Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
Link
CF-Cache-Status
X-Powered-By
Pragma
ETag
CF-RAY
Expect-CT
X-XSS-Protection
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
P3P
Referrer-Policy
X-Cache-Hits
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Xss-Protection
X-UA-Compatible
X-Served-By
Alt-Svc
X-Varnish
X-Timer
X-Request-Id
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-Check
X-Drupal-Cache
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Permitted-Cross-Domain-Policies
X-Generator
X-Cache-Status
CF-Ray
X-Cacheable
X-DNS-Prefetch-Control
X-Kinja-Server-Push
Timing-Allow-Origin
X-Template
X-Language
X-FRAME-OPTIONS
X-AspNetMvc-Version
X-Ua-Compatible
X-Iinfo
X-Buckets
Status
X-Content-Security-Policy
Content-Encoding
X-Request-ID
Access-Control-Expose-Headers
X-CDN
Upgrade
X-Envoy-Upstream-Service-Time
Access-Control-Max-Age
Keep-Alive
X-Via
X-Drupal-Dynamic-Cache
X-Ws-Request-Id
X-AH-Environment
X-Backend
X-Age
X-Server
X-Turbo-Charged-By
X-Cache-Group
X-Robots-Tag
Feature-Policy
Request-Context
X-Proxy-Cache
Xkey
X-Amz-Request-Id
X-Amz-Id-2
EagleId
X-Hacker
X-Page-Speed
X-UA-Device
X-Server-Powered-By
X-Nginx-Cache-Status
X-Pingback
Grace
Server-Timing
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
X-LiteSpeed-Cache
P3p
Ali-Swift-Global-Savetime
Report-To
X-Amz-Version-Id
X-Server-Id
Cf-Railgun
X-Rq
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-WebKit-CSP
X-OneAgent-JS-Injection
EagleEye-TraceId
X-Dns-Prefetch-Control
X-Origin-Cache
X-Host
Surrogate-Control
X-Device
X-Response-Time
X-Vhost
X-Readtime
X-Ac
X-Cache-Lookup
X-Backend-Server
X-Node
X-Dispatcher
NEL
X-Origin-Upstream-Status
Content-Location
X-HW
Fusion-Component-Id
Fusion-Content-Id
Fusion-Template-Id
Fusion-Content-Source
Fusion-Source
X-Mod-Pagespeed
Request-Id
X-DataDome
X-Application-Context
X-ORACLE-DMS-ECID
X-Akam-SW-Version
Fusion-Deployment-Id
X-ORACLE-DMS-RID
X-Country
Allow
X-Ruxit-JS-Agent
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Cloud-Trace-Context
Accept-CH
Rating
X-Country-Code
X-Cnection
Accept-CH-Lifetime
X-Rack-Cache
Edge-Control
X-Url
RTSS
X-Clacks-Overhead
X-Px
MS-Author-Via
X-FTR-Request-ID
X-TtlSet
X-PC
X-Vname
X-Goog-Hash
Verso
X-Powered-By-Plesk
Host-Header
Service-Worker-Allowed
X-Varnish-TTL
X-GoogleNews-Bot
X-Cdn-Fetch
X-Kinja
X-Exp-Id
X-Exp-Variant
X-Kinja-Build
X-Use-Magma
X-Kinja-Server
X-Kinja-Revision
