Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
CF-RAY
Cf-Request-Id
CF-Cache-Status
X-XSS-Protection
Accept-Ranges
Link
Pragma
ETag
Expect-CT
X-Powered-By
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
P3P
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
Alt-Svc
X-UA-Compatible
X-Served-By
X-Timer
X-Download-Options
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-Permitted-Cross-Domain-Policies
X-Check
X-Xss-Protection
X-Cache-Status
X-Request-ID
X-Generator
X-DNS-Prefetch-Control
X-Cacheable
Timing-Allow-Origin
X-Content-Security-Policy
X-Iinfo
X-Ua-Compatible
Content-Encoding
X-CDN
X-Envoy-Upstream-Service-Time
X-AspNetMvc-Version
Feature-Policy
Status
Access-Control-Expose-Headers
X-Drupal-Dynamic-Cache
Access-Control-Max-Age
Upgrade
X-Via
Keep-Alive
X-Ws-Request-Id
X-Age
X-Turbo-Charged-By
X-AH-Environment
X-Robots-Tag
Request-Context
X-Proxy-Cache
EagleId
X-Cache-Group
Server-Timing
X-Backend
X-Hacker
X-Server
Report-To
X-Amz-Request-Id
Host-Header
X-Server-Powered-By
X-Amz-Id-2
Grace
X-Nginx-Cache-Status
X-UA-Device
X-Rq
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-LiteSpeed-Cache
X-Page-Speed
X-Dns-Prefetch-Control
Cf-Railgun
X-Pingback
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-OneAgent-JS-Injection
NEL
X-Amz-Version-Id
X-Cache-Spec
X-WebKit-CSP
Xkey
X-Device
Allow
X-CST
X-Backend-Server
X-Vhost
X-Host
EagleEye-TraceId
X-Server-Id
Request-Id
Surrogate-Control
X-Dispatcher
X-Node
Content-Location
X-Response-Time
X-Ruxit-JS-Agent
Accept-CH
X-Akam-SW-Version
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
Accept-CH-Lifetime
X-Ac
P3p
X-ASPNET-VERSION
X-Application-Context
X-Template
X-Language
X-Cache-Lookup
X-Country
X-Mod-Pagespeed
X-Readtime
X-Cloud-Trace-Context
MS-Author-Via
X-B3-TraceId
X-Origin-Cache
Rating
X-Cnection
Accept-Ch
X-MS-InvokeApp
X-HW
X-PC
X-Vname
X-TtlSet
Accept-Ch-Lifetime
X-Url
X-Clacks-Overhead
X-GitHub-Request-Id
X-ORACLE-DMS-ECID
Edge-Control
X-Trace
X-ESI
X-FastCGI-Cache
Pagespeed
Display
X-Middleton-Display
Response
X-Middleton-Response
X-Sol
X-Content-Type
X-D2id
X-Use-Magma
Arr-Disable-Session-Affinity
X-Kinja-Server
X-Vcap-Request-Id
X-Kinja-Revision
X-GoogleNews-Bot
X-Exp-Variant
X-Exp-Id
X-Cdn-Fetch
X-Kinja
X-Kinja-Build
Verso
X-Goog-Hash
X-Buckets
X-Rack-Cache
X-Country-Code
X-ORACLE-DMS-RID
X-Server-Name
X-Varnish-TTL
Service-Worker-Allowed
X-Navigation-Version
X-VARITI-CCR
