Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
Content-Length
X-Frame-Options
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
X-Powered-By
Pragma
CF-Cache-Status
Link
ETag
Expect-CT
Via
CF-RAY
Age
X-Cache
X-XSS-Protection
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-Xss-Protection
X-Cache-Hits
Referrer-Policy
X-Amz-Cf-Pop
P3P
X-Amz-Cf-Id
X-UA-Compatible
X-Served-By
CF-Ray
Alt-Svc
X-Varnish
X-Request-Id
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-FRAME-OPTIONS
X-Drupal-Cache
X-Check
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Cacheable
X-Permitted-Cross-Domain-Policies
X-Generator
X-Cache-Status
X-DNS-Prefetch-Control
X-Ua-Compatible
Timing-Allow-Origin
P3p
X-Iinfo
X-Template
X-Language
Status
Upgrade
X-Content-Security-Policy
X-AspNetMvc-Version
X-CDN
X-Buckets
Content-Encoding
Access-Control-Expose-Headers
X-Request-ID
X-Kinja-Server-Push
Access-Control-Max-Age
Keep-Alive
X-Via
X-AH-Environment
X-Envoy-Upstream-Service-Time
X-Turbo-Charged-By
X-Drupal-Dynamic-Cache
X-Cache-Group
X-Pass-Why
X-Ws-Request-Id
X-Backend
X-Age
X-Server
X-Proxy-Cache
X-Amz-Request-Id
X-Amz-Id-2
EagleId
X-Robots-Tag
Xkey
X-Page-Speed
X-Hacker
Feature-Policy
X-Server-Powered-By
Request-Context
X-Pingback
Server-Timing
X-Nginx-Cache-Status
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
Grace
X-UA-Device
X-Varnish-Cache
X-Amz-Version-Id
Cf-Railgun
Report-To
X-OneAgent-JS-Injection
X-Rq
X-LiteSpeed-Cache
X-Device
X-Server-Id
X-Origin-Cache
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Vhost
X-Host
EagleEye-TraceId
X-Backend-Server
X-Node
X-Response-Time
X-Dispatcher
NEL
X-Ac
X-WebKit-CSP
X-Cache-Lookup
X-Origin-Upstream-Status
X-Dns-Prefetch-Control
Request-Id
Surrogate-Control
X-Readtime
X-Ruxit-JS-Agent
Content-Location
Fusion-Component-Id
Fusion-Template-Id
X-Application-Context
Fusion-Source
Fusion-Content-Source
Fusion-Content-Id
X-ORACLE-DMS-ECID
X-DataDome
X-HW
X-ORACLE-DMS-RID
X-Cnection
X-Mod-Pagespeed
X-Country
X-Akam-SW-Version
Edge-Control
Rating
X-Url
X-Rack-Cache
X-Cloud-Trace-Context
X-Clacks-Overhead
RTSS
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-FTR-Request-ID
X-Goog-Hash
X-Vname
X-TtlSet
X-PC
X-Country-Code
X-ASPNET-VERSION
Fusion-Deployment-Id
X-DynaTrace
Allow
X-GitHub-Request-Id
Verso
X-Varnish-TTL
Service-Worker-Allowed
Accept-CH
X-Instart-Request-ID
X-MS-InvokeApp
X-D2id
X-Kinja-Build
X-Exp-Id