X-B3-TraceId
Public-Key-Pins
X-GitHub-Request-Id
Arr-Disable-Session-Affinity
X-MS-InvokeApp
X-Amz-Server-Side-Encryption
X-Ttl
X-Forwarded-Proto
Response
X-Middleton-Response
X-Sol
Display
Pagespeed
X-Middleton-Display
X-Cache-TTL
X-DynaTrace
X-Content-Type
X-Cdn
X-D2id
X-Amz-Rid
X-NF-Request-ID
TCN
X-CST
X-Vcap-Request-Id
X-Abt-Application-Version
X-Cached
X-VARITI-CCR
Pinterest-Generated-By
AR-PoweredBy
AR-Request-ID
AR-ATIME
Ar-Sid
AR-CACHE
X-ESI
X-Version
X-Navigation-Version
X-Powered-CMS
X-Upstream
Cache-Tag
X-Fastly-Request-ID
X-Server-Name
X-Grace
X-Debug
X-Instart-Request-ID
Access-Control-Request-Method
X-XRDS-Location
Charset
X-MSEdge-Ref
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-TEC-API-VERSION
Nginx-Cache
Content-MD5
X-Element-Page-Cache
Mrf-Cache-Status
MRF-Tech
X-Mrf-Item-Lastmod
X-Mrf-Section-Lastmod
X-B3-TraceId-Primal
X-Accel-Expires
Realpath
X-Ezoic-Cdn
X-DynaTrace-JS-Agent
SPRequestDuration
SPIisLatency
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Shield-Request-Id
S
X-SharePointHealthScore
SPRequestGuid
Pinterest-Version
X-Pinterest-Rid
X-Hp-Webp
X-Jurisdiction
Accept-Ch
X-Pass-Why
X-Amz-Meta-S3cmd-Attrs
X-Dw-Request-Base-Id
X-Recruiting
X-Id
X-Kinsta-Cache
X-Trace
X-T
Fastcgi-Cache
X-Client-IP
X-Content-Digest
X-Node-Name
X-Logged-In
Accept-Ch-Lifetime
X-Cache-Key
X-NWS-LOG-UUID
TP-L2-Cache
X-Mobile-URL
TP-Cache
X-Oneagent-Js-Injection
X-FastCGI-Cache
X-Hostname
X-Request-Received
X-Cache-Hit
Server-Node
X-Request-Processing-Time
X-Frontend
ServerID
X-Cache-Age
Front-End-Https
X-Amzn-Trace-Id
Fastly-Restarts
X-FTR-Realm
X-FTR-DC
X-FTR-Cache-Status
X-FTR-Backend-Server
X-FTR-Backend
X-FTR-Balancer
X-Country-Code-Real
X-TTL
Edge-Cache-Tag
X-Forwarded-For
X-FTR-Expires
X-Yandex-Sdch-Disable
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
X-Goog-Metageneration
X-Goog-Generation
X-GUploader-UploadID
Powered
Server-Name
PB-PID
Arc-Version
PB-RID
X-Ruxit-Js-Agent
X-Request-Handler-Origin-Region
X-Microsite
X-Content-Security-Policy-Report-Only
X-Revision
X-User-Agent
X-DIS-Request-ID
X-Page-Id
X-Hits
Filters
X-Jobs
X-LB-Cache
X-F-Cache
X-Akamai-Edgescape
X-Zen-Fury
DynaTrace
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-Erf-Bev-Bev-Is-Generated
X-ORACLE-APMCS-REQUEST-ID
X-Erf-Bev-Bev
X-ORACLE-APMCS-TAG
X-Mobile-Rewrite
X-Fastcgi-Cache
X-HS-Combine-CSS
Alternate-Protocol
X-Content-Powered-By
X-HS-Hub-Id
