
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Strict-Transport-Security
Content-Length
X-Content-Type-Options
Link
Last-Modified
Cf-Request-Id
CF-Cache-Status
ETag
X-XSS-Protection
Accept-Ranges
Expect-CT
CF-RAY
Pragma
X-Powered-By
X-Cache
Via
Age
Content-Security-Policy
Report-To
NEL
Alt-Svc
Referrer-Policy
Access-Control-Allow-Origin
Content-Language
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
X-Served-By
P3P
X-Xss-Protection
X-Download-Options
X-Request-Id
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Varnish
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-FRAME-OPTIONS
Access-Control-Allow-Credentials
X-AspNet-Version
Content-Security-Policy-Report-Only
P3p
X-Runtime
Accept-CH
X-DNS-Prefetch-Control
X-Cache-Status
Accept-CH-Lifetime
X-Drupal-Cache
CF-Ray
X-Check
X-Ua-Compatible
X-Generator
Server-Timing
X-Cacheable
X-Envoy-Upstream-Service-Time
Timing-Allow-Origin
X-Iinfo
X-Request-ID
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-Content-Security-Policy
Feature-Policy
Content-Encoding
X-CDN
Status
X-AspNetMvc-Version
Upgrade
Access-Control-Max-Age
X-Via
X-Amz-Request-Id
X-Amz-Id-2
Host-Header
Cf-Edge-Cache
Allow
X-Backend
Request-Context
Keep-Alive
X-UA-Device
X-Robots-Tag
X-Server
X-Cache-Group
X-Hacker
X-AH-Environment
X-Turbo-Charged-By
X-Ws-Request-Id
X-Proxy-Cache
X-Age
Xkey
X-Rq
X-Vhost
EagleId
X-Dispatcher
X-Server-Powered-By
X-Amz-Version-Id
X-Varnish-Cache
Grace
Cf-Apo-Via
X-Page-Speed
X-Pingback
X-Swift-CacheTime
X-Swift-SaveTime
Cf-Railgun
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Device
Ali-Swift-Global-Savetime
X-LiteSpeed-Cache
EagleEye-TraceId
X-Dns-Prefetch-Control
X-Aws-Lambda-Call-Status
X-CST
X-WebKit-CSP
X-OneAgent-JS-Injection
X-Backend-Server
Permissions-Policy
X-Readtime
X-Server-Id
X-Response-Time
X-Host
X-Akam-SW-Version
Request-Id
Surrogate-Control
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Litespeed-Cache
X-HW
X-Nginx-Upstream-Cache-Status
X-Cloud-Trace-Context
X-Cache-Lookup
X-Node
X-Nginx-Cache-Status
X-Application-Context
X-Country-Code
Content-Location
X-Trace
X-Country
X-Ruxit-JS-Agent
Service-Worker-Allowed
X-Url
X-Content-Type
X-Clacks-Overhead
X-Oneagent-Js-Injection
X-Origin-Cache-Key
Accept-Ch-Lifetime
X-Edge
X-Rack-Cache
Cross-Origin-Opener-Policy
Cache-Tag
X-Amz-Server-Side-Encryption
X-ECACHE
X-FTR-Request-ID
X-Midtier
X-Mcache
X-Mod-Pagespeed
X-MS-InvokeApp
Nginx-Cache
X-PC
X-TtlSet
X-Vname
X-ESI
X-Upstream
X-Powered-By-Plesk
Rating
Edge-Control
X-Server-Name
X-Browser-Type
X-D2id
Verso
X-Element-Page-Cache
X-Cnection
X-Times