X-Kinja-Revision
X-Cdn-Fetch
X-Kinja-Server
X-Use-Magma
X-GoogleNews-Bot
X-Kinja
X-Exp-Variant
Content-MD5
Pinterest-Generated-By
SPRequestGuid
X-Server-Name
Accept-CH-Lifetime
X-Powered-By-Plesk
X-Cached
X-Forwarded-Proto
X-Navigation-Version
X-Trace
TCN
X-SharePointHealthScore
X-Amz-Server-Side-Encryption
X-Amz-Rid
X-Abt-Application-Version
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-Fastly-Request-ID
Public-Key-Pins
X-Vcache
X-Vcap-Request-Id
Nginx-Cache
X-Debug
X-Ttl
X-MSEdge-Ref
SPIisLatency
SPRequestDuration
X-VARITI-CCR
X-ESI
Arr-Disable-Session-Affinity
Charset
X-B3-TraceId
MS-Author-Via
X-Cache-TTL
X-Accel-Expires
X-DynaTrace-JS-Agent
X-NF-Request-ID
X-Middleton-Display
Response
Pagespeed
Display
X-Middleton-Response
NR-ENABLED
X-Px
X-Sol
X-Content-Type
Realpath
Cache-Tag
X-Client-IP
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Ser
S
X-Server-ID
Access-Control-Request-Method
Edge-Cache-Tag
X-Powered-CMS
X-Grace
X-Id
Pinterest-Version
X-Pinterest-Rid
X-Webkit-Csp
Front-End-Https
WPE-Backend
X-Jurisdiction
X-Fastcgi-Cache
X-Hp-Webp
X-Shield-Request-Id
X-T
X-Upstream
X-Hits
AR-PoweredBy
AR-ATIME
X-Version
X-Element-Page-Cache
AR-Request-ID
X-Amz-Meta-S3cmd-Attrs
X-Content-Digest
X-Dw-Request-Base-Id
DynaTrace
X-Mrf-Section-Lastmod
X-Mrf-Item-Lastmod
MRF-Tech
Mrf-Cache-Status
X-B3-TraceId-Primal
X-Cache-Hit
X-Node-Name
Fastcgi-Cache
ServerID
X-Recruiting
AMP-Access-Control-Allow-Source-Origin
X-Correlation-Id
X-Mobile-URL
Ar-Sid
AR-CACHE
X-Goog-Metageneration
X-Goog-Generation
X-FTR-Realm
X-Goog-Storage-Class
X-GUploader-UploadID
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-FTR-Backend-Server
X-FTR-Backend
X-Country-Code-Real
X-FTR-Cache-Status
X-FTR-Balancer
X-FTR-DC
X-Request-Processing-Time
X-Request-Received
X-HS-Cache-Config
X-HS-Content-Id
Powered
X-HS-Hub-Id
X-Frontend
Server-Node
X-Forwarded-For
PB-RID
PB-PID
X-FTR-Expires
TP-Cache
TP-L2-Cache
Arc-Version
X-DIS-Request-ID
X-Mobile-Rewrite
Upgrade-Insecure-Requests
Refresh
X-Ezoic-Cdn
X-Shard
X-HS-Combine-CSS
Accept-Ch
Alternate-Protocol
Server-Name
Host-Header
X-XRDS-Location
X-Amzn-Trace-Id
X-Geo-Country
X-Microsite
X-NWS-LOG-UUID
X-Request-Handler-Origin-Region
X-TTL
X-N
X-F-Cache
X-Page-Id
X-Akamai-Edgescape
X-Rid
X-LB-Cache
X-FTR-Cache-Host
X-Logged-In
X-B
Fastly-Restarts
X-User-Agent
X-Content-Security-Policy-Report-Only
X-Aspnetmvc-Version
X-Varnish-Age
