
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Pragma
Link
X-Powered-By
ETag
Expect-CT
X-XSS-Protection
CF-RAY
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-UA-Compatible
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
P3P
X-Cache-Hits
X-Xss-Protection
Alt-Svc
X-Served-By
CF-Ray
X-Timer
X-Download-Options
X-Varnish
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-Check
X-Adblock-Key
X-Request-ID
X-Permitted-Cross-Domain-Policies
X-Cache-Status
X-Generator
X-Cacheable
X-Kinja-Server-Push
Timing-Allow-Origin
X-DNS-Prefetch-Control
X-Iinfo
P3p
X-Content-Security-Policy
Status
X-AspNetMvc-Version
Content-Encoding
X-CDN
Upgrade
X-Envoy-Upstream-Service-Time
X-Drupal-Dynamic-Cache
Access-Control-Max-Age
Access-Control-Expose-Headers
Keep-Alive
X-Via
X-Ws-Request-Id
Feature-Policy
X-Age
X-Template
X-Dns-Prefetch-Control
X-Language
X-Backend
X-Cache-Group
X-Hacker
X-Amz-Request-Id
X-Server
X-Robots-Tag
X-Amz-Id-2
X-AH-Environment
X-UA-Device
EagleId
X-Proxy-Cache
Request-Context
X-Turbo-Charged-By
X-Server-Powered-By
X-Nginx-Cache-Status
Server-Timing
Grace
Host-Header
Report-To
Xkey
X-Page-Speed
X-Rq
X-OneAgent-JS-Injection
X-Varnish-Cache
X-Buckets
X-Pingback
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
Cf-Railgun
X-LiteSpeed-Cache
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Amz-Version-Id
X-Vhost
X-Host
X-WebKit-CSP
X-Backend-Server
NEL
X-Dispatcher
X-Device
X-Server-Id
X-Node
Surrogate-Control
X-Ruxit-JS-Agent
Request-Id
Content-Location
X-Response-Time
Accept-CH-Lifetime
X-Cache-Lookup
X-Akam-SW-Version
X-Origin-Cache
EagleEye-TraceId
Accept-CH
X-Ac
Cf-Bgj
X-ASPNET-VERSION
X-Readtime
X-HW
Rating
X-Mod-Pagespeed
Allow
X-Country
X-Cloud-Trace-Context
X-Application-Context
X-ORACLE-DMS-RID
X-ORACLE-DMS-ECID
Edge-Control
Pinterest-Generated-By
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-DataDome
X-Country-Code
X-PC
X-Vname
X-TtlSet
X-Cnection
X-Varnish-TTL
X-MS-InvokeApp
X-Origin-Upstream-Status
X-Content-Type
X-GitHub-Request-Id
X-Url
X-D2id
X-Clacks-Overhead
Fusion-Source
Fusion-Component-Id
Fusion-Content-Id
Fusion-Content-Source
Fusion-Template-Id
Fusion-Deployment-Id
X-Trace
Response
X-Middleton-Response
X-Sol
Display
Pagespeed
X-Middleton-Display
Pinterest-Version
X-Pinterest-Rid
X-Abt-Application-Version
X-Vcap-Request-Id
X-Server-Name
X-Webkit-CSP
X-Px
X-B3-TraceId
X-CST
X-Rack-Cache
X-Navigation-Version
