Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Pragma
X-Powered-By
Link
ETag
Expect-CT
X-XSS-Protection
Via
CF-RAY
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-UA-Compatible
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
P3P
X-Cache-Hits
X-Xss-Protection
Alt-Svc
X-Served-By
CF-Ray
X-Timer
X-Varnish
X-Download-Options
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-Check
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Request-ID
X-Cache-Status
X-Generator
X-Cacheable
X-Kinja-Server-Push
Timing-Allow-Origin
X-DNS-Prefetch-Control
P3p
X-Iinfo
X-Content-Security-Policy
Status
X-AspNetMvc-Version
Content-Encoding
X-CDN
Upgrade
X-Drupal-Dynamic-Cache
X-Envoy-Upstream-Service-Time
Access-Control-Max-Age
Access-Control-Expose-Headers
Keep-Alive
X-Via
X-Ws-Request-Id
Feature-Policy
X-Age
X-Template
X-Language
X-Backend
X-Cache-Group
X-Hacker
X-Amz-Request-Id
X-Server
X-Dns-Prefetch-Control
X-Robots-Tag
X-Amz-Id-2
X-AH-Environment
X-UA-Device
EagleId
X-Proxy-Cache
Request-Context
X-Turbo-Charged-By
X-Server-Powered-By
Server-Timing
X-Nginx-Cache-Status
Grace
Host-Header
Report-To
Xkey
X-Page-Speed
X-Rq
X-Buckets
X-OneAgent-JS-Injection
X-Varnish-Cache
X-Pingback
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-LiteSpeed-Cache
Cf-Railgun
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Amz-Version-Id
X-Vhost
X-WebKit-CSP
X-Host
X-Backend-Server
X-Dispatcher
NEL
X-Device
X-Server-Id
X-Node
Surrogate-Control
X-Ruxit-JS-Agent
Accept-CH-Lifetime
Content-Location
Request-Id
X-Response-Time
X-Cache-Lookup
Accept-CH
X-Origin-Cache
X-Akam-SW-Version
EagleEye-TraceId
Cf-Bgj
X-Ac
X-ASPNET-VERSION
X-Readtime
Rating
X-Country
X-HW
X-Mod-Pagespeed
Allow
X-Cloud-Trace-Context
X-Application-Context
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
Edge-Control
Pinterest-Generated-By
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-DataDome
X-Country-Code
X-Vname
X-TtlSet
X-PC
X-Cnection
X-Varnish-TTL
X-MS-InvokeApp
X-Origin-Upstream-Status
X-Content-Type
X-GitHub-Request-Id
X-Url
Fusion-Content-Id
Fusion-Content-Source
Fusion-Component-Id
Fusion-Template-Id
X-Clacks-Overhead
Fusion-Source
Fusion-Deployment-Id
X-D2id
X-Trace
Display
Pagespeed
X-Middleton-Response
X-Sol
X-Middleton-Display
Response
X-Pinterest-Rid
Pinterest-Version
X-Abt-Application-Version
X-Server-Name
X-Px
X-Vcap-Request-Id
X-Rack-Cache
X-Navigation-Version
Verso
