Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Strict-Transport-Security
Content-Length
X-Content-Type-Options
Link
Last-Modified
Cf-Request-Id
CF-Cache-Status
CF-RAY
ETag
X-XSS-Protection
Accept-Ranges
Expect-CT
Pragma
X-Powered-By
X-Cache
Via
Age
Content-Security-Policy
Report-To
NEL
Alt-Svc
Referrer-Policy
Access-Control-Allow-Origin
Content-Language
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
X-Served-By
P3P
X-Download-Options
X-Xss-Protection
X-Request-Id
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Varnish
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-FRAME-OPTIONS
Access-Control-Allow-Credentials
Content-Security-Policy-Report-Only
X-AspNet-Version
X-Runtime
P3p
X-DNS-Prefetch-Control
Accept-CH
Accept-CH-Lifetime
X-Cache-Status
X-Drupal-Cache
X-Check
X-Generator
X-Ua-Compatible
Server-Timing
X-Cacheable
X-Envoy-Upstream-Service-Time
Timing-Allow-Origin
X-Iinfo
X-Request-ID
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-Content-Security-Policy
Feature-Policy
Content-Encoding
X-CDN
Status
X-AspNetMvc-Version
Upgrade
Access-Control-Max-Age
X-Via
X-Amz-Request-Id
X-Amz-Id-2
Host-Header
CF-Ray
Cf-Edge-Cache
Allow
X-Backend
Request-Context
X-UA-Device
Keep-Alive
X-Robots-Tag
X-Server
X-Cache-Group
X-Hacker
X-AH-Environment
X-Turbo-Charged-By
X-Ws-Request-Id
X-Proxy-Cache
X-Age
X-Rq
Xkey
X-Vhost
EagleId
X-Dispatcher
X-Server-Powered-By
X-Amz-Version-Id
X-Varnish-Cache
Grace
Cf-Apo-Via
X-Page-Speed
X-Pingback
X-Swift-CacheTime
X-Swift-SaveTime
Cf-Railgun
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Device
Ali-Swift-Global-Savetime
X-WebKit-CSP
EagleEye-TraceId
X-LiteSpeed-Cache
X-Aws-Lambda-Call-Status
X-CST
X-Dns-Prefetch-Control
X-OneAgent-JS-Injection
X-Backend-Server
Permissions-Policy
X-Server-Id
X-Readtime
X-Response-Time
X-Host
X-Akam-SW-Version
Request-Id
Surrogate-Control
X-Litespeed-Cache
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-HW
X-Nginx-Upstream-Cache-Status
X-Cloud-Trace-Context
X-Node
X-Nginx-Cache-Status
X-Cache-Lookup
X-Application-Context
X-Country-Code
Content-Location
X-Ruxit-JS-Agent
X-Trace
X-Country
Service-Worker-Allowed
X-Url
X-Content-Type
X-Clacks-Overhead
X-Oneagent-Js-Injection
X-Origin-Cache-Key
X-Edge
Accept-Ch-Lifetime
X-Rack-Cache
X-Amz-Server-Side-Encryption
Cross-Origin-Opener-Policy
Cache-Tag
X-Mcache
X-FTR-Request-ID
X-Midtier
X-Mod-Pagespeed
X-MS-InvokeApp
Nginx-Cache
X-PC
X-Vname
X-TtlSet
X-ESI
X-Upstream
X-ECACHE
X-Powered-By-Plesk
Rating
Edge-Control
X-Server-Name
X-Browser-Type
X-D2id
X-Times
X-Element-Page-Cache
Verso
X-Exp-Id
X-Kinja-Revision
X-Kinja-Server
X-Kinja-Build
X-Kinja
X-GoogleNews-Bot
X-Cdn-Fetch
X-Exp-Variant
X-Cnection
SPRequestDuration
SPIisLatency
X-Ac
X-B3-TraceId
AR-SID
AR-PoweredBy
AR-ATIME
AR-Request-ID
X-Ruxit-Js-Agent
X-SharePointHealthScore
SPRequestGuid
X-Navigation-Version
X-Abt-Application-Version
X-Vcap-Request-Id
X-Ser
X-NF-Request-ID
X-Dw-Request-Base-Id
X-GitHub-Request-Id
X-RateLimit-Remaining
X-NWS-LOG-UUID
AR-CACHE
Pinterest-Generated-By
Pinterest-Version
X-Pinterest-Rid
X-VARITI-CCR
X-Mg-S
S
X-Sol
Display
Pagespeed
X-Middleton-Display
X-Client-IP
X-Ttl
Edge-Cache-Tag
X-Cache-Key
RTSS
Fastly-Restarts
X-Amzn-Trace-Id
X-Amz-Rid
X-Cache-TTL
X-Powered-CMS
X-Kraken-Loop-Name
X-Goog-Hash
X-Server-Lifecycle-Phase
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Instrumentation
Cache-Status
X-Edge-Location-Klb
X-Kinsta-Cache
X-Version
Accept-Ch
Access-Control-Request-Method
X-Erf-Stays-Pdp-Viaduct-Migration-Web-V2
X-Recruiting
X-Server-ID
X-Varnish-TTL
X-ARC
Origin-Trial
X-Content-Digest
Response
X-TraceId
X-Middleton-Response
X-Forwarded-For
X-T
Arr-Disable-Session-Affinity
X-Content-Security-Policy-Report-Only
X-MSEdge-Ref
X-SRCache-Fetch-Status
X-SRCache-Store-Status
Content-MD5
MicrosoftSharePointTeamServices
X-Accel-Expires
TP-Cache
X-Daa-Tunnel
X-Shield-Request-Id
X-Hits
Cross-Origin-Resource-Policy
X-Cached
Front-End-Https
Public-Key-Pins
X-Id
X-FastCGI-Cache
X-FTR-Balancer
X-Country-Code-Real
MS-Author-Via
X-FTR-Cache-Status
X-FTR-Backend
X-FTR-Backend-Server
X-FTR-Expires
X-Request-Processing-Time
X-HS-Cache-Config
X-HS-Hub-Id
X-HS-Content-Id
X-Request-Received
X-Ua-Browser
Server-Node
X-HS-Combine-CSS
X-ORACLE-DMS-RID
X-DIS-Request-ID
Payment
X-Frontend
X-Forwarded-Proto
X-LLID
X-HP-Trace-Id
X-HP-Webp
X-Jurisdiction
Realpath
X-Webkit-Csp
X-Protected-By
X-GUploader-UploadID
TP-L2-Cache
X-LB-Cache
X-Fastcgi-Cache
X-Ratelimit-Limit
Cache-Tags
X-Distributor
X-ORACLE-DMS-ECID
X-Amzn-RequestId
X-Amz-Apigw-Id
X-Origin-Server
X-XRDS-LOCATION
X-Microsite
X-Request-Handler-Origin-Region
Count-Hit
X-Hostname
Referer-Policy
X-Page-Id
X-Kong-Proxy-Latency
X-Az
X-AppVersion
X-Geo-Country
X-Kong-Upstream-Latency
X-Activity-Id
Mrf-Cache-Status
MRF-Tech
X-B3-TraceId-Primal
X-Cluster-Name
X-Debug-Info
X-RateLimit-Limit
X-Varnish-Backend
X-Www-Served-By
X-Correlation-Id
X-F-Cache
Accept-Charset
Fastcgi-Cache
Host
X-NGENIX-Cache
X-App-Server
X-Envoy-Decorator-Operation
X-Varnish-Server
X-PressLabs-Stats
X-Fastly-Request-Id
X-FB-Debug
X-Goog-Metageneration
X-Ua-Device
X-TTL
Access-Control-Allow-Method
X-RateLimit-Reset
X-Git-Hash
Retry-After
X-CSRF-Token
