
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to determine how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below is a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
Alt-Svc
X-UA-Compatible
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Request-ID
X-Generator
X-Cacheable
X-Check
Timing-Allow-Origin
P3p
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CONTENT-TYPE-OPTIONS
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
Keep-Alive
Request-Context
EagleId
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
X-UA-Device
Host-Header
X-Amz-Request-Id
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
X-Rq
Grace
X-Dns-Prefetch-Control
X-Akamai-Path-Stats
X-Swift-SaveTime
X-Swift-CacheTime
X-Server-Powered-By
X-Varnish-Cache
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Ua-Compatible
X-Dispatcher
CONTENT-SECURITY-POLICY
EagleEye-TraceId
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-WebKit-CSP
X-OneAgent-JS-Injection
X-Nginx-Cache-Status
Allow
X-Device
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-Pingback
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
Surrogate-Control
Request-Id
X-Backend-Server
Accept-CH
X-Akam-SW-Version
X-Readtime
Cf-Edge-Cache
X-Cache-Lookup
X-Response-Time
X-HW
Xkey
X-Application-Context
Content-Location
X-ASPNET-VERSION
Accept-CH-Lifetime
Rating
X-Cloud-Trace-Context
X-Url
X-Trace
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Country
Accept-Ch-Lifetime
Fastly-Restarts
X-Ruxit-JS-Agent
X-Mod-Pagespeed
X-MS-InvokeApp
X-Rack-Cache
X-PC
X-TtlSet
X-Vname
X-Server-Name
X-Clacks-Overhead
RTSS
Edge-Control
X-ESI
X-VARITI-CCR
X-B3-TraceId
X-Content-Type
Cache-Tag
X-Varnish-TTL
X-Vcap-Request-Id
Accept-Ch
X-Kinja-Revision
X-GoogleNews-Bot
X-Kinja-Build
X-Exp-Variant
X-Cdn-Fetch
X-Exp-Id
X-Kinja-Server
X-Kinja
X-Use-Magma
X-Amz-Server-Side-Encryption
X-Amz-Rid
X-Dw-Request-Base-Id
Public-Key-Pins
X-Cnection
X-Ac
X-D2id
X-Px
X-Element-Page-Cache
Verso
X-Navigation-Version
X-Abt-Application-Version
X-Cache-TTL
X-Client-IP
X-Powered-By-Plesk
Display
Pagespeed
X-Sol
X-Middleton-Display
X-Edge
X-Ser
X-RateLimit-Remaining
X-FastCGI-Cache
Service-Worker-Allowed
X-Version
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
X-Country-Code
X-Middleton-Response
Response
X-NF-Request-ID
Access-Control-Request-Method
X-Goog-Hash
X-Correlation-Id
X-Ttl
X-Kinsta-Cache
SPIisLatency
X-Ruxit-Js-Agent
SPRequestDuration
AR-Request-ID
AR-CACHE
AR-ATIME
AR-PoweredBy
AR-SID
X-Edge-Location-Klb
X-Upstream
X-Webkit-Csp
X-NWS-LOG-UUID
X-TTL
X-LLID
X-Cached
X-Instrumentation
X-Server-Lifecycle-Phase
X-Kraken-Loop-Name
X-Powered-CMS
X-SharePointHealthScore
Edge-Cache-Tag
SPRequestGuid
Nginx-Cache
X-Forwarded-For
