Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
X-XSS-Protection
Expect-CT
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Xss-Protection
X-Varnish
X-Request-Id
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-AspNet-Version
X-Runtime
Content-Security-Policy-Report-Only
X-Drupal-Cache
P3p
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Check
X-Cacheable
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
Content-Encoding
X-Envoy-Upstream-Service-Time
X-CONTENT-TYPE-OPTIONS
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-CDN
X-AspNetMvc-Version
Upgrade
X-XSS-PROTECTION
X-Via
CF-Ray
Access-Control-Max-Age
Server-Timing
X-Akamai-Path-Stats
X-Ws-Request-Id
X-Cache-Group
X-Turbo-Charged-By
Keep-Alive
Request-Context
X-Backend
EagleId
X-Dns-Prefetch-Control
X-Robots-Tag
X-Age
X-Server
X-Amz-Request-Id
X-AH-Environment
Host-Header
X-Amz-Id-2
X-Proxy-Cache
X-UA-Device
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Vhost
X-Dispatcher
X-Amz-Version-Id
X-Ua-Compatible
Allow
CONTENT-SECURITY-POLICY
X-LiteSpeed-Cache
EagleEye-TraceId
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Nginx-Cache-Status
X-WebKit-CSP
X-Device
X-OneAgent-JS-Injection
X-Cache-Spec
Cf-Railgun
X-Host
X-Page-Speed
X-Node
X-Server-Id
X-Aws-Lambda-Call-Status
Cf-Edge-Cache
X-CST
X-Pingback
Surrogate-Control
Request-Id
X-Backend-Server
X-Readtime
X-Akam-SW-Version
Accept-CH
X-Response-Time
X-Cache-Lookup
X-HW
Xkey
X-Application-Context
Content-Location
Rating
Accept-CH-Lifetime
X-Cloud-Trace-Context
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Trace
Accept-Ch
X-Url
Accept-Ch-Lifetime
X-Country
Fastly-Restarts
X-Ruxit-JS-Agent
X-MS-InvokeApp
X-Rack-Cache
X-Mod-Pagespeed
X-Clacks-Overhead
X-Vname
X-TtlSet
X-PC
RTSS
Edge-Control
X-Varnish-TTL
X-VARITI-CCR
X-Amz-Server-Side-Encryption
X-Server-Name
X-FastCGI-Cache
Cache-Tag
X-ASPNET-VERSION
X-Vcap-Request-Id
X-ESI
X-Content-Type
X-B3-TraceId
X-Dw-Request-Base-Id
X-GoogleNews-Bot
X-Cdn-Fetch
X-Exp-Variant
X-Kinja
X-Kinja-Revision
X-Use-Magma
X-Kinja-Server
X-Exp-Id
X-Kinja-Build
X-Edge
X-Amz-Rid
X-Px
Public-Key-Pins
X-D2id
X-Cnection
X-Ser
X-Navigation-Version
X-Ac
X-Sol
X-Middleton-Display
X-Powered-By-Plesk
Display
Pagespeed
X-Client-IP
X-Element-Page-Cache
X-Abt-Application-Version
Verso
X-Version
Arr-Disable-Session-Affinity
X-Content-Security-Policy-Report-Only
X-Litespeed-Cache
X-Cache-TTL
X-GitHub-Request-Id
X-RateLimit-Remaining
X-Country-Code
Service-Worker-Allowed
X-Middleton-Response
Response
X-NF-Request-ID
X-Ttl
X-Goog-Hash
Access-Control-Request-Method
SPRequestDuration
SPIisLatency
X-Cached
X-Kinsta-Cache
X-Correlation-Id
X-Edge-Location-Klb
X-SharePointHealthScore
SPRequestGuid
AR-Request-ID
AR-PoweredBy
AR-CACHE
AR-ATIME
AR-SID
X-Powered-CMS
X-Server-Lifecycle-Phase
X-Kraken-Loop-Name
X-Instrumentation
X-LLID
X-Upstream
Edge-Cache-Tag
X-TTL
X-Forwarded-For
X-NWS-LOG-UUID
X-Ruxit-Js-Agent
Content-MD5
Nginx-Cache
X-Cache-Key
X-Id
X-Shield-Request-Id
X-MSEdge-Ref
X-RateLimit-Limit
X-WebKit-CSP-Report-Only
TCN
X-ECACHE
X-TEC-API-ORIGIN
MRF-Tech
X-TEC-API-ROOT
X-TEC-API-VERSION
Mrf-Cache-Status
X-T
X-Recruiting
S
X-Content-Digest
X-B3-TraceId-Primal
X-Daa-Tunnel
X-Mg-S
X-Ua-Device
X-SRCache-Fetch-Status
X-SRCache-Store-Status
TP-L2-Cache
TP-Cache
X-Accel-Expires
X-Grace
X-Jurisdiction
X-HP-Webp
X-HP-Trace-Id
X-HS-Content-Id
X-HS-Combine-CSS
X-Frontend
X-DynaTrace
X-HS-Hub-Id
X-HS-Cache-Config
MicrosoftSharePointTeamServices
X-Request-Received
X-Request-Processing-Time
Front-End-Https
X-DataDome
X-Ezoic-Cdn
X-Content
X-Ab
X-Ua-Browser
X-Yandex-Sdch-Disable
Filters
Server-Node
X-Protected-By
X-Origin-Server
X-PressLabs-Stats
X-Distributor
MS-Author-Via
X-Hits
X-Mcache
Fastcgi-Cache
X-Geo-Country
X-LB-Cache
X-Mid
X-Webkit-Csp
X-Microsite
X-Request-Handler-Origin-Region
X-ORACLE-DMS-ECID
X-Tt-Trace-Host
X-Tt-Trace-Tag
X-Amzn-Trace-Id
X-ORACLE-DMS-RID
Charset
Cleartype
X-Debug-Info
Host
X-F-Cache
X-Git-Hash
X-Forwarded-Proto
X-B3-Sampled
Cross-Origin-Opener-Policy
X-Page-Id
X-Ratelimit-Reset
Cache-Status
X-Cache-Age
X-Seen-By
Realpath
X-Fastly-Request-Id
X-Webkit-CSP
X-DIS-Request-ID
X-Activity-Id
X-AppVersion
X-Az
X-Server-ID
Access-Control-Allow-Method
X-Www-Served-By
Accept-Charset
ServerID
X-Aspnetmvc-Version
Filterid
X-Nginx-Upstream-Cache-Status
X-Varnish-Age
Cache-Tags
X-Pinterest-Rid
Pinterest-Generated-By
Pinterest-Version
X-Cluster-Name
Permissions-Policy
X-Rid
X-Content-Options
Retry-After
X-Type
X-FB-Debug
Country
X-Varnish-Backend
X-App-Environment
X-Tb
Server-Name
Viewport
X-Oracle-Dms-Ecid
X-B-Cache
X-Flags
X-Drupal-Cache-Tags
X-Route-Name
X-Oneagent-Js-Injection
X-Oracle-Dms-Rid
X-Signature
X-Is-Crawler
X-Wix-Request-Id
DC
X-Aspnet-Duration-Ms
X-Providence-Cookie
X-User-Agent
Paypal-Debug-Id
X-Request-Guid
X-B
X-GUploader-UploadID
X-Goog-Stored-Content-Length
X-Language
X-TT
X-Goog-Metageneration
X-Goog-Storage-Class
X-Goog-Stored-Content-Encoding
X-Goog-Generation
X-Varnish-Grace
X-Upgrade-Enabled
X-VCache
X-Whom
Node
Fastcgi-Useragent
X-Kong-Upstream-Latency
X-Amz-Meta-S3cmd-Attrs
X-Origin-Cache
X-Kong-Proxy-Latency
X-Mobile-URL
X-Debug
X-NWS-UUID-VERIFY
Protected
X-N
X-Amz-Replication-Status
X-Logged-In
X-Cache-NGX
Payment
X-XRDS-LOCATION
X-Load-Cache
WPO-Cache-Message
X-Midtier
Surrogate-Key
Amp-Access-Control-Allow-Source-Origin
WPO-Cache-Status
X-MCACHE
X-XRDS-Location
X-Cache-Control
X-Via-JSL
Count-Hit
X-Contextid
Healthy
X-Node-Name
X-Restarts
Alternate-Protocol
X-Mobile
X-Erf-Bev-Bev-Is-Generated
X-Erf-Bev-Bev
X-NGENIX-Cache
X-Browser-Type
X-FW-Type
X-FW-Server
X-FW-Dynamic
X-FW-Static
X-FW-Serve
X-FW-Hash
X-Proxy
Content-Disposition
X-Response-Served-From
SD-X-WS
X-Original-Request-Id
Akamai-GRN
Refresh
X-G
X-Ratelimit-Remaining
Url
X-Revision
X-Zen-Fury
X-Jobs
X-Page-View
X-Servername
X-Cache-TTL-Remaining
X-Adobe-Loc
X-Real-IP
X-UUID
X-Adobe-Content
X-Datadome
X-Cache-Time
X-Instance
X-Http-Reason
X-Framework
X-Akamai-Request-ID2
X-Cacheable-TTL
X-Debug-IsConnected
X-Debug-IsPreview
NGB
X-Drupal-Cache-Contexts
VIX-Pulpo-Upstream-Status
X-Cache-Grace
X-Template
X-Rendered-As
X-Is-Bot
X-Proxy-Cache-Status
VIX-Pulpo-Node
Uber-Trace-Id
X-Mg-Request-UUID
X-Yottaa-Metrics
X-Yottaa-Optimizations
Access-Control-Request-Headers
X-Device-Type
X-Varnish-Server
X-L-Path
X-Environment-Context
X-ECache
X-Hostname
X-Source
X-HTML-Minification-Powered-By
X-B3-Traceid
X-IPLB-Instance
Version
X-EdgeConnect-Cache-Status
X-RTag
Frame-Options
Ms-Operation-Id
MS-CV
X-Fastly-Request-ID
Accept-Language
Referer-Policy
Countrycode
Liferay-Portal
X-Trace-Id
X-NYM-Debug-Backend
X-Cache-Hit
X-Cache-Expired-At
X-App-Server
X-Cache-Rule
From-Origin
Cross-Origin-Window-Policy
X-Vgn-Hpd-Reason
X-APP-VERSION
Backend
X-Tumblr-Pixel
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel-1
X-COUNTRY
X-IPS-LoggedIn
X-Hosted-By
X-Nginx-Cache
X-Ratelimit-Limit
X-Unique-Id
Content-Secure-Policy
X-FW-Version
X-UPSTREAM-Address
Meta-Geo
Section-Io-Cache
X-RN-RSRV
Load-Balancing
CF-IPCountry
X-Status
WP-Super-Cache
X-Labrador-Cache-Channel
X-Cache-Server
X-PCL
X-FB-TRIP-ID
X-Generation-Time
Upgrade-Insecure-Requests
X-OCL
X-Ua
X-Redis-Cache
X-PHP-Host
TWC-Device-Class
Webcakes-Region
X-Section
X-Access
Azure-Version
X-Sql-Count
X-AOL-HN
Webcakes-App-Name
S-Rt
Property-Id
TWC-Locale-Group
Fastly-SSL
TWC-Privacy
X-Sql-Duration-Ms
TWC-Connection-Speed
TWC-GeoIP-LatLong
Webcakes-App-Version
X-Cache-Enabled
Azure-RegionName
Azure-InstanceId
X-Varnish-Cache-Hits
X-No-Session
Azure-SiteName
X-Origin-Hint
X-PHP-Backend
X-ProcessESI
X-Format
X-RemovedCookies
X-Via-Fastly
X-Region
Azure-SlotName
X-Uri
Apigw-Requestid
X-Request-Time
TWC-GeoIP-Country
X-Content-Age
X-Mode
X-Generated-By
X-Debug-Cache
X-Content-Powered-By
X-GG-Cache-Date
X-Human
X-Nginx-Cache-Key
X-Locale
X-Cms-Context
X-Cluster-Node
X-Akamai-Edgescape
X-Adobe-Source
Mn-Server-Ip
X-ApacheServer
X-Be
X-Origin-Date
X-Cache-Host
Locale
X-Platform-Server
X-AWS-Id
X-Xfnlog-Site
X-Urbn-Site-Id
X-JoinUs
X-LJ-Flow-ID
X-VWS-Id
X-VC-Cache
X-SaId
X-Urbn-Context-Path
X-UA-Device-Type
X-Say-TTL
X-Say-Cacheable
Eomportal-Instance
X-SayCDN-TTL
X-Server-W
X-Storage
X-Site-Version
X-PERF
X-Forwarded-Host
X-Sorting-Hat-PodId
X-ShopId
X-ShardId
X-Alternate-Cache-Key
X-Sorting-Hat-ShopId
X-Shopify-Stage
X-GeoCountry
X-NewRelic-App-Data
X-Handled-By
X-BYPASS-REASON
X-GeoCode
X-Cache-Tags
X-ProxyCache-Key
X-Detected-As
X-Extlb
X-Cache-Type
X-Proxied
X-Web-Node
X-Routing-Service
X-Varnishpool
X-Tid
X-Zipkin-Id
X-ProxyCache-Status
X-Storefront-Renderer-Rendered
X-Hl-Ver
Cache-Tv-Group
X-Backend-Name
X-Edge-Location
Selected-Fe
X-Timing-Wait
CDN-EdgeStorageId
CDN-Uid
Ec-Rule-Version
X-Proxy-Build
CDN-Cache
CDN-RequestId
CDN-CachedAt
CDN-PullZone
CDN-RequestCountryCode
X-ServerID
X-Proto
ServedBy
Fastly-Drupal-Html
X-Dc
X-Cache-Action
Webserver
Web-Mar-Node
X-CDN-Forward
X-LSADC-Cache
Onion-Location
SRV
X-GEO
X-Parallel-Accel
X-Cached-By
X-Cache-Remote
X-Hyper-Cache
X-App-Version
Mime-Version
Cache-Hits
X-Varnish-Hostname
X-Fastcgi-Cache
X-Magnolia-Registration
X-IPLB-Request-ID
X-Rule
X-Cdn
SID
X-Cache-Operation
X-Tt-Logid
X-Rewrite-Enabled
X-Cluster
X-SRV
X-Air-Trace-Id
X-Soup
X-Air-Hostname
X-Air-Source
X-Envoy-Decorator-Operation
X-Varnish-Hits
X-Origin-CC
X-Origin-TTL
LB
Xserver
X-Pubstack
X-Accel-Buffering
X-Microcachable
Xet-Cookie
X-TT-LOGID
X-Tumblr-Pixel-3
Country-Code
X-Tumblr-Pixel-2
Cache
DB-Nickname
X-Reqid
Source
X-TA-CDN-Provider
X-Buckets
X-MP-GENERATED-AT
Server-Info
Decoy-Debug-Key
Decoy-Debug-Status
Decoy-Debug-TTL
X-Amz-Apigw-Id
X-Request-Host
X-Origin-Response-Time
X-CSRF-Token
X-Amzn-RequestId
X-Via-NSCOPI
X-B3-SpanId
X-Tx-Id
X-Endurance-Cache-Level
Mobile-Detection-Method
Pramga
X-VG-WebCache
Rendered-Blocks
Odigeo-Trace-Id
Cmstype
Cdncip
Cdnsip
Cmsid
Candidate-Md5Url
Cache-Key
X-Skip-Cache
A
BehaviorPad-Version
DCR-Decision-By
DCR-Processing-Time-Ms
Xc-Version
Meta-Geo-Continent
X-Vtex-Remote-Cache
MD5-Digest
Lang
Expiry
Fastcgi-X-Cache-Version
Host-ID
X-Vtex-Processado-Em
X-SD-PageType
X-Ec-GeoHdr
X-Ec-Fail
X-Epic-Correlation-Id
X-Esi-Check
