Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
X-Served-By
P3P
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
X-Request-Id
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
P3p
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Check
X-Cacheable
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-CONTENT-TYPE-OPTIONS
X-AspNetMvc-Version
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
Server-Timing
X-Ws-Request-Id
X-Cache-Group
X-Turbo-Charged-By
Keep-Alive
X-Akamai-Path-Stats
X-Backend
Request-Context
EagleId
X-Age
X-Robots-Tag
X-Server
X-Dns-Prefetch-Control
X-AH-Environment
X-Amz-Request-Id
X-UA-Device
Host-Header
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
Allow
X-Ua-Compatible
CONTENT-SECURITY-POLICY
EagleEye-TraceId
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Nginx-Cache-Status
X-WebKit-CSP
X-Device
X-Cache-Spec
Cf-Railgun
X-OneAgent-JS-Injection
X-Host
X-Page-Speed
X-Node
X-CST
X-Aws-Lambda-Call-Status
X-Server-Id
X-Pingback
Request-Id
Surrogate-Control
Cf-Edge-Cache
X-Backend-Server
X-Readtime
X-Akam-SW-Version
Accept-CH
X-Response-Time
X-Cache-Lookup
X-HW
Xkey
Accept-CH-Lifetime
X-Application-Context
Content-Location
X-ASPNET-VERSION
Rating
X-Cloud-Trace-Context
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Trace
X-Url
X-Country
Fastly-Restarts
Accept-Ch
X-MS-InvokeApp
Accept-Ch-Lifetime
X-Ruxit-JS-Agent
X-Rack-Cache
X-Mod-Pagespeed
X-PC
X-TtlSet
X-Vname
X-Clacks-Overhead
RTSS
Edge-Control
X-VARITI-CCR
X-Server-Name
X-ESI
X-Amz-Server-Side-Encryption
X-Varnish-TTL
Cache-Tag
X-Content-Type
X-Vcap-Request-Id
X-Dw-Request-Base-Id
X-Kinja-Revision
X-Kinja-Server
X-Exp-Variant
X-GoogleNews-Bot
X-Kinja
X-Exp-Id
X-Use-Magma
X-Kinja-Build
X-Cdn-Fetch
X-Amz-Rid
X-B3-TraceId
Public-Key-Pins
X-Px
X-Cnection
X-Edge
X-FastCGI-Cache
X-D2id
X-Ac
X-Ser
X-Navigation-Version
X-Element-Page-Cache
Verso
X-Abt-Application-Version
X-Powered-By-Plesk
X-RateLimit-Remaining
X-Sol
Pagespeed
X-Client-IP
Display
X-Middleton-Display
X-Version
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
X-Ttl
Service-Worker-Allowed
X-Country-Code
X-Cache-TTL
X-Content-Security-Policy-Report-Only
X-Middleton-Response
Response
X-NF-Request-ID
X-Goog-Hash
Access-Control-Request-Method
SPRequestDuration
SPIisLatency
X-Correlation-Id
X-Kinsta-Cache
X-Cached
AR-PoweredBy
AR-Request-ID
AR-SID
AR-CACHE
AR-ATIME
X-Edge-Location-Klb
SPRequestGuid
X-SharePointHealthScore
X-Ruxit-Js-Agent
X-Powered-CMS
X-Upstream
X-Server-Lifecycle-Phase