MS-Author-Via
Verso
Service-Worker-Allowed
X-DynaTrace
X-FTR-Request-ID
X-Cached
X-FastCGI-Cache
X-Fastly-Request-ID
X-ESI
X-Client-IP
X-Element-Page-Cache
Arr-Disable-Session-Affinity
X-TTL
X-Cache-TTL
X-Dw-Request-Base-Id
X-Powered-By-Plesk
SPRequestGuid
X-SharePointHealthScore
X-Upstream
X-VARITI-CCR
X-Kinja
X-Cdn-Fetch
X-Exp-Id
X-GoogleNews-Bot
X-Kinja-Build
AR-CACHE
AR-Request-ID
Fastly-Restarts
AR-PoweredBy
AR-ATIME
X-Kinja-Server
X-Use-Magma
X-Kinja-Revision
X-Exp-Variant
Ar-Sid
Content-MD5
X-NF-Request-ID
X-Debug
X-Goog-Hash
X-Version
X-Forwarded-Proto
X-MSEdge-Ref
X-T
Access-Control-Request-Method
X-Powered-CMS
X-XRDS-Location
X-Jurisdiction
SPIisLatency
SPRequestDuration
X-Release
X-Pinterest-Direct
X-Amz-Rid
S
X-Edge
X-Content-Digest
Accept-Ch
TP-L2-Cache
TP-Cache
TCN
RTSS
Cache-Tag
X-Ttl
Public-Key-Pins
X-Ezoic-Cdn
X-Litespeed-Cache
X-Node-Name
X-Cache-Key
X-MCACHE
Fastcgi-Cache
X-Mid
X-Yandex-Sdch-Disable
X-Request-Received
X-Request-Processing-Time
Front-End-Https
Server-Node
X-NWS-LOG-UUID
X-Accel-Expires
X-Amzn-Trace-Id
X-PressLabs-Stats
X-Recruiting
X-Ser
X-Kinsta-Cache
X-B3-TraceId-Primal
MRF-Tech
Mrf-Cache-Status
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Microsite
X-Request-Handler-Origin-Region
X-Mg-S
X-Amz-Server-Side-Encryption
X-Logged-In
X-Grace
ServerID
X-Origin-Server
X-Ratelimit-Remaining
Accept-Charset
X-Cache-Hit
X-Page-Id
X-HP-Webp
X-Varnish-Age
Host
X-DIS-Request-ID
X-ECACHE
X-Content-Security-Policy-Report-Only
Nginx-Cache
X-B
X-Shield-Request-Id
Edge-Cache-Tag
X-Mobile-URL
X-Hostname
MicrosoftSharePointTeamServices
Alternate-Protocol
X-Server-ID
X-Hits
Realpath
X-Ratelimit-Limit
X-F-Cache
X-Content-Options
X-LB-Cache
X-Az
X-Activity-Id
X-AppVersion
X-Git-Hash
X-FTR-Balancer
X-FTR-Cache-Status
X-FTR-Backend-Server
X-FTR-Backend
X-Country-Code-Real
X-FTR-DC
X-FTR-Realm
Cache-Tags
X-N
X-FTR-Expires
X-Load-Cache
X-Seen-By
X-Type
X-Request-Guid
X-Cache-Age
X-Jobs
DynaTrace
Accept-Ch-Lifetime
X-Correlation-ID
X-App-Environment
X-Cached-By
X-Varnish-Backend
X-Rid
Paypal-Debug-Id
Cleartype
X-FireWall-Port
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
Powered-By-ChinaCache
Fastcgi-Useragent
X-Forwarded-For
X-Upgrade-Enabled
Filterid
X-TEC-API-VERSION
X-TEC-API-ROOT
X-TEC-API-ORIGIN
Access-Control-Allow-Method
X-Proxy
X-Amz-Meta-S3cmd-Attrs
X-Respond-Thread
X-Zen-Fury
X-Varnish-Grace
X-WebKit-CSP-Report-Only