MS-Author-Via
Service-Worker-Allowed
X-FTR-Request-ID
X-DynaTrace
X-CST
X-B3-TraceId
X-ESI
X-Webkit-CSP
X-Fastly-Request-ID
X-Cached
X-Element-Page-Cache
X-Client-IP
X-FastCGI-Cache
Arr-Disable-Session-Affinity
X-Cache-TTL
X-TTL
X-Dw-Request-Base-Id
X-Powered-By-Plesk
X-SharePointHealthScore
SPRequestGuid
X-Upstream
Fastly-Restarts
Content-MD5
X-NF-Request-ID
AR-Request-ID
AR-CACHE
AR-PoweredBy
AR-ATIME
X-Debug
Ar-Sid
X-VARITI-CCR
X-Exp-Variant
X-Exp-Id
X-GoogleNews-Bot
X-Kinja
X-Kinja-Build
X-Kinja-Revision
X-Kinja-Server
X-Cdn-Fetch
X-Use-Magma
X-Forwarded-Proto
X-Goog-Hash
X-Version
X-T
X-MSEdge-Ref
X-Powered-CMS
X-Jurisdiction
Access-Control-Request-Method
X-XRDS-Location
SPRequestDuration
SPIisLatency
X-Release
X-Pinterest-Direct
X-Content-Digest
S
X-Edge
X-Amz-Rid
TP-L2-Cache
TP-Cache
TCN
X-Ttl
RTSS
Cache-Tag
Public-Key-Pins
X-Ezoic-Cdn
X-Node-Name
X-Cache-Key
X-Yandex-Sdch-Disable
X-Request-Received
Accept-Ch
X-Request-Processing-Time
Fastcgi-Cache
Server-Node
X-Mid
X-MCACHE
X-NWS-LOG-UUID
Front-End-Https
X-PressLabs-Stats
X-Accel-Expires
X-Amzn-Trace-Id
X-Ser
X-Recruiting
X-Kinsta-Cache
X-Mg-S
X-Request-Handler-Origin-Region
X-Microsite
X-B3-TraceId-Primal
Mrf-Cache-Status
MRF-Tech
X-SRCache-Fetch-Status
ServerID
X-SRCache-Store-Status
X-Logged-In
X-Origin-Server
X-Cache-Hit
X-Amz-Server-Side-Encryption
X-Ratelimit-Remaining
Accept-Charset
X-Grace
X-Page-Id
X-HP-Webp
X-Varnish-Age
Host
X-Content-Security-Policy-Report-Only
Nginx-Cache
X-B
X-DIS-Request-ID
X-ECACHE
X-Shield-Request-Id
Edge-Cache-Tag
X-Server-ID
X-Mobile-URL
Alternate-Protocol
X-Hostname
MicrosoftSharePointTeamServices
X-Ratelimit-Limit
X-Hits
X-Git-Hash
X-F-Cache
Realpath
X-FTR-Backend-Server
X-FTR-Backend
X-LB-Cache
X-FTR-Balancer
X-FTR-DC
X-FTR-Realm
X-Content-Options
X-Country-Code-Real
X-FTR-Cache-Status
X-N
X-Az
X-AppVersion
X-FTR-Expires
X-Activity-Id
X-Load-Cache
X-Forwarded-For
Cache-Tags
X-Seen-By
X-Type
X-FireWall-Port
X-App-Environment
Filterid
Paypal-Debug-Id
X-Request-Guid
X-Rid
X-Jobs
X-Varnish-Backend
Fastcgi-Useragent
X-Correlation-ID
DynaTrace
X-Cache-Age
X-Cached-By
X-Upgrade-Enabled
Cleartype
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-Proxy
X-WebKit-CSP-Report-Only
X-Varnish-Grace
X-Zen-Fury
X-TEC-API-ROOT
Powered-By-ChinaCache
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-Litespeed-Cache
Access-Control-Allow-Method
X-Respond-Thread
X-Amz-Meta-S3cmd-Attrs
