Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Strict-Transport-Security
Content-Length
X-Content-Type-Options
Link
Last-Modified
Cf-Request-Id
CF-Cache-Status
CF-RAY
ETag
X-XSS-Protection
Accept-Ranges
Expect-CT
Pragma
X-Powered-By
X-Cache
Via
Age
Content-Security-Policy
Report-To
NEL
Alt-Svc
Referrer-Policy
Access-Control-Allow-Origin
Content-Language
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
X-Served-By
P3P
X-Download-Options
X-Xss-Protection
X-Request-Id
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Varnish
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-FRAME-OPTIONS
Access-Control-Allow-Credentials
Content-Security-Policy-Report-Only
X-AspNet-Version
X-Runtime
P3p
X-DNS-Prefetch-Control
Accept-CH
Accept-CH-Lifetime
X-Cache-Status
X-Drupal-Cache
X-Check
X-Generator
X-Ua-Compatible
Server-Timing
X-Cacheable
X-Envoy-Upstream-Service-Time
Timing-Allow-Origin
X-Iinfo
X-Request-ID
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-Content-Security-Policy
Feature-Policy
Content-Encoding
X-CDN
Status
X-AspNetMvc-Version
Upgrade
Access-Control-Max-Age
X-Via
X-Amz-Request-Id
X-Amz-Id-2
Host-Header
CF-Ray
Cf-Edge-Cache
X-Backend
Allow
Request-Context
X-UA-Device
Keep-Alive
X-Robots-Tag
X-Server
X-Cache-Group
X-Hacker
X-AH-Environment
X-Turbo-Charged-By
X-Ws-Request-Id
X-Proxy-Cache
X-Age
X-Rq
Xkey
X-Vhost
EagleId
X-Dispatcher
X-Server-Powered-By
X-Amz-Version-Id
X-Varnish-Cache
Grace
Cf-Apo-Via
X-Page-Speed
X-Pingback
X-Swift-CacheTime
X-Swift-SaveTime
Cf-Railgun
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Device
Ali-Swift-Global-Savetime
X-WebKit-CSP
EagleEye-TraceId
X-LiteSpeed-Cache
X-Aws-Lambda-Call-Status
X-CST
X-Dns-Prefetch-Control
X-OneAgent-JS-Injection
X-Backend-Server
Permissions-Policy
X-Server-Id
X-Readtime
X-Response-Time
X-Host
X-Akam-SW-Version
Request-Id
Surrogate-Control
X-Litespeed-Cache
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-HW
X-Nginx-Upstream-Cache-Status
X-Cloud-Trace-Context
X-Cache-Lookup
X-Node
X-Nginx-Cache-Status
X-Application-Context
X-Country-Code
Content-Location
X-Trace
X-Ruxit-JS-Agent
X-Country
Service-Worker-Allowed
X-Url
X-Content-Type
X-Clacks-Overhead
X-Oneagent-Js-Injection
X-Origin-Cache-Key
X-Edge
Accept-Ch-Lifetime
X-Rack-Cache
X-Amz-Server-Side-Encryption
Cross-Origin-Opener-Policy
Cache-Tag
X-FTR-Request-ID
X-Mcache
X-Midtier
X-Mod-Pagespeed
X-ECACHE
Nginx-Cache
X-MS-InvokeApp
X-TtlSet
X-Vname
X-PC
X-ESI
X-Upstream
X-Powered-By-Plesk
Rating
Edge-Control
X-Server-Name
X-Browser-Type
X-D2id
X-Element-Page-Cache
X-Times
Verso
X-GoogleNews-Bot
