Browser Security Headers

Lots of new HTTP headers have been proposed by various browser vendors and Internet companies, here we look at how popular and widely deployed those measures are. This information is periodically updated to see how the adoption changes over time.

Forgot Your Obfuscation?

Numerous websites obfuscate their "Server" or "X-Powered-By" headers, but some forget to also hide the information for mobile browsers. By requesting the website with different user agents, these inconsistencies can be detected and corrected.

Different user agent, different server

Based on the user agent, mobile devices can be sent to completely different servers for the same website and URL. For example, desktop clients for microsoft.com get sent to an instance of IIS 7.5 while mobile browsers are sent to an IIS 7.0 server.

In partnership with

Last updated on: 22 Sep, 2012

Celebrating 3 years of Shodan.

Top 10 Websites

facebook.com
google.com
youtube.com
yahoo.com
baidu.com
wikipedia.org
live.com
twitter.com
qq.com
amazon.com

« Browse all websites »

Top 10 Headers

Date
Server
Content-Type
Content-Length
Location
Connection
Set-Cookie
Cache-Control
Vary
X-Powered-By

« Browse all headers »