EDIT: Added statistics for the max-age option.
To do this study, I sent an HTTP GET request and saved the headers of the HTTP response. This was done using Python.
First of all, I scanned 10000 hosts. 555 hosts didn't respond, so these statistics are based on 9445 hosts.
Then, I checked for the presence of HTTP security headers. OWASP provides a good resource here where they define HTTP security headers.
Basically, I checked for the presence of these:
Here are the results:
Then, I decided to compile statistics on the different values for some of the most used HTTP headers.
This header doesn't allow options so the only value is
All 202 hosts had this value.
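The following is an added example, not the script used for this study: one way to tally header presence, per-header values and the HSTS `max-age` option from saved response headers. The header list, the function names `hsts_max_age` and `tally`, and the sample responses are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed header list; the post's own list is not reproduced on the page.
SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options", "referrer-policy")
MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def hsts_max_age(value):
    """Return max-age in seconds from an HSTS value, or None if missing/malformed."""
    for directive in value.split(";"):
        match = MAX_AGE.fullmatch(directive.strip())
        if match:
            return int(match.group(1))
    return None


def tally(responses):
    """responses maps host -> response headers; returns (presence, values, max_ages)."""
    presence, max_ages = Counter(), Counter()
    values = {name: Counter() for name in SECURITY_HEADERS}
    for headers in responses.values():
        # Header names are case-insensitive; values are lower-cased for grouping.
        seen = {k.lower(): v.strip() for k, v in headers.items()}
        for name in SECURITY_HEADERS:
            if name in seen:
                presence[name] += 1
                values[name][seen[name].lower()] += 1
        if "strict-transport-security" in seen:
            max_ages[hsts_max_age(seen["strict-transport-security"])] += 1
    return presence, values, max_ages


# Constructed sample responses, not data from the study.
SAMPLE = {
    "a.example": {"strict-transport-security": "max-age=31536000; includeSubDomains",
                  "X-Content-Type-Options": "nosniff"},
    "b.example": {"Strict-Transport-Security": "max-age=0", "X-Frame-Options": "DENY"},
    "c.example": {"Server": "nginx", "X-Content-Type-Options": "NOSNIFF"},
    "d.example": {"Strict-Transport-Security": "includeSubDomains"},
}

if __name__ == "__main__":
    presence, values, max_ages = tally(SAMPLE)
    for name in SECURITY_HEADERS:
        print(f"{name}: {presence[name]}/{len(SAMPLE)} hosts, values={dict(values[name])}")
    print("HSTS max-age distribution:", dict(max_ages))
```

A `max-age` of `None` in the distribution marks an HSTS header sent without a valid `max-age`, and `0` marks a host that is actively clearing the policy; both are worth counting separately from real lifetimes.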
Hope you liked it and that it gave you updated information about the (bad, unfortunately) usage of security headers.