Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Pragma
Link
X-Powered-By
ETag
Expect-CT
X-XSS-Protection
CF-RAY
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-UA-Compatible
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
P3P
X-Cache-Hits
X-Xss-Protection
Alt-Svc
X-Served-By
CF-Ray
X-Timer
X-Download-Options
X-Varnish
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
Content-Security-Policy-Report-Only
X-Request-ID
X-Drupal-Cache
X-Check
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Cache-Status
X-Generator
X-Cacheable
X-Kinja-Server-Push
X-DNS-Prefetch-Control
Timing-Allow-Origin
X-Iinfo
P3p
X-Content-Security-Policy
Status
X-AspNetMvc-Version
Content-Encoding
X-CDN
Upgrade
X-Envoy-Upstream-Service-Time
X-Drupal-Dynamic-Cache
Access-Control-Max-Age
Access-Control-Expose-Headers
Keep-Alive
X-Via
X-Ws-Request-Id
Feature-Policy
X-Age
X-Template
X-Language
X-Backend
X-Cache-Group
X-Hacker
X-Amz-Request-Id
X-Server
X-Robots-Tag
X-Amz-Id-2
X-AH-Environment
X-UA-Device
EagleId
X-Dns-Prefetch-Control
X-Proxy-Cache
Request-Context
X-Turbo-Charged-By
X-Server-Powered-By
Server-Timing
X-Nginx-Cache-Status
Grace
Host-Header
Report-To
Xkey
X-Page-Speed
X-Rq
X-OneAgent-JS-Injection
X-Varnish-Cache
X-Buckets
X-Pingback
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
Cf-Railgun
X-LiteSpeed-Cache
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Amz-Version-Id
X-Vhost
X-Host
X-WebKit-CSP
X-Backend-Server
NEL
X-Dispatcher
X-Device
X-Server-Id
X-Node
Surrogate-Control
X-Ruxit-JS-Agent
Accept-CH-Lifetime
Content-Location
Request-Id
X-Response-Time
Accept-CH
X-Cache-Lookup
X-Akam-SW-Version
X-Origin-Cache
EagleEye-TraceId
X-Ac
Cf-Bgj
X-ASPNET-VERSION
X-Readtime
Rating
X-HW
X-Mod-Pagespeed
Allow
X-Country
X-Cloud-Trace-Context
X-Application-Context
X-ORACLE-DMS-RID
X-ORACLE-DMS-ECID
Edge-Control
Pinterest-Generated-By
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Country-Code
X-DataDome
X-TtlSet
X-PC
X-Vname
X-Cnection
X-Varnish-TTL
X-MS-InvokeApp
X-Origin-Upstream-Status
X-Content-Type
X-GitHub-Request-Id
X-Url
X-Clacks-Overhead
X-D2id
Fusion-Component-Id
Fusion-Content-Id
Fusion-Content-Source
Fusion-Deployment-Id
Fusion-Source
Fusion-Template-Id
X-Trace
Display
Pagespeed
X-Middleton-Display
X-Sol
Response
X-Middleton-Response
X-Pinterest-Rid
Pinterest-Version
X-Webkit-CSP
X-Server-Name
X-Abt-Application-Version
X-Vcap-Request-Id
