
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below is a table/histogram showing how many times we found each header (security-relevant or not). We request the index page of each site with an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
ETag
Pragma
CF-RAY
Expect-CT
X-Powered-By
X-XSS-Protection
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Xss-Protection
X-Served-By
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
P3p
CF-Ray
X-Cache-Status
X-Generator
X-Cacheable
X-Check
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-CONTENT-TYPE-OPTIONS
X-AspNetMvc-Version
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
Keep-Alive
Request-Context
EagleId
X-Akamai-Path-Stats
X-Age
X-Robots-Tag
X-Server
X-Dns-Prefetch-Control
X-AH-Environment
X-Amz-Request-Id
X-UA-Device
Host-Header
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
X-Ua-Compatible
CONTENT-SECURITY-POLICY
Allow
EagleEye-TraceId
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-WebKit-CSP
X-Nginx-Cache-Status
X-Device
X-OneAgent-JS-Injection
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
X-Pingback
Surrogate-Control
Request-Id
X-Backend-Server
Cf-Edge-Cache
Accept-CH
X-Readtime
X-Akam-SW-Version
X-Response-Time
X-Cache-Lookup
X-HW
Accept-CH-Lifetime
X-Application-Context
Xkey
Content-Location
X-ASPNET-VERSION
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-MidMile-RTT
X-Trace
X-EdgeConnect-Origin-MEX-Latency
X-Country
Fastly-Restarts
X-MS-InvokeApp
Accept-Ch-Lifetime
X-Rack-Cache
X-Mod-Pagespeed
X-Vname
X-TtlSet
X-PC
X-Clacks-Overhead
X-Ruxit-JS-Agent
Accept-Ch
RTSS
X-Server-Name
Edge-Control
X-VARITI-CCR
X-ESI
X-Varnish-TTL
Cache-Tag
X-Amz-Server-Side-Encryption
X-Content-Type
X-Vcap-Request-Id
X-B3-TraceId
X-Dw-Request-Base-Id
X-GoogleNews-Bot
X-Cdn-Fetch
X-Amz-Rid
X-Exp-Id
X-Exp-Variant
X-Use-Magma
X-Kinja-Server
X-Kinja-Revision
X-Kinja
X-Kinja-Build
Public-Key-Pins
X-Px
X-Cnection
X-D2id
X-Edge
X-RateLimit-Remaining
X-Ac
X-Navigation-Version
X-FastCGI-Cache
X-Element-Page-Cache
Verso
X-Ser
X-Sol
Display
Pagespeed
X-Middleton-Display
X-Client-IP
X-Powered-By-Plesk
X-Abt-Application-Version
X-Version
X-Cache-TTL
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
Service-Worker-Allowed
X-Ttl
X-Country-Code
X-Middleton-Response
Response
X-NF-Request-ID
X-Ruxit-Js-Agent
X-Goog-Hash
Access-Control-Request-Method
X-Content-Security-Policy-Report-Only
SPIisLatency
SPRequestDuration
X-Correlation-Id
X-Kinsta-Cache
X-Cached
X-Edge-Location-Klb
