Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
X-Request-Id
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Cacheable
X-Check
P3p
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CONTENT-TYPE-OPTIONS
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
Keep-Alive
X-Backend
Request-Context
EagleId
X-Age
X-Robots-Tag
X-Server
X-Akamai-Path-Stats
X-Dns-Prefetch-Control
X-AH-Environment
X-Amz-Request-Id
X-UA-Device
Host-Header
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
X-Ua-Compatible
CONTENT-SECURITY-POLICY
EagleEye-TraceId
Allow
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-WebKit-CSP
X-Nginx-Cache-Status
X-OneAgent-JS-Injection
X-Device
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
X-Pingback
Surrogate-Control
Request-Id
X-Backend-Server
Accept-CH
Cf-Edge-Cache
X-Readtime
X-Akam-SW-Version
X-Response-Time
X-Cache-Lookup
X-HW
X-Application-Context
Xkey
Content-Location
X-ASPNET-VERSION
Accept-CH-Lifetime
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Trace
X-Country
Accept-Ch-Lifetime
Fastly-Restarts
X-Ruxit-JS-Agent
X-MS-InvokeApp
X-Rack-Cache
X-Mod-Pagespeed
X-TtlSet
X-Vname
X-PC
X-Clacks-Overhead
Accept-Ch
RTSS
X-Server-Name
Edge-Control
X-VARITI-CCR
X-ESI
X-B3-TraceId
Cache-Tag
X-Varnish-TTL
X-Content-Type
X-Amz-Server-Side-Encryption
X-Vcap-Request-Id
X-Dw-Request-Base-Id
X-Kinja-Revision
X-Kinja-Server
X-Use-Magma
X-Kinja-Build
X-Kinja
X-GoogleNews-Bot
X-Exp-Id
X-Amz-Rid
X-Exp-Variant
X-Cdn-Fetch
Public-Key-Pins
X-Cnection
X-D2id
X-Px
X-Ac
X-Navigation-Version
X-Element-Page-Cache
X-Edge
X-FastCGI-Cache
Verso
X-RateLimit-Remaining
Display
X-Middleton-Display
X-Sol
Pagespeed
X-Abt-Application-Version
X-Powered-By-Plesk
X-Ser
X-Client-IP
X-Cache-TTL
X-Version
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
Service-Worker-Allowed
X-Country-Code
X-Middleton-Response
Response
X-NF-Request-ID
X-Correlation-Id
Access-Control-Request-Method
X-Goog-Hash
SPIisLatency
SPRequestDuration
X-Ttl
X-Kinsta-Cache
X-Content-Security-Policy-Report-Only
X-Edge-Location-Klb
AR-ATIME
AR-CACHE
AR-PoweredBy
AR-SID
AR-Request-ID
X-Ruxit-Js-Agent
X-Cached
X-TTL
X-Upstream
SPRequestGuid
X-SharePointHealthScore
X-LLID
X-Webkit-Csp
X-Powered-CMS
Edge-Cache-Tag
X-NWS-LOG-UUID
X-Instrumentation
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
X-RateLimit-Limit
Nginx-Cache
X-Forwarded-For
X-Litespeed-Cache
X-Cache-Key
Content-MD5
X-MSEdge-Ref
X-Id
Mrf-Cache-Status