X-HS-Content-Id
X-HS-Cache-Config
X-Origin-Server
X-Geo-Country
Accept-Charset
AMP-Access-Control-Allow-Source-Origin
X-Varnish-Age
X-Correlation-Id
X-N
X-FTR-Cache-Host
X-Daa-Tunnel
X-B
Cache-Tags
X-Varnish-Backend
X-Rid
Retry-After
X-Varnish-Grace
X-Type
X-Esi
X-Amz-Replication-Status
X-WebKit-CSP-Report-Only
Surrogate-Key
DC
Host
X-Content-Options
Section-Io-Cache
X-Whom
X-Git-Hash
X-B-Cache
X-Signature
X-Request-Guid
X-TT
X-Server-ID
Paypal-Debug-Id
X-App-Environment
X-Via-JSL
X-RateLimit-Remaining
X-Activity-Id
X-AppVersion
X-Edge
X-Az
X-FB-Debug
MicrosoftSharePointTeamServices
X-Status
X-ATS-Timestamp
Backend-Timing
X-Ser
X-Debug-Info
Frame-Options
Fastcgi-Useragent
Actual-Object-TTL
X-IPLB-Instance
X-ATG-Version
X-Webkit-CSP
Healthy
Nel
X-Endurance-Cache-Level
X-App-Server
X-HTML-Minification-Powered-By
Srv
X-AOL-HN
X-Contextid
X-Cache-Action
X-Amzn-RequestId
X-Seen-By
X-ECACHE
X-Pinterest-Direct
X-B3-Sampled
Refresh
From-Origin
Access-Control-Allow-Method
X-Amz-Apigw-Id
X-Cache-Rule
X-Accel-Buffering
X-Response-Served-From
X-Protected-By
X-Upgrade-Enabled
X-Tumblr-Pixel
X-Drupal-Cache-Tags
Content-Disposition
X-Tumblr-User
X-Cache-Operation
X-Host-Name
X-Tumblr-Pixel-0
X-ProcessESI
X-RemovedCookies
VIX-Pulpo-Upstream-Status
X-MCACHE
X-Is-Bot
X-Cacheable-TTL
VIX-Pulpo-Node
X-Region
X-Instance
X-Mid
X-Rendered-As
Odigeo-Trace-Id
X-WA-Info
X-UUID
X-Environment-Context
X-L-Path
X-Release
Payment
Eomportal-Instance
X-FW-Dynamic
X-FW-Static
X-FW-Type
X-Rule
X-Varnish-Server
X-FW-Server
X-FW-Serve
X-FW-Hash
X-Adobe-Loc
X-Cache-Time
X-Adobe-Content
Countrycode
MS-CV
X-Litespeed-Cache
Datacenter
Uber-Trace-Id
Source
X-Time
X-Proxy
X-Cached-By
X-Load-Cache
X-Akamai-Request-ID2
X-EdgeConnect-Cache-Status
X-Cache-Control
X-Cache-Server
X-UnsetCookies
X-Mobile
Xserver
X-Correlation-ID
Cache-Status
X-GeoIP
X-PHP-Backend
X-SERVER-NAME
X-Azure-Ref
Access-Control-Request-Headers
X-Akamai-Transformed
X-Yottaa-Optimizations
X-NewRelic-App-Data
X-Yottaa-Metrics
Accept-Language
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Origin-Response-Time
X-PressLabs-Stats
X-Air-Hostname
Version
X-Handled-By
X-Mode
X-Wix-Request-Id
Filterid
X-NGENIX-Cache
X-Backend-Name
Liferay-Portal
X-NWS-UUID-VERIFY
X-Cache-NGX
X-VCache
X-Cluster
X-Framework
X-URL
X-IPS-LoggedIn
Server-Info
X-APP-VERSION
Load-Balancing
X-Routing-Service
X-UPSTREAM-Address
X-Via-Fastly
X-AWS-Id
X-RN-RSRV