X-TEC-API-ROOT
X-Upgrade-Enabled
X-TEC-API-VERSION
X-TEC-API-ORIGIN
X-Load-Cache
X-WebKit-CSP-Report-Only
X-Ezoic-Cdn
X-Content-Options
Server-Name
X-Seen-By
X-Contextid
X-Revision
X-Datadog-Trace-Id
X-Datadog-Sampling-Priority
X-Px
X-Datadog-Parent-Id
Charset
X-Request-Guid
TCN
X-Amz-Meta-S3cmd-Attrs
X-Cache-Control
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Varnish-Ttl
X-Type
X-Grace
DC
X-Trace-Id
Section-Io-Cache
X-Kinja-CCPA
Paypal-Debug-Id
Cleartype
X-TT
X-B3-Sampled
X-B
X-Signature
X-App-Environment
X-Fb-Rlafr
X-B-Cache
X-Whom
Healthy
X-Newrelic-App-Data
X-Wix-Request-Id
X-Node-Name
Frame-Options
X-Mobile
X-Origin-Cache
X-Magnolia-Registration
X-Amz-Replication-Status
X-Rid
X-Azure-Ref
X-EdgeConnect-Cache-Status
X-Goog-Generation
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length
X-Goog-Storage-Class
X-Proxy
X-Route-Name
X-Flags
X-Is-Crawler
X-Logged-In
X-Providence-Cookie
X-Aspnet-Duration-Ms
X-N
Filterid
X-Language
X-Oracle-Dms-Ecid
X-WP-CF-Super-Cache-Cache-Control
X-WP-CF-Super-Cache
X-Air-Pt
X-Ratelimit-Remaining
Backend
Content-Disposition
Akamai-GRN
X-Response-Served-From
X-Original-Request-Id
X-Time
Upgrade-Insecure-Requests
NGB
VIX-Pulpo-Node
X-Oracle-Dms-Rid
VIX-Pulpo-Upstream-Status
X-Proxy-Cache-Info
X-Cache-Age
X-Template
X-Rendered-As
X-Unique-Id
X-Tumblr-User
X-Tumblr-Pixel-1
Refresh
X-Tumblr-Pixel-0
X-RemovedCookies
X-Varnish-Grace
X-Fastly-Request-ID
X-Debug-IsConnected
X-Debug-IsPreview
SD-X-WS
X-Yottaa-Optimizations
X-Datadog-Sampled
X-Tumblr-Pixel
X-Yottaa-Metrics
X-Is-Bot
X-ProcessESI
X-Adobe-Loc
X-Instance
X-IPS-LoggedIn
X-Adobe-Content
X-UUID
Ms-Operation-Id
Viewport
MS-CV
Liferay-Portal
X-Servername
X-RTag
X-Amzn-Remapped-Content-Length
X-FW-Static
X-FW-Server
X-FW-Type
X-FW-Version
X-Cache-Grace
X-Cacheable-TTL
X-FW-Serve
X-G
X-FW-Dynamic
X-Debug
X-FW-Hash
X-Region
X-User-Agent
From-Origin
Fastly-SIE
X-L-Path
Fastly-SWR
X-Environment-Context
X-Backend-Name
X-Rule
X-Hl-Ver
X-NYM-Debug-Backend
X-App-Version
X-Device-Type
Country
X-Cache-Hit
X-Status
X-Jobs
Url
ServerID
X-Via-JSL
X-CCDN-Origin-Time
X-B3-SpanId
X-Hcs-Proxy-Type
X-CCDN-CacheTTL
Countrycode
X-Origin-CC
X-VC-Cache
X-Origin-TTL
WPO-Cache-Message
WPO-Cache-Status
X-INCAP-ABP
X-Page-View
X-Webkit-CSP
Alternate-Protocol
Version
X-Cache-Status-Check
Surrogate-Key
X-Air-Trace-Id
X-Air-Hostname
X-Hosted-By
X-Air-Source
X-HTML-Minification-Powered-By
X-Akamai-Request-ID2
X-Content-Powered-By
X-Source
GEO-INFO
X-NODE
Protected
X-WP-CF-Super-Cache-Active
CDN-RequestId
X-Akamai-Edgescape
X-Rocket-Nginx-Serving-Static
X-Storage
X-B3-Traceid