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
Backend-Timing
X-ATS-Timestamp
X-XRDS-LOCATION
Accept-Ch-Lifetime
MicrosoftSharePointTeamServices
X-Cache-Key
X-FastCGI-Cache
X-Kinsta-Cache
X-Zen-Fury
Healthy
X-ORACLE-APMCS-TAG
X-ORACLE-APMCS-REQUEST-ID
X-Via-JSL
X-Varnish-Grace
X-Revision
X-Origin-Server
X-Esi
X-Request-Guid
X-Tumblr-Pixel
Host
X-Tumblr-User
X-App-Environment
X-Tumblr-Pixel-0
Fastcgi-Useragent
X-ATG-Version
Paypal-Debug-Id
X-Varnish-Backend
X-Jobs
X-B-Cache
X-Cache-Age
X-Signature
X-Instance
Actual-Object-TTL
Section-Io-Cache
X-Amz-Replication-Status
X-Whom
X-AOL-HN
X-Git-Hash
X-Hostname
X-Seen-By
X-TT
X-FB-Debug
X-Cluster
Frame-Options
X-Cache-Action
X-B3-Sampled
X-Type
X-Debug-Info
X-WebKit-CSP-Report-Only
Cache-Status
Trailer
Access-Control-Allow-Method
X-Content-Options
X-Amzn-Requestid
X-Endurance-Cache-Level
X-Contextid
X-Presslabs-Stats
Source
X-Cache-Rule
X-Content-Powered-By
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Cache-Operation
X-SERVER
X-Host-Name
Tracecode
X-AppVersion
X-Activity-Id
X-Az
Accept-Charset
Liferay-Portal
X-Daa-Tunnel
X-FireWall-Port
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-IPLB-Instance
X-Amz-Apigw-Id
X-PHP-Backend
DC
X-Upgrade-Enabled
X-Framework
X-APP-VERSION
From-Origin
X-WA-Info
NGB
X-Accel-Buffering
X-Response-Served-From
X-ProcessESI
X-Tumblr-Pixel-2
X-Tumblr-Pixel-1
X-RemovedCookies
X-Is-Bot
Retry-After
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
X-Rendered-As
X-FW-Serve
X-Cacheable-TTL
X-Adobe-Loc
X-Adobe-Content
Surrogate-Key
X-FW-Hash
X-FW-Static
X-FW-Server
X-FW-Type
X-UUID
Srv
X-GeoIP
X-L-Path
Eomportal-Instance
X-Wix-Request-Id
X-Environment-Context
Payment
X-Region
X-Mobile
X-Varnish-Server
X-Time-Microsecs
Filters
X-Cache-NE
X-RequestSource
X-Cached-By
X-UA-Device-Type
X-RateLimit-Remaining
X-Handled-By
X-Proxy
X-Varnish-Hostname
X-Unique-Id
X-Origin-Response-Time
X-TIME
Xserver
X-Webkit-CSP
X-NGENIX-Cache
X-Cache-TTL-Remaining
X-B3-Traceid
Filterid
X-EdgeConnect-Cache-Status
X-Cache-Server
Datacenter
X-Cache-Control
X-Akamai-Transformed
X-Cache-Time
Nel
X-Srv
GEO-INFO
MS-CV
X-Backend-Name
Version
X-CST
Server-Info
X-Status
Odigeo-Trace-Id
X-Rule
X-Cache-Enabled
S-Cnection
X-Cache-2
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-Cache-Var-Map
X-CCM
X-Cache-Var
Cache-Tv-Group
Cache-Tags
X-ES-SERVER
Meta-Geo
X-IP
X-Path-Route
X-Redis-Cache
OT-Force-Account-Verify