X-Content-Security-Policy-Report-Only
X-Litespeed-Cache
TCN
Content-MD5
X-RateLimit-Limit
X-MSEdge-Ref
Mrf-Cache-Status
MRF-Tech
X-Cache-Key
X-Id
X-Shield-Request-Id
MS-Author-Via
X-B3-TraceId-Primal
X-Daa-Tunnel
X-T
X-Recruiting
S
X-Content-Digest
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-TEC-API-VERSION
X-Mg-S
X-DataDome
X-Ua-Device
X-Protected-By
X-HP-Trace-Id
X-HP-Webp
X-Jurisdiction
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Ezoic-Cdn
X-HS-Content-Id
X-HS-Cache-Config
X-HS-Hub-Id
X-HS-Combine-CSS
X-Accel-Expires
MicrosoftSharePointTeamServices
Server-Node
X-Grace
X-Request-Received
X-Frontend
X-Request-Processing-Time
X-Ab
X-Content
X-Ua-Browser
Front-End-Https
Filters
X-Yandex-Sdch-Disable
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
Fastcgi-Cache
X-Server-ID
X-PressLabs-Stats
X-Mid
X-DynaTrace
X-Origin-Server
X-ECACHE
X-Hits
X-Geo-Country
TP-Cache
TP-L2-Cache
X-Distributor
X-Ratelimit-Reset
X-Debug-Info
X-Amzn-Trace-Id
X-Tt-Trace-Host
X-Tt-Trace-Tag
Cleartype
Charset
X-Page-Id
X-DIS-Request-ID
Host
X-F-Cache
X-Git-Hash
X-WebKit-CSP-Report-Only
X-Pinterest-Rid
Pinterest-Version
Pinterest-Generated-By
Cross-Origin-Opener-Policy
X-Microsite
X-Request-Handler-Origin-Region
X-B3-Sampled
X-LB-Cache
X-Www-Served-By
Access-Control-Allow-Method
ServerID
X-Cache-Age
X-Forwarded-Proto
X-Seen-By
Cache-Tags
X-Az
X-AppVersion
X-Activity-Id
Cache-Status
X-Language
X-Cluster-Name
Accept-Charset
X-Varnish-Age
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-XRDS-LOCATION
Realpath
Filterid
X-MCACHE
X-Aspnetmvc-Version
X-Rid
Server-Name
X-Content-Options
X-Type
X-Nginx-Upstream-Cache-Status
X-App-Environment
X-Varnish-Grace
Country
Node
X-User-Agent
Retry-After
X-NWS-UUID-VERIFY
X-Origin-Cache
Viewport
X-Mobile-URL
X-Tb
X-Upgrade-Enabled
X-Request-Guid
X-Drupal-Cache-Tags
X-Aspnet-Duration-Ms
Paypal-Debug-Id
DC
X-Flags
X-Is-Crawler
X-Signature
X-FB-Debug
X-B-Cache
X-Route-Name
X-Whom
X-Providence-Cookie
X-Wix-Request-Id
X-TT
X-Goog-Stored-Content-Encoding
X-Varnish-Backend
X-Goog-Stored-Content-Length
X-Goog-Storage-Class
X-Goog-Metageneration
X-Oracle-Dms-Ecid
X-GUploader-UploadID
Protected
X-Goog-Generation
X-Oracle-Dms-Rid
X-Fastly-Request-Id
Fastcgi-Useragent
X-VCache
X-Via-JSL
X-N
X-B
X-Cache-NGX
X-Amz-Replication-Status
X-Debug
Payment
X-Contextid
X-Logged-In
X-Fastly-Request-ID
X-Fastcgi-Cache
X-Template
X-Load-Cache
WPO-Cache-Status
WPO-Cache-Message
Surrogate-Key
X-FW-Static
X-FW-Type
X-Mcache
X-FW-Server
X-FW-Hash
X-FW-Serve
X-FW-Dynamic
X-Cache-Control
X-Amz-Meta-S3cmd-Attrs
X-Trace-Id
Count-Hit
X-Node-Name
X-ECache
X-Erf-Bev-Bev-Is-Generated
X-Erf-Bev-Bev
X-Browser-Type
Healthy
X-Response-Served-From
SD-X-WS
X-Original-Request-Id
