Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
P3p
X-Check
X-Cacheable
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
X-CONTENT-TYPE-OPTIONS
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CDN
Upgrade
X-XSS-PROTECTION
X-Via
CF-Ray
Access-Control-Max-Age
Server-Timing
X-Ws-Request-Id
X-Cache-Group
X-Turbo-Charged-By
Keep-Alive
X-Backend
Request-Context
EagleId
X-Akamai-Path-Stats
X-Age
X-Dns-Prefetch-Control
X-Robots-Tag
X-Server
X-AH-Environment
X-Amz-Request-Id
Host-Header
X-Proxy-Cache
X-Amz-Id-2
X-UA-Device
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
X-Ua-Compatible
CONTENT-SECURITY-POLICY
Allow
X-WebKit-CSP
EagleEye-TraceId
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Nginx-Cache-Status
X-Device
X-OneAgent-JS-Injection
X-Cache-Spec
Cf-Railgun
X-Host
X-Page-Speed
X-Node
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
X-Pingback
Request-Id
Surrogate-Control
X-Backend-Server
Cf-Edge-Cache
Accept-CH
X-Readtime
X-Akam-SW-Version
X-Response-Time
X-Cache-Lookup
Accept-CH-Lifetime
X-HW
Xkey
X-Application-Context
X-ASPNET-VERSION
Content-Location
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Trace
Fastly-Restarts
X-Country
X-MS-InvokeApp
X-Rack-Cache
X-Ruxit-JS-Agent
X-Mod-Pagespeed
Accept-Ch
X-PC
X-TtlSet
X-Vname
Accept-Ch-Lifetime
X-Clacks-Overhead
RTSS
X-Server-Name
Edge-Control
X-VARITI-CCR
X-ESI
X-Amz-Server-Side-Encryption
X-Varnish-TTL
Cache-Tag
X-B3-TraceId
X-Content-Type
X-Vcap-Request-Id
X-Dw-Request-Base-Id
X-Kinja-Build
X-Kinja-Server
X-Kinja
X-GoogleNews-Bot
X-Cdn-Fetch
X-Exp-Id
X-Exp-Variant
X-Use-Magma
X-Kinja-Revision
X-Amz-Rid
Public-Key-Pins
X-Px
X-Cnection
X-D2id
X-FastCGI-Cache
X-Edge
X-Ac
X-RateLimit-Remaining
X-Ser
X-Navigation-Version
X-Element-Page-Cache
Verso
Pagespeed
Display
X-Abt-Application-Version
X-Sol
X-Middleton-Display
X-Client-IP
X-Powered-By-Plesk
X-Ttl
X-Version
X-Cache-TTL
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
X-Country-Code
Service-Worker-Allowed
X-Correlation-Id
X-Middleton-Response
Response
X-NF-Request-ID
Access-Control-Request-Method
X-Goog-Hash
X-Content-Security-Policy-Report-Only
SPIisLatency
SPRequestDuration
X-Ruxit-Js-Agent
X-Kinsta-Cache
X-Ua-Device
X-Cached
AR-ATIME
AR-CACHE
X-Edge-Location-Klb
AR-Request-ID
AR-SID
AR-PoweredBy
X-SharePointHealthScore
SPRequestGuid
X-Powered-CMS
X-Upstream
Edge-Cache-Tag
X-Instrumentation
X-Server-Lifecycle-Phase
X-LLID
X-Kraken-Loop-Name
X-NWS-LOG-UUID
X-RateLimit-Limit