X-Exp-Id
X-Kinja
X-Cdn-Fetch
X-Kinja-Build
X-Kinja-Revision
X-Kinja-Server
X-Exp-Variant
X-Cnection
X-Ac
SPIisLatency
SPRequestDuration
X-B3-TraceId
AR-Request-ID
AR-PoweredBy
AR-ATIME
AR-SID
X-Ruxit-Js-Agent
SPRequestGuid
X-SharePointHealthScore
X-Abt-Application-Version
X-Navigation-Version
X-Vcap-Request-Id
X-Ser
X-NF-Request-ID
X-Dw-Request-Base-Id
X-GitHub-Request-Id
X-NWS-LOG-UUID
AR-CACHE
Pinterest-Version
X-Pinterest-Rid
Pinterest-Generated-By
X-RateLimit-Remaining
X-Mg-S
X-VARITI-CCR
S
X-Sol
Display
X-Middleton-Display
Pagespeed
X-Client-IP
X-Ttl
Edge-Cache-Tag
X-Cache-Key
RTSS
Fastly-Restarts
X-Amz-Rid
X-Amzn-Trace-Id
X-Cache-TTL
X-Powered-CMS
X-Goog-Hash
X-Erf-Bev-Bev-Is-Generated
X-Instrumentation
X-Server-Lifecycle-Phase
X-Kraken-Loop-Name
X-Erf-Bev-Bev
Cache-Status
X-Kinsta-Cache
X-Edge-Location-Klb
X-Version
Accept-Ch
Access-Control-Request-Method
X-Recruiting
X-Server-ID
X-Erf-Stays-Pdp-Viaduct-Migration-Web-V2
X-Varnish-TTL
X-ARC
Origin-Trial
X-Middleton-Response
Response
X-Content-Digest
X-TraceId
X-Forwarded-For
Arr-Disable-Session-Affinity
X-T
X-Content-Security-Policy-Report-Only
X-MSEdge-Ref
X-SRCache-Store-Status
X-SRCache-Fetch-Status
Content-MD5
MicrosoftSharePointTeamServices
X-Accel-Expires
X-Daa-Tunnel
TP-Cache
X-Shield-Request-Id
X-Hits
X-Cached
Cross-Origin-Resource-Policy
Front-End-Https
Public-Key-Pins
X-Id
X-FTR-Backend-Server
MS-Author-Via
X-Country-Code-Real
X-FTR-Backend
X-FTR-Balancer
X-FTR-Cache-Status
X-FTR-Expires
X-HS-Hub-Id
X-Request-Processing-Time
X-HS-Content-Id
X-HS-Combine-CSS
X-DIS-Request-ID
X-HS-Cache-Config
X-Request-Received
X-Ua-Browser
Server-Node
Payment
X-Frontend
X-Forwarded-Proto
X-Fastcgi-Cache
X-LLID
X-HP-Trace-Id
X-Jurisdiction
X-HP-Webp
Realpath
X-Webkit-Csp
X-ORACLE-DMS-RID
X-Protected-By
X-GUploader-UploadID
X-FastCGI-Cache
TP-L2-Cache
X-LB-Cache
X-Ratelimit-Limit
Cache-Tags
X-Distributor
X-Amz-Apigw-Id
X-Origin-Server
X-Amzn-RequestId
X-Request-Handler-Origin-Region
X-Microsite
Count-Hit
X-Page-Id
X-Hostname
Referer-Policy
X-Kong-Proxy-Latency
X-Activity-Id
X-Kong-Upstream-Latency
X-B3-TraceId-Primal
MRF-Tech
X-AppVersion
Mrf-Cache-Status
X-Az
X-Geo-Country
X-Cluster-Name
X-ORACLE-DMS-ECID
X-Debug-Info
X-Www-Served-By
X-RateLimit-Limit
X-F-Cache
X-Varnish-Backend
X-Correlation-Id
Accept-Charset
Fastcgi-Cache
Host
X-NGENIX-Cache
X-Envoy-Decorator-Operation
X-App-Server
X-Varnish-Server
X-XRDS-LOCATION
X-FB-Debug
X-Ua-Device
X-Goog-Metageneration
X-PressLabs-Stats
X-TTL
Access-Control-Allow-Method
X-Git-Hash
X-CSRF-Token
Retry-After
X-Fastly-Request-Id