X-FB-Debug
X-Akamai-Edgescape
X-Daa-Tunnel
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
X-Goog-Metageneration
X-Goog-Generation
X-Goog-Stored-Content-Length
X-GUploader-UploadID
X-HS-Hub-Id
X-HS-Content-Id
X-HS-Cache-Config
X-B3-Sampled
X-HS-Combine-CSS
X-App-Server
DC
X-IPLB-Instance
X-Host-Name
X-Id
X-B-Cache
X-Cache-Rule
X-AOL-HN
X-Signature
X-Cache-Operation
X-Debug-Info
X-Geo-Country
Healthy
X-User-Agent
X-Region
X-Whom
MS-CV
X-Mobile
X-Accel-Buffering
X-Response-Served-From
X-Original-Request-Id
Charset
X-Frontend
X-Content-Powered-By
AMP-Access-Control-Allow-Source-Origin
X-VCache
Payment
X-HTML-Minification-Powered-By
Content-Disposition
Filters
X-Cacheable-TTL
X-Distributor
X-UUID
X-FW-Serve
X-Instance
X-FW-Dynamic
X-FW-Hash
X-FW-Type
X-FW-Static
X-Rule
X-FW-Server
X-Cache-Time
X-Wix-Request-Id
X-Tumblr-User
Liferay-Portal
X-Tumblr-Pixel-2
X-Tumblr-Pixel-1
X-Tumblr-Pixel
Surrogate-Key
X-Tumblr-Pixel-0
X-Protected-By
X-Is-Bot
X-Rendered-As
Refresh
X-Acc-Debug-Context
Akamai-Age-Ms
Viewport
X-Via-JSL
S-Cnection
X-Endurance-Cache-Level
X-Ua
X-Amz-Apigw-Id
X-Amzn-RequestId
Datacenter
X-App-Version
X-Amz-Replication-Status
X-Backend-Name
X-Cache-Expired-At
PB-RID
PB-PID
Arc-Version
Nel
GEO-INFO
X-Esi
X-XRDS-LOCATION
X-Hyper-Cache
X-URL
Section-Io-Cache
NGB
X-Cache-Server
X-Ah-Environment
X-Cache-Action
Countrycode
X-Tec-Api-Version
X-Oneagent-Js-Injection
Version
X-Sucuri-ID
X-Varnish-Server
X-Tec-Api-Root
Retry-After
X-Tec-Api-Origin
X-Source
X-Air-Hostname
Server-Name
Referer-Policy
X-EdgeConnect-Cache-Status
Eomportal-Instance
X-Unique-Id
X-RemovedCookies
X-Real-IP
X-ProcessESI
X-Yottaa-Metrics
X-Environment-Context
X-L-Path
X-Yottaa-Optimizations
Frame-Options
X-Framework
X-Azure-Ref
X-WA-Info
X-Cache-Control
X-Proxy-Cache-Status
X-RTag
Ms-Operation-Id
X-Revision
Meta-Geo
X-ES-SERVER
X-Cache-Var-Map
X-Drupal-Cache-Contexts
X-NewRelic-App-Data
X-Cache-Var
X-RN-RSRV
X-PHP-Backend
X-GeoIP
X-From
X-Sucuri-Cache
X-Mode
X-R9-Blue-Green-Version
X-Xfnlog-Site
X-Qloud-Router
X-ProxyCache-Status
X-Cache-Host
Cache-Tv-Group
X-ProxyCache-Key
X-Cache-TTL-Remaining
X-BYPASS-REASON
X-DynaTrace-JS-Agent
X-Human
X-LJ-Flow-ID
X-NYM-Debug-Backend
X-OCL
X-Loop
X-Cluster
DB-Nickname
Cross-Origin-Window-Policy
Ec-Rule-Version
Mn-Server-Ip
X-AWS-Id
X-PCL
X-Handled-By
X-VWS-Id
X-Time-Microsecs
X-TNCMS
Webcakes-App-Name
TWC-Privacy
Webcakes-App-Version
Webcakes-Region