AR-Request-ID
AR-CACHE
AR-SID
AR-PoweredBy
AR-ATIME
SPRequestGuid
X-SharePointHealthScore
X-Upstream
X-Powered-CMS
X-LLID
Edge-Cache-Tag
X-RateLimit-Limit
X-Instrumentation
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
X-NWS-LOG-UUID
X-Forwarded-For
Nginx-Cache
X-Cache-Key
X-Litespeed-Cache
X-TTL
Content-MD5
X-Id
X-MSEdge-Ref
Mrf-Cache-Status
MRF-Tech
X-Shield-Request-Id
TCN
X-T
X-B3-TraceId-Primal
X-Recruiting
S
X-Daa-Tunnel
X-Content-Digest
X-DataDome
X-TEC-API-VERSION
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-Webkit-Csp
X-Mg-S
X-Jurisdiction
X-HP-Webp
X-SRCache-Store-Status
X-SRCache-Fetch-Status
MS-Author-Via
X-HP-Trace-Id
X-Ua-Device
X-Accel-Expires
X-ECACHE
X-WebKit-CSP-Report-Only
X-Ezoic-Cdn
X-Protected-By
X-HS-Content-Id
X-HS-Cache-Config
X-Grace
X-HS-Combine-CSS
X-HS-Hub-Id
X-Frontend
MicrosoftSharePointTeamServices
X-Content
X-Ua-Browser
X-Ab
X-Request-Received
X-Request-Processing-Time
Server-Node
Filters
Front-End-Https
X-Yandex-Sdch-Disable
TP-L2-Cache
TP-Cache
X-DynaTrace
X-PressLabs-Stats
X-Origin-Server
X-Server-ID
X-Distributor
Fastcgi-Cache
X-ORACLE-DMS-ECID
X-Mid
X-Geo-Country
X-ORACLE-DMS-RID
X-Hits
X-Microsite
X-Request-Handler-Origin-Region
X-Tt-Trace-Host
X-Tt-Trace-Tag
X-LB-Cache
X-Amzn-Trace-Id
Charset
Host
X-Debug-Info
Cleartype
X-Ratelimit-Reset
X-F-Cache
X-Page-Id
X-Git-Hash
X-B3-Sampled
X-Forwarded-Proto
Cross-Origin-Opener-Policy
X-Cache-Age
X-DIS-Request-ID
Realpath
Access-Control-Allow-Method
Cache-Status
Pinterest-Generated-By
X-Pinterest-Rid
X-Seen-By
X-Www-Served-By
Pinterest-Version
ServerID
X-Az
X-Activity-Id
X-AppVersion
X-Fastly-Request-Id
Accept-Charset
Filterid
Cache-Tags
X-Varnish-Age
X-XRDS-LOCATION
X-Cluster-Name
X-Aspnetmvc-Version
X-Mcache
X-Nginx-Upstream-Cache-Status
X-Language
X-Rid
X-Content-Options
X-Type
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-App-Environment
Retry-After
X-MCACHE
Server-Name
Country
X-FB-Debug
X-Upgrade-Enabled
Viewport
Paypal-Debug-Id
DC
X-Varnish-Backend
X-Origin-Cache
Node
X-Tb
X-Varnish-Grace
X-User-Agent
X-Drupal-Cache-Tags
X-Signature
X-B-Cache
X-Whom
X-Oracle-Dms-Ecid
X-Mobile-URL
X-GUploader-UploadID
X-Goog-Generation
X-Wix-Request-Id
X-Goog-Metageneration
X-Goog-Storage-Class
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-TT
X-Providence-Cookie
X-Aspnet-Duration-Ms
X-Flags
X-Is-Crawler
X-Request-Guid
X-VCache
X-Route-Name
X-Oracle-Dms-Rid
X-B
X-NWS-UUID-VERIFY
Protected
X-Oneagent-Js-Injection
Permissions-Policy
Fastcgi-Useragent
