Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Cf-Request-Id
CF-RAY
CF-Cache-Status
Accept-Ranges
Link
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
Report-To
NEL
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
P3P
Alt-Svc
X-UA-Compatible
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Request-Id
X-Varnish
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-FRAME-OPTIONS
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Check
X-Cacheable
Timing-Allow-Origin
X-Content-Security-Policy
Feature-Policy
X-Iinfo
X-Request-ID
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-CDN
Access-Control-Expose-Headers
X-Drupal-Dynamic-Cache
X-AspNetMvc-Version
X-CONTENT-TYPE-OPTIONS
Upgrade
X-Via
X-XSS-PROTECTION
X-Ws-Request-Id
Access-Control-Max-Age
Server-Timing
P3p
X-Cache-Group
X-Turbo-Charged-By
EagleId
X-Backend
Keep-Alive
Request-Context
X-Age
X-Server
X-Robots-Tag
X-AH-Environment
X-UA-Device
X-Proxy-Cache
Host-Header
X-Amz-Request-Id
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Dns-Prefetch-Control
X-Swift-CacheTime
X-Swift-SaveTime
X-Server-Powered-By
Ali-Swift-Global-Savetime
X-Varnish-Cache
X-Vhost
X-Amz-Version-Id
X-LiteSpeed-Cache
CONTENT-SECURITY-POLICY
X-Ua-Compatible
X-WebKit-CSP
EagleEye-TraceId
X-Nginx-Cache-Status
X-Dispatcher
X-OneAgent-JS-Injection
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Cache-Spec
X-Device
Cf-Railgun
X-Page-Speed
X-Host
Allow
X-Node
X-Akamai-Path-Stats
X-Pingback
X-Server-Id
Accept-CH
X-Backend-Server
Surrogate-Control
X-Aws-Lambda-Call-Status
Request-Id
X-CST
X-Akam-SW-Version
X-Readtime
X-HW
X-Cache-Lookup
X-Response-Time
Accept-CH-Lifetime
X-Application-Context
Xkey
Content-Location
X-ASPNET-VERSION
X-Cloud-Trace-Context
Rating
X-Trace
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Url
X-Country
Cf-Edge-Cache
Fastly-Restarts
Accept-Ch-Lifetime
X-PC
X-Vname
X-TtlSet
X-Ruxit-JS-Agent
X-Mod-Pagespeed
X-Server-Name
X-MS-InvokeApp
X-Rack-Cache
X-Clacks-Overhead
Edge-Control
X-Content-Type
RTSS
X-Varnish-TTL
X-ESI
X-VARITI-CCR
Cache-Tag
X-Vcap-Request-Id
X-Px
X-B3-TraceId
X-Ac
X-Kinja-Build
X-Kinja-Revision
X-Kinja-Server
X-Use-Magma
X-Kinja
X-GoogleNews-Bot
X-Cdn-Fetch
X-Exp-Id
X-Exp-Variant
X-Amz-Rid
Public-Key-Pins
X-Cnection
X-Dw-Request-Base-Id
X-Element-Page-Cache
Verso
X-D2id
X-Cache-TTL
X-Amz-Server-Side-Encryption
X-Navigation-Version
X-RateLimit-Remaining
Accept-Ch
X-Abt-Application-Version
X-Client-IP
X-Powered-By-Plesk
Service-Worker-Allowed
X-FastCGI-Cache
X-Sol
Display
X-Middleton-Display
Pagespeed
X-Country-Code
X-Ser