X-B3-TraceId
X-Px
X-CST
X-Rack-Cache
X-Navigation-Version
MS-Author-Via
Verso
Service-Worker-Allowed
X-DynaTrace
X-FTR-Request-ID
X-Fastly-Request-ID
X-Cached
X-Element-Page-Cache
X-Client-IP
X-ESI
Arr-Disable-Session-Affinity
X-Cache-TTL
X-FastCGI-Cache
X-Dw-Request-Base-Id
X-Powered-By-Plesk
X-SharePointHealthScore
SPRequestGuid
X-TTL
X-Upstream
X-VARITI-CCR
Fastly-Restarts
X-Use-Magma
X-Kinja-Build
X-Kinja
X-Exp-Id
X-Goog-Hash
AR-PoweredBy
X-Exp-Variant
X-Cdn-Fetch
X-NF-Request-ID
X-Kinja-Server
X-Kinja-Revision
AR-Request-ID
X-GoogleNews-Bot
AR-ATIME
AR-CACHE
Ar-Sid
Content-MD5
X-Debug
X-Version
X-Forwarded-Proto
X-MSEdge-Ref
X-T
X-Powered-CMS
Access-Control-Request-Method
X-XRDS-Location
X-Jurisdiction
SPRequestDuration
SPIisLatency
X-Pinterest-Direct
X-Release
X-Amz-Rid
X-Ttl
S
X-Content-Digest
X-Edge
TP-L2-Cache
TP-Cache
TCN
RTSS
Cache-Tag
X-Ezoic-Cdn
Public-Key-Pins
X-Node-Name
X-Cache-Key
X-Yandex-Sdch-Disable
Fastcgi-Cache
X-MCACHE
X-Mid
X-Request-Received
X-Request-Processing-Time
Server-Node
Front-End-Https
Accept-Ch
X-NWS-LOG-UUID
X-Accel-Expires
X-Amzn-Trace-Id
X-Recruiting
X-Ser
X-Kinsta-Cache
X-B3-TraceId-Primal
X-Mg-S
Mrf-Cache-Status
MRF-Tech
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Microsite
X-Request-Handler-Origin-Region
X-PressLabs-Stats
X-Amz-Server-Side-Encryption
ServerID
X-Logged-In
X-Origin-Server
X-Grace
Accept-Charset
X-Ratelimit-Remaining
X-Cache-Hit
X-Page-Id
X-Litespeed-Cache
X-HP-Webp
X-Varnish-Age
Host
X-ECACHE
X-DIS-Request-ID
X-Content-Security-Policy-Report-Only
Nginx-Cache
X-B
X-Shield-Request-Id
Edge-Cache-Tag
X-Hostname
X-Mobile-URL
MicrosoftSharePointTeamServices
Alternate-Protocol
X-Hits
X-Server-ID
X-Ratelimit-Limit
Realpath
X-F-Cache
X-LB-Cache
X-Content-Options
X-Git-Hash
X-Activity-Id
X-AppVersion
X-Az
Cache-Tags
X-FTR-Realm
X-Country-Code-Real
X-FTR-Backend
X-FTR-Backend-Server
X-FTR-Cache-Status
X-FTR-DC
X-FTR-Balancer
X-N
X-FTR-Expires
X-Load-Cache
X-Seen-By
X-Type
X-Cache-Age
X-Jobs
Paypal-Debug-Id
X-Request-Guid
X-App-Environment
X-Rid
X-Varnish-Backend
Cleartype
DynaTrace
X-Cached-By
Powered-By-ChinaCache
X-FireWall-Port
X-Forwarded-For
Fastcgi-Useragent
X-Upgrade-Enabled
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-TEC-API-VERSION
Filterid
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-WebKit-CSP-Report-Only
Access-Control-Allow-Method
X-Proxy
X-Amz-Meta-S3cmd-Attrs
X-Correlation-ID
X-Respond-Thread
X-Zen-Fury
X-Varnish-Grace
X-Akamai-Edgescape
X-FB-Debug
X-Goog-Generation
X-GUploader-UploadID
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
X-Goog-Metageneration
X-Daa-Tunnel
X-HS-Cache-Config
X-HS-Content-Id
X-HS-Hub-Id
X-HS-Combine-CSS
X-B3-Sampled
X-App-Server
DC
X-IPLB-Instance
X-Host-Name
X-Signature
X-B-Cache
X-Id
X-Cache-Rule
X-Debug-Info
X-AOL-HN
X-Cache-Operation
X-Geo-Country
X-Region
X-Whom
Healthy
MS-CV
X-User-Agent
X-Original-Request-Id
X-Response-Served-From
X-Mobile
X-Accel-Buffering
Charset
AMP-Access-Control-Allow-Source-Origin
X-Content-Powered-By
X-Frontend
X-VCache
Payment
X-HTML-Minification-Powered-By
X-Instance
Filters
Content-Disposition
X-FW-Serve
X-UUID
X-Distributor
X-FW-Server
X-Cache-Time
X-FW-Type
X-Rule
X-Cacheable-TTL
X-FW-Hash
X-FW-Dynamic
X-FW-Static
X-Tumblr-Pixel-2
X-Tumblr-Pixel-1
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Wix-Request-Id
X-Tumblr-User
Liferay-Portal
Refresh
Surrogate-Key
Accept-Ch-Lifetime
X-Is-Bot
X-Rendered-As
X-Acc-Debug-Context
Viewport
X-Protected-By
X-Via-JSL
X-Amz-Apigw-Id
X-Amzn-RequestId
S-Cnection
Akamai-Age-Ms
X-Endurance-Cache-Level
X-Ua
Datacenter
X-App-Version
X-Backend-Name
X-Amz-Replication-Status
X-Cache-Expired-At
X-Hyper-Cache
GEO-INFO
PB-PID
PB-RID
Arc-Version
X-Esi
X-XRDS-LOCATION
Nel
X-URL
NGB
Section-Io-Cache
X-Cache-Server
X-Cache-Action
Countrycode
Version
X-Ah-Environment
Retry-After
X-Oneagent-Js-Injection
X-Tec-Api-Root
X-Tec-Api-Origin
X-Sucuri-ID
X-Tec-Api-Version
X-Varnish-Server
X-Source
X-Unique-Id
X-Air-Hostname
X-EdgeConnect-Cache-Status
Server-Name
Referer-Policy
Eomportal-Instance
X-RemovedCookies
X-Environment-Context
X-ProcessESI
X-Framework
X-Real-IP
X-L-Path
X-Yottaa-Metrics
X-WA-Info
Frame-Options
X-Azure-Ref
X-Cache-Control
X-Revision
X-Yottaa-Optimizations
CACHE
X-Fastcgi-Cache
X-Proxy-Cache-Status
X-RTag
Ms-Operation-Id
X-GeoIP
X-RN-RSRV
X-Cache-Var-Map
X-PHP-Backend
X-NewRelic-App-Data
X-Drupal-Cache-Contexts
X-Cache-Var
X-ES-SERVER
Meta-Geo
X-Mode
X-Sucuri-Cache
X-From
X-Cache-Host
X-R9-Blue-Green-Version
X-Time-Microsecs
X-Cache-TTL-Remaining
DB-Nickname
X-Xfnlog-Site
X-Qloud-Router
X-ProxyCache-Status
Cache-Tv-Group
X-ProxyCache-Key
X-BYPASS-REASON
X-CDN-Forward
X-DynaTrace-JS-Agent
X-AWS-Id
X-Amzn-Remapped-Content-Length
Webcakes-Region
Webcakes-App-Version
X-FW-Version
X-Labrador-Cache-Channel
X-Hosted-By
X-Handled-By