NGB
X-ES-SERVER
X-Tumblr-Pixel-2
Cross-Origin-Window-Policy
X-Tumblr-Pixel-1
X-VWS-Id
Meta-Geo
X-Locale
X-Proxied
X-Zipkin-Id
X-Cache-Var
X-CCM
X-Cache-Remote
X-Path-Route
X-Adobe-Source
X-FireWall-Port
X-UA-Device-Type
X-Cache-Var-Map
X-ApacheServer
X-LJ-Flow-ID
X-PERF
X-Viewer-Country
X-Qloud-Router
DSUID
Cache
X-Www-Served-By
X-Site-Version
X-MP-GENERATED-AT
X-Real-IP
X-Cache-Status-Check
ServedBy
X-Detected-As
Cache-Hits
Mn-Server-Ip
X-TX-ID
Akamai-GRN
Decoy-Debug-Key
Cache-Name
Cache-Tv-Group
X-Say-TTL
X-Web-Node
X-Access
X-Section
X-OCL
X-PCL
X-Cache-Config
X-IP
X-Info
X-Human
X-Format
X-SayCDN-TTL
Section-Origin-Responded
Now
X-Redis-Cache
X-R9-Blue-Green-Version
X-Storage
Section-Io-Id
X-Say-Cacheable
X-NCache
X-Pubstack
Section-Io-Origin-Time-Seconds
Section-Io-Origin-Status
Decoy-Debug-Status
Decoy-Debug-TTL
Webcakes-Region
Webcakes-App-Version
Webserver
X-ServerID
X-Bc-Bl
TWC-Privacy
TWC-Locale-Group
TWC-Connection-Speed
S-Rt
TWC-Device-Class
TWC-GeoIP-Country
TWC-GeoIP-LatLong
X-BYPASS-REASON
X-Cache-Enabled
X-FC-Vary-Parameters
X-PHP-Host
X-FW-Version
X-Origin-Hint
X-Labrador-Cache-Channel
X-EIG-Tracking-Id
X-Device-Type
X-Cache-Host
X-ProxyCache-Status
X-ProxyCache-Key
X-CS
Property-Id
Webcakes-App-Name
X-CSRF-Token
Fastly-SSL
X-Varnish-Cache-Hits
X-Unique-Id
Cleartype
X-SaId
X-Content-Age
X-ShardId
X-ShopId
X-Shopify-Stage
X-Proxy-Build
X-Alternate-Cache-Key
X-From
X-Loop
X-NYM-Debug-Backend
X-No-Session
X-Ua
X-JoinUs
X-Hl-Ver
X-Hosted-By
X-Origin
X-FB-TRIP-ID
X-BCube-Filmed-By
X-Time-Microsecs
X-Sorting-Hat-ShopId
Selected-Fe
X-Timing-Wait
X-Sorting-Hat-PodId
X-TNCMS
X-Amzn-Remapped-Content-Length
X-Hyper-Cache
DB-Nickname
X-RTag
X-RateLimit-Limit
Origin-Cache-Control
Ms-Operation-Id
X-Generated
X-Presslabs-Stats
Azure-SlotName
Azure-InstanceId
Azure-Version
Ec-Rule-Version
X-XRDS-LOCATION
Azure-SiteName
Azure-RegionName
X-Geo
X-Cache-2
Apigw-Requestid
X-Drupal-Cache-Contexts
X-Cache-TTL-Remaining
X-Urbn-Context-Path
Time
Locale
Origin-Edge-Control
X-Xfnlog-Site
X-Urbn-Site-Id
SD-X-WS
X-Vcache
X-RequestSource
Country
X-Goog-Meta-Goog-Reserved-File-Mtime
X-Pad
X-EC-Lua
X-Source
X-Old-Content-Length
Geo-Info
User-Agent
X-CDN-Forward
X-Cluster-Node
X-Varnish-Hostname
X-Debug-Cache
X-Soup
X-Backend-TTL
Upgrade-Insecure-Requests
X-Akamai-Request-ID
X-Cache-NE
X-Parent-Response-Time
X-RCS-CacheZone
X-Proto
X-Tb
X-SRV
X-Cache-Backend