X-Abt-Application-Version
X-Amz-Rid
X-Fastly-Request-ID
X-Powered-By-Plesk
X-Client-IP
X-Cache-TTL
Pinterest-Generated-By
Pinterest-Version
X-Pinterest-Rid
X-Webkit-CSP
Fastly-Restarts
X-Release
X-SharePointHealthScore
SPRequestGuid
X-MSEdge-Ref
X-Dw-Request-Base-Id
X-Element-Page-Cache
SPRequestDuration
X-Kinja-Server-Push
SPIisLatency
X-Cached
X-NF-Request-ID
X-TTL
X-Oneagent-Js-Injection
Public-Key-Pins
X-B3-TraceId-Primal
MRF-Tech
Mrf-Cache-Status
RTSS
X-Edge
Access-Control-Request-Method
AR-PoweredBy
Ar-Sid
AR-Request-ID
AR-ATIME
AR-CACHE
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-LLID
X-Powered-CMS
X-Origin-Upstream-Status
X-Ezoic-Cdn
X-Px
X-Upstream
X-Ttl
Content-MD5
Fusion-Content-Source
Fusion-Source
Fusion-Deployment-Id
Fusion-Component-Id
Fusion-Content-Id
Fusion-Template-Id
X-Litespeed-Cache
Cache-Tag
X-Jurisdiction
X-HP-Webp
X-Mid
X-MCACHE
X-ECACHE
S
X-Version
X-Recruiting
X-Mg-S
Charset
X-Content-Digest
X-Amz-Server-Side-Encryption
X-PressLabs-Stats
Fastcgi-Cache
X-T
TCN
X-Kinsta-Cache
MicrosoftSharePointTeamServices
X-Content-Security-Policy-Report-Only
Front-End-Https
Filters
X-Pinterest-Direct
Cache-Tags
X-Debug
X-Grace
Edge-Cache-Tag
Server-Node
X-Accel-Expires
X-Logged-In
X-Id
X-Forwarded-Proto
X-Correlation-Id
X-DynaTrace
Server-Name
X-Amzn-Trace-Id
Nginx-Cache
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-Forwarded-For
TP-Cache
TP-L2-Cache
X-Yandex-Sdch-Disable
Surrogate-Key
X-Varnish-Age
X-B3-Sampled
X-Request-Processing-Time
X-Request-Received
X-Microsite
X-Request-Handler-Origin-Region
X-XRDS-Location
X-Ser
X-Shield-Request-Id
X-Hits
X-AppVersion
X-Activity-Id
X-Az
X-Amz-Replication-Status
X-DIS-Request-ID
X-Server-ID
X-HS-Cache-Config
X-HS-Combine-CSS
X-HS-Hub-Id
X-HS-Content-Id
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
X-Goog-Metageneration
X-Goog-Generation
X-F-Cache
X-GUploader-UploadID
X-Goog-Stored-Content-Length
X-Cache-Key
X-Origin-Server
Accept-Charset
X-XRDS-LOCATION
X-Geo-Country
X-Git-Hash
X-Respond-Thread
Powered-By-ChinaCache
X-FTR-Request-ID
Cache
X-Rid
X-LB-Cache
Alternate-Protocol
Section-Io-Cache
X-Upgrade-Enabled
X-Frontend
X-DataDome
X-Hostname
Host
Access-Control-Allow-Method
X-Mobile-URL
X-Cache-Age
X-Seen-By
MS-CV
Cleartype
Paypal-Debug-Id
X-IPLB-Instance
X-AOL-HN
Healthy
X-Ruxit-Js-Agent
X-NWS-LOG-UUID
X-Type
X-Content-Options
X-Varnish-Backend
X-VCache
X-Whom
ServerID
X-App-Environment
