Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Cf-Request-Id
CF-Cache-Status
Link
Accept-Ranges
CF-RAY
ETag
Expect-CT
X-XSS-Protection
Pragma
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
P3P
Alt-Svc
X-UA-Compatible
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
X-Request-Id
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-DNS-Prefetch-Control
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-Cache-Status
X-Check
X-Generator
X-Cacheable
Timing-Allow-Origin
X-Content-Security-Policy
X-Iinfo
Feature-Policy
Status
X-Envoy-Upstream-Service-Time
Content-Encoding
Access-Control-Expose-Headers
P3p
X-Drupal-Dynamic-Cache
X-AspNetMvc-Version
X-Request-ID
X-CDN
Upgrade
X-Via
CF-Ray
Report-To
X-Ws-Request-Id
Access-Control-Max-Age
Server-Timing
EagleId
X-Cache-Group
X-Turbo-Charged-By
Keep-Alive
X-UA-Device
Request-Context
X-Age
X-Backend
X-Proxy-Cache
X-Server-Powered-By
X-AH-Environment
X-Robots-Tag
X-Hacker
X-Server
X-Amz-Request-Id
Host-Header
NEL
X-Amz-Id-2
Grace
X-Rq
X-LiteSpeed-Cache
X-Swift-CacheTime
X-Swift-SaveTime
X-Varnish-Cache
X-Nginx-Cache-Status
Ali-Swift-Global-Savetime
X-WebKit-CSP
X-Page-Speed
X-Vhost
EagleEye-TraceId
X-Ua-Compatible
X-Amz-Version-Id
X-OneAgent-JS-Injection
X-Pingback
X-Dispatcher
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Device
Accept-CH
X-Cache-Spec
X-Host
X-Server-Id
Cf-Railgun
X-Node
X-Backend-Server
X-Readtime
Surrogate-Control
X-Akam-SW-Version
X-Dns-Prefetch-Control
Request-Id
X-Response-Time
X-HW
X-Application-Context
Xkey
Content-Location
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
Accept-Ch-Lifetime
Rating
X-Ruxit-JS-Agent
X-Country
X-B3-TraceId
X-Cloud-Trace-Context
X-Cache-Lookup
Accept-CH-Lifetime
X-Trace
Allow
X-Url
X-Ac
X-Content-Type
X-PC
X-Vname
X-TtlSet
X-Aws-Lambda-Call-Status
X-Varnish-TTL
X-Clacks-Overhead
Edge-Control
X-Server-Name
Fastly-Restarts
X-ESI
X-Mod-Pagespeed
Cache-Tag
X-Rack-Cache
Service-Worker-Allowed
X-FastCGI-Cache
X-VARITI-CCR
Verso
X-Element-Page-Cache
X-Vcap-Request-Id
X-Upstream
X-Amz-Rid
X-MS-InvokeApp
MS-Author-Via
Public-Key-Pins
X-GitHub-Request-Id
X-Dw-Request-Base-Id
X-Cached
X-Client-IP
X-Cache-TTL
X-Abt-Application-Version
X-D2id
RTSS
X-Cnection
X-Px
X-Exp-Variant
X-Exp-Id
X-Cdn-Fetch
X-GoogleNews-Bot
X-Kinja
X-Kinja-Revision
X-Kinja-Build
X-Use-Magma
X-Kinja-Server
X-Navigation-Version
X-TTL
Arr-Disable-Session-Affinity
Access-Control-Request-Method
X-Powered-By-Plesk
X-Country-Code
X-NF-Request-ID
X-Goog-Hash
X-ORACLE-DMS-RID
X-ORACLE-DMS-ECID
X-Instrumentation
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
X-Sol
Display
Pagespeed
X-Middleton-Display
AR-ATIME
AR-CACHE
AR-Request-ID
AR-PoweredBy
AR-SID
X-Powered-CMS
X-Version
X-Origin-Cache
X-Middleton-Response
Response
X-LLID
X-MSEdge-Ref
X-CST
Nginx-Cache
TCN
X-Edge-Location-Klb
X-Kinsta-Cache
X-Amz-Server-Side-Encryption
MRF-Tech
Mrf-Cache-Status
X-B3-TraceId-Primal
X-Edge
X-Protected-By
X-RateLimit-Remaining
X-T
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-HP-Webp
X-Jurisdiction
X-Forwarded-For
X-HP-Trace-Id
X-Content-Security-Policy-Report-Only
X-Shield-Request-Id
X-Mg-S
X-Id
X-Aspnetmvc-Version
Edge-Cache-Tag
X-Language
S
Content-MD5
SPIisLatency
SPRequestDuration
Front-End-Https
Fastcgi-Cache
X-Mid
Realpath
X-Request-Received
Server-Node
X-Request-Processing-Time
X-Frontend
Pinterest-Generated-By
Filters
Pinterest-Version
X-Pinterest-Rid
X-Recruiting
Server-Name
X-Cache-Key
X-Content
X-Ua-Browser
X-Ab
X-Ser
X-NWS-LOG-UUID
X-Correlation-Id
X-MCACHE
X-HS-Hub-Id
X-HS-Content-Id
X-Template
X-HS-Cache-Config
X-DynaTrace
X-HS-Combine-CSS
X-Yandex-Sdch-Disable
X-Ruxit-Js-Agent
X-Ezoic-Cdn
SPRequestGuid
X-SharePointHealthScore
X-Hits
X-ECACHE
X-Parallel-Accel
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
MicrosoftSharePointTeamServices
X-Tt-Trace-Host
X-Tt-Trace-Tag
Cache-Tags
X-Page-Id
Charset
X-B3-Sampled
Cleartype
Host
X-Git-Hash
X-Daa-Tunnel
X-Www-Served-By
X-Debug-Info
X-Geo-Country
X-Content-Options
Alternate-Protocol
Accept-Ch
X-DIS-Request-ID
X-Ratelimit-Limit
Fusion-Content-Source
Fusion-Source
Fusion-Template-Id
Fusion-Deployment-Id
Fusion-Content-Id
Fusion-Component-Id
X-Content-Digest
X-Amzn-Trace-Id
X-Ttl
X-Hostname
Cross-Origin-Opener-Policy
Filterid
X-Amz-Replication-Status
X-Varnish-Age
X-F-Cache
X-FB-Debug
X-Grace
X-DataDome
X-AppVersion
X-Az
X-Activity-Id
ServerID
X-VCache
X-Upgrade-Enabled
X-Accel-Expires
X-N
X-Nginx-Upstream-Cache-Status
X-Rid
X-Mobile-URL
X-Forwarded-Proto
X-Providence-Cookie
X-Route-Name
X-Is-Crawler
X-Request-Guid
Access-Control-Allow-Method
X-Origin-Server
X-Flags
X-Fastly-Request-ID
X-Aspnet-Duration-Ms
X-Type
X-LB-Cache
X-Server-ID
X-Whom
X-TT
X-Seen-By
X-Goog-Metageneration
X-Goog-Generation
X-App-Environment
X-Goog-Storage-Class
X-Goog-Stored-Content-Encoding
X-Tb
Payment
X-Goog-Stored-Content-Length
Viewport
X-GUploader-UploadID
X-FW-Static
X-WebKit-CSP-Report-Only
X-FW-Hash
X-FW-Serve
X-FW-Server
X-FW-Dynamic
X-Varnish-Grace
X-FW-Type
Node