X-Kinja-Build
X-Exp-Id
X-Kinja-Server
X-Exp-Variant
X-Cdn-Fetch
X-Kinja-Revision
X-Kinja
X-GoogleNews-Bot
SPRequestDuration
X-Ruxit-Js-Agent
X-Ac
SPIisLatency
AR-Request-ID
AR-ATIME
AR-SID
AR-PoweredBy
X-SharePointHealthScore
SPRequestGuid
X-Abt-Application-Version
X-Navigation-Version
X-Ser
X-Vcap-Request-Id
X-NWS-LOG-UUID
X-B3-TraceId
X-Dw-Request-Base-Id
X-GitHub-Request-Id
X-RateLimit-Remaining
X-NF-Request-ID
AR-CACHE
Pinterest-Generated-By
X-Pinterest-Rid
Pinterest-Version
X-Mg-S
X-VARITI-CCR
X-Server-ID
S
Display
X-Client-IP
X-Sol
X-Middleton-Display
Pagespeed
Edge-Cache-Tag
X-Cache-Key
RTSS
Fastly-Restarts
X-Amzn-Trace-Id
X-Amz-Rid
X-Cache-TTL
X-Powered-CMS
X-Ttl
Cache-Status
X-Server-Lifecycle-Phase
X-Kraken-Loop-Name
X-Instrumentation
X-Erf-Bev-Bev-Is-Generated
X-Erf-Bev-Bev
X-Goog-Hash
X-Edge-Location-Klb
X-Kinsta-Cache
X-Version
Access-Control-Request-Method
X-Erf-Stays-Pdp-Viaduct-Migration-Web-V2
X-Recruiting
X-ARC
X-Middleton-Response
Response
X-Content-Digest
X-TraceId
X-Varnish-TTL
Origin-Trial
X-Forwarded-For
Arr-Disable-Session-Affinity
X-T
X-MSEdge-Ref
X-SRCache-Store-Status
X-SRCache-Fetch-Status
Content-MD5
MicrosoftSharePointTeamServices
TP-Cache
X-Content-Security-Policy-Report-Only
X-Daa-Tunnel
X-Accel-Expires
X-Shield-Request-Id
Front-End-Https
X-Cached
Cross-Origin-Resource-Policy
X-Hits
Public-Key-Pins
X-Id
MS-Author-Via
X-FTR-Cache-Status
X-FTR-Backend-Server
X-FTR-Balancer
X-Country-Code-Real
X-FTR-Backend
X-FTR-Expires
X-HS-Hub-Id
X-Ua-Browser
X-HS-Content-Id
X-HS-Cache-Config
X-HS-Combine-CSS
Server-Node
X-DIS-Request-ID
X-Request-Processing-Time
X-Request-Received
X-Forwarded-Proto
Payment
X-Frontend
X-Webkit-Csp
X-FastCGI-Cache
X-LLID
X-HP-Trace-Id
X-HP-Webp
X-Jurisdiction
Realpath
X-Fastcgi-Cache
X-Protected-By
X-GUploader-UploadID
TP-L2-Cache
X-ORACLE-DMS-RID
Cache-Tags
X-Distributor
X-LB-Cache
X-Amzn-RequestId
X-Amz-Apigw-Id
X-Origin-Server
X-Ratelimit-Limit
X-TTL
X-Microsite
X-Request-Handler-Origin-Region
X-RateLimit-Limit
Referer-Policy
MRF-Tech
Mrf-Cache-Status
Count-Hit
X-Page-Id
X-B3-TraceId-Primal
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-Activity-Id
X-Az
X-AppVersion
X-Hostname
X-NGENIX-Cache
X-Debug-Info
X-Www-Served-By
X-Cluster-Name
X-Varnish-Backend
X-F-Cache
X-Geo-Country
Host
Accept-Charset
X-Varnish-Server
Fastcgi-Cache
X-Correlation-Id
X-Envoy-Decorator-Operation
X-App-Server
X-ORACLE-DMS-ECID
X-Ua-Device
X-PressLabs-Stats
X-XRDS-LOCATION
X-Varnish-Ttl
X-FB-Debug
X-Goog-Metageneration
Retry-After
Access-Control-Allow-Method
X-Git-Hash
X-CSRF-Token
X-Upgrade-Enabled
X-Ezoic-Cdn