X-Kraken-Loop-Name
X-Instrumentation
Edge-Cache-Tag
X-LLID
X-NWS-LOG-UUID
X-Forwarded-For
X-Cache-Key
Content-MD5
X-Litespeed-Cache
X-TTL
Nginx-Cache
X-MSEdge-Ref
X-RateLimit-Limit
X-Shield-Request-Id
MRF-Tech
Mrf-Cache-Status
X-Id
TCN
X-T
X-Recruiting
S
X-Server-ID
X-B3-TraceId-Primal
X-Daa-Tunnel
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-TEC-API-VERSION
X-Content-Digest
X-WebKit-CSP-Report-Only
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-ECACHE
X-HP-Webp
X-Mg-S
X-Jurisdiction
X-HP-Trace-Id
X-Ua-Device
X-DataDome
X-Accel-Expires
X-HS-Content-Id
X-HS-Cache-Config
X-Grace
X-HS-Combine-CSS
X-HS-Hub-Id
X-Protected-By
MicrosoftSharePointTeamServices
X-Ezoic-Cdn
X-Frontend
X-Request-Processing-Time
X-Content
X-Ab
X-DynaTrace
MS-Author-Via
X-Ua-Browser
X-Request-Received
Server-Node
TP-Cache
TP-L2-Cache
X-Yandex-Sdch-Disable
Filters
Front-End-Https
X-PressLabs-Stats
X-Distributor
X-Origin-Server
Fastcgi-Cache
X-Geo-Country
X-ORACLE-DMS-ECID
X-Mid
X-Hits
X-ORACLE-DMS-RID
X-Microsite
X-Tt-Trace-Host
X-Request-Handler-Origin-Region
X-Tt-Trace-Tag
X-LB-Cache
X-Amzn-Trace-Id
Charset
X-Debug-Info
X-Oneagent-Js-Injection
Cleartype
X-Webkit-Csp
Host
X-Ratelimit-Reset
X-Fastly-Request-Id
Cross-Origin-Opener-Policy
X-B3-Sampled
X-Git-Hash
X-Page-Id
X-Forwarded-Proto
X-F-Cache
X-DIS-Request-ID
X-Mcache
Cache-Status
X-Cache-Age
Realpath
X-Seen-By
X-Www-Served-By
Access-Control-Allow-Method
X-Az
X-Activity-Id
X-AppVersion
ServerID
Accept-Charset
X-Webkit-CSP
X-Pinterest-Rid
Pinterest-Version
Pinterest-Generated-By
Filterid
X-Varnish-Age
Cache-Tags
X-Cluster-Name
X-Nginx-Upstream-Cache-Status
X-Aspnetmvc-Version
X-Content-Options
X-Rid
Retry-After
X-Type
X-FB-Debug
X-Language
X-App-Environment
Server-Name
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
Country
Viewport
X-User-Agent
X-Varnish-Backend
X-Tb
DC
X-Varnish-Grace
X-Drupal-Cache-Tags
Paypal-Debug-Id
X-Upgrade-Enabled
X-Signature
X-Wix-Request-Id
X-B-Cache
X-Goog-Metageneration
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length
X-Oracle-Dms-Ecid
X-Whom
X-GUploader-UploadID
X-Goog-Storage-Class
X-Goog-Generation
X-Origin-Cache
Node
X-Aspnet-Duration-Ms
Permissions-Policy
X-Oracle-Dms-Rid
X-TT
X-Route-Name
X-VCache
X-Providence-Cookie
X-Is-Crawler
X-Mobile-URL
X-Flags
X-Request-Guid
X-MCACHE
X-B
X-NWS-UUID-VERIFY
X-Debug
Protected
Fastcgi-Useragent
X-XRDS-LOCATION
X-Amz-Replication-Status
X-Amz-Meta-S3cmd-Attrs
X-Logged-In
X-Cache-NGX
X-N
Payment
WPO-Cache-Message
