
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
Content-Length
X-Frame-Options
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
X-Powered-By
Pragma
CF-Cache-Status
Link
ETag
Expect-CT
Via
CF-RAY
Age
X-Cache
X-XSS-Protection
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-Xss-Protection
X-Cache-Hits
Referrer-Policy
X-Amz-Cf-Pop
P3P
X-Amz-Cf-Id
X-UA-Compatible
X-Served-By
CF-Ray
Alt-Svc
X-Varnish
X-Request-Id
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-FRAME-OPTIONS
X-Drupal-Cache
X-Check
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Cacheable
X-Permitted-Cross-Domain-Policies
X-Generator
X-Cache-Status
X-DNS-Prefetch-Control
X-Ua-Compatible
Timing-Allow-Origin
P3p
X-Iinfo
X-Template
X-Language
Status
Upgrade
X-Content-Security-Policy
X-AspNetMvc-Version
X-CDN
X-Buckets
Content-Encoding
Access-Control-Expose-Headers
X-Request-ID
X-Kinja-Server-Push
Access-Control-Max-Age
Keep-Alive
X-Via
X-AH-Environment
X-Envoy-Upstream-Service-Time
X-Turbo-Charged-By
X-Drupal-Dynamic-Cache
X-Cache-Group
X-Pass-Why
X-Ws-Request-Id
X-Backend
X-Age
X-Server
X-Proxy-Cache
X-Amz-Request-Id
X-Amz-Id-2
EagleId
X-Robots-Tag
Xkey
X-Page-Speed
X-Hacker
Feature-Policy
X-Server-Powered-By
Request-Context
X-Pingback
Server-Timing
X-Nginx-Cache-Status
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
Grace
X-UA-Device
X-Varnish-Cache
X-Amz-Version-Id
Cf-Railgun
Report-To
X-OneAgent-JS-Injection
X-Rq
X-LiteSpeed-Cache
X-Server-Id
X-Device
X-Origin-Cache
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Vhost
X-Host
EagleEye-TraceId
X-Backend-Server
X-Node
X-Response-Time
X-Dispatcher
X-Ac
NEL
X-WebKit-CSP
X-Cache-Lookup
X-Origin-Upstream-Status
X-Dns-Prefetch-Control
Surrogate-Control
Request-Id
X-Readtime
X-Ruxit-JS-Agent
Content-Location
X-Application-Context
Fusion-Content-Source
Fusion-Template-Id
Fusion-Source
Fusion-Content-Id
Fusion-Component-Id
X-ORACLE-DMS-ECID
X-DataDome
X-HW
X-ORACLE-DMS-RID
X-Cnection
X-Mod-Pagespeed
X-Country
X-Akam-SW-Version
Edge-Control
Rating
X-Url
X-Rack-Cache
X-Cloud-Trace-Context
X-Clacks-Overhead
RTSS
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Goog-Hash
X-FTR-Request-ID
X-Vname
X-TtlSet
X-PC
X-Country-Code
X-ASPNET-VERSION
Fusion-Deployment-Id
X-DynaTrace
Allow
X-GitHub-Request-Id
Service-Worker-Allowed
Verso
X-Varnish-TTL
Accept-CH
X-Instart-Request-ID
X-MS-InvokeApp
X-D2id
X-Cdn-Fetch
X-Exp-Id
X-Kinja
X-GoogleNews-Bot
X-Use-Magma
X-Exp-Variant
X-Kinja-Revision
X-Kinja-Server
X-Kinja-Build
Content-MD5
Pinterest-Generated-By
X-Server-Name
SPRequestGuid
Accept-CH-Lifetime
X-Cached
X-Forwarded-Proto
X-Powered-By-Plesk
X-Navigation-Version
X-Trace
TCN
X-Amz-Server-Side-Encryption
X-SharePointHealthScore
X-Amz-Rid
X-Abt-Application-Version
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-TEC-API-ROOT
Public-Key-Pins
X-Fastly-Request-ID
X-Vcache
X-Vcap-Request-Id
Nginx-Cache
X-Ttl
X-MSEdge-Ref
X-Debug
X-ESI
SPRequestDuration
X-VARITI-CCR
SPIisLatency
Arr-Disable-Session-Affinity
Charset
X-B3-TraceId
X-Accel-Expires
X-Cache-TTL
MS-Author-Via
X-DynaTrace-JS-Agent
X-NF-Request-ID
NR-ENABLED
Response
Pagespeed
Display
X-Middleton-Response
X-Middleton-Display
X-Px
X-Content-Type
X-Sol
Realpath
X-Client-IP
Cache-Tag
X-Ser
X-SRCache-Fetch-Status
S
X-SRCache-Store-Status
X-Server-ID
Edge-Cache-Tag
Access-Control-Request-Method
X-Id
X-Powered-CMS
X-Grace
X-Pinterest-Rid
Pinterest-Version
X-Webkit-Csp
WPE-Backend
Front-End-Https
X-Fastcgi-Cache
X-Jurisdiction
X-Hp-Webp
X-Shield-Request-Id
X-Upstream
X-T
X-Hits
X-Version
AR-ATIME
AR-PoweredBy
AR-Request-ID
X-Element-Page-Cache
X-Amz-Meta-S3cmd-Attrs
X-Content-Digest
X-Dw-Request-Base-Id
DynaTrace
X-Node-Name
X-Mrf-Section-Lastmod
X-B3-TraceId-Primal
X-Mrf-Item-Lastmod
Mrf-Cache-Status
MRF-Tech
X-Cache-Hit
ServerID
Fastcgi-Cache
X-Recruiting
X-Correlation-Id
AMP-Access-Control-Allow-Source-Origin
Ar-Sid
AR-CACHE
X-Mobile-URL
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
X-GUploader-UploadID
X-Goog-Metageneration
X-Goog-Stored-Content-Length
X-FTR-DC
X-FTR-Backend
X-Country-Code-Real
X-FTR-Backend-Server
X-FTR-Cache-Status
X-FTR-Realm
X-Goog-Generation
X-FTR-Balancer
X-HS-Hub-Id
X-HS-Cache-Config
X-HS-Content-Id
Server-Node
X-Request-Processing-Time
X-Request-Received
Powered
X-Frontend
TP-L2-Cache
TP-Cache
PB-RID
X-FTR-Expires
PB-PID
X-Forwarded-For
X-DIS-Request-ID
Arc-Version
Upgrade-Insecure-Requests
X-Mobile-Rewrite
Refresh
X-Ezoic-Cdn
X-Shard
X-HS-Combine-CSS
Alternate-Protocol
Accept-Ch
Host-Header
Server-Name
X-XRDS-Location
X-Geo-Country
X-Amzn-Trace-Id
X-Request-Handler-Origin-Region
X-NWS-LOG-UUID
X-Microsite
X-TTL
X-N
X-Rid
Fastly-Restarts
X-LB-Cache
X-Page-Id
X-FTR-Cache-Host
X-F-Cache
X-Akamai-Edgescape
X-Logged-In
X-User-Agent
X-B
Backend-Timing
X-ATS-Timestamp
X-Varnish-Age