MRF-Tech
X-Shield-Request-Id
TCN
X-B3-TraceId-Primal
X-T
X-Daa-Tunnel
X-Recruiting
S
X-Content-Digest
MS-Author-Via
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-TEC-API-ROOT
X-Mg-S
X-Ua-Device
X-Jurisdiction
X-HP-Trace-Id
X-HP-Webp
X-DataDome
X-Accel-Expires
X-Protected-By
X-Ezoic-Cdn
MicrosoftSharePointTeamServices
X-HS-Combine-CSS
X-HS-Content-Id
X-HS-Hub-Id
X-HS-Cache-Config
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Grace
X-Request-Received
X-Frontend
X-Request-Processing-Time
X-Ab
X-Content
Front-End-Https
X-Ua-Browser
Server-Node
Filters
X-ECACHE
X-WebKit-CSP-Report-Only
X-Yandex-Sdch-Disable
TP-Cache
TP-L2-Cache
X-PressLabs-Stats
X-Origin-Server
X-Server-ID
X-ORACLE-DMS-ECID
X-Mid
X-DynaTrace
Fastcgi-Cache
X-Distributor
X-Hits
X-ORACLE-DMS-RID
X-Geo-Country
X-Ratelimit-Reset
X-Microsite
X-Request-Handler-Origin-Region
X-Amzn-Trace-Id
X-Debug-Info
X-Tt-Trace-Tag
Charset
X-Tt-Trace-Host
X-Page-Id
X-LB-Cache
Cleartype
Host
X-F-Cache
X-Git-Hash
X-B3-Sampled
Cross-Origin-Opener-Policy
X-DIS-Request-ID
X-Forwarded-Proto
X-Www-Served-By
X-Cache-Age
Pinterest-Version
X-Pinterest-Rid
Pinterest-Generated-By
Access-Control-Allow-Method
ServerID
X-Seen-By
Cache-Status
X-Az
X-Activity-Id
Realpath
X-AppVersion
Accept-Charset
Cache-Tags
X-XRDS-LOCATION
X-Varnish-Age
Filterid
X-Cluster-Name
X-Aspnetmvc-Version
X-MCACHE
X-Fastly-Request-Id
X-Nginx-Upstream-Cache-Status
X-Language
X-Rid
X-Kong-Proxy-Latency
X-Content-Options
X-Kong-Upstream-Latency
X-Type
X-App-Environment
Retry-After
Server-Name
Country
X-Varnish-Grace
X-Upgrade-Enabled
Node
Viewport
X-FB-Debug
X-Signature
X-Whom
X-User-Agent
DC
X-B-Cache
X-Aspnet-Duration-Ms
Paypal-Debug-Id
X-Drupal-Cache-Tags
X-Flags
X-Request-Guid
X-Providence-Cookie
X-Is-Crawler
X-Route-Name
X-Tb
X-Origin-Cache
X-Wix-Request-Id
X-Varnish-Backend
X-Mobile-URL
X-Goog-Storage-Class
X-Goog-Stored-Content-Encoding
X-Oracle-Dms-Ecid
X-Goog-Generation
X-Goog-Metageneration
X-Goog-Stored-Content-Length
X-GUploader-UploadID
X-TT
Fastcgi-Useragent
X-Oracle-Dms-Rid
X-NWS-UUID-VERIFY
Protected
X-VCache
X-B
X-Mcache
X-Debug
X-Via-JSL
WPO-Cache-Status
WPO-Cache-Message
X-N
X-Logged-In
X-Amz-Replication-Status
X-Cache-NGX
Payment
X-Load-Cache
X-Contextid
X-Amz-Meta-S3cmd-Attrs
Surrogate-Key
Permissions-Policy
X-Cache-Control
X-Template
Count-Hit
X-Node-Name
X-Trace-Id
X-FW-Static
X-FW-Dynamic
X-FW-Serve
X-FW-Type
X-FW-Server
X-FW-Hash
X-Browser-Type
