“...I was surprised at how many of the security headers were incorrectly specified”

Interesting research project by Isaac Dawson: http://www.veracode.com/blog/2012/11/security-headers-report/ where he checked four kinds of security headers on the Alexa Top 1,000,000 sites: x-frame-options (clickjacking protection), access-control (who is allowed to make cross-origin requests), strict-transport-security (force HTTPS for all new connections) and content-security-policy (restrict where an application may load resources from; experimental in Firefox and Chrome, partial support in IE10).

He tested with Firefox 16 user agents, but I believe he said he was planning to do it again as Chrome.
Basically, many sites did one or more of the following:

  • mis-spelled the headers (sometimes browsers were forgiving anyway though)
  • used the wrong values associated with that header (sometimes browsers were forgiving by just always allowing everything, making the whole point moot)
  • set max-ages so low as to be pointless
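Those three failure modes (misspelled header names, unrecognised values, and a max-age too small to matter) are exactly what a defender can catch with a small response-header audit. The script below is an added example, not code from the post or from the Veracode report: it takes a dict of response headers, flags names that are close to but not exactly a known security header, validates x-frame-options / strict-transport-security / access-control-allow-origin / content-security-policy values, and reports an HSTS max-age below an assumed one-day floor. The sample header sets are constructed for the example, and the one-day threshold is an assumption, not a value from the report.

```python
import difflib
import re

# Canonical (lowercase) names of the headers the report looked at, plus the
# vendor-prefixed CSP names that Firefox and Chrome used at the time.
KNOWN_HEADERS = [
    "x-frame-options",
    "strict-transport-security",
    "access-control-allow-origin",
    "access-control-allow-credentials",
    "content-security-policy",
    "x-content-security-policy",
    "x-webkit-csp",
]

# Assumption (not from the report): an HSTS max-age under one day is
# treated as too short to give any real protection.
MIN_HSTS_MAX_AGE = 86400


def find_misspellings(headers):
    """Map each sent header name that is *almost* a known security header
    (e.g. 'X-Frame-Option') to the name it probably meant."""
    found = {}
    for name in headers:
        lname = name.lower()
        if lname in KNOWN_HEADERS:
            continue
        match = difflib.get_close_matches(lname, KNOWN_HEADERS, n=1, cutoff=0.85)
        if match:
            found[name] = match[0]
    return found


def check_x_frame_options(value):
    """DENY, SAMEORIGIN and ALLOW-FROM <uri> are the only recognised values;
    anything else is ignored by the browser, i.e. framing stays allowed."""
    v = value.strip().upper()
    if v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM "):
        return []
    return [f"x-frame-options value {value!r} is not recognised; framing is still allowed"]


def check_hsts(value):
    """max-age is mandatory; a tiny or zero max-age makes the header pointless."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    if not m:
        return ["strict-transport-security is missing the required max-age directive"]
    max_age = int(m.group(1))
    if max_age == 0:
        return ["strict-transport-security max-age=0 switches HSTS off"]
    if max_age < MIN_HSTS_MAX_AGE:
        return [f"strict-transport-security max-age={max_age} is below the {MIN_HSTS_MAX_AGE}s floor"]
    return []


def check_acao(origin_value, credentials_value):
    """A wildcard origin together with allow-credentials is rejected by browsers;
    a bare wildcard is only acceptable for genuinely public responses."""
    v = origin_value.strip()
    if v == "*" and (credentials_value or "").strip().lower() == "true":
        return ["access-control-allow-origin '*' combined with allow-credentials: true is rejected by browsers"]
    if v == "*":
        return ["access-control-allow-origin '*' lets any origin read this response"]
    return []


def check_csp(value):
    """Flag an empty policy or one with no default-src fallback."""
    directives = [d.strip() for d in value.split(";") if d.strip()]
    if not directives:
        return ["content-security-policy is empty"]
    names = {d.split()[0].lower() for d in directives}
    if "default-src" not in names:
        return ["content-security-policy has no default-src fallback directive"]
    return []


def audit(headers):
    """Run every check over a dict of response headers; return a list of findings."""
    findings = [f"header {sent!r} looks like a misspelling of {meant!r}"
                for sent, meant in find_misspellings(headers).items()]
    lower = {k.lower(): v for k, v in headers.items()}
    if "x-frame-options" in lower:
        findings += check_x_frame_options(lower["x-frame-options"])
    if "strict-transport-security" in lower:
        findings += check_hsts(lower["strict-transport-security"])
    if "access-control-allow-origin" in lower:
        findings += check_acao(lower["access-control-allow-origin"],
                               lower.get("access-control-allow-credentials"))
    csp = (lower.get("content-security-policy")
           or lower.get("x-content-security-policy")
           or lower.get("x-webkit-csp"))
    if csp is not None:
        findings += check_csp(csp)
    return findings


# Constructed sample header sets (not captured from any real site).
SAMPLE_GOOD = {
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
}
SAMPLE_BAD = {
    "X-Frame-Option": "SAMEORIGIN",          # misspelled name: never honoured
    "Strict-Transport-Security": "max-age=60",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Content-Security-Policy": "script-src 'self'",
}

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, audit(sample) or ["no findings"])
```

The name check uses a similarity cutoff rather than an exact list so that a single dropped or transposed letter is reported as "probably meant X" instead of silently passing as an unknown header, which is the failure mode the report describes.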

This was interesting, like looking at what weirdness sites put into their x-varnish headers :smiley: