Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
CF-RAY
Cf-Request-Id
CF-Cache-Status
X-XSS-Protection
Accept-Ranges
Link
Pragma
ETag
Expect-CT
X-Powered-By
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
P3P
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
Alt-Svc
X-UA-Compatible
X-Served-By
X-Timer
X-Download-Options
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-Permitted-Cross-Domain-Policies
X-Check
X-Xss-Protection
X-Request-ID
X-Cache-Status
X-Generator
X-DNS-Prefetch-Control
X-Cacheable
Timing-Allow-Origin
X-Ua-Compatible
X-Content-Security-Policy
X-Iinfo
Content-Encoding
X-CDN
X-Envoy-Upstream-Service-Time
X-AspNetMvc-Version
Status
Feature-Policy
Access-Control-Expose-Headers
X-Drupal-Dynamic-Cache
Access-Control-Max-Age
X-Via
Upgrade
Keep-Alive
X-Ws-Request-Id
X-Age
X-Turbo-Charged-By
X-AH-Environment
X-Robots-Tag
Request-Context
X-Proxy-Cache
EagleId
X-Cache-Group
Server-Timing
X-Backend
X-Hacker
Report-To
X-Amz-Request-Id
X-Server
Host-Header
X-Amz-Id-2
X-Server-Powered-By
Grace
X-Nginx-Cache-Status
X-UA-Device
X-Rq
X-Varnish-Cache
X-LiteSpeed-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Dns-Prefetch-Control
X-Page-Speed
Cf-Railgun
X-Pingback
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-OneAgent-JS-Injection
NEL
X-Amz-Version-Id
X-Cache-Spec
X-WebKit-CSP
Xkey
Allow
X-Device
X-CST
X-Backend-Server
X-Vhost
X-Host
EagleEye-TraceId
X-Server-Id
Request-Id
Surrogate-Control
X-Dispatcher
X-Node
Content-Location
X-Response-Time
X-Akam-SW-Version
X-Ruxit-JS-Agent
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
Accept-CH
Accept-CH-Lifetime
P3p
X-ASPNET-VERSION
X-Ac
X-Template
X-Application-Context
X-Language
X-Country
X-Cache-Lookup
X-Mod-Pagespeed
X-Readtime
X-Cloud-Trace-Context
MS-Author-Via
X-B3-TraceId
X-Origin-Cache
Accept-Ch
Rating
X-Cnection
X-MS-InvokeApp
X-HW
Accept-Ch-Lifetime
X-Url
X-Vname
X-TtlSet
X-PC
X-ORACLE-DMS-ECID
X-Clacks-Overhead
X-GitHub-Request-Id
Edge-Control
X-ESI
X-Trace
X-Middleton-Display
X-Middleton-Response
X-Sol
Response
Display
Pagespeed
X-Content-Type
X-FastCGI-Cache
X-D2id
X-Vcap-Request-Id
X-Exp-Variant
X-Kinja-Server
X-Use-Magma
Arr-Disable-Session-Affinity
X-Kinja-Revision
X-Kinja-Build
X-Exp-Id
X-Kinja
X-Cdn-Fetch
X-GoogleNews-Bot
Verso
X-Goog-Hash
X-Buckets
X-Rack-Cache
X-ORACLE-DMS-RID
X-Country-Code
X-Server-Name
Service-Worker-Allowed
X-Navigation-Version
