
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Cf-Request-Id
Accept-Ranges
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Access-Control-Allow-Origin
Report-To
NEL
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
Alt-Svc
X-UA-Compatible
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Request-ID
X-Generator
X-Check
X-Cacheable
P3p
Timing-Allow-Origin
X-FRAME-OPTIONS
Feature-Policy
X-Iinfo
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-CDN
Access-Control-Expose-Headers
X-Drupal-Dynamic-Cache
X-AspNetMvc-Version
X-CONTENT-TYPE-OPTIONS
Upgrade
X-Ua-Compatible
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
EagleId
Keep-Alive
Request-Context
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
X-UA-Device
X-Proxy-Cache
Host-Header
X-Amz-Request-Id
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Dns-Prefetch-Control
X-Swift-CacheTime
X-Swift-SaveTime
X-Server-Powered-By
X-Varnish-Cache
Ali-Swift-Global-Savetime
X-Vhost
X-Akamai-Path-Stats
X-LiteSpeed-Cache
X-Amz-Version-Id
CONTENT-SECURITY-POLICY
X-Dispatcher
X-WebKit-CSP
EagleEye-TraceId
X-Nginx-Cache-Status
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-OneAgent-JS-Injection
X-Cache-Spec
X-Device
Cf-Railgun
Allow
X-Page-Speed
X-Host
X-Node
X-Pingback
X-Server-Id
X-Aws-Lambda-Call-Status
Accept-CH
X-CST
Surrogate-Control
X-Backend-Server
Request-Id
X-Akam-SW-Version
X-Readtime
X-Cache-Lookup
X-HW
X-Response-Time
X-Application-Context
Xkey
Accept-CH-Lifetime
Content-Location
X-ASPNET-VERSION
Cf-Edge-Cache
X-Cloud-Trace-Context
Rating
X-Trace
X-Url
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Country
Fastly-Restarts
X-Ruxit-JS-Agent
Accept-Ch-Lifetime
X-Mod-Pagespeed
X-TtlSet
X-Vname
X-PC
X-MS-InvokeApp
X-Rack-Cache
X-Server-Name
X-Clacks-Overhead
Edge-Control
RTSS
X-ESI
X-Content-Type
X-B3-TraceId
X-VARITI-CCR
X-Varnish-TTL
X-Vcap-Request-Id
Cache-Tag
X-Exp-Id
X-Cdn-Fetch
X-Use-Magma
X-Kinja
X-Amz-Rid
X-Kinja-Server
X-GoogleNews-Bot
X-Kinja-Build
X-Exp-Variant
X-Kinja-Revision
X-Cnection
X-Ac
Public-Key-Pins
X-Dw-Request-Base-Id
X-Amz-Server-Side-Encryption
X-Element-Page-Cache
X-D2id
Verso
X-Px
X-Navigation-Version
Accept-Ch
X-Cache-TTL
X-Abt-Application-Version
X-Client-IP
X-Powered-By-Plesk
X-FastCGI-Cache
Service-Worker-Allowed
X-RateLimit-Remaining
Pagespeed
Display
X-Middleton-Display
X-Sol
X-Ser
X-Country-Code
X-GitHub-Request-Id
X-Version
X-Edge
Arr-Disable-Session-Affinity
X-Middleton-Response
Response
X-NF-Request-ID
Access-Control-Request-Method
X-Goog-Hash
X-Correlation-Id
X-Ttl
