Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
Link
CF-Cache-Status
CF-RAY
ETag
Pragma
X-XSS-Protection
Expect-CT
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Xss-Protection
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-AspNet-Version
X-Runtime
Content-Security-Policy-Report-Only
X-Drupal-Cache
P3p
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Check
X-Cacheable
X-Request-ID
Timing-Allow-Origin
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
Content-Encoding
X-Envoy-Upstream-Service-Time
X-CONTENT-TYPE-OPTIONS
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-CDN
X-AspNetMvc-Version
Upgrade
X-XSS-PROTECTION
X-Via
CF-Ray
Access-Control-Max-Age
Server-Timing
X-Akamai-Path-Stats
X-Ws-Request-Id
X-Cache-Group
X-Turbo-Charged-By
Keep-Alive
Request-Context
X-Backend
EagleId
X-Dns-Prefetch-Control
X-Age
X-Robots-Tag
X-Server
X-Amz-Request-Id
X-AH-Environment
Host-Header
X-Amz-Id-2
X-Proxy-Cache
X-UA-Device
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Vhost
X-Dispatcher
X-Amz-Version-Id
X-Ua-Compatible
Allow
CONTENT-SECURITY-POLICY
X-LiteSpeed-Cache
EagleEye-TraceId
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Nginx-Cache-Status
X-OneAgent-JS-Injection
X-WebKit-CSP
X-Device
Cf-Railgun
X-Cache-Spec
X-Host
X-Page-Speed
X-Node
X-Server-Id
X-Aws-Lambda-Call-Status
Cf-Edge-Cache
X-CST
X-Pingback
Surrogate-Control
Request-Id
X-Backend-Server
X-Readtime
X-Akam-SW-Version
Accept-CH
X-Response-Time
X-Cache-Lookup
X-HW
Xkey
X-Application-Context
Accept-CH-Lifetime
Content-Location
Rating
X-Cloud-Trace-Context
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Trace
X-Url
X-Country
Fastly-Restarts
Accept-Ch
Accept-Ch-Lifetime
X-Ruxit-JS-Agent
X-MS-InvokeApp
X-Rack-Cache
X-Mod-Pagespeed
X-Clacks-Overhead
X-PC
X-Vname
X-TtlSet
RTSS
Edge-Control
X-Varnish-TTL
X-Amz-Server-Side-Encryption
X-VARITI-CCR
X-Server-Name
X-FastCGI-Cache
X-ESI
Cache-Tag
X-ASPNET-VERSION
X-Vcap-Request-Id
X-Content-Type
X-Cdn-Fetch
X-Kinja
X-Kinja-Server
X-Kinja-Build
X-Kinja-Revision
X-Use-Magma
X-Exp-Variant
X-GoogleNews-Bot
X-Exp-Id
X-Dw-Request-Base-Id
X-Edge
X-Amz-Rid
X-Px
Public-Key-Pins
X-B3-TraceId
X-D2id
X-Cnection
X-Ser
X-Navigation-Version
X-Ac
X-Powered-By-Plesk
X-Middleton-Display
X-Sol
Display
Pagespeed
X-Element-Page-Cache
Verso
X-Client-IP
X-Abt-Application-Version
X-Version
X-Ttl
Arr-Disable-Session-Affinity
X-Litespeed-Cache
X-Content-Security-Policy-Report-Only
X-Cache-TTL
X-GitHub-Request-Id
X-RateLimit-Remaining
X-Country-Code
Service-Worker-Allowed