X-Flags
X-Providence-Cookie
X-Is-Crawler
X-Request-Guid
X-Route-Name
X-Cache-Action
X-WebKit-CSP-Report-Only
X-TT
Payment
X-Aspnet-Duration-Ms
X-Page-Id
X-Signature
X-B-Cache
X-Debug-Info
X-Jobs
Fastcgi-Useragent
X-Time
X-N
X-TEC-API-VERSION
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-Source
X-Load-Cache
X-Mobile
X-Fastcgi-Cache
X-Daa-Tunnel
X-RateLimit-Remaining
X-FB-Debug
X-Browser-Type
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Via-JSL
Nel
Version
X-Cache-Rule
Refresh
X-Cached-By
X-Cache-Operation
X-Akamai-Edgescape
X-Rule
X-Response-Served-From
X-Original-Request-Id
Viewport
X-Accel-Buffering
X-Cacheable-TTL
DC
X-Framework
X-Wix-Request-Id
X-Proxy
X-Drupal-Cache-Tags
X-RemovedCookies
X-Contextid
X-RTag
X-Zen-Fury
X-ProcessESI
Access-Control-Request-Headers
Ms-Operation-Id
Realpath
Node
X-Instance
X-Real-IP
X-HTML-Minification-Powered-By
DynaTrace
X-Cache-Time
X-UUID
X-Region
X-Drupal-Cache-Contexts
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-Distributor
Referer-Policy
Eomportal-Instance
X-Page-View
X-Tt-Trace-Host
X-Tt-Trace-Tag
Countrycode
X-Cache-Expired-At
X-FW-Hash
X-FW-Server
X-FW-Static
X-FW-Serve
X-FW-Dynamic
X-Cluster-Name
X-FW-Type
X-B
VIX-Pulpo-Upstream-Status
VIX-Pulpo-Node
X-Cache-Control
X-Content-Powered-By
X-IPS-LoggedIn
GEO-INFO
X-L-Path
X-Environment-Context
X-Cache-Hit
Liferay-Portal
X-G
X-Tumblr-Pixel-1
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Tumblr-User
Server-Info
X-Pass-Why
X-App-Server
X-User-Agent
X-Node-Name
X-FireWall-Port
Webserver
From-Origin
X-Tumblr-Pixel-2
Section-Io-Origin-Status
Section-Origin-Responded
Section-Io-Id
Section-Io-Origin-Time-Seconds
X-Ratelimit-Limit
Ec-Rule-Version
X-Varnish-Ttl
X-Protected-By
Protected
CF-IPCountry
SRV
X-Cache-Server
X-Www-Served-By
Frame-Options
X-Amz-Meta-S3cmd-Attrs
X-Backend-Name
X-Revision
X-Mode
X-Handled-By
X-RN-RSRV
X-Endurance-Cache-Level
X-UPSTREAM-Address
Xserver
X-ES-SERVER
Meta-Geo
X-Hl-Ver
X-Locale
X-Soup
X-Hyper-Cache
X-FB-TRIP-ID
X-Site-Version
Cache-Status
X-Cache-Grace
Cache-Tv-Group
Country
X-NYM-Debug-Backend
X-Be
X-Web-Node
X-Forwarded-Host
X-Human
X-Varnishpool
X-Storage
Fastly-SSL
Decoy-Debug-TTL
Decoy-Debug-Status
X-Redis-Cache
Decoy-Debug-Key
Property-Id
TWC-GeoIP-Country
TWC-GeoIP-LatLong
TWC-Device-Class
Selected-Fe
X-Request-Time
X-Pubstack
Cache-Name
X-Proto
Azure-RegionName
Azure-InstanceId
X-Origin-Hint
X-Origin-Date
Azure-SiteName