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-TEC-API-ROOT
X-Upgrade-Enabled
X-Load-Cache
X-Ezoic-Cdn
X-RateLimit-Reset
X-Content-Options
Server-Name
X-WebKit-CSP-Report-Only
X-Seen-By
X-Px
X-Contextid
X-Datadog-Trace-Id
X-Datadog-Sampling-Priority
X-Revision
X-Datadog-Parent-Id
TCN
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Request-Guid
X-Amz-Meta-S3cmd-Attrs
Charset
X-Cache-Control
DC
X-Trace-Id
X-Grace
X-Type
Section-Io-Cache
X-Kinja-CCPA
X-Varnish-Ttl
Paypal-Debug-Id
Cleartype
X-TT
X-B
X-B3-Sampled
X-Rid
X-Signature
X-B-Cache
X-Newrelic-App-Data
X-Fb-Rlafr
X-App-Environment
X-Ratelimit-Remaining
X-Whom
Healthy
X-Oracle-Dms-Ecid
X-Wix-Request-Id
X-Node-Name
X-Origin-Cache
Frame-Options
X-Mobile
X-Amz-Replication-Status
X-Magnolia-Registration
X-EdgeConnect-Cache-Status
X-Azure-Ref
X-Goog-Generation
X-Goog-Storage-Class
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Proxy
X-Providence-Cookie
X-Is-Crawler
X-Route-Name
X-Logged-In
X-Flags
X-Aspnet-Duration-Ms
X-N
X-Language
Filterid
X-Oracle-Dms-Rid
X-WP-CF-Super-Cache-Cache-Control
X-WP-CF-Super-Cache
X-Fastly-Request-ID
X-Air-Pt
Backend
Content-Disposition
Akamai-GRN
X-Time
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
Upgrade-Insecure-Requests
X-Template
NGB
X-Response-Served-From
X-Original-Request-Id
X-Proxy-Cache-Info
X-Cache-Age
X-Rendered-As
X-RemovedCookies
X-Datadog-Sampled
X-Debug-IsPreview
X-Tumblr-Pixel
Refresh
X-Tumblr-Pixel-1
X-Yottaa-Metrics
X-Tumblr-User
X-Varnish-Grace
X-ProcessESI
X-Yottaa-Optimizations
X-Is-Bot
X-Tumblr-Pixel-0
X-Unique-Id
SD-X-WS
X-Debug-IsConnected
Liferay-Portal
MS-CV
Ms-Operation-Id
X-UUID
X-IPS-LoggedIn
X-Adobe-Content
X-Adobe-Loc
X-Instance
X-Amzn-Remapped-Content-Length
Viewport
X-Servername
X-RTag
X-App-Version
X-G
X-Cacheable-TTL
X-Cache-Grace
X-FW-Version
X-FW-Type
X-FW-Hash
X-FW-Serve
X-FW-Server
X-FW-Static
X-FW-Dynamic
X-Debug
Fastly-SIE
X-User-Agent
Fastly-SWR
X-Environment-Context
X-Region
From-Origin
X-L-Path
X-Hl-Ver
X-Backend-Name
X-NYM-Debug-Backend
Country
X-Device-Type
X-Rule
X-Cache-Hit
X-Status
X-Jobs
ServerID
Url
X-Hcs-Proxy-Type
X-CCDN-CacheTTL
X-Via-JSL
X-B3-SpanId
X-CCDN-Origin-Time
Countrycode
X-VC-Cache
X-Origin-TTL
X-Origin-CC
X-INCAP-ABP
WPO-Cache-Message
WPO-Cache-Status
Version
X-Page-View
X-Webkit-CSP
Alternate-Protocol
X-Air-Trace-Id
X-Air-Hostname
Surrogate-Key
X-Cache-Status-Check
X-Hosted-By
X-Air-Source
X-HTML-Minification-Powered-By
X-Akamai-Request-ID2
X-Content-Powered-By
X-Source
Protected
X-NODE
GEO-INFO
X-WP-CF-Super-Cache-Active
CDN-RequestId
Amp-Access-Control-Allow-Source-Origin
X-Rocket-Nginx-Serving-Static