X-Daa-Tunnel
X-Akamai-Edgescape
X-FB-Debug
X-HS-Hub-Id
X-HS-Cache-Config
X-HS-Content-Id
X-Goog-Metageneration
X-Goog-Storage-Class
X-HS-Combine-CSS
DC
X-Goog-Stored-Content-Encoding
X-Goog-Generation
X-Goog-Stored-Content-Length
X-App-Server
X-GUploader-UploadID
X-B3-Sampled
X-Geo-Country
X-IPLB-Instance
X-Host-Name
X-Cache-Rule
AMP-Access-Control-Allow-Source-Origin
X-Cache-Operation
X-Signature
X-User-Agent
X-B-Cache
X-Debug-Info
Healthy
MS-CV
X-AOL-HN
X-Id
X-Response-Served-From
X-Region
X-Original-Request-Id
X-Accel-Buffering
X-Whom
X-Mobile
X-Content-Powered-By
Content-Disposition
Accept-Ch-Lifetime
X-Instance
X-HTML-Minification-Powered-By
X-FW-Server
X-Frontend
X-Cache-Time
X-FW-Static
X-UUID
X-Rule
Payment
X-VCache
X-FW-Hash
X-Distributor
X-FW-Serve
X-Wix-Request-Id
X-FW-Type
X-FW-Dynamic
X-Tumblr-User
X-Tumblr-Pixel-2
Charset
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Cacheable-TTL
X-Tumblr-Pixel-1
Refresh
X-Is-Bot
X-Rendered-As
X-Acc-Debug-Context
Surrogate-Key
X-Protected-By
X-Amz-Apigw-Id
Liferay-Portal
X-Amzn-RequestId
Viewport
Datacenter
X-Via-JSL
X-Ua
Filters
X-Endurance-Cache-Level
S-Cnection
Akamai-Age-Ms
X-XRDS-LOCATION
X-App-Version
Nel
NGB
X-Backend-Name
PB-PID
X-URL
Arc-Version
PB-RID
X-Cache-Expired-At
X-Hyper-Cache
X-Ah-Environment
X-Amz-Replication-Status
GEO-INFO
X-Tec-Api-Version
X-Oneagent-Js-Injection
X-Tec-Api-Root
X-Tec-Api-Origin
X-Cache-Server
X-Varnish-Server
X-Cache-Action
Section-Io-Cache
Countrycode
X-Sucuri-ID
Retry-After
Version
X-Unique-Id
X-Source
Referer-Policy
X-EdgeConnect-Cache-Status
X-Air-Hostname
X-Azure-Ref
X-Cache-Control
X-PHP-Backend
X-Proxy-Cache-Status
X-Environment-Context
X-ProcessESI
X-RemovedCookies
X-Framework
X-L-Path
X-Esi
X-Revision
Eomportal-Instance
X-WA-Info
X-Real-IP
Server-Name
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-NewRelic-App-Data
Ms-Operation-Id
X-RTag
X-Cache-Var
X-RN-RSRV
Frame-Options
Meta-Geo
X-Cache-Var-Map
X-GeoIP
X-ES-SERVER
X-Mode
X-Drupal-Cache-Contexts
X-From
X-ProxyCache-Key
DB-Nickname
X-Sucuri-Cache
Cache-Tv-Group
X-Cache-Host
X-Qloud-Router
X-R9-Blue-Green-Version
X-Time-Microsecs
X-ProxyCache-Status
X-Xfnlog-Site
X-BYPASS-REASON
X-Cache-TTL-Remaining
X-AWS-Id
X-Amzn-Remapped-Content-Length
Webcakes-Region
X-Cluster
X-DynaTrace-JS-Agent
X-Labrador-Cache-Channel
X-Handled-By
X-FW-Version
Webcakes-App-Version
Webcakes-App-Name
TWC-Connection-Speed
