Threat Level: green Handler on Duty: Remco Verhoef

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Cf-Request-Id
CF-Cache-Status
Accept-Ranges
Pragma
Link
X-Powered-By
ETag
Expect-CT
X-XSS-Protection
CF-RAY
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-UA-Compatible
X-Amz-Cf-Id
P3P
X-Cache-Hits
Alt-Svc
X-Served-By
X-Xss-Protection
CF-Ray
X-Timer
X-Download-Options
X-Varnish
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-Check
X-Adblock-Key
X-Request-ID
X-Permitted-Cross-Domain-Policies
X-Cache-Status
X-Generator
X-Cacheable
X-Kinja-Server-Push
X-DNS-Prefetch-Control
Timing-Allow-Origin
X-Iinfo
X-Content-Security-Policy
P3p
Status
Content-Encoding
X-AspNetMvc-Version
X-CDN
Upgrade
X-Envoy-Upstream-Service-Time
X-Drupal-Dynamic-Cache
Access-Control-Max-Age
Access-Control-Expose-Headers
Keep-Alive
X-Via
X-Ws-Request-Id
Feature-Policy
X-Age
X-Cache-Group
X-Server
X-Backend
X-Amz-Request-Id
X-Hacker
X-Robots-Tag
X-Amz-Id-2
X-UA-Device
Request-Context
X-AH-Environment
X-Proxy-Cache
EagleId
X-Turbo-Charged-By
X-Server-Powered-By
Server-Timing
X-Template
X-Nginx-Cache-Status
Grace
X-Dns-Prefetch-Control
Host-Header
X-Language
Report-To
X-Rq
X-Page-Speed
Xkey
X-OneAgent-JS-Injection
X-Varnish-Cache
X-Ua-Compatible
X-Pingback
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
Cf-Railgun
X-LiteSpeed-Cache
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Amz-Version-Id
X-Buckets
X-Vhost
X-Host
NEL
X-Backend-Server
X-Server-Id
X-WebKit-CSP
X-Dispatcher
X-Device
Surrogate-Control
Accept-CH-Lifetime
X-Node
X-Ruxit-JS-Agent
Request-Id
Content-Location
Accept-CH
X-Response-Time
EagleEye-TraceId
X-Cache-Lookup
X-Akam-SW-Version
X-Origin-Cache
X-Ac
Allow
X-Readtime
Rating
X-Mod-Pagespeed
X-HW
X-Country
X-Application-Context
X-Cloud-Trace-Context
X-ORACLE-DMS-ECID
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
Edge-Control
X-ORACLE-DMS-RID
Pinterest-Generated-By
X-MS-InvokeApp
X-PC
X-Vname
X-TtlSet
X-Cnection
X-Country-Code
X-CST
X-Varnish-TTL
X-DataDome
X-GitHub-Request-Id
X-Content-Type
X-ASPNET-VERSION
X-Server-Name
X-Clacks-Overhead
X-Trace
X-D2id
X-Middleton-Display
Pagespeed
X-Middleton-Response
Response
X-Sol
Display
MS-Author-Via
X-Origin-Upstream-Status
Pinterest-Version
X-Pinterest-Rid
X-B3-TraceId
X-Vcap-Request-Id
Fusion-Content-Id
Fusion-Template-Id
Fusion-Component-Id
Fusion-Source
Fusion-Deployment-Id
Fusion-Content-Source
X-FastCGI-Cache