Webcakes-App-Name
X-Cluster
TWC-Privacy
Property-Id
Mn-Server-Ip
Ec-Rule-Version
Cross-Origin-Window-Policy
TWC-Connection-Speed
TWC-Device-Class
TWC-Locale-Group
TWC-GeoIP-LatLong
TWC-GeoIP-Country
X-LJ-Flow-ID
X-Human
X-PCL
X-Server-W
X-PHP-Host
X-TNCMS
X-Status
X-VWS-Id
X-Origin-Hint
X-Loop
X-OCL
X-NYM-Debug-Backend
X-Site-Version
X-ServerID
X-Redis-Cache
X-Timing-Wait
X-Zipkin-Id
X-Hl-Ver
Selected-Fe
X-Access
X-Detected-As
X-FB-TRIP-ID
X-Format
X-Drupal-Cache-Tags
X-Be
X-Proto
X-Proxy-Build
X-Proxied
X-Locale
X-Routing-Service
X-Section
X-Via-Fastly
Uber-Trace-Id
X-No-Session
X-Debug-Cache
X-Pinterest-Sli-Response-Type
X-Pinterest-Sli-Endpoint-Name
X-Pinterest-Sli-Latency-Threshold
X-Contextid
X-Device-Type
X-Cache-PHP
X-Ratelimit-Reset
X-ATG-Version
X-BCube-Filmed-By
X-Generated-By
FSS-Cache
Powered
X-Time
X-Correlation-Id
X-NC
X-Varnish-Cache-Hits
From-Origin
Webserver
X-Adobe-Loc
X-Adobe-Content
X-CSRF-Token
X-AIR-PT
X-FTR-Cache-Host
X-JoinUs
X-SaId
Azure-SlotName
VIX-Pulpo-Node
Cache
X-TIME
VIX-Pulpo-Upstream-Status
X-NCache
Azure-RegionName
X-TT
CF-Cached-On
Azure-InstanceId
Azure-SiteName
Azure-Version
X-Providence-Cookie
X-Is-Crawler
X-Route-Name
X-Aspnet-Duration-Ms
X-Oss-Hash-Crc64ecma
X-Origin
X-Oss-Object-Type
X-Oss-Request-Id
X-Oss-Storage-Class
X-Oss-Server-Time
X-Flags
OT-Force-Account-Verify
X-Tt-Trace-Tag
X-Tt-Trace-Host
Upgrade-Insecure-Requests
Access-Control-Request-Headers
X-Akamai-Transformed
X-GoCache-CacheStatus
X-COUNTRY
X-Hp-Webp
X-Cache-2
SD-X-WS
X-Adobe-Source
X-NWS-UUID-VERIFY
X-CCM
X-IP
X-Backend-Host
X-Backend-TTL
X-ShardId
X-LAGOON
X-IPS-LoggedIn
X-ShopId
X-Sorting-Hat-PodId
X-Alternate-Cache-Key
X-Shopify-Stage
X-Storefront-Renderer-Rendered
X-Sorting-Hat-ShopId
X-PERF
X-Pubstack
X-Forwarded-Host
X-Soup
X-Cache-Grace
X-ApacheServer
X-Cache-Enabled
X-SayCDN-TTL
X-Web-Node
X-Storage
X-Varnishpool
Decoy-Debug-Key
Cache-Status
Decoy-Debug-Status
Decoy-Debug-TTL
Fastly-SSL
X-Say-TTL
X-TA-CDN-Provider
X-Say-Cacheable
X-Cluster-Name
X-UPSTREAM-Address
X-EC-Lua
Node
X-Tumblr-Pixel-3
Country
X-ECache
X-APP-VERSION
X-TX-ID
X-Ruxit-Js-Agent
X-Viewer-Country
X-G
X-Bc-Bl
X-Aed
Mobile-Detection-Method
X-A-Dgt
X-A-Dam
X-A-Dcw
X-A
X-A-Wwc
X-ARC
X-Destination
X-D
X-CF-Lambda-Fn
X-CF-Lambda-Version
Rendered-Blocks
X-Cache-NE
X-Connection-Hash
X-B-Cookie
X-External-Request-Id
X-Application
Apple-News-Services-Parsed-Url
DCR-Decision-By
X-Trv-Group