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
X-Ruxit-Js-Agent
X-Version
X-NF-Request-ID
Access-Control-Request-Method
Response
X-Middleton-Response
X-Goog-Hash
X-Edge
X-Upstream
X-Correlation-Id
AR-SID
AR-PoweredBy
AR-Request-ID
AR-CACHE
AR-ATIME
X-Kinsta-Cache
X-Edge-Location-Klb
X-Ttl
X-Cached
X-Webkit-Csp
MS-Author-Via
X-TTL
X-LLID
SPIisLatency
X-Kraken-Loop-Name
X-Instrumentation
X-Server-Lifecycle-Phase
SPRequestDuration
Nginx-Cache
X-NWS-LOG-UUID
X-Powered-CMS
X-RateLimit-Limit
Edge-Cache-Tag
TCN
X-Cache-Key
X-Litespeed-Cache
Mrf-Cache-Status
MRF-Tech
X-MSEdge-Ref
X-Forwarded-For
SPRequestGuid
X-SharePointHealthScore
Content-MD5
X-Shield-Request-Id
X-Id
X-B3-TraceId-Primal
X-Content-Security-Policy-Report-Only
X-T
X-Daa-Tunnel
X-Recruiting
S
X-Mg-S
X-Protected-By
X-Language
X-HP-Trace-Id
X-Jurisdiction
X-Content-Digest
X-HP-Webp
X-Ua-Device
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
X-Frontend
X-HS-Content-Id
X-HS-Cache-Config
X-HS-Hub-Id
X-Content
Server-Node
X-Ab
X-Yandex-Sdch-Disable
X-Ua-Browser
X-Request-Processing-Time
Front-End-Https
X-Request-Received
X-Ezoic-Cdn
X-HS-Combine-CSS
Filters
X-TEC-API-ROOT
X-TEC-API-VERSION
X-TEC-API-ORIGIN
MicrosoftSharePointTeamServices
X-Grace
Fastcgi-Cache
X-Accel-Expires
X-DataDome
X-Mid
X-Server-ID
X-Template
X-ECACHE
X-Geo-Country
X-Pinterest-Rid
Pinterest-Generated-By
Pinterest-Version
X-Hits
X-Ratelimit-Reset
X-Debug-Info
X-Origin-Server
TP-L2-Cache
TP-Cache
X-Distributor
X-Tt-Trace-Tag
X-Amzn-Trace-Id
X-Tt-Trace-Host
Charset
Cleartype
Host
X-Page-Id
X-Git-Hash
X-F-Cache
X-DIS-Request-ID
X-DynaTrace
X-B3-Sampled
X-Www-Served-By
Cross-Origin-Opener-Policy
X-MCACHE
Cache-Tags
ServerID
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-LB-Cache
X-Forwarded-Proto
Access-Control-Allow-Method
X-PressLabs-Stats
Server-Name
X-Cache-Age
X-Seen-By
Realpath
X-Cluster-Name
X-Origin-Cache
X-WebKit-CSP-Report-Only
X-AppVersion
X-Activity-Id
X-Az
X-Varnish-Age
Accept-Charset
X-Aspnetmvc-Version
X-Rid
X-Content-Options
Filterid
X-Type
X-Request-Handler-Origin-Region
X-FB-Debug
X-Upgrade-Enabled
X-Microsite
X-Mobile-URL
X-App-Environment
Cache-Status
X-Via-JSL
X-Varnish-Grace
Country
X-User-Agent
Node
Viewport
X-Tb
X-Wix-Request-Id
X-Signature
X-Whom
X-Route-Name
X-Drupal-Cache-Tags
Paypal-Debug-Id
DC
X-B-Cache
X-Flags
X-Providence-Cookie
X-Is-Crawler
X-Request-Guid
X-Aspnet-Duration-Ms
X-TT
X-NWS-UUID-VERIFY
X-Goog-Metageneration
X-Goog-Storage-Class
X-Goog-Generation
X-Oracle-Dms-Ecid
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length
X-VCache