X-Litespeed-Cache
X-Forwarded-For
Nginx-Cache
X-Cache-Key
Content-MD5
X-MSEdge-Ref
X-Shield-Request-Id
MRF-Tech
X-TTL
Mrf-Cache-Status
X-Id
TCN
X-T
X-Recruiting
X-B3-TraceId-Primal
S
X-Daa-Tunnel
X-Content-Digest
X-ECACHE
X-TEC-API-ROOT
X-DataDome
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Mg-S
X-HP-Webp
X-HP-Trace-Id
X-Jurisdiction
X-Accel-Expires
X-WebKit-CSP-Report-Only
X-Ezoic-Cdn
X-Grace
X-HS-Cache-Config
X-Protected-By
X-HS-Hub-Id
MS-Author-Via
MicrosoftSharePointTeamServices
X-HS-Content-Id
X-HS-Combine-CSS
X-DynaTrace
X-Ab
X-Ua-Browser
X-Content
X-Frontend
X-Request-Processing-Time
X-Request-Received
X-Yandex-Sdch-Disable
Server-Node
TP-L2-Cache
TP-Cache
Front-End-Https
Filters
X-Server-ID
X-Origin-Server
X-Distributor
Fastcgi-Cache
X-PressLabs-Stats
X-Mid
X-Geo-Country
X-Hits
X-Webkit-Csp
X-Request-Handler-Origin-Region
X-Microsite
X-LB-Cache
X-Tt-Trace-Host
X-Tt-Trace-Tag
X-Amzn-Trace-Id
Charset
Cleartype
X-Debug-Info
Host
X-Page-Id
X-Git-Hash
X-B3-Sampled
X-F-Cache
Cross-Origin-Opener-Policy
X-Forwarded-Proto
X-Ratelimit-Reset
X-Cache-Age
X-DIS-Request-ID
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
Cache-Status
X-Seen-By
Access-Control-Allow-Method
X-Www-Served-By
Realpath
X-AppVersion
X-Activity-Id
X-Az
Pinterest-Version
X-Pinterest-Rid
Pinterest-Generated-By
ServerID
Accept-Charset
X-Aspnetmvc-Version
X-Mcache
X-Oracle-Dms-Ecid
Cache-Tags
X-Fastly-Request-Id
X-Varnish-Age
X-Oracle-Dms-Rid
Filterid
X-Cluster-Name
X-Nginx-Upstream-Cache-Status
X-Rid
X-Content-Options
X-Type
X-Language
Retry-After
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-FB-Debug
X-App-Environment
Country
Server-Name
X-Tb
Viewport
X-Upgrade-Enabled
X-MCACHE
X-Varnish-Backend
Node
X-User-Agent
Paypal-Debug-Id
X-Varnish-Grace
DC
X-Drupal-Cache-Tags
X-Signature
X-TT
X-Whom
X-B-Cache
X-Wix-Request-Id
X-Origin-Cache
X-Oneagent-Js-Injection
X-Mobile-URL
X-Goog-Storage-Class
X-Goog-Generation
X-Goog-Metageneration
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length
X-GUploader-UploadID
X-Flags
X-Aspnet-Duration-Ms
X-XRDS-LOCATION
X-B
X-VCache
X-Route-Name
X-Request-Guid
X-Providence-Cookie
X-Is-Crawler
X-NWS-UUID-VERIFY
Permissions-Policy
Protected
X-Debug
X-Logged-In
Fastcgi-Useragent
X-Amz-Replication-Status
WPO-Cache-Status
X-Cache-NGX
X-Amz-Meta-S3cmd-Attrs
WPO-Cache-Message
X-N
X-Via-JSL
Payment
X-Load-Cache
Surrogate-Key
X-Cache-Control
X-Contextid
Amp-Access-Control-Allow-Source-Origin
Count-Hit