Property-Id
Mn-Server-Ip
Ec-Rule-Version
TWC-Device-Class
TWC-GeoIP-Country
TWC-Privacy
TWC-Locale-Group
TWC-GeoIP-LatLong
X-LJ-Flow-ID
X-Human
X-PCL
X-VWS-Id
X-Server-W
X-Origin-Hint
X-PHP-Host
X-OCL
X-NYM-Debug-Backend
X-Status
X-Site-Version
X-ServerID
X-CDN-Forward
X-TNCMS
X-Zipkin-Id
X-Redis-Cache
X-Access
Uber-Trace-Id
X-Hl-Ver
X-Routing-Service
X-Format
X-Hosted-By
X-Locale
X-Section
X-FB-TRIP-ID
X-Loop
X-Be
X-Proxied
X-Proto
X-Drupal-Cache-Tags
X-Via-Fastly
X-No-Session
X-Debug-Cache
CACHE
X-Detected-As
X-Device-Type
FSS-Cache
Cross-Origin-Window-Policy
X-Contextid
X-BCube-Filmed-By
X-Generated-By
Selected-Fe
X-ATG-Version
X-Timing-Wait
Powered
X-Proxy-Build
X-Cache-PHP
X-Ratelimit-Reset
Webserver
X-NC
X-Varnish-Cache-Hits
X-Time
X-Fastcgi-Cache
From-Origin
X-FTR-Cache-Host
X-CSRF-Token
X-SaId
X-Adobe-Content
X-AIR-PT
X-JoinUs
X-Adobe-Loc
Cache
X-TIME
X-Pinterest-Sli-Endpoint-Name
X-Correlation-Id
X-NCache
X-Pinterest-Sli-Response-Type
CF-Cached-On
X-Pinterest-Sli-Latency-Threshold
X-Oss-Server-Time
Azure-SlotName
Azure-Version
Azure-RegionName
X-Oss-Object-Type
X-Origin
X-Oss-Storage-Class
Azure-InstanceId
Azure-SiteName
X-Oss-Hash-Crc64ecma
X-Oss-Request-Id
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
X-Tt-Trace-Tag
X-Hp-Webp
X-Tt-Trace-Host
OT-Force-Account-Verify
X-TT
X-Providence-Cookie
X-Is-Crawler
X-Flags
X-Aspnet-Duration-Ms
X-Route-Name
X-GoCache-CacheStatus
X-NWS-UUID-VERIFY
Upgrade-Insecure-Requests
X-Akamai-Transformed
X-Adobe-Source
SD-X-WS
X-IP
Access-Control-Request-Headers
X-CCM
X-Backend-Host
X-Cache-2
X-IPS-LoggedIn
X-Backend-TTL
X-TA-CDN-Provider
X-ECache
X-LAGOON
X-Cache-Enabled
X-APP-VERSION
X-PERF
X-Ruxit-Js-Agent
X-ApacheServer
X-Cache-Grace
X-Bc-Bl
X-Pubstack
X-Soup
X-Forwarded-Host
X-Say-TTL
X-Cluster-Name
X-Tumblr-Pixel-3
X-Say-Cacheable
X-SayCDN-TTL
X-UPSTREAM-Address
X-Storage
Fastly-SSL
Cache-Status
Decoy-Debug-Status
X-Web-Node
Decoy-Debug-Key
X-EIG-Tracking-Id
Decoy-Debug-TTL
X-EC-Lua
X-ShopId
X-G
X-Sorting-Hat-PodId
Node
X-Varnishpool
Country
X-Alternate-Cache-Key
X-Viewer-Country
X-B3-Traceid
X-Cdn
X-ShardId
X-Sorting-Hat-ShopId
X-Storefront-Renderer-Rendered
X-Shopify-Stage
X-A-Dgt
X-A-Dcw
X-A-Wwc
X-A-Dam
X-A
Rendered-Blocks
MD5-Digest
X-Aed
X-A-Ccd
Machine
X-CF-Lambda-Fn
X-Destination
X-B-Cookie
X-D
X-Connection-Hash
X-CF-Lambda-Version
X-Cache-NE
Meta-Geo-Continent
Mobile-Detection-Method
X-ARC
X-Application