X-Storefront-Renderer-Rendered
X-Cache-PHP
X-App-Version
Proxy-Connection
X-NC
X-TA-CDN-Provider
X-DC
X-Cache-Grace
FilterID
X-Proxy-Cache-Status
X-FORWARDED-FOR
Cache-Key
X-Forwarded-Host
X-Origin-CC
X-Origin-TTL
ServerName
Meta-Geo-Continent
MD5-Digest
Rendered-Blocks
Mobile-Detection-Method
N-Cache
T-Server
Viewtype
X-Transaction
Who
UCS
X-Trv-Group
Machine
True-Client-Country-4JS
X-Twitter-Response-Tags
X-Vdms-Version
AsisCache
BehaviorPad-Version
Content-Script-Type
X-Vtex-Processado-Em
Arc-Country
Xc-Version
X-Vtex-Remote-Cache
X-App
Content-Style-Type
X-VG-WebServer
FNAC-ModuleRouting
GEO-REGION-INFO
IsBot
X-Vdms-Path
Fastcgi-X-Cache-Version
X-VG-WebCache
X-A
M-TraceId
X-Trace-Id
X-Destination
X-Response-By
X-Region-Sid
X-Processor
X-Date
X-D
X-Rojux
X-Rewrite-Enabled
X-Connection-Hash
X-Developer
X-PAYTM-SRV-ID
X-Geo-Header
X-External-Request-Id
X-G
X-Method
X-Nginx-Cache-Key
X-NodeID
X-DevSite-Last-Modified
X-Dispatch
X-CF-Lambda-Version
X-CF-Lambda-Fn
X-Swa-Ws
X-SRCache-Key
X-SIPLIST1
X-Accel-Expires-Debug
X-A-Wwc
X-A-Dam
X-A-Dcw
X-A-Dgt
X-Aed
X-Session-Fingerprint
X-S-Cookie
X-S
X-B-Cookie
X-Scheme
X-ARC
X-SD-PageType
X-Application
X-ScT
X-A-Ccd
VivaBuild
X-AIR-PT
LB
X-Uri
User-Cache-Control
X-Magnolia-Registration
X-Tumblr-Pixel-3
Server-Hostname
Server-Ext
RNT-Time
Server-Host
Sever-Int
X-LAGOON
V-Age
Thinkindot-Control
Thinkindot-CacheControl-Type
X-Level-Front-Cache
Thinkindot-CacheControl
X-Loc
X-Logging-Id
X-Policy
X-Owner
X-Newrelic-Synthetics
Mail-Subject
X-RateLimit-Limit-Second
Magicmarker
X-Node-Id
NGX
X-Matched-Rule
Viewport
Release
X-Micro-Cache
NM-Fastcgi-Cache
Pagetype
RNT-Machine
We-Hiring
X-Cache-FS-Status
X-Cache-Info
X-Cache-Bucket
X-Block-Status
X-Backend-State
X-Bip
X-Cache-URL
X-Dispatcher-Server
X-Cms-Context
X-Compress-Hint
X-Clara-WADP
X-Developers
X-Device-Os
X-Fmm-Version
X-Gen-Mode
Wxu-Next-Commit
Wxu-Next-Hostname
X-Hash
Web-Mar-Node
Vix-Hermes-Req-Id
X-RateLimit-Remaining-Second
Wxu-Next-Region
X-Generation-Time
X-Agile-Id
X-Generated-In
X-Agile-Age
X-Agile
X-Generated-On
X-Hnp-Log
On-Server
CacheControlHeader
X-Thanos
Cache-Cookie-Set-Lfrom
Cache-Cookie-Set-Idcheck
CDCHOST
X-SN
X-ServiceProvider
X-WADP-Cache
X-User
Cache-Cookie-Set-From
X-Thinkindot-L3
Apple-News-Services-Host
Apple-News-Services-Handled
AKAMAI
Apple-News-Services-Parsed-Url
Apple-News-Services-Request-Url
Referer-Policy
X-VC-Cache
X-Varnish-Cacheable