X-Vtex-Remote-Cache
Host-ID
X-Processor
X-A-Ccd
X-RCS-CacheZone
X-EIG-Tracking-Id
X-Vtex-Processado-Em
X-VG-WebServer
X-PAYTM-SRV-ID
X-Vdms-Version
X-Vdms-Path
X-PBS-Appsvrname
X-Cache-Backend
X-VG-WebCache
Meta-Geo-Continent
X-Worker
Apple-News-Services-Request-Url
X-ScT
X-Request-UUID
Fastcgi-X-Cache-Version
X-S-Cookie
X-S
X-Rewrite-Enabled
X-Rojux
Machine
MD5-Digest
Apple-News-Services-Host
DCR-Processing-Time-Ms
Apple-News-Services-Handled
Xc-Version
X-Cache-Config
X-Cdn
X-Varnish-Remaining-TTL
CDN-CachedAt
CloudFront-Viewer-Country
X-Servername
CDN-EdgeStorageId
X-Variation
CDN-Uid
CDN-PullZone
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
CDN-RequestId
X-Platform-Server
X-Transaction
X-Page-View
X-Varnish-CookieHashed-On
CDN-RequestCountryCode
X-Twitter-Response-Tags
X-Varnish-CookieINHashed-On
X-Cache-Bucket
X-DefHash
X-Varnish-Beresp-Status
X-DefElseHash
Is-Eu
X-WADP-Cache
CDN-Cache
X-DPWN-IS-SECURE
X-Envoy-Decorator-Operation
X-Fmm-Version
X-Generation-Time
X-Varnish-Beresp-Ttl
X-Fastly-Cache
Platform
X-Micro-Cache
X-CUA
Fastly-SWR
X-Ms-Version
X-VG-TLSProxy
Fastly-SIE
X-Auto-Login
X-Clara-WADP
Adler-Geo
X-Varnish-Beresp-Grace
Gh-Request-Id
X-Ms-Request-Id
X-Cms-Context
Backend
NM-Fastcgi-Cache
Origin
Fastly-Backend-Name
Wxu-Next-Hostname
Fastly-Drupal-HTML
Wxu-Next-Commit
Rt-Fastcgi-Cache
L
X-Irp-Debug
X-Old-Content-Length
X-OVcl
X-OVcl-Cache
X-Owner
X-Minions-Version
X-Webstats-RespID
X-Wikidot-Static-Cache
X-Method
X-Wikidot-Backend
X-Platform
X-Varnish-Cacheable
X-Request-Start
X-Skip-Cache
X-Slack-Backend
X-Request-Host
X-Render-Time
X-Policy
X-Thanos
X-SN
X-LI-UUID
X-Li-Pop
X-Core-Mission
X-Developers
X-Dispatcher-Server
X-Esi-Check
X-Clientip
X-Cache-NGX
X-Backend-State
X-Bip
X-Cache-Id
X-Fastly-Backend
X-Gzip
X-JWT-State
X-Li-Fabric
X-Core-Value
X-Is-Gdpr
X-Microcachable
X-Has-Esi
X-Hash
X-HS-Content-Campaign-Id
X-Amz-Meta-Cb-Modifiedtime
Wxu-Next-Region
C-Via
Akamai-GRN
AKAMAI
CacheControlHeader
Country-Code
X-CS
X-DC
X-UA
X-LLID
X-Session-Fingerprint
X-Branch-Name
X-Eu-Site
X-Gamma-Serve
X-Csrf-Jwt
X-Content-Age
X-Location
X-Cache-Date
X-Cache-Tags
X-Mvc-Supplant-Cachable
X-CGP
X-Varnish-Ttl
SRV
X-Level-Front-Cache
X-Reqid
Ha-Gx-Prefs
X-Geo-Header
HA-Ipaddr
L5d-Success-Class
X-Cache-Debug
PFcat
X-HN
X-VarnishDD-TTL
X-Generated-On
X-Vgn-Hpd-Variations-Key
X-Vgn-Hpd-Cached
X-GEO
X-Wa
X-Date
X-Accel-Expires-Debug
Surrogated-Key
UCS