X-Fastly-Request-ID
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-ECache
Healthy
X-Mobile
X-Original-Request-Id
SD-X-WS
X-Response-Served-From
Refresh
Content-Disposition
X-Proxy
Akamai-GRN
X-Rendered-As
X-Revision
X-UUID
X-Akamai-Request-ID2
X-XRDS-Location
X-Real-IP
X-Cache-Time
X-G
X-Is-Bot
X-Jobs
X-Cacheable-TTL
Uber-Trace-Id
X-Page-View
X-Zen-Fury
Amp-Access-Control-Allow-Source-Origin
Alternate-Protocol
X-Fastcgi-Cache
X-Framework
X-Http-Reason
VIX-Pulpo-Upstream-Status
X-Cache-TTL-Remaining
VIX-Pulpo-Node
NGB
X-Drupal-Cache-Contexts
X-Adobe-Content
X-Proxy-Cache-Status
X-Device-Type
X-Instance
X-Adobe-Loc
X-Hostname
Access-Control-Request-Headers
X-Yottaa-Optimizations
X-Debug-IsConnected
X-Yottaa-Metrics
X-Debug-IsPreview
X-IPLB-Instance
Url
X-Cache-Grace
X-Servername
X-Restarts
X-NGENIX-Cache
Version
X-Varnish-Server
X-Source
X-Mg-Request-UUID
X-Environment-Context
X-L-Path
Accept-Language
X-B3-Traceid
X-Cache-Rule
Countrycode
X-Cache-Hit
X-EdgeConnect-Cache-Status
X-HTML-Minification-Powered-By
X-Oneagent-Js-Injection
X-RTag
Ms-Operation-Id
From-Origin
MS-CV
Frame-Options
X-Vgn-Hpd-Reason
X-Cache-Expired-At
Referer-Policy
X-Datadome
X-NYM-Debug-Backend
X-App-Server
Liferay-Portal
X-Parallel-Accel
X-Ratelimit-Remaining
Cross-Origin-Window-Policy
X-Midtier
X-Tumblr-Pixel-1
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Tumblr-User
X-FW-Version
Backend
X-Nginx-Cache
X-IPS-LoggedIn
Content-Secure-Policy
X-COUNTRY
X-APP-VERSION
X-Hosted-By
Upgrade-Insecure-Requests
Meta-Geo
X-ProcessESI
X-RemovedCookies
X-Redis-Cache
X-UPSTREAM-Address
X-Cache-Server
X-RN-RSRV
X-Unique-Id
X-Ua
X-OCL
X-Detected-As
Section-Io-Cache
CF-IPCountry
X-Generation-Time
X-No-Session
X-PCL
X-Cache-Action
X-Content-Age
X-Human
X-Be
X-FB-TRIP-ID
Azure-RegionName
Fastly-SSL
X-Mode
Locale
X-Uri
X-Via-Fastly
X-Cluster-Node
Azure-InstanceId
X-Urbn-Site-Id
X-Varnish-Cache-Hits
Azure-SlotName
Azure-Version
X-Server-W
S-Rt
X-Site-Version
X-Urbn-Context-Path
X-UA-Device-Type
X-Cache-Enabled
Azure-SiteName
X-Request-Time
Apigw-Requestid
X-Sql-Count
X-PHP-Backend
X-Sql-Duration-Ms
Cache-Tv-Group
X-Content-Powered-By
X-AOL-HN
X-ShardId
X-Shopify-Stage
X-ShopId
X-Alternate-Cache-Key
X-BYPASS-REASON
X-Sorting-Hat-ShopId
X-Sorting-Hat-PodId
X-Access
X-Cache-Host
X-Debug-Cache
X-ProxyCache-Key
TWC-GeoIP-Country
Ec-Rule-Version
Eomportal-Instance
TWC-GeoIP-LatLong
TWC-Locale-Group
Webcakes-App-Name
TWC-Privacy
X-Storage