TWC-Locale-Group
X-Access
X-Amzn-Remapped-Content-Length
TWC-GeoIP-Country
Property-Id
X-Zipkin-Id
X-Hl-Ver
Selected-Fe
TWC-Connection-Speed
X-Timing-Wait
TWC-Device-Class
TWC-GeoIP-LatLong
X-Be
X-Section
X-Server-W
X-Locale
X-Routing-Service
X-Origin-Hint
X-PHP-Host
X-Proxy-Build
X-ServerID
X-Site-Version
X-FB-TRIP-ID
X-Detected-As
X-Status
X-Format
X-FW-Version
X-Hosted-By
X-Drupal-Cache-Tags
X-Proxied
X-Labrador-Cache-Channel
X-No-Session
Uber-Trace-Id
X-Via-Fastly
X-Redis-Cache
X-Proto
X-Debug-Cache
X-Contextid
X-CDN-Forward
CACHE
X-Pinterest-Sli-Endpoint-Name
X-Cache-PHP
X-Pinterest-Sli-Response-Type
X-Pinterest-Sli-Latency-Threshold
X-Device-Type
X-Ratelimit-Reset
X-BCube-Filmed-By
X-Generated-By
FSS-Cache
X-ATG-Version
Cache
Powered
Webserver
X-Time
X-CSRF-Token
X-Adobe-Content
From-Origin
X-Adobe-Loc
X-AIR-PT
X-NC
X-Varnish-Cache-Hits
X-Fastcgi-Cache
X-FTR-Cache-Host
X-SaId
X-JoinUs
X-TIME
VIX-Pulpo-Node
X-TT
VIX-Pulpo-Upstream-Status
X-Is-Crawler
X-Providence-Cookie
OT-Force-Account-Verify
X-Route-Name
X-Flags
X-Aspnet-Duration-Ms
X-Tt-Trace-Tag
X-Oss-Request-Id
X-Oss-Object-Type
X-Tt-Trace-Host
X-Oss-Server-Time
X-Oss-Hash-Crc64ecma
X-Oss-Storage-Class
CF-Cached-On
X-NCache
X-Correlation-Id
Azure-SiteName
Azure-SlotName
Azure-RegionName
X-Origin
Azure-InstanceId
Azure-Version
Upgrade-Insecure-Requests
Access-Control-Request-Headers
X-Akamai-Transformed
X-GoCache-CacheStatus
X-Hp-Webp
X-COUNTRY
X-Cache-2
SD-X-WS
X-NWS-UUID-VERIFY
X-CCM
X-Adobe-Source
X-Storefront-Renderer-Rendered
X-Alternate-Cache-Key
X-Sorting-Hat-PodId
X-Shopify-Stage
X-IPS-LoggedIn
X-ShopId
X-Sorting-Hat-ShopId
X-ShardId
X-LAGOON
X-Cache-Grace
X-ApacheServer
X-Backend-Host
X-PERF
X-Soup
X-Forwarded-Host
X-IP
X-UPSTREAM-Address
X-Backend-TTL
X-SayCDN-TTL
X-Say-Cacheable
Cache-Status
X-Cluster-Name
X-Varnishpool
X-TA-CDN-Provider
Fastly-SSL
X-Web-Node
X-Storage
X-EC-Lua
X-Say-TTL
X-Pubstack
X-APP-VERSION
Decoy-Debug-Key
X-Cache-Enabled
X-ECache
Decoy-Debug-Status
Country
Node
Decoy-Debug-TTL
X-Ruxit-Js-Agent
X-Bc-Bl
X-TX-ID
X-G
X-External-Request-Id
X-ScT
Machine
X-Application
X-A-Wwc
X-Aed
X-D
X-Connection-Hash
X-Tumblr-Pixel-3
X-CF-Lambda-Version
X-Cache-NE
X-CF-Lambda-Fn
Mobile-Detection-Method
Meta-Geo-Continent
Apple-News-Services-Parsed-Url
MD5-Digest
X-Destination
X-B-Cookie
X-ARC
X-A
X-Vtex-Processado-Em
Apple-News-Services-Request-Url
DCR-Processing-Time-Ms