X-Accel-Version
OT-Force-Account-Verify
AMP-Access-Control-Allow-Source-Origin
X-Tec-Api-Version
X-Tec-Api-Origin
X-Framework
Access-Control-Request-Headers
X-VC
X-Tec-Api-Root
X-Real-IP
X-Nginx-Cache
Amp-Access-Control-Allow-Source-Origin
X-Edge-Location
X-Http-Reason
Front
X-Cache-Rule
X-Mode
X-ServerID
Xet-Cookie
SRV
Filters
Meta-Geo
X-Upstream-Ht
X-Upstream-Ct
X-Rewrite-Enabled
X-UPSTREAM-Address
Webserver
X-Cache-Time
X-Httpd
X-Cache-Operation
X-Xfnlog-Site
X-Rn-Rsrv
X-Soup
X-Tumblr-Pixel-3
X-JoinUs
X-Timing-Wait
X-Proxy-Build
Accept-Language
X-Varnish-Cache-Hits
X-Origin
X-Director
X-SaId
Selected-Fe
X-Served-From
X-Tumblr-Pixel-2
X-Say-TTL
X-Cache-Debug
X-Detected-As
ServedBy
X-Logging-Id
X-Handled-By
X-Labrador-Cache-Channel
X-PHP-Host
X-Adobe-Source
X-Redis-Cache
X-Web-Node
X-Worker
X-Use-Mantle
X-Say-Cacheable
X-SayCDN-TTL
X-Endurance-Cache-Level
Node
X-Varnish-Age
Property-Id
X-AB
DB-Nickname
X-Browser-Name
X-Loop
X-VCT
X-Geo-Region
X-Is-Desktop
Azure-SlotName
X-Varnish-Beresp-Grace
X-GeoCountry
Azure-Version
X-Is-Mobile
Azure-SiteName
X-Is-Tablet
X-GeoCode
X-Is-Supported-Browser
Azure-InstanceId
Azure-RegionName
Apigw-Requestid
Xserver
X-BYPASS-REASON
X-ProxyCache-Key
X-Tncms
X-Origin-Hint
X-Cms-Context
Webcakes-Region
X-RM-Cache-TTL
X-Server-W
TWC-Connection-Speed
X-ProxyCache-Status
X-Skip-Cache
X-S
X-Tcp-Rtt
X-Restarts
Section-Io-Id
X-No-Session
TWC-Privacy
Web-Mar-Node
Webcakes-App-Version
TWC-GeoIP-LatLong
TWC-Device-Class
TWC-GeoIP-Country
X-CDN-Forward
TWC-Locale-Group
Webcakes-App-Name
X-Lambda-Id
X-Format
X-Fetched-On
X-DynaTrace
X-IPLB-Request-ID
X-AWS-Id
X-Generation-Time
X-LJ-Flow-ID
X-Tb
X-Locale
X-IPLB-Instance
X-Git-Commit
X-Cache-Host
X-R9-Blue-Green-Version
X-Container-Uri
X-Vercel-Id
X-VWS-Id
CF-IPCountry
Mn-Server-Ip
Cross-Origin-Embedder-Policy
X-Vercel-Cache
X-Site-Version
X-Cache-Server
X-RCS-CacheZone
X-Platform-Router
X-Extlb
X-Platform-Cluster
X-Platform-Processor
X-Ms-Request-Id
X-Zipkin-Id
X-Ms-Version
X-Cluster
X-Reqid
X-Routing-Service
X-Provided-By
X-Proxied
X-Uri
X-TT-LOGID
X-Frame-Option
X-Forwarded-Host
X-Vcache
X-MP-GENERATED-AT
X-Webstats-RespID
X-Drupal-Cache-Tags
X-Drupal-Cache-Contexts
WP-Super-Cache
X-Origin-Date
X-Storefront-Renderer-Rendered
X-Alternate-Cache-Key
CDN-Cache
X-Shopify-Stage
CDN-EdgeStorageId
CDN-Uid
Cache-Tv-Group
CDN-RequestPullSuccess
CDN-RequestPullCode
CDN-PullZone
CDN-RequestCountryCode
CDN-CachedAt
Source
Fastcgi-Useragent
X-Sucuri-Cache
Priority
X-XRDS-Location
X-Vcl-Version
Content-Secure-Policy
X-Sql-Duration-Ms
X-Sql-Count
X-FB-TRIP-ID
X-Sucuri-ID
X-Sorting-Hat-ShopId