X-Proxy-Build
Azure-Version
Azure-SlotName
X-ProxyCache-Status
X-ProxyCache-Key
TWC-Locale-Group
TWC-Connection-Speed
X-PHP-Host
Webcakes-Region
X-Uri
X-BYPASS-REASON
X-Labrador-Cache-Channel
Retry-After
X-Timing-Wait
Webcakes-App-Version
X-UA-Device-Type
X-TT-LOGID
Webcakes-App-Name
TWC-Privacy
X-AIR-PT
X-Format
X-PCL
X-SayCDN-TTL
X-No-Session
X-OCL
X-TNCMS
X-Say-TTL
X-Adobe-Loc
X-MP-GENERATED-AT
X-S-Maxage
X-Say-Cacheable
X-Server-W
X-FW-Version
X-Loop
X-Sql-Count
X-Sql-Duration-Ms
X-WA-Info
X-Hosted-By
X-Via-Fastly
X-Adobe-Content
X-Section
X-Access
X-LAGOON
X-AWS-Id
X-LJ-Flow-ID
X-ApacheServer
X-PERF
X-VWS-Id
X-R9-Blue-Green-Version
X-Status
X-Nginx-Cache
X-Ratelimit-Remaining
X-ShopId
X-ShardId
X-Cache-TTL-Remaining
X-Sorting-Hat-PodId
Mn-Server-Ip
X-Shopify-Stage
X-Cluster
X-Alternate-Cache-Key
X-Storefront-Renderer-Rendered
X-Sorting-Hat-ShopId
X-Device-Type
X-Routing-Service
X-Proxied
X-Zipkin-Id
X-CCM
X-Xfnlog-Site
X-Is-Bot
X-Debug-IsPreview
X-Debug-IsConnected
X-Qloud-Router
X-Rendered-As
X-Via-CDN
X-FTR-Realm
Cache-Hits
S-Cnection
X-FTR-Cache-Status
X-FTR-Balancer
X-FTR-Backend
X-Country-Code-Real
X-FTR-DC
X-FTR-Backend-Server
X-Info
Apigw-Requestid
X-Tec-Api-Root
X-SRV
X-FTR-Expires
X-Varnish-Grace
X-Tec-Api-Origin
X-Tec-Api-Version
AMP-Access-Control-Allow-Source-Origin
X-Varnish-Server
X-Dc
X-Detected-As
X-Cdn
X-Cache-Enabled
X-Cache-Host
X-GG-Cache-Date
X-Amzn-Remapped-Content-Length
X-Unique-Id
X-EdgeConnect-Cache-Status
X-Content-Age
X-Microcachable
X-Amz-Apigw-Id
X-Air-Hostname
X-Amzn-RequestId
X-Platform
X-Cache-Var
X-Cache-Var-Map
Uber-Trace-Id
X-Azure-Ref
Amp-Access-Control-Allow-Source-Origin
Tracecode
X-Backend-Host
SD-X-WS
X-Aspnetmvc-Version
X-Proxy-Cache-Status
X-GEO
X-Time-Microsecs
X-Backend-TTL
X-NWS-UUID-VERIFY
X-DynaTrace-JS-Agent
X-CSRF-Token
X-ServerID
Akamai-GRN
X-ATG-Version
X-Oss-Server-Time
X-Tb
X-Trace-Id
X-Oss-Storage-Class
X-Oss-Request-Id
X-Oss-Object-Type
X-Cache-Backend
X-Oss-Hash-Crc64ecma
X-BCube-Filmed-By
Backend
DSUID
X-Akamai-Transformed
ServedBy
X-Varnish-Hostname
X-RCS-CacheZone
X-ID
X-Oracle-Dms-Rid
X-App-Version
X-Correlation-ID
X-Cache-PHP
X-Cache-NGX
X-TA-CDN-Provider
T-Server
Path
Release
SR-User-Adfree
Rendered-Blocks
Lfy
Expiry
Thinkindot-CacheControl
DCR-Processing-Time-Ms
DCR-Decision-By
X-Debug-Cache
BehaviorPad-Version
Fastcgi-X-Cache-Version
Instruction
Meta-Geo-Continent
Mobile-Detection-Method
