Neither Good nor Bad: A Large-Scale Empirical Analysis of HTTP Security Response Headers

Trust, Privacy and Security in Digital Business (TrustBus 2021), 2021

Abstract
HTTP security-focused response headers can be of great aid to web applications in augmenting their overall security level. That is, if set at the server side, these headers define whether certain security countermeasures are in place for protecting end-users. By utilising the curated Tranco list, this work conducts a wide-scale internet measurement that provides timely answers to the following questions: (a) How is the adoption of these headers developing over time? (b) What is the penetration ratio of each key header in the community? (c) Are there any differences in the support of these headers between diverse major browsers and platforms? (d) Does the version of a browser (outdated vs. new) affect the support rate per key header? and (e) Is the status of a header (active vs. deprecated) reflected in its support rate by web servers? Setting aside the use of the more robust Tranco corpus, to our knowledge and with reference to the literature, the contributions regarding the third and fifth questions are novel, while for the rest an updated, up-to-the-minute view of the state of play is provided. Amongst others, the results reveal that the support of headers is somewhat related to the browser version, the penetration ratio of all headers is less than 17% across all platforms, outdated browser versions may be better supported in terms of headers, while deprecated headers still enjoy wide implementation.
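The per-header penetration ratio and the active-vs-deprecated comparison the abstract describes can be reproduced on a small scale from captured response headers. The script below is an added example, not the paper's measurement code; the header set, the active/deprecated labels and the four sample sites are assumptions constructed for illustration.

```python
from collections import Counter

# Added example, not the paper's code. The header set and active/deprecated
# labels are assumptions drawn from MDN, not the paper's own list.
HEADER_STATUS = {
    "strict-transport-security": "active",
    "content-security-policy": "active",
    "x-content-type-options": "active",
    "x-frame-options": "active",
    "referrer-policy": "active",
    "x-xss-protection": "deprecated",  # no longer honoured by modern Chromium
    "public-key-pins": "deprecated",   # HPKP support removed from browsers
}

def penetration_ratio(responses):
    """responses: one dict of response headers (name -> value) per site.
    Returns {header: fraction of sites that set it}. Matching is case-insensitive
    and counts presence only: a weak value such as 'max-age=0' still counts."""
    seen = Counter()
    for hdrs in responses:
        names = {name.lower() for name in hdrs}
        seen.update(h for h in HEADER_STATUS if h in names)
    n = len(responses)
    return {h: (seen[h] / n if n else 0.0) for h in HEADER_STATUS}

def ratio_by_status(ratios):
    """Mean penetration of active headers vs. deprecated headers."""
    out = {}
    for status in ("active", "deprecated"):
        group = [ratios[h] for h, s in HEADER_STATUS.items() if s == status]
        out[status] = sum(group) / len(group)
    return out

# Constructed sample of four sites' response headers (not real measurements).
SAMPLE = [
    {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY",
     "X-XSS-Protection": "1; mode=block"},
    {"Content-Security-Policy": "default-src 'self'",
     "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "0"},
    {"Server": "nginx"},  # no security headers at all
    {"strict-transport-security": "max-age=0", "Referrer-Policy": "no-referrer"},
]

if __name__ == "__main__":
    ratios = penetration_ratio(SAMPLE)
    for h, v in sorted(ratios.items(), key=lambda kv: -kv[1]):
        print(f"{h:26s} {HEADER_STATUS[h]:11s} {v:.0%}")
    print(ratio_by_status(ratios))
```

Presence is a coarse signal; a real survey would also validate each header's value, since a present but empty or zeroed header gives no protection.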
Keywords
HTTP, Response headers, Web application security, Internet measurement, Network security