X-Webkit-CSP
Healthy
X-Node-Name
X-Browser-Type
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-FW-Serve
X-Template
X-FW-Hash
X-FW-Type
X-FW-Server
X-FW-Dynamic
X-FW-Static
X-XRDS-Location
X-Mobile
X-Response-Served-From
X-Original-Request-Id
SD-X-WS
Content-Disposition
X-Proxy
Refresh
Akamai-GRN
X-Trace-Id
X-Jobs
X-G
X-Restarts
X-Revision
X-Cache-Time
Url
X-Cache-TTL-Remaining
X-NGENIX-Cache
X-Akamai-Request-ID2
Uber-Trace-Id
X-Fastly-Request-ID
Alternate-Protocol
X-Real-IP
X-Framework
X-Zen-Fury
X-UUID
VIX-Pulpo-Node
X-Adobe-Content
X-Adobe-Loc
NGB
X-Cacheable-TTL
X-Servername
X-Debug-IsConnected
X-Is-Bot
X-Rendered-As
X-Drupal-Cache-Contexts
X-Device-Type
X-Debug-IsPreview
X-Proxy-Cache-Status
VIX-Pulpo-Upstream-Status
X-Hostname
X-Page-View
X-Cache-Grace
Access-Control-Request-Headers
X-Yottaa-Optimizations
X-COUNTRY
X-Instance
X-Yottaa-Metrics
X-Http-Reason
X-Mg-Request-UUID
X-ECache
X-Varnish-Server
X-Midtier
X-B3-Traceid
X-IPLB-Instance
Version
X-Environment-Context
X-L-Path
X-Source
X-EdgeConnect-Cache-Status
Accept-Language
X-HTML-Minification-Powered-By
Countrycode
Ms-Operation-Id
MS-CV
X-RTag
Frame-Options
X-Fastcgi-Cache
From-Origin
X-Cache-Hit
X-Cache-Rule
X-Cache-Expired-At
X-Vgn-Hpd-Reason
Liferay-Portal
X-NYM-Debug-Backend
Referer-Policy
X-App-Server
Cross-Origin-Window-Policy
X-Tumblr-Pixel-1
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Backend
X-Tumblr-User
X-APP-VERSION
X-Datadome
X-IPS-LoggedIn
X-FW-Version
Content-Secure-Policy
X-Hosted-By
X-Cache-Server
X-Unique-Id
Upgrade-Insecure-Requests
Meta-Geo
X-RN-RSRV
X-UPSTREAM-Address
X-Parallel-Accel
Section-Io-Cache
X-Cache-Enabled
X-Ua
X-OCL
X-Redis-Cache
X-No-Session
X-FB-TRIP-ID
X-NewRelic-App-Data
X-Nginx-Cache
X-Generation-Time
X-PCL
X-Origin-Date
WP-Super-Cache
X-AOL-HN
S-Rt
X-Uri
Webcakes-App-Version
TWC-Privacy
Webcakes-App-Name
Mn-Server-Ip
Property-Id
X-Request-Time
TWC-Connection-Speed
X-Region
X-Server-W
X-UA-Device-Type
X-Section
Webcakes-Region
TWC-Device-Class
X-RemovedCookies
X-ProcessESI
X-PHP-Backend
X-Varnish-Cache-Hits
X-Be
Azure-RegionName
X-Via-Fastly
X-Origin-Hint
Apigw-Requestid
Azure-InstanceId
Azure-SiteName
X-Cluster-Node
X-Access
X-Format
Azure-Version
Azure-SlotName
TWC-GeoIP-Country
X-Akamai-Edgescape
TWC-GeoIP-LatLong
TWC-Locale-Group
X-Mode
CF-IPCountry
X-Content-Age
X-Generated-By
X-Forwarded-Host
X-Locale
X-PERF
X-ProxyCache-Key
X-Debug-Cache
X-Nginx-Cache-Key
X-Cache-Host
Eomportal-Instance