X-Varnish-TTL
X-VARITI-CCR
X-Abt-Application-Version
X-Amz-Rid
X-Fastly-Request-ID
X-Powered-By-Plesk
X-Webkit-CSP
X-Client-IP
X-Pinterest-Rid
Pinterest-Generated-By
Pinterest-Version
X-Cache-TTL
X-Kinja-Server-Push
X-SharePointHealthScore
SPRequestGuid
X-Release
X-MSEdge-Ref
Fastly-Restarts
X-Dw-Request-Base-Id
X-Element-Page-Cache
SPIisLatency
SPRequestDuration
X-Oneagent-Js-Injection
X-Cached
X-NF-Request-ID
Public-Key-Pins
X-TTL
Mrf-Cache-Status
MRF-Tech
X-B3-TraceId-Primal
RTSS
AR-CACHE
AR-ATIME
AR-Request-ID
X-Edge
Ar-Sid
AR-PoweredBy
X-SRCache-Fetch-Status
X-SRCache-Store-Status
Access-Control-Request-Method
X-LLID
X-Origin-Upstream-Status
X-Powered-CMS
X-Ttl
X-Px
X-Ezoic-Cdn
Fusion-Content-Id
Fusion-Content-Source
Fusion-Template-Id
Fusion-Deployment-Id
Fusion-Source
Fusion-Component-Id
X-Upstream
Content-MD5
X-HP-Webp
X-Jurisdiction
Cache-Tag
X-ECACHE
X-Mid
X-MCACHE
S
X-Recruiting
X-Mg-S
X-Content-Digest
Charset
X-Version
X-Amz-Server-Side-Encryption
X-PressLabs-Stats
Fastcgi-Cache
X-Pinterest-Direct
MicrosoftSharePointTeamServices
X-Litespeed-Cache
TCN
X-T
X-Kinsta-Cache
Front-End-Https
X-Content-Security-Policy-Report-Only
X-Debug
Filters
X-Id
Cache-Tags
X-Grace
Edge-Cache-Tag
Server-Node
X-Accel-Expires
X-Logged-In
X-Forwarded-Proto
X-DynaTrace
X-Forwarded-For
X-Correlation-Id
X-Amzn-Trace-Id
Nginx-Cache
Server-Name
X-Yandex-Sdch-Disable
X-Kong-Upstream-Latency
Surrogate-Key
X-Kong-Proxy-Latency
TP-Cache
TP-L2-Cache
X-Varnish-Age
X-B3-Sampled
X-Request-Received
X-Request-Processing-Time
X-Request-Handler-Origin-Region
X-Microsite
X-Ser
X-Server-ID
X-Hits
X-Shield-Request-Id
X-Activity-Id
X-Az
X-DIS-Request-ID
X-AppVersion
X-Amz-Replication-Status
X-HS-Cache-Config
X-HS-Combine-CSS
X-HS-Content-Id
X-HS-Hub-Id
X-XRDS-LOCATION
X-XRDS-Location
X-GUploader-UploadID
X-F-Cache
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Goog-Generation
X-Goog-Metageneration
X-Goog-Storage-Class
Accept-Charset
X-Origin-Server
X-Cache-Key
Powered-By-ChinaCache
X-Git-Hash
X-Geo-Country
X-Respond-Thread
X-FTR-Request-ID
Cache
X-Rid
X-LB-Cache
X-Upgrade-Enabled
Section-Io-Cache
X-DataDome
Alternate-Protocol
X-Frontend
X-Ruxit-Js-Agent
Access-Control-Allow-Method
X-Hostname
Host
X-Mobile-URL
X-Cache-Age
X-Seen-By
Paypal-Debug-Id
MS-CV
Cleartype
X-Time
Healthy
X-IPLB-Instance
X-AOL-HN
X-Content-Options
X-Type
X-VCache
X-Varnish-Backend
X-Whom
ServerID
X-App-Environment
