Security-related HTTP headers in the wild


As Veracode published their analysis of security headers on the top 1m websites, I realized that I can actually compare their results with mine.

Veracode's analysis (Security Headers on the Top 1,000,000 Websites: March 2014 Report) is valuable because it shows how websites are really using relatively new HTTP security features in production.

My data set is around 430'000 websites scanned as part of the project. My scanner is much slower than Veracode's because I'm not really scanning for HTTP headers only, but rather for cookies. And to see a more complete picture I'm running a full-blown WebKit parser on each tested website to see cookies set by JavaScript and Flash — which obviously makes the scan much slower.

Header                        Veracode   Mine
X-XSS-Protection              7%         4%
X-Content-Type-Options        7%         4%
X-Frame-Options               5%         4%
Access-Control-Allow-Origin   1%         0.8%
Strict-Transport-Security     0.2%       0.4%
Public-Key-Pins               3          2
Content-Security-Policy       0.05%      0.1%

As you can see, both result sets are quite similar. I'm not really surprised that so few sites use Content-Security-Policy, as it's quite difficult to set up on existing websites and not really easy even on a brand new website. On the other hand, if you look at which high-profile websites are actually targeted by attackers (such as Google or FB), most of them do use both STS and CSP. It's just that the effort of setting these up is outweighed by the increase in security for their users.
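To show how a table like the one above is produced, here is an added example (not the scanner from this post, nor Veracode's tooling) that parses raw HTTP response heads, checks case-insensitively for the seven headers compared above, and computes their prevalence over a sample. The sample responses are constructed for the example and are not real scan data.

```python
from collections import Counter

# The seven headers compared in the table above.
SECURITY_HEADERS = (
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Access-Control-Allow-Origin",
    "Strict-Transport-Security",
    "Public-Key-Pins",
    "Content-Security-Policy",
)

def parse_headers(raw):
    """Parse a raw HTTP response head into a dict keyed by lowercased name.
    Header names are case-insensitive, so 'x-frame-options' and
    'X-Frame-Options' must count as the same header."""
    head = raw.split("\r\n\r\n", 1)[0]   # drop the body, if any
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def present_security_headers(headers):
    """Return the security headers (in table order) found in one response."""
    return [h for h in SECURITY_HEADERS if h.lower() in headers]

def prevalence(responses):
    """Percentage of responses carrying each security header, one decimal."""
    counts = Counter()
    for raw in responses:
        counts.update(present_security_headers(parse_headers(raw)))
    n = len(responses)
    return {h: round(100.0 * counts[h] / n, 1) for h in SECURITY_HEADERS}

# Constructed sample responses (not real scan data).
SAMPLE = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-frame-options: DENY\r\nX-Content-Type-Options: nosniff\r\n\r\n<html>",
    "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\nContent-Security-Policy: default-src 'self'\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.invalid/\r\n\r\n",
    "HTTP/1.1 200 OK\r\nSet-Cookie: a=b\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
]

if __name__ == "__main__":
    for header, pct in prevalence(SAMPLE).items():
        print(f"{header:<28} {pct}%")
```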

My numbers came from a quick database lookup, but the data set is open to anyone who would like to perform any deeper analysis — just contact me on G+.