X-Vtex-Processado-Em
X-PBS-Appsvrname
X-Processor
X-RCS-CacheZone
X-PAYTM-SRV-ID
X-Transaction
X-External-Request-Id
X-Twitter-Response-Tags
X-Trv-Group
Fastcgi-X-Cache-Version
DCR-Processing-Time-Ms
DCR-Decision-By
X-S
X-S-Cookie
X-Rojux
X-Rewrite-Enabled
X-TX-ID
X-Request-UUID
Host-ID
X-Cache-Backend
Apple-News-Services-Handled
X-Vtex-Remote-Cache
X-VG-WebServer
Apple-News-Services-Host
Apple-News-Services-Parsed-Url
Xc-Version
X-Worker
Apple-News-Services-Request-Url
X-VG-WebCache
X-ScT
X-Vdms-Version
X-Vdms-Path
X-Cache-Config
CDN-RequestCountryCode
Is-Eu
CDN-Cache
CDN-CachedAt
Gh-Request-Id
Adler-Geo
CloudFront-Viewer-Country
CDN-PullZone
CDN-Uid
CDN-RequestId
CDN-EdgeStorageId
Fastly-SIE
Fastly-SWR
X-Micro-Cache
X-Fmm-Version
X-Generation-Time
X-Fastly-Cache
X-Envoy-Decorator-Operation
X-Varnish-CookieINHashed-On
X-DPWN-IS-SECURE
X-Variation
X-Servername
X-Ms-Request-Id
X-Ms-Version
X-Platform-Server
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
Platform
X-Varnish-Remaining-TTL
X-Varnish-CookieHashed-On
X-VG-TLSProxy
X-Cache-Bucket
X-WADP-Cache
X-DefHash
X-Clara-WADP
X-Cms-Context
X-DefElseHash
X-CUA
X-UA
X-Wikidot-Static-Cache
X-Policy
X-Core-Value
X-Platform
X-Owner
X-Wikidot-Backend
X-Microcachable
X-Request-Start
X-Varnish-Cacheable
X-OVcl-Cache
X-Skip-Cache
X-Render-Time
Fastly-Backend-Name
X-Webstats-RespID
X-LI-UUID
L
X-Cache-Id
X-Developers
X-Dispatcher-Server
X-Esi-Check
NM-Fastcgi-Cache
Origin
Wxu-Next-Commit
Wxu-Next-Region
X-Auto-Login
X-Backend-State
X-Gzip
X-Has-Esi
X-Method
CacheControlHeader
X-Minions-Version
X-Old-Content-Length
X-Li-Pop
X-Li-Fabric
X-HS-Content-Campaign-Id
X-Irp-Debug
X-Is-Gdpr
X-JWT-State
X-OVcl
Wxu-Next-Hostname
AKAMAI
X-Page-View
X-Varnish-Beresp-Grace
X-Varnish-Beresp-Status
Akamai-GRN
X-Varnish-Beresp-Ttl
X-Varnish-Ttl
Backend
X-Vgn-Hpd-Variations-Key
X-Vgn-Hpd-Cached
PFcat
X-Accel-Expires-Debug
X-Bip
X-Cache-NGX
C-Via
X-Amz-Meta-Cb-Modifiedtime
X-Branch-Name
X-Geo-Header
X-HN
X-Generated-On
X-Cache-Date
X-CGP
Rt-Fastcgi-Cache
Surrogated-Key
X-Core-Mission
X-Thanos
X-Fastly-Backend
X-Hash
X-SN
X-CS
X-Slack-Backend
X-Reqid
X-Eu-Site
X-Csrf-Jwt
X-Mvc-Supplant-Cachable
X-Date
X-Level-Front-Cache
X-Request-Host
X-Clientip
X-Cache-Tags
X-Session-Fingerprint
L5d-Success-Class
HA-Ipaddr
X-Cache-Debug
Country-Code
Ha-Gx-Prefs
X-VarnishDD-TTL
Fastly-Drupal-HTML
X-Location
X-COUNTRY
X-NGENIX-Cache
X-Content-Age