MD5-Digest
Machine
X-Varnish-Cache-Hits
Odigeo-Trace-Id
X-ARC
X-Rewrite-Enabled
X-Request-UUID
X-Rojux
X-S
X-S-Cookie
X-Processor
X-PBS-Appsvrname
X-Matched-Rule
X-Origin-CC
X-Origin-TTL
X-PAYTM-SRV-ID
X-ScT
X-Session-Fingerprint
X-VG-WebServer
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Xc-Version
X-VG-WebCache
X-Vdms-Version
X-SRCache-Key
X-Thinkindot-L3
X-Trv-Group
X-Vdms-Path
X-Location
X-Level-Front-Cache
X-A-Wwc
X-Aed
X-Application
X-B-Cookie
X-A-Dgt
X-A-Dcw
Thinkindot-Control
X-A
X-A-Ccd
X-A-Dam
X-Cache-NE
X-CF-Lambda-Fn
X-Fetched-On
X-From
X-Generated-On
X-GeoIP-City
X-External-Request-Id
X-Device-Os
X-CF-Lambda-Version
X-Connection-Hash
X-D
X-Destination
Thinkindot-CacheControl-Type
X-Generation-Time
X-APP-VERSION
X-Dynatrace
Arc-Version
X-Magnolia-Registration
PB-RID
PB-PID
X-Sucuri-ID
X-Erf-Stays-Bingo-Pdp-Web
X-NewRelic-App-Data
X-Owner
Cf-Device-Type
X-HS-Content-Campaign-Id
X-Mvc-Supplant-Cachable
X-Micro-Cache
X-Is-Gdpr
C-Via
X-Has-Esi
Cache-Host
CacheControlHeader
X-JWT-State
X-FC-Vary-Parameters
X-Azure-Ref-OriginShield
X-Bip
UCS
Pagetype
Ssr
X-Cache-Bucket
X-Cdn-Origin
AKAMAI
X-Geo-Header
Fastly-Backend-Name
Gh-Request-Id
Host-ID
X-GeoIP
X-Irp-Debug
X-TrackingId
X-Thanos
X-SVT-ORM-VERSION
X-SVT-ORM-RULES
X-Tumblr-Pixel-3
X-VServer
X-Ms-Version
X-Ms-Request-Id
X-Node-Id
X-Sn-Servicetimems
X-Swa-Ws
X-OVcl-Cache
X-OVcl
X-Origin-Response-Time
X-Reqid
X-Skip-Cache
HostName
X-Cache-Tags
X-Cache-Info
Server-Ext
X-NAPM-TraceId
X-Adobe-Source
X-Backend-State
X-VarnishDD-TTL
Wxu-Next-Region
Sever-Int
X-Wikidot-Static-Cache
Server-Host
X-Varnish-Hits
Wxu-Next-Commit
DB-Nickname
Server-Hostname
Wxu-Next-Hostname
X-Wikidot-Backend
X-Var-Ttl
X-IP
X-HN
X-Generated-In
X-Generated-By
X-Scheme
X-Request-Host
X-Nginx-Cache-Key
X-Origin-Expires
X-Policy
X-Fastly-Cache
X-Fastly-Backend
X-Varnish-Beresp-Grace
X-Csrf-Jwt
X-Core-Value
X-Cms-Context
X-CUA
X-Developer
X-Eu-Site
X-User
X-Developers
X-CGP
X-Clientip
X-B3-Traceid
L5d-Success-Class
Location
Locid
NGX
Magicmarker
L
CloudFront-Viewer-Country
Ha-Gx-Prefs
Pramga
On-Server
HA-Ipaddr
Content-Disposition
PFcat
User-Cache-Control
X-CS
X-B3-SpanId
X-Clara-WADP
Adler-Geo
V-Age
Is-Eu
NM-Fastcgi-Cache
Cf-Bgj
X-Varnish-CookieHashed-On
CDCHOST
X-Origin
X-Cache-Id
X-WADP-Cache
X-Method
X-Loc
X-Branch-Name
X-Hnp-Log
IsBot
Fastly-SIE
X-Variation
Fastly-Drupal-HTML
Rt-Fastcgi-Cache
X-Fmm-Version
X-Gen-Mode
Fastly-SWR
