• Accept-CH

    Client Hints is a new proposed header that requests additional user agent information such as device pixel ratio (DPR), screen width etc. The header standardizes the way this information is delivered from the client browser through an HTTP header, rather than through the previously employed JavaScript APIs.

    Count: 4
  • Access-Control-Allow-Origin

    Controls the origins (websites) that are allowed to load data from this web service over JavaScript-based APIs as part of the Cross-Origin Resource Sharing (CORS) standard. By default, a web browser will refuse to load data over XMLHttpRequest from a website that is not in the same origin, which is a precaution against various types of data-stealing attacks. The target server has to explicitly allow the origin domain using the Access-Control-Allow-Origin (ACAO) header, or it may allow all origins to access it using a wildcard *. The latter, however, creates a potential security issue if the website in question is transactional and processes sensitive data, so the wildcard should only be used on websites consciously offering public APIs.

    Count: 59442
  • Clear-Site-Data

    The header instructs the browser to clear sensitive user data from persistent storage, such as browser cache, cookies etc.

    Count: 1
  • Content-Security-Policy

    Content Security Policy is used by a web server to declare a list of trusted content types (images, scripts, media etc) and the origins from which they can be safely loaded as intended by the website authors. The Content-Security-Policy header instructs the browser to enable CSP in enforcement mode.

    Count: 4100
  • Content-Security-Policy-Report-Only

    Content Security Policy is used by a web server to declare a list of trusted content types (images, scripts, media etc) and the origins from which they can be safely loaded as intended by the website authors. The Content-Security-Policy-Report-Only header instructs the browser to enable CSP in "report-only" mode, where no content blocking is enforced and would-be-blocked origins are reported, allowing website authors to fine-tune the policy.

    Count: 1356
  • DNT

    The Do-Not-Track (DNT) header can be seen in both HTTP requests and responses. In the request, it indicates the user's preference regarding online tracking and behavioral advertising (1=don't mind tracking, 0=do not track). In the response, a compliant server should respond with the same value. In addition, the Tk (Tracking Status) header should be set, detailing the tracking policy.

    Count: 66
  • Expect-CT

    The Expect-CT header allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that the browser check that any certificate for that site appears in public CT logs.

    Count: 9991
  • Feature-Policy

    Allows web developers to selectively enable and disable specific web technologies, especially those that enable two-way communication between the user and the web application. For example, the header may inform the user's mobile device that the website does not use the camera or location tracking by design.

    Count: 158
  • Frame-Options

    A misspelled and incorrect variant of the X-Frame-Options header, introduced as a result of an incorrect interpretation of the RFC 7034 standard. The Frame-Options variant was introduced to be used in Content Security Policy (CSP), while for HTTP headers X-Frame-Options remains the valid name.

    Count: 89
  • Link

    Indicates the location of sub-resources for the given page in a machine-readable format. It may come in a number of types, for example next page, previous page, index page, preloading resources etc.

    Count: 152496
  • Location

    The HTTP Location header is returned by a server to redirect the web browser to a new URL for the requested resource. The URL may be relative (/index.html) or absolute (https://example.com).

    Count: 77942
  • MicrosoftOfficeWebServer

    A non-standard header used by Microsoft SharePoint and Office applications to communicate the version of the server platform. Since it contains a detailed version of the software, it probably shouldn't be advertised on the public Internet.

    Count: 2229
  • MicrosoftSharePointTeamServices

    A non-standard header used by Microsoft SharePoint and Office applications to communicate the version of the server platform. Since it contains a detailed version of the software, it probably shouldn't be advertised on the public Internet.

    Count: 2459
  • NEL

    Network Error Logging (NEL) defines a mechanism enabling web applications to declare a reporting policy that can be used by a user agent to report network errors for a given origin.

    Count: 70
  • P3P

    A largely abandoned format for declaring a website's privacy policy in machine-readable form. The only reason for many websites to use the header was that old versions of Microsoft Internet Explorer disallowed third-party cookies on websites missing P3P.

    Count: 119054
  • PICS-Label

    Platform for Internet Content Selection (PICS) is a largely abandoned standard for rating and labelling web content.