X-Servername
X-Skip-Cache
X-SVT-ORM-VERSION
X-Reqid
Kp-EeAlive
X-Wikidot-Backend
X-Wikidot-Static-Cache
X-SVT-ORM-RULES
X-Worker
X-Req
OT-Force-Account-Verify
X-Srv
X-B3-Traceid
X-Hit
X-VG-TLSProxy
X-Variation
X-Var-Ttl
X-VServer
X-CGP
X-Clientip
X-Cluster-Name
X-Edge-Location
X-Core-Value
X-Core-Mission
X-Key
X-BBXSRF
X-Cache-Id
X-Distil-CS
X-We-Are-Hiring
X-Distributor
X-Envoy-Decorator-Operation
Node
X-Epic-Correlation-Id
X-Cache-Tags
X-Webstats-RespID
X-Fastly-Cache
X-Eu-Site
X-Esi-Check
X-Auto-Login
W
X-Request-UUID
X-Mvc-Supplant-Cachable
Gh-Request-Id
Platform
X-Server-W
Fastly-Drupal-HTML
Fastly-SWR
X-Request-Host
Ha-Gx-Prefs
Is-Eu
L5d-Success-Class
X-Rebelmouse-Cache-Control
HA-Ipaddr
X-Origin-Expires
X-NU-AKA-ACS-Version
X-Origin-Date
Rt-Fastcgi-Cache
Fastly-SIE
X-Irp-Debug
C-Via
X-Location
X-Rebelmouse-Surrogate-Control
X-TrackingId
Adler-Geo
X-Gzip
X-Has-Esi
X-JWT-State
X-Is-Gdpr
X-Slack-Backend
X-TH-Server
X-Be
X-GoCache-CacheStatus
Pragrma
X-Reboot
X-Varnish-Authentication
X-Contensis-Viewer-Groups
X-LI-Proto
X-Li-Pop
X-LI-UUID
X-Li-Fabric
X-Cache-ASPX
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Status
X-Varnish-Beresp-Grace
Memcached
X-Backend-Host
Sid
GEO-INFO
X-Nc
MIME-Version
X-ZONE
X-Wa
X-Configured-By
X-Branch-Name
X-BC
X-Dc
S-Cnection
X-Cache-Debug
Cf-Ipcountry
X-Via-PopV
X-Refresh
X-Via-PopH
Fastly-Backend-Name
X-Instart-Info
X-Varnish-URL
X-Up
X-Via-CDN
HostName
X-Microcachable
X-UA
X-Servedbyhost
X-Batcache
X-Minions-Version
X-Envoy-Upstream-Healthchecked-Cluster
X-Platform-Server
X-Ua-Device
X-Ms-Version
X-Ms-Request-Id
X-Mvc-Supplant-OutputCached
X-ElasticPress-Query
X-TT-TIMESTAMP
CACHE
X-TIME
X-Cdn-Forward
X-MSEdge-Features
Memory
X-MSEdge-Flight
X-Aicache-OS
X-Nginx-Cache
X-Vgn-Hpd-Reason
X-VCL-Version
WPE-Backend
X-ND-Cache
Esi-Enabled
NR-ENABLED
X-Sucuri-ID
NtCoent-Length
X-Debug-Panamera-Host
X-Debug-Panamera-Sitecode
L
DCR-Decision-By
DCR-Processing-Time-Ms
Server-ID
X-App-Name
Pramga
X-Pjax-Url
Powered-By-ChinaCache
X-PF-Uncompressing
Hostname
X-COUNTRY
X-GEO
X-FPC
X-Fastly-Cache-Status
Cache-Host
X-Server-IP
X-Client-Ip
X-Bc
X-Zone
Location
GeoIP-Country-Code
X-CF-Powered-By
X-Oss-Server-Time
X-Oss-Storage-Class
X-Oss-Hash-Crc64ecma
X-Oss-Object-Type
X-Svr
Ohc-File-Size
HitType
X-Cdn-Srv
X-Oss-Request-Id
X-BACKEND-TTL
X-Varnishpool
FSS-Cache
X-Ratelimit-Reset
X-BE
Server-Cache-Control
X-Generated-By
Server-Surrogate-Control