X-Upstream
AR-Request-ID
AR-SID
AR-PoweredBy
AR-CACHE
AR-ATIME
X-Kinsta-Cache
X-Ruxit-Js-Agent
X-Edge-Location-Klb
SPRequestDuration
SPIisLatency
X-Webkit-Csp
X-Cached
X-TTL
X-NWS-LOG-UUID
X-LLID
X-Instrumentation
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
X-Powered-CMS
Nginx-Cache
Edge-Cache-Tag
TCN
SPRequestGuid
X-SharePointHealthScore
MS-Author-Via
X-Forwarded-For
X-Litespeed-Cache
Mrf-Cache-Status
MRF-Tech
X-MSEdge-Ref
X-RateLimit-Limit
X-Cache-Key
Content-MD5
X-B3-TraceId-Primal
X-Id
X-Shield-Request-Id
X-Content-Security-Policy-Report-Only
X-T
X-Daa-Tunnel
X-Recruiting
S
X-Mg-S
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-Content-Digest
X-Protected-By
X-DataDome
X-Ua-Device
X-Jurisdiction
X-HP-Webp
X-HP-Trace-Id
X-SRCache-Store-Status
X-SRCache-Fetch-Status
MicrosoftSharePointTeamServices
X-Frontend
X-ORACLE-DMS-ECID
X-HS-Hub-Id
X-HS-Cache-Config
X-Ezoic-Cdn
X-HS-Content-Id
X-Yandex-Sdch-Disable
X-Ua-Browser
X-Ab
Server-Node
X-Content
Front-End-Https
X-Request-Received
X-HS-Combine-CSS
X-Request-Processing-Time
X-ORACLE-DMS-RID
X-Grace
X-Accel-Expires
Filters
X-Mid
Fastcgi-Cache
X-Server-ID
X-Hits
X-Geo-Country
X-PressLabs-Stats
X-Origin-Server
TP-L2-Cache
TP-Cache
X-Distributor
X-Ratelimit-Reset
X-Debug-Info
X-Pinterest-Rid
Pinterest-Version
Pinterest-Generated-By
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Amzn-Trace-Id
X-ECACHE
Charset
Cleartype
X-DynaTrace
X-Page-Id
Host
X-DIS-Request-ID
X-F-Cache
X-Git-Hash
X-Www-Served-By
Cross-Origin-Opener-Policy
X-B3-Sampled
X-LB-Cache
X-Forwarded-Proto
Access-Control-Allow-Method
Cache-Tags
X-Cache-Age
ServerID
X-Seen-By
X-Microsite
X-Request-Handler-Origin-Region
X-Language
X-Kong-Upstream-Latency
X-AppVersion
X-Cluster-Name
X-Activity-Id
X-Az
X-Kong-Proxy-Latency
Server-Name
Accept-Charset
X-Varnish-Age
X-WebKit-CSP-Report-Only
X-Aspnetmvc-Version
X-XRDS-LOCATION
Cache-Status
Realpath
Filterid
X-Rid
X-Content-Options
X-Type
X-Mobile-URL
X-App-Environment
Viewport
X-Nginx-Upstream-Cache-Status
X-FB-Debug
X-User-Agent
X-Upgrade-Enabled
X-Varnish-Grace
Node
Country
X-Wix-Request-Id
X-Origin-Cache
X-Tb
X-Flags
X-Aspnet-Duration-Ms
Paypal-Debug-Id
X-Via-JSL
DC
X-Drupal-Cache-Tags
X-Request-Guid
X-Route-Name
X-Signature
X-Whom
X-Providence-Cookie
X-Is-Crawler
X-B-Cache
X-NWS-UUID-VERIFY
X-TT
X-VCache
X-Oracle-Dms-Ecid
X-Goog-Stored-Content-Length
X-GUploader-UploadID
X-Goog-Storage-Class
X-Goog-Metageneration
X-Goog-Generation
Protected
X-Goog-Stored-Content-Encoding
Retry-After
X-Oracle-Dms-Rid
Fastcgi-Useragent