X-Abt-Application-Version
X-Px
X-ESI
X-Rack-Cache
X-Webkit-CSP
Service-Worker-Allowed
X-Url
X-Navigation-Version
Verso
X-TTL
Arr-Disable-Session-Affinity
X-Client-IP
X-Element-Page-Cache
X-Cache-TTL
X-Cached
X-Fastly-Request-ID
X-DynaTrace
X-FTR-Request-ID
X-Dw-Request-Base-Id
X-VARITI-CCR
SPRequestGuid
X-SharePointHealthScore
X-Kinja-Server
X-Use-Magma
X-Kinja-Revision
X-Kinja-Build
X-Exp-Id
X-Exp-Variant
X-GoogleNews-Bot
X-Kinja
X-Cdn-Fetch
X-Goog-Hash
X-Powered-By-Plesk
X-Upstream
Fastly-Restarts
X-NF-Request-ID
AR-Request-ID
AR-CACHE
AR-PoweredBy
AR-ATIME
Ar-Sid
X-Debug
Content-MD5
X-Pinterest-Direct
X-MSEdge-Ref
SPRequestDuration
SPIisLatency
X-Forwarded-Proto
X-Powered-CMS
X-Version
Access-Control-Request-Method
X-Release
X-XRDS-Location
X-Amz-Rid
X-T
X-Jurisdiction
X-Edge
S
X-Content-Digest
TCN
RTSS
TP-Cache
TP-L2-Cache
Public-Key-Pins
X-Ezoic-Cdn
Cache-Tag
X-Litespeed-Cache
X-Cache-Key
Front-End-Https
X-Mid
X-MCACHE
X-Yandex-Sdch-Disable
X-Node-Name
Server-Node
X-Ttl
X-Mg-S
X-Request-Processing-Time
X-Amz-Server-Side-Encryption
X-Request-Received
Fastcgi-Cache
Mrf-Cache-Status
X-B3-TraceId-Primal
MRF-Tech
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Recruiting
X-HP-Webp
X-Amzn-Trace-Id
X-Accel-Expires
X-Ser
X-Kinsta-Cache
X-Grace
X-Request-Handler-Origin-Region
X-Microsite
X-PressLabs-Stats
X-NWS-LOG-UUID
Accept-Ch
X-Origin-Server
MicrosoftSharePointTeamServices
Accept-Charset
X-Varnish-Age
ServerID
X-Logged-In
X-DIS-Request-ID
X-Page-Id
Cf-Bgj
Edge-Cache-Tag
Host
X-ECACHE
X-Ratelimit-Remaining
X-Shield-Request-Id
Nginx-Cache
X-Content-Security-Policy-Report-Only
X-Cache-Hit
X-Hits
Powered-By-ChinaCache
X-Hostname
X-B
X-Forwarded-For
Cache-Tags
X-F-Cache
X-LB-Cache
X-Mobile-URL
X-Server-ID
X-Respond-Thread
Cleartype
X-Git-Hash
Realpath
X-Cached-By
X-Activity-Id
X-Az
X-AppVersion
X-Upgrade-Enabled
X-N
X-Content-Options
Alternate-Protocol
X-Cache-Age
X-Ratelimit-Limit
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-Amz-Meta-S3cmd-Attrs
X-Type
DynaTrace
Paypal-Debug-Id
X-Rid
X-App-Environment
X-Request-Guid
X-Varnish-Backend
X-Jobs
X-Load-Cache
Fastcgi-Useragent
X-FTR-DC
X-FTR-Realm
X-FTR-Cache-Status
X-FTR-Balancer
X-FTR-Backend
X-Country-Code-Real
X-FTR-Backend-Server
Access-Control-Allow-Method
X-Seen-By
X-FTR-Expires
X-Proxy
X-WebKit-CSP-Report-Only
X-HS-Hub-Id
X-HS-Cache-Config
X-HS-Content-Id
Charset
X-Zen-Fury
X-Goog-Generation
X-GUploader-UploadID
X-Goog-Metageneration