Refresh
X-Proxy
Content-Disposition
X-UUID
X-Cache-Time
X-Akamai-Request-ID2
X-Jobs
X-G
X-XRDS-Location
X-Revision
X-Rendered-As
Permissions-Policy
X-Is-Bot
X-Real-IP
Akamai-GRN
X-Adobe-Loc
X-Adobe-Content
X-Hostname
X-Page-View
Uber-Trace-Id
X-Mobile
X-Framework
X-Http-Reason
Amp-Access-Control-Allow-Source-Origin
X-Cacheable-TTL
X-Zen-Fury
Alternate-Protocol
X-Proxy-Cache-Status
NGB
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
X-Drupal-Cache-Contexts
X-Device-Type
X-Debug-IsPreview
X-Debug-IsConnected
X-Instance
X-Cache-TTL-Remaining
X-Yottaa-Optimizations
X-Yottaa-Metrics
Access-Control-Request-Headers
X-IPLB-Instance
Url
X-Source
X-Ratelimit-Remaining
X-Cache-Grace
X-Servername
From-Origin
Version
X-Cache-Rule
X-B3-Traceid
X-Mg-Request-UUID
X-Varnish-Server
X-Parallel-Accel
X-Environment-Context
X-Restarts
X-L-Path
X-NGENIX-Cache
X-Cache-Hit
X-Vgn-Hpd-Reason
Accept-Language
X-EdgeConnect-Cache-Status
X-Oneagent-Js-Injection
X-Cache-Expired-At
Countrycode
Ms-Operation-Id
Referer-Policy
X-RTag
MS-CV
X-App-Server
X-FW-Version
Frame-Options
X-HTML-Minification-Powered-By
X-NYM-Debug-Backend
Liferay-Portal
Cross-Origin-Window-Policy
X-Tumblr-Pixel-1
X-Tumblr-Pixel-0
X-Tumblr-User
X-Tumblr-Pixel
X-IPS-LoggedIn
Backend
X-Nginx-Cache
X-Cache-Action
X-RemovedCookies
Content-Secure-Policy
X-COUNTRY
X-ProcessESI
X-APP-VERSION
X-TT-LOGID
WP-Super-Cache
CF-IPCountry
Section-Io-Cache
X-Cache-Server
X-Redis-Cache
Upgrade-Insecure-Requests
X-UPSTREAM-Address
X-RN-RSRV
Meta-Geo
X-Cache-Enabled
X-No-Session
X-OCL
X-Ua
X-Generation-Time
X-Detected-As
X-PCL
X-Content-Age
Ec-Rule-Version
Cache-Tv-Group
X-FB-TRIP-ID
X-Akamai-Edgescape
X-Origin-Date
Apigw-Requestid
X-Ratelimit-Limit
X-Via-Fastly
X-Datadome
X-Hosted-By
X-Urbn-Site-Id
X-Generated-By
Fastly-SSL
X-Site-Version
X-Uri
X-Format
X-Access
Locale
X-Mode
Azure-RegionName
X-Sql-Duration-Ms
X-Say-Cacheable
X-Hyper-Cache
Azure-Version
X-Say-TTL
X-SayCDN-TTL
X-AOL-HN
X-Section
X-Varnish-Cache-Hits
X-Sql-Count
X-Cluster-Node
Azure-SlotName
Azure-SiteName
X-UA-Device-Type
Azure-InstanceId
X-PHP-Backend
X-Urbn-Context-Path
X-Server-W
S-Rt
X-Be
X-Web-Node
X-Human
X-Request-Time
X-Cache-Tags
CDN-Cache
CDN-CachedAt
CDN-PullZone
CDN-RequestCountryCode
X-Debug-Cache
X-Cache-Host
CDN-RequestId
X-Platform-Server
X-ProxyCache-Key
X-Content-Powered-By
X-BYPASS-REASON
X-Storage
X-Nginx-Cache-Key
X-Region
CDN-EdgeStorageId
TWC-Locale-Group
X-ProxyCache-Status
Eomportal-Instance
TWC-Privacy
Webcakes-App-Name
TWC-GeoIP-Country
TWC-Device-Class
Webcakes-Region
X-Adobe-Source
X-Origin-Hint
TWC-GeoIP-LatLong
Mn-Server-Ip
Property-Id
TWC-Connection-Speed
Webcakes-App-Version
CDN-Uid
X-ServerID
X-Sorting-Hat-ShopId
X-Sorting-Hat-PodId
X-Shopify-Stage