TWC-Device-Class
Mn-Server-Ip
Property-Id
TWC-Connection-Speed
X-SayCDN-TTL
X-Say-Cacheable
X-Say-TTL
Webcakes-App-Version
CDN-Uid
X-Origin-Hint
CDN-Cache
X-Section
X-Origin-Date
X-Nginx-Cache-Key
X-Generated-By
Webcakes-Region
CDN-CachedAt
CDN-EdgeStorageId
CDN-RequestCountryCode
X-Region
CDN-RequestId
CDN-PullZone
X-ProxyCache-Status
X-Format
X-Akamai-Edgescape
X-Adobe-Source
X-Platform-Server
X-Zipkin-Id
X-Locale
X-ApacheServer
X-Web-Node
X-Varnishpool
X-Routing-Service
X-Tid
X-ServerID
X-Status
X-NewRelic-App-Data
X-SaId
X-TT-LOGID
X-Xfnlog-Site
X-Handled-By
X-Cache-Tags
X-Extlb
X-Hl-Ver
X-Backend-Name
X-Proxied
X-PERF
X-JoinUs
X-Labrador-Cache-Channel
X-Cache-Type
X-PHP-Host
WP-Super-Cache
X-Forwarded-Host
X-VWS-Id
X-LJ-Flow-ID
Selected-Fe
X-Timing-Wait
X-AWS-Id
X-Proxy-Build
X-Hyper-Cache
X-GG-Cache-Date
X-Cms-Context
ServedBy
X-Webkit-CSP
X-Dc
X-VC-Cache
X-Rule
X-Storefront-Renderer-Rendered
X-Cache-Operation
X-Edge-Location
X-LSADC-Cache
X-Proto
Load-Balancing
SID
Web-Mar-Node
X-Ratelimit-Limit
X-Cached-By
Mime-Version
Fastly-Drupal-Html
Onion-Location
X-Rewrite-Enabled
X-Accel-Buffering
Webserver
X-Soup
X-Cache-Remote
SRV
X-TA-CDN-Provider
X-App-Version
X-GeoCode
X-GeoCountry
X-CDN-Forward
X-Varnish-Hostname
X-GEO
X-Pubstack
Cache-Hits
X-Cdn
Xserver
X-Reqid
X-Cluster
X-Varnish-Ttl
X-SRV
Country-Code
X-Origin-CC
X-Buckets
X-Origin-TTL
X-Microcachable
Decoy-Debug-TTL
Decoy-Debug-Key
X-Varnish-Hits
Decoy-Debug-Status
X-Request-Host
X-CSRF-Token
X-Tumblr-Pixel-3
X-MP-GENERATED-AT
X-Envoy-Decorator-Operation
X-Tumblr-Pixel-2
Xet-Cookie
X-Time
Server-Info
X-Magnolia-Registration
X-Air-Trace-Id
X-Air-Source
X-Ms-Request-Id
X-Ms-Version
X-Air-Hostname
DB-Nickname
LB
X-Amzn-RequestId
X-IPLB-Request-ID
X-Amz-Apigw-Id
Cache
X-Endurance-Cache-Level
Odigeo-Trace-Id
DCR-Processing-Time-Ms
X-Cache-NE
Lang
X-Cache-Bucket
Mobile-Detection-Method
X-Hash
X-HS-Content-Campaign-Id
X-Ig-Push-State
NM-Fastcgi-Cache
Fastcgi-X-Cache-Version
X-Destination
X-NAPM-TraceId
Expiry
X-Orig-Expires
X-AK-Request-ID
MD5-Digest
X-D
Meta-Geo-Continent
Pramga
BehaviorPad-Version
X-Cache-Id
X-CF-Lambda-Version
A
X-Connection-Hash
X-B-Cookie
Host-ID
X-Ec-GeoHdr
X-Ec-Fail
X-Epic-Correlation-Id
X-Esi-Check
X-Conf
X-External-Request-Id
X-Forwarded-Path
X-Geo-Header
X-Application
Cmsid
Cmstype
X-Gzip
X-Developer
Cdnsip
X-ARC
Cdncip
X-CF-Lambda-Fn
X-Ftr-Request-Id
Source
DCR-Decision-By
Rendered-Blocks
Surrogated-Key
Sslversion
