In our analysis of the technology used by the top websites, we have queried the data on the usage of HTTP Header security controls.
This is a breakdown of the HTTP header security features that have been developed by different organizations. These controls use features in the web browser to protect the user from browser-based exploits. Unfortunately it is clear from the results that adoption of these security controls is at best minimal, and actually closer to non-existent, among the top websites.
HttpOnly flag on the Set-Cookie header
Total Set-Cookie headers: 682598
Cookies with HttpOnly flag set: 88442
The browser must support the HttpOnly flag for this mitigation to be effective.
Full details of the supported browsers, and of implementing HttpOnly cookies in .NET, Tomcat and PHP, are all covered on the Wikipedia page.
X-Frame-Options HTTP Header
Number of sites with X-Frame-Options Header: 9009
This header informs the browser if a web page is allowed to be framed in another web page or not. The main purpose for this protection is to prevent malicious sites from conducting a click-jacking attack against the user.
There are two values available for X-Frame-Options. The first is SAMEORIGIN, which allows the page to be framed only by a page from the same domain. The other, more restrictive, value is DENY, which prevents the page from being framed at all.
X-XSS-Protection HTTP Header
Number of sites with X-XSS-Protection enabled: 25423
This header is only used by Internet Explorer 8 and turns on its built-in cross-site scripting protection. The reason it is needed is that IE 8 shipped with the cross-site scripting protection turned off by default, out of concern that some web sites might break if it were turned on.
To turn the protection on, the server sends the header like this:
X-XSS-Protection: 1; mode=block
X-Content-Security-Policy HTTP Header
Number of sites with X-Content-Security-Policy enabled: 36
If specific third-party resources are required, settings are available to whitelist specific domains and file types.
Mozilla has a lot of detail on this security feature, and there are actually a lot of good reasons to use the X-Content-Security-Policy header.
Unfortunately it seems most web / system administrators are not aware of it or just do not care...
These stats have been quickly pulled together from the data we have been processing. Some, like the X-Content-Security-Policy total of 36, seem a bit off, but I have double-checked and re-run the query. No guarantee of accuracy is provided, but it's pretty close.
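As an added example (not part of the original post or its tooling), a small Python audit that checks one response's headers for the four controls discussed above and tallies the results across sites the way the counts quoted here were built. The header values are constructed sample data, not real site responses.

```python
from collections import Counter

# Constructed sample response headers (not real site data), in the shape
# returned by http.client.HTTPResponse.getheaders(): a list of (name, value).
SAMPLE_HEADERS = [
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "pref=dark; Path=/"),           # missing HttpOnly
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-XSS-Protection", "1; mode=block"),
]

def _has_httponly(set_cookie):
    """True when the Set-Cookie value carries the HttpOnly attribute (case-insensitive)."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "httponly" in attrs

def audit_headers(headers):
    """Return findings for one response: cookie flag coverage and the three headers."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    cookies = by_name.get("set-cookie", [])
    missing = [c.split("=", 1)[0].strip() for c in cookies if not _has_httponly(c)]
    xfo = by_name.get("x-frame-options", [""])[0].strip().upper()
    xss = by_name.get("x-xss-protection", [""])[0].replace(" ", "").lower()
    return {
        "cookies_total": len(cookies),
        "cookies_httponly": len(cookies) - len(missing),
        "cookies_missing_httponly": missing,
        # only the two values the post describes count as a valid policy
        "x_frame_options": xfo if xfo in ("DENY", "SAMEORIGIN") else None,
        "x_xss_protection_block": xss == "1;mode=block",
        # the Mozilla-prefixed header from the post, plus the unprefixed standard name
        "csp_present": any(h in by_name for h in ("x-content-security-policy", "content-security-policy")),
    }

def summarise(sites):
    """Tally per-site findings into totals like the counts quoted in the post."""
    totals = Counter()
    for headers in sites:
        f = audit_headers(headers)
        totals["set_cookie_headers"] += f["cookies_total"]
        totals["cookies_httponly"] += f["cookies_httponly"]
        totals["sites_x_frame_options"] += int(f["x_frame_options"] is not None)
        totals["sites_xss_block"] += int(f["x_xss_protection_block"])
        totals["sites_csp"] += int(f["csp_present"])
    return totals

if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS))
    print(summarise([SAMPLE_HEADERS]))
```

To audit a live site, feed `audit_headers` the pairs from `http.client.HTTPResponse.getheaders()`; multiple Set-Cookie headers are kept separate rather than merged.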