X-Envoy-Decorator-Operation
X-Hash
Platform
X-Goog-Meta-Goog-Reserved-File-Mtime
X-GoCache-CacheStatus
X-Cdn-Forward
X-Cache-Date
X-Cache-Expires
X-Esi-Check
X-Servername
X-DefHash
X-Gzip
X-Li-Pop
X-Li-Fabric
X-SIPLIST1
X-Slack-Backend
Origin
Web-Mar-Node
X-DPWN-IS-SECURE
X-Dispatcher-Server
X-Varnish-Beresp-Status
X-Varnish-Beresp-Ttl
X-Request-URI
X-LI-UUID
X-Block-Status
X-DefElseHash
X-TX-ID
X-NU-AKA-ACS-Version
X-Old-Content-Length
X-Gamma-Serve
X-Varnish-CookieINHashed-On
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
X-Platform-Server
X-Ratelimit-Reset
X-Varnish-Remaining-TTL
Apple-News-Services-Host
X-VG-TLSProxy
Apple-News-Services-Handled
Vix-Hermes-Req-Id
Apple-News-Services-Parsed-Url
True-Client-Country-4JS
Apple-News-Services-Request-Url
X-Core-Mission
X-Cache-Debug
X-EC-Lua
CDN-PullZone
CDN-EdgeStorageId
CDN-Cache
CDN-CachedAt
CDN-RequestId
CDN-RequestCountryCode
CDN-Uid
X-Mvc-Supplant-OutputCached
X-Request-Start
X-LB-ID
X-Aicache-OS
X-NCache
Url
X-Refresh
Sid
X-Cache-Remote
X-Varnish-Url
X-PF-Uncompressing
X-NC
X-Via-Popn
X-Via-Poph
Esi-Enabled
X-Via-Popv
X-URL
X-CACHE-GROUP
X-Nc
S-Rt
X-Varnish-Cacheable
X-Response-By
Pics-Label
X-B3-Spanid
Who
X-CACHE-KEY
X-Proxy-Cachei7
Country-Code
X-Epic-Correlation-Id
Xkeyi7
X-Esi
X-FireWall-Protection
X-Host-Name
N-Cache
X-BBXSRF
X-TraceId
Req-Svc-Chain
X-Unique-ID
X-Tb-Optimization-Total-Bytes-Saved
Content-Secure-Policy
X-Webkit-Csp
Cross-Origin-Window-Policy
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-RateLimit-Limit
X-Planisys-CDN-Cache
X-DC
Ohc-File-Size
X-Error
Source
X-Cache-2
X-Srv
GeoIp-Country-Code
X-Varnish-Authentication
D-Cc-Upstream
X-HS-Status
X-Contensis-Viewer-Groups
X-Cache-ASPX
X-Sucuri-Cache
X-CDN-Forward
X-Cc-Via
Server-Ttl
Geoip-Latitude
X-Cc-Req-Id
X-Webkit-CSP-Report-Only
X-Svr
Cteonnt-Length
HitType
Kp-EeAlive
MIME-Version
Cmsid
Cmstype
X-LiteSpeed-Cache-Control
X-CLOUD-TRACE-CONTEXT
CACHE
X-Servedbyhost
X-Wa
Geo-Info
X-Server-IP
X-Served-From
Svr
X-Cs
X-Cache-Config
X-Nyt-Route
X-Origin-Time
X-Gdpr
Cache-Key
X-API-Version
X-FPC
Filterid
A
Viewtype
VivaBuild
Hostname
M-TraceId
X-Vcl-Version
X-SN
X-LI-Proto
X-RAMCache
Server-ID
Resin-Trace
X-VC
SID
XServer
Ohc-Cache-HIT
X-Li-Proto
X-NodeID
X-SB
X-Vgn-Hpd-Reason
Server-Id
Arc-Country
X-VCL-Version
X-TIME
X-Air-Source
TDXMobile
X-Webstats-RespID
Cross-Origin-Opener-Policy
X-NGINX-Cache
X-HOST
X-HostName
NtCoent-Length