Response
X-Middleton-Response
X-NF-Request-ID
X-Goog-Hash
SPIisLatency
SPRequestDuration
Access-Control-Request-Method
X-Cached
X-Kinsta-Cache
X-Correlation-Id
X-SharePointHealthScore
SPRequestGuid
AR-Request-ID
AR-SID
AR-PoweredBy
X-Edge-Location-Klb
AR-ATIME
AR-CACHE
X-Powered-CMS
X-Server-Lifecycle-Phase
X-Instrumentation
X-Kraken-Loop-Name
Edge-Cache-Tag
X-Upstream
X-LLID
X-Forwarded-For
X-Ruxit-Js-Agent
X-NWS-LOG-UUID
Content-MD5
X-Cache-Key
Nginx-Cache
X-Id
X-TTL
X-Shield-Request-Id
X-MSEdge-Ref
X-RateLimit-Limit
X-WebKit-CSP-Report-Only
TCN
X-ECACHE
MRF-Tech
Mrf-Cache-Status
X-TEC-API-VERSION
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-Recruiting
X-T
S
X-Content-Digest
X-Daa-Tunnel
X-B3-TraceId-Primal
X-Mg-S
X-Ua-Device
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-HP-Trace-Id
X-Jurisdiction
X-HP-Webp
TP-L2-Cache
TP-Cache
X-Accel-Expires
X-Grace
X-HS-Combine-CSS
X-DynaTrace
X-HS-Content-Id
X-HS-Cache-Config
X-HS-Hub-Id
X-Frontend
MicrosoftSharePointTeamServices
X-Ezoic-Cdn
X-Request-Received
X-Request-Processing-Time
Server-Node
X-Yandex-Sdch-Disable
X-Ab
X-Content
Front-End-Https
X-DataDome
X-Ua-Browser
Filters
X-Protected-By
X-Origin-Server
X-Distributor
X-ORACLE-DMS-ECID
MS-Author-Via
X-PressLabs-Stats
X-Hits
X-ORACLE-DMS-RID
Fastcgi-Cache
X-Geo-Country
X-LB-Cache
X-Webkit-Csp
X-Mid
X-Microsite
X-Request-Handler-Origin-Region
X-Tt-Trace-Host
X-Tt-Trace-Tag
X-Amzn-Trace-Id
Charset
Host
Cleartype
X-Git-Hash
X-Debug-Info
X-Mcache
X-F-Cache
X-B3-Sampled
X-Page-Id
Cross-Origin-Opener-Policy
X-Forwarded-Proto
Cache-Status
X-Ratelimit-Reset
X-Cache-Age
X-Seen-By
X-Fastly-Request-Id
Realpath
X-Webkit-CSP
X-DIS-Request-ID
Access-Control-Allow-Method
X-AppVersion
X-Activity-Id
X-Az
X-Server-ID
X-Www-Served-By
Accept-Charset
ServerID
Filterid
X-Aspnetmvc-Version
X-Nginx-Upstream-Cache-Status
X-Varnish-Age
Pinterest-Version
X-Pinterest-Rid
Pinterest-Generated-By
Cache-Tags
X-Cluster-Name
X-Content-Options
Permissions-Policy
X-Rid
X-Type
Retry-After
X-FB-Debug
X-App-Environment
X-Varnish-Backend
Country
Server-Name
Viewport
X-Tb
X-User-Agent
X-Varnish-Grace
X-B-Cache
Paypal-Debug-Id
X-Drupal-Cache-Tags
DC
X-Flags
X-Providence-Cookie
X-Signature
X-Wix-Request-Id
X-Route-Name
X-Request-Guid
X-Is-Crawler
X-Aspnet-Duration-Ms
Node
X-MCACHE
X-Goog-Storage-Class
X-GUploader-UploadID
X-TT
X-Whom
X-B
X-Goog-Generation
X-Language
X-Goog-Metageneration
X-Upgrade-Enabled
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length
X-Amz-Meta-S3cmd-Attrs
X-VCache