X-Fastly-Request-Id
X-Varnish-Backend
X-MCACHE
X-Cache-NGX
Payment
X-B
X-Amz-Replication-Status
X-Contextid
X-Debug
X-Fastly-Request-ID
X-Template
X-Fastcgi-Cache
X-Logged-In
X-Mcache
WPO-Cache-Message
WPO-Cache-Status
X-FW-Type
X-FW-Static
X-Load-Cache
X-FW-Hash
X-FW-Serve
X-FW-Dynamic
X-FW-Server
X-N
Surrogate-Key
X-Hostname
X-Cache-Control
X-ECache
Count-Hit
X-Node-Name
X-Trace-Id
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Browser-Type
SD-X-WS
X-Original-Request-Id
Refresh
X-Response-Served-From
X-Amz-Meta-S3cmd-Attrs
X-Proxy
Healthy
Akamai-GRN
X-Mobile
VIX-Pulpo-Upstream-Status
X-Real-IP
X-Rendered-As
X-Revision
X-Cache-Time
X-G
X-Is-Bot
X-Jobs
X-XRDS-Location
X-Parallel-Accel
X-UUID
Uber-Trace-Id
X-Akamai-Request-ID2
VIX-Pulpo-Node
X-Zen-Fury
X-Page-View
X-Http-Reason
X-Cache-TTL-Remaining
X-Cacheable-TTL
Alternate-Protocol
X-Framework
Amp-Access-Control-Allow-Source-Origin
X-Instance
X-Drupal-Cache-Contexts
X-Device-Type
X-Proxy-Cache-Status
NGB
X-Yottaa-Optimizations
X-Yottaa-Metrics
Content-Disposition
X-Debug-IsConnected
X-Debug-IsPreview
X-Adobe-Content
X-Adobe-Loc
Access-Control-Request-Headers
X-Ratelimit-Remaining
X-Cache-Rule
X-IPLB-Instance
From-Origin
Url
X-Source
X-Servername
X-Vgn-Hpd-Reason
Permissions-Policy
Version
X-Cache-Grace
X-B3-Traceid
X-Cache-Expired-At
X-Varnish-Server
Accept-Language
X-Cache-Hit
X-L-Path
X-Environment-Context
Referer-Policy
X-Mg-Request-UUID
X-Oneagent-Js-Injection
X-EdgeConnect-Cache-Status
Countrycode
X-Restarts
X-RTag
Ms-Operation-Id
MS-CV
X-FW-Version
X-App-Server
X-NGENIX-Cache
Cross-Origin-Window-Policy
X-Cache-Action
X-Tumblr-User
Backend
X-Tumblr-Pixel-1
X-Tumblr-Pixel-0
X-IPS-LoggedIn
X-Tumblr-Pixel
X-NYM-Debug-Backend
Liferay-Portal
Frame-Options
X-ProcessESI
X-RemovedCookies
X-Nginx-Cache
CF-IPCountry
X-HTML-Minification-Powered-By
X-COUNTRY
X-Hyper-Cache
Content-Secure-Policy
WP-Super-Cache
Section-Io-Cache
X-Ratelimit-Limit
X-OCL
X-RN-RSRV
X-UPSTREAM-Address
X-Redis-Cache
X-Cache-Server
X-APP-VERSION
Upgrade-Insecure-Requests
Ec-Rule-Version
X-TT-LOGID
Meta-Geo
X-PCL
X-No-Session
X-Generation-Time
X-Ua
X-Content-Age
Apigw-Requestid
X-FB-TRIP-ID
X-Detected-As
Cache-Tv-Group
X-Section
X-Access
X-Format
X-Cluster-Node
X-Cache-Enabled
X-Rule
X-Request-Time
X-Say-Cacheable
X-PHP-Backend
X-Human
X-Origin-Date
X-SayCDN-TTL
X-Server-W
X-Storage
X-Sql-Duration-Ms
X-Sql-Count
X-Site-Version
X-Hosted-By
X-Be
Azure-RegionName
Azure-InstanceId
Azure-SiteName
Azure-SlotName
Azure-Version
Fastly-SSL
Locale
X-UA-Device-Type
X-AOL-HN
X-Akamai-Edgescape