X-External-Request-Id
X-ScT
X-Developer
X-Conf
X-CF-Lambda-Version
X-Connection-Hash
X-D
X-Destination
X-Forwarded-Path
X-Ftr-Request-Id
X-PAYTM-SRV-ID
X-Orig-Expires
X-PBS-Appsvrname
X-Processor
X-Rojux
X-NAPM-TraceId
X-Ig-Push-State
X-Geo-Header
X-Gzip
X-HS-Content-Campaign-Id
X-S-Cookie
X-CF-Lambda-Fn
X-Cdn-Srv
X-Tenant
X-TIM-N
X-SRCache-Key
X-A-Dam
X-A-Dcw
X-A-Ccd
X-User
X-Vdms-Version
Surrogated-Key
X-Vdms-Path
T-Server
X-A-Dgt
X-A-Wwc
X-Session-Fingerprint
X-BCube-Filmed-By
X-Cache-Id
X-Cache-NE
X-S
X-B-Cookie
X-Shop-Environment
X-Aed
X-AK-Request-ID
X-Application
X-ARC
Sslversion
X-A
DynaTrace
X-Newrelic-Synthetics
Datacenter
X-Cache-Status-Check
X-SB
X-Ckpd-Fst-Backend
Producers
Wxu-Next-Commit
X-Loop
X-Via-Ucdn
Platform
X-Clara-WADP
X-Core-Mission
Machine
X-DefElseHash
NM-Fastcgi-Cache
X-Is-Gdpr
X-Core-Value
Environment
X-DefHash
X-Has-Esi
X-Hash
X-TNCMS
X-Amzn-Remapped-Content-Length
Is-Eu
X-JWT-State
X-RateLimit-Remaining-Second
X-TrackingId
X-Bc-Bl
Wxu-Next-Region
Fastly-GeoIP-CountryCode
X-RateLimit-Limit-Second
X-SVT-ORM-VERSION
Wxu-Next-Hostname
X-Cache-Bucket
X-Scheme
X-Cache-Backend
X-Cache-Info
X-Developers
X-Ad-Defer-Variation
XM
State
X-Varnish-CookieINHashed-On
VNS-Cache
X-Nyt-Route
X-SVT-ORM-RULES
VNS-Age
X-Origin
X-Origin-Expires
X-Fetched-On
X-Fmm-Version
X-Varnish-Remaining-TTL
X-Varnish-Ttl
X-Fastly-Cache
X-Origin-Time
X-V-Cache
CPC-Cache
CPC-Age
X-WADP-Cache
X-Azure-Ref
Server-Host
X-Node-Id
Adler-Geo
X-Device-Os
AKAMAI
X-DPWN-IS-SECURE
X-NodeID
X-Variation
X-Gdpr
X-Worker
X-Wix-Viewer-Type
X-Varnish-CookieHashed-On
X-NCache
X-Ms-Version
X-Ms-Request-Id
X-RCS-CacheZone
X-Planisys-CDN-Rules
X-Httpd
X-Xrds-Location
Vix-Hermes-Req-Id
Thinkindot-Control
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
Traceparent
X-Policy
Web-Mar-Region
V-Age
User-Cache-Control
X-Varnish-Beresp-Grace
X-CacheTTL
X-Ec-Custom-Error
X-ZONE
X-Gen-Mode
X-Dispatcher-Number
X-Proxy-Upstream
X-Generated-On
X-Gamma-Serve
X-Sigma
X-Sigma-Backend
X-Forwarded-Site
X-SIPLIST1
X-Slack-Backend
X-Sn-Servicetimems
X-GeoIP
X-GeoIP-City
X-HN
X-Auto-Login
X-Aicache-OS
X-Rebelmouse-Cache-Control
X-Hnp-Log
X-BBC-Edge-Cache-Status
X-Block-Status
X-Proxy-Cache-Info
X-Thinkindot-L3
X-Cdn-Origin
TDXMobile
X-Cache-Date
X-Pool
Server-Hostname
Fastcgi-Cache-TTL
X-Loc
X-Request-URI
X-Wikidot-Backend
X-Minions-Version
Svr
Fastly-SIE
Fastly-SWR
Gh-Request-Id
X-SplitTest
We-Hiring
Mail-Subject
X-Region-Sid
X-Wikidot-Static-Cache
X-Mvc-Supplant-Cachable
X-Rocket-Build-Number
CDCHOST
Apple-News-Services-Parsed-Url
X-Platform
Apple-News-Services-Request-Url
X-Time
X-Served-From
X-VServer
Apple-News-Services-Host
Apple-News-Services-Handled
X-Rocket-Nginx-Serving-Static
Cluster
CloudFront-Viewer-Country
X-Viewer-Country
IsBot
X-Pod-Name
X-Planisys-CDN-TTL
Release
PFcat
Origin-EX
Origin
Kp-EeAlive
Req-Svc-Chain
Server-Ext
X-Planisys-CDN-Cache
X-VarnishDD-TTL
X-Rebelmouse-Surrogate-Control
Sever-Int
X-Qloud-Router
X-Irp-Debug
Redirect-Candidate
Origin-CC
X-Level-Front-Cache
Ohc-File-Size
Fastly-Backend-Name
L
NGX
Memcached
X-LAGOON
X-VG-TLSProxy
N-Cache
X-EC-Lua
Cache-Name
CDN
HostName
X-Eu-Site
X-WA-Info
X-Owner
X-R9-Blue-Green-Version
X-Optimistic-Header
X-Micro-Cache
DSUID
Ha-Gx-Prefs
X-Datadog-Trace-Id
HA-Ipaddr
L5d-Success-Class
Ssr
X-Server-IP
X-Branch-Name
X-Scale
X-Csrf-Jwt
X-CGP
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
X-AIR-PT
GEO-INFO
Pics-Label
X-Refresh
X-Parent-Response-Time
X-CS
X-WP-CF-Super-Cache-Cache-Control
X-WP-CF-Super-Cache
X-VC
X-CACHE-KEY
X-Cache-ASPX
X-NC
X-Ah-Environment
Path
X-From
X-Webstats-RespID
X-Contensis-Viewer-Groups
Ms-Author-Via
X-TIME
X-Tb-Optimization-Total-Bytes-Saved
Servername
X-Varnish-Authentication
X-Location
Env
Ngx.Var.Host
X-LB-NoCache
Locid
X-Udemy-Cache-App-Namespace
X-Edge-Pop
X-Mvc-Supplant-OutputCached
Cache-Host
X-Servedbyhost
X-Correlation-ID
Lb
XkeyRZ
X-Proxy-CacheRZ
X-Men
X-Srv
X-Response-By
X-Via-Popn
Arc-Country
X-TraceId
X-Amz-Meta-Cb-Modifiedtime
X-Via-Poph
X-Via-Popv
Ohc-Cache-HIT
ITXSESSIONID
Time
X-Old-Content-Length
X-Clientip
X-API-Version
X-Generated-In
X-Varnish-Beresp-TTL
X-Akamai-Transformed
Memory
X-Trace-ID
AMP-Access-Control-Allow-Source-Origin
X-DB
X-Accel-Expires-Debug
X-DI
GeoIp-Country-Code
X-RPS
X-RateLimit-Reset
X-DW
X-RSL
X-DSS
X-Date
Client
X-HA-Backend
X-S-Maxage
X-RPM
True-Client-IP
X-Vc
X-VCL-Version
X-VHOST
X-Cs
X-Tec-Api-Version
X-Tec-Api-Root
Geoip-Latitude
X-GeoIP-Region-Code
X-GeoIP-Country-Code
X-DC
X-Tec-Api-Origin
Server-ID
X-URL
X-Cache-Debug
FSS-Cache
Hostname
X-Presslabs-Stats
X-MSEdge-Flight
X-Dmc
X-Api-Version
X-MSEdge-Features
X-Render-Time
X-Fpc
Fusion-Content-Source
Fusion-Deployment-Id
Fusion-Content-Id
Fusion-Component-Id
Fusion-Source
Fusion-Template-Id
X-Zone
X-FireWall-Port
X-INCAP-ABP
X-DynaTrace-JS-Agent
X-TRACE-ID
Powered-By
C-Via
NtCoent-Length
CacheControlHeader
Rip
X-Webkit-Csp-Report-Only
X-Service
X-M-Reqid
X-TX-ID
X-Qnm-Cache
X-TH-Server
Tube-Got-Eval
X-B3-Spanid
X-Gateway-Cache-Status
X-PX
Tube-Get-Contents
X-Gateway-Cache-Key
X-Action