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
Fastcgi-Useragent
X-Origin-Cache
X-Mobile-URL
X-Debug
Protected
X-NWS-UUID-VERIFY
X-N
X-Cache-NGX
X-Oracle-Dms-Ecid
X-Logged-In
X-Amz-Replication-Status
X-Oracle-Dms-Rid
Payment
Surrogate-Key
X-XRDS-LOCATION
X-Load-Cache
X-Midtier
Amp-Access-Control-Allow-Source-Origin
X-XRDS-Location
WPO-Cache-Status
WPO-Cache-Message
X-Via-JSL
X-Cache-Control
Count-Hit
X-Contextid
X-B3-Traceid
Healthy
X-Node-Name
X-Restarts
X-Mobile
Alternate-Protocol
X-Browser-Type
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-NGENIX-Cache
X-FW-Server
X-FW-Dynamic
X-FW-Hash
X-FW-Serve
X-FW-Static
Content-Disposition
X-Proxy
X-FW-Type
X-Response-Served-From
SD-X-WS
X-Original-Request-Id
Akamai-GRN
Refresh
X-Ratelimit-Remaining
X-Revision
X-Jobs
Url
X-Cache-Time
X-G
X-Zen-Fury
X-Adobe-Loc
X-Framework
X-Akamai-Request-ID2
X-Page-View
X-Cache-TTL-Remaining
X-Datadome
X-UUID
Uber-Trace-Id
X-Servername
X-Adobe-Content
NGB
X-Cacheable-TTL
X-Template
X-Cache-Grace
VIX-Pulpo-Upstream-Status
VIX-Pulpo-Node
X-Debug-IsConnected
X-Debug-IsPreview
X-Mg-Request-UUID
X-Proxy-Cache-Status
X-Rendered-As
X-Is-Bot
X-Instance
X-Real-IP
X-Drupal-Cache-Contexts
X-Http-Reason
X-Yottaa-Optimizations
Access-Control-Request-Headers
X-Varnish-Server
X-Device-Type
X-Yottaa-Metrics
X-HTML-Minification-Powered-By
X-Hostname
X-Environment-Context
X-ECache
X-IPLB-Instance
X-L-Path
X-Source
Version
X-EdgeConnect-Cache-Status
Frame-Options
X-Oneagent-Js-Injection
Accept-Language
MS-CV
Referer-Policy
Ms-Operation-Id
X-RTag
X-Fastly-Request-ID
Liferay-Portal
Countrycode
X-NYM-Debug-Backend
X-Trace-Id
X-Cache-Hit
X-App-Server
From-Origin
X-Cache-Rule
X-Cache-Expired-At
X-Vgn-Hpd-Reason
Cross-Origin-Window-Policy
X-APP-VERSION
Backend
X-Tumblr-User
X-Tumblr-Pixel-1
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-COUNTRY
X-Hosted-By
X-IPS-LoggedIn
X-Ratelimit-Limit
X-FW-Version
X-Unique-Id
X-Nginx-Cache
Content-Secure-Policy
WP-Super-Cache
CF-IPCountry
X-RN-RSRV
X-Status
Load-Balancing
X-Cache-Server
Upgrade-Insecure-Requests
Meta-Geo
Section-Io-Cache
X-UPSTREAM-Address
X-Labrador-Cache-Channel
X-No-Session
X-Generation-Time
X-Redis-Cache
X-PHP-Host
X-PCL
X-FB-TRIP-ID
X-Cache-Enabled
X-OCL
X-Ua
Azure-InstanceId
Fastly-SSL
Azure-SiteName
Azure-SlotName
Apigw-Requestid
Azure-RegionName
Mn-Server-Ip
Azure-Version
TWC-Locale-Group
X-ProcessESI
X-Origin-Date
X-Region
X-Origin-Hint
X-PHP-Backend
X-Sql-Count
X-Cluster-Node
X-VWS-Id
X-Request-Time
X-AWS-Id
X-LJ-Flow-ID
X-Via-Fastly
X-Be
X-RemovedCookies