Fastcgi-Useragent
X-Distributor
X-User-Agent
Paypal-Debug-Id
DC
X-Ratelimit-Reset
X-Wix-Request-Id
Accept-Charset
TP-L2-Cache
TP-Cache
Country
X-XRDS-LOCATION
X-Fastly-Request-Id
X-App-Server
X-Cache-Rule
X-Litespeed-Cache
X-Webkit-Csp
X-Cache-Control
X-Tec-Api-Root
X-Tec-Api-Version
X-Tec-Api-Origin
X-Via-JSL
X-NGENIX-Cache
X-Cluster-Name
X-Fastcgi-Cache
X-Drupal-Cache-Tags
Version
X-Contextid
X-Signature
X-Microsite
X-Buckets
X-Request-Handler-Origin-Region
X-B-Cache
Referer-Policy
X-Origin-Upstream-Status
Amp-Access-Control-Allow-Source-Origin
X-Oracle-Dms-Ecid
Cache-Status
X-Node-Name
X-Oracle-Dms-Rid
X-Logged-In
Refresh
X-Mobile
X-Cache-Age
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Response-Served-From
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
X-Original-Request-Id
SD-X-WS
X-Browser-Type
X-Page-View
X-Real-IP
X-Cache-Expired-At
X-Jobs
X-IPLB-Instance
X-Vgn-Hpd-Reason
X-Load-Cache
X-Is-Bot
X-Rendered-As
X-Cacheable-TTL
NGB
X-ProcessESI
X-Proxy-Cache-Status
X-B
X-Varnish-Backend
Access-Control-Request-Headers
X-Debug
X-Revision
X-RemovedCookies
X-UUID
X-Yottaa-Optimizations
X-Yottaa-Metrics
X-Proxy
X-Rule
X-Cache-Action
X-Instance
X-Device-Type
Akamai-GRN
X-G
Surrogate-Key
X-Framework
X-Drupal-Cache-Contexts
X-Debug-IsPreview
X-FW-Version
X-Cache-Time
X-Debug-IsConnected
CF-IPCountry
X-Accel-Buffering
SID
GEO-INFO
X-Air-Source
X-Air-Hostname
X-Air-Trace-Id
X-Oneagent-Js-Injection
X-Cache-NGX
X-Ratelimit-Remaining
Count-Hit
X-PressLabs-Stats
X-Nginx-Cache
X-Cache-Operation
Uber-Trace-Id
X-Source
X-Azure-Ref
X-Presslabs-Stats
X-Zen-Fury
X-XRDS-Location
DynaTrace
X-Ms-Request-Id
X-Ms-Version
Protected
X-EdgeConnect-Cache-Status
Liferay-Portal
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-APP-VERSION
X-TEC-API-ROOT
Frame-Options
X-CDN-Forward
WPO-Cache-Status
X-RTag
Ms-Operation-Id
WPO-Cache-Message
MS-CV
X-Cache-Hit
X-Servername
X-Hyper-Cache
Ec-Rule-Version
X-Backend-Name
X-Cache-TTL-Remaining
Cross-Origin-Window-Policy
Countrycode
X-IPS-LoggedIn
X-RateLimit-Limit
Healthy
X-Environment-Context
X-L-Path
X-Tumblr-User
Xserver
X-Mode
X-Tumblr-Pixel-1
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Adobe-Loc
Backend
X-Varnish-Server
Content-Disposition
X-Adobe-Content
X-Trace-Id
X-RN-RSRV
X-Rewrite-Enabled
X-SaId
Meta-Geo
X-UPSTREAM-Address
X-Tid
X-Content-Age
X-Detected-As
X-JoinUs
LB
X-ShardId
X-Cache-Grace
Decoy-Debug-Key
X-Proxied
X-Uri
Country-Code
X-Zipkin-Id
Apigw-Requestid
X-Hosted-By
Decoy-Debug-Status
