Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
X-Request-Id
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
P3p
X-Cache-Status
X-Generator
X-Cacheable
X-Check
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-CONTENT-TYPE-OPTIONS
X-AspNetMvc-Version
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
Server-Timing
X-Ws-Request-Id
X-Cache-Group
X-Turbo-Charged-By
Keep-Alive
X-Backend
Request-Context
EagleId
X-Ua-Compatible
X-Akamai-Path-Stats
X-Age
X-Robots-Tag
X-Server
X-Dns-Prefetch-Control
X-AH-Environment
X-Amz-Request-Id
X-UA-Device
Host-Header
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
CONTENT-SECURITY-POLICY
Allow
EagleEye-TraceId
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-WebKit-CSP
X-Nginx-Cache-Status
X-Device
X-OneAgent-JS-Injection
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-CST
X-Aws-Lambda-Call-Status
X-Pingback
X-Server-Id
Surrogate-Control
Request-Id
X-Backend-Server
Cf-Edge-Cache
Accept-CH
X-Readtime
X-Akam-SW-Version
X-Response-Time
X-Cache-Lookup
X-HW
Accept-CH-Lifetime
Xkey
X-Application-Context
Content-Location
X-ASPNET-VERSION
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Trace
X-Country
Fastly-Restarts
X-MS-InvokeApp
Accept-Ch-Lifetime
X-Rack-Cache
X-Mod-Pagespeed
X-Vname
X-TtlSet
X-PC
X-Clacks-Overhead
X-Ruxit-JS-Agent
Accept-Ch
RTSS
X-Server-Name
Edge-Control
X-VARITI-CCR
X-ESI
X-Varnish-TTL
X-Amz-Server-Side-Encryption
Cache-Tag
X-Content-Type
X-Vcap-Request-Id
X-B3-TraceId
X-Dw-Request-Base-Id
X-Amz-Rid
X-Exp-Variant
X-Exp-Id
X-Cdn-Fetch
X-GoogleNews-Bot
X-Use-Magma
X-Kinja-Server
X-Kinja-Revision
X-Kinja
X-Kinja-Build
Public-Key-Pins
X-Px
X-Cnection
X-D2id
X-Edge
X-Ac
X-RateLimit-Remaining
X-Navigation-Version
X-FastCGI-Cache
X-Element-Page-Cache
Verso
X-Ser
Display
X-Sol
X-Middleton-Display
Pagespeed
X-Client-IP
X-Powered-By-Plesk
X-Abt-Application-Version
X-Version
X-Cache-TTL
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
Service-Worker-Allowed
X-Ttl
X-Country-Code
X-Middleton-Response
Response
X-NF-Request-ID
X-Correlation-Id
X-Ruxit-Js-Agent
X-Goog-Hash
Access-Control-Request-Method
X-Content-Security-Policy-Report-Only
SPRequestDuration
SPIisLatency
X-Kinsta-Cache
X-Cached
X-Edge-Location-Klb
AR-SID
AR-ATIME
AR-CACHE
AR-Request-ID
AR-PoweredBy
SPRequestGuid
X-SharePointHealthScore
X-Upstream
X-Powered-CMS
Edge-Cache-Tag
X-LLID
X-RateLimit-Limit
X-Instrumentation
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