Cache-Tv-Group
Locale
X-ApacheServer
X-ProxyCache-Status
X-BYPASS-REASON
X-Content-Powered-By
X-Say-TTL
Fastly-SSL
X-Xfnlog-Site
X-Sql-Count
X-Sql-Duration-Ms
X-PHP-Host
X-Labrador-Cache-Channel
X-Urbn-Site-Id
X-Urbn-Context-Path
X-SayCDN-TTL
X-Sorting-Hat-ShopId
X-Site-Version
X-Status
X-Ratelimit-Remaining
X-Storage
X-Say-Cacheable
X-Human
X-Sorting-Hat-PodId
X-Alternate-Cache-Key
X-ShopId
X-ShardId
X-Shopify-Stage
X-Routing-Service
X-SaId
X-JoinUs
X-Detected-As
X-Backend-Name
X-Cache-Type
X-ServerID
X-Extlb
X-Hl-Ver
X-Tid
X-VC-Cache
X-Platform-Server
X-AWS-Id
X-LJ-Flow-ID
X-VWS-Id
X-Cms-Context
X-Cache-Tags
X-Varnishpool
X-Web-Node
X-Zipkin-Id
X-Adobe-Source
Ec-Rule-Version
X-Proxied
X-Cache-Action
X-GG-Cache-Date
X-Handled-By
X-Timing-Wait
CDN-RequestCountryCode
CDN-RequestId
Load-Balancing
CDN-EdgeStorageId
CDN-CachedAt
CDN-Uid
X-Proxy-Build
CDN-Cache
CDN-PullZone
Selected-Fe
X-Storefront-Renderer-Rendered
ServedBy
X-Edge-Location
X-Dc
Webserver
X-Proto
X-GeoCountry
X-GeoCode
SRV
Mime-Version
X-Hyper-Cache
X-LSADC-Cache
X-CDN-Forward
Fastly-Drupal-Html
Web-Mar-Node
X-Rule
Onion-Location
X-Cache-Operation
X-Cached-By
X-GEO
X-TT-LOGID
X-Cache-Remote
X-Varnish-Hostname
X-Rewrite-Enabled
SID
X-Cdn
Cache-Hits
X-App-Version
X-Soup
X-SRV
X-Varnish-Ttl
X-Cluster
Xserver
X-Accel-Buffering
X-Pubstack
X-Origin-CC
X-Reqid
X-Varnish-Hits
X-Origin-TTL
X-TA-CDN-Provider
X-Magnolia-Registration
Xet-Cookie
Country-Code
X-Ratelimit-Limit
X-Envoy-Decorator-Operation
X-Air-Hostname
X-Air-Source
LB
X-IPLB-Request-ID
X-Air-Trace-Id
Server-Info
X-Microcachable
X-MP-GENERATED-AT
X-Tumblr-Pixel-2
X-Tumblr-Pixel-3
X-Buckets
Decoy-Debug-TTL
Decoy-Debug-Key
Decoy-Debug-Status
DB-Nickname
Cache
X-Request-Host
Source
X-Tt-Logid
X-Ms-Version
X-Ms-Request-Id
X-CSRF-Token
X-Newrelic-Synthetics
X-Amz-Apigw-Id
X-Amzn-RequestId
X-Tx-Id
X-Endurance-Cache-Level
X-B3-SpanId
DCR-Processing-Time-Ms
DCR-Decision-By
MD5-Digest
Lang
Meta-Geo-Continent
Host-ID
Fastcgi-X-Cache-Version
Cmsid
Cdncip
X-ScT
Cdnsip
Expiry
BehaviorPad-Version
A
X-S-Cookie
X-Origin-Response-Time
Xc-Version
X-Via-NSCOPI
Cmstype
T-Server
X-Developer
X-Session-Fingerprint
X-Ec-Fail
X-SD-PageType
X-Rojux
X-Ec-GeoHdr
X-Destination
X-Shop-Environment
X-Conf
X-Tenant
X-Connection-Hash
X-SRCache-Key
X-D
X-Epic-Correlation-Id
X-Esi-Check
X-NAPM-TraceId
X-Ig-Push-State
X-Orig-Expires
X-PAYTM-SRV-ID
X-Processor
X-PBS-Appsvrname
X-HS-Content-Campaign-Id
X-Hash
X-Forwarded-Path
X-External-Request-Id
