Analyzing the Top 10,000 Websites' HTTP Headers (shodanhq.com)
79 points by fmavituna on Sept 7, 2011 | hide | past | favorite | 10 comments



Wow, 61% of websites that responded with an Access-Control-Allow-Origin header had a value set to "*". This allows the website to be accessed in a cross-domain manner (think XSS, global wild cards in crossdomain.xml, etc).

I'm worried to think how site operators will adopt CSP (Content Security Policy) once it starts to gain traction.


This article is extremely poorly written. If you look at the top graph, 0.05% of the 10,000 websites make use of the header. Of those, 61% had a value set to " * ". 0.05% of 10,000 is 5, so 3 websites had that header set to " * ". I guess 3 is just not quite as scary as saying 61%.



What does "grabbing the banners of those websites" mean?

What would I type into wget or curl to download the "banner" of a site?


It's referring to HTTP Headers in the response. I think the -I switch in curl will give you only response headers.


-I is an HTTP HEAD request (which may return a different response code than a traditional GET). To print the headers in any kind of request, use lowercase -i.


Correct me if I am wrong but any of those extra headers except "Strict-Transport-Security" actually REDUCE security.

By default the browser will be in its more secure state and those headers actually drop the security to allow cross communication with (specific) other websites.


You may be right about X-XSS-Protection (with the IE8 bug) and Access-Control-Allow-Origin (when set to "*"), but I wouldn't say that X-Frame-Options reduces security. It has two possible values, SAMEORIGIN and DENY, both of which help prevent clickjacking attacks without allowing any additional cross-communication.
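As an added example (not from the thread or the linked article), here is a small Python audit that ties together the points raised above: it parses raw response headers of the kind `curl -i` prints, flags an Access-Control-Allow-Origin of "*", checks that X-Frame-Options carries one of the two values browsers honoured at the time (DENY or SAMEORIGIN; anything else is ignored, which is the same as not sending the header), notes a missing Strict-Transport-Security, and reports findings as an absolute count alongside the percentage, since "61%" of a handful of sites is a very different thing from 61% of 10,000. The three sample responses and the hostnames are constructed for the example.

```python
# Constructed sample responses (status line + headers), in the form
# `curl -i <url>` prints them. These are not real site data.
SAMPLE_RESPONSES = {
    "site-a": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Access-Control-Allow-Origin: *\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
        "\r\n"
    ),
    "site-b": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "\r\n"
    ),
    "site-c": (
        "HTTP/1.1 200 OK\r\n"
        "X-Frame-Options: ALLOWALL\r\n"  # constructed: not a value browsers recognise
        "Access-Control-Allow-Origin: https://partner.example\r\n"
        "\r\n"
    ),
}

# The only two X-Frame-Options values browsers honoured in 2011.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_headers(raw):
    """Split a raw HTTP response head into (status line, {name: value}).

    Header names are case-insensitive, so they are lower-cased; repeated
    headers are joined with ', ' as the HTTP grammar allows."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip anything that is not a header line
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def audit(headers):
    """Return a list of finding strings for one site's response headers."""
    findings = []
    if headers.get("access-control-allow-origin") == "*":
        findings.append("ACAO wildcard: any origin may read responses")
    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("no X-Frame-Options: page may be framed (clickjacking)")
    elif xfo.upper() not in VALID_XFO:
        # An unrecognised value is ignored by the browser, so it protects nothing.
        findings.append(f"X-Frame-Options '{xfo}' is not DENY/SAMEORIGIN; browsers ignore it")
    if "strict-transport-security" not in headers:
        findings.append("no HSTS: plaintext connections not upgraded")
    return findings


def audit_all(responses):
    """Audit every response in a {name: raw_response} mapping."""
    return {name: audit(parse_headers(raw)[1]) for name, raw in responses.items()}


def summarize(results, finding_prefix):
    """Count sites with a finding and return (count, percentage of all sites).

    Reporting both avoids the trap of quoting a percentage of a tiny subset."""
    hits = [n for n, f in results.items() if any(x.startswith(finding_prefix) for x in f)]
    pct = 100.0 * len(hits) / len(results) if results else 0.0
    return len(hits), pct


if __name__ == "__main__":
    results = audit_all(SAMPLE_RESPONSES)
    for site, findings in results.items():
        print(site, findings or "no findings")
    count, pct = summarize(results, "ACAO wildcard")
    print(f"ACAO wildcard: {count} site(s), {pct:.1f}% of {len(results)}")
```

To run it against a real site, replace a constructed entry with the text that `curl -i` (not `-I`, which sends HEAD and may get a different response) prints for that URL; the parser only needs the status line and the header block.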


Page is down...