X-Debug
X-Logged-In
WPO-Cache-Status
X-Amz-Replication-Status
WPO-Cache-Message
Payment
X-Via-JSL
X-N
X-Cache-NGX
X-Amz-Meta-S3cmd-Attrs
X-Load-Cache
Surrogate-Key
X-Contextid
X-Cache-Control
Count-Hit
X-Template
X-Node-Name
Healthy
X-ECache
X-Erf-Bev-Bev-Is-Generated
X-Browser-Type
X-Erf-Bev-Bev
Amp-Access-Control-Allow-Source-Origin
X-B3-Traceid
X-FW-Serve
X-FW-Hash
X-FW-Dynamic
X-Webkit-CSP
X-FW-Server
X-FW-Static
X-FW-Type
X-Mobile
X-Response-Served-From
SD-X-WS
X-Original-Request-Id
X-Proxy
Refresh
Akamai-GRN
Content-Disposition
X-Trace-Id
X-XRDS-Location
X-Revision
X-Cache-Time
X-Jobs
X-G
X-Framework
X-Akamai-Request-ID2
Uber-Trace-Id
X-Real-IP
X-Cache-TTL-Remaining
X-UUID
X-Zen-Fury
VIX-Pulpo-Upstream-Status
X-Fastcgi-Cache
X-Is-Bot
Url
X-Rendered-As
X-Restarts
X-Cacheable-TTL
VIX-Pulpo-Node
X-Hostname
X-Debug-IsPreview
X-Debug-IsConnected
X-Drupal-Cache-Contexts
X-Adobe-Loc
X-Adobe-Content
X-Proxy-Cache-Status
X-Page-View
Alternate-Protocol
X-Http-Reason
X-Device-Type
X-Instance
Access-Control-Request-Headers
X-NGENIX-Cache
NGB
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-Servername
X-Fastly-Request-ID
X-Cache-Grace
X-Varnish-Server
X-IPLB-Instance
X-Mg-Request-UUID
Version
X-Environment-Context
X-EdgeConnect-Cache-Status
X-L-Path
X-Source
X-Midtier
Accept-Language
X-HTML-Minification-Powered-By
Countrycode
Ms-Operation-Id
MS-CV
X-RTag
Frame-Options
X-Cache-Rule
X-Cache-Hit
X-Cache-Expired-At
X-Vgn-Hpd-Reason
From-Origin
Liferay-Portal
Referer-Policy
X-App-Server
X-NYM-Debug-Backend
Cross-Origin-Window-Policy
X-Tumblr-Pixel
X-Tumblr-Pixel-1
X-Tumblr-User
Backend
X-Tumblr-Pixel-0
X-Nginx-Cache
X-IPS-LoggedIn
X-FW-Version
X-APP-VERSION
X-Parallel-Accel
X-COUNTRY
Content-Secure-Policy
X-Hosted-By
X-Datadome
X-Unique-Id
Upgrade-Insecure-Requests
X-UPSTREAM-Address
X-Cache-Server
X-RN-RSRV
Meta-Geo
X-Ua
X-PCL
X-No-Session
X-OCL
X-Redis-Cache
Section-Io-Cache
X-ProcessESI
X-Generation-Time
X-RemovedCookies
S-Rt
TWC-Connection-Speed
X-Varnish-Cache-Hits
X-Format
X-Cluster-Node
TWC-Locale-Group
Azure-Version
X-Request-Time
X-Cache-Enabled
Azure-SiteName
TWC-GeoIP-Country
X-Access
X-Content-Age
Azure-InstanceId
X-Server-W
X-Section
X-PHP-Backend
X-FB-TRIP-ID
Webcakes-App-Version
Webcakes-Region
X-Origin-Hint
Azure-SlotName
Property-Id
Webcakes-App-Name
Azure-RegionName
X-UA-Device-Type
TWC-GeoIP-LatLong
Mn-Server-Ip
X-Uri
WP-Super-Cache
Apigw-Requestid
X-Region
TWC-Privacy
TWC-Device-Class
CF-IPCountry
X-Mode
X-BYPASS-REASON
X-ApacheServer