X-Gateway-Request-Id
Click-Count-Error
Click-Count-Action-Start
Tube-Got-Results
Tube-Return
X-M-Log
True-Client-Country-4JS
X-Gateway-Skip-Cache
X-CSRF-TOKEN
X-Traceid
On-Server
Esi-Enabled
HIT
X-Backend-TTL
Tcn
Test
X-NGINX-Cache
X-Alfa-Service
X-FPC
Edge-Cache
X-Cdn-Request-ID
X-Pass-Why
X-Beluga-Cache-Status
X-Beluga-Node
X-Req
Geo-Info
X-Check-Cacheable
User-Agent
X-Beluga-Record
X-Beluga-Response-Time
X-Beluga-Status
X-Vcl-Version
X-Esi
X-Beluga-Trace
Server-Id
OT-Force-Account-Verify
X-HS-Status
X-Origin-Upstream-Status
X-Edge-Origin-Shield-Bytes
X-Akamai-Pragma-Client-IP
X-Edge-Origin-Shield-Region
Cdn
X-Proxy-Cache-Hk
My-App
GeoIP-Latitude
Uri
Srvid
X-Via-PopN
X-Via-PopV
X-Via-PopH
Resin-Trace
X-Ha-Backend
Cf-Int-Pingora-Origin-Digest
Srv
GeoIP-Country-Code
X-CLOUD-TRACE-CONTEXT
X-Varnish-Beresp-Ttl
Proxy-Connection
Sid
X-APP
X-Up
M-TraceId
X-Webkit-CSP-Report-Only
DT-Hot-News
X-Provided-By
X-Hcs-Proxy-Type
Epwk-X-Cache
X-CCDN-CacheTTL
X-ServedByHost
MIME-Version
X-CCDN-Origin-Time
X-LB-ID
X-App
X-Cdn-Forward
WebServer
ENV
X-Backend-Host
X-Fastly-Backend-Reqs
X-LI-Proto
X-Li-Pop
X-Li-Fabric
Server-Ttl
X-Edge-POP
X-LI-UUID
Warning
X-Geo
X-Bip
X-Thanos
X-RAMCache
X-Akamai-Request-ID
X-UnsetCookies
X-Fetch-By
X-B3-Traceid-Primal
X-Lb-Nocache
ServerName
XServer
X-HostName
X-CF-Powered-By
PICS-Label
WZWS-RAY
True-Client-Ip
X-Newrelic-App-Data
X-Vercel-Cache
X-ElasticPress-Query
X-HITS
CF-Cached-On
X-Vercel-Id
X-Nc
X-ND-Cache
X-Request-Start
X-Serial
Section-Io-Id
Section-Io-Origin-Status
Section-Origin-Responded
Section-Io-Origin-Time-Seconds
X-Time-Microsecs
X-Yottaa-OS
X-Dw-Trace-Id
X-Request-Url
X-Cc-Via
Fastly-Drupal-HTML
X-LiteSpeed-Cache-Control
DataCenter
X-CUA
Cf-Device-Type
X-IN-APIGATEWAY
Inserted-Into-Cache-At
X-Iplb-Instance
D-Url-Rewrites
X-IN-APIGATEWAYSSL
X-Vcache
X-Iplb-Request-Id
Dt-Hot-News
Servedby
Cdn-Uid
Cdn-Requestid
Cdn-Requestcountrycode
Cdn-Cache
Cdn-Cachedat
Cdn-Pullzone
X-Air-Pt
Cdn-Edgestorageid
Wp-Super-Cache
X-Snapshot-Date
Hit
X-Wp-Cf-Super-Cache-Cache-Control
X-LiteSpeed-Tag
X-MiniProfiler-Ids
Vha6-Origin
X-Request-URL
Content-Script-Type
X-Sucuri-Cache
Content-Style-Type
X-Back
X-Platform-Router
CountryCode
X-Sucuri-ID
X-BBC-Origin-Response-Status
X-Dist-Code
X-Azure-Ref-OriginShield
X-Var-Ttl
X-Th-Server
X-Platform-Processor
Tracecode
X-ATG-Version
Target-Params
Fastcgi-Cache-Ttl
X-Fastly-Cache-Hits
X-Fastly-Backend
X-Release
X-Platform-Cluster
X-Storefront-Renderer-Verified
X-Fragments
X-FC-Vary-Parameters
X-Wp-Cf-Super-Cache