X-Load-Cache
X-Webkit-CSP
X-Content-Options
X-Fastly-Request-Id
X-Seen-By
X-RateLimit-Reset
X-Px
Server-Name
X-Datadog-Trace-Id
X-Revision
X-Contextid
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
X-Tt-Trace-Host
X-Request-Guid
X-Tt-Trace-Tag
Section-Io-Cache
X-Trace-Id
TCN
X-Type
Charset
X-Amz-Meta-S3cmd-Attrs
X-Cache-Control
Cleartype
X-Oracle-Dms-Ecid
X-Grace
X-B3-Sampled
X-B
X-TT
DC
Paypal-Debug-Id
X-B-Cache
Healthy
X-Signature
X-Whom
X-TEC-API-ROOT
X-App-Environment
X-TEC-API-ORIGIN
X-Fb-Rlafr
X-TEC-API-VERSION
X-Wix-Request-Id
X-Node-Name
X-Rid
X-WebKit-CSP-Report-Only
X-Newrelic-App-Data
X-Origin-Cache
X-Kinja-CCPA
X-Mobile
Frame-Options
X-Magnolia-Registration
X-Amz-Replication-Status
Accept-Ch
X-Proxy
X-Azure-Ref
X-Oracle-Dms-Rid
X-Goog-Storage-Class
X-Goog-Stored-Content-Length
X-Goog-Generation
X-Goog-Stored-Content-Encoding
X-EdgeConnect-Cache-Status
X-Ratelimit-Remaining
X-Route-Name
X-Is-Crawler
X-Fastly-Request-ID
X-Providence-Cookie
X-Aspnet-Duration-Ms
X-Flags
X-Logged-In
X-N
Filterid
X-WP-CF-Super-Cache-Cache-Control
X-Language
X-WP-CF-Super-Cache
X-Air-Pt
Content-Disposition
Akamai-GRN
Backend
NGB
X-App-Version
X-Original-Request-Id
X-Response-Served-From
VIX-Pulpo-Upstream-Status
VIX-Pulpo-Node
X-Rendered-As
X-Template
Upgrade-Insecure-Requests
X-Cache-Age
X-Time
X-Is-Bot
X-Yottaa-Optimizations
X-Varnish-Grace
SD-X-WS
X-Debug-IsConnected
X-Yottaa-Metrics
X-RemovedCookies
Refresh
X-ProcessESI
Viewport
Ms-Operation-Id
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Liferay-Portal
X-RTag
X-Servername
X-Datadog-Sampled
X-Tumblr-Pixel-1
X-Tumblr-User
MS-CV
X-Debug-IsPreview
X-Proxy-Cache-Info
X-Unique-Id
X-UUID
X-FW-Dynamic
X-FW-Hash
X-Amzn-Remapped-Content-Length
X-FW-Server
X-Adobe-Content
X-IPS-LoggedIn
X-FW-Type
X-FW-Version
X-Adobe-Loc
X-Debug
X-FW-Static
X-Instance
X-FW-Serve
X-Region
X-Cacheable-TTL
X-Cache-Grace
X-NYM-Debug-Backend
X-L-Path
Fastly-SIE
Fastly-SWR
X-Environment-Context
X-G
X-User-Agent
X-Hl-Ver
X-Device-Type
X-B3-Traceid
From-Origin
X-Backend-Name
X-Status
Country
X-Rule
X-Cache-Hit
Url
ServerID
X-CCDN-Origin-Time
X-CCDN-CacheTTL
X-Jobs
X-Hcs-Proxy-Type
X-Via-JSL
X-INCAP-ABP
X-VC-Cache
X-B3-SpanId
X-Origin-CC
X-Origin-TTL
Countrycode
WPO-Cache-Status
WPO-Cache-Message
X-Tec-Api-Root
X-Tec-Api-Origin
X-Tec-Api-Version
X-Page-View
Alternate-Protocol
X-Air-Hostname
X-Air-Trace-Id
X-HTML-Minification-Powered-By
X-Cache-Status-Check
Version
X-Air-Source
X-NODE
Surrogate-Key
X-Source
X-Akamai-Request-ID2
X-Hosted-By
X-Content-Powered-By
X-Nginx-Cache
GEO-INFO
Protected
X-WP-CF-Super-Cache-Active