FSS-Proxy
X-Up
SRV
X-Wa
X-Edge-Location
X-B3-Spanid
Pagetype
UCS
X-Gamma-Serve
X-Req
X-DC
Time
X-GEO
X-Cache-URL
Group
X-Cdn-Srv
Mail-Subject
Memcached
We-Hiring
Now
X-Refresh
Ufe-Result
X-NODE
X-LB-ID
X-LLID
X-Proxy-Upstream
X-PF-Uncompressing
X-Aicache-OS
X-ID
X-Via-CDN
X-RateLimit-Remaining
Hostname
X-Via-Poph
X-Mvc-Supplant-OutputCached
X-Via-Popn
X-Debug-Cache-Fetch
X-ZONE
X-Debug-Cache-Store
NGX
X-Agile-Age
X-BC
X-Agile-Id
X-LI-Proto
X-Servedbyhost
X-Agile
X-Datadome
X-Ftr-Cache-Host
X-Sql-Duration-Ms
X-Sql-Count
X-Ua-Device
HostName
X-FORWARDED-FOR
X-Dc
X-CACHE-AGE
M-TraceId
X-SRV
X-FPC
X-Nginx-Cache
X-Cache-Remote
X-NU-AKA-ACS-Version
X-Varnish-Hostname
X-SERVER
X-Check-Cacheable
X-Presslabs-Stats
X-Request-Time
XServer
X-LiteSpeed-Cache-Control
X-Www-Served-By
X-VCL-Version
X-SERVER-NAME
Arc-Country
X-S-Maxage
Xserver
X-CSRF-TOKEN
Cache-Hits
Geoip-Latitude
Cdn-Request-Time
X-Cluster-Node
X-NGINX-Cache
GeoIp-Country-Code
On-Server
X-APP
Cdn-Host
ServedBy
X-Via-SSL
X-Via-Edge
X-CF-Powered-By
WebServer
VivaBuild
Viewtype
X-Zone
X-Edge-Server
X-Svr
Edge-Copy-Time
X-Bc
X-UnsetCookies
SID
X-RunCloud-Cache
X-Cdn-Forward
X-Cs
X-Action
X-Via-Ucdn
NtCoent-Length
X-Dynatrace-Js-Agent
X-MP-GENERATED-AT
X-HS-Status
Srv
X-DB
X-Oss-Cdn-Auth
X-Erf-Stays-Bingo-Pdp-Web
X-DSS
X-DI
X-Srv
X-RPM
X-RPS
X-DW
Memory
X-RSL
X-Via-Popv
WWW-Authenticate
T-Server
Ohc-File-Size
X-Pass-Why
X-We-Are-Hiring
X-Vgn-Hpd-Ssi
ProcessTime
Apigw-Requestid
User-Agent
X-MSEdge-Flight
N-Cache
X-Instart-Request-ID
W
Protected
Processtime
Server-Host
X-MSEdge-Features
X-Cache-Spec
Pics-Label
Server-Info
X-Varnish-Hits
X-Geo
LB
X-VC
WZWS-RAY
Sid
X-SB
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
Magicmarker
CF-IPCountry
X-Acc-Rdl
X-Hit
X-Vcache
X-HOST
X-Uri
X-Akamai-Request-ID2
X-Info
CDN
GeoIP-Latitude
S-Rt
GeoIP-Country-Code
X-Tb
Ohc-Cache-HIT
X-HITS
Actual-Object-TTL
X-ORACLE-APMCS-REQUEST-ID
X-Cache-Hfrom
X-Cache-Hm
X-Pjax-Url
X-Newrelic-App-Data
Geo-Info
X-Envoy-Upstream-Healthchecked-Cluster
X-Vcl-Version
Cteonnt-Length
X-Unique-ID
X-Epic-Correlation-Id
Amp-Access-Control-Allow-Source-Origin
X-TT-LOGID
X-Webkit-CSP-Report-Only
Tracecode
X-Fastly-Country-Code
Odigeo-Trace-Id
User-Cache-Control
A
Accept-Language
Section-Io-Origin-Time-Seconds
DSUID
Section-Io-Id
Section-Origin-Responded
X-Newrelic-Synthetics
X-UA-Device-Type
X-CACHE-KEY
Section-Io-Origin-Status
X-Fpc
Esi-Enabled