X-Storage
X-Nginx-Cache
X-Akamai-Edgescape
X-B3-Traceid
X-Accel-Version
OT-Force-Account-Verify
SRV
Access-Control-Request-Headers
X-Tec-Api-Version
X-Framework
X-VC
X-Tec-Api-Origin
X-Tec-Api-Root
X-Http-Reason
X-Real-IP
X-Edge-Location
Front
X-Cache-Rule
X-ServerID
X-Mode
X-CDN-Forward
Xet-Cookie
Meta-Geo
X-UPSTREAM-Address
X-Upstream-Ct
X-Xfnlog-Site
Filters
X-Rn-Rsrv
CF-IPCountry
Webserver
AMP-Access-Control-Allow-Source-Origin
X-Httpd
X-Upstream-Ht
X-Cache-Operation
X-Rewrite-Enabled
X-Cache-Time
X-Origin
Accept-Language
X-Soup
X-Director
X-Proxy-Build
X-Timing-Wait
X-Tumblr-Pixel-2
X-SaId
X-Tumblr-Pixel-3
X-JoinUs
X-Varnish-Cache-Hits
X-Served-From
Selected-Fe
X-Detected-As
X-Handled-By
X-Say-Cacheable
X-Labrador-Cache-Channel
ServedBy
X-Logging-Id
Node
X-Web-Node
X-Use-Mantle
X-Endurance-Cache-Level
X-Redis-Cache
X-PHP-Host
X-Worker
X-SayCDN-TTL
X-Cache-Debug
X-Say-TTL
X-Adobe-Source
Azure-InstanceId
Apigw-Requestid
Azure-RegionName
X-VCT
X-Is-Desktop
X-GeoCountry
X-GeoCode
X-Is-Mobile
X-Is-Supported-Browser
X-Loop
X-Is-Tablet
X-Geo-Region
X-Varnish-Age
DB-Nickname
Azure-Version
Azure-SlotName
X-AB
Property-Id
X-Varnish-Beresp-Grace
X-Browser-Name
Azure-SiteName
Webcakes-App-Version
X-Restarts
X-BYPASS-REASON
X-S
X-Cms-Context
X-ProxyCache-Status
X-ProxyCache-Key
Section-Io-Id
X-Server-W
X-Tncms
Webcakes-Region
X-Tcp-Rtt
TWC-Connection-Speed
X-RM-Cache-TTL
X-Skip-Cache
X-Format
TWC-Locale-Group
Xserver
Web-Mar-Node
TWC-GeoIP-LatLong
TWC-GeoIP-Country
X-No-Session
TWC-Device-Class
Webcakes-App-Name
TWC-Privacy
X-Origin-Hint
X-Lambda-Id
X-AWS-Id
X-Locale
X-DynaTrace
X-IPLB-Instance
X-Fetched-On
X-LJ-Flow-ID
X-Generation-Time
X-Site-Version
X-IPLB-Request-ID
X-Git-Commit
X-Cache-Host
X-Vercel-Id
X-Container-Uri
X-RCS-CacheZone
X-Tb
Mn-Server-Ip
Cross-Origin-Embedder-Policy
X-VWS-Id
X-Vercel-Cache
X-R9-Blue-Green-Version
X-Cache-Server
X-Provided-By
X-Zipkin-Id
X-Platform-Router
X-Ms-Version
X-Ms-Request-Id
X-Frame-Option
X-Reqid
X-Platform-Processor
X-Cluster
X-Routing-Service
X-Proxied
X-Forwarded-Host
X-Platform-Cluster
X-Extlb
X-TT-LOGID
X-Vcache
X-Webstats-RespID
X-Uri
X-Drupal-Cache-Tags
X-MP-GENERATED-AT
X-Drupal-Cache-Contexts
WP-Super-Cache
X-Origin-Date
X-Storefront-Renderer-Rendered
X-Alternate-Cache-Key
CDN-Cache
X-Shopify-Stage
CDN-EdgeStorageId
CDN-Uid
Cache-Tv-Group
CDN-RequestPullSuccess
CDN-RequestPullCode
CDN-PullZone
CDN-RequestCountryCode
CDN-CachedAt
Source
Priority
Fastcgi-Useragent
X-Sucuri-Cache
X-XRDS-Location
Content-Secure-Policy
X-FB-TRIP-ID
X-Vcl-Version
X-Sql-Duration-Ms
X-Sql-Count
X-Sucuri-ID