X-GUploader-UploadID
X-Oracle-Dms-Rid
X-XRDS-LOCATION
Fastcgi-Useragent
Protected
X-Nginx-Upstream-Cache-Status
X-Fastly-Request-ID
Retry-After
X-Varnish-Backend
X-Contextid
X-Amz-Replication-Status
Payment
X-Cache-NGX
X-B
X-Fastly-Request-Id
X-N
X-Debug
X-Fastcgi-Cache
X-FW-Type
X-FW-Static
X-FW-Server
X-FW-Dynamic
X-FW-Serve
X-FW-Hash
X-Parallel-Accel
X-Logged-In
X-XRDS-Location
X-Hostname
WPO-Cache-Status
WPO-Cache-Message
X-Load-Cache
Surrogate-Key
X-B3-Traceid
Amp-Access-Control-Allow-Source-Origin
X-Cache-Control
X-Node-Name
X-Erf-Bev-Bev
X-Browser-Type
X-Erf-Bev-Bev-Is-Generated
X-Buckets
X-Mobile
Count-Hit
X-Response-Served-From
SD-X-WS
X-Original-Request-Id
X-Proxy
Akamai-GRN
X-Jobs
X-Akamai-Request-ID2
X-Cache-Rule
X-Zen-Fury
X-IPLB-Instance
X-Rendered-As
Uber-Trace-Id
VIX-Pulpo-Node
X-Is-Bot
VIX-Pulpo-Upstream-Status
X-Cache-Time
X-UUID
X-G
X-Revision
X-Http-Reason
X-Real-IP
X-Framework
Refresh
X-Page-View
Alternate-Protocol
Healthy
X-Cacheable-TTL
X-Yottaa-Optimizations
X-Yottaa-Metrics
X-Instance
X-Drupal-Cache-Contexts
X-Proxy-Cache-Status
X-Debug-IsPreview
NGB
X-Vgn-Hpd-Reason
X-Debug-IsConnected
Access-Control-Request-Headers
X-Cache-TTL-Remaining
X-Device-Type
From-Origin
X-Trace-Id
Content-Disposition
X-Adobe-Loc
X-Amz-Meta-S3cmd-Attrs
X-Adobe-Content
X-Source
Url
X-Cache-Expired-At
Version
X-Servername
X-Cache-Grace
Referer-Policy
X-Cache-Hit
Accept-Language
X-Varnish-Server
X-App-Server
X-Oneagent-Js-Injection
X-L-Path
X-Environment-Context
X-Ratelimit-Remaining
X-FW-Version
X-EdgeConnect-Cache-Status
X-Cache-Action
X-Mg-Request-UUID
Cross-Origin-Window-Policy
X-NGENIX-Cache
Permissions-Policy
MS-CV
X-RTag
Ms-Operation-Id
X-RemovedCookies
X-Hyper-Cache
X-ProcessESI
X-IPS-LoggedIn
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Tumblr-User
X-Tumblr-Pixel-1
X-ECache
Countrycode
X-Restarts
CF-IPCountry
Backend
X-NYM-Debug-Backend
Content-Secure-Policy
X-Rule
Liferay-Portal
X-Nginx-Cache
Ec-Rule-Version
X-COUNTRY
WP-Super-Cache
X-Datadome
X-OCL
X-Cache-Server
X-PCL
X-Redis-Cache
X-RN-RSRV
X-UPSTREAM-Address
Meta-Geo
Upgrade-Insecure-Requests
X-Unique-Id
X-Format
X-Access
Apigw-Requestid
X-Content-Age
X-Generation-Time
X-HTML-Minification-Powered-By
X-Mcache
X-No-Session
Cache-Tv-Group
X-Mode
X-Cache-Enabled
X-Section
X-Detected-As
X-FB-TRIP-ID
Frame-Options
X-Ua
X-Cluster-Node
Azure-InstanceId
Azure-SlotName
Azure-RegionName
Azure-SiteName
TWC-Locale-Group
X-Request-Time
X-Urbn-Context-Path
X-Region
X-PHP-Backend
X-Be
X-Say-Cacheable
X-Akamai-Edgescape
X-AOL-HN
X-ApacheServer
X-PERF
X-Origin-Hint