X-Ftr-Request-Id
X-Geo-Header
X-Gzip
X-CF-Lambda-Version
X-TIM-N
Sslversion
X-S
Surrogated-Key
X-Vdms-Version
X-A
X-Vdms-Path
X-VG-WebCache
Rendered-Blocks
NM-Fastcgi-Cache
X-Vtex-Remote-Cache
Odigeo-Trace-Id
X-Vtex-Processado-Em
Pramga
X-A-Dam
X-A-Dcw
X-B-Cookie
X-ARC
X-Cache-Id
X-Cache-NE
X-CF-Lambda-Fn
X-Cdn-Srv
X-Application
X-AK-Request-ID
X-A-Wwc
X-A-Dgt
X-User
X-TrackingId
X-Aed
Mobile-Detection-Method
X-A-Ccd
X-RCS-CacheZone
X-NCache
X-Bc-Bl
X-CacheTTL
X-WADP-Cache
X-Cache-Info
X-Cache-Bucket
X-Amzn-Remapped-Content-Length
X-Cache-Backend
X-Ckpd-Fst-Backend
X-Clara-WADP
X-DefHash
X-Developers
X-DefElseHash
X-Core-Value
X-Core-Mission
X-Worker
Wxu-Next-Region
Mail-Subject
Memcached
Machine
Is-Eu
Fastly-GeoIP-CountryCode
Platform
Producers
Wxu-Next-Commit
Wxu-Next-Hostname
We-Hiring
State
Server-Host
X-Device-Os
X-DPWN-IS-SECURE
X-Sigma
X-Sigma-Backend
X-Server-IP
X-Scheme
X-SB
X-SVT-ORM-RULES
X-SVT-ORM-VERSION
X-Varnish-CookieINHashed-On
X-Varnish-Remaining-TTL
X-Varnish-CookieHashed-On
X-Variation
X-V-Cache
X-Rocket-Build-Number
X-Origin-Time
X-Fmm-Version
X-Gdpr
X-Fetched-On
X-Fastly-Cache
Environment
X-GeoIP
X-Irp-Debug
X-Nyt-Route
X-Origin-Expires
X-NodeID
X-Node-Id
X-Mvc-Supplant-Cachable
X-Via-Ucdn
X-Origin
Adler-Geo
X-Skip-Cache
AKAMAI
CDN
Cache-Name
X-Azure-Ref
X-Time
X-Varnish-Beresp-Grace
X-Sn-Servicetimems
Apple-News-Services-Handled
X-Slack-Backend
X-Served-From
DynaTrace
X-Request-URI
X-Rocket-Nginx-Serving-Static
X-CGP
X-SIPLIST1
X-ZONE
X-Cdn-Origin
Apple-News-Services-Host
X-VG-TLSProxy
X-HN
Apple-News-Services-Request-Url
X-Viewer-Country
X-R9-Blue-Green-Version
X-Wikidot-Static-Cache
X-Wikidot-Backend
X-Auto-Login
X-VarnishDD-TTL
X-Csrf-Jwt
X-Cache-Date
Apple-News-Services-Parsed-Url
X-Branch-Name
X-BBC-Edge-Cache-Status
X-Block-Status
X-Thinkindot-L3
X-Datadog-Sampling-Priority
X-Forwarded-Site
X-Minions-Version
X-Gamma-Serve
X-Planisys-CDN-Cache
X-Eu-Site
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-Loc
X-Gen-Mode
X-Httpd
X-Hnp-Log
X-GeoIP-City
X-LAGOON
X-Level-Front-Cache
X-Generated-On
X-Platform
X-Pod-Name
X-Rebelmouse-Cache-Control
X-RateLimit-Remaining-Second
X-Rebelmouse-Surrogate-Control
X-Datadog-Trace-Id
X-Datadog-Parent-Id
X-Xrds-Location
X-RateLimit-Limit-Second
X-Qloud-Router
X-Policy
X-Ec-Custom-Error
X-Pool
X-Dispatcher-Number
X-Proxy-Upstream
X-Proxy-Cache-Info
X-Region-Sid
X-Aicache-OS
IsBot
X-TNCMS
HA-Ipaddr
Req-Svc-Chain
X-Wix-Viewer-Type
X-Loop
Ssr