Azure-InstanceId
Webserver
X-Mode
X-RN-RSRV
Azure-SiteName
Azure-Version
X-Amzn-Remapped-Content-Length
X-FW-Dynamic
X-FC-Vary-Parameters
X-Loop
Ec-Rule-Version
X-Detected-As
DB-Nickname
Azure-SlotName
Azure-RegionName
X-TNCMS
X-Proto
Origin-Edge-Control
X-Say-TTL
Origin-Cache-Control
X-SayCDN-TTL
Decoy-Debug-Status
X-Web-Node
X-ServerID
X-Pubstack
X-Hosted-By
X-Say-Cacheable
NGX
Decoy-Debug-TTL
X-Adobe-Source
Cleartype
Decoy-Debug-Key
Cache-Hits
X-Real-IP
S-Rt
X-Via-Fastly
X-R9-Blue-Green-Version
Cross-Origin-Window-Policy
Now
X-Hl-Ver
Country
X-NCache
ServedBy
X-Cache-Config
X-Sorting-Hat-PodId
X-TX-ID
X-Akamai-Request-ID2
X-Site-Version
X-EIG-Tracking-Id
X-Vgn-Hpd-Reason
Webcakes-App-Name
Webcakes-App-Version
X-RCS-CacheZone
Content-Disposition
TWC-Device-Class
X-PERF
Webcakes-Region
TWC-GeoIP-Country
X-Sorting-Hat-ShopId
X-Alternate-Cache-Key
TWC-Connection-Speed
X-Origin-Hint
X-ApacheServer
Akamai-GRN
TWC-GeoIP-LatLong
Section-Io-Origin-Time-Seconds
X-Human
Section-Origin-Responded
X-Shopify-Generated-Cart-Token
X-ShopId
Property-Id
X-ShardId
Section-Io-Id
X-Locale
X-Proxy-Cache-Status
X-Goog-Meta-Goog-Reserved-File-Mtime
X-Device-Type
X-Shopify-Stage
TWC-Privacy
X-Cache-Status-Check
TWC-Locale-Group
X-Origin
X-Generated
Section-Io-Origin-Status
X-Forwarded-Host
X-Timing-Wait
Selected-Fe
X-FB-TRIP-ID
X-HTML-Minification-Powered-By
X-ProxyCache-Status
X-JoinUs
Cache-Key
X-LJ-Flow-ID
X-VWS-Id
X-Proxy-Build
X-NYM-Debug-Backend
X-ProxyCache-Key
X-Cache-NGX
X-Www-Served-By
X-BYPASS-REASON
Access-Control-Request-Headers
X-Viewer-Country
X-AWS-Id
X-Tb
X-Content-Age
X-SaId
X-Debug-Cache
X-Soup
X-MP-GENERATED-AT
X-Cache-Remote
X-Xfnlog-Site
X-Microcachable
X-Format
X-Cdn
X-Oss-Object-Type
X-Oss-Storage-Class
X-No-Session
X-Oss-Server-Time
X-Oss-Hash-Crc64ecma
X-Oss-Request-Id
X-Section
Mn-Server-Ip
X-Routing-Service
X-Proxied
X-BCube-Filmed-By
X-Access
X-Zipkin-Id
Node
X-Dc
X-Request-Time
X-EC-Lua
X-Backend-TTL
X-Varnish-Hits
Cf-Ipcountry
X-Generated-By
X-Pinterest-Direct
Time
X-Pad
Accept-Language
X-Geo
X-Drupal-Cache-Tags
X-Akamai-Request-ID
X-From
X-IPS-LoggedIn
X-CF-Powered-By
X-NewRelic-App-Data
X-Azure-Ref
X-Old-Content-Length
X-NC
Uber-Trace-Id
X-URL
X-RTag
Ms-Operation-Id
FilterID
X-Amzn-RequestId
X-NWS-UUID-VERIFY
X-Uri
X-RateLimit-Limit
X-VCT
User-Agent
X-PressLabs-Stats
X-Cache-Grace
Cache-Name
X-Source
X-CS
X-Edge
X-MCACHE
X-UA
X-GoCache-CacheStatus