X-NWS-LOG-UUID
X-Forwarded-For
X-Cache-Key
Nginx-Cache
X-Litespeed-Cache
X-TTL
Content-MD5
X-MSEdge-Ref
MRF-Tech
Mrf-Cache-Status
X-Shield-Request-Id
TCN
X-Id
X-T
X-B3-TraceId-Primal
X-Recruiting
X-Daa-Tunnel
X-Server-ID
S
X-Content-Digest
X-DataDome
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-Webkit-Csp
X-Mg-S
X-Jurisdiction
X-HP-Webp
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-HP-Trace-Id
X-Ua-Device
MS-Author-Via
X-Accel-Expires
X-ECACHE
X-WebKit-CSP-Report-Only
X-Ezoic-Cdn
X-HS-Combine-CSS
X-Protected-By
X-HS-Cache-Config
X-HS-Hub-Id
X-HS-Content-Id
X-Content
X-Frontend
X-Grace
X-Ua-Browser
X-Ab
MicrosoftSharePointTeamServices
X-Request-Received
X-Request-Processing-Time
Server-Node
Filters
Front-End-Https
X-Yandex-Sdch-Disable
TP-Cache
TP-L2-Cache
X-DynaTrace
X-PressLabs-Stats
X-Origin-Server
Fastcgi-Cache
X-Distributor
X-ORACLE-DMS-ECID
X-Mid
X-ORACLE-DMS-RID
X-Geo-Country
X-Hits
X-Microsite
X-Request-Handler-Origin-Region
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-LB-Cache
X-Amzn-Trace-Id
Charset
X-Debug-Info
Cleartype
X-Ratelimit-Reset
Host
X-Page-Id
X-Git-Hash
X-B3-Sampled
X-F-Cache
Cross-Origin-Opener-Policy
X-Forwarded-Proto
X-DIS-Request-ID
X-Www-Served-By
X-Cache-Age
Cache-Status
Access-Control-Allow-Method
Realpath
X-Seen-By
X-Activity-Id
X-AppVersion
ServerID
X-Az
X-Fastly-Request-Id
Pinterest-Generated-By
X-Pinterest-Rid
Pinterest-Version
Accept-Charset
Filterid
Cache-Tags
X-Varnish-Age
X-Cluster-Name
X-Aspnetmvc-Version
X-Mcache
X-Nginx-Upstream-Cache-Status
X-Rid
X-Language
X-Content-Options
X-Type
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-MCACHE
Retry-After
X-App-Environment
X-XRDS-LOCATION
X-FB-Debug
Server-Name
Country
X-Upgrade-Enabled
Viewport
X-Varnish-Grace
Paypal-Debug-Id
DC
X-Tb
X-User-Agent
X-Varnish-Backend
X-Origin-Cache
X-Drupal-Cache-Tags
X-Signature
X-B-Cache
X-GUploader-UploadID
X-Mobile-URL
Node
X-Wix-Request-Id
X-Whom
X-Goog-Stored-Content-Length
X-Goog-Generation
X-Goog-Stored-Content-Encoding
X-Goog-Metageneration
X-Goog-Storage-Class
X-Oracle-Dms-Ecid
X-Aspnet-Duration-Ms
X-Oracle-Dms-Rid
X-Flags
X-Request-Guid
X-Is-Crawler
X-Providence-Cookie
X-Route-Name
X-VCache
X-TT
X-NWS-UUID-VERIFY
Protected
X-Oneagent-Js-Injection
X-B
X-Debug
Fastcgi-Useragent
Permissions-Policy
X-Logged-In
X-Amz-Replication-Status
WPO-Cache-Message
WPO-Cache-Status
X-Via-JSL
Payment
X-N
X-Amz-Meta-S3cmd-Attrs
X-Cache-NGX
X-Load-Cache
Surrogate-Key
X-Contextid