X-Varnish-Cache-Hits
X-AOL-HN
X-UA-Device-Type
TWC-GeoIP-Country
TWC-GeoIP-LatLong
TWC-Privacy
X-Uri
X-Sql-Duration-Ms
S-Rt
TWC-Connection-Speed
Webcakes-App-Name
X-Section
X-Access
X-Akamai-Edgescape
X-Format
Webcakes-Region
X-Server-W
Webcakes-App-Version
Property-Id
TWC-Device-Class
X-Mode
X-Content-Age
X-Debug-Cache
X-Content-Powered-By
X-Forwarded-Host
X-Human
X-Locale
X-Cms-Context
X-Generated-By
X-Cache-Host
X-Adobe-Source
Locale
X-ApacheServer
X-BYPASS-REASON
X-Nginx-Cache-Key
X-Cache-Tags
X-PERF
X-Urbn-Site-Id
X-Urbn-Context-Path
X-Xfnlog-Site
X-JoinUs
X-VC-Cache
X-SaId
X-Storage
X-Site-Version
X-ProxyCache-Key
X-Platform-Server
X-ProxyCache-Status
X-Say-Cacheable
X-SayCDN-TTL
X-Say-TTL
Eomportal-Instance
X-GG-Cache-Date
X-ShardId
X-Shopify-Stage
X-Sorting-Hat-PodId
X-Sorting-Hat-ShopId
X-Alternate-Cache-Key
X-ShopId
X-GeoCountry
X-Handled-By
X-GeoCode
X-Extlb
X-Backend-Name
X-Cache-Type
X-Hl-Ver
X-Varnishpool
X-Proxied
X-Routing-Service
X-Zipkin-Id
X-NewRelic-App-Data
X-Web-Node
X-Tid
X-ServerID
X-Detected-As
X-Edge-Location
Cache-Tv-Group
X-Storefront-Renderer-Rendered
Ec-Rule-Version
CDN-PullZone
X-Proxy-Build
X-Timing-Wait
X-Proto
CDN-RequestId
CDN-Cache
CDN-RequestCountryCode
CDN-CachedAt
CDN-Uid
Selected-Fe
CDN-EdgeStorageId
Webserver
ServedBy
X-Dc
X-Cache-Action
Fastly-Drupal-Html
X-CDN-Forward
Web-Mar-Node
X-LSADC-Cache
Onion-Location
X-GEO
SRV
X-Parallel-Accel
X-Cached-By
X-Varnish-Hostname
X-Cache-Remote
X-Hyper-Cache
X-IPLB-Request-ID
Cache-Hits
Mime-Version
X-App-Version
X-Fastcgi-Cache
X-Magnolia-Registration
X-Cluster
SID
X-Cache-Operation
X-Cdn
X-Rule
X-Rewrite-Enabled
X-SRV
X-Tt-Logid
X-Air-Source
X-Air-Hostname
X-Air-Trace-Id
X-Envoy-Decorator-Operation
X-Soup
X-Varnish-Hits
X-Origin-CC
X-Origin-TTL
Xserver
LB
X-Accel-Buffering
X-Pubstack
X-Microcachable
X-TT-LOGID
X-Reqid
Xet-Cookie
DB-Nickname
X-MP-GENERATED-AT
X-Tumblr-Pixel-2
Cache
Server-Info
Country-Code
X-Tumblr-Pixel-3
Source
X-TA-CDN-Provider
X-Buckets
Decoy-Debug-Status
Decoy-Debug-TTL
Decoy-Debug-Key
X-Via-NSCOPI
X-Request-Host
X-CSRF-Token
X-Amzn-RequestId
X-Amz-Apigw-Id
X-Origin-Response-Time
X-B3-SpanId
X-Endurance-Cache-Level
X-Tx-Id
Candidate-Md5Url
Cdncip
Pramga
Cache-Key
Rendered-Blocks
BehaviorPad-Version
Sslversion
X-Vtex-Processado-Em
Surrogated-Key
A
X-Skip-Cache
Cdnsip
DCR-Processing-Time-Ms
DCR-Decision-By
Meta-Geo-Continent
Expiry
Fastcgi-X-Cache-Version
MD5-Digest
Host-ID
Mobile-Detection-Method
Cmstype
Lang
NM-Fastcgi-Cache
X-Vtex-Remote-Cache
T-Server
Cmsid
Xc-Version