Url
X-Routing-Service
X-Redis-Cache
X-Cache-Server
X-Sorting-Hat-ShopId
X-Format
X-Debug-Cache
Decoy-Debug-TTL
X-Extlb
X-Sql-Duration-Ms
X-Shopify-Stage
X-Region
X-Alternate-Cache-Key
Eomportal-Instance
X-Generation-Time
X-ShopId
X-Sorting-Hat-PodId
X-Sql-Count
X-FB-TRIP-ID
X-PCL
X-PERF
X-Origin-Date
X-No-Session
X-NCache
X-Human
X-Microcachable
CDN-Cache
CDN-Uid
Mn-Server-Ip
X-Forwarded-Host
Fastly-SSL
CDN-RequestId
CDN-RequestCountryCode
X-Access
CDN-CachedAt
CDN-EdgeStorageId
CDN-PullZone
X-ApacheServer
X-OCL
X-ServerID
X-Via-Fastly
X-Site-Version
Cache-Name
X-UA-Device-Type
X-Varnish-Beresp-Grace
X-Section
X-Status
TWC-Locale-Group
TWC-Privacy
TWC-GeoIP-LatLong
Cache-Tv-Group
TWC-Device-Class
TWC-GeoIP-Country
Selected-Fe
X-Server-W
X-Timing-Wait
X-PHP-Backend
Property-Id
Webcakes-App-Name
TWC-Connection-Speed
Webcakes-App-Version
X-ProxyCache-Key
X-BYPASS-REASON
X-Cache-Type
X-ProxyCache-Status
X-Web-Node
X-Cache-Host
X-SayCDN-TTL
X-Proxy-Build
X-Origin-Hint
X-Say-TTL
X-Say-Cacheable
X-Generated-By
X-Content-Powered-By
Webcakes-Region
X-Storage
X-Cluster-Node
X-NYM-Debug-Backend
X-Pubstack
X-Akamai-Edgescape
X-Soup
Retry-After
X-Varnishpool
X-Hl-Ver
Section-Io-Cache
X-R9-Blue-Green-Version
X-Be
Azure-SlotName
Azure-Version
Azure-SiteName
Azure-InstanceId
Content-Secure-Policy
Azure-RegionName
X-Nginx-Cache-Key
X-Webkit-CSP
X-LSADC-Cache
X-Ua
X-NewRelic-App-Data
X-TIME
X-Unique-Id
DB-Nickname
X-Cache-Remote
X-Cached-By
X-TT-LOGID
X-Platform-Server
X-Bc-Bl
OT-Force-Account-Verify
X-Azure-Ref-OriginShield
Cache
X-Xfnlog-Site
X-Auto-Login
Source
X-Dc
X-Akamai-Transformed
X-Cache-Tags
X-GEO
Upgrade-Insecure-Requests
ServedBy
X-Cdn
From-Origin
SRV
X-LAGOON
X-Varnish-Cache-Hits
Xet-Cookie
HostName
X-Origin-TTL
X-Origin-CC
X-AOL-HN
X-Request-Time
Mime-Version
X-CSRF-Token
X-Loop
X-TNCMS
X-Varnish-Hits
Cache-Hits
X-NWS-UUID-VERIFY
X-HTML-Minification-Powered-By
X-App-Version
X-Varnish-Hostname
X-EC-Lua
X-S-Maxage
X-SRV
X-Time
WP-Super-Cache
X-Request-Host
Onion-Location
Webserver
X-ECache
X-FireWall-Port
X-Xrds-Location
X-Handled-By
X-Tumblr-Pixel-2
X-Tumblr-Pixel-3
Web-Mar-Node
X-Cache-Enabled
X-B3-SpanId
S-Rt
N-Cache
X-Endurance-Cache-Level
X-Proto
X-Correlation-ID
Ms-Author-Via
X-Adobe-Source
Nel
X-Akamai-Request-ID2
X-Http-Reason
X-RCS-CacheZone
X-Origin-Response-Time
X-Reqid
X-Tenant
X-PBS-Appsvrname
X-Processor
Redirect-Candidate
Pramga
X-Planisys-CDN-Rules
X-Planisys-CDN-TTL
X-Connection-Hash
X-Planisys-CDN-Cache
X-PAYTM-SRV-ID
X-D
