Cache-Load | 7 | | |
| TCN | 7 | | |
| X-Drectory-Script | 7 | | |
| X-Request-Id | 7 | | |
| X-Content-Encoded-By | 7 | | |
| Imagetoolbar | 7 | | |
| X-Age | 6 | | |
| X-Type | 6 | | |
| X-Secret | 6 | | |
| X-Content-Digest | 6 | | |
| X-Amz-Id-2 | 6 | | |
| Cache | 6 | | |
| X-Highwire-SessionId | 6 | | |
| X-Trace-App | 6 | | |
| X-PHP-Engine | 6 | | |
| Real-Hostname | 6 | | |
| X-TN-ServedBy | 6 | | |
| X-Loop | 6 | | |
| Xonnection | 6 | | |
| X-Cache-Group | 6 | | |
| X-Varnish-Cache | 6 | | |
| X-Highwire-RequestId | 5 | | |
| Host | 5 | | |
| X-Restarts | 5 | | |
| X-Amz-Request-Id | 5 | | |
| Generator | 5 | | |
| MIME-Version | 5 | | |
| X-Hits | 5 | | |
| X-Hostname | 5 | | |
| X-TNCMS-Venue | 5 | | |
| X-TNCMS-Version | 5 | | |
| X-TNCMS-Served-By | 5 | | |
| X-TNCMS-Memory-Usage | 5 | | |
| X-TNCMS-Render-Time | 5 | | |
| NS-RTIMER-COMPOSITE | 5 | | |
| PICS-Label | 5 | | |
| COMMERCE-SERVER-SOFTWARE | 5 | | |
| CT | 4 | | |
| X-UD-Host | 4 | | |
| Railo-Version | 4 | | |
| Accept-Language | 4 | | |
| Accept | 4 | | |
| WP-AdvCache-MemCached | 4 | | |
| ServerName | 4 | | |
| X-DmUser | 4 | | |
| MW-Webserver | 4 | | |
| X-Request-Start | 4 | | |
| X-UD-Method | 4 | | |
| X-AH-Environment | 4 | | |
| X-Responding-Server | 4 | | |
| X-Request-Path | 4 | | |
| X-I | 4 | | |
| X-Hosted-By | 4 | | |
| X-Src-Webcache | 4 | | |
| X-Request-Finish | 4 | | |
| X-StoreSense | 4 | | |
| X-ClientIP | 4 | | |
| X-ProStores-StoreApiEntryPoint | 4 | | |
| Node | 4 | | |
| X-UD-Target | 4 | | |
| User-Agent | 4 | | |
| X-S | 3 | | |
| X-PF-Uncompressing | 3 | | |
| X-Cocoon-Version | 3 | | |
| From | 3 | | |
| X-Matrix-Server | 3 | | |
| A-Powered-By | 3 | | |
| X-Generated-By | 3 | | |
| Charset | 3 | | |
| Iinfo | 3 | | |
| Cartoon | 3 | | |
| Cookie | 3 | | |
| X-EdgeRouter | 3 | | |
| Page-Completion-Status | 3 | | |
| X-SmugMug-Hiring | 3 | | |
| X-SmugMug-Values | 3 | | |
| X-Yadis-Location | 3 | | |
| X-CDN | 3 | | |
| X-FB-Debug | 3 | | |
| X-Enhanced-By | 3 | | |
| Lsrequestid | 3 | | |
| X-Cache-Server | 3 | | |
| SynthaSite-ID | 3 | | |
| X-Node | 3 | | |
| Cm-Server | 3 | | |
| X-Ignore | 3 | | |
| X-Quazar | 2 | | |
| X-Webstats-RespID | 2 | | |
| X-Page-Generation-Time | 2 | | |
| X-Page-Generated-At | 2 | | |
| MASTERWEBLET | 2 | | |
| X-Vivastreet | 2 | | |
| X-JSON-API-TTL | 2 | | |
| X-DDC-Arch-Trace | 2 | | |
| X-JSON-API-AGE | 2 | | |
| Referer | 2 | | |
| X-JSON-API-LATENCY | 2 | | |
| D | 2 | | |
| X-Wix-Renderer-Server | 2 | | |