Odigeo-Trace-Id
X-Conf
X-Geo-Header
X-Ftr-Request-Id
X-Shop-Environment
X-Gzip
X-Session-Fingerprint
X-Forwarded-Path
X-SRCache-Key
X-Ec-GeoHdr
X-Ec-Fail
X-Epic-Correlation-Id
X-Esi-Check
X-External-Request-Id
X-Hash
X-SD-PageType
X-Rojux
X-Processor
X-S
X-S-Cookie
X-ScT
X-PBS-Appsvrname
X-PAYTM-SRV-ID
X-HS-Content-Campaign-Id
X-Ig-Push-State
X-NAPM-TraceId
X-Orig-Expires
X-Developer
X-Destination
X-User
X-A-Wwc
X-Aed
X-AK-Request-ID
X-TrackingId
X-Vdms-Path
X-A-Dcw
X-Vdms-Version
X-A
X-A-Ccd
X-A-Dam
X-TIM-N
X-Application
X-CF-Lambda-Fn
X-Cdn-Srv
X-CF-Lambda-Version
X-Connection-Hash
X-D
X-Tenant
X-Cache-NE
X-ARC
X-B-Cookie
X-BCube-Filmed-By
X-Cache-Id
X-VG-WebCache
X-A-Dgt
Datacenter
X-Newrelic-Synthetics
DynaTrace
X-Ms-Version
X-Ms-Request-Id
X-Cache-Status-Check
X-Sigma
X-Sigma-Backend
Wxu-Next-Region
X-SVT-ORM-RULES
Wxu-Next-Hostname
X-Ad-Defer-Variation
X-Scheme
X-Cache-Bucket
X-Rocket-Build-Number
X-Cache-Backend
X-Bc-Bl
X-Amzn-Remapped-Content-Length
X-SB
X-SVT-ORM-VERSION
X-Varnish-Ttl
Machine
Memcached
Kp-EeAlive
Is-Eu
X-Varnish-CookieINHashed-On
X-Varnish-CookieHashed-On
X-Variation
X-V-Cache
Server-Host
State
Producers
X-TNCMS
Platform
X-Cache-Info
X-Ckpd-Fst-Backend
X-Has-Esi
X-Nyt-Route
X-Origin
X-GeoIP
X-Gdpr
X-Origin-Expires
X-Irp-Debug
X-Is-Gdpr
X-Mvc-Supplant-Cachable
X-Loop
X-Node-Id
X-NodeID
X-JWT-State
X-Origin-Time
X-Fmm-Version
X-RateLimit-Remaining-Second
X-RateLimit-Limit-Second
X-Core-Value
X-Core-Mission
X-Varnish-Remaining-TTL
X-Clara-WADP
X-DefElseHash
X-DefHash
X-Fastly-Cache
X-Fetched-On
X-DPWN-IS-SECURE
X-Device-Os
X-Developers
X-CacheTTL
Wxu-Next-Commit
Mail-Subject
X-Via-Ucdn
X-Worker
VNS-Cache
Environment
AKAMAI
Adler-Geo
CPC-Age
X-Azure-Ref
X-Wix-Viewer-Type
CPC-Cache
We-Hiring
VNS-Age
XM
X-WADP-Cache
X-SplitTest
Fastly-GeoIP-CountryCode
X-RCS-CacheZone
X-NCache
X-Rebelmouse-Surrogate-Control
X-Wikidot-Static-Cache
X-CGP
X-Wikidot-Backend
X-Aicache-OS
X-Served-From
X-Region-Sid
X-Rebelmouse-Cache-Control
X-Csrf-Jwt
X-Cdn-Origin
X-Block-Status
X-Cache-Date
Fastly-SWR
X-Branch-Name
Apple-News-Services-Host
X-Rocket-Nginx-Serving-Static
Apple-News-Services-Request-Url
X-Auto-Login
X-BBC-Edge-Cache-Status
Apple-News-Services-Handled
X-Request-URI
X-Dispatcher-Number
X-Generated-On
Fastly-Backend-Name
X-Gen-Mode
X-Gamma-Serve
X-Time
X-Forwarded-Site
X-HN
X-Hnp-Log
X-Level-Front-Cache
X-Loc
X-LAGOON
Redirect-Candidate
X-Httpd
X-Planisys-CDN-Cache
X-Planisys-CDN-Rules
X-Proxy-Upstream
X-Proxy-Cache-Info
X-Xrds-Location
X-Qloud-Router
X-Datadog-Sampling-Priority