Surrogate-Key
WPO-Cache-Status
X-Via-JSL
X-Load-Cache
X-Cache-Control
X-Contextid
Amp-Access-Control-Allow-Source-Origin
X-XRDS-Location
Count-Hit
X-Node-Name
Healthy
X-ECache
X-Erf-Bev-Bev-Is-Generated
X-B3-Traceid
X-Browser-Type
X-Erf-Bev-Bev
X-Mobile
X-FW-Dynamic
X-FW-Type
X-FW-Server
X-FW-Static
X-FW-Hash
X-FW-Serve
X-Original-Request-Id
X-Response-Served-From
X-Template
SD-X-WS
Akamai-GRN
Content-Disposition
X-Midtier
Refresh
X-Restarts
X-Proxy
X-NGENIX-Cache
Url
Alternate-Protocol
X-Real-IP
X-Zen-Fury
X-Revision
X-Jobs
X-Cache-Time
Uber-Trace-Id
X-UUID
X-Cache-TTL-Remaining
X-Framework
X-Is-Bot
X-Servername
X-G
X-Drupal-Cache-Contexts
X-Akamai-Request-ID2
NGB
X-Proxy-Cache-Status
X-Device-Type
X-Rendered-As
X-Yottaa-Optimizations
X-Debug-IsPreview
X-Cacheable-TTL
X-Trace-Id
X-Hostname
X-Yottaa-Metrics
X-Instance
X-Debug-IsConnected
X-Cache-Grace
X-Adobe-Content
X-Page-View
X-Adobe-Loc
VIX-Pulpo-Upstream-Status
VIX-Pulpo-Node
Access-Control-Request-Headers
X-Http-Reason
X-Mg-Request-UUID
X-Varnish-Server
X-IPLB-Instance
X-EdgeConnect-Cache-Status
X-Source
X-Environment-Context
Version
X-L-Path
X-HTML-Minification-Powered-By
Frame-Options
Ms-Operation-Id
X-RTag
Accept-Language
MS-CV
Countrycode
X-Fastly-Request-ID
X-Cache-Hit
From-Origin
X-Cache-Rule
X-Datadome
Referer-Policy
X-Fastcgi-Cache
X-NYM-Debug-Backend
X-Cache-Expired-At
X-App-Server
Liferay-Portal
X-Ratelimit-Remaining
X-Vgn-Hpd-Reason
Cross-Origin-Window-Policy
Backend
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Tumblr-User
X-Tumblr-Pixel-1
X-IPS-LoggedIn
X-FW-Version
X-COUNTRY
X-APP-VERSION
Content-Secure-Policy
X-Unique-Id
X-Hosted-By
Upgrade-Insecure-Requests
X-Nginx-Cache
X-RN-RSRV
X-Ratelimit-Limit
X-UPSTREAM-Address
Meta-Geo
X-Cache-Server
X-Generation-Time
X-No-Session
X-Cache-Enabled
X-FB-TRIP-ID
Section-Io-Cache
X-OCL
X-PCL
X-Redis-Cache
X-Section
TWC-GeoIP-LatLong
X-Content-Age
X-Request-Time
TWC-Privacy
X-Format
Webcakes-App-Name
TWC-Device-Class
X-Cluster-Node
Webcakes-App-Version
Azure-SlotName
TWC-GeoIP-Country
Azure-RegionName
Property-Id
Mn-Server-Ip
Azure-SiteName
WP-Super-Cache
X-Region
Azure-Version
X-Via-Fastly
X-ProcessESI
S-Rt
X-Varnish-Cache-Hits
X-AOL-HN
X-Be
X-UA-Device-Type
X-Origin-Hint
X-Server-W
X-PHP-Backend
TWC-Connection-Speed
X-RemovedCookies
X-Ua
X-Origin-Date
Azure-InstanceId
X-Access
Webcakes-Region
TWC-Locale-Group
X-Mode
X-NewRelic-App-Data
CF-IPCountry
X-SayCDN-TTL
X-Sorting-Hat-PodId
X-Sorting-Hat-ShopId
X-ShopId
X-ShardId
