HTTP Security Headers on top 10k Alexa websites

EDIT: Added statistics of max-age option.

Hi there,

This blog post deals with HTTP Security Headers on top 10k Alexa websites. Based on this discussion on netsec, I decided to do some statistics on Alexa ranking.

To do this study, I did a GET HTTP Request and saved the headers in the HTTP response. This has been done using Python.

First of all, I scanned 10000 hosts. 555 hosts didn't respond so those statistics are based on 9445 hosts.

Then, I checked the presence of HTTP security Headers. OWASP provides a good resource here where they define HTTP Security Headers.

Basically, I checked the presence of those ones:

  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Strict-Transport-Security
  • Content-Security-Policy
  • Content-Security-Policy-Report-Only

Here are the results:

Then, I decided to realize statistics on the different values for some of the most used HTTP header.




Max-age statistics


This header doesn't allow options so the only value is NOSNIFF. All 202 hosts had this value.

Hope you liked it and that it gave you updated information about the (bad, unfortunately) usage of Security headers.