Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
P3p
X-Cacheable
X-Check
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-CONTENT-TYPE-OPTIONS
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
Keep-Alive
Request-Context
EagleId
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
X-Akamai-Path-Stats
X-Amz-Request-Id
X-UA-Device
Host-Header
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
X-Dns-Prefetch-Control
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Vhost
X-Amz-Version-Id
X-Ua-Compatible
CONTENT-SECURITY-POLICY
X-Dispatcher
X-LiteSpeed-Cache
Allow
EagleEye-TraceId
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Nginx-Cache-Status
X-OneAgent-JS-Injection
X-WebKit-CSP
X-Device
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-CST
X-Server-Id
X-Aws-Lambda-Call-Status
X-Pingback
Surrogate-Control
Request-Id
X-Backend-Server
Accept-CH
X-Readtime
X-Akam-SW-Version
Cf-Edge-Cache
X-Cache-Lookup
X-Response-Time
X-HW
Xkey
X-Application-Context
X-ASPNET-VERSION
Content-Location
Accept-CH-Lifetime
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Trace
X-Country
Fastly-Restarts
Accept-Ch-Lifetime
X-Ruxit-JS-Agent
X-MS-InvokeApp
Accept-Ch
X-Rack-Cache
X-Mod-Pagespeed
X-TtlSet
X-Vname
X-PC
X-Clacks-Overhead
X-Server-Name
RTSS
Edge-Control
X-Varnish-TTL
X-VARITI-CCR
X-ESI
Cache-Tag
X-Content-Type
X-B3-TraceId
X-Vcap-Request-Id
X-Amz-Server-Side-Encryption
X-Exp-Id
X-GoogleNews-Bot
X-Kinja-Revision
X-Use-Magma
X-Cdn-Fetch
X-Kinja-Server
X-Kinja-Build
X-Kinja
X-Exp-Variant
X-Amz-Rid
X-Dw-Request-Base-Id
Public-Key-Pins
X-Px
X-Cnection
X-Ac
X-D2id
X-RateLimit-Remaining
X-Element-Page-Cache
X-Navigation-Version
X-Edge
Verso
X-FastCGI-Cache
X-Abt-Application-Version
X-Client-IP
X-Middleton-Display
Pagespeed
X-Sol
X-Powered-By-Plesk
Display
X-Ser
X-Cache-TTL
X-Litespeed-Cache
X-Version
Arr-Disable-Session-Affinity
Service-Worker-Allowed
X-GitHub-Request-Id
X-Country-Code
Response
X-Middleton-Response
X-NF-Request-ID
X-Correlation-Id
Access-Control-Request-Method
X-Goog-Hash
SPRequestDuration
SPIisLatency
X-Kinsta-Cache
X-TTL
X-Edge-Location-Klb
X-Webkit-Csp
AR-Request-ID
AR-SID
AR-PoweredBy
AR-CACHE
AR-ATIME
X-Ttl
X-Cached
X-Upstream
SPRequestGuid
X-Content-Security-Policy-Report-Only
X-SharePointHealthScore
X-LLID
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
X-Instrumentation
X-NWS-LOG-UUID
X-RateLimit-Limit
X-Powered-CMS
Edge-Cache-Tag
X-Ruxit-Js-Agent
Nginx-Cache
X-Forwarded-For