X-Alternate-Cache-Key
X-ProxyCache-Status
X-Say-TTL
X-Say-Cacheable
Apigw-Requestid
X-Sql-Duration-Ms
X-Xfnlog-Site
X-PERF
Eomportal-Instance
X-Sql-Count
X-Parallel-Accel
X-BYPASS-REASON
X-ApacheServer
X-Akamai-Edgescape
X-Nginx-Cache-Key
X-Shopify-Stage
X-Locale
X-Debug-Cache
X-ProxyCache-Key
X-Content-Powered-By
X-Forwarded-Host
X-Generated-By
X-Human
X-Storage
X-Uri
Fastly-SSL
X-Status
X-Site-Version
X-Varnishpool
X-Platform-Server
X-Routing-Service
X-AWS-Id
X-Cache-Host
X-JoinUs
X-Zipkin-Id
X-Urbn-Context-Path
Locale
X-Hl-Ver
X-VC-Cache
X-Labrador-Cache-Channel
X-Urbn-Site-Id
X-PHP-Host
X-Cms-Context
X-Cache-Type
X-Cache-Tags
X-Proxied
X-Backend-Name
X-VWS-Id
X-Web-Node
X-Extlb
X-LJ-Flow-ID
X-Detected-As
X-Adobe-Source
X-SaId
Ec-Rule-Version
X-GG-Cache-Date
X-Tid
X-ServerID
X-Handled-By
Load-Balancing
Selected-Fe
X-Timing-Wait
X-Proxy-Build
Cache-Tv-Group
ServedBy
CDN-RequestCountryCode
X-Cache-Action
CDN-RequestId
CDN-PullZone
CDN-EdgeStorageId
CDN-CachedAt
CDN-Uid
X-Storefront-Renderer-Rendered
CDN-Cache
X-Dc
X-Edge-Location
X-Proto
SRV
X-CDN-Forward
X-GeoCode
X-GeoCountry
Web-Mar-Node
X-LSADC-Cache
Fastly-Drupal-Html
Webserver
Onion-Location
X-Hyper-Cache
X-Rule
X-App-Version
Mime-Version
X-Cache-Operation
X-Cache-Remote
X-Cached-By
X-GEO
X-Varnish-Hostname
X-Rewrite-Enabled
Cache-Hits
X-Soup
X-TT-LOGID
SID
Xet-Cookie
Xserver
X-Cluster
X-Cdn
X-Magnolia-Registration
X-Origin-TTL
X-Origin-CC
X-Pubstack
X-Varnish-Ttl
X-Accel-Buffering
X-Varnish-Hits
X-Reqid
X-IPLB-Request-ID
X-Envoy-Decorator-Operation
X-SRV
X-Air-Hostname
X-Air-Source
X-Air-Trace-Id
Server-Info
LB
Country-Code
X-Microcachable
X-TA-CDN-Provider
X-Tt-Logid
X-Tumblr-Pixel-3
X-MP-GENERATED-AT
X-Tumblr-Pixel-2
DB-Nickname
Cache
Decoy-Debug-Status
Decoy-Debug-Key
Decoy-Debug-TTL
Source
X-Buckets
X-Request-Host
X-CSRF-Token
X-Amz-Apigw-Id
X-Newrelic-Synthetics
X-Amzn-RequestId
X-Ms-Version
X-Ms-Request-Id
X-Via-NSCOPI
X-Origin-Response-Time
X-Endurance-Cache-Level
BehaviorPad-Version
Cdnsip
Cdncip
A
Expiry
DCR-Processing-Time-Ms
DCR-Decision-By
Host-ID
Fastcgi-X-Cache-Version
Lang
X-Cdn-Srv
X-PBS-Appsvrname
X-PAYTM-SRV-ID
X-Processor
X-Rojux
X-S-Cookie
X-S
X-Orig-Expires
X-NAPM-TraceId
X-Ftr-Request-Id
X-Forwarded-Path
X-Geo-Header
X-Hash
X-Ig-Push-State
X-HS-Content-Campaign-Id
X-ScT
X-SD-PageType
X-Vdms-Version
X-Vdms-Path
X-VG-WebCache
X-Vtex-Processado-Em
Xc-Version
X-Vtex-Remote-Cache
X-User
X-TrackingId
X-Shop-Environment
X-Session-Fingerprint
X-SRCache-Key
X-Tenant
X-TIM-N