Fastly-SWR
Svr
X-Is-Gdpr
X-JWT-State
N-Cache
Release
PFcat
Ha-Gx-Prefs
Origin-EX
Origin-CC
Origin
Gh-Request-Id
Cluster
Redirect-Candidate
Cache-Key
CloudFront-Viewer-Country
Candidate-Md5Url
X-Has-Esi
TDXMobile
User-Cache-Control
Ohc-File-Size
X-BCube-Filmed-By
Kp-EeAlive
V-Age
Vix-Hermes-Req-Id
Web-Mar-Region
CDCHOST
L5d-Success-Class
Fastcgi-Cache-TTL
L
Thinkindot-Control
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
Datacenter
Fastly-SIE
Traceparent
X-Cache-Status-Check
X-SplitTest
X-From
VNS-Age
X-Optimistic-Header
CPC-Age
CPC-Cache
VNS-Cache
X-Owner
X-VServer
DSUID
GEO-INFO
Server-Ext
NGX
X-Webstats-RespID
Server-Hostname
X-Scale
Sever-Int
XM
X-Ad-Defer-Variation
X-Tec-Api-Origin
X-Tec-Api-Version
HostName
X-Tec-Api-Root
Fastly-Backend-Name
X-Parent-Response-Time
X-Location
X-Refresh
X-CS
X-WA-Info
Pics-Label
X-WP-CF-Super-Cache
X-WP-CF-Super-Cache-Cache-Control
X-Tb-Optimization-Total-Bytes-Saved
X-CACHE-KEY
X-Micro-Cache
X-Ah-Environment
X-NC
Env
X-Cache-ASPX
X-AIR-PT
X-Contensis-Viewer-Groups
Locid
X-EC-Lua
X-VC
X-TIME
Ms-Author-Via
X-Men
X-Varnish-Authentication
X-LB-NoCache
X-Response-By
Servername
X-Udemy-Cache-App-Namespace
X-Edge-Pop
Arc-Country
AMP-Access-Control-Allow-Source-Origin
Memory
Time
X-Servedbyhost
X-Old-Content-Length
Path
X-Amz-Meta-Cb-Modifiedtime
X-TraceId
Lb
X-DSS
X-DW
X-Generated-In
X-Srv
X-RSL
X-RPM
X-RPS
X-DB
X-Mvc-Supplant-OutputCached
X-Via-Poph
X-Via-Popn
X-Via-Popv
Ngx.Var.Host
X-DI
Cache-Host
Ohc-Cache-HIT
GeoIp-Country-Code
X-Date
ITXSESSIONID
X-Accel-Expires-Debug
X-Presslabs-Stats
X-Akamai-Transformed
XkeyRZ
X-Vc
X-Api-Version
X-RateLimit-Reset
X-Proxy-CacheRZ
X-VCL-Version
True-Client-IP
X-Varnish-Beresp-TTL
X-S-Maxage
Client
X-GeoIP-Region-Code
X-GeoIP-Country-Code
X-HA-Backend
Geoip-Latitude
FSS-Cache
X-API-Version
X-Clientip
X-Cache-Debug
Hostname
X-Cs
X-VHOST
X-Trace-ID
X-DC
Server-ID
Fusion-Source
Fusion-Deployment-Id
Fusion-Template-Id
Fusion-Content-Id
Fusion-Component-Id
Fusion-Content-Source
CacheControlHeader
X-Fpc
True-Client-Country-4JS
X-FireWall-Port
X-TH-Server
X-Dmc
X-Action
X-Zone
X-Webkit-Csp-Report-Only
X-Render-Time
X-Backend-TTL
X-MSEdge-Flight
X-MSEdge-Features
Powered-By
X-TX-ID
X-NGINX-Cache
X-Traceid
X-PX
X-B3-Spanid
X-INCAP-ABP
NtCoent-Length
X-CSRF-TOKEN
X-Service
Test
Edge-Cache
X-Gateway-Skip-Cache
X-Gateway-Request-Id
Geo-Info
X-Req
Rip
X-Gateway-Cache-Key
Tcn
X-DynaTrace-JS-Agent
X-Gateway-Cache-Status
C-Via
X-M-Reqid
Click-Count-Error