X-Origin-Date
X-Human
X-Hosted-By
X-Web-Node
X-Via-Fastly
X-Urbn-Site-Id
X-Uri
X-Varnish-Cache-Hits
X-Say-TTL
X-SayCDN-TTL
X-Site-Version
TWC-Device-Class
TWC-GeoIP-Country
TWC-GeoIP-LatLong
S-Rt
Property-Id
Fastly-SSL
Locale
Mn-Server-Ip
X-Generated-By
TWC-Privacy
X-Storage
X-Server-W
X-UA-Device-Type
X-Sql-Duration-Ms
X-Sql-Count
Webcakes-App-Name
Webcakes-App-Version
Webcakes-Region
Azure-Version
TWC-Connection-Speed
Section-Io-Cache
X-Accel-Buffering
X-APP-VERSION
X-Cache-Operation
X-Platform-Server
X-BYPASS-REASON
X-ProxyCache-Key
X-Nginx-Cache-Key
Eomportal-Instance
X-Forwarded-Host
X-ProxyCache-Status
X-Debug-Cache
X-Cache-Host
CDN-Cache
CDN-Uid
X-Status
X-Cache-Type
X-Xfnlog-Site
CDN-RequestId
CDN-RequestCountryCode
X-Content-Powered-By
CDN-CachedAt
CDN-EdgeStorageId
CDN-PullZone
X-Cache-Tags
X-Backend-Name
X-Alternate-Cache-Key
X-Hl-Ver
X-Sorting-Hat-ShopId
X-Sorting-Hat-PodId
X-Tid
X-Varnishpool
X-Zipkin-Id
X-Shopify-Stage
X-ShopId
X-Routing-Service
X-Proxied
X-SaId
X-ServerID
X-ShardId
X-JoinUs
X-Extlb
X-Webkit-CSP
ServedBy
X-Cache-Remote
X-Adobe-Source
X-Rewrite-Enabled
SID
Xserver
X-NewRelic-App-Data
X-Ratelimit-Limit
X-Handled-By
LB
X-Timing-Wait
Selected-Fe
X-Proxy-Build
Webserver
X-TT-LOGID
X-GG-Cache-Date
X-Pubstack
X-Soup
SRV
X-PHP-Host
X-Labrador-Cache-Channel
X-Locale
X-LSADC-Cache
X-AWS-Id
X-Dc
X-VWS-Id
X-LJ-Flow-ID
X-Cached-By
X-VC-Cache
Mime-Version
Fastly-Drupal-Html
Country-Code
Decoy-Debug-Key
Decoy-Debug-Status
Decoy-Debug-TTL
X-CDN-Forward
X-Microcachable
X-Request-Host
X-GEO
X-Edge-Location
X-Reqid
X-Proto
Web-Mar-Node
X-Storefront-Renderer-Rendered
Xet-Cookie
X-App-Version
X-Ms-Request-Id
Onion-Location
X-Ms-Version
X-Origin-TTL
X-Origin-CC
X-Tec-Api-Root
Server-Info
X-Tec-Api-Version
X-Tec-Api-Origin
X-NCache
X-Varnish-Hostname
X-TA-CDN-Provider
X-Air-Hostname
X-Air-Source
X-Air-Trace-Id
X-Tumblr-Pixel-3
X-TIME
X-R9-Blue-Green-Version
DynaTrace
Cache-Hits
X-SRV
X-Tumblr-Pixel-2
X-MP-GENERATED-AT
X-Bc-Bl
X-Cms-Context
X-Cluster
Cache-Name
X-Varnish-Beresp-Grace
X-B3-SpanId
X-CSRF-Token
X-Varnish-Hits
X-Azure-Ref
X-Amz-Apigw-Id
DB-Nickname
X-Amzn-RequestId
X-Endurance-Cache-Level
X-RCS-CacheZone
X-Origin-Response-Time
Pramga
X-GeoCode
X-Cache-Id
X-Cache-NE
X-AK-Request-ID
X-Aed
X-Cache-Bucket
Cdnsip
X-GeoCountry
Cdncip
Cmstype
X-External-Request-Id
X-Esi-Check
X-ARC
Expiry
X-Application
Fastcgi-X-Cache-Version
X-B-Cookie
X-A-Wwc
Load-Balancing
DCR-Decision-By
DCR-Processing-Time-Ms
X-Epic-Correlation-Id
Cmsid
X-Cdn-Srv
Mobile-Detection-Method
X-A
Sslversion
X-Envoy-Decorator-Operation
X-A-Ccd