X-Rojux
X-A-Ccd
X-Vdms-Path
X-A-Dcw
X-Vtex-Remote-Cache
X-A-Dam
X-Vtex-Processado-Em
X-S
X-VG-WebCache
X-Session-Fingerprint
X-A
X-SD-PageType
X-ScT
X-S-Cookie
X-Vdms-Version
X-Shop-Environment
X-A-Dgt
T-Server
Xc-Version
X-Bc-Bl
X-A-Wwc
X-TrackingId
X-Tenant
X-TIM-N
X-PAYTM-SRV-ID
X-PBS-Appsvrname
X-User
X-Aed
X-Processor
X-SRCache-Key
CDN
X-Varnish-Beresp-Grace
X-B3-SpanId
X-NCache
X-CACHE-KEY
X-RCS-CacheZone
Environment
X-Block-Status
X-TNCMS
X-V-Cache
X-Device-Os
X-Dispatcher-Number
X-Ec-Custom-Error
X-Cache-Backend
X-Core-Value
Cache-Name
Machine
X-CacheTTL
Mail-Subject
Memcached
User-Cache-Control
DynaTrace
X-Cache-Info
X-Cdn-Srv
X-Worker
We-Hiring
Fastly-GeoIP-CountryCode
X-Via-Ucdn
X-Core-Mission
X-WADP-Cache
X-Wix-Viewer-Type
X-Ckpd-Fst-Backend
X-Clara-WADP
Web-Mar-Region
X-SVT-ORM-RULES
X-Irp-Debug
X-Is-Gdpr
X-JWT-State
X-LAGOON
X-Hnp-Log
X-Rocket-Build-Number
X-SB
AKAMAI
X-Has-Esi
X-Loop
X-Mvc-Supplant-Cachable
X-Nyt-Route
X-Planisys-CDN-Cache
X-Origin
X-Origin-Time
X-NodeID
X-Planisys-CDN-Rules
Server-Host
X-Planisys-CDN-TTL
X-Node-Id
X-Scheme
X-Amzn-Remapped-Content-Length
X-Fmm-Version
X-Fetched-On
State
X-Origin-Response-Time
X-Slack-Backend
X-Gen-Mode
X-Sigma-Backend
X-Sigma
X-SVT-ORM-VERSION
X-Gdpr
X-R9-Blue-Green-Version
X-Fastly-Cache
X-Server-IP
X-Azure-Ref
X-Newrelic-Synthetics
HostName
AMP-Access-Control-Allow-Source-Origin
X-Branch-Name
X-Cache-Date
Wxu-Next-Commit
Vix-Hermes-Req-Id
X-BBC-Edge-Cache-Status
V-Age
X-Auto-Login
Wxu-Next-Region
Wxu-Next-Hostname
X-Aicache-OS
X-Minions-Version
X-Served-From
X-Skip-Cache
X-Thinkindot-L3
X-Rocket-Nginx-Serving-Static
X-Region-Sid
X-Proxy-Upstream
X-RateLimit-Limit-Second
X-RateLimit-Remaining-Second
X-Variation
X-Varnish-CookieHashed-On
X-VServer
X-Webstats-RespID
X-Via-NSCOPI
X-Viewer-Country
X-VG-TLSProxy
X-Varnish-CookieINHashed-On
X-Varnish-Remaining-TTL
X-Pool
X-Policy
X-Developers
X-DPWN-IS-SECURE
X-Eu-Site
X-DefHash
X-DefElseHash
X-Datadog-Parent-Id
X-Datadog-Sampling-Priority
X-Datadog-Trace-Id
X-Forwarded-Site
X-From
Traceparent
X-Origin-Expires
X-Platform
X-Level-Front-Cache
X-GeoIP
X-Gamma-Serve
X-Generated-On
X-Csrf-Jwt
X-CGP
Origin-CC
Origin
N-Cache
Origin-EX
Platform
Release
Redirect-Candidate
Producers
Kp-EeAlive
Is-Eu
CloudFront-Viewer-Country
X-Tx-Id
Adler-Geo
Cluster
Fastcgi-Cache-TTL
HA-Ipaddr
Ha-Gx-Prefs
Gh-Request-Id
Req-Svc-Chain
L5d-Success-Class
Thinkindot-CacheControl-Type
Thinkindot-Control
Ssr
Server-Hostname
