
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below is a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
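
An added example, not part of the original page or the project's own code: a tally over raw HEAD responses that folds header names to lower case (HTTP field names are case-insensitive, yet the table below lists X-Frame-Options and X-FRAME-OPTIONS separately) and flags names that nearly match a security header, such as the Referer-Policy and Content-Secure-Policy entries in the list. The sample responses, hostnames, tracked-header set and the 0.85 similarity cutoff are assumptions chosen for illustration.

```python
import difflib
from collections import Counter

# Security-relevant response headers to track; every name occurs in the page's table.
SECURITY_HEADERS = sorted({
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "x-xss-protection", "referrer-policy",
    "permissions-policy", "cross-origin-opener-policy",
})

# Constructed sample: raw response heads as a HEAD request would return them.
# Hostnames and values are made up; this is not data from the survey.
SAMPLE_RESPONSES = {
    "site1.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                     "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n\r\n",
    "site2.example": "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                     "X-FRAME-OPTIONS: DENY\r\nReferer-Policy: no-referrer\r\n\r\n",
    "site3.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     "Content-Secure-Policy: default-src 'self'\r\n"
                     "Strict-Transport-Security: max-age=31536000\r\n\r\n",
    "site4.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\nSet-Cookie: a=1\r\n"
                     "Set-Cookie: b=2\r\nx-frame-options: DENY\r\nX-Xss-Protection: 0\r\n\r\n",
}

def parse_header_names(raw):
    """Return the set of lower-cased header names in one raw response head."""
    names = set()
    for line in raw.split("\r\n")[1:]:        # skip the status line
        if not line:                           # blank line ends the head
            break
        if line[0] in " \t":                   # obsolete folded continuation line
            continue
        name, sep, _ = line.partition(":")
        if sep and name.strip():
            names.add(name.strip().lower())
    return names

def tally(responses):
    """Count sites per header: case-insensitive, each header once per site."""
    counts = Counter()
    for raw in responses.values():
        counts.update(parse_header_names(raw))
    return counts

def adoption(counts, total_sites):
    """Fraction of polled sites that sent each tracked security header."""
    return {h: counts.get(h, 0) / total_sites for h in SECURITY_HEADERS}

def near_misses(counts, cutoff=0.85):
    """Map observed names that closely resemble, but do not equal, a tracked header."""
    found = {}
    for name in counts:
        if name in SECURITY_HEADERS:
            continue
        match = difflib.get_close_matches(name, SECURITY_HEADERS, n=1, cutoff=cutoff)
        if match:
            found[name] = match[0]
    return found

if __name__ == "__main__":
    counts = tally(SAMPLE_RESPONSES)
    for header, share in adoption(counts, len(SAMPLE_RESPONSES)).items():
        print(f"{header:30} {share:.0%}")
    print("near misses:", near_misses(counts))
```

A near-miss name is a header the site intended as a protection but that no browser enforces, so it should count against adoption rather than toward it.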



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Cacheable
X-Check
Timing-Allow-Origin
X-Request-ID
P3p
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-CONTENT-TYPE-OPTIONS
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
Keep-Alive
Request-Context
EagleId
X-Age
X-Server
X-Robots-Tag
X-AH-Environment
X-Akamai-Path-Stats
X-Amz-Request-Id
X-UA-Device
Host-Header
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
X-Dns-Prefetch-Control
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Ua-Compatible
CONTENT-SECURITY-POLICY
X-Dispatcher
EagleEye-TraceId
Allow
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Nginx-Cache-Status
X-OneAgent-JS-Injection
X-WebKit-CSP
X-Device
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-CST
X-Server-Id
X-Aws-Lambda-Call-Status
X-Pingback
Surrogate-Control
Request-Id
X-Backend-Server
Accept-CH
X-Readtime
X-Akam-SW-Version
Cf-Edge-Cache
X-Cache-Lookup
X-Response-Time
X-HW
Xkey
X-Application-Context
X-ASPNET-VERSION
Content-Location
Rating
Accept-CH-Lifetime
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Trace
Accept-Ch-Lifetime
X-Country
Fastly-Restarts
X-Ruxit-JS-Agent
X-MS-InvokeApp
Accept-Ch
X-Rack-Cache
X-Mod-Pagespeed
X-TtlSet
X-PC
X-Vname
X-Clacks-Overhead
RTSS
X-Server-Name
Edge-Control
X-Varnish-TTL
X-VARITI-CCR
X-ESI
Cache-Tag
X-Content-Type
X-B3-TraceId
X-Vcap-Request-Id
X-Amz-Server-Side-Encryption
X-Kinja-Build
X-Use-Magma
X-Kinja
X-Kinja-Server
X-Exp-Variant
X-Cdn-Fetch
X-Exp-Id
X-GoogleNews-Bot
X-Kinja-Revision
X-Amz-Rid
X-Dw-Request-Base-Id
Public-Key-Pins
X-Px
X-Cnection
X-Ac
X-D2id
X-RateLimit-Remaining
X-Element-Page-Cache
X-Navigation-Version
Verso
X-Edge
X-Abt-Application-Version
X-FastCGI-Cache
X-Client-IP
X-Sol
X-Powered-By-Plesk
Display
Pagespeed
X-Middleton-Display
X-Ser
X-Cache-TTL
X-Version
Arr-Disable-Session-Affinity
Service-Worker-Allowed
X-GitHub-Request-Id
X-Country-Code
Response
X-Middleton-Response
X-NF-Request-ID
Access-Control-Request-Method
X-Goog-Hash
SPIisLatency
SPRequestDuration
X-Correlation-Id
X-Kinsta-Cache
X-TTL
X-Edge-Location-Klb
AR-PoweredBy
AR-CACHE
AR-ATIME
AR-Request-ID
AR-SID
X-Ttl
X-Cached
X-Upstream
X-Content-Security-Policy-Report-Only
SPRequestGuid
X-SharePointHealthScore
X-Powered-CMS
X-NWS-LOG-UUID
X-Instrumentation
X-LLID
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
X-RateLimit-Limit
X-Ruxit-Js-Agent
Edge-Cache-Tag
X-Litespeed-Cache
Nginx-Cache
X-Forwarded-For
X-Cache-Key
Content-MD5
TCN
X-MSEdge-Ref
X-Id
Mrf-Cache-Status
MRF-Tech
X-Shield-Request-Id
X-B3-TraceId-Primal
X-Daa-Tunnel
X-T
X-Webkit-Csp
X-Recruiting
S
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-Content-Digest
MS-Author-Via
X-Ua-Device
X-Mg-S
X-HP-Webp
X-Jurisdiction
X-HP-Trace-Id
X-ECACHE
X-Accel-Expires
MicrosoftSharePointTeamServices
X-Protected-By
X-SRCache-Fetch-Status
X-Ezoic-Cdn
X-SRCache-Store-Status
X-DataDome
X-Grace
X-Frontend
X-Ua-Browser
X-HS-Cache-Config
X-Content
X-Ab
X-HS-Content-Id
X-HS-Combine-CSS
X-HS-Hub-Id
Front-End-Https
X-Request-Processing-Time
X-Request-Received
Server-Node
X-Yandex-Sdch-Disable
Filters
X-Server-ID
X-PressLabs-Stats
TP-L2-Cache
TP-Cache
X-Mid
X-DynaTrace
Fastcgi-Cache
X-Origin-Server
X-Hits
X-Geo-Country
X-Distributor
X-WebKit-CSP-Report-Only
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
X-Microsite
X-Request-Handler-Origin-Region
X-Amzn-Trace-Id
X-Debug-Info
Cleartype
X-Tt-Trace-Tag
Charset
X-Tt-Trace-Host
X-LB-Cache
Host
X-Page-Id
X-F-Cache
X-Git-Hash
X-DIS-Request-ID
Cross-Origin-Opener-Policy
X-B3-Sampled
X-Ratelimit-Reset
X-Forwarded-Proto
X-Pinterest-Rid
Pinterest-Generated-By
Pinterest-Version
X-Cache-Age
X-Www-Served-By
Access-Control-Allow-Method
ServerID
X-Seen-By
Cache-Status
X-AppVersion
X-Az
X-Activity-Id
Realpath
X-Aspnetmvc-Version
Cache-Tags
X-MCACHE
Accept-Charset
X-Varnish-Age
X-Cluster-Name
X-Rid
Filterid
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-Content-Options
X-Language
X-Nginx-Upstream-Cache-Status
X-Type
Server-Name
Retry-After
X-Oracle-Dms-Ecid
X-Varnish-Grace
Node
Country
X-App-Environment
Viewport
X-Oracle-Dms-Rid
X-Tb
X-Origin-Cache
X-Whom
X-User-Agent
X-Upgrade-Enabled
X-FB-Debug
X-Signature
X-Is-Crawler
X-Route-Name
X-Request-Guid
X-Varnish-Backend
X-Providence-Cookie
X-Mobile-URL
DC
X-Flags
Paypal-Debug-Id
X-Wix-Request-Id
X-B-Cache
X-Drupal-Cache-Tags
X-Aspnet-Duration-Ms
X-NWS-UUID-VERIFY
X-TT
X-VCache
X-Goog-Stored-Content-Encoding
Protected
X-Goog-Storage-Class
X-Goog-Metageneration
X-Goog-Generation
X-GUploader-UploadID
X-XRDS-LOCATION
X-Goog-Stored-Content-Length
Fastcgi-Useragent
X-B
X-Fastly-Request-Id
X-Debug
X-N
X-Amz-Replication-Status
X-Fastly-Request-ID
WPO-Cache-Status
WPO-Cache-Message
X-Logged-In
X-Via-JSL
X-Cache-NGX
Payment
X-Mcache
X-Contextid
X-Load-Cache
X-Amz-Meta-S3cmd-Attrs
X-Webkit-CSP
Surrogate-Key
Permissions-Policy
Count-Hit
Amp-Access-Control-Allow-Source-Origin
X-Cache-Control
X-FW-Serve
X-FW-Dynamic
X-FW-Static
X-FW-Hash
X-FW-Type
X-Node-Name
X-FW-Server
Healthy
X-Template
X-Erf-Bev-Bev-Is-Generated
X-Browser-Type
X-Erf-Bev-Bev
X-XRDS-Location
X-Fastcgi-Cache
X-Original-Request-Id
X-Response-Served-From
X-G
SD-X-WS
Refresh
X-Proxy
X-Cache-Time
X-Mobile
Content-Disposition
X-Jobs
X-Akamai-Request-ID2
X-Is-Bot
Akamai-GRN
X-Cacheable-TTL
X-Real-IP
X-Trace-Id
X-Zen-Fury
X-Rendered-As
Uber-Trace-Id
X-UUID
X-Hostname
X-Adobe-Loc
X-Cache-TTL-Remaining
X-Http-Reason
X-Proxy-Cache-Status
X-Page-View
X-Revision
X-Adobe-Content
X-Framework
Access-Control-Request-Headers
Alternate-Protocol
VIX-Pulpo-Node
NGB
X-Drupal-Cache-Contexts
Url
X-Instance
X-Device-Type
X-Debug-IsPreview
VIX-Pulpo-Upstream-Status
X-Debug-IsConnected
X-Yottaa-Optimizations
X-Yottaa-Metrics
X-Servername
X-IPLB-Instance
X-Cache-Grace
X-ECache
Version
X-B3-Traceid
X-Mg-Request-UUID
X-Varnish-Server
X-Restarts
X-NGENIX-Cache
X-Source
X-L-Path
X-Environment-Context
Accept-Language
X-Oneagent-Js-Injection
From-Origin
X-Cache-Rule
X-Cache-Hit
X-Vgn-Hpd-Reason
X-EdgeConnect-Cache-Status
Countrycode
X-RTag
Ms-Operation-Id
MS-CV
X-Cache-Expired-At
X-HTML-Minification-Powered-By
X-Datadome
X-Parallel-Accel
Frame-Options
X-App-Server
Liferay-Portal
X-NYM-Debug-Backend
Referer-Policy
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Tumblr-Pixel-1
Cross-Origin-Window-Policy
X-FW-Version
X-COUNTRY
X-IPS-LoggedIn
X-Midtier
Backend
X-Nginx-Cache
Content-Secure-Policy
X-RemovedCookies
X-ProcessESI
X-Cache-Action
X-UPSTREAM-Address
Cache-Tv-Group
Upgrade-Insecure-Requests
Section-Io-Cache
X-RN-RSRV
Meta-Geo
X-Cache-Server
X-FB-TRIP-ID
X-Redis-Cache
X-Content-Age
X-Web-Node
X-PCL
X-APP-VERSION
X-Generation-Time
X-No-Session
X-UA-Device-Type
X-Region
CF-IPCountry
X-Hosted-By
X-OCL
X-Ua
X-Detected-As
X-Generated-By
X-Mode
X-Unique-Id
X-Human
X-AOL-HN
TWC-GeoIP-Country
Webcakes-App-Version
WP-Super-Cache
TWC-Locale-Group
TWC-GeoIP-LatLong
X-Cluster-Node
X-Cache-Enabled
TWC-Privacy
Webcakes-App-Name
X-Access
X-Format
Webcakes-Region
Fastly-SSL
X-Server-W
X-Request-Time
X-Say-Cacheable
Ec-Rule-Version
Mn-Server-Ip
X-Storage
X-Via-Fastly
X-Sql-Count
X-Say-TTL
X-Sql-Duration-Ms
X-SayCDN-TTL
X-Be
X-Urbn-Site-Id
X-Urbn-Context-Path
X-Akamai-Edgescape
Apigw-Requestid
X-PHP-Backend
Locale
X-Nginx-Cache-Key
S-Rt
X-Origin-Date
X-Section
X-Origin-Hint
TWC-Device-Class
TWC-Connection-Speed
Property-Id
X-Site-Version
X-Varnish-Cache-Hits
X-ShardId
X-ApacheServer
X-Alternate-Cache-Key
X-Adobe-Source
Eomportal-Instance
Azure-InstanceId
X-Sorting-Hat-PodId
Azure-SlotName
Azure-SiteName
X-Shopify-Stage
X-ShopId
Azure-Version
Azure-RegionName
X-Sorting-Hat-ShopId
X-PERF
X-Xfnlog-Site
X-Forwarded-Host
X-BYPASS-REASON
X-Ratelimit-Remaining
X-ProxyCache-Status
X-Platform-Server
X-ProxyCache-Key
X-Uri
X-Cache-Host
X-Debug-Cache
X-Content-Powered-By
X-Cache-Tags
CDN-EdgeStorageId
CDN-PullZone
CDN-RequestCountryCode
CDN-RequestId
X-Zipkin-Id
X-Status
X-Tid
X-Varnishpool
X-Locale
X-Routing-Service
CDN-Uid
CDN-CachedAt
X-Hl-Ver
X-Proxied
X-SaId
X-JoinUs
CDN-Cache
X-Handled-By
X-Extlb
X-Backend-Name
X-ServerID
X-NewRelic-App-Data
X-Cache-Type
X-Hyper-Cache
X-Labrador-Cache-Channel
X-PHP-Host
X-Timing-Wait
X-TT-LOGID
X-Proxy-Build
X-AWS-Id
Selected-Fe
X-VWS-Id
X-LJ-Flow-ID
X-VC-Cache
X-Cms-Context
ServedBy
X-Edge-Location
X-GG-Cache-Date
Webserver
X-Cache-Operation
X-Storefront-Renderer-Rendered
X-Dc
X-Rule
X-LSADC-Cache
X-Proto
Fastly-Drupal-Html
SRV
Load-Balancing
X-Cached-By
Web-Mar-Node
X-Rewrite-Enabled
X-GeoCountry
X-GeoCode
X-Accel-Buffering
SID
X-CDN-Forward
Onion-Location
X-App-Version
X-Soup
Mime-Version
X-GEO
X-Cache-Remote
X-TA-CDN-Provider
Xserver
X-Varnish-Hostname
X-Cdn
Cache-Hits
X-Pubstack
X-Reqid
Country-Code
X-Request-Host
X-Origin-CC
X-Cluster
X-Origin-TTL
X-Buckets
X-Varnish-Hits
X-Ratelimit-Limit
X-Microcachable
Decoy-Debug-Status
Decoy-Debug-Key
Decoy-Debug-TTL
Server-Info
X-Envoy-Decorator-Operation
X-Tumblr-Pixel-3
X-Tumblr-Pixel-2
X-MP-GENERATED-AT
Xet-Cookie
X-CSRF-Token
X-SRV
LB
X-Ms-Request-Id
X-Magnolia-Registration
X-Ms-Version
X-Air-Trace-Id
X-Air-Source
X-Air-Hostname
X-Amz-Apigw-Id
Cache
DB-Nickname
X-Amzn-RequestId
X-Time
X-Endurance-Cache-Level
X-Tx-Id
X-RCS-CacheZone
X-NCache
X-CF-Lambda-Fn
X-NAPM-TraceId
X-Device-Os
X-Ec-Fail
X-Orig-Expires
X-Ec-GeoHdr
X-Epic-Correlation-Id
Fastcgi-X-Cache-Version
X-Developer
X-Aed
X-Destination
MD5-Digest
X-Cache-NE
Pramga
X-Core-Mission
X-Cdn-Srv
X-D
X-PAYTM-SRV-ID
X-Connection-Hash
Host-ID
Lang
Meta-Geo-Continent
Mobile-Detection-Method
Expiry
Surrogated-Key
A
X-Geo-Header
X-Fetched-On
Rendered-Blocks
X-Ftr-Request-Id
BehaviorPad-Version
Cdnsip
X-CF-Lambda-Version
Sslversion
X-Forwarded-Path
Odigeo-Trace-Id
NM-Fastcgi-Cache
X-External-Request-Id
X-Hash
T-Server
Cdncip
DCR-Processing-Time-Ms
DCR-Decision-By
Cmsid
X-Conf
Cmstype
Source
X-Ig-Push-State
X-PBS-Appsvrname
X-IPLB-Request-ID
X-A
X-VG-WebCache
X-A-Dcw
X-A-Dgt
X-A-Wwc
X-TrackingId
X-ARC
X-User
X-Rojux
X-Vdms-Version
X-Session-Fingerprint
X-ScT
X-SD-PageType
X-A-Dam
X-S-Cookie
X-Vdms-Path
X-Shop-Environment
X-S
X-Vtex-Processado-Em
X-Application
Xc-Version
X-SVT-ORM-VERSION
X-Bc-Bl
X-Vtex-Remote-Cache
X-SVT-ORM-RULES
X-B-Cookie
X-SRCache-Key
X-A-Ccd
X-TIM-N
X-B3-SpanId
X-AK-Request-ID
X-Tenant
DynaTrace
X-Processor
X-Varnish-Ttl
X-Varnish-Beresp-Grace
X-Varnish-CookieINHashed-On
X-V-Cache
X-Esi-Check
X-Cache-Date
X-TNCMS
X-Varnish-Remaining-TTL
X-Thinkindot-L3
Environment
X-Cache-Bucket
X-Varnish-CookieHashed-On
X-Variation
CloudFront-Viewer-Country
Is-Eu
X-Ckpd-Fst-Backend
X-Wix-Viewer-Type
X-Webstats-RespID
X-CacheTTL
Origin-CC
Origin-EX
Producers
Platform
Cache-Name
X-Worker
X-VServer
Memcached
X-R9-Blue-Green-Version
X-Developers
X-Dispatcher-Number
X-DPWN-IS-SECURE
X-DefHash
X-DefElseHash
Mail-Subject
X-Core-Value
Server-Host
X-Cache-Id
X-Ec-Custom-Error
X-Gdpr
We-Hiring
Thinkindot-CacheControl
X-Loop
Thinkindot-CacheControl-Type
Thinkindot-Control
TDXMobile
X-LAGOON
X-Cache-Backend
Wxu-Next-Commit
Web-Mar-Region
X-JWT-State
User-Cache-Control
X-Node-Id
X-Origin-Time
Release
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-Origin-Response-Time
X-Origin-Expires
X-NodeID
X-Nyt-Route
Traceparent
X-Origin
Wxu-Next-Hostname
X-Is-Gdpr
X-Gen-Mode
X-Skip-Cache
X-Sigma-Backend
X-Sigma
X-Irp-Debug
Adler-Geo
AKAMAI
X-From
X-Slack-Backend
State
X-Planisys-CDN-Cache
X-Server-IP
X-GeoIP
X-HS-Content-Campaign-Id
X-Block-Status
Wxu-Next-Region
X-Rocket-Build-Number
X-Hnp-Log
X-SB
X-Amzn-Remapped-Content-Length
X-Gzip
X-Has-Esi
X-Scheme
X-Azure-Ref
X-Aicache-OS
X-Branch-Name
X-Auto-Login
X-BBC-Edge-Cache-Status
X-Cache-Info
X-Location
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
X-Region-Sid
X-Request-URI
X-Qloud-Router
X-Proxy-Upstream
X-Policy
X-Pool
X-Proxy-Cache-Info
X-Rocket-Nginx-Serving-Static
X-Served-From
X-Viewer-Country
X-WADP-Cache
X-Via-NSCOPI
X-Via-Ucdn
X-VG-TLSProxy
X-SIPLIST1
X-Sn-Servicetimems
X-VarnishDD-TTL
X-Pod-Name
X-Platform
X-Datadog-Trace-Id
X-Eu-Site
X-Fastly-Cache
X-Fmm-Version
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
X-CGP
HostName
X-Csrf-Jwt
X-Forwarded-Site
X-Gamma-Serve
X-Loc
X-Minions-Version
X-Mvc-Supplant-Cachable
X-Level-Front-Cache
X-Httpd
X-Generated-On
X-GeoIP-City
X-HN
X-Cdn-Origin
X-Clara-WADP
Req-Svc-Chain
Redirect-Candidate
Fastly-SWR
Server-Ext
Server-Hostname
L
X-Xrds-Location
L5d-Success-Class
Apple-News-Services-Parsed-Url
PFcat
Apple-News-Services-Host
Apple-News-Services-Handled
CDN
N-Cache
NGX
Ohc-File-Size
Origin
Apple-News-Services-Request-Url
Sever-Int
CDCHOST
Vix-Hermes-Req-Id
V-Age
Cluster
DSUID
Fastly-SIE
Fastly-GeoIP-CountryCode
Fastcgi-Cache-TTL
Gh-Request-Id
X-ZONE
Kp-EeAlive
Svr
IsBot
Machine
Ha-Gx-Prefs
HA-Ipaddr
Ssr
X-Newrelic-Synthetics
X-Owner
X-RateLimit-Remaining-Second
X-WP-CF-Super-Cache
X-WP-CF-Super-Cache-Cache-Control
X-RateLimit-Limit-Second
X-Scale
X-Optimistic-Header
X-Wikidot-Backend
X-Wikidot-Static-Cache
X-Ad-Defer-Variation
X-BCube-Filmed-By
Candidate-Md5Url
Datacenter
X-Parent-Response-Time
Arc-Country
X-Men
X-Srv
X-CS
X-VC
X-Refresh
Pics-Label
Locid
X-CACHE-KEY
X-Tb-Optimization-Total-Bytes-Saved
X-Ah-Environment
X-Contensis-Viewer-Groups
X-Old-Content-Length
CPC-Age
X-NC
X-SplitTest
VNS-Cache
XM
VNS-Age
CPC-Cache
X-Cache-ASPX
GEO-INFO
X-EC-Lua
X-Response-By
Cache-Key
X-Tt-Logid
X-TraceId
X-Cache-Status-Check
Ms-Author-Via
Env
X-DW
AMP-Access-Control-Allow-Source-Origin
X-WA-Info
X-RateLimit-Reset
Servername
X-LB-NoCache
X-Tec-Api-Version
X-RPM
X-Tec-Api-Root
X-Varnish-Authentication
X-RPS
X-RSL
X-Tec-Api-Origin
X-DB
X-Edge-Pop
X-DSS
X-DI
X-Udemy-Cache-App-Namespace
X-Date
Fastly-Backend-Name
Time
X-Amz-Meta-Cb-Modifiedtime
X-Mvc-Supplant-OutputCached
Memory
X-Accel-Expires-Debug
X-TIME
X-Akamai-Transformed
Lb
X-Via-Popv
X-Generated-In
X-GeoIP-Country-Code
X-Micro-Cache
X-AIR-PT
X-GeoIP-Region-Code
X-Via-Poph
X-Servedbyhost
X-Via-Popn
Path
Ohc-Cache-HIT
X-HA-Backend
X-Cache-Debug
ITXSESSIONID
GeoIp-Country-Code
X-S-Maxage
Ngx.Var.Host
Client
X-API-Version
Cache-Host
FSS-Cache
Fusion-Content-Source
Fusion-Deployment-Id
Fusion-Source
Fusion-Template-Id
Fusion-Content-Id
X-Api-Version
Fusion-Component-Id
X-VCL-Version
Geoip-Latitude
X-Varnish-Beresp-TTL
True-Client-IP
CacheControlHeader
X-Vc
X-VHOST
X-Cs
XkeyRZ
X-Proxy-CacheRZ
X-Trace-ID
Geo-Info
Server-ID
X-TH-Server
X-DC
X-Clientip
True-Client-Country-4JS
X-Action
Hostname
X-Presslabs-Stats
X-Backend-TTL
X-Correlation-ID
X-Zone
X-FireWall-Port
X-Fpc
Edge-Cache
X-Webkit-Csp-Report-Only
Powered-By
X-Req
X-TX-ID
X-B3-Spanid
X-Pass-Why
X-Dmc
X-Traceid
X-PX
My-App
X-MSEdge-Flight
X-FPC
NtCoent-Length
X-MSEdge-Features
X-INCAP-ABP
X-Render-Time
Test
X-Provided-By
X-Origin-Upstream-Status
X-NGINX-Cache
X-Up
X-CSRF-TOKEN
C-Via
X-Cdn-Request-ID
X-Varnish-Beresp-Ttl
Cf-Int-Pingora-Origin-Digest
Tube-Got-Eval
Tube-Get-Contents
X-LB-ID
X-Beluga-Cache-Status
X-Gateway-Request-Id
X-Gateway-Skip-Cache
X-DynaTrace-JS-Agent
X-Service
Tube-Got-Results
User-Agent
X-Beluga-Record
Tube-Return
X-Gateway-Cache-Key
X-Webkit-CSP-Report-Only
X-Beluga-Status
X-Beluga-Trace
Click-Count-Error
X-HS-Status
X-Beluga-Response-Time
X-Beluga-Node
Server-Id
X-Gateway-Cache-Status
Rip
Click-Count-Action-Start
HIT
Tcn
Proxy-Connection
X-Vcl-Version
OT-Force-Account-Verify
X-TRACE-ID
X-M-Reqid
DataCenter
X-Ha-Backend
X-Via-PopN
X-Via-PopV
X-Via-PopH
Uri
GeoIP-Latitude
GeoIP-Country-Code
X-Qnm-Cache
X-UnsetCookies
X-LI-UUID
X-Li-Fabric
On-Server
X-M-Log
X-URL
Resin-Trace
Esi-Enabled
X-Li-Pop
Srvid
X-Alfa-Service
X-Dynatrace
X-CLOUD-TRACE-CONTEXT
X-ND-Cache
X-ServedByHost
X-RAMCache
X-Time-Microsecs
Sid
WZWS-RAY
X-Akamai-Pragma-Client-IP
X-Check-Cacheable
Epwk-X-Cache
X-Proxy-Cache-Hk
X-CUA
Cdn
X-CCDN-CacheTTL
X-Hcs-Proxy-Type
MIME-Version
X-Geo
Srv
X-Fetch-By
X-APP
X-LI-Proto
X-CCDN-Origin-Time
X-Cdn-Forward
X-ATG-Version
X-Fastly-Backend-Reqs
X-Fragments
X-Platform-Cluster
Cf-Device-Type
X-Platform-Router
X-Backend-Host
X-Platform-Processor
Target-Params
Tracecode
X-Esi
X-Edge-Origin-Shield-Bytes
X-App
X-B3-Traceid-Primal
X-Sucuri-Cache
X-Edge-POP
Lfy
X-FC-Vary-Parameters
ENV
X-Fastly-Backend
X-Var-Ttl
X-Sucuri-ID
ServerName
X-Lb-Nocache
XServer
Fastly-Drupal-HTML
WebServer
X-HostName
X-Srcache-Store-Status
X-Edge-Origin-Shield-Region
X-Srcache-Fetch-Status
X-MG-S
M-TraceId
X-ElasticPress-Query
PICS-Label
CF-Cached-On
X-Nc
X-Yottaa-OS
Server-Ttl
Section-Io-Id
X-Azure-Ref-OriginShield
X-Varnish-Beresp-Status
X-Cache-Expires
Warning
X-Newrelic-App-Data
Section-Io-Origin-Status
Inserted-Into-Cache-At
Section-Origin-Responded
Section-Io-Origin-Time-Seconds
X-NU-AKA-ACS-Version
X-Iplb-Instance
X-Iplb-Request-Id
X-Li-Proto
X-Serial
X-Backend-State
X-Dw-Trace-Id
Magicmarker
X-Vcache
Cf-Ipcountry
X-Request-Url
X-LiteSpeed-Cache-Control
X-CF-Powered-By
D-Url-Rewrites
DT-Hot-News
Servedby
X-Release
X-Storefront-Renderer-Verified
X-Wp-Cf-Super-Cache-Cache-Control
X-Wp-Cf-Super-Cache
X-Fastly-Cache-Hits
X-Acquia-Application-Trace
X-Acquia-Application-UUID
Dt-Hot-News
True-Client-Ip
X-Acquia-Site
X-Vercel-Id
X-Vercel-Cache
X-Dist-Code
Ngx
X-Acquia-Purge-Tags
Content-Script-Type
CountryCode
Content-Style-Type
X-Back
Cneonction
X-Litespeed-Cache-Control
Fastcgi-Cache-Ttl
X-Th-Server
X-Snapshot-Date
X-BBC-Origin-Response-Status
X-Request-URL