A
Host-ID
X-D
X-Destination
Lang
Surrogated-Key
Meta-Geo-Continent
X-Developer
NM-Fastcgi-Cache
X-A-Dam
X-CF-Lambda-Fn
X-Ec-Fail
T-Server
X-A-Dgt
X-Ec-GeoHdr
X-CF-Lambda-Version
Odigeo-Trace-Id
X-A-Dcw
X-Connection-Hash
X-Conf
Rendered-Blocks
X-Forwarded-Path
BehaviorPad-Version
X-LAGOON
X-NodeID
X-From
X-Session-Fingerprint
X-Rojux
X-NAPM-TraceId
X-User
X-SRCache-Key
X-Men
X-Tenant
X-Vdms-Version
X-PAYTM-SRV-ID
X-PBS-Appsvrname
X-TrackingId
X-Processor
X-TIM-N
X-Presslabs-Stats
X-Vdms-Path
X-Orig-Expires
X-S
X-VG-WebCache
X-Ftr-Request-Id
X-S-Cookie
X-Hash
X-Magnolia-Registration
X-Gzip
X-Shop-Environment
X-Webstats-RespID
X-Vtex-Remote-Cache
X-Via-NSCOPI
X-Vtex-Processado-Em
Xc-Version
X-Ig-Push-State
X-SD-PageType
X-ScT
X-HS-Content-Campaign-Id
X-Geo-Header
Environment
X-Tx-Id
X-SVT-ORM-RULES
X-Block-Status
X-Slack-Backend
X-Amzn-Remapped-Content-Length
X-TNCMS
X-Sigma-Backend
X-SVT-ORM-VERSION
X-Sigma
Wxu-Next-Hostname
State
X-Viewer-Country
Svr
User-Cache-Control
Ssr
X-WADP-Cache
X-Worker
X-Wix-Viewer-Type
Server-Host
V-Age
Vix-Hermes-Req-Id
X-Varnish-Remaining-TTL
X-Varnish-CookieINHashed-On
X-Varnish-CookieHashed-On
X-Variation
Wxu-Next-Region
Wxu-Next-Commit
We-Hiring
X-VG-TLSProxy
Web-Mar-Region
X-V-Cache
X-Rocket-Build-Number
X-Loop
X-DW
X-Location
Platform
X-Mvc-Supplant-Cachable
X-Node-Id
X-DPWN-IS-SECURE
X-Nyt-Route
X-DSS
X-JWT-State
X-Is-Gdpr
X-Gdpr
X-Fastly-Cache
X-Fetched-On
X-Fmm-Version
X-Gen-Mode
X-GeoIP
X-Irp-Debug
X-Hnp-Log
X-Has-Esi
X-DI
X-Device-Os
X-Clara-WADP
X-Request-URI
X-Core-Mission
X-Core-Value
X-Ckpd-Fst-Backend
X-RPM
X-Cache-Info
X-RSL
X-RPS
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-Origin-Expires
X-Origin
X-Old-Content-Length
X-Developers
X-Origin-Time
X-DefHash
X-Planisys-CDN-Cache
X-DB
X-DefElseHash
X-Scheme
X-Cache-Backend
Fastly-GeoIP-CountryCode
AKAMAI
Apple-News-Services-Handled
Adler-Geo
Mail-Subject
X-Varnish-Ttl
Machine
Is-Eu
Apple-News-Services-Host
Memcached
Apple-News-Services-Parsed-Url
Apple-News-Services-Request-Url
CDN
Cache
X-Gamma-Serve
X-Thinkindot-L3
X-Eu-Site
CDCHOST
X-HN
CloudFront-Viewer-Country
X-Generated-On
X-Cache-Date
X-Datadog-Sampling-Priority
X-Cdn-Origin
X-Httpd
Arc-Country
Source
X-Csrf-Jwt
X-Datadog-Trace-Id
X-CGP
X-Datadog-Parent-Id
X-Date
X-Loc
X-Rocket-Nginx-Serving-Static
X-VarnishDD-TTL
X-Response-By
X-Region-Sid
X-Rebelmouse-Surrogate-Control
X-Akamai-Transformed
Origin-EX
X-Skip-Cache
X-Sn-Servicetimems
GEO-INFO
X-Server-IP
X-Served-From
X-Rebelmouse-Cache-Control
X-RateLimit-Remaining-Second
X-Platform
X-Pod-Name
Producers
