Analyzing the Top 10,000 Websites' HTTP Headers

79 points by fmavituna, over 13 years ago

5 comments

marcinw, over 13 years ago
Wow, 61% of websites that responded with an Access-Control-Allow-Origin header had a value set to "*". This allows for the website to be accessed in a cross-domain manner (think XSS, global wild cards in crossdomain.xml, etc).

I'm worried to think how site operators will adopt CSP (Content Security Policy) once it starts to gain traction.
CWIZO, over 13 years ago
It's down for me. Cached version: http://webcache.googleusercontent.com/search?q=cache:BVs3oHYHqDcJ:www.shodanhq.com/research/infodisc/report+http://www.shodanhq.com/research/infodisc/report&cd=1&hl=en&ct=clnk
Sukotto, over 13 years ago
What does "grabbing the banners of those websites" mean?

What would I type into wget or curl to download the "banner" of a site?
ck2, over 13 years ago
Correct me if I am wrong but any of those extra headers except "Strict-Transport-Security" actually REDUCE security.

By default the browser will be in its more secure state and those headers actually drop the security to allow cross communication with (specific) other websites.
GoGlobal, over 13 years ago
Page is down...
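
An added example, not part of the thread or of the report: a small Python audit of one HTTP "banner", taken here to mean the status line and response headers (an assumption based on the report's title). It flags the wildcard Access-Control-Allow-Origin value mentioned in the comments and separates headers that relax the browser's default policy from ones that tighten it. The sample banners, the finding names and the header groupings are constructed for illustration.

```python
# Added example. To capture a banner yourself (example.com is a placeholder):
#   curl -s -D - -o /dev/null https://example.com/
RELAXING = {"access-control-allow-origin", "access-control-allow-credentials",
            "access-control-allow-methods", "access-control-allow-headers"}
TIGHTENING = {"strict-transport-security", "content-security-policy",
              "x-frame-options"}

# Constructed sample banners, not data from the report.
SAMPLE_OPEN = ("HTTP/1.1 200 OK\r\n"
               "Server: ExampleServer\r\n"
               "Access-Control-Allow-Origin: *\r\n"
               "Access-Control-Allow-Credentials: true\r\n"
               "\r\n<html>...</html>")
SAMPLE_STRICT = ("HTTP/1.1 200 OK\r\n"
                 "Strict-Transport-Security: max-age=31536000\r\n"
                 "X-Frame-Options: DENY\r\n\r\n")

def parse_banner(raw):
    """Return (status_line, {lowercased header name: [values]}) for a raw reply."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip():          # skip lines that are not "Name: value"
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers

def audit(raw, https=True):
    """Classify the headers of one banner and list policy findings."""
    status, headers = parse_banner(raw)
    findings = []
    if "*" in headers.get("access-control-allow-origin", []):
        findings.append("acao-wildcard")
        creds = headers.get("access-control-allow-credentials", [])
        # Browsers refuse credentialed responses when the origin is "*", so this
        # pair signals a misunderstood CORS setup worth reviewing.
        if any(v.lower() == "true" for v in creds):
            findings.append("acao-wildcard-with-credentials")
    if https and "strict-transport-security" not in headers:
        findings.append("no-hsts")
    return {"status": status,
            "relaxing": sorted(h for h in headers if h in RELAXING),
            "tightening": sorted(h for h in headers if h in TIGHTENING),
            "findings": findings}

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_STRICT):
        print(audit(sample))
```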