Pagetype
X-Presslabs-Stats
X-NGENIX-Cache
X-Via-CDN
FSS-Proxy
X-Up
X-Edge-Location
X-B3-Spanid
X-LB-ID
X-Refresh
X-Req
Time
We-Hiring
Group
Now
X-Cdn-Srv
X-PF-Uncompressing
X-Via-Poph
Ufe-Result
X-Cache-URL
Memcached
Mail-Subject
X-Via-Popn
X-NODE
X-FORWARDED-FOR
X-ID
X-Aicache-OS
X-Proxy-Upstream
X-Mvc-Supplant-OutputCached
Hostname
X-Ftr-Cache-Host
X-LI-Proto
NGX
X-Nginx-Cache
X-Servedbyhost
X-B3-Traceid
X-RateLimit-Remaining
X-Sql-Duration-Ms
X-Sql-Count
X-ZONE
X-Agile-Id
X-Debug-Cache-Store
X-Agile-Age
X-Debug-Cache-Fetch
X-SRV
X-Cache-Remote
X-BC
X-Agile
X-Cache-Spec
HostName
X-Datadome
X-Varnish-Hostname
X-Ua-Device
X-NU-AKA-ACS-Version
X-CACHE-AGE
X-Dc
X-Check-Cacheable
X-Request-Time
M-TraceId
X-Www-Served-By
X-FPC
X-SERVER
Xserver
WebServer
X-Via-SSL
X-VCL-Version
Edge-Copy-Time
Cache-Hits
X-S-Maxage
XServer
X-LiteSpeed-Cache-Control
X-Via-Edge
SID
X-Erf-Stays-Bingo-Pdp-Web
X-SERVER-NAME
X-CSRF-TOKEN
On-Server
Arc-Country
X-Svr
ServedBy
X-Cluster-Node
VivaBuild
Geoip-Latitude
X-CF-Powered-By
Viewtype
NtCoent-Length
GeoIp-Country-Code
X-APP
X-Edge-Server
Cdn-Request-Time
X-Bc
X-Zone
X-Via-Popv
Cdn-Host
Protected
X-UnsetCookies
X-Pass-Why
X-Cdn-Forward
X-Dynatrace-Js-Agent
ProcessTime
X-Cs
X-Action
X-Via-Ucdn
T-Server
X-HS-Status
X-MP-GENERATED-AT
X-RunCloud-Cache
Srv
Ohc-File-Size
X-NGINX-Cache
Apigw-Requestid
Memory
X-RSL
X-RPS
X-RPM
WWW-Authenticate
X-DB
X-Oss-Cdn-Auth
X-Srv
X-DI
X-DSS
X-DW
Server-Host
X-Erf-Bev-Bev
X-We-Are-Hiring
N-Cache
Pics-Label
X-Erf-Bev-Bev-Is-Generated
X-Vgn-Hpd-Ssi
X-Acc-Rdl
X-Varnish-Hits
User-Agent
X-SB
W
X-MSEdge-Features
Processtime
WZWS-RAY
X-Uri
X-Instart-Request-ID
Magicmarker
X-VC
X-MSEdge-Flight
CF-IPCountry
Server-Info
X-Geo
LB
Amp-Access-Control-Allow-Source-Origin
X-Tb
S-Rt
X-Info
GeoIP-Latitude
GeoIP-Country-Code
Sid
X-Hit
Ohc-Cache-HIT
X-Newrelic-App-Data
X-HOST
X-Vcache
Cteonnt-Length
X-Akamai-Request-ID2
CDN
X-TT-LOGID
X-Newrelic-Synthetics
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
Section-Io-Id
DSUID
X-HITS
X-ORACLE-APMCS-REQUEST-ID
Odigeo-Trace-Id
Section-Io-Origin-Status
Actual-Object-TTL
X-Cache-Hfrom
Tracecode
Cache-Name
X-UA-Device-Type
X-Pjax-Url
X-Vcl-Version
X-Envoy-Upstream-Healthchecked-Cluster
X-Unique-ID
User-Cache-Control
X-Cache-Hm
X-Epic-Correlation-Id
Geo-Info
X-Webkit-CSP-Report-Only
X-Origin-Date
A
X-FC-Vary-Parameters
X-Fpc
X-Fastly-Country-Code
Accept-Language
X-CACHE-KEY
Lb
