How common are http security headers really?
A recent issue of the German iX magazin featured an article on improving end user security by enabling HTTP security headers
- X-XSS-Protection,
- X-Content-Type-Options MIME type sniffing,
- Content-Security-Policy,
- X-Frame-Options,
- and HSTS Strict-Transport-Security.
Usage of X-XSS-Protection
Header visible for only 14 of 245 (5%) of the scanned websites. As 2 are just disabling the setting it is only 4% of the websites enabling it.| Website | Header |
|---|---|
| www.adcash.com | X-XSS-Protection: 1; mode=block |
| www.badoo.com | X-XSS-Protection: 1; mode=block |
| www.blogger.com | X-XSS-Protection: 1; mode=block |
| www.blogspot.com | X-XSS-Protection: 1; mode=block |
| www.facebook.com | X-XSS-Protection: 0 |
| www.feedburner.com | X-XSS-Protection: 1; mode=block |
| www.github.com | X-XSS-Protection: 1; mode=block |
| www.google.de | X-XSS-Protection: 1; mode=block |
| www.live.com | X-XSS-Protection: 0 |
| www.meinestadt.de | X-XSS-Protection: 1; mode=block |
| www.openstreetmap.org | X-XSS-Protection: 1; mode=block |
| www.tape.tv | X-XSS-Protection: 1; mode=block |
| www.xing.de | X-XSS-Protection: 1; mode=block; report=https://www.xing.com/tools/xss_reporter |
| www.youtube.de | X-XSS-Protection: 1; mode=block; report=https://www.google.com/appserve/security-bugs/log/youtube |
Usage of X-Content-Type-Options
Here 15 of 245 websites (6%) enable the option.| Website | Header |
|---|---|
| www.blogger.com | X-Content-Type-Options: nosniff |
| www.blogspot.com | X-Content-Type-Options: nosniff |
| www.deutschepost.de | X-Content-Type-Options: NOSNIFF |
| www.facebook.com | X-Content-Type-Options: nosniff |
| www.feedburner.com | X-Content-Type-Options: nosniff |
| www.github.com | X-Content-Type-Options: nosniff |
| www.linkedin.com | X-Content-Type-Options: nosniff |
| www.live.com | X-Content-Type-Options: nosniff |
| www.meinestadt.de | X-Content-Type-Options: nosniff |
| www.openstreetmap.org | X-Content-Type-Options: nosniff |
| www.spotify.com | X-Content-Type-Options: nosniff |
| www.tape.tv | X-Content-Type-Options: nosniff |
| www.wikihow.com | X-Content-Type-Options: nosniff |
| www.wikipedia.org | X-Content-Type-Options: nosniff |
| www.youtube.de | X-Content-Type-Options: nosniff |
Usage of Content-Security-Policy
Actually only 1 website in the top 200 Alexa ranked websites uses CSP and this lonely site is github. The problem with CSP obviously being the necessity to have a clear structure for the origin domains of the site elements. And the less advertisments and tracking pixels you have the easier it becomes...| Website | Header |
|---|---|
| www.github.com | Content-Security-Policy: default-src *; script-src https://github.global.ssl.fastly.net https://ssl.google-analytics.com https://collector-cdn.github.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://github.global.ssl.fastly.net; object-src https://github.global.ssl.fastly.net |
Usage of X-Frame-Options
The X-Frame-Options header is currently delivered by 43 of 245 websites (17%).| Website | Header |
|---|---|
| www.adcash.com | X-Frame-Options: SAMEORIGIN |
| www.adf.ly | X-Frame-Options: SAMEORIGIN |
| www.avg.com | X-Frame-Options: SAMEORIGIN |
| www.badoo.com | X-Frame-Options: DENY |
| www.battle.net | X-Frame-Options: SAMEORIGIN |
| www.blogger.com | X-Frame-Options: SAMEORIGIN |
| www.blogspot.com | X-Frame-Options: SAMEORIGIN |
| www.dailymotion.com | X-Frame-Options: deny |
| www.deutschepost.de | X-Frame-Options: SAMEORIGIN |
| www.ebay.de | X-Frame-Options: SAMEORIGIN |
| www.facebook.com | X-Frame-Options: DENY |
| www.feedburner.com | X-Frame-Options: SAMEORIGIN |
| www.github.com | X-Frame-Options: deny |
| www.gmx.de | X-Frame-Options: deny |
| www.gmx.net | X-Frame-Options: deny |
| www.google.de | X-Frame-Options: SAMEORIGIN |
| www.groupon.de | X-Frame-Options: SAMEORIGIN |
| www.imdb.com | X-Frame-Options: SAMEORIGIN |
| www.indeed.com | X-Frame-Options: SAMEORIGIN |
| www.instagram.com | X-Frame-Options: SAMEORIGIN |
| www.java.com | X-Frame-Options: SAMEORIGIN |
| www.linkedin.com | X-Frame-Options: SAMEORIGIN |
| www.live.com | X-Frame-Options: deny |
| www.mail.ru | X-Frame-Options: SAMEORIGIN |
| www.mozilla.org | X-Frame-Options: DENY |
| www.netflix.com | X-Frame-Options: SAMEORIGIN |
| www.openstreetmap.org | X-Frame-Options: SAMEORIGIN |
| www.oracle.com | X-Frame-Options: SAMEORIGIN |
| www.paypal.com | X-Frame-Options: SAMEORIGIN |
| www.pingdom.com | X-Frame-Options: SAMEORIGIN |
| www.skype.com | X-Frame-Options: SAMEORIGIN |
| www.skype.de | X-Frame-Options: SAMEORIGIN |
| www.softpedia.com | X-Frame-Options: SAMEORIGIN |
| www.soundcloud.com | X-Frame-Options: SAMEORIGIN |
| www.sourceforge.net | X-Frame-Options: SAMEORIGIN |
| www.spotify.com | X-Frame-Options: SAMEORIGIN |
| www.stackoverflow.com | X-Frame-Options: SAMEORIGIN |
| www.tape.tv | X-Frame-Options: SAMEORIGIN |
| www.web.de | X-Frame-Options: deny |
| www.wikihow.com | X-Frame-Options: SAMEORIGIN |
| www.wordpress.com | X-Frame-Options: SAMEORIGIN |
| www.yandex.ru | X-Frame-Options: DENY |
| www.youtube.de | X-Frame-Options: SAMEORIGIN |
Usage of HSTS Strict-Transport-Security
HSTS headers can only be found on a few front pages (8 of 245). Maybe it is visible more on the login pages and is avoided on front pages for performance reasons, maybe not. That would require further analysis. What can be said is only some larger technology leaders are brave enough to use it on the front page:| Website | Header |
|---|---|
| www.blogger.com | Strict-Transport-Security: max-age=10893354; includeSubDomains |
| www.blogspot.com | Strict-Transport-Security: max-age=10893354; includeSubDomains |
| www.facebook.com | Strict-Transport-Security: max-age=2592000 |
| www.feedburner.com | Strict-Transport-Security: max-age=10893354; includeSubDomains |
| www.github.com | Strict-Transport-Security: max-age=31536000 |
| www.paypal.com | Strict-Transport-Security: max-age=14400 |
| www.spotify.com | Strict-Transport-Security: max-age=31536000 |
| www.upjers.com | Strict-Transport-Security: max-age=47336400 |