S-Rt
X-Generated-By
X-Say-TTL
TWC-Locale-Group
X-Region
TWC-GeoIP-LatLong
X-Origin-Hint
TWC-Device-Class
X-Urbn-Context-Path
X-PERF
Webcakes-Region
X-ApacheServer
Webcakes-App-Version
Webcakes-App-Name
TWC-Privacy
TWC-Connection-Speed
TWC-GeoIP-Country
X-Varnish-Cache-Hits
X-Via-Fastly
X-Uri
X-Urbn-Site-Id
X-Mode
X-Unique-Id
X-Web-Node
Property-Id
Mn-Server-Ip
Eomportal-Instance
CDN-RequestCountryCode
CDN-PullZone
X-Status
CDN-RequestId
CDN-Uid
CDN-EdgeStorageId
X-Xfnlog-Site
X-Cache-Type
X-Platform-Server
X-ProxyCache-Key
X-ProxyCache-Status
CDN-CachedAt
X-Forwarded-Host
X-Debug-Cache
X-BYPASS-REASON
X-Cache-Host
X-Cache-Tags
X-Content-Powered-By
Webserver
X-Nginx-Cache-Key
CDN-Cache
X-JoinUs
X-ShopId
X-ShardId
X-SaId
X-Alternate-Cache-Key
X-Sorting-Hat-ShopId
X-ServerID
X-Shopify-Stage
X-Hl-Ver
X-Sorting-Hat-PodId
X-Backend-Name
X-Zipkin-Id
X-Tid
X-Extlb
X-Varnishpool
X-Proxied
X-Routing-Service
X-Adobe-Source
X-Timing-Wait
X-Cache-Operation
X-Webkit-CSP
X-Accel-Buffering
X-Proxy-Build
ServedBy
X-Handled-By
Selected-Fe
X-Cache-Remote
X-Dc
X-Labrador-Cache-Channel
X-PHP-Host
X-Locale
X-GG-Cache-Date
X-VWS-Id
X-LJ-Flow-ID
X-AWS-Id
X-LSADC-Cache
SID
Xserver
X-Rewrite-Enabled
X-VC-Cache
X-Datadome
X-Pubstack
X-Cached-By
X-NewRelic-App-Data
X-Soup
X-Buckets
Fastly-Drupal-Html
Mime-Version
X-Edge-Location
X-Proto
Web-Mar-Node
X-Storefront-Renderer-Rendered
Country-Code
X-GEO
X-Request-Host
Decoy-Debug-TTL
Decoy-Debug-Status
Decoy-Debug-Key
SRV
X-Varnish-Ttl
X-Reqid
X-CDN-Forward
X-TA-CDN-Provider
Onion-Location
X-Microcachable
LB
X-Cms-Context
X-App-Version
X-Varnish-Hostname
Server-Info
X-Origin-CC
X-Origin-TTL
X-Ms-Version
Xet-Cookie
X-Ms-Request-Id
Cache-Hits
X-Midtier
X-Cluster
X-NCache
X-MP-GENERATED-AT
X-Tumblr-Pixel-2
X-SRV
X-CSRF-Token
Load-Balancing
X-Tumblr-Pixel-3
X-GeoCode
X-GeoCountry
X-Varnish-Hits
DynaTrace
X-Bc-Bl
X-Air-Hostname
X-Air-Trace-Id
X-Air-Source
X-Varnish-Beresp-Grace
X-Amzn-RequestId
X-Envoy-Decorator-Operation
Cache-Name
X-Amz-Apigw-Id
X-Origin-Response-Time
X-Endurance-Cache-Level
X-RCS-CacheZone
X-Azure-Ref
Pramga
Rendered-Blocks
Mobile-Detection-Method
Odigeo-Trace-Id
NM-Fastcgi-Cache
Cmsid
X-Webstats-RespID
Cmstype
Cdnsip
Cdncip
A
BehaviorPad-Version
DB-Nickname
DCR-Decision-By
Lang
Meta-Geo-Continent
Host-ID
Fastcgi-X-Cache-Version
DCR-Processing-Time-Ms
Expiry
Xc-Version
X-ScT
X-Ig-Push-State
X-Cdn-Srv
X-HS-Content-Campaign-Id
X-CF-Lambda-Fn
X-CF-Lambda-Version
X-Hash
X-LAGOON
X-Men
X-NodeID
X-B-Cookie
X-Cache-Bucket
X-NAPM-TraceId
X-Cache-NE
X-Cache-Id
X-Gzip