Sever-Int
Thinkindot-CacheControl
Server-Ext
Svr
TDXMobile
X-HN
IsBot
X-Tec-Api-Version
Fastly-SIE
X-Sn-Servicetimems
X-SIPLIST1
Fastly-SWR
X-Owner
Apple-News-Services-Handled
Apple-News-Services-Host
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
X-Location
X-Rebelmouse-Surrogate-Control
X-Rebelmouse-Cache-Control
DSUID
X-Loc
CDCHOST
X-Scale
L
X-Optimistic-Header
NGX
X-Tec-Api-Root
PFcat
X-Proxy-Cache-Info
X-VarnishDD-TTL
X-Qloud-Router
X-Tec-Api-Origin
X-ZONE
X-Httpd
X-Cdn-Origin
X-Request-URI
X-GeoIP-City
X-Pod-Name
X-VC
Datacenter
X-WP-CF-Super-Cache
X-Refresh
Candidate-Md5Url
Ohc-File-Size
X-WP-CF-Super-Cache-Cache-Control
Cache-Key
X-NC
X-BCube-Filmed-By
X-Cache-Status-Check
X-CS
VNS-Age
VNS-Cache
X-SplitTest
X-Wikidot-Static-Cache
CPC-Age
Arc-Country
X-Cache-ASPX
Pics-Label
GEO-INFO
Locid
X-Contensis-Viewer-Groups
X-Ad-Defer-Variation
X-Men
X-Wikidot-Backend
X-Parent-Response-Time
CPC-Cache
X-TraceId
X-Tb-Optimization-Total-Bytes-Saved
X-EC-Lua
XM
X-Tt-Logid
Fastly-Backend-Name
X-Edge-Pop
Env
X-Response-By
X-Varnish-Authentication
X-WA-Info
X-Ah-Environment
X-Old-Content-Length
Ms-Author-Via
Lb
Servername
X-Srv
X-LB-NoCache
X-DI
X-RPS
X-RSL
X-Micro-Cache
X-DW
X-RPM
X-DSS
X-DB
X-Udemy-Cache-App-Namespace
X-Mvc-Supplant-OutputCached
GeoIp-Country-Code
X-Date
X-AIR-PT
X-Via-Popv
X-Via-Poph
X-Amz-Meta-Cb-Modifiedtime
Time
X-Accel-Expires-Debug
Memory
X-Via-Popn
X-Xrds-Location
X-TIME
X-Akamai-Transformed
X-GeoIP-Region-Code
X-GeoIP-Country-Code
X-Generated-In
X-HA-Backend
Path
Ngx.Var.Host
Geoip-Latitude
X-Api-Version
ITXSESSIONID
X-Cache-Debug
X-Servedbyhost
Cache-Host
FSS-Cache
X-S-Maxage
Ohc-Cache-HIT
X-RateLimit-Reset
X-API-Version
X-Varnish-Beresp-TTL
True-Client-IP
Client
Fusion-Deployment-Id
X-Cs
Fusion-Template-Id
Fusion-Component-Id
X-Proxy-CacheRZ
Fusion-Content-Id
X-PX
Fusion-Source
XkeyRZ
Fusion-Content-Source
CacheControlHeader
X-VCL-Version
X-Vc
X-Clientip
X-VHOST
X-DC
X-Trace-ID
Geo-Info
Server-ID
X-TH-Server
True-Client-Country-4JS
X-Action
X-TX-ID
X-Zone
X-Presslabs-Stats
X-FireWall-Port
Hostname
X-Backend-TTL
Edge-Cache
X-Req
X-Dmc
Powered-By
X-B3-Spanid
NtCoent-Length
X-Webkit-Csp-Report-Only
X-Fpc
X-MSEdge-Flight
X-MSEdge-Features
X-FPC
X-Render-Time
X-Pass-Why
My-App
X-DynaTrace-JS-Agent
X-INCAP-ABP
X-Traceid
Tcn
X-Provided-By
Test
X-Origin-Upstream-Status
X-NGINX-Cache
X-CSRF-TOKEN
Rip
X-Service
X-Up
X-Gateway-Skip-Cache
Server-Id
C-Via
X-Vcl-Version