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
X-B3-Sampled
X-Akamai-Edgescape
X-HS-Combine-CSS
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-TEC-API-VERSION
X-URL
X-FireWall-Port
X-VCache
X-IPLB-Instance
X-FB-Debug
X-Signature
X-B-Cache
X-Debug-Info
Healthy
X-Varnish-Grace
Filterid
Filters
X-Daa-Tunnel
X-Whom
X-AOL-HN
DC
X-Mobile
X-Correlation-ID
X-Host-Name
Viewport
MS-CV
X-Region
X-Geo-Country
X-User-Agent
Payment
X-Response-Served-From
X-Cache-Rule
X-Frontend
Liferay-Portal
X-Accel-Buffering
X-Original-Request-Id
X-Cache-Operation
X-App-Server
AMP-Access-Control-Allow-Source-Origin
X-Id
X-HTML-Minification-Powered-By
X-Distributor
X-Instance
Surrogate-Key
X-FW-Type
X-FW-Static
X-Tumblr-Pixel-1
X-FW-Dynamic
X-FW-Hash
X-Cacheable-TTL
X-Cache-Time
X-UUID
X-Tumblr-User
X-FW-Serve
X-FW-Server
X-Tumblr-Pixel
X-Tumblr-Pixel-2
X-Tumblr-Pixel-0
CACHE
Refresh
X-Protected-By
X-Amz-Replication-Status
X-Rule
X-Content-Powered-By
Accept-Ch-Lifetime
S-Cnection
Section-Io-Cache
X-Via-JSL
X-Cache-Expired-At
X-Acc-Debug-Context
X-Rendered-As
X-Wix-Request-Id
Version
X-Is-Bot
Content-Disposition
X-Tec-Api-Origin
X-Tec-Api-Version
X-Hyper-Cache
X-Cache-Action
GEO-INFO
X-Tec-Api-Root
X-Backend-Name
X-Amz-Apigw-Id
X-Amzn-RequestId
Server-Name
X-Sucuri-ID
X-XRDS-LOCATION
Nel
Retry-After
X-App-Version
X-Air-Hostname
Arc-Version
X-Endurance-Cache-Level
PB-RID
PB-PID
X-Ua
Datacenter
X-Cache-Server
X-Ah-Environment
X-Oneagent-Js-Injection
X-Source
X-Unique-Id
X-Real-IP
X-L-Path
Eomportal-Instance
X-EdgeConnect-Cache-Status
X-Environment-Context
X-Framework
X-Revision
X-Yottaa-Metrics
X-Pinterest-Sli-Endpoint-Name
X-Pinterest-Sli-Latency-Threshold
Referer-Policy
X-ProcessESI
X-Pinterest-Sli-Response-Type
X-RemovedCookies
X-Yottaa-Optimizations
X-Correlation-Id
Frame-Options
X-Sucuri-Cache
X-Drupal-Cache-Contexts
X-Varnish-Server
X-RTag
Ms-Operation-Id
Countrycode
X-Cache-Spec
Akamai-Age-Ms
NGB
X-Drupal-Cache-Tags
X-Cache-Var
X-Cache-Var-Map
X-Cache-Control
Webserver
X-ES-SERVER
Meta-Geo
X-RN-RSRV
X-WA-Info
X-Proxy-Cache-Status
X-Mode
X-CDN-Forward
X-Xfnlog-Site
X-TIME
X-ProxyCache-Status
X-Time-Microsecs
DB-Nickname
X-BYPASS-REASON
X-Cache-Host
X-Qloud-Router
X-Azure-Ref
X-Cache-TTL-Remaining
X-ProxyCache-Key
Property-Id
Cache-Tv-Group
Cross-Origin-Window-Policy
X-Contextid
TWC-Connection-Speed
X-GeoIP
Mn-Server-Ip
TWC-Device-Class
Ec-Rule-Version
X-Server-W
X-LJ-Flow-ID