X-NWS-LOG-UUID
X-Is-Crawler
Payment
X-TT
X-Aspnet-Duration-Ms
X-Providence-Cookie
X-Route-Name
X-Cache-Action
X-Request-Guid
X-Flags
X-B-Cache
X-Signature
X-Debug-Info
X-Page-Id
X-Jobs
X-WebKit-CSP-Report-Only
Fastcgi-Useragent
X-Source
X-TEC-API-VERSION
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-Fastcgi-Cache
X-N
X-Load-Cache
X-Mobile
X-Daa-Tunnel
X-FB-Debug
X-Browser-Type
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Via-JSL
Nel
X-RateLimit-Remaining
Version
X-Cached-By
X-Akamai-Edgescape
X-Cache-Rule
X-Cache-Operation
Refresh
X-Response-Served-From
X-Original-Request-Id
X-Accel-Buffering
Viewport
X-Rule
DC
X-Proxy
X-Wix-Request-Id
X-Drupal-Cache-Tags
X-Cacheable-TTL
X-Framework
X-RemovedCookies
X-RTag
X-Zen-Fury
Access-Control-Request-Headers
X-ProcessESI
Ms-Operation-Id
X-Instance
DynaTrace
X-Real-IP
X-Contextid
X-Cache-Time
X-Region
X-HTML-Minification-Powered-By
Realpath
Node
X-UUID
Referer-Policy
X-Page-View
X-Distributor
X-Yottaa-Optimizations
X-Tt-Trace-Tag
Eomportal-Instance
X-Tt-Trace-Host
X-Yottaa-Metrics
X-Drupal-Cache-Contexts
X-FW-Server
X-FW-Dynamic
X-FW-Serve
X-FW-Hash
X-FW-Static
Countrycode
X-FW-Type
X-Cache-Expired-At
X-Cluster-Name
X-B
X-L-Path
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
X-Cache-Control
X-Environment-Context
X-Content-Powered-By
X-IPS-LoggedIn
X-Tumblr-Pixel-1
GEO-INFO
X-G
Liferay-Portal
X-Tumblr-Pixel
X-Tumblr-User
X-Tumblr-Pixel-0
X-Cache-Hit
Server-Info
X-User-Agent
X-Ratelimit-Limit
X-Node-Name
X-App-Server
X-Varnish-Ttl
X-Pass-Why
From-Origin
Webserver
X-Tumblr-Pixel-2
X-FireWall-Port
Section-Io-Id
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
Section-Io-Origin-Status
Ec-Rule-Version
X-Protected-By
Protected
CF-IPCountry
X-Cache-Server
Xserver
SRV
X-Amz-Meta-S3cmd-Attrs
X-Revision
Frame-Options
X-Www-Served-By
X-Backend-Name
X-Endurance-Cache-Level
Meta-Geo
X-UPSTREAM-Address
X-Hl-Ver
X-RN-RSRV
X-ES-SERVER
X-Mode
X-Handled-By
X-Locale
X-Hyper-Cache
X-FB-TRIP-ID
X-Soup
X-Site-Version
Cache-Status
X-Forwarded-Host
X-Ratelimit-Remaining
X-NYM-Debug-Backend
X-Varnishpool
Country
X-Storage
X-Human
X-Web-Node
Cache-Tv-Group
X-Be
X-Cache-Grace
Azure-RegionName
Azure-SiteName
X-Redis-Cache
Azure-Version
X-Pubstack
Azure-SlotName
X-ProxyCache-Status
Cache-Name
X-Origin-Hint
X-Proto
X-Proxy-Build
Azure-InstanceId
X-ProxyCache-Key
X-Origin-Date
Decoy-Debug-TTL
TWC-Privacy
TWC-Locale-Group