Rendered-Blocks
X-ND-Cache
X-Ftr-Request-Id
X-Hnp-Log
X-Ig-Push-State
X-Forwarded-Path
A
Fastcgi-X-Cache-Version
X-GG-Cache-Date
BehaviorPad-Version
X-Gen-Mode
Expiry
X-External-Request-Id
X-AWS-Id
Mobile-Detection-Method
X-Destination
DCR-Decision-By
X-Orig-Expires
Meta-Geo-Continent
DCR-Processing-Time-Ms
X-Epic-Correlation-Id
X-Developer
X-B-Cookie
X-NAPM-TraceId
Odigeo-Trace-Id
X-VWS-Id
X-Vdms-Path
X-V-Cache
X-Vdms-Version
X-VG-WebCache
X-A
X-Conf
X-TIM-N
X-SRCache-Key
User-Cache-Control
V-Age
Vix-Hermes-Req-Id
X-LJ-Flow-ID
X-A-Ccd
X-Aed
X-A-Wwc
X-Backend-TTL
X-Application
X-ARC
X-A-Dgt
Xc-Version
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
X-A-Dam
X-A-Dcw
X-Slack-Backend
X-Block-Status
X-ScT
Surrogated-Key
X-CF-Lambda-Version
X-CF-Lambda-Fn
X-S
X-SD-PageType
X-Session-Fingerprint
X-Shop-Environment
X-Cache-NE
X-Rojux
X-S-Cookie
X-Cluster
X-Amz-Meta-S3cmd-Attrs
X-Ckpd-Fst-Backend
Sslversion
X-MP-GENERATED-AT
X-Mg-Request-UUID
X-Magnolia-Registration
Server-Info
X-Time-Microsecs
X-Edge-Location
Cmsid
X-Forwarded-Site
State
DSUID
X-Aicache-OS
Cmstype
X-Geo-Header
X-Core-Mission
Fastcgi-Cache-TTL
X-Accel-Expires-Debug
X-Gdpr
X-Fetched-On
X-Cache-Bucket
Origin
Origin-CC
X-Cdn-Srv
X-Cache-Date
X-Date
Traceparent
True-Client-Country-4JS
X-Device-Os
Wxu-Next-Commit
X-Fastly-Cache
X-Cache-Info
Svr
Host-ID
Wxu-Next-Region
Origin-EX
Wxu-Next-Hostname
Gh-Request-Id
X-Mvc-Supplant-Cachable
X-Origin-Expires
X-Origin-Time
X-Policy
X-Request-URI
X-Origin
X-Old-Content-Length
X-Location
X-Men
X-NodeID
X-Nyt-Route
X-Rocket-Nginx-Serving-Static
X-Scheme
X-Viewer-Country
X-VServer
X-Webstats-RespID
X-Fastly-Backend
X-VG-TLSProxy
X-SVT-ORM-VERSION
X-Server-IP
X-Sucuri-Cache
X-Sucuri-ID
X-SVT-ORM-RULES
X-LI-UUID
X-Proxy-Upstream
X-GeoIP-Region-Code
CacheControlHeader
X-GeoIP-Country-Code
X-Hash
Arc-Country
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
Apple-News-Services-Host
Apple-News-Services-Handled
AKAMAI
CDCHOST
X-Locale
X-Li-Pop
X-Li-Fabric
X-Via-NSCOPI
Environment
CloudFront-Viewer-Country
X-Generated-On
X-JWT-State
X-Storefront-Renderer-Rendered
X-Backend-State
X-Cache-Debug
X-TH-Server
X-Restarts
X-Sn-Servicetimems
X-Thinkindot-L3
X-Is-Gdpr
X-GeoIP
X-Has-Esi
X-Cdn-Origin
X-Cache-Id
X-BBC-Edge-Cache-Status
X-Branch-Name
X-TrackingId
X-UnsetCookies
X-Varnish-Beresp-Status
X-FC-Vary-Parameters
X-Served-From
X-HS-Content-Campaign-Id
X-Datadog-Trace-Id
X-Owner
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
X-Irp-Debug
X-Labrador-Cache-Channel