TWC-GeoIP-Country
X-Labrador-Cache-Channel
X-Human
X-Cluster
X-Handled-By
X-NYM-Debug-Backend
X-Origin-Hint
X-Redis-Cache
X-Status
X-R9-Blue-Green-Version
X-PHP-Host
X-VWS-Id
X-Aspnet-Duration-Ms
X-FW-Version
X-Flags
X-AWS-Id
X-Amzn-Remapped-Content-Length
Webcakes-Region
Webcakes-App-Name
Webcakes-App-Version
X-Route-Name
X-Hl-Ver
TWC-GeoIP-LatLong
TWC-Locale-Group
X-Is-Crawler
X-Providence-Cookie
TWC-Privacy
X-TNCMS
X-Timing-Wait
X-Via-Fastly
X-Be
X-ServerID
X-Proto
X-Site-Version
X-No-Session
X-Zipkin-Id
X-Locale
X-Hosted-By
X-Format
X-FB-TRIP-ID
Selected-Fe
X-Loop
X-OCL
X-Routing-Service
X-Proxy-Build
X-Proxied
X-PCL
X-Section
X-Access
X-Detected-As
X-NewRelic-App-Data
X-From
X-Adobe-Content
X-Adobe-Loc
X-TT
X-AIR-PT
Uber-Trace-Id
X-LLID
X-Tt-Trace-Host
X-Cache-PHP
X-Debug-Cache
X-Tt-Trace-Tag
FSS-Cache
X-DynaTrace-JS-Agent
X-Device-Type
X-Generated-By
X-Ratelimit-Reset
X-BCube-Filmed-By
X-NC
VIX-Pulpo-Upstream-Status
VIX-Pulpo-Node
X-ATG-Version
Upgrade-Insecure-Requests
X-PHP-Backend
X-Esi
Azure-SiteName
Azure-InstanceId
Azure-SlotName
Azure-RegionName
Azure-Version
X-Varnish-Cache-Hits
Access-Control-Request-Headers
X-Aspnetmvc-Version
X-CSRF-Token
OT-Force-Account-Verify
From-Origin
X-UPSTREAM-Address
X-Fastcgi-Cache
X-Akamai-Transformed
Cache-Status
X-NCache
X-GoCache-CacheStatus
X-Oss-Server-Time
X-CCM
X-Adobe-Source
X-Oss-Storage-Class
SD-X-WS
X-Oss-Object-Type
X-Oss-Request-Id
X-Origin
X-Oss-Hash-Crc64ecma
CF-Cached-On
X-Page-View
X-Cache-2
X-COUNTRY
X-Backend-TTL
X-Varnishpool
X-LAGOON
X-G
X-Storefront-Renderer-Rendered
X-Alternate-Cache-Key
X-ApacheServer
X-Soup
X-Cache-Grace
X-ShardId
X-Forwarded-Host
X-PERF
Country
X-Sorting-Hat-ShopId
X-Sorting-Hat-PodId
X-Pubstack
X-Shopify-Stage
X-ShopId
X-Say-TTL
X-Say-Cacheable
X-SayCDN-TTL
X-Web-Node
X-Backend-Host
X-Cluster-Name
X-SaId
SRV
Powered
X-JoinUs
Node
Decoy-Debug-Status
Fastly-SSL
X-Storage
Decoy-Debug-Key
Decoy-Debug-TTL
X-FTR-Cache-Host
X-ID
X-Time
X-IP
Cache
X-ECache
X-APP-VERSION
X-Cache-Enabled
X-Ruxit-Js-Agent
X-TX-ID
X-GEO
X-Via-CDN
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Viewer-Country
X-Vtex-Processado-Em
X-Aed
X-Vdms-Path
X-Vtex-Remote-Cache
X-Application
X-Worker
X-CF-Lambda-Version
X-CF-Lambda-Fn
X-External-Request-Id
X-Cache-NE
Xc-Version
X-A
X-VG-WebServer
Rendered-Blocks
X-Connection-Hash
X-B-Cookie
X-S
X-D
X-S-Cookie
X-Rojux
X-VG-WebCache
X-Rewrite-Enabled
X-Destination
X-Vdms-Version
X-ARC