X-Minions-Version
Cluster
X-Policy
X-Proxy-Cache-Info
X-RateLimit-Limit-Second
X-VServer
X-Qloud-Router
X-Proxy-Upstream
X-Level-Front-Cache
X-Forwarded-Site
Fastly-SWR
X-Branch-Name
X-Aicache-OS
L5d-Success-Class
Fastcgi-Cache-TTL
Fastly-SIE
Req-Svc-Chain
Thinkindot-CacheControl-Type
N-Cache
TDXMobile
Gh-Request-Id
Thinkindot-CacheControl
X-Accel-Expires-Debug
Locid
Redirect-Candidate
Origin-CC
L
HA-Ipaddr
PFcat
Ha-Gx-Prefs
Traceparent
Thinkindot-Control
X-Auto-Login
Kp-EeAlive
X-BBC-Edge-Cache-Status
Origin
X-TraceId
Fusion-Template-Id
Fusion-Content-Id
X-EC-Lua
Fusion-Source
Fusion-Component-Id
Fusion-Content-Source
Fusion-Deployment-Id
X-Optimistic-Header
X-SB
X-GeoIP-Country-Code
NGX
HostName
DSUID
X-GeoIP-Region-Code
Release
X-GeoIP-City
X-CS
X-Midtier
X-Parent-Response-Time
X-Ec-Custom-Error
X-NC
X-Pool
AMP-Access-Control-Allow-Source-Origin
X-Owner
X-Tt-Logid
Pics-Label
MD5-Digest
X-Tb-Optimization-Total-Bytes-Saved
X-WP-CF-Super-Cache
X-Srv
Env
X-CacheTTL
X-Cache-Debug
X-API-Version
X-Refresh
X-WP-CF-Super-Cache-Cache-Control
X-LB-NoCache
CacheControlHeader
X-Ah-Environment
Servername
X-Mvc-Supplant-OutputCached
X-Udemy-Cache-App-Namespace
X-Dispatcher-Number
Time
Memory
X-Newrelic-Synthetics
Ms-Author-Via
X-ZONE
Sever-Int
X-Scale
IsBot
X-SIPLIST1
X-Via-Ucdn
True-Client-Country-4JS
X-Generated-In
Server-Ext
X-Edge-Pop
X-Action
X-TH-Server
X-Time
Server-Hostname
Geo-Info
X-Backend-TTL
X-Via-Poph
X-VC
X-Via-Popv
X-Via-Popn
GeoIp-Country-Code
X-Xrds-Location
X-Vc
X-Servedbyhost
Ohc-File-Size
X-Wikidot-Static-Cache
X-Wikidot-Backend
FSS-Cache
X-HA-Backend
X-S-Maxage
X-IPLB-Request-ID
X-Req
Cache-Key
Datacenter
X-Ad-Defer-Variation
Client
Candidate-Md5Url
X-BCube-Filmed-By
Edge-Cache
X-Amz-Meta-Cb-Modifiedtime
X-CACHE-KEY
X-RateLimit-Reset
X-Zone
X-Trace-ID
X-Cache-ASPX
CPC-Age
VNS-Age
X-Contensis-Viewer-Groups
My-App
X-Origin-Upstream-Status
CPC-Cache
Geoip-Latitude
XM
VNS-Cache
X-SplitTest
X-Varnish-Beresp-TTL
X-VCL-Version
X-DC
ITXSESSIONID
X-Dynatrace
X-Varnish-Authentication
X-WA-Info
X-Provided-By
Fastly-Backend-Name
Server-ID
DataCenter
X-Cs
Hostname
X-VHOST
X-Up
X-Micro-Cache
Path
X-AIR-PT
X-Cache-Status-Check
X-LB-ID
Ohc-Cache-HIT
X-FireWall-Port
Cache-Host
OT-Force-Account-Verify
X-Fpc
X-TX-ID
NtCoent-Length
X-Pass-Why
X-Li-Fabric
X-LI-UUID
X-Li-Pop
True-Client-IP
X-Webkit-Csp-Report-Only
Ngx.Var.Host
Test
X-UnsetCookies
X-B3-Spanid
X-FPC
X-Varnish-Beresp-Ttl
X-Traceid
X-ND-Cache
X-CSRF-TOKEN
X-Clientip
XkeyRZ
Lb
X-CUA
X-Proxy-CacheRZ
X-Time-Microsecs
Cf-Int-Pingora-Origin-Digest
X-NGINX-Cache
X-RAMCache