X-Cache-Control
X-XRDS-Location
Count-Hit
X-Node-Name
X-ECache
X-Template
Healthy
X-Erf-Bev-Bev-Is-Generated
X-B3-Traceid
Amp-Access-Control-Allow-Source-Origin
X-Browser-Type
X-Erf-Bev-Bev
X-FW-Serve
X-FW-Server
X-FW-Type
X-FW-Hash
X-FW-Static
X-FW-Dynamic
X-Webkit-CSP
X-Mobile
X-Trace-Id
X-Response-Served-From
SD-X-WS
X-Original-Request-Id
X-Proxy
Refresh
Content-Disposition
Akamai-GRN
X-Jobs
Uber-Trace-Id
X-Cache-TTL-Remaining
X-Cache-Time
X-Revision
X-Zen-Fury
X-Real-IP
X-Framework
X-UUID
X-Rendered-As
X-G
NGB
Alternate-Protocol
X-Akamai-Request-ID2
X-Device-Type
X-Is-Bot
X-Proxy-Cache-Status
X-Hostname
X-Fastcgi-Cache
X-Restarts
X-NGENIX-Cache
Url
X-Page-View
X-Drupal-Cache-Contexts
X-Instance
X-Cacheable-TTL
X-Yottaa-Metrics
X-Http-Reason
X-Yottaa-Optimizations
X-Servername
Access-Control-Request-Headers
X-Adobe-Loc
VIX-Pulpo-Upstream-Status
X-Adobe-Content
X-Debug-IsConnected
VIX-Pulpo-Node
X-Debug-IsPreview
X-Cache-Grace
X-Fastly-Request-ID
X-IPLB-Instance
X-Mg-Request-UUID
X-Varnish-Server
X-EdgeConnect-Cache-Status
Version
X-Midtier
X-L-Path
X-Source
X-Environment-Context
Accept-Language
X-HTML-Minification-Powered-By
Countrycode
X-RTag
MS-CV
Ms-Operation-Id
X-Cache-Rule
Frame-Options
X-Cache-Hit
X-Cache-Expired-At
From-Origin
X-Vgn-Hpd-Reason
Referer-Policy
X-NYM-Debug-Backend
X-App-Server
Liferay-Portal
Cross-Origin-Window-Policy
X-Tumblr-Pixel-0
X-Tumblr-Pixel-1
Backend
X-Tumblr-User
X-Tumblr-Pixel
X-IPS-LoggedIn
X-FW-Version
X-Parallel-Accel
X-COUNTRY
X-Datadome
Content-Secure-Policy
X-Nginx-Cache
X-UPSTREAM-Address
Upgrade-Insecure-Requests
X-Cache-Server
Meta-Geo
X-Unique-Id
X-RN-RSRV
X-Hosted-By
X-PCL
X-RemovedCookies
X-Redis-Cache
X-No-Session
Section-Io-Cache
X-OCL
X-Generation-Time
X-ProcessESI
X-Request-Time
X-Via-Fastly
Azure-SiteName
Azure-Version
Azure-SlotName
X-Content-Age
Mn-Server-Ip
X-UA-Device-Type
X-Server-W
X-Region
X-Varnish-Cache-Hits
X-PHP-Backend
Webcakes-App-Name
Webcakes-App-Version
Webcakes-Region
X-Access
TWC-GeoIP-Country
WP-Super-Cache
X-Ua
TWC-Locale-Group
TWC-GeoIP-LatLong
X-Cluster-Node
X-Format
X-FB-TRIP-ID
X-Cache-Enabled
Azure-RegionName
S-Rt
TWC-Device-Class
X-Section
X-Origin-Hint
TWC-Privacy
Azure-InstanceId
Property-Id
TWC-Connection-Speed
X-Mode
CF-IPCountry
X-Site-Version
X-Origin-Date
X-Uri
X-Shopify-Stage
X-AOL-HN
X-Be
Fastly-SSL
X-ShopId
X-BYPASS-REASON
X-Sql-Duration-Ms
X-Alternate-Cache-Key
X-Xfnlog-Site
X-Status
X-ApacheServer
X-Sorting-Hat-PodId
X-Storage
