Recently Twitter added Public Key Pinning to their SecureHeaders Ruby Gem. There are 8 security headers now.
I wanted check the prevalence of these secure HTTP headers amongst the top websites to get a sense of the awareness around these very efficient mechanisms to address a plethora of security related issues.
For reference, CSP is documented here.
I checked most of the publicly available list of 2014 top 500 sites on the web from Fortune.com for this purpose and the stats for the 8 headers that SecureHeaders Ruby Gem covers is:
|CSP||HTTP Strict Transport Security (HSTS)||X-Frame-Options (XFO)||X-XSS-Protection||X-Content-Type-Options||X-Download-Options||X-Permitted-Cross-Domain-Policies||Public Key Pinning|
This is not a comprehensive test (and possibly not error free) but these numbers do point towards a possible lack of adoption for these gradually improving (and easy to use) security enforcement mechanisms.
Part reason for this may be the touch unreliability in the way browsers enforce these checks (for example X-Download-Options is supported only on Internet Explorer) but considering that these do not break anything if used sensibly (like CSP and Public key pinning’s report on settings) can be used to gradually improve the security stance of most websites without much effort.
Note: Tristan Waldear has created a Python-Flask package for the same headers and is hosted here.