X-Geo-Header
X-Esi-Check
X-External-Request-Id
X-Developer
X-Epic-Correlation-Id
X-Ec-Fail
X-Ec-GeoHdr
X-Destination
X-Forwarded-Path
X-Ftr-Request-Id
X-Conf
X-From
X-Connection-Hash
X-D
X-ARC
X-Application
X-Tenant
Surrogated-Key
T-Server
X-SRCache-Key
X-A
X-Shop-Environment
X-TIM-N
X-TrackingId
X-VG-WebCache
X-Vtex-Processado-Em
X-Vdms-Version
X-Vdms-Path
Sslversion
X-User
X-Session-Fingerprint
X-A-Ccd
X-Processor
X-A-Wwc
X-PBS-Appsvrname
X-AK-Request-ID
X-Orig-Expires
X-PAYTM-SRV-ID
X-A-Dgt
X-Rojux
X-A-Dcw
X-A-Dam
X-SD-PageType
X-S-Cookie
X-S
X-Vtex-Remote-Cache
X-Aed
X-B3-SpanId
X-R9-Blue-Green-Version
X-Magnolia-Registration
X-Via-NSCOPI
Producers
Platform
X-Loop
X-Mvc-Supplant-Cachable
X-Location
X-JWT-State
Server-Host
X-Hnp-Log
X-Irp-Debug
X-Is-Gdpr
X-Planisys-CDN-TTL
X-Node-Id
X-Origin-Time
Memcached
Machine
X-Planisys-CDN-Cache
X-Origin-Expires
X-Origin
X-Planisys-CDN-Rules
X-Has-Esi
X-Nyt-Route
X-Old-Content-Length
AMP-Access-Control-Allow-Source-Origin
State
X-Core-Value
X-Core-Mission
X-DefElseHash
X-DefHash
Web-Mar-Region
X-Clara-WADP
X-Ckpd-Fst-Backend
X-Block-Status
X-Cache-Backend
X-Cache-Info
X-Amzn-Remapped-Content-Length
We-Hiring
Vix-Hermes-Req-Id
X-Gdpr
X-Fmm-Version
X-Gen-Mode
Svr
Is-Eu
X-Fetched-On
X-Fastly-Cache
V-Age
User-Cache-Control
X-Device-Os
X-DPWN-IS-SECURE
X-GeoIP
Mail-Subject
AKAMAI
X-Varnish-CookieINHashed-On
Adler-Geo
X-Varnish-Remaining-TTL
Source
X-Varnish-CookieHashed-On
X-V-Cache
X-Time
X-SVT-ORM-RULES
X-SVT-ORM-VERSION
X-TNCMS
X-VG-TLSProxy
X-Viewer-Country
Wxu-Next-Commit
Apple-News-Services-Request-Url
Wxu-Next-Hostname
Wxu-Next-Region
X-Developers
Apple-News-Services-Parsed-Url
Apple-News-Services-Host
X-WADP-Cache
X-Wix-Viewer-Type
X-Worker
Apple-News-Services-Handled
X-Slack-Backend
X-Variation
X-Scheme
X-Server-IP
X-SB
Environment
X-Request-URI
X-Rocket-Build-Number
X-Sigma
Fastly-GeoIP-CountryCode
X-Sigma-Backend
HostName
CDN
X-Policy
X-Datadog-Parent-Id
X-Csrf-Jwt
X-Datadog-Sampling-Priority
X-Datadog-Trace-Id
X-Pod-Name
X-Rebelmouse-Cache-Control
X-RateLimit-Remaining-Second
Locid
X-Pool
X-Cdn-Origin
X-Proxy-Upstream
X-Cache-Date
X-Proxy-Cache-Info
X-Branch-Name
X-RateLimit-Limit-Second
X-Rebelmouse-Surrogate-Control
X-CGP
X-Ec-Custom-Error
X-Region-Sid
X-Generated-On
X-Minions-Version
X-Skip-Cache
X-Gamma-Serve
X-Served-From
X-Qloud-Router
X-HN
X-Httpd
X-GeoIP-City
X-Forwarded-Site
X-Rocket-Nginx-Serving-Static
X-VServer
X-BBC-Edge-Cache-Status
X-Level-Front-Cache
X-Loc
X-Response-By
X-VarnishDD-TTL
X-Sn-Servicetimems
X-Eu-Site
X-Thinkindot-L3