X-External-Request-Id
X-Epic-Correlation-Id
X-A-Ccd
T-Server
X-A-Dam
X-A-Dcw
X-A-Wwc
X-A-Dgt
Surrogated-Key
Sslversion
Mobile-Detection-Method
Meta-Geo-Continent
Odigeo-Trace-Id
Pramga
Rendered-Blocks
X-Aed
X-AK-Request-ID
X-D
X-Connection-Hash
X-Destination
X-Developer
X-Ec-GeoHdr
X-Ec-Fail
X-Conf
X-CF-Lambda-Version
X-ARC
X-Application
X-B-Cookie
X-Cache-NE
X-CF-Lambda-Fn
MD5-Digest
X-A
X-Skip-Cache
X-NCache
X-RCS-CacheZone
X-Tx-Id
X-B3-SpanId
X-Bc-Bl
X-Time
X-Cache-Backend
X-Cache-Bucket
X-Cache-Info
X-Core-Mission
X-Core-Value
X-Clara-WADP
X-Ckpd-Fst-Backend
X-CacheTTL
X-Cache-Id
Wxu-Next-Hostname
Mail-Subject
Machine
Fastly-GeoIP-CountryCode
Cmstype
Memcached
NM-Fastcgi-Cache
Wxu-Next-Region
Wxu-Next-Commit
We-Hiring
State
X-Amzn-Remapped-Content-Length
X-Azure-Ref
X-Scheme
X-Server-IP
X-SB
X-Rocket-Build-Number
X-Origin-Time
X-Sigma
X-Sigma-Backend
X-WADP-Cache
X-Worker
X-Via-Ucdn
X-SVT-ORM-VERSION
X-SVT-ORM-RULES
X-Origin-Expires
X-Node-Id
X-Fastly-Cache
X-Fetched-On
X-Esi-Check
X-Device-Os
X-Developers
X-Fmm-Version
X-Gdpr
X-Mvc-Supplant-Cachable
X-Irp-Debug
X-Gzip
X-GeoIP
Cmsid
X-Nyt-Route
AKAMAI
Cache-Name
X-Varnish-Beresp-Grace
X-HN
X-Hnp-Log
X-Httpd
X-Cache-Status-Check
X-Generated-On
X-Gamma-Serve
X-Gen-Mode
X-GeoIP-City
X-LAGOON
X-Origin
X-Platform
X-Pod-Name
X-NodeID
X-Minions-Version
X-Level-Front-Cache
X-Loc
X-Forwarded-Site
X-Eu-Site
X-BBC-Edge-Cache-Status
X-Block-Status
X-Cache-Date
X-Auto-Login
X-Aicache-OS
User-Cache-Control
Web-Mar-Region
X-Cdn-Origin
X-CGP
X-Dispatcher-Number
X-DPWN-IS-SECURE
X-Ec-Custom-Error
Datacenter
X-DefHash
X-Csrf-Jwt
X-DefElseHash
X-Policy
Traceparent
X-Viewer-Country
X-Wikidot-Backend
X-Wikidot-Static-Cache
X-VG-TLSProxy
X-VarnishDD-TTL
X-Varnish-CookieHashed-On
X-Varnish-CookieINHashed-On
X-Varnish-Remaining-TTL
Kp-EeAlive
X-Has-Esi
X-Wix-Viewer-Type
Cache-Key
Candidate-Md5Url
X-TNCMS
X-Loop
X-Is-Gdpr
X-JWT-State
X-Variation
X-V-Cache
X-RateLimit-Limit-Second
X-RateLimit-Remaining-Second
X-Rebelmouse-Surrogate-Control
X-Qloud-Router
X-Proxy-Upstream
X-BCube-Filmed-By
X-Proxy-Cache-Info
X-Region-Sid
X-Request-URI
X-Sn-Servicetimems
DynaTrace
X-Thinkindot-L3
X-Slack-Backend
X-SIPLIST1
X-Rocket-Nginx-Serving-Static
X-Served-From
X-Pool
X-Rebelmouse-Cache-Control
Producers
Gh-Request-Id
HA-Ipaddr
Is-Eu
L
IsBot
Svr
Fastly-SWR
Fastcgi-Cache-TTL
Environment
Apple-News-Services-Parsed-Url
X-R9-Blue-Green-Version
Fastly-SIE
L5d-Success-Class
Ssr
Origin-EX
Origin-CC
PFcat
Release
Platform
Redirect-Candidate