X-Aspnetmvc-Version
X-Content-Security-Policy-Report-Only
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-XRDS-LOCATION
Accept-Ch-Lifetime
MicrosoftSharePointTeamServices
X-Cache-Key
X-FastCGI-Cache
X-Kinsta-Cache
X-Zen-Fury
Healthy
X-ORACLE-APMCS-REQUEST-ID
X-ORACLE-APMCS-TAG
X-Via-JSL
X-Varnish-Grace
X-Origin-Server
X-Esi
X-Revision
X-Request-Guid
X-Jobs
Host
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Instance
Fastcgi-Useragent
X-App-Environment
X-Varnish-Backend
X-Git-Hash
Actual-Object-TTL
X-B-Cache
X-ATG-Version
X-Hostname
X-Signature
Paypal-Debug-Id
X-Cache-Age
X-TT
X-B3-Sampled
X-AOL-HN
Section-Io-Cache
X-Whom
X-FB-Debug
X-Amz-Replication-Status
X-Type
X-Seen-By
X-Debug-Info
X-Cache-Action
X-Cluster
Frame-Options
Cache-Status
X-WebKit-CSP-Report-Only
X-Content-Options
Access-Control-Allow-Method
Trailer
X-Amzn-Requestid
X-Endurance-Cache-Level
X-Cache-Rule
X-Presslabs-Stats
X-Cache-Operation
X-Contextid
X-Content-Powered-By
Source
X-Erf-Bev-Bev-Is-Generated
X-Host-Name
X-Erf-Bev-Bev
X-SERVER
Tracecode
Liferay-Portal
X-Az
X-Activity-Id
X-AppVersion
Accept-Charset
X-Daa-Tunnel
X-FireWall-Port
X-Tt-Trace-Host
X-Tt-Trace-Tag
X-IPLB-Instance
X-Amz-Apigw-Id
DC
X-Upgrade-Enabled
X-PHP-Backend
X-APP-VERSION
From-Origin
X-Framework
X-WA-Info
X-Accel-Buffering
NGB
X-Response-Served-From
X-ProcessESI
X-Tumblr-Pixel-2
X-RemovedCookies
Retry-After
X-Tumblr-Pixel-1
X-Rendered-As
X-FW-Server
VIX-Pulpo-Node
Surrogate-Key
Srv
VIX-Pulpo-Upstream-Status
X-FW-Hash
X-FW-Type
X-FW-Serve
X-UUID
X-Is-Bot
X-FW-Static
X-Cacheable-TTL
X-Adobe-Content
Payment
X-Adobe-Loc
X-L-Path
X-Environment-Context
X-Cache-NE
X-Region
X-GeoIP
Eomportal-Instance
X-Varnish-Server
X-Wix-Request-Id
X-RequestSource
X-Mobile
X-Time-Microsecs
X-Cached-By
Filters
X-Handled-By
X-Unique-Id
X-UA-Device-Type
X-RateLimit-Remaining
X-Proxy
X-Origin-Response-Time
X-Varnish-Hostname
Nel
X-NGENIX-Cache
Xserver
X-TIME
X-Cache-TTL-Remaining
X-Webkit-CSP
Filterid
Datacenter
X-B3-Traceid
X-EdgeConnect-Cache-Status
X-Cache-Control
X-Cache-Server
X-Akamai-Transformed
X-Cache-Time
GEO-INFO
X-Srv
MS-CV
X-Backend-Name
Version
X-CST
X-Status
Server-Info
Cache-Tv-Group
X-Mode
S-Cnection
X-Rule
Odigeo-Trace-Id
X-Cache-2
X-Cache-Enabled
X-Yottaa-Optimizations
Cache-Tags
X-Yottaa-Metrics
Meta-Geo
Webserver
X-CCM
X-Cache-Var-Map
X-Cache-Var
X-ES-SERVER
X-IP
X-Path-Route
X-Amzn-Remapped-Content-Length