X-Sorting-Hat-ShopId
X-ShardId
X-ShopId
X-Sorting-Hat-PodId
X-Generated-By
X-Cdn-Origin
Onion-Location
X-SRV
Cross-Origin-Embedder-Policy-Report-Only
X-Xrds-Location
X-Content-Age
X-Urbn-Context-Path
X-Newrelic-Synthetics
X-Urbn-Site-Id
Locale
X-Pass-Why
Sid
X-Buckets
S-Rt
Atl-Traceid
X-Cluster-Node
WZWS-RAY
TDXMobile
X-CMSURLCustom
Thinkindot-CacheControl-Type
Thinkindot-Control
X-Shield-Cache-Expires
X-Thinkindot-L3
Thinkindot-CacheControl
X-Scope-Id
Cache
X-DataDome
X-Cache-Action
HostName
Cross-Origin-Window-Policy
X-LSADC-Cache
X-Use-Magma
X-Proxy-Cache-Status
X-GEO
X-WP-CF-Super-Cache-Cookies-Bypass
X-Varnish-Beresp-Ttl
X-Cache-Expired-At
X-Ua
X-Optimistic-Header
X-Via-Edge
X-Via-CDN
X-Via-SSL
Edge-Copy-Time
CDCHOST
X-Rojux
X-S-Cookie
DCR-Processing-Time-Ms
DCR-Decision-By
X-SRCache-Key
Candidate-Md5Url
X-PAYTM-SRV-ID
X-ScT
Gannett-Cam-Experience-Id
X-Scheme
X-Platform
X-Ec-GeoHdr
X-A-Dam
X-A-Dcw
X-A-Dgt
X-A-Ccd
X-A
Vix-Hermes-Req-Id
X-Destination
X-D
X-A-Wwc
X-Aed
X-BCube-Filmed-By
X-Bl-Debug
X-Cache-Bucket
X-Bc-Bl
X-B-Cookie
X-Conf
X-Cache-NE
X-Application
X-Developer
Type
Origin
Origin-Agent-Cluster
X-Epic-Correlation-Id
X-External-Request-Id
Ngx.Var.Host
MD5-Digest
Meta-Geo-Continent
Ngx-Var-Key
X-Ec-Fail
Redirect-Candidate
Surrogated-Key
T-Server
X-Dispatcher-Server
Sslversion
X-Ec-Custom-Error
Rendered-Blocks
Req-ID
Server-Host
Lang
X-Request-Start
X-Varnish-Hostname
X-Viewer-Country
X-TIM-N
X-Vdms-Version
X-Vtex-Remote-Cache
X-Vdms-Path
X-Request-URI
X-Connection-Hash
Expiry
User-Cache-Control
A
Fastly-GeoIP-CountryCode
X-GeoIP-Country-Code
Fastly-SSL
X-Dc
DSUID
X-Instance-Name
Cluster
X-Human
X-Level-Front-Cache
X-Gzip
Content-Script-Type
X-We-Are-Hiring
X-WA-Info
X-GeoIP-Region-Code
Content-Style-Type
Environment
X-Gdpr
Pramga
Server-Ext
V-Age
L
X-Esi-Check
X-VCache
Server-Hostname
X-Access
Ssr
Sever-Int
Release
X-TA-CDN-Provider
NM-Fastcgi-Cache
Magicmarker
X-Debug-Cache-Fetch
Apple-News-Services-Handled
Host-ID
Apple-News-Services-Host
Apple-News-Services-Parsed-Url
Apple-News-Services-Request-Url
X-Fastly-Cache
X-Debug-Cache-Store
X-Forwarded-Site
X-Generated-On
X-Loc
X-Cache-Info
X-Section
X-Bip
X-Request-Time
X-Pubstack
X-Proxied-Request
X-Op-Id-All
X-Varnish-Beresp-Status
X-SB
X-Rocket-Build-Number
X-Branch-Name
X-Sigma-Backend
Fastly-Drupal-HTML
X-Mg-Request-UUID
X-Sigma
X-TH-Server
X-Thanos
X-SD-PageType
X-Cache-Id
X-Varnish-Director
X-Pool
X-Node-Id
X-Nyt-Route
X-Clientip
X-NMSegId
X-Mly-Id
X-VServer
X-Core-Value
X-Origin-Time
X-Correlation-ID
X-VG-TLSProxy
X-VG-WebCache
X-Varnishpool
X-Datadome
X-TimeS
X-Origin-Response-Time