Origin
Req-Svc-Chain
Apple-News-Services-Handled
Apple-News-Services-Host
N-Cache
Server-Host
Adler-Geo
TDXMobile
Ha-Gx-Prefs
CloudFront-Viewer-Country
Cluster
Thinkindot-Control
Thinkindot-CacheControl
CDCHOST
Apple-News-Services-Request-Url
Thinkindot-CacheControl-Type
CPC-Age
X-Xrds-Location
X-Planisys-CDN-TTL
X-SplitTest
V-Age
XM
X-Datadog-Sampling-Priority
Vix-Hermes-Req-Id
Ohc-File-Size
X-Planisys-CDN-Cache
CPC-Cache
VNS-Age
X-Datadog-Parent-Id
VNS-Cache
HostName
X-Planisys-CDN-Rules
X-Optimistic-Header
X-Datadog-Trace-Id
Server-Ext
Sever-Int
X-VServer
DSUID
GEO-INFO
X-Branch-Name
NGX
CDN
Server-Hostname
X-From
X-Owner
X-Webstats-RespID
X-Refresh
X-WP-CF-Super-Cache-Cache-Control
X-WP-CF-Super-Cache
X-Scale
X-Parent-Response-Time
X-WA-Info
Pics-Label
Fastly-Backend-Name
X-Ad-Defer-Variation
X-AIR-PT
X-ZONE
X-Location
X-Micro-Cache
X-CS
X-VC
X-EC-Lua
X-Tb-Optimization-Total-Bytes-Saved
X-CACHE-KEY
X-NC
Locid
X-Cache-ASPX
X-Ah-Environment
X-Contensis-Viewer-Groups
X-LB-NoCache
X-Edge-Pop
Servername
Env
Ms-Author-Via
X-TIME
X-Srv
X-Servedbyhost
X-Response-By
X-Udemy-Cache-App-Namespace
X-Mvc-Supplant-OutputCached
X-Varnish-Authentication
Path
X-Men
Arc-Country
AMP-Access-Control-Allow-Source-Origin
X-Generated-In
Ngx.Var.Host
X-Old-Content-Length
Cache-Host
X-Amz-Meta-Cb-Modifiedtime
X-TraceId
X-Tec-Api-Origin
X-Tec-Api-Root
X-Tec-Api-Version
Lb
X-RPS
X-RPM
X-DW
Memory
X-RSL
X-DI
X-Via-Poph
Time
X-Varnish-Beresp-TTL
X-DSS
X-Via-Popn
X-Via-Popv
X-DB
X-Proxy-CacheRZ
XkeyRZ
Ohc-Cache-HIT
X-Date
X-HA-Backend
ITXSESSIONID
X-Accel-Expires-Debug
X-S-Maxage
X-Akamai-Transformed
GeoIp-Country-Code
X-API-Version
X-RateLimit-Reset
X-Vc
True-Client-IP
X-GeoIP-Country-Code
X-Clientip
X-Cs
X-VCL-Version
X-GeoIP-Region-Code
Client
FSS-Cache
X-Cache-Debug
X-Api-Version
Geoip-Latitude
X-Zone
Hostname
X-VHOST
X-DC
X-Trace-ID
Server-ID
Fusion-Template-Id
Fusion-Content-Id
X-URL
Fusion-Source
Fusion-Component-Id
Fusion-Deployment-Id
Fusion-Content-Source
X-Dmc
X-Fpc
X-FireWall-Port
X-Presslabs-Stats
CacheControlHeader
X-Correlation-ID
X-TH-Server
X-MSEdge-Flight
True-Client-Country-4JS
X-Action
NtCoent-Length
X-TX-ID
X-MSEdge-Features
X-Render-Time
X-B3-Spanid
X-Webkit-Csp-Report-Only
Powered-By
X-Traceid
X-Backend-TTL
X-INCAP-ABP
X-DynaTrace-JS-Agent
Rip
X-NGINX-Cache
X-PX
X-Gateway-Request-Id
X-Gateway-Cache-Status
X-Service
C-Via
X-Gateway-Skip-Cache
X-Gateway-Cache-Key
X-M-Reqid
Tube-Got-Eval
X-CSRF-TOKEN
X-M-Log
X-Qnm-Cache
Edge-Cache
Tube-Return
Test