Azure-SlotName
X-TNCMS
X-Detected-As
Azure-SiteName
DB-Nickname
Azure-RegionName
X-RN-RSRV
X-Redis-Cache
OT-Force-Account-Verify
X-Loop
Azure-InstanceId
Ec-Rule-Version
Azure-Version
X-FW-Dynamic
X-FC-Vary-Parameters
S-Rt
TWC-GeoIP-Country
Webcakes-Region
TWC-Locale-Group
X-NCache
TWC-GeoIP-LatLong
Akamai-GRN
TWC-Connection-Speed
Webcakes-App-Version
TWC-Device-Class
X-SayCDN-TTL
NGX
TWC-Privacy
X-Say-Cacheable
X-ApacheServer
Origin-Cache-Control
Origin-Edge-Control
X-Origin-Hint
Country
Cross-Origin-Window-Policy
Now
X-Web-Node
X-Proto
X-Origin
X-PERF
X-Say-TTL
X-ServerID
Cleartype
X-Real-IP
X-Human
X-Pubstack
X-Forwarded-Host
X-TX-ID
X-Hosted-By
Decoy-Debug-Status
Decoy-Debug-Key
Decoy-Debug-TTL
X-R9-Blue-Green-Version
X-Adobe-Source
ServedBy
Webcakes-App-Name
X-Via-Fastly
Cache-Hits
X-Hl-Ver
Property-Id
X-Alternate-Cache-Key
Section-Io-Id
X-ProxyCache-Status
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
Cache-Key
Section-Io-Origin-Status
Access-Control-Request-Headers
X-RCS-CacheZone
X-ShopId
Content-Disposition
X-Akamai-Request-ID2
X-Goog-Meta-Goog-Reserved-File-Mtime
X-Generated
X-Vgn-Hpd-Reason
X-Format
X-Cache-NGX
X-ProxyCache-Key
X-Locale
X-NYM-Debug-Backend
X-LJ-Flow-ID
X-Proxy-Cache-Status
X-Cache-Status-Check
X-Device-Type
X-EIG-Tracking-Id
X-VWS-Id
X-Sorting-Hat-PodId
X-Cache-Config
X-Site-Version
X-Shopify-Stage
X-ShardId
X-Shopify-Generated-Cart-Token
X-BYPASS-REASON
X-Sorting-Hat-ShopId
X-Tb
X-AWS-Id
Selected-Fe
X-Proxied
X-Proxy-Build
X-MP-GENERATED-AT
X-BCube-Filmed-By
X-Section
X-JoinUs
X-SaId
X-Access
X-Content-Age
X-FB-TRIP-ID
X-Viewer-Country
X-Debug-Cache
X-Routing-Service
Mn-Server-Ip
X-Timing-Wait
X-Zipkin-Id
X-Xfnlog-Site
X-Www-Served-By
X-HTML-Minification-Powered-By
X-Microcachable
X-Soup
X-Cache-Remote
Node
X-Oss-Storage-Class
X-Oss-Server-Time
X-Oss-Hash-Crc64ecma
X-No-Session
X-Oss-Request-Id
X-Oss-Object-Type
X-Request-Time
X-Cdn
X-Backend-TTL
X-EC-Lua
X-Dc
X-Varnish-Hits
X-Generated-By
X-Pinterest-Direct
X-Akamai-Request-ID
Cf-Ipcountry
Time
X-Drupal-Cache-Tags
X-Geo
X-Pad
X-From
Accept-Language
X-NewRelic-App-Data
X-IPS-LoggedIn
X-CF-Powered-By
X-Azure-Ref
X-Old-Content-Length
X-VCT
Uber-Trace-Id
X-NC
X-URL
X-RTag
X-Amzn-RequestId
Ms-Operation-Id
FilterID
X-Source
X-RateLimit-Limit
X-NWS-UUID-VERIFY
X-Uri
X-CS
X-Edge
Cache-Name
X-MCACHE
X-Cache-Grace
User-Agent
X-PressLabs-Stats
X-UA
X-PCL
X-Newrelic-Synthetics