X-Newrelic-Synthetics
X-Litespeed-Cache
X-PHP-Host
X-Labrador-Cache-Channel
X-PCL
X-Nginx-Cache
X-OCL
Cache
X-ECACHE
X-Qloud-Router
X-FORWARDED-FOR
Proxy-Connection
X-Varnish-Cache-Hits
X-APP
X-Magnolia-Registration
X-Hyper-Cache
X-Reboot
X-Region-Sid
X-Request-URI
X-Edge-Location
Fastcgi-X-Cache-Version
X-Processor
ServerName
T-Server
X-Info
X-Request-UUID
True-Client-Country-4JS
X-S
X-S-Cookie
VivaBuild
X-ScT
GEO-REGION-INFO
X-Instart-Info
X-Rewrite-Enabled
Viewtype
X-Rocket-Nginx-Bypass
X-PAYTM-SRV-ID
X-Drupal-Cache-Contexts
Apple-News-Services-Host
Apple-News-Services-Handled
Proxy-Firewall
Meta-Geo-Continent
Apple-News-Services-Parsed-Url
Mobile-Detection-Method
AsisCache
Arc-Country
Apple-News-Services-Request-Url
Rendered-Blocks
Request-Country
X-FW-Version
Xc-Version
MD5-Digest
Machine
X-G
User-Cache-Control
X-GeoIP-Country-Code
Memcached
Request-EU
BehaviorPad-Version
X-Rojux
X-Trv-Group
X-B-Cookie
X-Tumblr-Pixel-3
X-CF-Lambda-Fn
X-CF-Lambda-Version
X-Application
X-ARC
X-VG-WebServer
X-Transaction
X-Destination
X-Connection-Hash
X-Cdn-Srv
X-Vdms-Version
X-VG-WebCache
X-D
X-SRCache-Key
X-DPWN-IS-SECURE
X-A-Ccd
X-A-Dam
X-A-Dcw
X-Session-Fingerprint
X-A
X-Vtex-Remote-Cache
X-External-Request-Id
X-A-Dgt
X-Developer
X-Date
X-Twitter-Response-Tags
X-Aed
X-Accel-Expires-Debug
X-Vtex-Processado-Em
X-A-Wwc
X-Cache-Bucket
X-Mid
X-CDN-Forward
X-Cluster-Name
X-IN-APIGATEWAY
X-Hnp-Log
X-IN-APIGATEWAYSSL
Gh-Request-Id
X-Clara-WADP
X-Core-Value
X-JWT-State
X-GeoIP-City
X-Is-Gdpr
X-Contensis-Viewer-Groups
N-Cache
On-Server
X-Generated-On
Vix-Hermes-Req-Id
Server-Surrogate-Control
X-Fmm-Version
X-Backend-Host
Server-Host
Server-Cache-Control
X-Auto-Login
Thinkindot-CacheControl
X-Fastly-Cache
Viewport
Thinkindot-Control
Thinkindot-CacheControl-Type
X-BBXSRF
X-Bc-Bl
X-Cache-Info
X-Gamma-Serve
X-Cdn-Origin
X-Has-Esi
X-Geo-Header
Web-Mar-Node
X-Block-Status
SD-X-WS
Rt-Fastcgi-Cache
X-Cache-ASPX
X-Gen-Mode
Content-Script-Type
X-Served-From
X-ServiceProvider
X-Slack-Backend
CF-Cached-On
X-Webstats-RespID
X-VServer
X-Micro-Cache
Cache-Cookie-Set-Lfrom
Cache-Cookie-Set-Idcheck
Cache-Cookie-Set-From
X-Varnish-Authentication
X-Sn-Servicetimems
X-Trafficlayer-App-Scope
X-Trafficlayer-App-Version
X-COUNTRY
X-WADP-Cache
X-Trafficlayer-App-Name
X-VCache
X-We-Are-Hiring
X-Thinkindot-L3
X-TrackingId
X-Matched-Rule
X-Request-Host
X-Li-Pop
X-Li-Fabric
X-Irp-Debug
Content-Style-Type