X-Platform
Ssr
TDXMobile
Fastly-SWR
Gh-Request-Id
Req-Svc-Chain
Ha-Gx-Prefs
CloudFront-Viewer-Country
Thinkindot-CacheControl
Cluster
X-Tx-Id
Fastcgi-Cache-TTL
Thinkindot-Control
Thinkindot-CacheControl-Type
HA-Ipaddr
Release
L
N-Cache
Arc-Country
Cache
L5d-Success-Class
Origin
Origin-CC
CDCHOST
Redirect-Candidate
Kp-EeAlive
PFcat
Origin-EX
Traceparent
Fastly-SIE
X-Auto-Login
X-Aicache-OS
X-ZONE
X-TraceId
X-RPS
X-RSL
X-EC-Lua
MD5-Digest
X-RPM
X-CACHE-KEY
X-DSS
DSUID
X-DB
X-DW
X-Optimistic-Header
X-DI
NGX
X-Tec-Api-Root
X-Tec-Api-Version
X-VC
X-Tec-Api-Origin
X-Parent-Response-Time
X-CacheTTL
X-Owner
X-Date
X-TIME
X-WP-CF-Super-Cache
X-NC
X-WP-CF-Super-Cache-Cache-Control
X-Dispatcher-Number
GEO-INFO
X-Accel-Expires-Debug
X-Tb-Optimization-Total-Bytes-Saved
X-Scale
IsBot
X-SIPLIST1
X-Via-Ucdn
X-Srv
Server-Ext
X-CS
Server-Hostname
Env
X-Akamai-Transformed
X-Refresh
X-GeoIP-Region-Code
Sever-Int
X-GeoIP-Country-Code
X-Newrelic-Synthetics
X-Edge-Pop
Memory
Pics-Label
X-Mvc-Supplant-OutputCached
X-Ah-Environment
Time
X-Udemy-Cache-App-Namespace
Ms-Author-Via
X-Wikidot-Static-Cache
X-LB-NoCache
Ohc-File-Size
X-Wikidot-Backend
X-Cache-Debug
X-API-Version
Servername
X-IPLB-Request-ID
Fusion-Content-Id
Fusion-Component-Id
Fusion-Content-Source
Fusion-Source
Fusion-Deployment-Id
Fusion-Template-Id
X-Via-Poph
X-BCube-Filmed-By
Cache-Key
Candidate-Md5Url
CacheControlHeader
X-Generated-In
X-Ad-Defer-Variation
GeoIp-Country-Code
Datacenter
X-Via-Popv
X-Amz-Meta-Cb-Modifiedtime
Geo-Info
X-Via-Popn
X-Tt-Logid
X-Xrds-Location
X-TH-Server
X-S-Maxage
X-SplitTest
X-HA-Backend
X-Contensis-Viewer-Groups
CPC-Age
CPC-Cache
VNS-Age
VNS-Cache
XM
X-Action
True-Client-Country-4JS
X-Cache-ASPX
X-Servedbyhost
X-WA-Info
X-Varnish-Authentication
X-Backend-TTL
ITXSESSIONID
Fastly-Backend-Name
Geoip-Latitude
X-RateLimit-Reset
X-PX
Path
X-Cache-Status-Check
X-Cs
Client
X-Micro-Cache
X-Varnish-Beresp-TTL
FSS-Cache
X-Presslabs-Stats
X-AIR-PT
X-Vc
X-VCL-Version
X-Req
Lb
Edge-Cache
X-Dynatrace
X-Provided-By
X-VHOST
My-App
X-DC
Server-ID
Cache-Host
X-Trace-ID
X-TX-ID
X-Zone
True-Client-IP
Ngx.Var.Host
Hostname
X-Pass-Why
X-Origin-Upstream-Status
Ohc-Cache-HIT
X-Up
X-FireWall-Port
DataCenter
X-B3-Spanid
X-Webkit-Csp-Report-Only
X-Api-Version
X-Clientip
NtCoent-Length
X-Proxy-CacheRZ
XkeyRZ
X-LB-ID
X-Fpc
X-FPC
Powered-By
X-Varnish-Beresp-Ttl
Test
X-Traceid
X-LI-UUID
OT-Force-Account-Verify
X-Cdn-Request-ID
X-Li-Pop
X-Li-Fabric
X-NGINX-Cache
Cf-Int-Pingora-Origin-Digest
X-Vcl-Version
Server-Id
X-ND-Cache
X-CSRF-TOKEN
X-UnsetCookies