X-Eu-Site
X-Envoy-Decorator-Operation
X-Developers
X-Node-Id
X-Level-Front-Cache
X-PHP-Host
X-Platform
X-Rocket-Build-Number
X-Gzip
X-CGP
X-Sigma
X-Sigma-Backend
X-Req
X-Region-Sid
X-GeoIP-City
X-Csrf-Jwt
X-Core-Value
X-RateLimit-Limit-Second
X-RateLimit-Remaining-Second
X-Skip-Cache
X-Esi-Check
Fastly-GeoIP-CountryCode
Req-Svc-Chain
Release
X-Amz-Apigw-Id
X-Amzn-RequestId
TDXMobile
Ssr
X-Varnish-Beresp-Ttl
Mail-Subject
L
HA-Ipaddr
Ha-Gx-Prefs
L5d-Success-Class
Locid
Fastly-Drupal-Html
Machine
Thinkindot-CacheControl
Server-Host
Web-Mar-Region
Thinkindot-CacheControl-Type
Thinkindot-Control
X-ATG-Version
We-Hiring
X-Pod-Name
X-Zone
X-Variation
X-Cache-Var
X-Varnish-Remaining-TTL
X-Worker
X-Gamma-Serve
X-HN
X-VarnishDD-TTL
X-Varnish-CookieINHashed-On
X-Varnish-CookieHashed-On
Cf-Device-Type
X-DPWN-IS-SECURE
X-DefHash
X-Rebelmouse-Surrogate-Control
X-Rebelmouse-Cache-Control
X-Loc
X-Qloud-Router
X-DefElseHash
X-Response-By
Fastly-SIE
X-NU-AKA-ACS-Version
Is-Eu
Platform
X-Cache-Var-Map
Adler-Geo
Fastly-SWR
NM-Fastcgi-Cache
X-Amzn-Remapped-Content-Length
PFcat
Magicmarker
Accept-Language
X-Trace-ID
X-Tx-Id
X-Ua-Device
X-RPM
X-Action
X-DSS
X-DI
X-NC
NGX
X-RPS
X-DW
X-CS
Memcached
Edge-Cache
X-Cache-Backend
X-RSL
AMP-Access-Control-Allow-Source-Origin
X-Wix-Viewer-Type
X-DB
Kp-EeAlive
X-Request-Start
X-Up
X-TraceId
X-Mvc-Supplant-OutputCached
X-VC-Cache
CDN
X-LB-ID
X-Srv
X-LB-NoCache
X-Optimistic-Header
X-Thanos
X-Minions-Version
Pics-Label
X-CacheTTL
X-Bip
X-Generated-In
X-Qnm-Cache
X-M-Log
X-M-Reqid
X-Tb-Optimization-Total-Bytes-Saved
Locale
X-URL
Env
X-Urbn-Context-Path
X-Urbn-Site-Id
X-API-Version
Memory
Time
X-Refresh
X-Varnish-Ttl
WebServer
X-Cache-Config
X-DC
X-Via-Popv
X-Via-Popn
X-Via-Poph
X-Tt-Logid
X-HA-Backend
X-Edge-Pop
Datacenter
GeoIp-Country-Code
X-CACHE-KEY
X-User
X-Ec-Fail
X-Ec-GeoHdr
X-Parent-Response-Time
X-TA-CDN-Provider
X-DynaTrace-JS-Agent
NtCoent-Length
X-Servedbyhost
X-Esi
Server-ID
Candidate-Md5Url
X-ZONE
X-Dynatrace
X-MSEdge-Flight
X-MSEdge-Features
X-Cs
X-Webkit-Csp-Report-Only
X-CLOUD-TRACE-CONTEXT
Cdnsip
X-AK-Request-ID
Cdncip
WWW-Authenticate
On-Server
X-Vc
X-TX-ID
X-Datadome
X-Varnish-Beresp-TTL
My-App
X-Fmm-Version
Cluster
X-WADP-Cache
Esi-Enabled
X-Clara-WADP
X-VCL-Version
Tracecode
X-CUA
X-Var-Ttl
X-Cache-Ttl
X-LI-Proto
Geoip-Latitude
X-App
X-Fpc
X-Traceid
X-Pass-Why
X-From
T-Server
X-Cache-PHP
C-Via
X-Li-Proto
X-Unique-ID
X-Service
Lfy
DataCenter
X-VC
X-Fragments
X-FPC
Lang
X-B3-Spanid
X-Newrelic-Synthetics