| NnCoection | 2 | | |
| X-RE-Ref | 2 | | |
| X-LiteSpeed-Cache | 2 | | |
| X-Forwarded-For | 2 | | |
| X-PvInfo | 2 | | |
| Web-Server | 2 | | |
| X-Catalyst | 2 | | |
| CommunityServer | 2 | | |
| X-Country | 2 | | |
| ANDO | 2 | | |
| X-Cluster-Node | 2 | | |
| Proxy-Connection | 2 | | |
| Robots | 2 | | |
| X-Via-Node | 2 | | |
| X-Protocol | 2 | | |
| X-TwBackServer | 2 | | |
| EMP | 2 | | |
| X-Micro-Cache | 2 | | |
| X-Duration | 2 | | |
| Proxy-Agent | 2 | | |
| X-Varnish-Action | 2 | | |
| X-ATG-Version | 2 | | |
| X-Matrix-Proxy | 2 | | |
| X-TTL-Age | 2 | | |
| X-Invocation-Time | 2 | | |
| Content-Disposition | 2 | | |
| X-Country-Code | 2 | | |
| X-Frames-Options | 2 | | |
| X-Would-Your-GrandPa-Wait | 2 | | |
| IBM-Web2-Location | 2 | | |
| X-CMS-Version | 2 | | |
| X-Your-GrandPa-Would-Wait | 2 | | |
| X-Papaya-Cache | 2 | | |
| X-Garden-Version | 2 | | |
| X-Papaya-Gzip | 2 | | |
| X-Header | 2 | | |
| X-Cache-Status | 2 | | |
| X-ServerID | 2 | | |
| X-ELC-Checkpoint4 | 2 | | |
| Server-Name | 2 | | |
| Filter-Revision | 2 | | |
| X-Amz-Cf-Id | 2 | | |
| P3P:CP | 2 | | |
| X-Wily-Servlet | 2 | | |
| X-MidCOM-Meta-Cache | 2 | | |
| X-ApacheServer | 2 | | |
| Header | 2 | | |
| Publisher | 2 | | |
| X-Wily-Info | 2 | | |
| ServerID | 2 | | |
| Originate-Date | 2 | | |
| X-Cache-Hit | 2 | | |
| X-Cache-Expires | 2 | | |
| X-Source-Host | 2 | | |
| X-QuazarCache | 2 | | |
| X-Server-ID | 2 | | |
| X-Purge-URL | 2 | | |
| X-Cache-Debug | 2 | | |
| X-Purge-Host | 2 | | |
| X-Server-Name | 2 | | |
| X-Web-Hosting-Service-Provider | 1 | | |
| X-Amz-Meta-S3cmd-Attrs | 1 | | |
| Nr-Static-Host | 1 | | |
| X-Varnish-Machine | 1 | | |
| AmProxy | 1 | | |
| X-API-Limit-Remaining | 1 | | |
| X-Powered-Developer | 1 | | |
| X-Accelerated-By | 1 | | |
| X-JOBOFFER | 1 | | |
| X-Amz-Id-1 | 1 | | |
| Retry-After | 1 | | |
| X-Is-Mobile-Browser | 1 | | |
| X-Varnish-Age | 1 | | |
| HSID | 1 | | |
| X-DeliveryServer | 1 | | |
| HostName | 1 | | |
| X-HP-CAM-COLOR | 1 | | |
| Content-Base | 1 | | |
| X-MidCOM-Data-Cache | 1 | | |
| Response-Type | 1 | | |
| X-Vkk-Server | 1 | | |
| Aka-DNS-Name | 1 | | |
| MST-Version | 1 | | |
| XSecure | 1 | | |
| Magicmarker | 1 | | |
| X-REDIRECTSERVER | 1 | | |
| X-Context-Uid | 1 | | |
| X-SATserver | 1 | | |
| Window-Target | 1 | | |
| X-DEBUG2 | 1 | | |
| Rating | 1 | | |
| X-TicketABC-Theme | 1 | | |
| X-Application-Version | 1 | | |
| X-RSS-CACHE-STATUS | 1 | | |
| Upstream-Response-Time | 1 | | |
| Application/Zip | 1 | | |