DCR-Decision-By
X-Processor
X-S-Cookie
X-RCS-CacheZone
X-VG-WebServer
X-VG-WebCache
X-Trv-Group
Fastcgi-X-Cache-Version
X-EIG-Tracking-Id
X-Vdms-Path
X-Vdms-Version
X-PBS-Appsvrname
Apple-News-Services-Handled
Apple-News-Services-Host
X-Request-UUID
X-A-Dgt
X-Rewrite-Enabled
X-PAYTM-SRV-ID
X-S
X-Rojux
X-A-Dcw
X-Cache-Backend
X-A-Ccd
X-Vtex-Remote-Cache
X-Worker
Xc-Version
X-A-Dam
Host-ID
Rendered-Blocks
X-Cache-Config
X-Viewer-Country
X-Cdn
Platform
CDN-PullZone
X-Ms-Version
Adler-Geo
CDN-Uid
X-Varnish-CookieHashed-On
X-Ms-Request-Id
X-Varnish-Remaining-TTL
X-Varnish-CookieINHashed-On
X-Variation
X-Page-View
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
X-Servername
X-Platform-Server
CloudFront-Viewer-Country
X-Twitter-Response-Tags
X-Transaction
X-VG-TLSProxy
Fastly-SIE
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Status
X-Varnish-Beresp-Grace
X-Envoy-Decorator-Operation
X-DPWN-IS-SECURE
X-DefElseHash
X-DefHash
X-Generation-Time
Is-Eu
CDN-RequestId
Fastly-SWR
CDN-RequestCountryCode
CDN-Cache
CDN-EdgeStorageId
CDN-CachedAt
X-Cms-Context
Gh-Request-Id
Country-Code
Fastly-Backend-Name
Fastly-Drupal-HTML
L
X-Li-Pop
X-Owner
X-Platform
X-Policy
X-Request-Host
X-Old-Content-Length
X-Minions-Version
X-Li-Fabric
X-LI-UUID
X-Method
X-Micro-Cache
X-Request-Start
X-Skip-Cache
X-Wikidot-Backend
X-Wikidot-Static-Cache
X-Core-Value
X-Microcachable
X-WADP-Cache
X-Varnish-Cacheable
X-Slack-Backend
X-SN
X-Thanos
X-JWT-State
X-Is-Gdpr
X-Bip
X-Cache-Bucket
X-Cache-NGX
X-Clara-WADP
X-Backend-State
X-Auto-Login
Origin
Rt-Fastcgi-Cache
Wxu-Next-Commit
Wxu-Next-Region
X-Clientip
X-Core-Mission
X-Fmm-Version
X-Has-Esi
X-Hash
X-Irp-Debug
X-Fastly-Cache
X-Fastly-Backend
X-CUA
X-Developers
X-Dispatcher-Server
NM-Fastcgi-Cache
Wxu-Next-Hostname
C-Via
CacheControlHeader
AKAMAI
X-UA
X-CS
Backend
X-VarnishDD-TTL
X-Render-Time
X-LLID
X-Cache-Date
X-Cache-Debug
L5d-Success-Class
X-Webstats-RespID
X-HS-Content-Campaign-Id
X-Gzip
X-HN
X-Geo-Header
X-Level-Front-Cache
SRV
X-Gamma-Serve
X-Location
X-Reqid
X-Amz-Meta-Cb-Modifiedtime
X-Varnish-Ttl
PFcat
Akamai-GRN
X-Content-Age
X-OVcl
X-CGP
X-OVcl-Cache
X-Esi-Check
X-Cache-Tags
X-Generated-On
X-Eu-Site
Ha-Gx-Prefs
X-Session-Fingerprint
X-Branch-Name
X-Csrf-Jwt
X-Cache-Id
HA-Ipaddr
X-Vgn-Hpd-Variations-Key
X-Vgn-Hpd-Cached
Pagetype
X-Date
X-GEO
X-Mvc-Supplant-Cachable
X-Accel-Expires-Debug
UCS
X-Wa
Surrogated-Key
X-DC
X-NGENIX-Cache
X-Up