TWC-GeoIP-LatLong
Webcakes-App-Name
Webcakes-App-Version
X-BYPASS-REASON
X-Labrador-Cache-Channel
Webcakes-Region
TWC-GeoIP-Country
TWC-Device-Class
Fastly-SSL
X-Request-Time
Decoy-Debug-Status
X-PHP-Host
Property-Id
TWC-Connection-Speed
Selected-Fe
Decoy-Debug-Key
X-Uri
X-TT-LOGID
Retry-After
X-UA-Device-Type
X-Timing-Wait
X-Say-TTL
X-PCL
X-TNCMS
X-Sql-Duration-Ms
X-Sql-Count
X-Say-Cacheable
X-WA-Info
X-Loop
X-Via-Fastly
X-No-Session
X-OCL
X-Adobe-Loc
X-Adobe-Content
X-Access
X-AIR-PT
X-Format
X-MP-GENERATED-AT
X-Hosted-By
X-SayCDN-TTL
X-S-Maxage
X-Section
X-FW-Version
X-Server-W
X-AWS-Id
X-ApacheServer
X-Status
X-LJ-Flow-ID
X-LAGOON
X-R9-Blue-Green-Version
X-VWS-Id
X-PERF
X-Shopify-Stage
X-Cluster
X-Sorting-Hat-PodId
Mn-Server-Ip
X-Storefront-Renderer-Rendered
X-Alternate-Cache-Key
X-ShopId
X-Cache-TTL-Remaining
X-Nginx-Cache
X-Sorting-Hat-ShopId
X-ShardId
X-Qloud-Router
X-Routing-Service
X-Zipkin-Id
X-Proxied
X-Via-CDN
X-CCM
X-Device-Type
X-Xfnlog-Site
X-Rendered-As
X-Is-Bot
X-FTR-Backend
X-FTR-Backend-Server
X-FTR-DC
X-Debug-IsConnected
X-FTR-Cache-Status
X-FTR-Balancer
Cache-Hits
X-Tec-Api-Origin
X-FTR-Realm
X-Tec-Api-Version
S-Cnection
X-Tec-Api-Root
X-Debug-IsPreview
X-Country-Code-Real
X-Dc
AMP-Access-Control-Allow-Source-Origin
X-Info
X-FTR-Expires
X-Cdn
Apigw-Requestid
X-Detected-As
X-SRV
X-Varnish-Grace
X-Varnish-Server
X-Cache-Host
X-Cache-Enabled
X-Amz-Apigw-Id
X-Microcachable
X-Cache-Var-Map
X-EdgeConnect-Cache-Status
X-Amzn-Remapped-Content-Length
X-Amzn-RequestId
X-Air-Hostname
X-Cache-Var
X-GG-Cache-Date
X-Content-Age
X-Aspnetmvc-Version
X-Platform
X-Unique-Id
Tracecode
X-Azure-Ref
SD-X-WS
Uber-Trace-Id
X-DynaTrace-JS-Agent
X-Backend-Host
X-Time-Microsecs
X-CSRF-Token
X-Backend-TTL
X-GEO
X-Proxy-Cache-Status
Amp-Access-Control-Allow-Source-Origin
X-Cache-Backend
X-ServerID
Akamai-GRN
X-NWS-UUID-VERIFY
X-Oss-Hash-Crc64ecma
X-Oss-Request-Id
X-Oss-Server-Time
X-ATG-Version
X-Oss-Object-Type
X-Oss-Storage-Class
X-Tb
X-Correlation-ID
Backend
X-BCube-Filmed-By
DSUID
X-Oracle-Dms-Rid
X-Trace-Id
X-APP-VERSION
X-Dynatrace
X-Erf-Stays-Bingo-Pdp-Web
X-Akamai-Transformed
ServedBy
X-RCS-CacheZone
X-Varnish-Hostname
X-NewRelic-App-Data
X-Varnish-Cache-Hits
T-Server
BehaviorPad-Version
X-Cache-NGX
X-Cache-PHP
Release
Rendered-Blocks
SR-User-Adfree
Path
Mobile-Detection-Method
Instruction
Meta-Geo-Continent
Lfy
MD5-Digest
Thinkindot-CacheControl