X-ShardId
X-Cache-Host
X-Content-Powered-By
X-Locale
X-Human
Locale
Fastly-SSL
X-Sorting-Hat-PodId
X-Shopify-Stage
X-Sorting-Hat-ShopId
Cache-Tv-Group
X-Nginx-Cache-Key
Eomportal-Instance
X-ShopId
X-ProxyCache-Key
X-Via-Fastly
X-Urbn-Site-Id
X-Xfnlog-Site
X-Akamai-Edgescape
X-Origin-Date
X-Be
X-Urbn-Context-Path
X-Storage
X-ProxyCache-Status
X-Alternate-Cache-Key
X-Site-Version
X-Sql-Count
X-Status
X-Sql-Duration-Ms
X-PERF
X-AOL-HN
X-Cache-Action
X-Zipkin-Id
X-Forwarded-Host
X-Varnishpool
X-Tid
X-ServerID
X-Generated-By
Ec-Rule-Version
X-Cache-Type
X-SayCDN-TTL
X-Say-TTL
X-Say-Cacheable
X-SaId
X-Routing-Service
X-Extlb
X-Backend-Name
X-Detected-As
X-Hl-Ver
X-JoinUs
X-NewRelic-App-Data
X-Labrador-Cache-Channel
X-Proxied
X-PHP-Host
X-Handled-By
X-Adobe-Source
X-Web-Node
X-Cache-Tags
X-Platform-Server
X-AWS-Id
X-VWS-Id
X-LJ-Flow-ID
CDN-PullZone
X-Timing-Wait
X-GG-Cache-Date
X-Proxy-Build
X-Debug-Cache
Selected-Fe
X-Ratelimit-Remaining
CDN-CachedAt
CDN-RequestId
CDN-EdgeStorageId
CDN-Uid
CDN-RequestCountryCode
CDN-Cache
X-Cms-Context
X-Dc
ServedBy
X-VC-Cache
X-Storefront-Renderer-Rendered
X-Edge-Location
Load-Balancing
X-Hyper-Cache
X-Proto
X-LSADC-Cache
SRV
X-Rule
X-CDN-Forward
Web-Mar-Node
X-Cache-Operation
Onion-Location
X-GeoCountry
X-TT-LOGID
Webserver
X-GeoCode
Mime-Version
X-Cached-By
Fastly-Drupal-Html
SID
X-App-Version
X-Cache-Remote
X-Rewrite-Enabled
X-Soup
X-Varnish-Hostname
X-TA-CDN-Provider
X-GEO
Cache-Hits
X-Accel-Buffering
Xserver
X-Pubstack
X-Cluster
X-Cdn
X-Varnish-Ttl
X-Reqid
X-Origin-TTL
X-Origin-CC
X-Varnish-Hits
Country-Code
X-Envoy-Decorator-Operation
Xet-Cookie
X-Microcachable
X-Buckets
X-Air-Hostname
X-Air-Source
Server-Info
X-Air-Trace-Id
Decoy-Debug-Status
Decoy-Debug-TTL
X-SRV
Decoy-Debug-Key
X-Magnolia-Registration
X-CSRF-Token
X-Tumblr-Pixel-3
X-Tumblr-Pixel-2
X-Ratelimit-Limit
X-MP-GENERATED-AT
X-IPLB-Request-ID
X-Request-Host
LB
DB-Nickname
X-Ms-Version
X-Ms-Request-Id
X-Amzn-RequestId
X-Amz-Apigw-Id
Cache
X-Endurance-Cache-Level
Source
X-Bc-Bl
X-External-Request-Id
X-Esi-Check
Surrogated-Key
MD5-Digest
X-SD-PageType
X-Ec-Fail
X-Ec-GeoHdr
X-Epic-Correlation-Id
X-VG-WebCache
X-Gzip
X-Geo-Header
X-A-Ccd
X-TIM-N
X-Hash
X-RCS-CacheZone
X-A-Dam
X-Orig-Expires
X-Developer
X-A-Dcw
X-Ftr-Request-Id
X-User
Meta-Geo-Continent
X-Forwarded-Path
X-A-Wwc
Cmsid
Cmstype
DCR-Decision-By
X-Cache-Id
Cdnsip
X-Cache-NE
Cdncip
DCR-Processing-Time-Ms
X-Application
X-Vtex-Processado-Em
X-B-Cookie
X-ARC
Fastcgi-X-Cache-Version
Expiry
Host-ID