    Count: 313
  • Public-Key-Pins

    Announces a list of X.509 certificate hashes that are allowed to appear in the website's TLS certification path (HTTP Public Key Pinning, or HPKP). This prevents malicious proxy servers from transparently replacing the public certificates with their own and wiretapping the TLS connection of an unsuspecting user. This header sets HPKP in enforcement mode.

    Count: 359
  • Public-Key-Pins-Report-Only

    Announces a list of X.509 certificate hashes that are allowed to appear in the website's TLS certification path (HTTP Public Key Pinning, or HPKP). This prevents malicious proxy servers from transparently replacing the public certificates with their own and wiretapping the TLS connection of an unsuspecting user. This header sets HPKP in report-only mode.

    Count: 210
  • Referrer-Policy

    The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with the requests a page makes.

    Count: 3263
  • Report-To

    The header defines a generic reporting framework which allows web developers to associate a set of named reporting endpoints with an origin. Various platform features (like Content Security Policy, Network Error Reporting, and others) may use these endpoints to deliver feature-specific reports in a consistent manner.

    Count: 77
  • Server

    Announces web server software and optionally version details.

    Count: 1314406
  • Strict-Transport-Security

    HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header.

    Count: 37854
  • Tk

    The Tracking Status header provides detailed information on the server's tracking policy and status. The most common values are N (not tracking) and T (tracking with user consent).

    Count: 28
  • X-AspNet-Version

    A non-standard header used by the Microsoft ASP.NET platform to advertise its detailed version.

    Count: 79349
  • X-Clacks-Overhead

    A purely informational and non-standard header initially established in memory of the popular fantasy author Terry Pratchett. Counterintuitively for most IT people, the most frequently seen value, GNU, is not related to the open-source GNU project, but rather is a telegraph code originating from Pratchett's "Discworld" cult series.

    Count: 473
  • X-Content-Security-Policy

    Legacy and deprecated variant of the Content-Security-Policy header used by WebKit browsers in the initial period.

    Count: 652
  • X-Content-Security-Policy-Report-Only

    Legacy and deprecated variant of the Content-Security-Policy-Report-Only header used by Firefox and MSIE browsers in the initial period.

    Count: 60
  • X-Content-Type-Options

    A non-standard but widely accepted header, introduced originally by Microsoft, to disable "content sniffing", the heuristic discovery of a content type in the absence or mismatch of a proper HTTP Content-Type declaration, which led to a number of web attacks. In general, the presence of the header with its only defined value, nosniff, is considered part of a properly secured HTTP response.

    Count: 91976
  • X-Frame-Options

    Instructs the browser whether the current website can be embedded in an HTML frame by another website. Since this allows the parent website to control the framed page, it creates a potential for data theft attacks ("clickjacking"), and most sensitive websites won't allow themselves to be framed at all (deny) or only allow parts of themselves to be embedded in frames created by their own origin (sameorigin).

    Count: 78448
  • X-Permitted-Cross-Domain-Policies

    A header used by the Adobe Flash engine to control cross-site access for Flash applications. Most websites not using Flash would prefer to set it to the value none as an additional precaution against their use in advanced Flash-based XSS vectors. Flash-serving websites can use it to declare the scope of detailed Flash cross-site policies per the Adobe specification.

    Count: 1941
  • X-Powered-By

    A non-standard and purely informational, but still very widespread, header whose only purpose is to advertise the name and optionally the version of the software used to run the web server.

    Count: 638053
  • X-Robots-Tag

    Controls the behavior of search engine bots and may contain most of the directives usually found in the robots.txt file.

    Count: 6205
  • X-WebKit-CSP

    Legacy and deprecated variant of the Content-Security-Policy header used by WebKit browsers in the initial period.

    Count: 336
  • X-WebKit-CSP-Report-Only

    Legacy and deprecated variant of the Content-Security-Policy-Report-Only header used by WebKit browsers in the initial period.

    Count: 31
  • X-XSS-Protection

    Controls the Cross-Site Scripting (XSS) filter built into the majority of web browsers. The filter is usually turned on by default anyway, but the requirement to set the header to 1 became part of the canonical set of "secure" HTTP headers. Over time, vulnerabilities in the "sanitizing" mode of the filter were found, so 1; mode=block became the recommended value. Some companies decided that they don't really need a browser-side XSS filter interfering with their web services, which are XSS-free anyway, and began consciously disabling the XSS filter by setting the header to 0.

    Count: 79358