X-ShopId
X-Status
X-Tid
X-Varnishpool
X-Xfnlog-Site
X-Zipkin-Id
X-Unique-Id
X-ShardId
X-SaId
X-Handled-By
X-Forwarded-Host
X-Extlb
X-ApacheServer
X-Hl-Ver
X-JoinUs
X-Routing-Service
X-Proxied
X-PERF
X-Alternate-Cache-Key
X-Backend-Name
X-Cache-Type
X-Rule
X-Webkit-CSP
X-NewRelic-App-Data
X-Locale
X-Proxy-Build
X-Labrador-Cache-Channel
X-PHP-Host
X-GG-Cache-Date
Selected-Fe
X-Timing-Wait
ServedBy
X-Midtier
X-VWS-Id
X-Dc
X-LJ-Flow-ID
X-AWS-Id
Webserver
X-VC-Cache
X-Accel-Buffering
X-Cache-Operation
X-Cache-Remote
X-Rewrite-Enabled
SID
X-LSADC-Cache
X-Cms-Context
X-Proto
X-Cached-By
X-Edge-Location
X-Storefront-Renderer-Rendered
X-Soup
Mime-Version
Fastly-Drupal-Html
X-TA-CDN-Provider
Web-Mar-Node
Onion-Location
X-Pubstack
SRV
X-Buckets
X-GEO
Xserver
X-Reqid
X-GeoCountry
X-App-Version
X-GeoCode
Load-Balancing
Country-Code
X-CDN-Forward
X-Varnish-Hostname
X-Request-Host
X-Cdn
X-Microcachable
X-Varnish-Ttl
Decoy-Debug-TTL
Decoy-Debug-Key
X-Origin-TTL
X-Origin-CC
Decoy-Debug-Status
Cache-Hits
X-Cluster
Server-Info
X-Ms-Version
X-Time
X-Varnish-Hits
X-Tumblr-Pixel-3
X-SRV
X-Tumblr-Pixel-2
X-Ms-Request-Id
Xet-Cookie
X-MP-GENERATED-AT
X-CSRF-Token
LB
X-Magnolia-Registration
X-Envoy-Decorator-Operation
X-Air-Trace-Id
X-Air-Source
X-Air-Hostname
X-Bc-Bl
DynaTrace
X-Amzn-RequestId
X-Amz-Apigw-Id
X-Endurance-Cache-Level
X-NCache
DB-Nickname
Meta-Geo-Continent
Lang
Odigeo-Trace-Id
Rendered-Blocks
Pramga
NM-Fastcgi-Cache
Mobile-Detection-Method
Cmstype
BehaviorPad-Version
Cdncip
Source
A
Sslversion
Cdnsip
Cmsid
Fastcgi-X-Cache-Version
Expiry
DCR-Processing-Time-Ms
DCR-Decision-By
Host-ID
X-Connection-Hash
X-Processor
X-PBS-Appsvrname
X-Rojux
X-S
X-ScT
X-S-Cookie
X-PAYTM-SRV-ID
X-Origin-Response-Time
X-HS-Content-Campaign-Id
X-Hash
X-Ig-Push-State
X-NAPM-TraceId
X-Orig-Expires
X-SD-PageType
X-Session-Fingerprint
X-VG-WebCache
X-Vdms-Version
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Xc-Version
X-Vdms-Path
X-User
X-SRCache-Key
X-Shop-Environment
X-Tenant
X-TIM-N
X-TrackingId
X-Gzip
X-Geo-Header
X-AK-Request-ID
X-Aed
X-Application
X-ARC
X-Cache-Id
X-Cache-Bucket
X-A-Wwc
X-A-Dgt
X-A
T-Server
X-A-Ccd
X-A-Dam
X-A-Dcw
X-CF-Lambda-Fn
X-CF-Lambda-Version
X-External-Request-Id
X-Esi-Check
X-Forwarded-Path
X-From
X-Ftr-Request-Id
X-Epic-Correlation-Id
X-Ec-GeoHdr
X-D
X-Conf
X-Destination
X-Developer
X-Ec-Fail
Surrogated-Key
X-B-Cookie
X-ZONE
X-R9-Blue-Green-Version
X-B3-SpanId
X-Varnish-Beresp-Grace
Cache-Name
X-RCS-CacheZone
Cache
X-Azure-Ref
CDN
X-Scheme
X-Server-IP
X-Cdn-Srv
X-Slack-Backend
X-Loop
X-Fetched-On
X-SB
X-Cache-NE
X-Core-Value
X-V-Cache
Memcached
X-TNCMS
X-Device-Os
X-Core-Mission
X-Ckpd-Fst-Backend
Platform
X-Clara-WADP
Is-Eu
Mail-Subject
Machine
X-Ec-Custom-Error
