HTTP Security Headers Analysis of Top One Million Websites
Abstract: We present research on the security of the most popular websites, ranked
according to Alexa's top one million list, based on an analysis of HTTP response headers.
For each of the domains included in the list, we made four different requests: an
HTTP/1.1 request to the domain itself and to its "www" subdomain, and two
equivalent HTTPS requests. Redirections were always followed. A detailed discussion
of the request process and its main outcomes is presented, including X.509 certificate
issues and a comparison of the results with equivalent HTTP/2 requests.
The body of each response was discarded, and the HTTP response header fields were
stored in a database. We analysed the prevalence of the most important response
headers related to web security. In particular, we took into account Strict-
Transport-Security, Content-Security-Policy, X-XSS-Protection, X-Frame-Options,
Set-Cookie (for session cookies) and X-Content-Type. We also reviewed the contents
of response headers that could potentially reveal unwanted information, such as
Server (and related headers), Date and Referrer-Policy.
This research offers an up-to-date survey of the current prevalence of web security policies
implemented through HTTP response headers and concludes that the most popular sites
tend to implement them noticeably more often than less popular ones. Equally, HTTPS
sites seem far more eager to implement those policies than HTTP-only websites.
A comparison with previous works shows that web security policies based on HTTP
response headers are continuously growing in adoption, but are still far from satisfactory
widespread adoption.
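The abstract describes the measurement method: four request variants per domain, headers kept and bodies discarded, and the prevalence of a fixed set of security headers counted across the collected responses. The following is an added example (not the authors' collection code) that reproduces the core of that methodology offline: it builds the four URL variants for a domain, audits a stored header list for the headers named in the abstract (using the full name X-Content-Type-Options), and computes prevalence over a set of responses. The sample responses are constructed for illustration, not data from the study, and treating a session cookie as protected only when it carries both Secure and HttpOnly is this example's own assumption.

```python
"""Header-prevalence audit in the style of the paper's methodology.

Added example, not the authors' code. SAMPLE_RESPONSES below are constructed
header lists, not measurements from the Alexa top one million.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# A stored response is the ordered list of (field-name, value) pairs; repeats
# (e.g. several Set-Cookie fields) are allowed, as in a real HTTP response.
Response = List[Tuple[str, str]]

# Headers whose presence is measured. Matching is case-insensitive, as HTTP
# field names are.
SECURITY_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-XSS-Protection",
    "X-Frame-Options",
    "X-Content-Type-Options",
]


def request_variants(domain: str) -> List[str]:
    """The four URLs fetched per domain: HTTP and HTTPS, apex host and 'www'."""
    hosts = [domain, "www." + domain]
    return [f"{scheme}://{host}/" for scheme in ("http", "https") for host in hosts]


def header_values(resp: Response, name: str) -> List[str]:
    """All values of a header field, matched case-insensitively."""
    return [v for k, v in resp if k.lower() == name.lower()]


def session_cookies_secure(resp: Response) -> Optional[bool]:
    """True if every session cookie carries Secure and HttpOnly, False if any
    does not, None if the response sets no session cookie at all.

    A session cookie is one without an Expires or Max-Age attribute (assumption
    used by this example for classifying Set-Cookie fields)."""
    session_cookie_attrs = []
    for value in header_values(resp, "Set-Cookie"):
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        persistent = any(a.startswith(("expires=", "max-age=")) for a in attrs)
        if not persistent:
            session_cookie_attrs.append(attrs)
    if not session_cookie_attrs:
        return None
    return all("secure" in a and "httponly" in a for a in session_cookie_attrs)


def audit(resp: Response) -> Dict[str, bool]:
    """Which measured policies a single response implements."""
    found = {name: bool(header_values(resp, name)) for name in SECURITY_HEADERS}
    found["Session-Cookie-Secure+HttpOnly"] = session_cookies_secure(resp) is True
    return found


def prevalence(responses: List[Response]) -> Dict[str, float]:
    """Percentage of responses implementing each policy, rounded to 0.1."""
    counts: Counter = Counter()
    for resp in responses:
        for name, present in audit(resp).items():
            counts[name] += int(present)
    n = len(responses)
    return {name: round(100.0 * counts[name] / n, 1) for name in counts} if n else {}


def server_products(responses: List[Response]) -> Counter:
    """Count disclosed server products (the token before any '/' in Server)."""
    products: Counter = Counter()
    for resp in responses:
        for value in header_values(resp, "Server"):
            products[value.split("/")[0].strip()] += 1
    return products


# Constructed sample responses (not real sites).
SAMPLE_RESPONSES: List[Response] = [
    [("Date", "Mon, 01 Jan 2018 00:00:00 GMT"), ("Server", "nginx/1.14.0"),
     ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
     ("Content-Security-Policy", "default-src 'self'"), ("X-Frame-Options", "DENY"),
     ("X-Content-Type-Options", "nosniff"),
     ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")],
    [("Server", "Apache"), ("Set-Cookie", "PHPSESSID=def456; path=/"),
     ("X-XSS-Protection", "1; mode=block")],
    [("Server", "cloudflare"), ("Set-Cookie", "pref=1; Max-Age=86400; Secure"),
     ("X-Frame-Options", "SAMEORIGIN"), ("X-Content-Type-Options", "nosniff")],
    [("Server", "Microsoft-IIS/8.5"), ("Strict-Transport-Security", "max-age=0")],
]

if __name__ == "__main__":
    for url in request_variants("example.com"):
        print(url)
    for name, pct in prevalence(SAMPLE_RESPONSES).items():
        print(f"{name:32s} {pct:5.1f}%")
    print(server_products(SAMPLE_RESPONSES))
```

Note that presence is counted exactly as the abstract describes it: a Strict-Transport-Security header with `max-age=0` still counts as present, so a prevalence figure is an upper bound on the number of sites where the policy is actually effective.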
Artūrs Lavrenovs
NATO CCD COE
Tallinn, Estonia
arturs.lavrenovs@ccdcoe.org
F. Jesús Rubio Melón
Spanish Joint Cyber Defence Command
Madrid, Spain
jrubio@isdefe.es
2018 10th International Conference on Cyber Conflict
CyCon X: Maximising Effects
T. Minárik, R. Jakschis, L. Lindström (Eds.)
2018 © NATO CCD COE Publications, Tallinn
Permission to make digital or hard copies of this publication for internal
use within NATO and for personal or educational use when for non-profit or
non-commercial purposes is granted providing that copies bear this notice
and a full citation on the first page. Any other reproduction or transmission
requires prior written permission by NATO CCD COE.