X-Labrador-Cache-Channel
X-PHP-Host
X-OCL
X-GoCache-CacheStatus
X-Qloud-Router
X-Nginx-Cache
X-Litespeed-Cache
Cache
X-Varnish-Cache-Hits
X-FORWARDED-FOR
X-APP
X-Drupal-Cache-Contexts
Proxy-Connection
X-Edge-Location
X-ECACHE
X-Magnolia-Registration
X-Hyper-Cache
Fastcgi-X-Cache-Version
X-Info
X-Instart-Info
X-B-Cookie
X-GeoIP-Country-Code
X-External-Request-Id
BehaviorPad-Version
X-G
GEO-REGION-INFO
X-FW-Version
X-ARC
Apple-News-Services-Host
X-PAYTM-SRV-ID
X-Cache-Bucket
X-Mid
X-Processor
X-Reboot
Xc-Version
User-Cache-Control
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
X-DPWN-IS-SECURE
Apple-News-Services-Handled
Arc-Country
MD5-Digest
X-A
X-A-Ccd
X-Cdn-Srv
X-Connection-Hash
VivaBuild
X-Application
X-CF-Lambda-Fn
X-A-Dam
X-Aed
X-CF-Lambda-Version
X-Accel-Expires-Debug
X-A-Wwc
X-A-Dcw
X-A-Dgt
Viewtype
True-Client-Country-4JS
X-Destination
X-Region-Sid
X-Developer
Mobile-Detection-Method
Memcached
Meta-Geo-Continent
Rendered-Blocks
Request-Country
ServerName
T-Server
X-D
X-Date
Request-EU
Machine
AsisCache
X-Vtex-Remote-Cache
X-Vtex-Processado-Em
X-S-Cookie
X-S
X-Rojux
X-Transaction
X-Rocket-Nginx-Bypass
X-ScT
X-Session-Fingerprint
X-Tumblr-Pixel-3
X-Trv-Group
X-Twitter-Response-Tags
X-SRCache-Key
X-VG-WebCache
X-Vdms-Version
X-Rewrite-Enabled
X-VG-WebServer
X-Request-UUID
X-Request-URI
X-Cluster-Name
CF-Cached-On
X-CDN-Forward
X-Sucuri-ID
Thinkindot-Control
X-Clara-WADP
X-Sn-Servicetimems
Server-Host
Web-Mar-Node
X-Cache-ASPX
X-Webstats-RespID
X-Wikidot-Backend
X-Fastly-Cache
X-Geo-Header
X-Gamma-Serve
X-Gen-Mode
X-Core-Value
X-Slack-Backend
Gh-Request-Id
X-Fmm-Version
Server-Surrogate-Control
X-Varnish-Authentication
X-We-Are-Hiring
X-Thinkindot-L3
X-Is-Gdpr
Proxy-Firewall
X-TrackingId
X-Trafficlayer-App-Scope
Vix-Hermes-Req-Id
X-Trafficlayer-App-Name
X-Has-Esi
X-VCache
X-Contensis-Viewer-Groups
X-JWT-State
On-Server
X-Generated-On
N-Cache
X-COUNTRY
Server-Cache-Control
Viewport
X-Trafficlayer-App-Version
X-DevSite-Last-Modified
SD-X-WS
X-Request-Host
X-Served-From
X-Wikidot-Static-Cache
X-LI-UUID
X-Server-W
X-Servername
X-GeoIP-City
Cache-Cookie-Set-From
X-ServiceProvider
X-Cdn-Origin
X-Matched-Rule
Thinkindot-CacheControl
X-BBXSRF
X-Backend-State
X-WADP-Cache
X-Auto-Login
X-Micro-Cache
X-Cache-URL
X-Bc-Bl
Cache-Cookie-Set-Lfrom
Cache-Cookie-Set-Idcheck
X-Hnp-Log
X-IN-APIGATEWAY
X-IN-APIGATEWAYSSL
Thinkindot-CacheControl-Type
X-Block-Status