X-Cache-Key
Content-MD5
TCN
X-MSEdge-Ref
X-Id
MRF-Tech
Mrf-Cache-Status
X-Shield-Request-Id
X-Daa-Tunnel
X-B3-TraceId-Primal
X-T
X-Recruiting
S
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-Content-Digest
MS-Author-Via
X-Ua-Device
X-Mg-S
X-HP-Webp
X-HP-Trace-Id
X-Jurisdiction
X-ECACHE
X-Accel-Expires
MicrosoftSharePointTeamServices
X-Protected-By
X-SRCache-Store-Status
X-Ezoic-Cdn
X-SRCache-Fetch-Status
X-DataDome
X-HS-Cache-Config
X-HS-Hub-Id
X-Frontend
X-HS-Combine-CSS
X-HS-Content-Id
X-Grace
X-Ab
X-Content
X-Ua-Browser
X-Request-Processing-Time
X-Request-Received
Front-End-Https
X-Yandex-Sdch-Disable
Server-Node
Filters
X-Server-ID
TP-L2-Cache
TP-Cache
X-PressLabs-Stats
X-Mid
Fastcgi-Cache
X-Origin-Server
X-DynaTrace
X-Hits
X-Distributor
X-Geo-Country
X-Microsite
X-Request-Handler-Origin-Region
X-Debug-Info
X-Amzn-Trace-Id
X-Tt-Trace-Tag
X-ORACLE-DMS-ECID
X-Tt-Trace-Host
Charset
Cleartype
Host
X-LB-Cache
X-Page-Id
X-Git-Hash
X-F-Cache
X-DIS-Request-ID
X-B3-Sampled
Cross-Origin-Opener-Policy
X-ORACLE-DMS-RID
X-Ratelimit-Reset
Pinterest-Version
X-Pinterest-Rid
X-Forwarded-Proto
Pinterest-Generated-By
X-Www-Served-By
X-Cache-Age
X-WebKit-CSP-Report-Only
Access-Control-Allow-Method
ServerID
X-Seen-By
Cache-Status
Realpath
X-AppVersion
X-Az
X-Activity-Id
Accept-Charset
X-MCACHE
Cache-Tags
X-Aspnetmvc-Version
X-Oracle-Dms-Ecid
X-Varnish-Age
X-Cluster-Name
X-Oracle-Dms-Rid
Filterid
X-Rid
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-Content-Options
X-Nginx-Upstream-Cache-Status
X-Language
X-Type
X-App-Environment
Server-Name
Retry-After
X-Upgrade-Enabled
X-Tb
X-Varnish-Grace
Country
X-Origin-Cache
Node
Viewport
X-User-Agent
X-Whom
X-FB-Debug
X-B-Cache
X-Aspnet-Duration-Ms
X-Varnish-Backend
X-Signature
X-Wix-Request-Id
X-Drupal-Cache-Tags
X-Mobile-URL
X-Is-Crawler
DC
Paypal-Debug-Id
X-Providence-Cookie
X-Route-Name
X-Request-Guid
X-Flags
X-TT
X-NWS-UUID-VERIFY
X-GUploader-UploadID
X-Goog-Storage-Class
X-Goog-Generation
X-VCache
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length
X-Goog-Metageneration
Fastcgi-Useragent
X-XRDS-LOCATION
Protected
X-B
X-N
X-Via-JSL
X-Fastly-Request-Id
X-Fastly-Request-ID
X-Debug
WPO-Cache-Message
X-Amz-Replication-Status
WPO-Cache-Status
X-Logged-In
X-Cache-NGX
Payment
X-Mcache
X-XRDS-Location
X-Load-Cache
X-Contextid
Surrogate-Key
X-Amz-Meta-S3cmd-Attrs
Permissions-Policy
Count-Hit
Amp-Access-Control-Allow-Source-Origin
X-Cache-Control
X-FW-Type
X-FW-Serve