X-Service
X-Moov-Xdn-Version
X-Moov-T
X-Amz-Meta-Cb-Modifiedtime
X-B3-Trace-ID
X-Auto-Login
X-Device-Os
X-Contensis-Viewer-Groups
X-Req
X-Block-Status
X-UA-Device-Type
X-Acquia-Purge-Cdn-Unconfigured
X-Nginx-Cache-Key
X-Cache-TTL-Remaining
X-BBC-Edge-Cache-Status
X-Gen-Mode
X-Hnp-Log
X-Zen-Fury
X-NCache
X-GeoIP
X-PERF
X-Policy
X-Varnish-Authentication
X-Org
X-Old-Content-Length
X-Mvc-Supplant-Cachable
X-Mvc-Supplant-OutputCached
X-RateLimit-Limit-Second
X-RateLimit-Remaining-Second
X-Server-IP
X-SVT-ORM-VERSION
X-V-Cache
X-Var-Ttl
X-Request-Host
X-Cache-Date
X-Micro-Cache
X-Men
Cache-Provider
C-Via
Req-Svc-Chain
Wxu-Next-Commit
X-DPWN-IS-SECURE
Wxu-Next-Hostname
X-FC-Vary-Parameters
X-From
X-HS-Content-Campaign-Id
X-Irp-Debug
X-GoCache-CacheStatus
X-GeoIP-City
X-Geo-Header
X-SVT-ORM-RULES
Wxu-Next-Region
X-Aicache-OS
Producers
Platform
True-Client-Country-4JS
Uber-Trace-Id
We-Hiring
On-Server
Mail-Subject
Canary
Adler-Geo
Esi-Enabled
Gh-Request-Id
Machine
Web-Mar-Region
Is-Eu
X-ApacheServer
X-Ad-Load-Variation
X-Cache-Aspx
X-ECache
Click-Count-Error
X-Sn-Servicetimems
X-App-Name
X-ND-Cache
Locid
X-Slack-Backend
X-Slack-Shared-Secret-Outcome
Tube-Return
X-Region-Sid
AKAMAI
Cdn-Request-Time
Cdn-Host
Cache-Key
Cf-Device-Type
X-Test
Cdnsip
X-Hash
Cdncip
X-AK-Request-ID
Country-Code
Yak-Timeinfo
X-Cdn-Srv
Click-Count-Action-Start
Tube-Get-Contents
Tube-Got-Eval
Tube-Got-Results
W
X-Proto
Proxy-Firewall
X-Fmm-Version
RNT-Machine
X-Wikidot-Backend
X-Fastly-Backend
X-Up
X-Edge-Server
X-Wikidot-Static-Cache
RNT-Time
X-Azure-Ref-OriginShield
X-Parent-Response-Time
X-DC
Ha-Gx-Prefs
X-VarnishDD-TTL
X-Ratelimit-Reset
X-CGP
PFcat
X-Csrf-Jwt
X-Amz-Storage-Class
NGX
X-HN
X-CacheTTL
HA-Ipaddr
X-Accel-Expires-Debug
X-Eu-Site
Fastly-Backend-Name
X-Date
L5d-Success-Class
X-Tx-Id
X-Core-Mission
X-LB-ID
X-Ah-Environment
Pics-Label
X-Owner
X-Backend-Instance
X-ZONE
X-COUNTRY
IsBot
X-Via-Popv
XM
X-DynaTrace-JS-Agent
Datacenter
X-Via-Poph
X-Via-Popn
X-HA-Backend
X-SIPLIST1
LB
X-Servedbyhost
X-Tb-Optimization-Total-Bytes-Saved
X-API-Version
NtCoent-Length
X-Origin-Expires
X-CACHE-GROUP
X-Varnish-Hits
X-Refresh
X-NGINX-Cache
Cdn
X-Cache-Backend
X-Qloud-Router
X-Lagoon
X-CF-Lambda-Fn
X-CF-Lambda-Version
X-LB-NoCache
N-Cache
Expect-Staple
X-UA
X-VHOST
SID
Xc-Version
RATING
X-Shop-Environment
X-Orig-Expires
X-Forwarded-Path
X-CDN-Cache-Status
GeoIp-Country-Code
X-Tenant
X-Cache-Type
Cdn-Requestid
CloudFront-Viewer-Country
X-Nananana
X-Srv
X-Wa
X-Nc
Cmstype
Cmsid
Server-ID
X-Gamma-Serve
Cross-Origin-Opener-Policy-Report-Only
CPC-Age
X-Zone
X-RID
CPC-Cache
X-Presslabs-Stats
