http://www.veracode.com/blog/2013/03/security-headers-on-the-top-1000000-websites-march-2013-report/ is a fairly interesting survey of the headers sent out by the top 1,000,000 sites. It's worth flipping through to see how things like 'Content-Security-Policy' and 'X-Frame-Options' are used in the wild.

A few things jump out at me:

1. 'Content-Security-Policy' has a long road ahead of it. ~100 of the top 1,000,000 sites are sending the header. I'd like to see that number increase, as I think CSP is useful. I think we'll be in better shape later this year when Firefox and Safari roll out support for the canonical header, because we'll be able to push a single header rather than two distinct prefixed headers. I'm happy to see that Facebook's rolled it out widely, however. That's huge.

2. A small number of sites send multiple 'X-Frame-Options' headers, which WebKit currently handles less than optimally (http://wkbug.com/113387). We should fix that.

3. We can do better at warning developers about invalid headers that aren't actually having any effect on the way browsers handle their sites. For example, the 'access-control-allow-origin' header accepts either '*' or a single host as its value. About 1% of sites that use the header apparently get it wrong. It'd be nice if we threw some console message noting the error (http://wkbug.com/113407).

I like this stuff. Data is excellent... I'm looking forward to digging through the details to see exactly how folks are actually using CSP. :)
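The three headers the post calls out lend themselves to a small linter: does the site send only a prefixed CSP header, does it send several X-Frame-Options headers with different values, and is its Access-Control-Allow-Origin value something a browser can actually match. The following is an added example, not code from the post or from the Veracode report. It assumes the header grammars as the author of this example understands them from the CSP, X-Frame-Options and CORS specs (Access-Control-Allow-Origin is '*', 'null', or exactly one serialized origin, compared byte-for-byte with the request's Origin; X-Frame-Options is DENY, SAMEORIGIN, or ALLOW-FROM, the last never implemented in WebKit/Chromium), the historical prefixed CSP header names X-Content-Security-Policy and X-WebKit-CSP, and a constructed header list for input.

```python
"""Linter for the three response headers the post discusses: CSP (canonical vs
prefixed names), X-Frame-Options (duplicates and bad values) and
Access-Control-Allow-Origin (bad values).  Added example, not code from the
post or from the Veracode report; the sample header list at the bottom is
constructed, and the header grammars are the ones the example's author knows
from the CSP, X-Frame-Options and CORS specs."""
from urllib.parse import urlsplit

# Pre-standard CSP header names (assumption from history: Firefox shipped the
# first, WebKit the second, before both moved to Content-Security-Policy).
PREFIXED_CSP = ("x-content-security-policy", "x-webkit-csp")


def is_valid_acao(value):
    """Access-Control-Allow-Origin allows exactly one of: '*', 'null', or a
    single serialized origin (scheme://host[:port], no path, no trailing
    slash).  Browsers compare it byte-for-byte with the request's Origin, so a
    list, a bare hostname or a trailing '/' silently fails the CORS check."""
    v = value.strip()
    if v in ("*", "null"):
        return True
    if any(ch in v for ch in ",; "):        # a list of origins is never valid
        return False
    parts = urlsplit(v)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.path == "" and parts.query == "" and parts.fragment == ""


def is_valid_xfo(value):
    """X-Frame-Options takes DENY, SAMEORIGIN, or ALLOW-FROM <uri>
    (case-insensitive).  ALLOW-FROM is accepted here but flagged by the
    linter, because WebKit/Chromium never implemented it."""
    v = value.strip().upper()
    return v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM ")


def lint_headers(headers):
    """headers: list of (name, value) pairs in the order the server sent them.
    Returns a list of (code, detail) findings; an empty list is a clean bill."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    findings = []

    # 1. CSP: a prefixed-only deployment reaches only the browsers that know
    # that prefix; a canonical header that disagrees with a prefixed one means
    # different browsers enforce different policies.
    canonical = by_name.get("content-security-policy", [])
    prefixed = {h: by_name[h] for h in PREFIXED_CSP if h in by_name}
    if prefixed and not canonical:
        findings.append(("csp-prefixed-only", ", ".join(sorted(prefixed))))
    for h, values in prefixed.items():
        if canonical and values != canonical:
            findings.append(("csp-policy-mismatch", h))

    # 2. X-Frame-Options: one header, one value.  Several headers with
    # different values are handled inconsistently across browsers, so report
    # them even when each value is individually valid.
    xfo = by_name.get("x-frame-options", [])
    if len({v.upper() for v in xfo}) > 1:
        findings.append(("xfo-conflicting-values", "; ".join(xfo)))
    for v in xfo:
        if not is_valid_xfo(v):
            findings.append(("xfo-invalid", v))
        elif v.upper().startswith("ALLOW-FROM"):
            findings.append(("xfo-allow-from-unsupported", v))

    # 3. Access-Control-Allow-Origin: a value the browser cannot match against
    # the request's Origin is equivalent to sending no header at all.
    acao = by_name.get("access-control-allow-origin", [])
    if len(acao) > 1:
        findings.append(("acao-multiple", "; ".join(acao)))
    for v in acao:
        if not is_valid_acao(v):
            findings.append(("acao-invalid", v))
        elif v == "null":
            findings.append(("acao-null",
                             "matches any opaque origin (sandboxed iframes, data: URLs)"))
    return findings


# Constructed sample response, not taken from any real site in the survey.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-WebKit-CSP", "default-src 'self'"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Frame-Options", "DENY"),
    ("Access-Control-Allow-Origin", "http://a.example, http://b.example"),
]

if __name__ == "__main__":
    for code, detail in lint_headers(SAMPLE_HEADERS):
        print("%-26s %s" % (code, detail))
```

Run against a live site's headers (for instance the output of `curl -sI`), the three finding families map directly onto points 1 to 3 of the post: a prefixed-only CSP, conflicting X-Frame-Options headers, and an Access-Control-Allow-Origin value that no browser will ever match. The ACAO rule is deliberately strict about trailing slashes and ports because the browser-side comparison is an exact match, not a "same host" test.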