| Mega-Cache | 1 | | |
| Upstream-Status | 1 | | |
| X-HG005 | 1 | | |
| X-Hrouter | 1 | | |
| X-Cache-Action | 1 | | |
| Progma | 1 | | |
| ISrvName | 1 | | |
| X-Real-Server | 1 | | |
| Jobb.Assistentpoolen.Se | 1 | | |
| Jobb.Gil.Se | 1 | | |
| Jobb.Passal.Se | 1 | | |
| Open.Jobgate.Se | 1 | | |
| Test.Executivepeople.Se | 1 | | |
| Www.Mabracertifiering.Se | 1 | | |
| Origin | 1 | | |
| Www.Mirrorgate.Se | 1 | | |
| X-PageCache | 1 | | |
| Time | 1 | | |
| WEBO | 1 | | |
| Compression-Control | 1 | | |
| X-IPC-BALANCEID | 1 | | |
| X-Jobs | 1 | | |
| Is-Cached | 1 | | |
| X-FarmId | 1 | | |
| X-NoLimit | 1 | | |
| X-Confirmit-ID | 1 | | |
| No-Cache | 1 | | |
| X-SiteFramework | 1 | | |
| X-Timer | 1 | | |
| Ajax-Info | 1 | | |
| Orignator | 1 | | |
| X-HomeAway-ServerPageType | 1 | | |
| X-Request-Time | 1 | | |
| X-Proxy | 1 | | |
| X-SOURCE | 1 | | |
| X-Cachestatus | 1 | | |
| X-Core-Mission | 1 | | |
| X-Head-Commit-Id | 1 | | |
| X-From | 1 | | |
| X-FrameworkVersion | 1 | | |
| X-Flex-Evend | 1 | | |
| ANUIESF5HOST | 1 | | |
| X-UD-REMOTE-ADDR | 1 | | |
| X-CMS-CRMSet | 1 | | |
| X-Age-Hash | 1 | | |
| X-Px | 1 | | |
| Docx | 1 | | |
| X-CMS-Info | 1 | | |
| X-Flex-Lang | 1 | | |
| X-SixCMS-CacheInfo | 1 | | |
| X-VIP-Info | 1 | | |
| ReqId | 1 | | |
| ANUIESF5URL | 1 | | |
| X-AWC-Cache | 1 | | |
| Expire | 1 | | |
| RareMVC | 1 | | |
| X-Pool-Info | 1 | | |
| Mirror | 1 | | |
| Content-Control | 1 | | |
| X-UD-Loopcounter | 1 | | |
| X-CMS-Collection | 1 | | |
| X-Lift-Version | 1 | | |
| Last-Modified: | 1 | | |
| X-Benchmark-Total | 1 | | |
| X-Server-By | 1 | | |
| X-MTX-DBCache[C-Pri] | 1 | | |
| X-Debug-0 | 1 | | |
| X-Flex-Evstart | 1 | | |
| Tempo | 1 | | |
| Author | 1 | | |
| X-CMS-Live | 1 | | |
| Http | 1 | | |
| X-RemoteIp | 1 | | |
| Cubix-Server | 1 | | |
| X-Panel-Id | 1 | | |
| X-Flex-Tag | 1 | | |
| Accept-Charset | 1 | | |
| ErrorCodeCount | 1 | | |
| X-Internal-Server | 1 | | |
| X-Cookie | 1 | | |
| X-Artvisual-Server | 1 | | |
| Request-Finish | 1 | | |
| TCP-Client-Port | 1 | | |
| X-Head | 1 | | |
| X-CPU-Time | 1 | | |
| Resp | 1 | | |
| X-SmartBan-Host | 1 | | |
| X-CMS-Nid | 1 | | |
| Set-Cookie2 | 1 | | |
| X-Content-Age | 1 | | |
| X-Onexcale-Version | 1 | | |
| X-Smart-Cache | 1 | | |
| Xlsx | 1 | | |
| X-ACMCache | 1 | | |
| X-Cache-Svr | 1 | | |
| X-Flex-Lastmod | 1 | | |
| KrkosskaHeaders | 1 | | |
| QYSID | 1 | | |
| X-CMS-Track | 1 | | |
| IP-Client-Addr | 1 | | |
| Svr | 1 | | |
| X-CMS-Server | 1 | | |