X-FC-Vary-Parameters
Cdn
Cache-Name
Lb
Ssr
X-Mobile-Rewrite
X-Provided-By
CountryCode
X-Magnolia-Registration
X-Nc
Lfy
X-Amzn-Remapped-Connection
X-Via-NSCOPI
X-Origin-Date
X-Amzn-Remapped-Date
X-Key
Server-Ext
Release
X-Cache-ASPX
CDCHOST
X-Cache-Info
IsBot
Path
Locid
Instruction
X-Contensis-Viewer-Groups
X-Cache-Expires
X-User
FNAC-ModuleRouting
X-Varnish-Authentication
Thinkindot-Control
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
X-API-Version
Web-Mar-Node
V-Age
Vix-Hermes-Req-Id
X-VServer
SR-User-Adfree
Server-Hostname
X-Men
True-Client-Country-4JS
X-BBC-Edge-Cache-Status
X-Varnish-Url
Sever-Int
X-Block-Status
X-Gen-Mode
X-Nyt-Route
X-Thinkindot-L3
X-ServedByHost
X-Node-Id
X-Matched-Rule
X-Nginx-Cache-Key
X-StackifyID
X-Origin-CC
X-SD-PageType
X-SRCache-Key
X-Response-By
X-Request-URI
X-Origin-Time
X-Origin-TTL
X-Li-Proto
MIME-Version
X-Gdpr
X-SIPLIST1
X-GeoIP-City
X-Hnp-Log
X-Loc
X-Developer
X-Dynatrace
X-Cache-Tag
X-Server-IP
Pramga
X-Swa-Ws
X-SVT-ORM-VERSION
X-SVT-ORM-RULES
X-Sn-Servicetimems
X-Sigma-Backend
X-Cdn-Origin
Server-ID
X-Sigma
X-Fetched-On
X-NodeID
X-Goog-Meta-Goog-Reserved-File-Mtime
X-Azure-Ref-OriginShield
X-Trace-Id
X-BBXSRF
X-Generated-In
X-Var-Ttl
X-Device-Os
X-Traceid
X-Origin-Expires
X-Rocket-Build-Number
X-Served-From
Server-Ttl
Origin-Edge-Control
X-TH-Server
X-Dispatch
Cache-Key
X-Akamai-Pragma-Client-IP
X-Lb-Id
Kp-EeAlive
Origin-Cache-Control
X-Geo-Region
Proxy-Firewall
X-Cc-Req-Id
X-Cc-Via
X-Scheme
X-Instart-Info
D-Cc-Upstream
Cache-Host
Cache-Provider
X-B3-SpanId
X-Via-PopN
X-Via-PopV
X-Via-PopH
Powered-By
X-RAMCache
X-Parent-Response-Time
X-No-Cache
X-Batcache
Cf-Device-Type
X-RateLimit-Limit-Second
X-Agile-Brick-Ok
X-LiteSpeed-Tag
X-ServiceProvider
HitType
X-VC-Cache
X-RateLimit-Remaining-Second
Fastcgi-Cache-TTL
X-WA
X-Tt-Logid
Source
X-ElasticPress-Query
Tcn
Xet-Cookie
X-Apw-Access-Action
X-RateLimit-Limit
X-TrackingId
X-MiniProfiler-Ids
X-Apw-Access-Object
X-Apw-Hits
X-HostName
X-Apw-Access-Token
X-Generated
X-Yottaa-OS
X-Pf-Uncompressing
Cf-Alt-Svc
Req-Svc-Chain
X-Request-URL
X-Varnish-Beresp-TTL
Who
BehaviorPad-Version
X-PJAX-URL
X-Selected-Host-Header
X-Selected-Scheme
X-Selected-Name
X-BBC-Origin-Response-Status
Dnion-Transfer-Encoding
X-Snapshot-Date
X-B3-Parentspanid
X-Origin-Response-Time
Expiry
Resin-Trace
X-Dw-Trace-Id
Inserted-Into-Cache-At
X-C
X-Vgn-Hpd-Reason
Vha6-Origin
Pragrma
PICS-Label
Mime-Version