CDN-RequestId
Amp-Access-Control-Allow-Source-Origin
X-Storage
X-Rocket-Nginx-Serving-Static
SRV
X-Akamai-Edgescape
X-Accel-Version
OT-Force-Account-Verify
Access-Control-Request-Headers
X-VC
X-CDN-Forward
X-Http-Reason
X-Real-IP
X-Framework
X-Edge-Location
CF-IPCountry
AMP-Access-Control-Allow-Source-Origin
X-Mode
Front
X-Cache-Rule
X-ServerID
X-Use-Mantle
X-UPSTREAM-Address
X-Upstream-Ct
X-Xfnlog-Site
X-Upstream-Ht
X-Cache-Time
Webserver
Accept-Language
Filters
X-Cache-Operation
X-Rewrite-Enabled
X-Rn-Rsrv
Meta-Geo
X-Cache-Debug
X-Detected-As
X-Director
X-LJ-Flow-ID
X-AWS-Id
ServedBy
Cross-Origin-Embedder-Policy
Mn-Server-Ip
Selected-Fe
X-Origin
X-Proxy-Build
X-Tumblr-Pixel-3
X-Varnish-Cache-Hits
X-VWS-Id
X-Tumblr-Pixel-2
X-Timing-Wait
X-SaId
X-Served-From
X-Soup
Xet-Cookie
X-JoinUs
X-Httpd
X-BYPASS-REASON
X-Adobe-Source
Webcakes-Region
X-Cluster
X-Cms-Context
X-Format
X-Extlb
X-Endurance-Cache-Level
Webcakes-App-Version
Web-Mar-Node
TWC-Device-Class
TWC-Connection-Speed
Property-Id
TWC-GeoIP-Country
TWC-GeoIP-LatLong
X-Handled-By
TWC-Privacy
TWC-Locale-Group
Webcakes-App-Name
X-Lambda-Id
X-SayCDN-TTL
X-Say-TTL
X-Say-Cacheable
X-Web-Node
X-Worker
Section-Io-Id
Xserver
X-Zipkin-Id
X-Routing-Service
X-Restarts
X-Origin-Hint
X-Logging-Id
Node
X-PHP-Host
X-Proxied
X-Redis-Cache
X-ProxyCache-Status
X-ProxyCache-Key
X-Labrador-Cache-Channel
X-No-Session
Apigw-Requestid
X-Is-Mobile
X-Is-Supported-Browser
X-Is-Tablet
X-Locale
X-IPLB-Request-ID
X-IPLB-Instance
X-Browser-Name
X-Geo-Region
X-GeoCode
X-GeoCountry
X-Loop
X-RCS-CacheZone
X-Tncms
X-Tcp-Rtt
X-Varnish-Age
X-Varnish-Beresp-Grace
X-VCT
X-Skip-Cache
X-Site-Version
X-RM-Cache-TTL
X-S
Azure-RegionName
X-Server-W
X-AB
X-Is-Desktop
Azure-SlotName
Azure-Version
Azure-InstanceId
Azure-SiteName
DB-Nickname
X-R9-Blue-Green-Version
X-Cache-Server
X-Forwarded-Host
X-Container-Uri
X-Vercel-Id
X-Generation-Time
X-DynaTrace
X-Git-Commit
X-Cache-Host
X-Reqid
X-Platform-Cluster
X-Drupal-Cache-Tags
X-Vercel-Cache
X-Fetched-On
X-Platform-Processor
X-Platform-Router
X-Tb
X-Frame-Option
X-Uri
X-Drupal-Cache-Contexts
X-Provided-By
X-Ms-Request-Id
X-Ms-Version
X-Webstats-RespID
X-Vcache
X-TT-LOGID
X-MP-GENERATED-AT
CDN-RequestPullCode
CDN-RequestPullSuccess
CDN-RequestCountryCode
CDN-CachedAt
X-Shopify-Stage
X-Storefront-Renderer-Rendered
CDN-Cache
CDN-Uid
CDN-PullZone
CDN-EdgeStorageId
X-Alternate-Cache-Key
X-Origin-Date
X-XRDS-Location
Cache-Tv-Group
WP-Super-Cache
Source
X-Sorting-Hat-ShopId
X-Sorting-Hat-PodId
X-Sucuri-Cache
Fastcgi-Useragent
X-ShardId
X-ShopId
X-Sql-Duration-Ms
X-Sql-Count
X-Sucuri-ID
