
Neither Good nor Bad: A Large-Scale Empirical Analysis of HTTP Security Response Headers

HTTP response headers can be of great aid to web applications towards augmenting their overall security level. That is, if set at the server side, these headers define whether certain security countermeasures are in place for protecting end-users. By utilising the curated Tranco list, this work conducts a wide-scale internet measurement that provides timely answers to the following questions: (a) How is the adoption of these headers developing over time? (b) What is the penetration ratio of each key header in the community? (c) Are there any differences in the support of these headers between different major browsers and platforms? (d) Does the version of a browser (outdated vs. new) affect the support rate per key header? and (e) Is the status of a header (active vs. deprecated) reflected in its support rate by web servers? Setting aside the use of the more robust Tranco corpus, to our knowledge, with reference to literature, the contributions regarding the fourth and fifth questions are novel. Our analysis shows that the support of headers is somewhat related to the browser version; the penetration ratio of the top favourable headers fluctuates between approximately 11.8 and 15.5% across all platforms; interestingly, outdated browser versions may be better supported in terms of headers; and deprecated headers still enjoy wide implementation.
2021-10-07
SPRINGER-VERLAG BERLIN
JRC124749
1611-3349 (online), 0302-9743 (print)
https://link.springer.com/chapter/10.1007%2F978-3-030-86586-3_6, https://publications.jrc.ec.europa.eu/repository/handle/JRC124749
10.1007/978-3-030-86586-3_6 (online)
Items published in the JRC Publications Repository are protected by copyright, with all rights reserved, unless otherwise indicated. Additional information: https://ec.europa.eu/info/legal-notice_en#copyright-notice