Tracecode
X-Api-Version
Cf-Device-Type
Target-Params
Powered-By
X-Fragments
X-Correlation-ID
X-Azure-Ref-OriginShield
X-FC-Vary-Parameters
X-Fastly-Backend
Lfy
X-ATG-Version
Proxy-Connection
X-Cdn-Request-ID
User-Agent
X-Vcl-Version
Server-Id
X-Webkit-CSP-Report-Only
X-Var-Ttl
X-Sucuri-ID
X-Sucuri-Cache
X-Beluga-Status
X-Beluga-Trace
X-Beluga-Cache-Status
X-Beluga-Record
X-Beluga-Node
X-Beluga-Response-Time
X-MSEdge-Features
X-MSEdge-Flight
X-CLOUD-TRACE-CONTEXT
X-DynaTrace-JS-Agent
X-Li-Proto
X-URL
X-M-Log
X-INCAP-ABP
X-Via-PopH
Uri
X-M-Reqid
X-Ha-Backend
X-Via-PopN
X-Via-PopV
X-Dmc
GeoIP-Latitude
X-Varnish-Beresp-Status
WZWS-RAY
X-ServedByHost
X-Platform-Processor
X-B3-Traceid-Primal
X-Platform-Cluster
X-NU-AKA-ACS-Version
X-Qnm-Cache
Resin-Trace
X-Platform-Router
X-Geo
X-Backend-State
X-Cdn-Forward
X-HS-Status
Sid
X-Fastly-Backend-Reqs
Magicmarker
X-Render-Time
GeoIP-Country-Code
X-Check-Cacheable
X-Akamai-Pragma-Client-IP
MIME-Version
X-Alfa-Service
C-Via
X-Fetch-By
X-Proxy-Cache-Hk
Srvid
X-Backend-Host
X-CCDN-CacheTTL
Rip
X-CCDN-Origin-Time
X-Request-Start
X-Hcs-Proxy-Type
Epwk-X-Cache
X-LI-Proto
Fastly-Drupal-HTML
X-TRACE-ID
X-Gateway-Request-Id
X-Gateway-Cache-Key
X-Bip
X-Gateway-Cache-Status
X-Thanos
Tube-Got-Results
Tube-Return
X-Newrelic-App-Data
Tube-Get-Contents
ENV
Click-Count-Action-Start
Click-Count-Error
X-Service
Tube-Got-Eval
X-Gateway-Skip-Cache
X-Esi
Cdn
X-LiteSpeed-Cache-Control
X-Edge-POP
X-ElasticPress-Query
PICS-Label
X-Cache-CFC
X-Lb-Nocache
Esi-Enabled
X-App
XServer
ServerName
X-Cache-Expires
WebServer
Server-Ttl
X-MG-S
X-Srcache-Fetch-Status
X-Srcache-Store-Status
CountryCode
Tcn
CF-Cached-On
X-Yottaa-OS
Section-Io-Origin-Time-Seconds
HIT
On-Server
Section-Io-Origin-Status
Section-Origin-Responded
X-Cache-Config
M-TraceId
Section-Io-Id
X-Acquia-Site
X-Acquia-Purge-Tags
X-Vcache
X-Acquia-Application-UUID
D-Url-Rewrites
Cf-Ipcountry
X-Acquia-Application-Trace
X-BBC-Origin-Response-Status
Wpo-Cache-Status
X-Serial
Srv
Inserted-Into-Cache-At
X-Nc
Wpo-Cache-Message
Servedby
Warning
X-HostName
Hit
X-APP
X-Wp-Cf-Super-Cache
X-Wp-Cf-Super-Cache-Cache-Control
Fastcgi-Cache-Ttl
X-Fastly-Cache-Hits
X-Release
Ngx
Cneonction
X-Akamai-Request-ID
X-Snapshot-Date
X-Akamai-ERRuleID
X-Litespeed-Cache-Control
X-IN-APIGATEWAYSSL
X-Shopify-Generated-Cart-Token
X-LiteSpeed-Tag
X-B3-Parentspanid
X-IN-APIGATEWAY
X-Akamai-ERPolicy
X-Request-Url
X-Back
X-Th-Server
X-Storefront-Renderer-Verified
X-CF-Powered-By
Content-Style-Type
Content-Script-Type
Cteonnt-Length
X-Dist-Code
X-Swift-Error
X-Dw-Trace-Id
X-Request-URL