X-Datadog-Trace-Id
X-Ec-Custom-Error
X-Pool
X-Platform
X-Planisys-CDN-TTL
X-Eu-Site
X-Pod-Name
X-Policy
X-Datadog-Parent-Id
Apple-News-Services-Parsed-Url
Thinkindot-CacheControl
Fastcgi-Cache-TTL
TDXMobile
CloudFront-Viewer-Country
Thinkindot-CacheControl-Type
Thinkindot-Control
X-Slack-Backend
Fastly-SIE
X-Sn-Servicetimems
Traceparent
Cluster
Svr
X-Thinkindot-L3
Sever-Int
Req-Svc-Chain
Server-Ext
Ssr
L
L5d-Success-Class
PFcat
Gh-Request-Id
User-Cache-Control
V-Age
X-VG-TLSProxy
X-Varnish-Beresp-Grace
X-VarnishDD-TTL
Origin
CDCHOST
NGX
Ohc-File-Size
X-ZONE
N-Cache
Origin-CC
X-SIPLIST1
X-Minions-Version
Web-Mar-Region
Ha-Gx-Prefs
Vix-Hermes-Req-Id
X-Viewer-Country
HA-Ipaddr
IsBot
Origin-EX
X-VServer
Server-Hostname
CDN
X-EC-Lua
Cache-Name
X-Optimistic-Header
X-Scale
X-GeoIP-City
Release
X-Owner
X-R9-Blue-Green-Version
X-Server-IP
X-Micro-Cache
X-WA-Info
DSUID
HostName
X-AIR-PT
GEO-INFO
X-Refresh
Pics-Label
X-Parent-Response-Time
X-WP-CF-Super-Cache-Cache-Control
X-WP-CF-Super-Cache
X-CS
X-CACHE-KEY
X-Cache-ASPX
Path
X-From
X-Contensis-Viewer-Groups
X-Webstats-RespID
X-Ah-Environment
X-NC
X-VC
X-TIME
X-Tb-Optimization-Total-Bytes-Saved
Ms-Author-Via
X-Mvc-Supplant-OutputCached
Cache-Host
X-Varnish-Authentication
X-Location
Ngx.Var.Host
Servername
X-LB-NoCache
Env
X-Udemy-Cache-App-Namespace
Locid
X-Edge-Pop
X-Servedbyhost
Lb
X-Correlation-ID
XkeyRZ
X-Proxy-CacheRZ
X-Men
Memory
Time
X-Via-Poph
X-TraceId
X-Via-Popv
X-Response-By
Arc-Country
X-Generated-In
X-Via-Popn
X-Amz-Meta-Cb-Modifiedtime
X-Srv
Ohc-Cache-HIT
X-Old-Content-Length
X-API-Version
X-Akamai-Transformed
X-Clientip
X-Presslabs-Stats
GeoIp-Country-Code
ITXSESSIONID
X-Varnish-Beresp-TTL
X-Trace-ID
AMP-Access-Control-Allow-Source-Origin
X-Vc
X-DSS
X-RSL
X-DW
True-Client-IP
X-RateLimit-Reset
X-Accel-Expires-Debug
X-DB
Client
X-DI
X-HA-Backend
X-RPM
X-RPS
X-S-Maxage
X-Date
X-VCL-Version
X-Cs
Hostname
X-VHOST
X-Tec-Api-Origin
X-Tec-Api-Root
X-Tec-Api-Version
Server-ID
X-GeoIP-Region-Code
Geoip-Latitude
X-DC
X-GeoIP-Country-Code
X-Dmc
X-URL
X-Render-Time
X-MSEdge-Features
X-Api-Version
X-Cache-Debug
FSS-Cache
X-Fpc
X-MSEdge-Flight
Fusion-Content-Source
Fusion-Deployment-Id
Fusion-Template-Id
Fusion-Source
Fusion-Content-Id
Fusion-Component-Id
X-Zone
X-INCAP-ABP
X-FireWall-Port
X-DynaTrace-JS-Agent
X-TRACE-ID
Powered-By
NtCoent-Length
X-Gateway-Cache-Status
Rip
X-Gateway-Request-Id
X-Gateway-Skip-Cache
X-Service
CacheControlHeader
X-Gateway-Cache-Key
C-Via
X-Webkit-Csp-Report-Only
X-M-Reqid
X-TX-ID
Esi-Enabled
X-Qnm-Cache