Meta-Geo-Continent
Apple-News-Services-Host
Apple-News-Services-Parsed-Url
Apple-News-Services-Handled
X-Processor
X-ScT
X-Trv-Group
Apple-News-Services-Request-Url
X-PBS-Appsvrname
DCR-Processing-Time-Ms
DCR-Decision-By
X-PAYTM-SRV-ID
X-A-Ccd
X-RCS-CacheZone
Machine
X-A-Dgt
MD5-Digest
X-Request-UUID
X-A-Wwc
Mobile-Detection-Method
X-A-Dam
X-Session-Fingerprint
X-A-Dcw
Host-ID
Fastcgi-X-Cache-Version
X-Tumblr-Pixel-3
X-NWS-UUID-VERIFY
X-Cdn
X-Cache-Config
X-EC-Lua
X-IPS-LoggedIn
X-Auto-Login
X-Cache-Debug
X-Cache-Bucket
X-Microcachable
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
X-Servername
CDN-Cache
X-Platform-Server
Fastly-SIE
Fastly-SWR
X-Micro-Cache
X-Ms-Request-Id
X-Ms-Version
X-Variation
CDN-CachedAt
CloudFront-Viewer-Country
CDN-PullZone
CDN-Uid
CDN-RequestCountryCode
X-WADP-Cache
X-VG-TLSProxy
X-Varnish-CookieHashed-On
X-Varnish-CookieINHashed-On
X-Varnish-Remaining-TTL
CDN-EdgeStorageId
X-Clara-WADP
Gh-Request-Id
X-Varnish-Beresp-Grace
X-DefHash
Platform
X-DPWN-IS-SECURE
X-Varnish-Beresp-Status
X-Varnish-Beresp-Ttl
X-Cms-Context
X-CUA
X-DefElseHash
Adler-Geo
X-Envoy-Decorator-Operation
X-Fastly-Cache
X-Fmm-Version
CDN-RequestId
Is-Eu
X-Cache-Backend
Backend
Wxu-Next-Hostname
Wxu-Next-Commit
Rt-Fastcgi-Cache
L
NM-Fastcgi-Cache
Fastly-Drupal-HTML
PFcat
Origin
Wxu-Next-Region
X-Generation-Time
X-Owner
X-Policy
X-Request-Host
X-OVcl-Cache
X-OVcl
X-Location
X-Method
X-Old-Content-Length
X-Request-Start
X-Skip-Cache
X-Wikidot-Backend
X-Wikidot-Static-Cache
X-Irp-Debug
X-Webstats-RespID
X-VarnishDD-TTL
X-SN
X-Thanos
X-Varnish-Cacheable
X-LI-UUID
X-Li-Pop
X-Core-Value
X-Developers
X-Dispatcher-Server
X-Clientip
X-Cache-Id
X-Bip
X-Branch-Name
X-Cache-Date
X-Esi-Check
X-Fastly-Backend
X-Is-Gdpr
X-JWT-State
X-Li-Fabric
X-HN
X-Has-Esi
X-Gamma-Serve
X-Gzip
X-Backend-State
X-Cache-NGX
C-Via
Akamai-GRN
X-B3-Spanid
CacheControlHeader
X-Bc-Bl
X-B3-Traceid
X-UA
X-Cache-Tags
X-Hash
X-HS-Content-Campaign-Id
X-Csrf-Jwt
X-Level-Front-Cache
X-CGP
X-Geo-Header
X-Eu-Site
X-Core-Mission
X-Content-Age
X-DC
X-Platform
X-PF-Uncompressing
L5d-Success-Class
X-Cache-Remote
X-Mvc-Supplant-Cachable
X-Generated-On
X-Varnish-Ttl
Ha-Gx-Prefs
AKAMAI
HA-Ipaddr
Fastly-Backend-Name
X-Slack-Backend
X-Render-Time
X-CS
X-Refresh
Pagetype
X-Reqid
X-Transaction
X-Twitter-Response-Tags
X-Sql-Duration-Ms
X-Sql-Count
X-Wa
X-EIG-Tracking-Id
X-Presslabs-Stats
FSS-Proxy
X-Minions-Version
X-TA-CDN-Provider
UCS
