HTTP Secure Headers – How prevalent are these?


Recently Twitter added Public Key Pinning to their SecureHeaders Ruby Gem. There are 8 security headers now.

I wanted check the prevalence of these secure HTTP headers amongst the top websites to get a sense of the awareness around these very efficient mechanisms to address a plethora of security related issues.

For reference, CSP is documented here.

I checked most of the publicly available list of 2014 top 500 sites on the web from Fortune.com for this purpose and the stats for the 8 headers that SecureHeaders Ruby Gem covers is:

CSP HTTP Strict Transport Security (HSTS) X-Frame-Options (XFO) X-XSS-Protection X-Content-Type-Options X-Download-Options X-Permitted-Cross-Domain-Policies Public Key Pinning
2 5 81 12 26 0 1 0

This is not a comprehensive test (and possibly not error free) but these numbers do point towards a possible lack of adoption for these gradually improving (and easy to use) security enforcement mechanisms.

Part reason for this may be the touch unreliability in the way browsers enforce these checks (for example X-Download-Options is supported only on Internet Explorer) but considering that these do not break anything if used sensibly (like CSP and Public key pinning’s report on settings) can be used to gradually improve the security stance of most websites without much effort.

Note: Tristan Waldear has created a Python-Flask package for the same headers and is hosted here.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s