Analyzing the Top 10,000 Websites' HTTP Headers  - fmavituna
http://www.shodanhq.com/research/infodisc/report

======
marcinw
Wow, 61% of websites that responded with an Access-Control-Allow-Origin header
had a value set to "*". This allows for the website to be accessed in a cross-
domain manner (think XSS, global wild cards in crossdomain.xml, etc).

I'm worried to think how site operators will adopt CSP (Content Security
Policy) once it starts to gain traction.

~~~
wvl
This article is extremely poorly written. If you look at the top graph, 0.05%
of the 10,000 websites make use of the header. Of those, 61% had a value set
to " * ". 0.05% of 10,000 is 5, so 3 websites had that header set to " * ". I
guess 3 is just not quite as scary as saying 61%.

------
CWIZO
It's down for me. Cached version:
[http://webcache.googleusercontent.com/search?q=cache:BVs3oHY...](http://webcache.googleusercontent.com/search?q=cache:BVs3oHYHqDcJ:www.shodanhq.com/research/infodisc/report+http://www.shodanhq.com/research/infodisc/report&cd=1&hl=en&ct=clnk)

------
Sukotto
What does "grabbing the _banners_ of those websites" mean?

What would I type into wget or curl to download the "banner" of a site?

~~~
fmavituna
It's referring to HTTP Headers in the response. I think -I switch in curl will
give you only response headers.

~~~
marcinw
-I is an HTTP HEAD request (which may return a different response code than a traditional GET). To print the headers in any kind of request, use lowercase -i.
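
An added example (not from the thread) of the difference marcinw describes: it starts a throwaway local HTTP server in a thread, then issues a HEAD (what `curl -I` sends) and a GET (what `curl -i` sends) against it and returns both status codes plus the GET response headers. The server is constructed so that HEAD gets a different status than GET, which is the case the comment warns about; the port, paths and header values are all assumptions for the demonstration.

```python
"""Added example (not the thread's code): HEAD vs GET against a local
throwaway server, showing that the two can return different status codes."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class BannerHandler(BaseHTTPRequestHandler):
    """Constructed server: GET answers 200 with a couple of security headers,
    HEAD is answered 405, mimicking an origin that treats the two differently."""

    def _send_headers(self, status):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Strict-Transport-Security", "max-age=31536000")
        self.send_header("X-Frame-Options", "SAMEORIGIN")
        self.end_headers()

    def do_GET(self):
        self._send_headers(200)
        self.wfile.write(b"<html>hello</html>")

    def do_HEAD(self):
        self._send_headers(405)  # constructed: HEAD deliberately differs from GET

    def log_message(self, *args):  # keep the example's output quiet
        pass


def start_server():
    """Bind to an ephemeral port on loopback and serve in a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), BannerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def grab_banner(port, method):
    """Return (status, headers) for one request; the 'banner' the thread talks
    about is just this status line and header block."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request(method, "/")
        resp = conn.getresponse()
        resp.read()  # drain any body so the connection closes cleanly
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def compare_head_and_get(port):
    """Issue both request types and report what each returned."""
    head_status, _ = grab_banner(port, "HEAD")
    get_status, get_headers = grab_banner(port, "GET")
    return {"HEAD": head_status, "GET": get_status, "headers": get_headers}


if __name__ == "__main__":
    srv = start_server()
    print(compare_head_and_get(srv.server_address[1]))
    srv.shutdown()
```

When the two status codes disagree, the GET headers are the ones the browser actually sees, so a header survey based on HEAD alone can misreport a site.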

------
ck2
Correct me if I am wrong but any of those extra headers except "Strict-Transport-Security" actually REDUCE security.

By default the browser will be in its more secure state and those headers actually drop the security to allow cross communication with (specific) other websites.

~~~
kijin
You may be right about X-XSS-Protection (with the IE8 bug) and Access-Control-Allow-Origin (when set to "*"), but I wouldn't say that X-Frame-Options reduces security. It has two possible values, SAMEORIGIN and DENY, both of which help prevent clickjacking attacks without allowing any additional cross-communication.

------
GoGlobal
Page is down...

~~~
sp332
Here's a cache <http://www.shodanhq.com.nyud.net/research/infodisc/report>