X-Sql-Count
X-ShardId
X-Sorting-Hat-ShopId
X-ProxyCache-Status
X-Content-Powered-By
X-Human
Apigw-Requestid
X-ProxyCache-Key
X-Nginx-Cache-Key
X-PERF
X-Locale
Eomportal-Instance
X-Debug-Cache
X-Say-Cacheable
X-Say-TTL
X-APP-VERSION
X-Forwarded-Host
X-NewRelic-App-Data
X-Generated-By
X-SayCDN-TTL
Locale
X-Extlb
X-Detected-As
X-Zipkin-Id
Ec-Rule-Version
X-Hl-Ver
X-Proxied
X-JoinUs
X-Urbn-Context-Path
X-Routing-Service
X-Cache-Host
X-Backend-Name
X-Urbn-Site-Id
X-Cache-Type
X-Varnishpool
X-SaId
X-Akamai-Edgescape
Cache-Tv-Group
X-Cache-Tags
X-Web-Node
X-Platform-Server
X-Labrador-Cache-Channel
X-ServerID
X-AWS-Id
X-PHP-Host
X-Cms-Context
X-Cache-Action
X-Handled-By
X-Tid
X-VWS-Id
X-LJ-Flow-ID
X-Adobe-Source
X-Proxy-Build
X-GG-Cache-Date
X-Timing-Wait
Selected-Fe
X-Ratelimit-Remaining
ServedBy
CDN-CachedAt
CDN-EdgeStorageId
X-VC-Cache
X-Dc
CDN-PullZone
CDN-Cache
CDN-RequestCountryCode
CDN-Uid
CDN-RequestId
X-App-Version
X-Storefront-Renderer-Rendered
X-Edge-Location
Load-Balancing
X-Hyper-Cache
SRV
X-CDN-Forward
X-Proto
X-LSADC-Cache
X-Rule
Web-Mar-Node
X-Cache-Operation
Onion-Location
X-GeoCountry
X-TT-LOGID
X-GeoCode
Webserver
Fastly-Drupal-Html
X-Cache-Remote
X-Cached-By
Mime-Version
X-Rewrite-Enabled
X-Soup
X-Varnish-Hostname
SID
Cache-Hits
X-TA-CDN-Provider
X-GEO
Xserver
X-Accel-Buffering
X-Cdn
X-Pubstack
X-Varnish-Ttl
X-Cluster
X-Reqid
X-Origin-CC
X-Varnish-Hits
X-Origin-TTL
X-SRV
Country-Code
X-Envoy-Decorator-Operation
X-Microcachable
Xet-Cookie
X-Air-Trace-Id
X-Air-Source
Server-Info
LB
X-Air-Hostname
Decoy-Debug-Key
Decoy-Debug-TTL
X-Ratelimit-Limit
Decoy-Debug-Status
X-Magnolia-Registration
X-Tumblr-Pixel-3
X-Tumblr-Pixel-2
X-MP-GENERATED-AT
X-Buckets
X-IPLB-Request-ID
DB-Nickname
X-Request-Host
X-Ms-Version
X-Ms-Request-Id
X-CSRF-Token
X-Amz-Apigw-Id
Cache
X-Amzn-RequestId
X-Endurance-Cache-Level
Source
X-NCache
X-VG-WebCache
X-Origin-Response-Time
Cdnsip
X-Geo-Header
X-Vdms-Version
X-Cache-NE
X-Tenant
A
X-SRCache-Key
X-Via-NSCOPI
X-TIM-N
X-TrackingId
X-Shop-Environment
X-Ig-Push-State
X-User
X-Vdms-Path
Sslversion
X-A
Meta-Geo-Continent
MD5-Digest
X-Vtex-Remote-Cache
X-Ftr-Request-Id
Surrogated-Key
Xc-Version
Cdncip
T-Server
X-A-Ccd
X-A-Dam
X-AK-Request-ID
X-Application
X-ARC
X-B-Cookie
X-Aed
X-Vtex-Processado-Em
X-A-Dcw
X-A-Dgt
X-A-Wwc
X-Cdn-Srv
X-Session-Fingerprint
X-Destination
X-Developer
X-Newrelic-Synthetics
Expiry
X-D
X-Rojux
X-Connection-Hash
Mobile-Detection-Method
X-S
Odigeo-Trace-Id
X-Processor