X-FPC
HIT
Esi-Enabled
Click-Count-Action-Start
X-Pass-Why
Tube-Get-Contents
Click-Count-Error
Geo-Info
Tcn
Tube-Got-Results
X-Req
X-TRACE-ID
X-Cdn-Request-ID
Server-Id
My-App
On-Server
X-Origin-Upstream-Status
X-Akamai-Pragma-Client-IP
X-Beluga-Node
X-Beluga-Record
X-HS-Status
X-Beluga-Cache-Status
X-Vcl-Version
X-Beluga-Response-Time
User-Agent
OT-Force-Account-Verify
Uri
X-Alfa-Service
X-Beluga-Status
X-Webkit-CSP-Report-Only
X-Beluga-Trace
X-Check-Cacheable
X-Up
X-Ha-Backend
X-Proxy-Cache-Hk
X-Via-PopH
X-Via-PopN
Cf-Int-Pingora-Origin-Digest
X-Provided-By
X-Via-PopV
Sid
X-LB-ID
Resin-Trace
GeoIP-Latitude
GeoIP-Country-Code
X-Edge-Origin-Shield-Bytes
Proxy-Connection
Srvid
Cdn
X-CLOUD-TRACE-CONTEXT
X-Varnish-Beresp-Ttl
X-Edge-Origin-Shield-Region
WebServer
X-APP
M-TraceId
X-CCDN-CacheTTL
X-Hcs-Proxy-Type
X-CCDN-Origin-Time
Epwk-X-Cache
X-ServedByHost
X-LI-UUID
X-Li-Fabric
X-Li-Pop
X-UnsetCookies
X-RAMCache
MIME-Version
X-LI-Proto
Srv
DataCenter
X-Cdn-Forward
X-Geo
X-ND-Cache
X-Time-Microsecs
X-App
WZWS-RAY
X-Fetch-By
ENV
X-Backend-Host
X-LiteSpeed-Cache-Control
X-Cache-Ttl
Warning
X-Esi
X-Lb-Nocache
X-Serial
X-CUA
XServer
X-Fastly-Backend-Reqs
X-Dw-Trace-Id
X-B3-Traceid-Primal
Cf-Device-Type
ServerName
X-Edge-POP
Server-Ttl
Dt-Hot-News
X-MG-S
Fastly-Drupal-HTML
X-ID
X-HostName
X-Newrelic-App-Data
PICS-Label
Section-Origin-Responded
X-CF-Powered-By
X-ElasticPress-Query
Section-Io-Id
X-Nc
X-Platform-Cluster
Section-Io-Origin-Time-Seconds
Section-Io-Origin-Status
X-Request-Url
X-HITS
X-Bip
Target-Params
X-Akamai-Request-ID
X-Thanos
X-Platform-Router
X-Azure-Ref-OriginShield
X-Platform-Processor
CF-Cached-On
X-ATG-Version
Tracecode
DT-Hot-News
X-Fragments
X-Yottaa-OS
X-Vcache
X-Sucuri-ID
Inserted-Into-Cache-At
Lfy
X-Sucuri-Cache
X-Request-Start
X-LiteSpeed-Tag
X-IN-APIGATEWAY
True-Client-Ip
X-Cc-Via
X-FC-Vary-Parameters
X-Var-Ttl
X-IN-APIGATEWAYSSL
D-Url-Rewrites
Cf-Ipcountry
X-Iplb-Instance
X-Fastly-Backend
X-Iplb-Request-Id
Cdn-Cache
Cdn-Pullzone
Servedby
Cdn-Requestcountrycode
Cdn-Requestid
Cdn-Uid
Cdn-Edgestorageid
Cdn-Cachedat
Wp-Super-Cache
Cneonction
Ngx
X-Cache-Expires
X-Storefront-Renderer-Verified
Vha6-Origin
X-Snapshot-Date
X-Dist-Code
X-BBC-Origin-Response-Status
X-Release
X-Th-Server
X-MiniProfiler-Ids
X-Vercel-Id
X-Wp-Cf-Super-Cache
X-Wp-Cf-Super-Cache-Cache-Control
X-Fastly-Cache-Hits
X-Varnish-Beresp-Status
X-Back
Content-Style-Type
Content-Script-Type
X-Vercel-Cache
CountryCode
X-NU-AKA-ACS-Version
X-Request-URL
Fastcgi-Cache-Ttl