X-LI-Proto
X-LI-UUID
X-Level-Front-Cache
X-UnsetCookies
X-Sucuri-ID
X-S-Maxage
X-Storage
Group
X-WebServer
X-Distributor
X-Thanos
X-Swa-Ws
Countrycode
X-Urbn-Context-Path
Is-Eu
X-SN
IsBot
X-Skip-Cache
Heartbleed
X-Backend-State
Country-Code
X-Cms-Context
Locale
X-App-Name
X-Urbn-Site-Id
X-Cache-Tags
X-Device-Os
X-LAGOON
X-Cache-URL
X-SS-Set-Cookie
X-Var-Ttl
Fastly-SWR
X-Cluster-Node
X-DevSite-Last-Modified
X-Dispatch
X-SIPLIST1
X-Bip
X-Variation
X-Varnish-Ttl
AKAMAI
X-Cache-FS-Status
X-Dispatcher-Server
X-Trace-Id
X-Servername
X-Origin-Date
X-Wikidot-Static-Cache
X-NX-Host
X-Origin-Expires
X-Owner
Server-ID
X-Platform-Server
X-Wikidot-Backend
X-NodeID
X-Debug-Cookies
Platform
Cache-Host
X-Ms-Request-Id
Mail-Subject
X-Generated-In
X-Ms-Version
A
Adler-Geo
X-Generation-Time
X-Proxy-Upstream
We-Hiring
X-Hash
X-Scheme
Fastly-SIE
X-Server-W
X-Logging-Id
X-Debug-Log
Kp-EeAlive
X-VC-Cache
X-CUA
V-Age
X-Rebelmouse-Cache-Control
X-RateLimit-Remaining-Second
X-RateLimit-Limit-Second
X-Rebelmouse-Surrogate-Control
X-VG-TLSProxy
X-Clientip
X-Varnish-Cacheable
X-Fetched-On
X-App-Server
X-Rocket-Build-Number
X-Response-By
X-Req
X-Nginx-Cache-Key
X-Eu-Site
X-Sigma
X-Distil-CS
X-Epic-Correlation-Id
X-Sigma-Backend
X-TT-TIMESTAMP
W
RNT-Machine
CDCHOST
RNT-Time
X-Developers
Wxu-Next-Hostname
Wxu-Next-Commit
X-CSRF-Token
Locid
Fastly-Drupal-HTML
X-Vdms-Path
FNAC-ModuleRouting
Ha-Gx-Prefs
L5d-Success-Class
HA-Ipaddr
Wxu-Next-Region
X-Varnish-Beresp-Grace
X-Agile
X-Cache-Expired-At
X-Cache-PHP
X-CGP
X-Core-Mission
X-Varnish-Beresp-Status
NM-Fastcgi-Cache
X-Agile-Age
X-Agile-Id
Request-Time
X-Debug-Cache-Fetch
X-Debug-Cache-Store
X-Instart-Isnd
X-Debug-Cache-Expiry
X-OVcl
X-OVcl-Cache
X-B3-Spanid
X-RESPONSE-TIME
X-C
X-Refresh
X-Hit
Server-Hostname
PFcat
Sever-Int
Server-Ext
X-Varnish-Beresp-Ttl
X-CLOUD-TRACE-CONTEXT
X-CACHE-KEY
X-TA-CDN-Provider
M-TraceId
Pagetype
X-Node-Id
HostName
X-Protected-By
X-Time
X-FPC
X-Parent-Response-Time
X-Nc
Mime-Version
X-Ua-Device
X-MSEdge-Features
X-MSEdge-Flight
X-Method
X-Via-PopV
X-Via-PopH
PICS-Label
Powered-By-ChinaCache
X-Worker
X-Varnish-URL
Geo-Info
X-Ratelimit-Remaining
Magicmarker
X-Lb-Id
X-Branch-Name
Geoip-City
X-Wa
Pramga
X-Envoy-Upstream-Healthchecked-Cluster
Origin
Geoip-Latitude
X-SRV
X-Be
X-Request-Start
Cloudfront-Viewer-Country
Memory
X-Service
GeoIp-Country-Code
X-ND-Cache
X-GEO
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-SERVER-NAME