BehaviorPad-Version
X-Cdn-Srv
X-Aed
X-Connection-Hash
Lang
X-D
X-A-Dgt
X-A
X-Conf
X-Origin-Response-Time
X-CF-Lambda-Version
X-CF-Lambda-Fn
X-AK-Request-ID
A
X-Via-NSCOPI
Xc-Version
X-Destination
Mobile-Detection-Method
X-NCache
T-Server
X-SRCache-Key
X-Shop-Environment
X-TrackingId
X-ScT
X-Ig-Push-State
X-Vtex-Remote-Cache
X-Tenant
X-Vdms-Version
X-PAYTM-SRV-ID
X-NAPM-TraceId
Rendered-Blocks
X-Newrelic-Synthetics
Pramga
X-Vdms-Path
X-Tt-Logid
X-PBS-Appsvrname
Odigeo-Trace-Id
X-Processor
X-Time
NM-Fastcgi-Cache
X-S-Cookie
Sslversion
X-S
X-Rojux
X-HS-Content-Campaign-Id
X-Session-Fingerprint
X-B3-SpanId
X-Tx-Id
X-Amzn-Remapped-Content-Length
X-Varnish-Beresp-Grace
X-Core-Value
AKAMAI
X-SVT-ORM-VERSION
X-Clara-WADP
X-WADP-Cache
X-Sigma
X-Skip-Cache
Wxu-Next-Commit
We-Hiring
X-Origin
Environment
X-Mvc-Supplant-Cachable
Fastly-GeoIP-CountryCode
X-Server-IP
X-Cache-Backend
X-Cache-Bucket
X-SB
X-Cache-Info
X-Scheme
X-SVT-ORM-RULES
X-Origin-Time
X-CacheTTL
X-Core-Mission
State
X-Irp-Debug
X-NodeID
X-V-Cache
X-Node-Id
Memcached
X-Nyt-Route
Server-Host
X-Fmm-Version
X-Fetched-On
X-Fastly-Cache
X-Via-Ucdn
Mail-Subject
Wxu-Next-Region
X-Rocket-Build-Number
Wxu-Next-Hostname
Machine
X-Gdpr
X-Developers
X-Sigma-Backend
X-Device-Os
X-Azure-Ref
X-R9-Blue-Green-Version
DynaTrace
X-ZONE
HostName
CDN
Cache-Name
Vix-Hermes-Req-Id
V-Age
Thinkindot-CacheControl
User-Cache-Control
Thinkindot-CacheControl-Type
TDXMobile
Thinkindot-Control
Web-Mar-Region
Traceparent
X-Auto-Login
X-Served-From
X-Loop
X-Request-URI
X-TNCMS
X-Region-Sid
X-VarnishDD-TTL
X-Level-Front-Cache
X-JWT-State
X-LAGOON
X-VG-TLSProxy
X-RateLimit-Remaining-Second
X-Thinkindot-L3
X-Planisys-CDN-Rules
X-Planisys-CDN-TTL
X-Platform
X-Pod-Name
X-Slack-Backend
X-Policy
X-RateLimit-Limit-Second
X-Planisys-CDN-Cache
X-Pool
X-Is-Gdpr
X-Rocket-Nginx-Serving-Static
X-Csrf-Jwt
X-Viewer-Country
X-Datadog-Parent-Id
X-Datadog-Sampling-Priority
X-Ckpd-Fst-Backend
X-CGP
X-Block-Status
X-Branch-Name
X-Cache-Date
X-Datadog-Trace-Id
X-Dispatcher-Number
X-Generated-On
X-Has-Esi
X-HN
X-Hnp-Log
X-Gen-Mode
X-Gamma-Serve
X-Ec-Custom-Error
X-Eu-Site
X-Forwarded-Site
X-BBC-Edge-Cache-Status
Adler-Geo
X-Origin-Expires
Fastcgi-Cache-TTL
Svr
Cluster
Gh-Request-Id
Ha-Gx-Prefs
L
Kp-EeAlive
Is-Eu
HA-Ipaddr
CloudFront-Viewer-Country
CDCHOST
X-DefHash
X-DefElseHash
Producers
Platform
Apple-News-Services-Handled
Apple-News-Services-Host
X-GeoIP
X-DPWN-IS-SECURE
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
L5d-Success-Class
X-Wix-Viewer-Type