X-Edge-Location
FSS-Proxy
X-Req
X-Refresh
X-LB-ID
X-Via-CDN
X-B3-Spanid
Time
Now
Group
X-Cache-URL
X-Cdn-Srv
X-Via-Popn
X-PF-Uncompressing
We-Hiring
Ufe-Result
Memcached
X-Via-Poph
Mail-Subject
X-FORWARDED-FOR
X-NODE
X-Aicache-OS
X-ID
X-Proxy-Upstream
Hostname
X-B3-Traceid
X-Mvc-Supplant-OutputCached
X-Nginx-Cache
X-Presslabs-Stats
X-RateLimit-Remaining
X-Servedbyhost
NGX
X-LI-Proto
X-Ftr-Cache-Host
X-Sql-Duration-Ms
X-Sql-Count
X-Agile-Age
X-Agile-Id
HostName
X-Debug-Cache-Store
X-Dc
X-BC
X-ZONE
X-Debug-Cache-Fetch
X-Agile
X-Datadome
X-Cache-Remote
X-NU-AKA-ACS-Version
X-Varnish-Hostname
X-Ua-Device
X-Check-Cacheable
X-CACHE-AGE
X-Request-Time
M-TraceId
X-SRV
X-FPC
X-Www-Served-By
Xserver
X-SERVER
Edge-Copy-Time
XServer
X-Via-Edge
X-S-Maxage
X-Via-SSL
Cache-Hits
X-Cache-Spec
X-CSRF-TOKEN
X-SERVER-NAME
X-Cluster-Node
X-VCL-Version
ServedBy
X-LiteSpeed-Cache-Control
Arc-Country
SID
X-Cdn-Forward
X-Erf-Stays-Bingo-Pdp-Web
X-Svr
On-Server
X-MP-GENERATED-AT
Cdn-Request-Time
X-Zone
VivaBuild
Geoip-Latitude
X-APP
X-Edge-Server
X-Via-Popv
Cdn-Host
Viewtype
NtCoent-Length
GeoIp-Country-Code
X-CF-Powered-By
WebServer
X-Bc
X-UnsetCookies
X-Srv
X-Dynatrace-Js-Agent
T-Server
Protected
X-HS-Status
X-RunCloud-Cache
X-Via-Ucdn
ProcessTime
X-Action
X-Pass-Why
X-Cs
Srv
Ohc-File-Size
X-NGINX-Cache
X-DSS
X-RSL
X-RPS
X-RPM
X-Oss-Cdn-Auth
X-DI
X-DW
WWW-Authenticate
X-DB
Memory
Apigw-Requestid
X-Vgn-Hpd-Ssi
X-Erf-Bev-Bev
N-Cache
Server-Host
Pics-Label
X-Erf-Bev-Bev-Is-Generated
X-We-Are-Hiring
Server-Info
X-Varnish-Hits
User-Agent
Processtime
X-Acc-Rdl
W
X-MSEdge-Features
X-VC
X-SB
WZWS-RAY
Magicmarker
X-Instart-Request-ID
X-MSEdge-Flight
LB
X-Geo
Amp-Access-Control-Allow-Source-Origin
X-Uri
CF-IPCountry
Sid
GeoIP-Country-Code
S-Rt
GeoIP-Latitude
X-Webkit-CSP-Report-Only
X-Tb
Ohc-Cache-HIT
X-Newrelic-App-Data
X-HOST
X-Hit
X-Vcache
X-Unique-ID
X-Info
CDN
X-Akamai-Request-ID2
X-TT-LOGID
Cteonnt-Length
X-Newrelic-Synthetics
Section-Io-Id
Actual-Object-TTL
DSUID
Section-Io-Origin-Time-Seconds
Section-Io-Origin-Status
X-ORACLE-APMCS-REQUEST-ID
Section-Origin-Responded
X-HITS
Odigeo-Trace-Id
X-Vcl-Version
X-Cache-Hfrom
X-UA-Device-Type
X-Cache-Hm
User-Cache-Control
X-Envoy-Upstream-Healthchecked-Cluster
X-Pjax-Url
X-Epic-Correlation-Id
Geo-Info
Cache-Name
Tracecode
X-Fpc
A
Accept-Language
X-FC-Vary-Parameters
X-Fastly-Country-Code
X-Origin-Date
Ssr
X-Nc
X-CACHE-KEY
X-Magnolia-Registration