Tube-Return
Tube-Got-Eval
Tube-Get-Contents
Tube-Got-Results
Esi-Enabled
X-HS-Status
X-Cdn-Request-ID
X-Pass-Why
HIT
X-M-Log
X-FPC
My-App
X-Qnm-Cache
Click-Count-Action-Start
X-Correlation-ID
X-Origin-Upstream-Status
X-Webkit-CSP-Report-Only
X-Beluga-Cache-Status
X-Beluga-Record
X-Beluga-Trace
X-Beluga-Response-Time
X-Beluga-Node
X-Beluga-Status
On-Server
Server-Id
User-Agent
X-Alfa-Service
X-Provided-By
X-Vcl-Version
X-Ha-Backend
Cf-Int-Pingora-Origin-Digest
X-Up
OT-Force-Account-Verify
X-TRACE-ID
X-Varnish-Beresp-Ttl
X-Via-PopV
Resin-Trace
Proxy-Connection
X-Proxy-Cache-Hk
X-URL
X-Via-PopH
Uri
X-LB-ID
X-Via-PopN
Srvid
X-CLOUD-TRACE-CONTEXT
X-Check-Cacheable
Sid
X-APP
GeoIP-Latitude
GeoIP-Country-Code
X-Edge-Origin-Shield-Bytes
X-Akamai-Pragma-Client-IP
Epwk-X-Cache
X-ServedByHost
X-CCDN-CacheTTL
Cdn
X-CCDN-Origin-Time
X-Hcs-Proxy-Type
X-Li-Fabric
X-Edge-Origin-Shield-Region
X-LI-Proto
X-UnsetCookies
Srv
X-LI-UUID
X-Li-Pop
X-RAMCache
WebServer
X-Geo
DataCenter
X-Cdn-Forward
M-TraceId
X-Time-Microsecs
X-Fetch-By
WZWS-RAY
X-Backend-Host
Server-Ttl
X-ND-Cache
Warning
X-ID
X-Esi
MIME-Version
X-B3-Traceid-Primal
X-Fastly-Backend-Reqs
XServer
X-CUA
X-App
Cf-Device-Type
X-Edge-POP
ENV
X-Lb-Nocache
ServerName
Fastly-Drupal-HTML
Dt-Hot-News
X-MG-S
X-HostName
X-Request-Url
X-Newrelic-App-Data
X-Yottaa-OS
PICS-Label
X-Fragments
X-Platform-Processor
Target-Params
Tracecode
X-HITS
Section-Origin-Responded
Section-Io-Origin-Status
Section-Io-Origin-Time-Seconds
X-ElasticPress-Query
X-ATG-Version
Section-Io-Id
X-Platform-Router
X-Azure-Ref-OriginShield
CF-Cached-On
X-Platform-Cluster
X-Request-URL
D-Url-Rewrites
Cf-Ipcountry
Inserted-Into-Cache-At
X-CF-Powered-By
X-Vcache
Lfy
X-Fastly-Backend
X-Thanos
X-Iplb-Instance
X-LiteSpeed-Cache-Control
X-Nc
X-Var-Ttl
X-Sucuri-ID
X-Sucuri-Cache
X-Iplb-Request-Id
X-FC-Vary-Parameters
X-Bip
X-Akamai-Request-ID
X-Serial
X-Dw-Trace-Id
Servedby
Cdn-Edgestorageid
Cdn-Cachedat
Cdn-Cache
Wp-Super-Cache
DT-Hot-News
Cdn-Requestid
Cdn-Uid
Cdn-Requestcountrycode
Cdn-Pullzone
URI
X-IN-APIGATEWAY
X-Vercel-Id
X-Vercel-Cache
X-IN-APIGATEWAYSSL
Vha6-Origin
X-Wp-Cf-Super-Cache-Cache-Control
True-Client-Ip
X-Th-Server
X-Varnish-Beresp-Status
X-Cache-Expires
X-Snapshot-Date
X-Release
X-BBC-Origin-Response-Status
Cneonction
X-Dist-Code
CountryCode
Content-Script-Type
X-NU-AKA-ACS-Version
Fastcgi-Cache-Ttl
X-Fastly-Cache-Hits
X-Storefront-Renderer-Verified
Ngx
Content-Style-Type
X-Back
X-Wp-Cf-Super-Cache