X-Aicache-OS
XServer
X-Amz-Meta-Cb-Modifiedtime
X-Ftr-Cache-Host
X-SRV
Country-Code
X-NODE
X-Www-Served-By
X-NU-AKA-ACS-Version
X-Via-Popn
X-Via-Poph
X-Date
NGX
X-Accel-Expires-Debug
Surrogated-Key
X-Hp-Webp
X-NGENIX-Cache
Cache-Hits
X-S-Maxage
X-Vgn-Hpd-Cached
Protected
X-RateLimit-Remaining
X-Vgn-Hpd-Variations-Key
X-Up
X-Mvc-Supplant-OutputCached
X-Edge-Location
X-LB-ID
X-Servedbyhost
X-Req
X-LI-Proto
Hostname
X-Nginx-Cache
X-Check-Cacheable
X-Dc
Ufe-Result
We-Hiring
X-Debug-Cache-Store
Group
Mail-Subject
Memcached
X-Debug-Cache-Fetch
X-Cdn-Srv
X-Cache-URL
Time
HostName
X-Proxy-Upstream
X-Via-SSL
On-Server
ServedBy
X-Svr
X-Ua-Device
Edge-Copy-Time
X-Varnish-Hostname
X-FPC
X-Via-Edge
Now
X-CACHE-AGE
X-Request-Time
GeoIp-Country-Code
Geoip-Latitude
X-ZONE
X-BC
X-Dynatrace-Js-Agent
X-Webkit-Csp
X-Agile-Age
T-Server
X-VCL-Version
X-Agile-Id
X-Agile
X-Pass-Why
X-CSRF-TOKEN
X-Cluster-Node
X-FORWARDED-FOR
SID
X-Uri
X-Cs
Section-Origin-Responded
X-NGINX-Cache
Pics-Label
Section-Io-Origin-Status
M-TraceId
Section-Io-Id
X-LiteSpeed-Cache-Control
Section-Io-Origin-Time-Seconds
X-Acc-Rdl
Xserver
X-UnsetCookies
WZWS-RAY
X-Varnish-Hits
N-Cache
X-Cdn-Forward
X-MP-GENERATED-AT
X-Via-Popv
X-SB
X-VC
X-Datadome
ProcessTime
Magicmarker
Server-Host
X-TT-LOGID
X-Bc
X-Zone
Ohc-File-Size
X-Info
Arc-Country
DSUID
X-HS-Status
X-Erf-Stays-Bingo-Pdp-Web
X-CF-Powered-By
Apigw-Requestid
X-APP
X-Srv
Cache-Name
Ohc-Cache-HIT
NtCoent-Length
X-UA-Device-Type
Cteonnt-Length
Viewtype
Cdn-Host
Cdn-Request-Time
X-Edge-Server
X-We-Are-Hiring
VivaBuild
X-Origin-Date
User-Cache-Control
Odigeo-Trace-Id
User-Agent
CF-IPCountry
Processtime
X-Action
Tracecode
Memory
X-Via-Ucdn
W
X-RunCloud-Cache
X-MSEdge-Flight
WebServer
X-MSEdge-Features
Amp-Access-Control-Allow-Source-Origin
Srv
LB
S-Rt
Sid
X-RPS
X-DSS
X-DW
X-DI
WWW-Authenticate
X-Oss-Cdn-Auth
X-DB
X-Magnolia-Registration
X-RPM
X-RSL
X-Tb
Server-Info
CountryCode
X-Newrelic-App-Data
X-HOST
Ssr
Lfy
X-Vgn-Hpd-Ssi
CDN
X-HITS
X-Dynatrace
Locid
X-Contensis-Viewer-Groups
X-Response-By
X-VServer
X-SRCache-Key
X-Cache-Hm
X-Cache-Hfrom
Server-Ext
X-Developer
IsBot
X-Vcl-Version
MIME-Version
Path
X-Request-URI
CDCHOST
X-Cache-Expires
X-Cc-Req-Id
X-Cc-Via
X-Cache-ASPX
X-SVT-ORM-VERSION
D-Cc-Upstream
X-SIPLIST1
X-Block-Status
X-Scheme
X-SVT-ORM-RULES
X-SD-PageType
X-Varnish-Authentication
X-Varnish-Url
X-Server-IP
Server-ID
X-Pjax-Url
X-User
X-Cache-Info
Instruction
Server-Hostname