Esi-Enabled
Lb
Lfy
Cdn
X-Mobile-Rewrite
X-Provided-By
CountryCode
V-Age
Vix-Hermes-Req-Id
X-API-Version
X-Block-Status
X-BBXSRF
True-Client-Country-4JS
X-Cache-Expires
Web-Mar-Node
X-BBC-Edge-Cache-Status
X-Developer
Sever-Int
X-Cc-Via
X-Cc-Req-Id
Locid
X-Amzn-Remapped-Date
X-Scheme
FNAC-ModuleRouting
CDCHOST
IsBot
D-Cc-Upstream
MIME-Version
SR-User-Adfree
Thinkindot-CacheControl
Thinkindot-CacheControl-Type
Server-ID
Server-Hostname
Path
Release
Server-Ext
Thinkindot-Control
X-Gen-Mode
X-Request-URI
X-Response-By
X-SD-PageType
X-Origin-TTL
X-Key
X-Origin-CC
X-Via-NSCOPI
X-Origin-Expires
X-SIPLIST1
X-SRCache-Key
X-Varnish-Url
X-VServer
X-Amzn-Remapped-Connection
X-User
X-Thinkindot-L3
X-SVT-ORM-RULES
X-SVT-ORM-VERSION
X-Nyt-Route
X-Origin-Time
X-Hnp-Log
X-Goog-Meta-Goog-Reserved-File-Mtime
Instruction
X-Gdpr
X-Loc
X-GeoIP-City
X-Nginx-Cache-Key
X-Matched-Rule
X-Node-Id
X-Traceid
X-Trace-Id
X-Generated-In
X-Varnish-Authentication
X-Device-Os
Kp-EeAlive
X-Contensis-Viewer-Groups
X-Var-Ttl
X-Swa-Ws
X-Server-IP
X-Fetched-On
X-Azure-Ref-OriginShield
X-Cache-ASPX
X-Sn-Servicetimems
X-Cache-Info
X-NodeID
Pramga
X-Cdn-Origin
X-Men
X-ServedByHost
X-StackifyID
Cache-Host
X-Li-Proto
X-Cache-Tag
X-Dynatrace
X-Served-From
Proxy-Firewall
Origin-Edge-Control
Cache-Key
X-Akamai-Pragma-Client-IP
X-Geo-Region
X-B3-SpanId
X-Instart-Info
X-Rocket-Build-Number
X-Sigma
X-Sigma-Backend
Server-Ttl
X-Dispatch
Origin-Cache-Control
X-TH-Server
X-Via-PopN
X-Lb-Id
X-Parent-Response-Time
X-Via-PopH
X-Via-PopV
Source
X-RAMCache
Powered-By
Cache-Provider
Cf-Device-Type
X-No-Cache
X-LiteSpeed-Tag
X-ServiceProvider
X-RateLimit-Remaining-Second
X-Batcache
X-RateLimit-Limit-Second
HitType
X-Apw-Access-Action
X-VC-Cache
X-Apw-Access-Object
X-ElasticPress-Query
X-Apw-Hits
X-Tt-Logid
X-Apw-Access-Token
X-WA
X-Agile-Brick-Ok
Fastcgi-Cache-TTL
Tcn
Content-Script-Type
Vha6-Origin
Content-Style-Type
X-Pf-Uncompressing
Cf-Alt-Svc
Expiry
Req-Svc-Chain
X-Origin-Response-Time
X-HostName
X-PJAX-URL
BehaviorPad-Version
X-Generated
X-Varnish-Beresp-TTL
X-Request-URL
X-Yottaa-OS
Who
X-MiniProfiler-Ids
X-TrackingId
X-RateLimit-Limit
Xet-Cookie
X-Selected-Scheme
X-Selected-Host-Header
X-Selected-Name
Inserted-Into-Cache-At
Resin-Trace
Dnion-Transfer-Encoding
X-Snapshot-Date
X-BACKEND-TTL
X-B3-Parentspanid
X-Vgn-Hpd-Reason
X-C
X-Dw-Trace-Id
Pragrma
Mime-Version
X-BBC-Origin-Response-Status
PICS-Label