X-Backend-Host
X-VG-TLSProxy
X-LI-Proto
Content-Style-Type
X-Level-Front-Cache
X-Li-Fabric
X-Li-Pop
X-VServer
X-Irp-Debug
Content-Script-Type
Rt-Fastcgi-Cache
X-Cache-Info
X-S-Maxage
X-Storage
X-UnsetCookies
X-Varnish-Ttl
X-CGP
X-Varnish-Cacheable
X-VC-Cache
X-Cache-Tags
X-Cache-PHP
X-Variation
X-Var-Ttl
X-TT-TIMESTAMP
X-Cluster-Node
X-Clientip
X-Core-Mission
X-Swa-Ws
X-Ms-Request-Id
X-Ms-Version
X-Nginx-Cache-Key
X-NodeID
X-Scheme
X-Logging-Id
X-Sigma
X-LAGOON
X-Cache-FS-Status
X-NX-Host
X-Rocket-Build-Number
X-RateLimit-Limit-Second
X-RateLimit-Remaining-Second
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
X-Proxy-Upstream
X-Platform-Server
X-Origin-Date
X-Origin-Expires
X-Owner
X-Hash
X-Sigma-Backend
X-Dispatcher-Server
X-Thanos
X-Distil-CS
X-Distributor
X-Dispatch
X-Device-Os
X-Debug-Cookies
X-Debug-Log
X-Trace-Id
X-Req
X-Epic-Correlation-Id
X-Generated-In
X-SIPLIST1
Heartbleed
X-Skip-Cache
X-SN
X-Eu-Site
X-Fetched-On
Locale
X-CUA
W
X-Urbn-Context-Path
Fastly-Drupal-HTML
Fastly-SIE
Fastly-SWR
Platform
Countrycode
Adler-Geo
Cache-Host
CDCHOST
Country-Code
Mail-Subject
Locid
Is-Eu
X-Urbn-Site-Id
HA-Ipaddr
Ha-Gx-Prefs
IsBot
Kp-EeAlive
FNAC-ModuleRouting
L5d-Success-Class
AKAMAI
A
RNT-Machine
X-Developers
X-Agile-Id
X-Agile-Age
X-Agile
X-Cms-Context
X-App-Name
X-SS-Set-Cookie
X-Bip
X-WebServer
Group
Wxu-Next-Region
X-Generation-Time
Server-ID
RNT-Time
Wxu-Next-Hostname
V-Age
Wxu-Next-Commit
We-Hiring
X-App-Server
X-CSRF-Token
X-Cache-Expired-At
X-Vdms-Path
X-Hit
X-Response-By
X-C
Request-Time
X-Varnish-Beresp-Grace
NM-Fastcgi-Cache
X-Varnish-Beresp-Status
X-Instart-Isnd
X-B3-Spanid
X-Debug-Cache-Fetch
X-RESPONSE-TIME
X-OVcl-Cache
X-OVcl
X-Refresh
X-Debug-Cache-Expiry
X-Debug-Cache-Store
X-Varnish-Beresp-Ttl
Sever-Int
Server-Hostname
Server-Ext
PFcat
X-CLOUD-TRACE-CONTEXT
X-TA-CDN-Provider
X-CACHE-KEY
M-TraceId
Pagetype
X-Node-Id
X-Protected-By
HostName
X-Nc
Mime-Version
X-FPC
X-Parent-Response-Time
X-Time
X-Method
X-Ua-Device
X-Ratelimit-Remaining
X-Worker
X-MSEdge-Features
Powered-By-ChinaCache
X-Via-PopV
Geo-Info
X-Via-PopH
Magicmarker
Origin
X-Varnish-URL
X-MSEdge-Flight
PICS-Label
X-Request-Start
X-SRV
Geoip-City
Pramga
X-Envoy-Upstream-Healthchecked-Cluster
X-Branch-Name
X-Wa
X-Lb-Id
Geoip-Latitude
X-Be
Memory
X-Policy
GeoIp-Country-Code
X-Service
X-ND-Cache
Cloudfront-Viewer-Country
X-GEO
X-Planisys-CDN-Rules
X-SERVER-NAME