X-NODE
Cf-Int-Pingora-Origin-Digest
Fastly-Drupal-HTML
X-Webkit-CSP-Report-Only
Geo-Info
Test
Proxy-Connection
X-Vcl-Version
Target-Params
X-Mcache
X-WP-CF-Super-Cache-Cache-Control
M-TraceId
X-WP-CF-Super-Cache
X-Cache-Status-Check
Resin-Trace
X-Render-Time
X-Provided-By
Server-Id
X-LiteSpeed-Cache-Control
X-RAMCache
X-Api-Version
X-CSRF-TOKEN
Permissions-Policy
X-ID
X-Ha-Backend
GeoIP-Country-Code
MIME-Version
Hostname
X-Clientip
WZWS-RAY
X-Edge-POP
Servername
X-ServedByHost
X-Httpd
X-Proxy-Cache-Info
Hit
X-Dynatrace-Js-Agent
X-Geo
Producers
X-Via-PopV
X-Pad
FSS-Cache
X-Cdn-Forward
X-Via-PopN
X-Via-PopH
X-SB
X-Fastly-Backend-Reqs
X-Platform-Router
X-Edge-Cache
X-LiteSpeed-Tag
X-Udemy-Cache-App-Namespace
Cache-Host
ENV
X-Pool
HIT
X-Platform-Cluster
X-Oss-Request-Id
X-Oss-Object-Type
X-Oss-Hash-Crc64ecma
X-Platform-Processor
X-Oss-Storage-Class
X-Oss-Server-Time
X-NGINX-Cache
UCS
Section-Io-Origin-Time-Seconds
X-AIR-PT
Section-Io-Origin-Status
X-Ucs
Section-Io-Id
X-ElasticPress-Query
X-Ec-Custom-Error
S-Cnection
X-Scale
X-Info
Section-Origin-Responded
X-Acquia-Application-Trace
X-Acquia-Application-UUID
X-Dispatcher-Number
X-UP
X-Acquia-Purge-Tags
URI
PICS-Label
MD5-Digest
Server-Ext
Server-Hostname
Sever-Int
X-Cache-CFC
X-Lb-Nocache
Uri
X-Cache-Expires
X-BBC-Origin-Response-Status
ServerName
X-Acquia-Site
Cneonction
X-HS-Status
X-Check-Cacheable
X-GoCache-CacheStatus
X-Srcache-Fetch-Status
X-Srcache-Store-Status
Ohc-File-Size
X-Cdn-Request-ID
X-Nc
X-CACHE-AGE
Server-Ttl
Cteonnt-Length
X-Fastly-Cache-Hits
User-Agent
Fastly-Backend-Name
X-Lb-Id
X-Micro-Cache
X-Swift-Error
X-SIPLIST1
X-Via-Ucdn
Tcn
X-RateLimit-Reset
IsBot
X-Release
X-Dw-Trace-Id
CF-Cached-On
X-Cms-Context
X-B3-ParentSpanId
Wpo-Cache-Message
Vha6-Origin
X-Akamai-ERRuleID
X-Akamai-ERPolicy
X-Vcache
X-Backend-Host
Cf-Ipcountry
X-Newrelic-App-Data
Wpo-Cache-Status
X-Snapshot-Date
Ngx
X-Yottaa-OS
Load-Balancing
Sid
X-HostName
X-Cache-Ngx
X-ServerName
X-Air-Pt
GeoIP-Latitude
X-UA
X-Logging-Id
X-Shopify-Generated-Cart-Token
X-Via-CDN
X-Fetch-By
X-Sentry-ID
X-Varnish-Authentication
X-IN-APIGATEWAY
X-Litespeed-Cache-Control
X-B3-Parentspanid
X-IN-APIGATEWAYSSL
Inserted-Into-Cache-At
X-Akamai-Pragma-Client-IP
X-Http-Count
X-Last-Modified
X-Apw-Access-Action
X-Http-Duration-Ms
EpKe-Alive
X-Te-Duration-Ms
X-Cache-ASPX
Req-ID
X-CacheKey
X-BCube-Filmed-By
X-Akamai-Request-ID
X-Te-Count
Shield-Pop
CountryCode
X-APP
X-Apw-Access-Object
X-Apw-Access-Token
X-Apw-Hits
X-Contensis-Viewer-Groups