X-Cdn-Request-ID
X-Gateway-Cache-Key
X-Gateway-Request-Id
X-Gateway-Cache-Status
X-M-Reqid
X-Correlation-ID
Cf-Int-Pingora-Origin-Digest
X-Varnish-Beresp-Ttl
User-Agent
X-Beluga-Trace
Tube-Got-Eval
Tube-Return
X-Webkit-CSP-Report-Only
X-Qnm-Cache
Esi-Enabled
X-Beluga-Record
X-Beluga-Response-Time
OT-Force-Account-Verify
HIT
X-Beluga-Node
X-HS-Status
X-Beluga-Cache-Status
Tube-Got-Results
X-Beluga-Status
X-M-Log
Click-Count-Error
X-LB-ID
Click-Count-Action-Start
Tube-Get-Contents
Proxy-Connection
X-Alfa-Service
On-Server
DataCenter
X-Via-PopH
X-LI-UUID
X-Via-PopN
X-URL
X-APP
X-UnsetCookies
Resin-Trace
X-ServedByHost
Srvid
Uri
X-Li-Pop
X-Via-PopV
X-Li-Fabric
X-Ha-Backend
X-Dynatrace
X-Geo
X-CLOUD-TRACE-CONTEXT
WebServer
Srv
X-Cdn-Forward
X-ND-Cache
Sid
X-RAMCache
GeoIP-Latitude
GeoIP-Country-Code
WZWS-RAY
X-Time-Microsecs
X-Akamai-Pragma-Client-IP
X-Check-Cacheable
MIME-Version
X-CCDN-Origin-Time
X-CCDN-CacheTTL
X-Proxy-Cache-Hk
Epwk-X-Cache
X-LI-Proto
X-Hcs-Proxy-Type
X-Fetch-By
X-CUA
Fastly-Drupal-HTML
X-TRACE-ID
X-Platform-Processor
X-Platform-Cluster
X-Platform-Router
Cf-Device-Type
X-Backend-Host
X-Edge-Origin-Shield-Bytes
ENV
X-ATG-Version
Tracecode
X-Fastly-Backend-Reqs
X-Fragments
Target-Params
ServerName
X-Lb-Nocache
X-Edge-Origin-Shield-Region
Warning
X-Esi
Cdn
X-Sucuri-ID
XServer
M-TraceId
X-Sucuri-Cache
X-Var-Ttl
Lfy
X-FC-Vary-Parameters
X-Fastly-Backend
X-Edge-POP
Server-Ttl
X-B3-Traceid-Primal
X-Srcache-Fetch-Status
X-Srcache-Store-Status
X-MG-S
X-HostName
Dt-Hot-News
X-ElasticPress-Query
X-Request-Url
CF-Cached-On
Inserted-Into-Cache-At
X-Varnish-Beresp-Status
X-Azure-Ref-OriginShield
X-App
X-Newrelic-App-Data
X-Yottaa-OS
X-Cache-Expires
Section-Origin-Responded
PICS-Label
Section-Io-Origin-Status
Section-Io-Origin-Time-Seconds
Section-Io-Id
Wp-Super-Cache
X-Iplb-Request-Id
X-NU-AKA-ACS-Version
X-Backend-State
X-Iplb-Instance
X-Li-Proto
Magicmarker
Cf-Ipcountry
X-Vcache
X-Nc
X-Serial
X-Dw-Trace-Id
X-CF-Powered-By
X-LiteSpeed-Cache-Control
D-Url-Rewrites
Servedby
X-Wp-Cf-Super-Cache
X-Fastly-Cache-Hits
X-BBC-Origin-Response-Status
X-Acquia-Application-Trace
X-Wp-Cf-Super-Cache-Cache-Control
X-Acquia-Application-UUID
X-Acquia-Purge-Tags
CountryCode
X-Vercel-Id
X-Acquia-Site
X-Vercel-Cache
Content-Style-Type
X-Snapshot-Date
X-Storefront-Renderer-Verified
Ngx
Cneonction
X-Release
X-Th-Server
X-Back
Content-Script-Type
X-Request-URL
X-Dist-Code
X-Litespeed-Cache-Control
Fastcgi-Cache-Ttl