X-Varnish-CookieINHashed-On
Origin-CC
X-Varnish-Remaining-TTL
Origin-EX
X-Worker
PFcat
X-Varnish-CookieHashed-On
Origin
Req-Svc-Chain
Ssr
Redirect-Candidate
X-Variation
N-Cache
Release
X-Proxy-Upstream
X-Wikidot-Static-Cache
X-Wikidot-Backend
Candidate-Md5Url
X-BCube-Filmed-By
IsBot
X-Aicache-OS
X-Cdn-Origin
Cache-Key
X-Scale
X-Httpd
X-Sn-Servicetimems
X-Rebelmouse-Cache-Control
X-SIPLIST1
X-Minions-Version
X-Rebelmouse-Surrogate-Control
X-Qloud-Router
X-Proxy-Cache-Info
X-Owner
Ohc-File-Size
Datacenter
X-Loc
X-GeoIP-City
X-From
X-Webstats-RespID
Server-Ext
X-VServer
DSUID
Fastly-SWR
Server-Hostname
NGX
Sever-Int
Fastly-SIE
X-Cache-Status-Check
X-Tec-Api-Version
X-Parent-Response-Time
X-Ad-Defer-Variation
X-Tec-Api-Root
X-Optimistic-Header
XM
X-WP-CF-Super-Cache
X-Location
VNS-Age
X-Tec-Api-Origin
X-WP-CF-Super-Cache-Cache-Control
CPC-Cache
VNS-Cache
CPC-Age
X-Refresh
GEO-INFO
X-SplitTest
Pics-Label
AMP-Access-Control-Allow-Source-Origin
X-NC
X-WA-Info
X-VC
Fastly-Backend-Name
X-Srv
X-CS
X-CACHE-KEY
X-Tb-Optimization-Total-Bytes-Saved
X-Ah-Environment
X-Micro-Cache
X-LB-NoCache
X-Contensis-Viewer-Groups
X-Cache-ASPX
Env
Servername
X-Men
X-AIR-PT
X-Edge-Pop
Arc-Country
Locid
X-TIME
Lb
X-EC-Lua
Ms-Author-Via
Time
X-Old-Content-Length
Memory
X-TraceId
X-Varnish-Authentication
X-Udemy-Cache-App-Namespace
X-Response-By
X-Generated-In
X-Mvc-Supplant-OutputCached
X-Amz-Meta-Cb-Modifiedtime
X-RSL
X-DW
X-DI
X-RPS
X-RPM
X-Servedbyhost
Path
X-DB
X-DSS
X-Api-Version
X-Xrds-Location
X-Date
Ngx.Var.Host
X-Via-Popv
X-Via-Poph
X-Via-Popn
Cache-Host
X-Accel-Expires-Debug
X-Akamai-Transformed
GeoIp-Country-Code
Ohc-Cache-HIT
X-HA-Backend
X-GeoIP-Region-Code
X-GeoIP-Country-Code
X-S-Maxage
X-Varnish-Beresp-TTL
ITXSESSIONID
X-Proxy-CacheRZ
XkeyRZ
X-Vc
X-RateLimit-Reset
Geoip-Latitude
X-Cs
True-Client-IP
FSS-Cache
X-Cache-Debug
Client
X-API-Version
X-VCL-Version
X-Clientip
X-VHOST
Fusion-Content-Id
Fusion-Content-Source
Fusion-Template-Id
Fusion-Source
Fusion-Component-Id
Fusion-Deployment-Id
CacheControlHeader
Server-ID
X-DC
X-Trace-ID
Hostname
X-FireWall-Port
X-Presslabs-Stats
X-TH-Server
True-Client-Country-4JS
X-Correlation-ID
X-Action
X-TX-ID
X-Fpc
X-Zone
X-Dmc
X-Backend-TTL
Geo-Info
X-B3-Spanid
Powered-By
X-MSEdge-Features
X-Webkit-Csp-Report-Only
X-Render-Time
X-MSEdge-Flight
X-Traceid
X-INCAP-ABP
NtCoent-Length
Edge-Cache
X-PX
X-Req
X-DynaTrace-JS-Agent
X-Gateway-Request-Id
X-Gateway-Skip-Cache
X-Service
X-Gateway-Cache-Status
X-FPC
X-Pass-Why
My-App