X-Planisys-CDN-Cache
X-ECache
X-Planisys-CDN-TTL
XServer
HitType
X-C-Key
X-C-Zone
X-Pjax-Url
X-Load-Cache
Esi-Enabled
X-HS-Status
X-BACKEND-TTL
Environment
X-DC
Who
Dt-Cache-Category
X-Wix-Viewer-Type
Cteonnt-Length
X-Reqid
X-Bc
X-Newrelic-App-Data
X-Azure-Ref-OriginShield
X-Myra-Origin2
X-Zone
X-Via-Ucdn
X-Cdn-Forward
NtCoent-Length
X-Ua
X-CSRF-TOKEN
TTL
X-Referer
Fastly-Backend-Name
X-Country-IP
X-Servedbyhost
X-VCL-Version
X-Up
X-Cache-Metadata
X-Origin-CC
Ttl
X-Vcl-Version
X-Ratelimit-Limit
X-Origin-TTL
SRV
X-Server-Time
Cdn
X-ServedByHost
X-Cache-Host
X-BC
Product
Resin-Trace
X-ZONE
UCS
X-Oneagent-Js-Injection
Pragrma
X-TT-LOGID
Hostname
X-Swift-Error
X-App-Version
X-Pf-Uncompressing
Cdn-Host
Cdn-Request-Time
X-Edge-Server
X-Fastly-Country-Code
X-NGINX-Cache
X-AK-Request-ID
Cdncip
Cdnsip
X-Server-IP
X-Correlation-ID
Release
CACHE
Lb
Load-Balancing
X-Tec-Api-Origin
X-AIR-PT
X-NU-AKA-ACS-Version
FSS-Cache
X-Tec-Api-Version
X-Tec-Api-Root
X-Ruxit-Js-Agent
LB
C-Via
X-SVT-ORM-VERSION
X-Node-ID
X-SVT-ORM-RULES
Sid
X-Datadome
X-PJAX-URL
X-Configured-By
GeoIP-Country-Code
X-WA
X-WPE-Loopback-Upstream-Addr
Warning
Dnion-Transfer-Encoding
GeoIP-Latitude
GeoIP-City
X-Air-Hostname
MIME-Version
Ohc-File-Size
X-Location
X-BE
My-App
X-Cache-Id
X-Tb-Optimization-Total-Bytes-Saved
X-Esi-Check
X-Gzip
X-UPSTREAM-Address
X-Cache-Backend
X-TH-Server
X-Cache-Debug
X-RAMCache
X-Svr
RequestId
Ohc-Cache-HIT
X-Powered-Y
X-Varnish-Url
X-Sucuri-Cache
X-Mvc-Supplant-Cachable
X-VarnishDD-TTL
X-Mvc-Supplant-OutputCached
X-Fpc
X-Fastly-Request-Id
X-Fastly-Backend-Reqs
X-B3-SpanId
Pics-Label
IBM-Web2-Location
Lfy
X-Varnish-Beresp-TTL
X-Apw-Access-Action
X-Apw-Access-Object
X-Apw-Hits
X-Dynatrace-Js-Agent
X-Apw-Access-Token
X-MID
X-Edge-O15-RID
X-ElasticPress-Query
Xet-Cookie
Requestid
X-User
X-LiteSpeed-Cache-Control
CDN
Fastly-SSL
X-Zalando-Child-Request-Id
Server-Int
X-Page-Impression-Id
X-Ocache
X-ElasticPress-Search
X-Agile-Brick-Ok
X-Flow-Id
CF-IPCountry
Cneonction
X-Amzn-Remapped-Date
Processtime
X-SD-PageType
X-Amzn-Remapped-Connection
Powered-By
X-Akamai-ERPolicy
Host-ID
X-Aicache-OS
X-Unique-ID
X-Akamai-ERRuleID
X-Check-Cacheable
X-Debug-Controller
X-B3-Parentspanid
X-Debug-Revision
X-Sucuri-Id
ProcessTime
X-Cache-Tag
DataCenter
X-MiniProfiler-Ids
X-LB-ID
CloudFront-Viewer-Country
X-PF-Uncompressing
X-Dw-Trace-Id
X-Request-Url
URI
X-Request-URL
X-Fastly-Cache-Hits
X-Nananana