X-FW-Static
X-FW-Server
X-FW-Hash
X-FW-Dynamic
X-Node-Name
X-Template
Healthy
X-Erf-Bev-Bev
X-Browser-Type
X-Erf-Bev-Bev-Is-Generated
X-Fastcgi-Cache
SD-X-WS
X-G
X-Response-Served-From
X-Original-Request-Id
X-Jobs
X-Cache-Time
Akamai-GRN
X-Mobile
Content-Disposition
X-Proxy
Refresh
Uber-Trace-Id
X-Akamai-Request-ID2
X-Is-Bot
X-UUID
X-Trace-Id
X-Revision
X-Real-IP
X-Framework
X-Cacheable-TTL
X-Zen-Fury
X-Rendered-As
X-Adobe-Content
X-Hostname
X-Proxy-Cache-Status
X-Http-Reason
X-Adobe-Loc
X-Cache-TTL-Remaining
X-Page-View
Alternate-Protocol
Access-Control-Request-Headers
NGB
X-Debug-IsPreview
X-Drupal-Cache-Contexts
Url
X-Instance
X-Debug-IsConnected
X-Device-Type
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
X-Yottaa-Optimizations
X-Servername
X-Yottaa-Metrics
X-IPLB-Instance
X-Cache-Grace
X-ECache
X-Mg-Request-UUID
X-Restarts
Version
X-B3-Traceid
X-Varnish-Server
X-NGENIX-Cache
X-Source
X-Environment-Context
X-L-Path
X-Oneagent-Js-Injection
From-Origin
Accept-Language
X-Cache-Rule
X-Vgn-Hpd-Reason
X-Cache-Hit
X-EdgeConnect-Cache-Status
Countrycode
X-HTML-Minification-Powered-By
Ms-Operation-Id
MS-CV
X-RTag
X-Cache-Expired-At
X-Datadome
X-Parallel-Accel
Referer-Policy
Frame-Options
X-App-Server
Liferay-Portal
X-NYM-Debug-Backend
X-Tumblr-Pixel-0
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-1
Cross-Origin-Window-Policy
X-FW-Version
Backend
X-IPS-LoggedIn
X-COUNTRY
X-Midtier
X-Nginx-Cache
Content-Secure-Policy
X-ProcessESI
X-RemovedCookies
WP-Super-Cache
X-Redis-Cache
X-Hosted-By
Upgrade-Insecure-Requests
Meta-Geo
X-Cache-Action
X-RN-RSRV
X-UPSTREAM-Address
Cache-Tv-Group
X-Cache-Server
Section-Io-Cache
X-Cache-Enabled
X-Detected-As
X-FB-TRIP-ID
X-OCL
X-Content-Age
CF-IPCountry
X-APP-VERSION
X-Region
X-Web-Node
X-No-Session
X-Ua
X-PCL
X-UA-Device-Type
X-Generation-Time
X-Format
X-Generated-By
Apigw-Requestid
Ec-Rule-Version
TWC-GeoIP-Country
TWC-GeoIP-LatLong
TWC-Locale-Group
TWC-Privacy
Fastly-SSL
TWC-Device-Class
S-Rt
X-Site-Version
Property-Id
Mn-Server-Ip
Locale
Webcakes-App-Name
Webcakes-App-Version
X-Akamai-Edgescape
Azure-InstanceId
X-AOL-HN
X-Unique-Id
X-Be
Azure-RegionName
Azure-SiteName
Webcakes-Region
X-Access
Azure-Version
Azure-SlotName
X-Cluster-Node
X-Sql-Count
X-Say-TTL
X-Server-W
TWC-Connection-Speed
X-Say-Cacheable
X-Section
X-Urbn-Context-Path
X-Urbn-Site-Id
X-PHP-Backend
X-SayCDN-TTL
X-Origin-Date
X-Origin-Hint
X-Via-Fastly
X-Sql-Duration-Ms
X-Mode
X-Varnish-Cache-Hits