X-Magnolia-Registration
Lfy
Esi-Enabled
Cdn
Ssr
X-Mobile-Rewrite
X-Provided-By
CountryCode
Thinkindot-Control
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
X-BBC-Edge-Cache-Status
SR-User-Adfree
Web-Mar-Node
V-Age
True-Client-Country-4JS
X-BBXSRF
Vix-Hermes-Req-Id
X-API-Version
Release
CDCHOST
FNAC-ModuleRouting
X-Amzn-Remapped-Date
X-Cc-Via
D-Cc-Upstream
X-Cc-Req-Id
Instruction
IsBot
Server-Hostname
Server-ID
Server-Ext
Path
Locid
MIME-Version
Sever-Int
X-Cache-Info
X-Server-IP
X-SIPLIST1
X-SRCache-Key
X-SD-PageType
X-Response-By
X-Origin-TTL
X-Request-URI
X-SVT-ORM-RULES
X-SVT-ORM-VERSION
X-Varnish-Url
X-VServer
X-Varnish-Authentication
X-User
X-Thinkindot-L3
X-Traceid
X-Origin-Time
X-Origin-Expires
X-Gdpr
X-Gen-Mode
X-GeoIP-City
X-Developer
X-Contensis-Viewer-Groups
X-Cache-ASPX
X-Cache-Expires
X-Goog-Meta-Goog-Reserved-File-Mtime
X-Hnp-Log
X-Nyt-Route
X-Origin-CC
X-Node-Id
X-Nginx-Cache-Key
X-Loc
X-Matched-Rule
X-Block-Status
X-Scheme
X-Via-NSCOPI
X-Nc
X-Key
X-Amzn-Remapped-Connection
X-Device-Os
X-Generated-In
X-ServedByHost
Pramga
X-Azure-Ref-OriginShield
X-Cdn-Origin
X-NodeID
X-Trace-Id
X-Var-Ttl
X-Swa-Ws
X-Sn-Servicetimems
Kp-EeAlive
X-StackifyID
X-Li-Proto
X-Fetched-On
Cache-Host
X-Men
X-Dynatrace
X-B3-SpanId
X-Cache-Tag
Origin-Cache-Control
X-Rocket-Build-Number
X-Dispatch
X-Instart-Info
X-Geo-Region
Cache-Key
X-Akamai-Pragma-Client-IP
Proxy-Firewall
X-TH-Server
Origin-Edge-Control
X-Sigma-Backend
X-Sigma
Server-Ttl
X-Served-From
X-Via-PopH
Powered-By
X-Via-PopN
X-Via-PopV
X-Parent-Response-Time
Cf-Device-Type
Cache-Provider
X-Lb-Id
Source
X-RAMCache
X-No-Cache
X-Apw-Access-Token
Fastcgi-Cache-TTL
X-LiteSpeed-Tag
X-WA
X-RateLimit-Limit-Second
X-VC-Cache
X-ServiceProvider
X-Tt-Logid
X-Agile-Brick-Ok
X-Batcache
HitType
X-ElasticPress-Query
X-Apw-Access-Object
X-Apw-Access-Action
X-RateLimit-Remaining-Second
X-Apw-Hits
Tcn
Content-Script-Type
Cf-Alt-Svc
Content-Style-Type
Expiry
X-Origin-Response-Time
Req-Svc-Chain
Vha6-Origin
X-Request-URL
Xet-Cookie
X-Varnish-Beresp-TTL
X-HostName
X-Pf-Uncompressing
X-MiniProfiler-Ids
X-Generated
X-RateLimit-Limit
X-PJAX-URL
Who
BehaviorPad-Version
X-Yottaa-OS
X-TrackingId
X-Selected-Scheme
X-Selected-Host-Header
X-Selected-Name
Pragrma
X-B3-Parentspanid
X-Snapshot-Date
Dnion-Transfer-Encoding
Resin-Trace
PICS-Label
X-BBC-Origin-Response-Status
Inserted-Into-Cache-At
X-Vgn-Hpd-Reason
Mime-Version
X-C
X-Dw-Trace-Id