Odigeo-Trace-Id
DCR-Decision-By
DCR-Processing-Time-Ms
Expiry
Fastcgi-X-Cache-Version
Machine
X-ARC
X-Rewrite-Enabled
X-Request-UUID
X-Rojux
X-S
X-S-Cookie
X-Processor
X-PBS-Appsvrname
X-Matched-Rule
X-Origin-CC
X-Origin-TTL
X-PAYTM-SRV-ID
X-ScT
X-Session-Fingerprint
X-VG-WebServer
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Xc-Version
X-VG-WebCache
X-Vdms-Version
X-SRCache-Key
X-Thinkindot-L3
X-Trv-Group
X-Vdms-Path
X-Location
X-Level-Front-Cache
X-A-Wwc
X-Aed
X-Application
X-B-Cookie
X-A-Dgt
X-A-Dcw
Thinkindot-Control
X-A
X-A-Ccd
X-A-Dam
X-Cache-NE
X-CF-Lambda-Fn
X-Fetched-On
X-From
X-Generated-On
X-GeoIP-City
X-External-Request-Id
X-Device-Os
X-CF-Lambda-Version
X-Connection-Hash
X-D
X-Destination
Thinkindot-CacheControl-Type
X-Generation-Time
PB-PID
X-Magnolia-Registration
Arc-Version
X-Sucuri-ID
PB-RID
X-TA-CDN-Provider
HostName
X-Debug-Cache
X-Micro-Cache
X-Has-Esi
X-GeoIP
Fastly-Backend-Name
C-Via
X-HS-Content-Campaign-Id
X-Irp-Debug
X-Geo-Header
CacheControlHeader
Cache-Host
X-Mvc-Supplant-Cachable
X-JWT-State
Cf-Device-Type
X-App-Version
X-Azure-Ref-OriginShield
Pagetype
Pramga
UCS
Ssr
X-Bip
X-Cache-Bucket
X-Node-Id
Gh-Request-Id
Host-ID
X-Cdn-Origin
X-B3-Traceid
X-FC-Vary-Parameters
X-Is-Gdpr
X-Thanos
X-Swa-Ws
X-SVT-ORM-RULES
X-Sn-Servicetimems
X-Ms-Request-Id
X-TrackingId
X-VServer
X-Tumblr-Pixel-3
X-Ms-Version
X-Skip-Cache
X-SVT-ORM-VERSION
X-OVcl-Cache
X-OVcl
X-Origin-Response-Time
X-Reqid
AKAMAI
X-Owner
X-B3-SpanId
X-Cache-Date
X-VarnishDD-TTL
Wxu-Next-Hostname
X-Cache-Info
X-Varnish-Hits
X-Varnish-Beresp-Grace
X-Wikidot-Backend
X-Cache-Tags
X-Wikidot-Static-Cache
X-NAPM-TraceId
X-Adobe-Source
X-CGP
Wxu-Next-Commit
DB-Nickname
Wxu-Next-Region
Server-Host
X-Backend-State
X-Eu-Site
X-HN
X-Cdn-Forward
X-Generated-In
X-Generated-By
X-IP
Sever-Int
X-Nginx-Cache-Key
X-Request-Host
X-Scheme
X-Fastly-Cache
X-Fastly-Backend
X-CUA
X-Csrf-Jwt
X-Core-Value
X-Cms-Context
X-Developer
X-Developers
X-User
X-Var-Ttl
X-Origin-Expires
X-Clientip
X-Policy
Locid
X-TX-ID
Magicmarker
Content-Disposition
On-Server
NGX
Location
L5d-Success-Class
Server-Hostname
CloudFront-Viewer-Country
Ha-Gx-Prefs
HA-Ipaddr
L
Server-Ext
PFcat
User-Cache-Control
X-ID
X-Rebelmouse-Cache-Control
IsBot
X-Ratelimit-Reset
X-CS
X-Envoy-Decorator-Operation
Rt-Fastcgi-Cache
X-Rebelmouse-Surrogate-Control
X-Slack-Backend
X-Varnish-Beresp-Status
X-SIPLIST1
X-Servername