X-PBS-Appsvrname
X-Bc-Bl
Lang
X-Ec-Fail
X-Ec-GeoHdr
X-NAPM-TraceId
Host-ID
X-PAYTM-SRV-ID
Fastcgi-X-Cache-Version
X-Orig-Expires
X-HS-Content-Campaign-Id
X-S-Cookie
X-Epic-Correlation-Id
Rendered-Blocks
X-Time
X-SD-PageType
X-External-Request-Id
X-CF-Lambda-Fn
X-CF-Lambda-Version
X-RCS-CacheZone
X-ScT
X-Forwarded-Path
DCR-Processing-Time-Ms
BehaviorPad-Version
Pramga
X-Conf
DCR-Decision-By
X-Tt-Logid
X-Hash
X-Tx-Id
X-B3-SpanId
Machine
Memcached
Cmstype
Fastly-GeoIP-CountryCode
We-Hiring
Cmsid
NM-Fastcgi-Cache
State
Mail-Subject
X-Esi-Check
X-Nyt-Route
X-Origin-Time
X-Rocket-Build-Number
X-Node-Id
X-Mvc-Supplant-Cachable
X-Gzip
X-Irp-Debug
X-SB
X-Scheme
X-SVT-ORM-VERSION
X-Via-Ucdn
X-WADP-Cache
X-SVT-ORM-RULES
X-Sigma-Backend
X-Server-IP
X-Sigma
X-Gdpr
X-Fmm-Version
X-Cache-Id
X-Cache-Info
X-CacheTTL
X-Cache-Bucket
X-Cache-Backend
Wxu-Next-Hostname
X-Amzn-Remapped-Content-Length
X-Ckpd-Fst-Backend
X-Clara-WADP
X-Fastly-Cache
X-Fetched-On
X-Device-Os
X-Developers
X-Core-Mission
X-Core-Value
Wxu-Next-Commit
Wxu-Next-Region
AKAMAI
X-Varnish-Beresp-Grace
X-Skip-Cache
X-ZONE
Cache-Name
X-R9-Blue-Green-Version
X-Azure-Ref
DynaTrace
X-Eu-Site
Svr
X-Ec-Custom-Error
X-Dispatcher-Number
TDXMobile
X-Forwarded-Site
X-Gamma-Serve
X-HN
X-Hnp-Log
X-Has-Esi
X-Generated-On
X-Gen-Mode
X-Csrf-Jwt
Thinkindot-CacheControl
X-Auto-Login
Thinkindot-Control
Traceparent
CDN
Web-Mar-Region
X-BBC-Edge-Cache-Status
X-Block-Status
Thinkindot-CacheControl-Type
X-CGP
X-Cache-Date
X-Is-Gdpr
User-Cache-Control
X-Level-Front-Cache
X-TNCMS
X-V-Cache
X-Thinkindot-L3
X-Slack-Backend
X-Rocket-Nginx-Serving-Static
X-Served-From
X-VarnishDD-TTL
X-VG-TLSProxy
X-Origin-Expires
X-Worker
X-GeoIP
X-Wix-Viewer-Type
X-Viewer-Country
X-Request-URI
X-Region-Sid
X-NodeID
X-Origin
X-Minions-Version
X-Loop
X-LAGOON
Ssr
X-Platform
X-Pod-Name
Apple-News-Services-Parsed-Url
X-RateLimit-Remaining-Second
X-Proxy-Upstream
X-Pool
X-Policy
X-JWT-State
X-RateLimit-Limit-Second
L5d-Success-Class
L
HA-Ipaddr
N-Cache
Origin
PFcat
Origin-EX
Origin-CC
Ha-Gx-Prefs
Gh-Request-Id
Apple-News-Services-Handled
CDCHOST
Apple-News-Services-Host
CloudFront-Viewer-Country
Cluster
Fastcgi-Cache-TTL
Environment
Apple-News-Services-Request-Url
Redirect-Candidate
Kp-EeAlive
Req-Svc-Chain
Server-Host
Release
Sever-Int
X-Sn-Servicetimems
Vix-Hermes-Req-Id
IsBot
X-Optimistic-Header
Ohc-File-Size
X-Httpd
Datacenter
X-GeoIP-City
Fastly-SWR
Producers
V-Age
X-Cdn-Origin
Is-Eu
X-Datadog-Trace-Id
X-From