X-Uri
X-Request-Time
X-Human
X-Storage
X-Nginx-Cache-Key
X-Ratelimit-Remaining
CDN-Cache
X-ApacheServer
X-Adobe-Source
X-Sorting-Hat-ShopId
CDN-RequestId
X-ProxyCache-Key
Eomportal-Instance
X-Xfnlog-Site
X-ProxyCache-Status
CDN-Uid
X-Shopify-Stage
CDN-EdgeStorageId
CDN-PullZone
CDN-RequestCountryCode
CDN-CachedAt
X-Sorting-Hat-PodId
X-Status
X-Cache-Tags
X-Platform-Server
X-Content-Powered-By
X-ShopId
X-Debug-Cache
X-Cache-Host
X-BYPASS-REASON
X-ShardId
X-Forwarded-Host
X-PERF
X-Alternate-Cache-Key
X-Zipkin-Id
X-NewRelic-App-Data
X-Routing-Service
X-JoinUs
X-Webkit-CSP
X-Proxied
X-Varnishpool
X-Locale
X-ServerID
X-Cache-Type
X-Extlb
X-Backend-Name
X-Labrador-Cache-Channel
X-Tid
X-SaId
X-Hl-Ver
X-Handled-By
X-PHP-Host
X-Hyper-Cache
X-TT-LOGID
Selected-Fe
X-AWS-Id
X-Timing-Wait
X-VWS-Id
X-Proxy-Build
X-LJ-Flow-ID
X-GG-Cache-Date
X-VC-Cache
X-Cms-Context
ServedBy
Webserver
X-Rule
X-Edge-Location
X-Cache-Operation
X-Storefront-Renderer-Rendered
X-LSADC-Cache
Mime-Version
X-Proto
Fastly-Drupal-Html
Load-Balancing
X-Dc
Web-Mar-Node
X-Cached-By
SRV
X-GeoCode
X-Accel-Buffering
SID
X-Rewrite-Enabled
X-GeoCountry
X-App-Version
X-CDN-Forward
X-Cache-Remote
Onion-Location
X-Soup
X-GEO
X-Cdn
X-Varnish-Hostname
Xserver
X-TA-CDN-Provider
X-Pubstack
Cache-Hits
X-Reqid
Country-Code
X-SRV
X-Buckets
X-Cluster
X-Origin-CC
X-Request-Host
X-Origin-TTL
X-Varnish-Hits
X-Ratelimit-Limit
X-Microcachable
Decoy-Debug-TTL
Decoy-Debug-Key
Server-Info
Decoy-Debug-Status
X-Envoy-Decorator-Operation
X-MP-GENERATED-AT
X-Tumblr-Pixel-3
X-Tumblr-Pixel-2
X-CSRF-Token
LB
X-Ms-Request-Id
X-Magnolia-Registration
Xet-Cookie
X-Ms-Version
X-Air-Hostname
X-Time
X-Air-Source
X-Air-Trace-Id
Cache
X-Amzn-RequestId
X-Amz-Apigw-Id
DB-Nickname
X-Tx-Id
X-B3-SpanId
X-RCS-CacheZone
X-Endurance-Cache-Level
X-NCache
X-A
X-A-Dcw
X-A-Ccd
X-A-Dam
Source
T-Server
Surrogated-Key
Sslversion
Rendered-Blocks
Odigeo-Trace-Id
Pramga
NM-Fastcgi-Cache
A
Fastcgi-X-Cache-Version
Cmsid
Cmstype
Expiry
DCR-Decision-By
X-A-Dgt
Cdnsip
Host-ID
BehaviorPad-Version
DCR-Processing-Time-Ms
Cdncip
Meta-Geo-Continent
Lang
MD5-Digest
Mobile-Detection-Method
X-Device-Os
X-S
X-Rojux
X-S-Cookie
X-ScT
X-Session-Fingerprint
X-SD-PageType
X-Processor
X-PBS-Appsvrname
X-NAPM-TraceId
X-Ig-Push-State
X-Node-Id
X-Orig-Expires
X-PAYTM-SRV-ID
X-Shop-Environment
X-SRCache-Key
X-VG-WebCache
X-Vdms-Version
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Xc-Version
X-Vdms-Path
X-User
X-SVT-ORM-VERSION