| X-Cache-0 | 1 | | |
| X-Confluence-Request-Time | 1 | | |
| X-Benchmark-Cache | 1 | | |
| Machine | 1 | | |
| Metrix-Cachesite | 1 | | |
| X-Cache-Operation | 1 | | |
| X-Zocalo-Cache | 1 | | |
| X-MID | 1 | | |
| Greenty-LTD | 1 | | |
| X-Backend-Ip | 1 | | |
| X-Aaid | 1 | | |
| X-T3CacheInfo | 1 | | |
| X-Bak | 1 | | |
| X-Header-Set-Id | 1 | | |
| X-Brought-To-You-By | 1 | | |
| X-Baked-By | 1 | | |
| X-Generated | 1 | | |
| X-Instance-Name | 1 | | |
| X-Coremedia-Cacheable | 1 | | |
| X-Gyrobase-Publication | 1 | | |
| X-Continum-Cache | 1 | | |
| X-Rewritten-By | 1 | | |
| X-ServerNickName | 1 | | |
| X-Totalblogs | 1 | | |
| Db | 1 | | |
| X-Hit-Cache | 1 | | |
| X-Tile | 1 | | |
| X-T3Cache | 1 | | |
| X-Beatles | 1 | | |
| X-Caching-Rule-Id | 1 | | |
| Noahs-Classifieds | 1 | | |
| 0 | 1 | | |
| B2f-Router-WisipageRouteRegex | 1 | | |
| X-RAMCache | 1 | | |
| X-Ba-0 | 1 | | |
| X-Transaction | 1 | | |
| X-App-Server | 1 | | |
| X-Generated-Time | 1 | | |
| X-Esi-Processing | 1 | | |
| X-Asid | 1 | | |
| X-PWb-Node | 1 | | |
| X-LOADED-FROM-CACHE | 1 | | |
| X-AspNetWebPages-Version | 1 | | |
| X-Benchmark-Sphinx-Count | 1 | | |
| X-Processing-Time | 1 | | |
| X-MTX-DBCache[C-247] | 1 | | |
| X-MTX-DBCache[C-217] | 1 | | |
| X-Benchmark-Sphinx | 1 | | |
| Route | 1 | | |
| X-Benchmark-Db | 1 | | |
| X-MTX-DBCache[C-216] | 1 | | |
| X-Cache-Rule | 1 | | |
| X-Revision | 1 | | |
| X-LB-Host | 1 | | |
| X-Filmed-By | 1 | | |
| X-Cache-TTL | 1 | | |
| X-Afp | 1 | | |
| X-AppExplorer | 1 | | |
| X-Nginx-Cache | 1 | | |
| X-Debug-SIP | 1 | | |
| X-Dynamic | 1 | | |
| Page.Ly | 1 | | |
| X-AMXFCGI | 1 | | |
| X-SmartBan-URL | 1 | | |
| X-ServerName | 1 | | |
| SrvName | 1 | | |
| Location | 1 | | |
| Access-Control-Allow-Credentials | 1 | | |
| X-Serendipity-ML-SL-RESET | 1 | | |
| RTSS | 1 | | |
| X-MadeOn | 1 | | |
| X-Worker | 1 | | |
| X-ManagedFusion-Rewriter-Version | 1 | | |
| X-Serendipity-InterfaceLangSource | 1 | | |
| X-CMS | 1 | | |
| X-Rootblog | 1 | | |
| X-ServerCache-Info | 1 | | |
| X-Answer | 1 | | |
| Spot | 1 | | |
| X-Ravn-Src | 1 | | |
| X-ServerCache-Fresh | 1 | | |
| X-Cache-Headers-Set-By | 1 | | |
| Content-MD5 | 1 | | |
| Origin-Server | 1 | | |
| X-Url | 1 | | |
| Head | 1 | | |
| X-Pixelsilk-Version | 1 | | |
| JP | 1 | | |
| X-Serendipity-ContentLang | 1 | | |
| -Onnection | 1 | | |
| X-Software-Info | 1 | | |
| X-Serendipity-InterfaceLang | 1 | | |
| X-Created-On | 1 | | |
| XX-Secured-By | 1 | | |
| X-Cached | 1 | | |