Priority
X-FB-TRIP-ID
Content-Secure-Policy
X-Cdn-Origin
Cross-Origin-Embedder-Policy-Report-Only
X-Vcl-Version
X-Generated-By
X-Xrds-Location
Onion-Location
Sid
X-Urbn-Site-Id
X-Urbn-Context-Path
Locale
X-Pass-Why
X-Content-Age
X-Newrelic-Synthetics
Atl-Traceid
X-Buckets
WZWS-RAY
X-SRV
TDXMobile
X-CMSURLCustom
Thinkindot-Control
X-Scope-Id
X-Thinkindot-L3
X-Shield-Cache-Expires
X-Cluster-Node
HostName
S-Rt
Thinkindot-CacheControl
Thinkindot-CacheControl-Type
X-Proxy-Cache-Status
Cache
X-LSADC-Cache
X-DataDome
Cross-Origin-Window-Policy
X-Varnish-Beresp-Ttl
X-Cache-Action
X-Cache-Expired-At
X-WP-CF-Super-Cache-Cookies-Bypass
X-Via-SSL
X-GEO
X-Ua
Edge-Copy-Time
X-Via-Edge
X-Via-CDN
X-Optimistic-Header
X-Connection-Hash
Expiry
User-Cache-Control
MD5-Digest
Lang
Gannett-Cam-Experience-Id
Apple-News-Services-Parsed-Url
Apple-News-Services-Host
Apple-News-Services-Handled
A
Apple-News-Services-Request-Url
Candidate-Md5Url
DCR-Processing-Time-Ms
DCR-Decision-By
CDCHOST
L
X-Varnish-Hostname
X-Section
X-Bc-Bl
Surrogated-Key
X-ScT
X-Application
X-B-Cookie
X-BCube-Filmed-By
X-Bl-Debug
Sslversion
X-Conf
X-Cache-NE
X-SRCache-Key
X-Cache-Bucket
X-Aed
X-Access
T-Server
X-S-Cookie
Type
Vix-Hermes-Req-Id
X-A
X-Rojux
X-SB
X-Scheme
X-A-Dgt
X-A-Wwc
X-A-Dcw
X-A-Dam
X-A-Ccd
Sever-Int
X-D
X-Vtex-Remote-Cache
X-Instance-Name
Origin-Agent-Cluster
Rendered-Blocks
Server-Ext
Req-ID
X-Op-Id-All
X-PAYTM-SRV-ID
Ngx-Var-Key
X-Request-Start
X-Platform
Ngx.Var.Host
Origin
X-Viewer-Country
X-Vdms-Version
X-Dispatcher-Server
X-Ec-Custom-Error
X-Developer
X-TIM-N
X-Destination
X-Ec-Fail
Server-Hostname
X-External-Request-Id
X-Vdms-Path
X-Epic-Correlation-Id
X-Ec-GeoHdr
Server-Host
Meta-Geo-Continent
Redirect-Candidate
X-VCache
Fastly-Drupal-HTML
X-Correlation-ID
X-Datadome
X-TimeS
Ssr
X-NMSegId
X-Node-Id
X-Nyt-Route
V-Age
X-NCache
X-Moov-Xdn-Version
X-Moov-T
Wxu-Next-Region
Wxu-Next-Hostname
X-Origin-Time
Wxu-Next-Commit
X-Nginx-Cache-Key
X-Pubstack
X-Rocket-Build-Number
X-Request-URI
X-SD-PageType
X-Sigma
X-Sigma-Backend
NM-Fastcgi-Cache
X-Request-Time
X-Mly-Id
X-Proxied-Request
Release
Pramga
X-Req
X-Pool
X-Acquia-Purge-Cdn-Unconfigured
X-Clientip
X-Gen-Mode
X-Generated-On
X-GeoIP-Country-Code
X-Cache-TTL-Remaining
X-GeoIP-Region-Code
X-Core-Value
X-Gdpr
X-Dc
X-Esi-Check
X-Fastly-Cache
X-Debug-Cache-Store
X-Forwarded-Site
X-Debug-Cache-Fetch
X-Gzip
X-Cache-Info
X-TA-CDN-Provider
X-B3-Trace-ID
X-Auto-Login
X-Level-Front-Cache
X-Loc
X-Amz-Meta-Cb-Modifiedtime
X-BBC-Edge-Cache-Status
X-Human
X-Hnp-Log
X-Cache-Id
X-Branch-Name
X-Block-Status
X-Bip
Host-ID
Req-Svc-Chain