X-ShardId
X-Sorting-Hat-PodId
X-ShopId
X-Cdn-Origin
Sid
X-Generated-By
Onion-Location
X-SRV
Cross-Origin-Embedder-Policy-Report-Only
X-Newrelic-Synthetics
X-Urbn-Context-Path
X-Urbn-Site-Id
X-Content-Age
Locale
X-Pass-Why
X-Buckets
X-ECache
WZWS-RAY
X-Cluster-Node
Atl-Traceid
S-Rt
X-Thinkindot-L3
X-Scope-Id
TDXMobile
X-Shield-Cache-Expires
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
Thinkindot-Control
X-CMSURLCustom
Cache
X-DataDome
X-Cache-Action
HostName
Cross-Origin-Window-Policy
X-Use-Magma
X-LSADC-Cache
X-Proxy-Cache-Status
X-Cache-Expired-At
X-GEO
X-Ua
X-WP-CF-Super-Cache-Cookies-Bypass
X-Xrds-Location
X-Optimistic-Header
X-Dc
X-Via-Edge
Edge-Copy-Time
X-Via-CDN
X-Via-SSL
X-Varnish-Beresp-Ttl
Ngx.Var.Host
Rendered-Blocks
Redirect-Candidate
Origin-Agent-Cluster
Origin
Ngx-Var-Key
Req-ID
Gannett-Cam-Experience-Id
CDCHOST
DCR-Processing-Time-Ms
Lang
MD5-Digest
DCR-Decision-By
Meta-Geo-Continent
Candidate-Md5Url
X-A-Dgt
X-External-Request-Id
X-PAYTM-SRV-ID
X-Platform
X-Request-Start
X-Epic-Correlation-Id
X-Ec-GeoHdr
X-Dispatcher-Server
X-Ec-Custom-Error
X-Ec-Fail
X-Rojux
X-S-Cookie
X-Vdms-Path
X-Vdms-Version
X-Viewer-Country
X-Vtex-Remote-Cache
X-Varnish-Hostname
X-TIM-N
X-Scheme
X-ScT
X-SRCache-Key
X-Developer
X-Destination
X-A
X-A-Ccd
X-A-Dam
X-A-Dcw
Vix-Hermes-Req-Id
Type
Sslversion
Surrogated-Key
T-Server
X-Aed
X-Application
X-Cache-NE
X-Conf
X-D
X-Cache-Bucket
X-Bl-Debug
X-B-Cookie
X-Bc-Bl
X-BCube-Filmed-By
Server-Host
X-A-Wwc
X-Request-URI
Expiry
User-Cache-Control
X-Connection-Hash
X-GeoIP-Country-Code
X-GeoIP-Region-Code
X-Gdpr
X-Fastly-Cache
X-Forwarded-Site
X-Gzip
X-Loc
X-Node-Id
X-Nyt-Route
X-NMSegId
X-Mly-Id
X-Level-Front-Cache
X-Esi-Check
X-Human
X-Debug-Cache-Fetch
Ssr
V-Age
X-TA-CDN-Provider
X-Correlation-ID
Release
NM-Fastcgi-Cache
Pramga
X-VCache
X-Bip
X-Core-Value
X-Origin-Time
X-Clientip
X-Cache-Info
X-Branch-Name
X-Cache-Id
X-Debug-Cache-Store
X-Pool
Apple-News-Services-Parsed-Url
Apple-News-Services-Request-Url
L
Apple-News-Services-Host
Apple-News-Services-Handled
X-We-Are-Hiring
A
Server-Ext
Server-Hostname
X-SB
X-Section
X-Op-Id-All
X-Instance-Name
Sever-Int
X-Access
X-WA-Info
X-Mg-Request-UUID
X-SD-PageType
X-Sigma
X-Sigma-Backend
X-Rocket-Build-Number
X-Request-Time
X-Proxied-Request
X-Pubstack
X-TH-Server
X-Thanos
X-VG-WebCache
X-VServer
X-VG-TLSProxy
X-Varnishpool
X-Varnish-Beresp-Status
X-Varnish-Director
Magicmarker
X-Generated-On
Fastly-SSL
Content-Script-Type
Fastly-GeoIP-CountryCode
Cluster
Environment
Content-Style-Type
DSUID
Host-ID
X-Origin-Response-Time
X-TimeS
X-Datadome
X-Service
