MantisBT 1.2.1 introduced anti-clickjacking features in the form of both X-Content-Security-Policy and X-Frame-Options HTTP headers. SHODAN is a search engine that lets you search HTTP server fingerprints obtained from internet-facing hosts. If we search for X-Frame-Options in SHODAN’s database, just over 7000 results are returned. Performing the same search for the X-Content-Security-Policy header returns just over 90 results. Interestingly, the great majority of search results for X-Content-Security-Policy are MantisBT installations. It therefore appears that other web applications (and websites) have yet to implement X-Content-Security-Policy in readiness for the stable release of Firefox 4.