Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Shodan HTTP Header Survey

After a few months of back and forth, the first stage of our HTTP Header research is now live on the Shodan website.

A survey of Alexa’s top 10,000 websites on the Internet was conducted to measure the usage of security-related HTTP headers, mobile awareness and potential information leakage.

The HTTP Header Survey analyses the top 10,000 websites using techniques I first discussed in connection with the UA-Tester tool. Gathering the response headers of those 10,000 sites lets us examine the different responses and the usage of HTTP headers, including those specifically designed to help secure sites and browsers against attack.

The initial report covers some of the findings from this research, including the usage of security-related headers such as:

  • X-XSS-Protection
  • X-Frame-Options
  • Access-Control-Allow-Origin
  • Strict-Transport-Security (where possible; browsers only honour this header when it arrives over HTTPS)

Click to view the complete survey

We also touch on some of the more interesting responses from servers that expose information about the back-end infrastructure, server types and software versions in use.
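To make the two kinds of measurement concrete (presence and strength of the security headers listed above, and information leakage through headers such as Server and X-Powered-By), here is an added example of the per-response classification a header survey performs. It is not the survey's own code, nor part of UA-Tester; the two sample responses are constructed for the example, and the set of "leaky" header names and the weak-value checks are this example's own choices.

```python
"""Classify HTTP response headers the way a header survey would.

Added example, not the survey's code. The sample responses are constructed.
"""
import re
from typing import Dict, List, Tuple

# Security-related headers the survey reports on (from the post's list).
SECURITY_HEADERS = (
    "x-xss-protection",
    "x-frame-options",
    "access-control-allow-origin",
    "strict-transport-security",
)

# Headers that commonly leak infrastructure details (set chosen for this example).
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via", "x-generator")

VERSION_RE = re.compile(r"\d+\.\d+")  # matches "Apache/2.2.15", "PHP/5.3.3", ...


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a dict keyed by lower-cased name.

    Reads the status line and header block only; the body after the first
    blank line is ignored. A repeated header keeps its last value.
    """
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or -1 if absent/malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return -1


def analyse(raw: str, over_https: bool) -> dict:
    """Report which security headers are present/missing, which carry a weak
    value, and which headers leak server type or software version."""
    h = parse_raw_headers(raw)
    present = [n for n in SECURITY_HEADERS if n in h]
    missing = [n for n in SECURITY_HEADERS if n not in h]
    findings: List[str] = []

    if h.get("x-xss-protection", "").startswith("0"):
        findings.append("X-XSS-Protection explicitly disables the browser filter")

    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has a non-standard value: {h['x-frame-options']}")

    if h.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin: * lets any origin read responses")

    if "strict-transport-security" in h:
        if not over_https:
            findings.append("Strict-Transport-Security sent over plain HTTP is ignored by browsers")
        elif hsts_max_age(h["strict-transport-security"]) <= 0:
            findings.append("Strict-Transport-Security max-age is zero or missing (policy disabled)")

    # Information leakage: record the leaky headers and flag version strings.
    leaks = {n: h[n] for n in LEAKY_HEADERS if n in h}
    for name, value in leaks.items():
        if VERSION_RE.search(value):
            findings.append(f"{name} discloses a software version: {value}")

    return {"present": present, "missing": missing, "findings": findings, "leaks": leaks}


def survey(responses: List[Tuple[str, bool]]) -> Dict[str, int]:
    """Aggregate how many responses carry each security header (survey-style)."""
    counts = {n: 0 for n in SECURITY_HEADERS}
    for raw, https in responses:
        for n in analyse(raw, https)["present"]:
            counts[n] += 1
    return counts


# Constructed sample responses (not real survey data).
SAMPLE_HTTPS = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: text/html

<html>...</html>
"""

SAMPLE_HTTP = """HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=0
Content-Type: text/html
"""

if __name__ == "__main__":
    for raw, https in ((SAMPLE_HTTPS, True), (SAMPLE_HTTP, False)):
        print(analyse(raw, https))
    print(survey([(SAMPLE_HTTPS, True), (SAMPLE_HTTP, False)]))
```

Counting a header as "present" is not the same as counting it as effective: the second sample sends Strict-Transport-Security, but over plain HTTP browsers discard it, and its wildcard Access-Control-Allow-Origin is a weakening rather than a protection. A survey that only tallies header names would score that response as well as the first one, which is why the value checks matter.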

The data we’ve gathered still has a lot of secrets to give up, but analysis takes time, and we wanted to get this first stage into the public eye for comments and feedback. We also wanted to provide a direct link to the data we’ve collected so that you can do your own analysis should you wish.

We hope you find the information useful.