Cluster
X-Varnish-Beresp-Status
X-Varnish-Director
Content-Script-Type
Content-Style-Type
DSUID
X-UA-Device-Type
X-VG-TLSProxy
X-VG-WebCache
X-We-Are-Hiring
X-Zen-Fury
Magicmarker
X-WA-Info
X-VServer
Cache-Provider
C-Via
Environment
X-Varnishpool
Fastly-GeoIP-CountryCode
X-TH-Server
X-Thanos
Fastly-SSL
X-Service
X-Mg-Request-UUID
X-Origin-Response-Time
X-Irp-Debug
X-ApacheServer
X-SVT-ORM-RULES
X-Aicache-OS
X-HS-Content-Campaign-Id
Adler-Geo
X-Ad-Load-Variation
Canary
X-Mvc-Supplant-Cachable
X-Mvc-Supplant-OutputCached
X-SVT-ORM-VERSION
Mail-Subject
Machine
Cdncip
Esi-Enabled
X-Micro-Cache
Locid
X-Cache-Date
X-From
Yak-Timeinfo
X-Contensis-Viewer-Groups
X-Fmm-Version
X-FC-Vary-Parameters
X-ND-Cache
X-DPWN-IS-SECURE
X-Device-Os
X-Geo-Header
X-Cdn-Srv
Is-Eu
Gh-Request-Id
X-Cache-Aspx
X-GoCache-CacheStatus
X-AK-Request-ID
X-GeoIP
X-GeoIP-City
Cdnsip
X-Men
X-Region-Sid
X-Policy
Country-Code
Tube-Got-Eval
On-Server
X-RateLimit-Limit-Second
Tube-Get-Contents
True-Client-Country-4JS
X-Var-Ttl
X-RateLimit-Remaining-Second
X-Varnish-Authentication
X-Org
X-Old-Content-Length
X-V-Cache
X-PERF
Producers
RNT-Machine
Tube-Got-Results
X-Request-Host
W
Web-Mar-Region
We-Hiring
Click-Count-Action-Start
RNT-Time
Click-Count-Error
Tube-Return
Uber-Trace-Id
X-Server-IP
Platform
X-Azure-Ref-OriginShield
X-Use-Magma
X-CGP
X-Edge-Server
Proxy-Firewall
X-HN
X-Fastly-Backend
X-Up
X-Amz-Storage-Class
X-Eu-Site
PFcat
X-Csrf-Jwt
Ha-Gx-Prefs
X-App-Name
X-Slack-Shared-Secret-Outcome
X-Sn-Servicetimems
X-Slack-Backend
Cache-Key
Cdn-Request-Time
X-Test
Cf-Device-Type
X-Wikidot-Backend
X-Wikidot-Static-Cache
HA-Ipaddr
L5d-Success-Class
X-Proto
X-Hash
Cdn-Host
AKAMAI
X-DC
X-Ratelimit-Reset
X-VarnishDD-TTL
X-Parent-Response-Time
Pics-Label
X-Backend-Instance
X-LB-ID
X-CacheTTL
X-Accel-Expires-Debug
X-Date
Fastly-Backend-Name
NGX
X-Ah-Environment
X-ZONE
X-Owner
X-HA-Backend
X-Via-Popv
X-Tx-Id
X-Core-Mission
X-Via-Poph
X-SIPLIST1
IsBot
X-Via-Popn
X-COUNTRY
XM
LB
X-Varnish-Hits
Cdn
X-DynaTrace-JS-Agent
X-API-Version
X-Origin-Expires
X-Cache-Backend
X-CACHE-GROUP
X-Servedbyhost
X-Srv
X-Refresh
X-Nf-Request-Id
X-Qloud-Router
NtCoent-Length
X-Tb-Optimization-Total-Bytes-Saved
X-LB-NoCache
X-VHOST
X-Lagoon
Datacenter
X-UA
X-CF-Lambda-Version
RATING
N-Cache
Expect-Staple
X-CF-Lambda-Fn
X-NGINX-Cache
Cdn-Requestid
X-Wa
X-Tenant
X-Orig-Expires
X-Cache-Type
X-CDN-Cache-Status
Server-ID
Xc-Version
GeoIp-Country-Code
X-ECache
X-Shop-Environment
X-Forwarded-Path
X-Nc
X-RID
SID
X-Gamma-Serve
Cross-Origin-Opener-Policy-Report-Only
X-Nananana
CloudFront-Viewer-Country
Cmsid
Cmstype