X-Request-URI
X-Varnish-CookieINHashed-On
X-Platform-Server
X-Fmm-Version
X-Goog-Meta-Goog-Reserved-File-Mtime
X-GoCache-CacheStatus
X-Method
X-Hash
X-Hnp-Log
X-Loc
Cf-Bgj
Fastly-Drupal-HTML
X-NU-AKA-ACS-Version
X-Gamma-Serve
X-Gen-Mode
Fastly-SWR
CDCHOST
Fastly-SIE
X-Varnish-Beresp-Ttl
X-Clara-WADP
X-Block-Status
X-DPWN-IS-SECURE
Platform
NM-Fastcgi-Cache
X-Esi-Check
Web-Mar-Node
X-Dispatcher-Server
X-DefElseHash
X-Branch-Name
Origin
X-DefHash
V-Age
X-Cache-Id
X-Varnish-Remaining-TTL
X-Cache-Expires
X-Variation
Adler-Geo
X-WADP-Cache
X-Varnish-CookieHashed-On
X-Gzip
X-Origin
X-Li-Fabric
X-Old-Content-Length
X-Li-Pop
Is-Eu
X-LI-UUID
Apple-News-Services-Parsed-Url
Apple-News-Services-Request-Url
CDN-Uid
X-VG-TLSProxy
CDN-RequestCountryCode
Apple-News-Services-Host
X-Request-Start
CDN-PullZone
CDN-EdgeStorageId
CDN-Cache
X-Core-Mission
CDN-RequestId
CDN-CachedAt
Apple-News-Services-Handled
X-Cache-Debug
Vix-Hermes-Req-Id
True-Client-Country-4JS
X-EC-Lua
X-LB-ID
X-NCache
X-Aicache-OS
X-Mvc-Supplant-OutputCached
Sid
X-PF-Uncompressing
X-Cache-Remote
X-NC
X-Varnish-Url
X-CACHE-GROUP
Url
X-Refresh
X-Via-Popv
X-Via-Popn
Esi-Enabled
X-Varnish-Cacheable
X-Response-By
S-Rt
X-Via-Poph
X-CACHE-KEY
Pics-Label
Xkeyi7
X-Host-Name
X-FireWall-Protection
X-Proxy-Cachei7
X-Nc
X-B3-Spanid
X-Epic-Correlation-Id
Who
X-BBXSRF
X-Tb-Optimization-Total-Bytes-Saved
N-Cache
X-Unique-ID
Country-Code
Req-Svc-Chain
X-Cache-2
X-Webkit-Csp
Content-Secure-Policy
Cross-Origin-Window-Policy
X-Error
Ohc-File-Size
X-Srv
X-TraceId
X-Contensis-Viewer-Groups
X-Varnish-Authentication
Source
Server-Ttl
X-Sucuri-Cache
D-Cc-Upstream
X-Cc-Req-Id
X-Cc-Via
X-Planisys-CDN-Rules
X-Planisys-CDN-Cache
X-Cache-ASPX
X-Planisys-CDN-TTL
X-Webkit-CSP-Report-Only
Geo-Info
X-CLOUD-TRACE-CONTEXT
X-Svr
Geoip-Latitude
X-DC
Cteonnt-Length
GeoIp-Country-Code
HitType
CACHE
X-HS-Status
X-RateLimit-Limit
X-CDN-Forward
X-Server-IP
X-Servedbyhost
Cmstype
Cmsid
X-LiteSpeed-Cache-Control
X-Wa
MIME-Version
Kp-EeAlive
X-URL
X-Cs
X-Gdpr
X-Served-From
X-Nyt-Route
X-FPC
X-Cache-Config
Svr
X-Origin-Time
X-API-Version
X-SN
Viewtype
VivaBuild
X-VC
Cache-Key
A
X-Esi
X-Vcl-Version
Ohc-Cache-HIT
Resin-Trace
X-RAMCache
Server-ID
X-Webstats-RespID
X-Li-Proto
M-TraceId
Server-Id
X-NodeID
X-LI-Proto
X-SB
Hostname
X-HOST
X-NGINX-Cache
NtCoent-Length
Filterid
X-HostName
X-Vgn-Hpd-Reason
TDXMobile
Cross-Origin-Opener-Policy
Request-ID
X-Air-Source