X-SVT-ORM-RULES
X-Tenant
X-TIM-N
X-TrackingId
X-HS-Content-Campaign-Id
X-Hash
X-Cdn-Srv
X-Cache-NE
X-CF-Lambda-Fn
X-CF-Lambda-Version
X-Connection-Hash
X-Cache-Id
X-Cache-Bucket
X-AK-Request-ID
X-Aed
X-Application
X-ARC
X-B-Cookie
X-Core-Mission
X-D
X-Forwarded-Path
X-Fetched-On
X-Ftr-Request-Id
X-Geo-Header
X-Gzip
X-External-Request-Id
X-Esi-Check
X-Developer
X-Destination
X-Ec-Fail
X-Ec-GeoHdr
X-Epic-Correlation-Id
X-A-Wwc
X-Conf
DynaTrace
X-IPLB-Request-ID
X-Bc-Bl
X-Varnish-Beresp-Grace
X-Varnish-Ttl
Traceparent
X-Planisys-CDN-Cache
Thinkindot-Control
X-Planisys-CDN-Rules
User-Cache-Control
Web-Mar-Region
X-Origin-Time
X-Origin-Response-Time
X-Origin-Expires
Wxu-Next-Region
Wxu-Next-Hostname
Thinkindot-CacheControl-Type
Wxu-Next-Commit
We-Hiring
TDXMobile
Origin-CC
Origin-EX
Memcached
Mail-Subject
Machine
X-Rocket-Build-Number
Platform
Producers
X-Planisys-CDN-TTL
X-Origin
State
Server-Host
X-Dispatcher-Number
Thinkindot-CacheControl
X-NodeID
X-Gdpr
X-Core-Value
X-Clara-WADP
X-Ckpd-Fst-Backend
X-GeoIP
X-Gen-Mode
X-From
X-Fmm-Version
X-Ec-Custom-Error
X-DPWN-IS-SECURE
X-Developers
X-DefHash
X-Fastly-Cache
X-DefElseHash
X-CacheTTL
X-Cache-Info
X-LAGOON
X-JWT-State
X-Amzn-Remapped-Content-Length
X-Loop
X-SB
X-Mvc-Supplant-Cachable
X-Is-Gdpr
X-Irp-Debug
X-Has-Esi
X-R9-Blue-Green-Version
X-Cache-Date
X-Hnp-Log
X-Block-Status
X-Cache-Backend
X-Nyt-Route
Release
X-Sigma-Backend
X-VServer
X-Server-IP
Adler-Geo
Is-Eu
X-Scheme
Environment
X-Sigma
X-Varnish-CookieINHashed-On
X-Varnish-Remaining-TTL
Fastly-GeoIP-CountryCode
Cache-Name
X-Via-Ucdn
X-Thinkindot-L3
X-WADP-Cache
X-Slack-Backend
X-V-Cache
X-TNCMS
CloudFront-Viewer-Country
X-Variation
X-Skip-Cache
X-Webstats-RespID
X-Wix-Viewer-Type
X-Varnish-CookieHashed-On
X-Worker
AKAMAI
X-Azure-Ref
Apple-News-Services-Host
X-Level-Front-Cache
X-Aicache-OS
X-Minions-Version
CDCHOST
X-Location
X-Loc
Apple-News-Services-Request-Url
Apple-News-Services-Handled
Apple-News-Services-Parsed-Url
X-Branch-Name
X-Forwarded-Site
X-Csrf-Jwt
X-Gamma-Serve
HostName
X-Datadog-Parent-Id
X-Datadog-Sampling-Priority
X-Eu-Site
X-Via-NSCOPI
X-Datadog-Trace-Id
X-CGP
X-Generated-On
X-VG-TLSProxy
X-VarnishDD-TTL
X-BBC-Edge-Cache-Status
X-Httpd
X-HN
X-Viewer-Country
CDN
X-Cdn-Origin
X-GeoIP-City
X-Auto-Login
X-ZONE
HA-Ipaddr
X-Proxy-Upstream
X-Qloud-Router
PFcat
X-RateLimit-Limit-Second
Ha-Gx-Prefs
X-Rocket-Nginx-Serving-Static
Req-Svc-Chain
X-Pool
Gh-Request-Id
Redirect-Candidate
Origin