X-Correlation-ID
X-Beluga-Response-Time
X-MSEdge-Features
X-MSEdge-Flight
WZWS-RAY
X-Beluga-Node
X-Time-Microsecs
X-Beluga-Status
X-Webkit-CSP-Report-Only
X-CUA
User-Agent
X-Beluga-Trace
X-Dmc
X-Beluga-Cache-Status
X-Beluga-Record
Target-Params
Uri
Proxy-Connection
Tracecode
X-ServedByHost
X-Fragments
X-Render-Time
X-INCAP-ABP
X-RAMCache
Cf-Device-Type
X-Azure-Ref-OriginShield
X-CLOUD-TRACE-CONTEXT
X-Via-PopH
X-URL
X-Platform-Processor
X-Via-PopV
X-Ha-Backend
X-Platform-Router
X-Var-Ttl
X-ATG-Version
Lfy
X-HS-Status
X-Platform-Cluster
X-Via-PopN
X-Sucuri-ID
Resin-Trace
X-Sucuri-Cache
X-FC-Vary-Parameters
C-Via
Rip
X-Fastly-Backend
Srvid
X-Check-Cacheable
X-Cdn-Forward
X-Geo
X-Akamai-Pragma-Client-IP
X-Gateway-Request-Id
X-Gateway-Cache-Status
X-Service
X-Gateway-Skip-Cache
GeoIP-Country-Code
GeoIP-Latitude
Tube-Got-Results
Click-Count-Action-Start
Sid
Tube-Got-Eval
Tube-Get-Contents
X-Gateway-Cache-Key
Tube-Return
Click-Count-Error
MIME-Version
Srv
X-Varnish-Beresp-Status
X-M-Reqid
X-M-Log
X-Hcs-Proxy-Type
X-CCDN-CacheTTL
X-CCDN-Origin-Time
X-Qnm-Cache
X-Proxy-Cache-Hk
Esi-Enabled
HIT
X-DynaTrace-JS-Agent
X-Li-Proto
X-NU-AKA-ACS-Version
Epwk-X-Cache
X-Alfa-Service
X-LI-Proto
X-Fetch-By
Fastly-Drupal-HTML
X-TRACE-ID
ServerName
X-Lb-Nocache
PICS-Label
Section-Io-Origin-Status
X-Fastly-Backend-Reqs
Section-Origin-Responded
On-Server
X-Backend-State
X-Backend-Host
Magicmarker
Section-Io-Origin-Time-Seconds
ENV
Section-Io-Id
X-Esi
Cdn
X-B3-Traceid-Primal
XServer
X-Request-Start
X-Cache-Expires
X-Edge-POP
X-APP
X-Cache-CFC
X-Srcache-Store-Status
X-MG-S
X-LiteSpeed-Cache-Control
X-Srcache-Fetch-Status
Server-Ttl
X-Newrelic-App-Data
X-Bip
X-App
X-ElasticPress-Query
X-Yottaa-OS
Tcn
CF-Cached-On
X-Thanos
Wpo-Cache-Message
X-Nc
X-BBC-Origin-Response-Status
X-Vcache
X-Serial
D-Url-Rewrites
X-Iplb-Request-Id
X-Iplb-Instance
Wpo-Cache-Status
Cf-Ipcountry
X-Acquia-Site
Inserted-Into-Cache-At
X-Acquia-Application-Trace
X-Acquia-Application-UUID
X-Acquia-Purge-Tags
X-HostName
Warning
Servedby
X-Akamai-ERRuleID
X-Release
X-Wp-Cf-Super-Cache-Cache-Control
X-Akamai-ERPolicy
X-Swift-Error
Cneonction
X-B3-Parentspanid
X-Cache-Config
Fastcgi-Cache-Ttl
X-Fastly-Cache-Hits
X-Snapshot-Date
X-Wp-Cf-Super-Cache
X-Request-URL
Content-Style-Type
X-Back
X-Litespeed-Cache-Control
Content-Script-Type
X-Akamai-Request-ID
M-TraceId
Ngx
X-Dw-Trace-Id
X-Th-Server
X-Request-Url
X-IN-APIGATEWAY
CountryCode
X-LiteSpeed-Tag
X-IN-APIGATEWAYSSL
X-CF-Powered-By
X-Dist-Code
X-Storefront-Renderer-Verified
X-Shopify-Generated-Cart-Token