X-Fpc
X-Via-Fastly
X-Zone
CPC-Age
CPC-Cache
X-TX-ID
Cache-Hits
X-Hit
GeoIP-Latitude
X-Vmg-Version
DataCenter
Resin-Trace
X-B3-Parentspanid
X-Cdn-Diag
Uri
X-Tt-Logid
User-Agent
X-Proxy-CacheRZ
XkeyRZ
X-Location
X-Ig-Origin-Region
X-Akamai-Transformed
X-Client-Ip
X-Presslabs-Stats
Fusion-Template-Id
X-LAGOON
Fusion-Source
Fusion-Content-Source
Fusion-Content-Id
X-URL
Fusion-Deployment-Id
Fusion-Component-Id
X-Cloudmap
X-Info
X-Fastly-Country-Code
Powered-By
CacheControlHeader
X-Amz-Meta-Opti
X-Datacenter
X-Variation
True-Client-Ip
X-TIME
X-CS
Tcn
Origin-EX
Origin-CC
X-B3-Spanid
X-CUA
Mime-Version
MIME-Version
X-Jungle-Id
X-DataCenter
X-HostName
X-NWS-UUID-VERIFY
X-NewRelic-App-Data
X-IAuth-Set-Uid
True-Client-IP
Fastly-Drupal-Html
X-User
X-CACHE-AGE
X-Cached-By
X-Geo
X-Dynatrace-Js-Agent
X-AIR-PT
X-Api-Version
Load-Balancing
X-Segment-20210421
VNS-Cache
VNS-Age
Lb
Srv
Cf-Ipcountry
X-Cdn-Forward
Debug
X-HOST
X-LiteSpeed-Tag
X-Render-Time
X-Vc
X-Varnish-Beresp-TTL
X-LiteSpeed-Cache-Control
CDN
X-Powered-By-VTEX-Cache
X-VTEX-Cache-Server
X-VTEX-Cache-Time
X-Webkit-Csp-Report-Only
Edge-Cache
X-Auth-Group-Type
Hostname
X-Dispatcher-Number
X-Wormhole-Sdk
X-CSRF-TOKEN
Cl-Cache
Ohc-File-Size
Cache-Name
X-FPC
GeoIP-Country-Code
X-MCACHE
X-Dispatch
Ohc-Cache-HIT
X-NC
X-Cdn-Cache-Status
Server-Id
X-Esi
X-Ig-Push-State
X-WA
X-Litespeed-Tag
X-Oracle-DMS-ECID
X-Mid
X-Cs
Odigeo-Trace-Id
X-Lb-Nocache
X-NodeID
X-VCL-Version
X-Vgn-Hpd-Reason
X-ServedByHost
X-Custom-Header
X-Cache-Ttl
X-APP-VERSION
CountryCode
BehaviorPad-Version
X-MSEdge-Flight
X-PHP-Backend
X-Fastly-Backend-Reqs
X-Depends
X-MSEdge-Features
Ms-Author-Via
X-Litespeed-Cache-Control
X-Pad
X-Cdn-Request-ID
X-DefElseHash
X-DefHash
Xkeylog
X-Varnish-CookieHashed-On
X-Varnish-CookieINHashed-On
X-Cache-Enabled
X-Varnish-Remaining-TTL
X-Via-PopV
X-Via-PopN
X-Lb-Id
X-Proxy-Cache-La3
Xkey-La3
X-Akamai-Pragma-Client-IP
X-Ha-Backend
X-Via-PopH
X-MiniProfiler-Ids
X-Acquia-Site
X-VC-TTL
X-M-Reqid
PICS-Label
X-Acquia-Purge-Tags
X-M-Log
YJS-ID
OriginIP
X-IN-APIGATEWAY
Server-Info
Location
Ngx
FSS-Cache
X-Snapshot-Date
X-Acquia-Application-UUID
Srvid
X-IN-APIGATEWAYSSL
X-FL-QIT-DEBUG
Memcached
Memory
Time
X-Acquia-Application-Trace
X-FL-EDGE
X-Sorting-Hat-Shopid
X-Sorting-Hat-Podid
X-Shardid
X-Cache-Version
X-Shopid
My-App
CF-Ctrl
Warning
X-Internal-Host
X-Wp-Cf-Super-Cache-Cookies-Bypass
X-Serial
X-Check-Cacheable
X-Mg-Cache
X-Service-Response-Time
X-Dw-Trace-Id
X-Web-Server
Sm-Log-Id
X-Udemy-Cache-App-Namespace
X-Sucuri-Id
CF-Cached-On
X-Th-Server
Geoip-Latitude
Akamai-Cache-Status
X-RequestId
X-Lsadc-Cache