X-Gateway-Cache-Key
Rip
C-Via
Tcn
Test
X-M-Reqid
X-NGINX-Cache
X-HS-Status
Esi-Enabled
X-Cdn-Request-ID
X-CSRF-TOKEN
HIT
Server-Id
X-Qnm-Cache
X-M-Log
X-Origin-Upstream-Status
X-Provided-By
Tube-Get-Contents
User-Agent
OT-Force-Account-Verify
X-Beluga-Cache-Status
Click-Count-Error
Tube-Got-Eval
Click-Count-Action-Start
Tube-Got-Results
X-Beluga-Record
X-Beluga-Response-Time
X-Beluga-Status
X-Up
X-Beluga-Trace
X-Beluga-Node
On-Server
X-Vcl-Version
Tube-Return
X-Webkit-CSP-Report-Only
X-Alfa-Service
X-Varnish-Beresp-Ttl
X-Via-PopN
X-Via-PopH
X-Ha-Backend
Cf-Int-Pingora-Origin-Digest
X-LB-ID
X-Via-PopV
X-TRACE-ID
Srvid
Resin-Trace
Proxy-Connection
X-URL
X-Proxy-Cache-Hk
Uri
WebServer
X-CLOUD-TRACE-CONTEXT
X-Check-Cacheable
DataCenter
X-RAMCache
X-LI-UUID
X-APP
X-UnsetCookies
X-Geo
GeoIP-Latitude
Sid
X-Li-Fabric
X-Li-Pop
GeoIP-Country-Code
X-Edge-Origin-Shield-Bytes
X-Akamai-Pragma-Client-IP
MIME-Version
X-ServedByHost
X-CCDN-Origin-Time
Epwk-X-Cache
X-Hcs-Proxy-Type
X-CCDN-CacheTTL
WZWS-RAY
X-ND-Cache
Srv
X-Edge-Origin-Shield-Region
X-Time-Microsecs
X-LI-Proto
X-Fetch-By
Cdn
X-Cdn-Forward
X-Backend-Host
Server-Ttl
M-TraceId
X-Fastly-Backend-Reqs
X-CUA
Fastly-Drupal-HTML
ENV
Warning
X-Esi
Tracecode
XServer
X-Platform-Cluster
X-Fragments
ServerName
X-Lb-Nocache
X-ATG-Version
X-Platform-Processor
X-Platform-Router
X-Edge-POP
X-B3-Traceid-Primal
Cf-Device-Type
X-App
X-Dynatrace
Target-Params
X-HostName
X-MG-S
Dt-Hot-News
X-Var-Ttl
X-Request-Url
Inserted-Into-Cache-At
X-Sucuri-ID
X-HITS
X-Yottaa-OS
Section-Io-Origin-Time-Seconds
X-Newrelic-App-Data
CF-Cached-On
Lfy
X-FC-Vary-Parameters
X-Fastly-Backend
Section-Origin-Responded
PICS-Label
Section-Io-Origin-Status
Section-Io-Id
X-ElasticPress-Query
X-Sucuri-Cache
X-Azure-Ref-OriginShield
D-Url-Rewrites
X-Request-URL
X-Varnish-Beresp-Status
X-LiteSpeed-Cache-Control
X-Bip
X-Akamai-Request-ID
X-Serial
X-Thanos
X-Cache-Expires
X-Iplb-Instance
X-Dw-Trace-Id
Cf-Ipcountry
X-Nc
X-Vcache
X-Iplb-Request-Id
X-CF-Powered-By
Cdn-Pullzone
Cdn-Requestid
Cdn-Uid
DT-Hot-News
Servedby
Cdn-Requestcountrycode
Wp-Super-Cache
Cdn-Cache
Cdn-Cachedat
Cdn-Edgestorageid
True-Client-Ip
X-Wp-Cf-Super-Cache
X-Vercel-Id
X-Wp-Cf-Super-Cache-Cache-Control
X-Snapshot-Date
X-Fastly-Cache-Hits
X-Vercel-Cache
X-BBC-Origin-Response-Status
Content-Script-Type
Content-Style-Type
Magicmarker
CountryCode
X-Backend-State
X-Li-Proto
X-Back
X-Th-Server
Ngx
Fastcgi-Cache-Ttl
Cneonction
X-Dist-Code
X-Release
X-Storefront-Renderer-Verified
X-NU-AKA-ACS-Version