X-Gen-Mode
Canary
X-FC-Vary-Parameters
X-GeoIP
X-GoCache-CacheStatus
X-HS-Content-Campaign-Id
X-GeoIP-City
X-Geo-Header
X-From
X-DPWN-IS-SECURE
X-Contensis-Viewer-Groups
X-Req
C-Via
X-Cache-Date
X-Nginx-Cache-Key
X-NCache
X-Moov-T
X-Irp-Debug
X-Moov-Xdn-Version
X-Device-Os
Req-Svc-Chain
X-Mvc-Supplant-Cachable
X-Server-IP
Wxu-Next-Region
X-Acquia-Purge-Cdn-Unconfigured
X-Amz-Meta-Cb-Modifiedtime
X-Request-Host
Wxu-Next-Hostname
X-SVT-ORM-RULES
X-Var-Ttl
X-Varnish-Authentication
X-V-Cache
Wxu-Next-Commit
X-SVT-ORM-VERSION
X-RateLimit-Remaining-Second
X-RateLimit-Limit-Second
X-Cache-TTL-Remaining
X-Old-Content-Length
Adler-Geo
X-Mvc-Supplant-OutputCached
X-Micro-Cache
X-Org
X-Block-Status
X-B3-Trace-ID
X-Auto-Login
X-Policy
X-PERF
X-BBC-Edge-Cache-Status
X-Men
X-Hnp-Log
X-Ad-Load-Variation
X-Cache-Aspx
X-Aicache-OS
Is-Eu
X-ApacheServer
True-Client-Country-4JS
Uber-Trace-Id
We-Hiring
Web-Mar-Region
X-Zen-Fury
Esi-Enabled
Machine
X-UA-Device-Type
Cache-Provider
On-Server
Producers
Mail-Subject
Gh-Request-Id
Platform
Fastly-Drupal-HTML
Tube-Got-Results
Cdnsip
X-Test
Yak-Timeinfo
Cdn-Host
X-Fmm-Version
X-Slack-Backend
Cdncip
X-Sn-Servicetimems
X-Slack-Shared-Secret-Outcome
X-Up
Cdn-Request-Time
X-Proto
X-AK-Request-ID
X-Wikidot-Backend
AKAMAI
X-Wikidot-Static-Cache
Cache-Key
Proxy-Firewall
Tube-Return
X-Cdn-Srv
W
X-Hash
RNT-Time
RNT-Machine
X-Edge-Server
Locid
X-Region-Sid
Click-Count-Error
Country-Code
X-Fastly-Backend
Click-Count-Action-Start
Cf-Device-Type
Tube-Got-Eval
X-ND-Cache
X-App-Name
Tube-Get-Contents
X-Azure-Ref-OriginShield
X-Parent-Response-Time
X-Owner
X-Date
L5d-Success-Class
NGX
X-Core-Mission
X-Amz-Storage-Class
X-CacheTTL
X-Eu-Site
X-Csrf-Jwt
X-CGP
X-Accel-Expires-Debug
PFcat
X-HN
Ha-Gx-Prefs
HA-Ipaddr
Fastly-Backend-Name
X-VarnishDD-TTL
X-NGINX-Cache
X-Ah-Environment
X-Tx-Id
X-LB-ID
X-Backend-Instance
X-ZONE
X-DynaTrace-JS-Agent
Pics-Label
IsBot
XM
X-COUNTRY
X-SIPLIST1
X-DC
LB
X-CACHE-GROUP
X-Tb-Optimization-Total-Bytes-Saved
X-HA-Backend
X-Varnish-Hits
X-Via-Popv
X-Servedbyhost
NtCoent-Length
X-Qloud-Router
X-Via-Popn
X-Via-Poph
X-Refresh
X-Origin-Expires
X-Cache-Backend
X-API-Version
X-Lagoon
Datacenter
X-Ratelimit-Reset
X-RID
Expect-Staple
X-CF-Lambda-Version
X-CF-Lambda-Fn
X-CDN-Cache-Status
N-Cache
GeoIp-Country-Code
Cdn
X-VHOST
X-UA
X-Cache-Type
RATING
X-Orig-Expires
X-Shop-Environment
X-Forwarded-Path
Xc-Version
X-LB-NoCache
X-Tenant
Cdn-Requestid
CloudFront-Viewer-Country
X-Gamma-Serve
Cmstype
X-Nananana
Cmsid
X-Srv
CPC-Cache
X-Wa
X-Zone
CPC-Age
X-Nc
Server-ID
Cross-Origin-Opener-Policy-Report-Only
SID
X-Akamai-Transformed