X-TH-Server
True-Client-Country-4JS
X-M-Log
Tube-Return
Tube-Got-Results
Click-Count-Error
Click-Count-Action-Start
Tube-Get-Contents
X-B3-Spanid
X-Action
X-PX
Tube-Got-Eval
X-CSRF-TOKEN
Test
On-Server
X-Backend-TTL
Tcn
X-Traceid
HIT
X-NGINX-Cache
Edge-Cache
X-Cdn-Request-ID
X-Alfa-Service
X-FPC
X-Pass-Why
X-Beluga-Status
X-Beluga-Trace
X-HS-Status
X-Check-Cacheable
X-Beluga-Response-Time
Geo-Info
X-Beluga-Node
X-Req
X-Beluga-Cache-Status
User-Agent
X-Vcl-Version
OT-Force-Account-Verify
Server-Id
X-Beluga-Record
X-Akamai-Pragma-Client-IP
X-Edge-Origin-Shield-Bytes
X-Origin-Upstream-Status
Cdn
X-Edge-Origin-Shield-Region
X-Proxy-Cache-Hk
GeoIP-Latitude
My-App
Uri
Proxy-Connection
X-Via-PopV
Resin-Trace
Srv
X-Ha-Backend
Srvid
Cf-Int-Pingora-Origin-Digest
X-Via-PopH
GeoIP-Country-Code
X-Via-PopN
X-CLOUD-TRACE-CONTEXT
X-Up
X-Varnish-Beresp-Ttl
Sid
M-TraceId
X-APP
X-Webkit-CSP-Report-Only
X-CCDN-Origin-Time
X-App
Epwk-X-Cache
X-ServedByHost
X-Provided-By
X-CCDN-CacheTTL
MIME-Version
X-LB-ID
X-Hcs-Proxy-Type
X-Cdn-Forward
WebServer
DT-Hot-News
ENV
X-Fastly-Backend-Reqs
X-Backend-Host
X-LI-Proto
Server-Ttl
X-Li-Fabric
X-Li-Pop
X-LI-UUID
Warning
X-Esi
X-Thanos
X-Fetch-By
XServer
X-Geo
X-UnsetCookies
X-Akamai-Request-ID
X-Bip
X-Edge-POP
ServerName
X-RAMCache
X-B3-Traceid-Primal
X-Lb-Nocache
X-HostName
True-Client-Ip
X-CF-Powered-By
X-ND-Cache
X-ElasticPress-Query
WZWS-RAY
PICS-Label
X-Newrelic-App-Data
CF-Cached-On
X-Vercel-Id
X-Vercel-Cache
X-HITS
X-Nc
CountryCode
X-Yottaa-OS
Section-Io-Origin-Time-Seconds
X-Time-Microsecs
Section-Io-Id
X-Dw-Trace-Id
X-Cc-Via
Section-Origin-Responded
X-Request-Url
X-Serial
Section-Io-Origin-Status
DataCenter
X-LiteSpeed-Cache-Control
Fastly-Drupal-HTML
Cf-Device-Type
X-Iplb-Instance
Inserted-Into-Cache-At
X-CUA
Dt-Hot-News
X-IN-APIGATEWAYSSL
X-Iplb-Request-Id
X-IN-APIGATEWAY
D-Url-Rewrites
X-Request-Start
X-Vcache
Cdn-Uid
Cdn-Requestid
Cdn-Cachedat
Cdn-Requestcountrycode
Cdn-Edgestorageid
Cdn-Cache
Cdn-Pullzone
Servedby
X-Air-Pt
Wp-Super-Cache
Vha6-Origin
X-Snapshot-Date
X-MiniProfiler-Ids
X-LiteSpeed-Tag
X-Wp-Cf-Super-Cache-Cache-Control
Hit
X-Request-URL
Content-Style-Type
Content-Script-Type
X-Back
X-Platform-Router
X-Th-Server
X-Sucuri-Cache
X-Sucuri-ID
X-BBC-Origin-Response-Status
X-Dist-Code
X-Azure-Ref-OriginShield
X-Var-Ttl
X-Platform-Processor
X-Platform-Cluster
Tracecode
Target-Params
Fastcgi-Cache-Ttl
X-Fastly-Cache-Hits
X-ATG-Version
X-Release
X-Storefront-Renderer-Verified
X-Fragments
X-FC-Vary-Parameters
X-Fastly-Backend
X-Wp-Cf-Super-Cache