X-Policy
X-Planisys-CDN-Cache
HitType
X-C-Zone
XServer
X-C-Key
X-Pjax-Url
X-Load-Cache
X-ECache
Environment
X-HS-Status
X-BACKEND-TTL
X-DC
Who
Dt-Cache-Category
Esi-Enabled
X-Wix-Viewer-Type
X-Reqid
X-Bc
X-Newrelic-App-Data
X-Myra-Origin2
X-Azure-Ref-OriginShield
X-Zone
NtCoent-Length
X-Cdn-Forward
Cteonnt-Length
X-Ua
X-VCL-Version
X-Up
Fastly-Backend-Name
X-Servedbyhost
X-Country-IP
X-Via-Ucdn
X-Referer
TTL
X-CSRF-TOKEN
X-Cache-Metadata
X-Vcl-Version
Ttl
X-Origin-TTL
X-Origin-CC
SRV
X-BC
Resin-Trace
Pragrma
X-Oneagent-Js-Injection
X-ServedByHost
UCS
Product
Cdn
X-Server-Time
X-TT-LOGID
X-ZONE
Hostname
X-Ratelimit-Limit
X-Swift-Error
X-Cache-Host
X-Edge-Server
Cdn-Request-Time
X-Pf-Uncompressing
X-App-Version
Cdn-Host
X-Fastly-Country-Code
X-NGINX-Cache
X-AK-Request-ID
Release
X-Correlation-ID
X-Server-IP
Cdnsip
Cdncip
Lb
Load-Balancing
CACHE
X-NU-AKA-ACS-Version
X-Tec-Api-Version
X-Tec-Api-Root
X-Tec-Api-Origin
X-AIR-PT
FSS-Cache
X-Ruxit-Js-Agent
X-SVT-ORM-VERSION
X-SVT-ORM-RULES
X-PJAX-URL
X-Node-ID
LB
GeoIP-Country-Code
C-Via
X-Configured-By
X-Datadome
Sid
X-Air-Hostname
X-WPE-Loopback-Upstream-Addr
Warning
GeoIP-City
GeoIP-Latitude
X-WA
Dnion-Transfer-Encoding
Ohc-File-Size
MIME-Version
My-App
X-Location
X-Tb-Optimization-Total-Bytes-Saved
X-Gzip
X-Cache-Id
X-Esi-Check
X-BE
X-UPSTREAM-Address
X-TH-Server
X-Sucuri-Cache
X-Mvc-Supplant-Cachable
Ohc-Cache-HIT
X-RAMCache
X-Cache-Debug
RequestId
X-Svr
X-Powered-Y
X-Cache-Backend
X-Fastly-Backend-Reqs
X-Varnish-Url
Lfy
X-Fastly-Request-Id
X-VarnishDD-TTL
IBM-Web2-Location
Pics-Label
X-Varnish-Beresp-TTL
X-Mvc-Supplant-OutputCached
X-B3-SpanId
X-Fpc
X-Apw-Access-Object
X-Apw-Access-Action
X-Dynatrace-Js-Agent
X-MID
X-Apw-Access-Token
X-Apw-Hits
X-Edge-O15-RID
X-Ocache
Server-Int
X-LiteSpeed-Cache-Control
Fastly-SSL
CDN
Xet-Cookie
X-ElasticPress-Query
X-User
X-ElasticPress-Search
X-Flow-Id
X-Agile-Brick-Ok
X-Page-Impression-Id
X-Zalando-Child-Request-Id
Requestid
CF-IPCountry
X-SD-PageType
Cneonction
X-Check-Cacheable
Processtime
Host-ID
X-B3-Parentspanid
X-Aicache-OS
X-Debug-Revision
X-Amzn-Remapped-Connection
X-Amzn-Remapped-Date
X-Akamai-ERRuleID
X-Akamai-ERPolicy
X-Debug-Controller
X-Unique-ID
Powered-By
X-Sucuri-Id
CloudFront-Viewer-Country
X-MiniProfiler-Ids
X-LB-ID
X-Request-URL
ProcessTime
X-Dw-Trace-Id
X-Fastly-Cache-Hits
X-Nananana
DataCenter
URI
X-Request-Url
X-Cache-Tag
X-PF-Uncompressing