X-SD-PageType
Tcn
SID
X-VCL-Version
Arc-Country
X-Check-Cacheable
X-UA
X-RSL
X-TIM-N
X-DW
X-RPM
X-RPS
X-Render-Time
XServer
Cache-Provider
X-Hcs-Proxy-Type
X-DB
X-Internal-Host
X-CCDN-Origin-Time
X-Viewer-Country
X-DI
X-DSS
X-CCDN-CacheTTL
X-TIME
X-WA
X-Vc
Mime-Version
NGB
X-BBC-Edge-Cache-Status
X-Ua
GeoIP-Country-Code
GeoIP-Latitude
EpKe-Alive
X-ServedByHost
Srv
X-Newrelic-Synthetics
X-Worker
X-CF-Powered-By
X-App
X-Action
ProcessTime
X-Auto-Login
X-Service
Processtime
X-FTR-Cache-Host
X-Geo
X-Fpc
Upgrade-Insecure-Requests
X-Oss-Cdn-Auth
X-JoinUs
X-PHP-Backend
X-SaId
DataCenter
X-Dynatrace-Js-Agent
X-Ftr-Cache-Host
X-NGENIX-Cache
X-Extlb
X-Via-NSCOPI
X-Edge-Location
Proxy-Connection
X-FORWARDED-FOR
FSS-Cache
X-Forwarded-Site
X-Cluster-Node
Datacenter
X-CSRF-TOKEN
CDN
CF-Cached-On
X-HITS
X-Cdn-Request-ID
X-Dw-Trace-Id
Cdn
X-BACKEND-TTL
X-Provided-By
X-Fastly-Backend-Reqs
W
X-Parent-Response-Time
X-BBC-Origin-Response-Status
X-MSEdge-Flight
X-MSEdge-Features
X-CACHE-AGE
X-Swift-Error
X-Client-Ip
X-Date
X-Hello
X-Depends-On
We-Hiring
X-PJAX-URL
X-Flog
X-Accel-Expires-Debug
OT-Force-Account-Verify
PICS-Label
Memcached
X-Bc-Bl
X-Fastly-Request-Id
X-ABtesting
X-Proxy-Upstream
X-IN-APIGATEWAYSSL
X-VC-Cache
X-Req
Dnion-Transfer-Encoding
X-Cache-Tag
X-IN-APIGATEWAY
Surrogated-Key
X-Region-Sid
Mail-Subject
LB
X-Akamai-Pragma-Client-IP
X-RateLimit-Limit-Second
X-Rocket-Build-Number
X-Presslabs-Stats
X-Via-PopV
X-Pad
X-Via-PopH
X-Via-PopN
X-APP
X-Sigma
X-Pf-Uncompressing
Vha6-Origin
X-ND-Cache
X-Zone
X-RateLimit-Remaining-Second
X-Sigma-Backend
X-UnsetCookies
Media-Length
X-Oracle-DMS-ECID
Env
Epwk-X-Cache
X-MiniProfiler-Ids
X-Acquia-Application-Trace
X-ZONE
X-Acquia-Application-UUID
X-Acquia-Purge-Tags
X-Acquia-Site
X-Men
Time
X-LiteSpeed-Tag
X-Air-Trace-Id
X-Lb-Id
WZWS-RAY
Memory
Cf-Ipcountry
CPC-Age
VNS-Cache
X-Varnish-URL
CPC-Cache
VNS-Age
X-Vcache
X-Request-Url
X-ElasticPress-Query
X-Request-URL
X-Akamai-ERRuleID
X-Akamai-ERPolicy
URI
X-Csrf-Token
X-Snapshot-Date
X-Varnish-Beresp-TTL
X-Ms-Meta-Originalurl
X-Ms-Meta-Staticbatchstarttime
X-ElasticPress-Search
Xet-Cookie
CountryCode
X-Debug-Cache-Store
X-Amz-Meta-Cb-Modifiedtime
X-Debug-Cache-Fetch
X-B3-Parentspanid
X-Traceid
X-Litespeed-Cache-Control
Phost
X-C
X-Tid
Inserted-Into-Cache-At
Ohc-Response-Time
Environment
X-Redis-Duration-Ms
X-Storefront-Renderer-Verified
X-ServerName
NnCoection
X-Redis-Count