X-DefElseHash
Adler-Geo
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
NGX
X-VServer
X-DefHash
X-Webstats-RespID
X-DPWN-IS-SECURE
X-Planisys-CDN-Cache
X-Varnish-CookieINHashed-On
X-Rebelmouse-Surrogate-Control
Cache-Key
X-Aicache-OS
X-Varnish-CookieHashed-On
X-Varnish-Remaining-TTL
X-Wikidot-Backend
X-BCube-Filmed-By
X-SIPLIST1
DSUID
X-Wikidot-Static-Cache
X-Rebelmouse-Cache-Control
HostName
X-Planisys-CDN-TTL
Server-Ext
X-Branch-Name
X-Planisys-CDN-Rules
Candidate-Md5Url
Fastly-SIE
Platform
X-Variation
Server-Hostname
X-Qloud-Router
X-Proxy-Cache-Info
X-Loc
X-Cache-Status-Check
X-Tec-Api-Root
X-Tec-Api-Version
X-Parent-Response-Time
XM
X-Refresh
X-Scale
GEO-INFO
X-Owner
X-SplitTest
X-WP-CF-Super-Cache-Cache-Control
X-WP-CF-Super-Cache
X-Location
VNS-Age
VNS-Cache
Pics-Label
CPC-Age
CPC-Cache
X-Tec-Api-Origin
AMP-Access-Control-Allow-Source-Origin
X-NC
X-CS
X-VC
X-WA-Info
X-Ad-Defer-Variation
Fastly-Backend-Name
X-Tb-Optimization-Total-Bytes-Saved
X-CACHE-KEY
X-LB-NoCache
X-Contensis-Viewer-Groups
X-Cache-ASPX
X-Men
X-Ah-Environment
Arc-Country
Env
X-Micro-Cache
Servername
X-Edge-Pop
X-AIR-PT
Locid
X-EC-Lua
X-TIME
Ms-Author-Via
X-TraceId
X-Response-By
X-Varnish-Authentication
Time
X-Udemy-Cache-App-Namespace
X-Srv
X-Old-Content-Length
Memory
X-RPM
X-RPS
X-DSS
X-DI
X-Generated-In
X-DB
X-RSL
X-Mvc-Supplant-OutputCached
X-Servedbyhost
Path
X-DW
X-Amz-Meta-Cb-Modifiedtime
Lb
X-Xrds-Location
X-Api-Version
Ngx.Var.Host
Cache-Host
X-Akamai-Transformed
X-Accel-Expires-Debug
GeoIp-Country-Code
X-Date
X-Via-Popn
X-Via-Popv
X-Via-Poph
Ohc-Cache-HIT
X-HA-Backend
X-Varnish-Beresp-TTL
ITXSESSIONID
X-S-Maxage
X-GeoIP-Region-Code
X-GeoIP-Country-Code
XkeyRZ
X-Vc
X-Proxy-CacheRZ
X-RateLimit-Reset
Client
X-Cs
Geoip-Latitude
True-Client-IP
FSS-Cache
X-Cache-Debug
X-VCL-Version
X-Clientip
X-API-Version
Hostname
X-VHOST
Fusion-Source
Fusion-Content-Source
Fusion-Template-Id
Fusion-Content-Id
Fusion-Component-Id
Fusion-Deployment-Id
X-DC
X-Trace-ID
CacheControlHeader
Server-ID
True-Client-Country-4JS
X-Action
X-TH-Server
X-Presslabs-Stats
X-FireWall-Port
X-Fpc
X-Backend-TTL
X-Dmc
X-Zone
X-TX-ID
Geo-Info
X-B3-Spanid
X-Webkit-Csp-Report-Only
X-MSEdge-Features
Powered-By
X-MSEdge-Flight
X-Render-Time
NtCoent-Length
X-INCAP-ABP
X-PX
X-NGINX-Cache
X-Req
Edge-Cache
X-Traceid
X-DynaTrace-JS-Agent
X-Gateway-Cache-Status
C-Via
My-App
X-Pass-Why
X-Gateway-Cache-Key
Test
Rip
Tcn
X-Gateway-Skip-Cache
X-FPC
X-Gateway-Request-Id
X-CSRF-TOKEN
X-Service