X-RateLimit-Remaining-Second
Kp-EeAlive
X-Request-URI
L
L5d-Success-Class
X-Region-Sid
IsBot
X-Rebelmouse-Cache-Control
NGX
N-Cache
X-Rebelmouse-Surrogate-Control
Server-Ext
X-Proxy-Cache-Info
X-SIPLIST1
Fastcgi-Cache-TTL
Fastly-SIE
DSUID
V-Age
Cluster
X-Sn-Servicetimems
Ohc-File-Size
Fastly-SWR
Vix-Hermes-Req-Id
X-Pod-Name
Server-Hostname
Svr
X-Policy
Sever-Int
Ssr
X-Served-From
X-Platform
X-Newrelic-Synthetics
X-Optimistic-Header
X-Scale
X-Owner
X-WP-CF-Super-Cache
X-WP-CF-Super-Cache-Cache-Control
X-BCube-Filmed-By
X-Ad-Defer-Variation
Candidate-Md5Url
Cache-Key
X-NC
X-Parent-Response-Time
X-CS
X-Refresh
X-Wikidot-Backend
X-Wikidot-Static-Cache
X-Men
X-VC
Arc-Country
Datacenter
X-Tb-Optimization-Total-Bytes-Saved
Pics-Label
Locid
X-CACHE-KEY
CPC-Cache
CPC-Age
GEO-INFO
X-Tt-Logid
X-Cache-ASPX
Env
X-Old-Content-Length
X-Contensis-Viewer-Groups
X-EC-Lua
X-SplitTest
VNS-Age
X-Ah-Environment
XM
VNS-Cache
X-Response-By
X-Cache-Status-Check
X-TraceId
Ms-Author-Via
X-WA-Info
X-RPM
X-Tec-Api-Origin
X-RSL
X-Srv
X-Webkit-Csp-Report-Only
X-DI
X-Tec-Api-Version
X-RPS
X-Tec-Api-Root
Servername
X-LB-NoCache
X-RateLimit-Reset
AMP-Access-Control-Allow-Source-Origin
X-DB
X-Varnish-Authentication
X-DW
Fastly-Backend-Name
X-DSS
X-Udemy-Cache-App-Namespace
X-Edge-Pop
Time
X-Mvc-Supplant-OutputCached
X-Date
X-Accel-Expires-Debug
X-Micro-Cache
X-Amz-Meta-Cb-Modifiedtime
Memory
X-Akamai-Transformed
Lb
X-TIME
X-Xrds-Location
X-AIR-PT
X-Via-Popv
X-Via-Popn
X-GeoIP-Country-Code
X-GeoIP-Region-Code
X-Servedbyhost
X-Via-Poph
X-Generated-In
Path
X-API-Version
Ohc-Cache-HIT
X-HA-Backend
GeoIp-Country-Code
ITXSESSIONID
X-Trace-ID
X-S-Maxage
X-Cache-Debug
Ngx.Var.Host
FSS-Cache
X-VCL-Version
Client
X-DC
Cache-Host
Fusion-Deployment-Id
Fusion-Source
Fusion-Content-Id
Fusion-Content-Source
Fusion-Component-Id
Fusion-Template-Id
Geoip-Latitude
X-Varnish-Beresp-TTL
CacheControlHeader
True-Client-IP
X-Vc
XkeyRZ
X-VHOST
X-Cs
X-Proxy-CacheRZ
X-TH-Server
X-Api-Version
X-Clientip
X-Action
Geo-Info
Server-ID
True-Client-Country-4JS
X-Presslabs-Stats
X-Backend-TTL
Hostname
X-Zone
X-Fpc
X-FireWall-Port
Edge-Cache
X-Req
Powered-By
X-TX-ID
X-Pass-Why
X-B3-Spanid
My-App
X-Dmc
NtCoent-Length
X-PX
X-Traceid
Test
X-INCAP-ABP
X-MSEdge-Flight
X-Provided-By
X-FPC
X-Render-Time
X-MSEdge-Features
X-Origin-Upstream-Status
X-NGINX-Cache
X-Cdn-Request-ID
C-Via
X-Up
X-CSRF-TOKEN
X-Varnish-Beresp-Ttl
Cf-Int-Pingora-Origin-Digest
X-Correlation-ID
X-Beluga-Cache-Status