X-Via-Fastly
X-Fpc
X-Vmg-Version
X-Cdn-Diag
X-B3-Parentspanid
X-TX-ID
Cache-Hits
X-Akamai-Transformed
Uri
X-Hit
Resin-Trace
GeoIP-Latitude
X-Location
X-Ig-Origin-Region
User-Agent
X-Nf-Request-Id
X-Tt-Logid
XkeyRZ
X-Proxy-CacheRZ
X-Client-Ip
DataCenter
Fusion-Deployment-Id
Fusion-Content-Id
X-URL
Fusion-Content-Source
Fusion-Source
CacheControlHeader
X-Variation
Fusion-Component-Id
X-LAGOON
Fusion-Template-Id
X-Cloudmap
X-Fastly-Country-Code
True-Client-Ip
X-Api-Version
X-Info
Powered-By
X-DataCenter
X-Amz-Meta-Opti
X-TIME
X-CS
Fastly-Drupal-Html
Tcn
True-Client-IP
Origin-CC
X-Jungle-Id
X-CUA
Lb
Cf-Ipcountry
X-NWS-UUID-VERIFY
X-Datacenter
Origin-EX
Mime-Version
MIME-Version
X-Cdn-Forward
X-B3-Spanid
X-NewRelic-App-Data
Srv
X-HostName
X-CACHE-AGE
X-Geo
X-User
VNS-Age
VNS-Cache
X-IAuth-Set-Uid
X-Cached-By
X-Dynatrace-Js-Agent
X-LiteSpeed-Tag
Debug
X-Segment-20210421
Load-Balancing
X-Varnish-Beresp-TTL
X-LiteSpeed-Cache-Control
X-Webkit-Csp-Report-Only
X-HOST
X-Vc
X-Render-Time
Hostname
X-Powered-By-VTEX-Cache
X-AIR-PT
X-VTEX-Cache-Time
Cache-Name
X-Dispatcher-Number
CDN
X-VTEX-Cache-Server
X-Auth-Group-Type
Edge-Cache
Cl-Cache
X-FPC
X-Wormhole-Sdk
Ohc-File-Size
X-CSRF-TOKEN
X-MCACHE
GeoIP-Country-Code
X-Dispatch
Server-Id
Ohc-Cache-HIT
X-Litespeed-Tag
X-Esi
X-Mid
X-Cdn-Cache-Status
X-WA
X-NC
X-Ig-Push-State
X-APP-VERSION
X-Cs
X-NodeID
Odigeo-Trace-Id
X-Oracle-DMS-ECID
X-Lb-Nocache
X-Custom-Header
X-ServedByHost
BehaviorPad-Version
X-Vgn-Hpd-Reason
X-Cache-Ttl
X-PHP-Backend
X-Depends
X-Cache-Enabled
CountryCode
X-Fastly-Backend-Reqs
Ms-Author-Via
X-Litespeed-Cache-Control
X-Pad
X-VCL-Version
X-MiniProfiler-Ids
X-Akamai-Pragma-Client-IP
X-Ha-Backend
X-MSEdge-Features
X-Lb-Id
YJS-ID
X-MSEdge-Flight
X-Via-PopH
X-Via-PopN
X-Varnish-CookieINHashed-On
X-Varnish-Remaining-TTL
X-Varnish-CookieHashed-On
X-DefHash
X-Via-PopV
X-DefElseHash
Server-Info
X-Cdn-Request-ID
Xkey-La3
X-Proxy-Cache-La3
Xkeylog
X-IN-APIGATEWAYSSL
X-Snapshot-Date
Srvid
X-FL-QIT-DEBUG
FSS-Cache
X-IN-APIGATEWAY
PICS-Label
X-M-Reqid
X-VC-TTL
X-M-Log
My-App
Location
OriginIP
X-FL-EDGE
Time
X-Acquia-Application-Trace
X-Acquia-Application-UUID
X-Acquia-Site
Ngx
Memcached
Memory
X-Acquia-Purge-Tags
X-Sorting-Hat-Shopid
X-Cache-Version
X-Sorting-Hat-Podid
X-Shopid
X-Shardid
CF-Ctrl
X-Udemy-Cache-App-Namespace
X-RequestId
X-Serial
CF-Cached-On
X-Web-Server
X-Th-Server
X-Sucuri-Id
Warning
Geoip-Latitude
X-Dw-Trace-Id
X-Wp-Cf-Super-Cache-Cookies-Bypass
X-Internal-Host
Sm-Log-Id
X-Mg-Cache
Akamai-Cache-Status
X-Check-Cacheable
X-Fastly-Cache-Hits
X-Lsadc-Cache
X-Service-Response-Time