X-M-Reqid
Tube-Return
Click-Count-Error
Tube-Get-Contents
X-Cdn-Request-ID
Tube-Got-Results
Tube-Got-Eval
Click-Count-Action-Start
X-M-Log
Server-Id
Esi-Enabled
HIT
X-HS-Status
X-Qnm-Cache
X-Correlation-ID
X-Origin-Upstream-Status
X-Provided-By
OT-Force-Account-Verify
X-Beluga-Record
X-Beluga-Node
X-Beluga-Response-Time
X-Beluga-Cache-Status
X-Beluga-Trace
X-Vcl-Version
X-Webkit-CSP-Report-Only
User-Agent
On-Server
X-Up
X-Beluga-Status
Cf-Int-Pingora-Origin-Digest
X-Ha-Backend
X-Alfa-Service
X-Via-PopH
X-Via-PopN
X-Varnish-Beresp-Ttl
X-LB-ID
X-Via-PopV
Sid
X-TRACE-ID
Uri
X-Proxy-Cache-Hk
Proxy-Connection
Resin-Trace
X-URL
Srvid
WebServer
X-Check-Cacheable
X-CLOUD-TRACE-CONTEXT
X-LI-UUID
X-Li-Pop
X-APP
X-Geo
X-Li-Fabric
X-RAMCache
X-UnsetCookies
DataCenter
GeoIP-Country-Code
GeoIP-Latitude
X-Akamai-Pragma-Client-IP
X-Edge-Origin-Shield-Bytes
MIME-Version
X-ServedByHost
Epwk-X-Cache
X-Hcs-Proxy-Type
X-CCDN-Origin-Time
X-CCDN-CacheTTL
Srv
Cdn
X-Edge-Origin-Shield-Region
X-Fetch-By
X-LI-Proto
WZWS-RAY
X-ND-Cache
X-Time-Microsecs
X-Cdn-Forward
M-TraceId
ENV
X-CUA
Fastly-Drupal-HTML
X-Fastly-Backend-Reqs
X-Backend-Host
Server-Ttl
Warning
X-Esi
X-Platform-Cluster
X-Platform-Router
X-Platform-Processor
X-Fragments
X-App
X-ATG-Version
X-Dynatrace
X-B3-Traceid-Primal
Target-Params
Tracecode
ServerName
X-Lb-Nocache
X-Edge-POP
Cf-Device-Type
XServer
Dt-Hot-News
X-MG-S
X-HostName
X-ID
Inserted-Into-Cache-At
Section-Io-Id
Section-Io-Origin-Time-Seconds
Section-Io-Origin-Status
X-ElasticPress-Query
X-Azure-Ref-OriginShield
X-Yottaa-OS
X-Request-Url
X-Fastly-Backend
X-FC-Vary-Parameters
Lfy
Section-Origin-Responded
X-Sucuri-ID
PICS-Label
X-HITS
X-Var-Ttl
CF-Cached-On
X-Newrelic-App-Data
X-Sucuri-Cache
X-Akamai-Request-ID
X-Iplb-Request-Id
Cf-Ipcountry
X-Iplb-Instance
X-Thanos
X-LiteSpeed-Cache-Control
X-Vcache
X-Cache-Expires
X-Varnish-Beresp-Status
X-Bip
X-Request-URL
X-CF-Powered-By
D-Url-Rewrites
X-Serial
X-Dw-Trace-Id
X-Nc
Cdn-Pullzone
Servedby
Cdn-Uid
Cdn-Requestid
Cdn-Cache
Cdn-Requestcountrycode
Cdn-Cachedat
DT-Hot-News
Wp-Super-Cache
Cdn-Edgestorageid
X-Wp-Cf-Super-Cache
X-Vercel-Id
X-Wp-Cf-Super-Cache-Cache-Control
X-Vercel-Cache
X-Fastly-Cache-Hits
True-Client-Ip
X-Back
X-Dist-Code
X-BBC-Origin-Response-Status
X-Release
Cneonction
Ngx
X-Snapshot-Date
X-NU-AKA-ACS-Version
CountryCode
Content-Script-Type
Magicmarker
X-Backend-State
X-Li-Proto
X-Storefront-Renderer-Verified
Content-Style-Type
X-Th-Server
Fastcgi-Cache-Ttl