X-Beluga-Node
Tube-Get-Contents
Rip
X-Beluga-Trace
User-Agent
X-Gateway-Cache-Key
X-Gateway-Cache-Status
Click-Count-Error
X-Gateway-Request-Id
Click-Count-Action-Start
Tube-Return
X-Service
Tube-Got-Eval
X-Beluga-Record
Tube-Got-Results
X-LB-ID
X-Gateway-Skip-Cache
Server-Id
X-Beluga-Response-Time
X-HS-Status
X-Beluga-Status
X-Webkit-CSP-Report-Only
X-M-Reqid
X-Qnm-Cache
X-M-Log
OT-Force-Account-Verify
Proxy-Connection
Esi-Enabled
X-Vcl-Version
Tcn
DataCenter
X-UnsetCookies
X-LI-UUID
X-Ha-Backend
X-Li-Pop
X-Li-Fabric
X-URL
GeoIP-Latitude
GeoIP-Country-Code
On-Server
HIT
X-Via-PopN
X-DynaTrace-JS-Agent
X-Alfa-Service
Srvid
Uri
Resin-Trace
X-Via-PopH
X-Via-PopV
X-CLOUD-TRACE-CONTEXT
X-Dynatrace
X-ND-Cache
X-ServedByHost
Sid
X-Time-Microsecs
WZWS-RAY
X-RAMCache
X-Check-Cacheable
X-Akamai-Pragma-Client-IP
X-CCDN-CacheTTL
Epwk-X-Cache
X-CCDN-Origin-Time
X-Hcs-Proxy-Type
X-APP
X-CUA
X-Fetch-By
X-Proxy-Cache-Hk
X-Geo
X-LI-Proto
Srv
Cdn
X-Cdn-Forward
X-TRACE-ID
X-Edge-POP
X-Platform-Router
Cf-Device-Type
X-Platform-Cluster
X-Fragments
X-ATG-Version
X-Backend-Host
X-Fastly-Backend-Reqs
Tracecode
MIME-Version
Target-Params
X-Platform-Processor
X-Edge-Origin-Shield-Bytes
X-Esi
X-App
X-Var-Ttl
X-B3-Traceid-Primal
X-Fastly-Backend
X-FC-Vary-Parameters
Lfy
ENV
ServerName
X-Sucuri-ID
X-Sucuri-Cache
XServer
Fastly-Drupal-HTML
WebServer
X-Lb-Nocache
X-HostName
X-Edge-Origin-Shield-Region
X-Srcache-Fetch-Status
X-Srcache-Store-Status
X-MG-S
X-ElasticPress-Query
Section-Io-Id
Section-Io-Origin-Status
Inserted-Into-Cache-At
Section-Io-Origin-Time-Seconds
M-TraceId
Section-Origin-Responded
X-Yottaa-OS
Server-Ttl
X-Cache-Expires
X-Azure-Ref-OriginShield
Warning
CF-Cached-On
X-Varnish-Beresp-Status
PICS-Label
X-Newrelic-App-Data
D-Url-Rewrites
X-Li-Proto
Magicmarker
X-Backend-State
Cf-Ipcountry
X-NU-AKA-ACS-Version
X-Iplb-Instance
X-Serial
X-LiteSpeed-Cache-Control
X-Nc
X-Request-Url
X-Dw-Trace-Id
X-Dynatrace-Js-Agent
X-Iplb-Request-Id
X-Vcache
X-CF-Powered-By
DT-Hot-News
Servedby
X-Fastly-Cache-Hits
True-Client-Ip
X-Wp-Cf-Super-Cache-Cache-Control
X-Storefront-Renderer-Verified
X-Wp-Cf-Super-Cache
Hit
X-Vercel-Id
X-Release
X-Vercel-Cache
X-Dist-Code
X-Snapshot-Date
Dt-Hot-News
Cneonction
X-Litespeed-Cache-Control
X-Back
X-Acquia-Site
X-Acquia-Purge-Tags
X-Acquia-Application-Trace
X-Acquia-Application-UUID
Content-Style-Type
Content-Script-Type
X-Th-Server
Fastcgi-Cache-Ttl
X-Request-URL
X-BBC-Origin-Response-Status
CountryCode
Ngx