X-Check-Cacheable
NGB
X-Viewer-Country
X-SD-PageType
Tcn
Request-ID
X-UA
X-DW
X-RPM
X-RPS
X-DSS
X-Internal-Host
X-DB
X-DI
X-RSL
X-Render-Time
X-Hcs-Proxy-Type
X-TIM-N
X-Vc
X-CCDN-CacheTTL
X-CCDN-Origin-Time
Cache-Provider
X-FORWARDED-FOR
X-Newrelic-Synthetics
GeoIP-Latitude
GeoIP-Country-Code
Mime-Version
EpKe-Alive
X-WA
Srv
X-ServedByHost
X-Service
X-App
X-BBC-Edge-Cache-Status
X-Ua
X-COUNTRY
Processtime
X-PHP-Backend
X-Action
ProcessTime
X-NGENIX-Cache
X-JoinUs
X-SaId
X-Auto-Login
X-CF-Powered-By
Upgrade-Insecure-Requests
X-Worker
X-Edge-Location
Datacenter
X-Extlb
X-Geo
X-CSRF-TOKEN
X-Dynatrace-Js-Agent
X-FTR-Cache-Host
FSS-Cache
X-Forwarded-Site
X-Via-NSCOPI
X-Fpc
X-Oss-Cdn-Auth
X-Presslabs-Stats
DataCenter
X-Ftr-Cache-Host
X-Provided-By
X-Cdn-Request-ID
CDN
Proxy-Connection
X-Cluster-Node
W
X-Swift-Error
X-HITS
CF-Cached-On
X-Region-Sid
X-PJAX-URL
X-Date
X-Bc-Bl
X-Req
X-Depends-On
X-MSEdge-Flight
X-BACKEND-TTL
X-BBC-Origin-Response-Status
X-Fastly-Backend-Reqs
X-Parent-Response-Time
X-Proxy-Upstream
Surrogated-Key
We-Hiring
X-Accel-Expires-Debug
X-MSEdge-Features
Memcached
X-Dw-Trace-Id
Cdn
LB
Mail-Subject
X-VC-Cache
X-Client-Ip
X-CACHE-AGE
X-Sigma
X-Sigma-Backend
X-Rocket-Build-Number
X-ABtesting
X-RateLimit-Limit-Second
X-Pad
X-RateLimit-Remaining-Second
X-Hello
X-UnsetCookies
X-Flog
Env
X-Pf-Uncompressing
X-Fastly-Request-Id
X-IN-APIGATEWAY
PICS-Label
OT-Force-Account-Verify
X-IN-APIGATEWAYSSL
Dnion-Transfer-Encoding
X-Cache-Tag
X-ZONE
X-Akamai-Pragma-Client-IP
X-Acquia-Application-UUID
X-Oracle-DMS-ECID
Media-Length
X-Acquia-Site
X-Acquia-Purge-Tags
X-Acquia-Application-Trace
X-Zone
X-APP
X-Via-PopH
Vha6-Origin
X-ND-Cache
X-Via-PopV
X-Via-PopN
X-Air-Trace-Id
X-Men
VNS-Age
VNS-Cache
WZWS-RAY
Time
Epwk-X-Cache
CPC-Age
CPC-Cache
Memory
X-MiniProfiler-Ids
X-Lb-Id
X-LiteSpeed-Tag
Cf-Ipcountry
X-Request-Url
Xet-Cookie
X-Varnish-Beresp-TTL
X-Ms-Meta-Staticbatchstarttime
X-Csrf-Token
X-Akamai-ERPolicy
X-Vcache
X-Varnish-URL
X-Snapshot-Date
X-ElasticPress-Search
X-Ms-Meta-Originalurl
X-Akamai-ERRuleID
X-Request-URL
X-ElasticPress-Query
URI
X-Tx-Id
CountryCode
X-C
Ohc-Response-Time
X-Amz-Meta-Cb-Modifiedtime
X-Storefront-Renderer-Verified
Content-Style-Type
Content-Script-Type
X-Litespeed-Cache-Control
X-Redis-Duration-Ms
NnCoection
Environment
X-Traceid
X-Redis-Count
X-Debug-Cache-Fetch
Inserted-Into-Cache-At
X-ServerName
X-Tid
Phost
X-B3-Parentspanid
X-Debug-Cache-Store