GeoIP-Latitude
X-Unique-ID
X-S-Maxage
X-Sucuri-Cache
X-Check-Cacheable
Resin-Trace
Tracecode
X-LB-ID
X-Azure-Ref-OriginShield
Ohc-Response-Time
X-Original-Request-Id
X-Varnish-Ttl
X-Rocket-Nginx-Bypass
X-OVcl-Cache
X-OVcl
PFcat
X-VarnishDD-TTL
Cteonnt-Length
X-VCT
X-Instart-Isnd
X-Fastly-Backend-Reqs
X-Fastly-Country-Code
X-Ratelimit-Remaining
Cdn-Request-Time
X-Render-Time
Request-Country
Request-EU
X-CSRF-TOKEN
Cdn-Host
X-Platform
X-PJAX-URL
X-Edge-Server
Heartbleed
X-Vgn-Hpd-Ssi
X-Vgn-Hpd-Variations-Key
X-Vgn-Hpd-Cached
Locid
X-Cache-Expired-At
X-VHOST
X-Varnish-Hits
X-Fpc
X-HS-Status
X-Newrelic-App-Data
X-Request-URI
GeoIp-Country-Code
Geoip-Latitude
CF-Cached-On
X-CUA
Lfy
X-Tec-Api-Root
Amp-Access-Control-Allow-Source-Origin
X-Tec-Api-Version
X-Tec-Api-Origin
SRV
Pics-Label
X-Gamma-Serve
X-Pf-Uncompressing
X-Vcl-Version
Epwk-X-Cache
X-Ratelimit-Limit
X-NGINX-Cache
XServer
X-CACHE-AGE
SN
X-Oracle-Dms-Rid
X-CLOUD-TRACE-CONTEXT
X-Shopify-Generated-Cart-Token
WWW-Authenticate
X-CACHE-KEY
Backend
X-RunCloud-Cache
X-WebServer
Backend-Name
X-ECache
URI
Product
X-Csrf-Jwt
X-Amzn-Remapped-Connection
X-Proxy-Upstream
X-StackifyID
X-Amzn-Remapped-Date
WZWS-RAY
X-Varnish-Url
X-ServedByHost
X-Ftr-Cache-Host
X-Via-Popv
My-App
Lb
X-Cdn-Origin
X-Sn-Servicetimems
X-Fastly-Request-Id
X-Oss-Cdn-Auth
CloudFront-Viewer-Country
X-Fetched-On
X-Via-Poph
Mime-Version
X-Rocket-Build-Number
X-Sigma-Backend
X-Sigma
X-Debug-Cache-Fetch
X-GeoIP-Country-Code
X-Request-Time
X-Debug-Cache-Store
X-Nananana
A
Cloudfront-Viewer-Country
X-Cache-Tag
Server-Ttl
Host-ID
CF-IPCountry
PICS-Label
X-LiteSpeed-Cache-Control
X-Debug-Cache-String
SID
X-Debug-Xas-Auth
X-Debug-Ysi-Auth
X-Debug-Cache-Status
X-Debug-Cache-Bypass
Dt-Cache-Category
Ohc-Cache-HIT
X-Tb-Optimization-Total-Bytes-Saved
X-B3-Spanid
X-B3-SpanId
X-Debug-Do-Not-Cache-Uri
X-Cache-Version
X-Apw-Access-Token
X-Acquia-Application-Trace
X-Apw-Access-Object
X-Apw-Hits
X-Request-Start
X-Varnish-Beresp-TTL
DataCenter
X-Apw-Access-Action
X-DPWN-IS-SECURE
X-WA
X-Acquia-Purge-Tags
X-Acquia-Application-UUID
Proxy-Firewall
X-Acquia-Site
Cneonction
X-APP
X-IN-APIGATEWAYSSL
Group
X-Lb-Id
Country-Code
FSS-Proxy
X-Served-From
Dnion-Transfer-Encoding
X-IN-APIGATEWAY
X-Request-URL
X-Html-Edge-Cache
X-WR-MODIFICATION
Cf-Alt-Svc
X-Dw-Trace-Id
X-SB
X-VC
X-ElasticPress-Search
Warning
Inserted-Into-Cache-At
X-Swift-Error
Cdn
X-Snapshot-Date