| X-Id | 1 | | |
| X-TISSERVER | 1 | | |
| ServedBy | 1 | | |
| DCGI-Server | 1 | | |
| Thanks | 1 | | |
| Source | 1 | | |
| X-GLaDOS | 1 | | |
| SN | 1 | | |
| Edge-Control | 1 | | |
| X-Blog | 1 | | |
| X-Haiku | 1 | | |
| Req-Id | 1 | | |
| X-Page-Speed | 1 | | |
| X-Src-Loadbalancer | 1 | | |
| NLCacheNote | 1 | | |
| X-Nitra-Side | 1 | | |
| X-Processing-Finished | 1 | | |
| X-Session-Reinit | 1 | | |
| S | 1 | | |
| Exprires | 1 | | |
| X-User-Agent | 1 | | |
| X-Ttl | 1 | | |
| X-Bettercache-Proxy | 1 | | |
| Pool | 1 | | |
| Access-Control-Allow-Methods | 1 | | |
| X-Object-Id | 1 | | |
| X-Object-Type | 1 | | |
| Beyond-Iis | 1 | | |
| X-Processing-Begin | 1 | | |
| X-Snapsis-PageBlaster | 1 | | |
| X-Handled-By | 1 | | |
| X-Hesa-Caching-Strategy | 1 | | |
| X-XTM-Node | 1 | | |
| X-Nocache | 1 | | |
| X-NGINX-CACHED | 1 | | |
| X-Phpwcms-Release | 1 | | |
| X-VBackend | 1 | | |
| SHOULD-BE-HTTPS | 1 | | |
| Content | 1 | | |
| Www.Jxyxyz.Net | 1 | | |
| X-ERM-RunTime | 1 | | |
| CachedXSLT | 1 | | |
| X-Cache-Control-Orig | 1 | | |
| Max-Age | 1 | | |
| Request-Time | 1 | | |
| X-CDIVarnish-HomePage | 1 | | |
| X-Processed-By | 1 | | |
| Wrapper | 1 | | |
| Srv | 1 | | |
| X-Apublish-Id | 1 | | |
| X-Hosting | 1 | | |
| X-Phpwcms-Page-Processed-In | 1 | | |
| X-Changefreq | 1 | | |
| X-Flex-Tags | 1 | | |
| If-Modified-Since | 1 | | |
| X-Via | 1 | | |
| Backend | 1 | | |
| Request-Start | 1 | | |
| X-Generate | 1 | | |
| X-Origin | 1 | | |
| X-CMS-Sid | 1 | | |
| X-Varnish-Hostname | 1 | | |
| X-BinarySEC-NoCache | 1 | | |
| X-CMS-Stage | 1 | | |
| X-Whom | 1 | | |
| X-CMS-State | 1 | | |
| Language | 1 | | |
| A | 1 | | |
| SrvID | 1 | | |
| X-Oneclick-Backend | 1 | | |
| ExecutionTime | 1 | | |
| X-Capcom-Uid | 1 | | |
| S-Maxage | 1 | | |
| X-Pixelsilk-Server | 1 | | |
| Load-Balanced | 1 | | |
| X-Varnish-TTL | 1 | | |
| CacheControl | 1 | | |
| CACHED-RESPONSE | 1 | | |
| Cahe-Control | 1 | | |
| X-Varnish-Cacheable | 1 | | |
| X-Varnish-Host | 1 | | |
| X-ORACLE-DMS-ECID | 1 | | |
| X-LinkFreeze-Control | 1 | | |
| X-DIP | 1 | | |
| X-NGINX-CACHED-AT | 1 | | |
| X-Capcom-Srvr | 1 | | |
| Cneonction | 1 | | |
| X-Logged-In | 1 | | |
| X-Application | 1 | | |
| X-ERM-ServerName-AppPage | 1 | | |
| RayEngine | 1 | | |
| X-Expires-Orig | 1 | | |
| Nocache | 1 | | |
| X-CMS-Tid | 1 | | |
Internet Storm Center
Training
Certification
SANS Technology Institute
Security Awareness
Latest News
Computer Forensics
IT Audit
Software Security