X-Via-Fastly
X-Vmg-Version
X-B3-Parentspanid
X-Cdn-Diag
X-TX-ID
Cache-Hits
GeoIP-Latitude
DataCenter
Uri
X-Hit
X-Fpc
Resin-Trace
User-Agent
X-Proxy-CacheRZ
X-Nf-Request-Id
X-Location
X-Ig-Origin-Region
X-Tt-Logid
XkeyRZ
X-Client-Ip
Fusion-Template-Id
X-CS
Fusion-Content-Id
CacheControlHeader
Fusion-Content-Source
X-URL
Cf-Ipcountry
X-Presslabs-Stats
Fusion-Component-Id
Fusion-Source
X-Variation
X-LAGOON
Fusion-Deployment-Id
Srv
Fastly-Drupal-Html
X-Cloudmap
X-Cdn-Forward
X-DataCenter
X-Fastly-Country-Code
X-TIME
True-Client-IP
Powered-By
X-Api-Version
Mime-Version
X-Amz-Meta-Opti
X-Info
Tcn
X-CUA
Origin-EX
X-Jungle-Id
Origin-CC
Lb
True-Client-Ip
X-Datacenter
X-B3-Spanid
X-NewRelic-App-Data
X-Varnish-Beresp-TTL
X-HostName
X-User
X-IAuth-Set-Uid
X-Geo
VNS-Cache
X-LiteSpeed-Tag
VNS-Age
MIME-Version
X-Cached-By
X-CACHE-AGE
X-Dynatrace-Js-Agent
X-NWS-UUID-VERIFY
Debug
X-Segment-20210421
Load-Balancing
CDN
X-Render-Time
X-HOST
X-Vc
X-LiteSpeed-Cache-Control
X-VTEX-Cache-Time
X-VTEX-Cache-Server
X-Powered-By-VTEX-Cache
X-FPC
X-AIR-PT
Cache-Name
X-Dispatcher-Number
Hostname
X-Webkit-Csp-Report-Only
Server-Id
X-Wormhole-Sdk
X-Auth-Group-Type
Ohc-File-Size
Edge-Cache
Cl-Cache
X-CSRF-TOKEN
X-WA
X-MCACHE
X-NC
X-APP-VERSION
Ohc-Cache-HIT
X-Esi
GeoIP-Country-Code
X-Mid
X-Ig-Push-State
X-Lb-Nocache
X-Dispatch
X-Litespeed-Tag
Odigeo-Trace-Id
X-NodeID
X-Oracle-DMS-ECID
X-Cdn-Cache-Status
X-Custom-Header
X-Vgn-Hpd-Reason
X-ServedByHost
BehaviorPad-Version
X-Cs
X-Cache-Ttl
X-Cache-Enabled
X-Via-PopV
X-Via-PopH
X-Ha-Backend
X-Via-PopN
X-PHP-Backend
X-Fastly-Backend-Reqs
X-Pad
X-Depends
CountryCode
X-Litespeed-Cache-Control
X-VCL-Version
Ms-Author-Via
X-Varnish-CookieINHashed-On
X-Varnish-CookieHashed-On
X-Cdn-Request-ID
X-MiniProfiler-Ids
X-Akamai-Pragma-Client-IP
X-Varnish-Remaining-TTL
X-MSEdge-Flight
Server-Info
Xkeylog
Xkey-La3
X-Proxy-Cache-La3
X-DefHash
YJS-ID
X-DefElseHash
X-MSEdge-Features
X-Lb-Id
PICS-Label
X-Acquia-Site
X-M-Reqid
Warning
X-M-Log
X-VC-TTL
X-IN-APIGATEWAYSSL
My-App
Location
Srvid
Ngx
X-IN-APIGATEWAY
X-Acquia-Purge-Tags
OriginIP
X-Snapshot-Date
X-FL-EDGE
FSS-Cache
X-Acquia-Application-UUID
X-Acquia-Application-Trace
Time
X-FL-QIT-DEBUG
Memory
Memcached
X-Cache-Version
X-Sorting-Hat-Podid
X-Sorting-Hat-Shopid
X-Shopid
X-Shardid
X-Service-Response-Time
X-Serial
X-Dw-Trace-Id
X-Web-Server
X-Mg-Cache
CF-Cached-On
X-Internal-Host
X-Check-Cacheable
X-Lsadc-Cache
X-Fastly-Cache-Hits
X-RequestId
X-Udemy-Cache-App-Namespace
Akamai-Cache-Status
Geoip-Latitude
X-Wp-Cf-Super-Cache-Cookies-Bypass
Sm-Log-Id
X-Sucuri-Id
X-Th-Server
CF-Ctrl