Vix-Hermes-Req-Id
X-Node-Id
V-Age
True-Client-Country-4JS
X-Origin-CC
X-Nyt-Route
Sever-Int
X-Hnp-Log
X-Loc
X-Browser-Type
X-API-Version
Web-Mar-Node
X-Nginx-Cache-Key
X-Unique-ID
X-Origin-Expires
Geo-Info
X-BBC-Edge-Cache-Status
SR-User-Adfree
X-BBXSRF
X-Gen-Mode
X-Origin-TTL
X-Origin-Time
X-Gdpr
X-Geo
X-Webkit-CSP-Report-Only
X-Hit
X-Generated-In
GeoIP-Latitude
X-Azure-Ref-OriginShield
X-Trace-Id
X-Matched-Rule
X-Thinkindot-L3
X-Swa-Ws
X-Traceid
X-GeoIP-City
X-Goog-Meta-Goog-Reserved-File-Mtime
GeoIP-Country-Code
X-Newrelic-Synthetics
Thinkindot-Control
Release
Pramga
A
Thinkindot-CacheControl-Type
X-Fetched-On
X-Device-Os
Thinkindot-CacheControl
X-NodeID
X-Sn-Servicetimems
X-Var-Ttl
Cache-Host
X-FC-Vary-Parameters
X-Cdn-Origin
X-Fastly-Country-Code
X-CACHE-KEY
X-Oracle-Dms-Rid
X-Akamai-Request-ID2
Cdn
Lb
X-Fpc
X-Provided-By
X-Lb-Id
X-Nc
X-Via-NSCOPI
X-Envoy-Upstream-Healthchecked-Cluster
X-Epic-Correlation-Id
Cf-Device-Type
X-Origin-Response-Time
X-Cache-Tag
X-Men
X-ServedByHost
X-Li-Proto
Accept-Language
FNAC-ModuleRouting
Source
X-Fastly-Request-Id
X-StackifyID
Expiry
X-Via-PopH
X-SERVER-NAME
X-Akamai-Pragma-Client-IP
X-TH-Server
X-Served-From
X-Sigma
X-Sigma-Backend
Esi-Enabled
X-Rocket-Build-Number
Kp-EeAlive
X-Amzn-Remapped-Date
X-Via-PopV
Cache-Key
X-Amzn-Remapped-Connection
Server-Ttl
X-Via-PopN
X-ORACLE-APMCS-REQUEST-ID
Actual-Object-TTL
X-B3-SpanId
X-Instart-Request-ID
Content-Script-Type
Url
X-Parent-Response-Time
Content-Style-Type
X-Key
Cache-Provider
X-Vgn-Hpd-Reason
X-No-Cache
X-Batcache
X-Tt-Logid
X-Agile-Brick-Ok
EpKe-Alive
X-ServiceProvider
X-RateLimit-Limit-Second
X-Proxy-Cachei7
X-Akamai-Request-ID
X-ElasticPress-Query
X-RateLimit-Remaining-Second
Xkeyi7
Content-Secure-Policy
X-WA
Req-Svc-Chain
X-MiniProfiler-Ids
X-VC-Cache
X-Yottaa-OS
X-Mobile-Rewrite
X-Request-URL
Tcn
X-Vcache
X-ND-Cache
BehaviorPad-Version
X-BBC-Origin-Response-Status
URI
Location
X-B3-Parentspanid
X-RateLimit-Limit
X-Dispatch
Inserted-Into-Cache-At
Proxy-Firewall
Origin-Cache-Control
X-HostName
X-Instart-Info
Origin-Edge-Control
Who
X-PJAX-URL
X-Apw-Hits
X-Varnish-Beresp-TTL
X-Apw-Access-Token
X-Apw-Access-Object
X-Apw-Access-Action
X-Selected-Scheme
X-Selected-Host-Header
X-Selected-Name
X-Geo-Region
Powered-By
DataCenter
X-TrackingId
X-TraceId
Cf-Alt-Svc
HitType
X-RAMCache
Pragrma
Xet-Cookie
PICS-Label
X-Snapshot-Date
X-C
Mime-Version
NnCoection
X-Dw-Trace-Id
Resin-Trace
Vha6-Origin