X-Sigma-Backend
Web-Mar-Region
We-Hiring
X-Origin-Time
User-Cache-Control
X-Planisys-CDN-Cache
X-Amzn-Remapped-Content-Length
X-Rocket-Build-Number
X-Planisys-CDN-TTL
X-CACHE-KEY
X-Planisys-CDN-Rules
X-Origin-Expires
X-Origin
Server-Host
X-Node-Id
X-NodeID
Producers
X-Gen-Mode
State
X-Sigma
X-Block-Status
X-Cache-Backend
X-Nyt-Route
X-Mvc-Supplant-Cachable
X-Location
X-Webstats-RespID
X-Wix-Viewer-Type
X-Worker
X-Is-Gdpr
Adler-Geo
X-JWT-State
X-DPWN-IS-SECURE
AKAMAI
X-Irp-Debug
X-SVT-ORM-VERSION
X-Fmm-Version
X-GeoIP
X-Gdpr
X-Fastly-Cache
MD5-Digest
Fastly-GeoIP-CountryCode
X-Hnp-Log
X-Has-Esi
X-LAGOON
X-WADP-Cache
X-SVT-ORM-RULES
X-Varnish-CookieINHashed-On
X-Variation
X-VG-TLSProxy
X-Varnish-CookieHashed-On
X-DefElseHash
Environment
X-DefHash
X-Varnish-Remaining-TTL
X-Cache-Info
HostName
AMP-Access-Control-Allow-Source-Origin
X-GeoIP-City
X-Forwarded-Site
X-Datadog-Parent-Id
X-Generated-On
X-Platform
X-Served-From
X-Csrf-Jwt
X-Gamma-Serve
X-Thinkindot-L3
X-Auto-Login
X-Aicache-OS
X-VServer
X-Branch-Name
X-CGP
X-Rocket-Nginx-Serving-Static
X-Level-Front-Cache
X-Cdn-Origin
X-Developers
X-Skip-Cache
X-Datadog-Trace-Id
X-Eu-Site
X-Minions-Version
X-Httpd
X-Datadog-Sampling-Priority
Thinkindot-CacheControl-Type
X-Region-Sid
Cluster
Thinkindot-Control
X-Cache-Date
X-BBC-Edge-Cache-Status
Traceparent
Fastcgi-Cache-TTL
Fastly-SIE
Ha-Gx-Prefs
HA-Ipaddr
Gh-Request-Id
X-CacheTTL
Fastly-SWR
X-Viewer-Country
Arc-Country
Release
Req-Svc-Chain
Kp-EeAlive
Origin-EX
Origin-CC
CloudFront-Viewer-Country
X-Tx-Id
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
Apple-News-Services-Host
Apple-News-Services-Handled
Origin
L5d-Success-Class
X-Proxy-Upstream
V-Age
X-Qloud-Router
X-RateLimit-Limit-Second
Thinkindot-CacheControl
Vix-Hermes-Req-Id
Wxu-Next-Commit
X-Pool
X-Policy
X-Proxy-Cache-Info
Wxu-Next-Region
Wxu-Next-Hostname
X-RateLimit-Remaining-Second
X-Rebelmouse-Cache-Control
Ssr
N-Cache
X-Sn-Servicetimems
X-Dispatcher-Number
X-Loc
X-Rebelmouse-Surrogate-Control
Redirect-Candidate
TDXMobile
Svr
Server-Hostname
Sever-Int
Server-Ext
X-SIPLIST1
X-IPLB-Request-ID
X-Men
X-Scale
X-Request-URI
X-Optimistic-Header
X-Pod-Name
X-VarnishDD-TTL
X-HN
L
IsBot
DSUID
X-Via-NSCOPI
NGX
X-EC-Lua
X-Via-Ucdn
Locid
CDCHOST
PFcat
X-Tec-Api-Origin
X-Tec-Api-Version
X-TraceId
X-Tec-Api-Root
X-VC
X-Owner
X-Response-By
X-Refresh
X-WP-CF-Super-Cache-Cache-Control
X-Old-Content-Length
X-NC
X-WP-CF-Super-Cache
Ohc-File-Size
Time
X-CS
X-Parent-Response-Time
X-Tb-Optimization-Total-Bytes-Saved
Memory
X-RPM
Pics-Label
X-RSL
X-DSS
X-DW
X-RPS
X-DI
X-DB
X-Srv
X-Udemy-Cache-App-Namespace
X-Akamai-Transformed
X-Accel-Expires-Debug
Candidate-Md5Url
X-BCube-Filmed-By
Env
X-Ad-Defer-Variation
X-Newrelic-Synthetics
X-Edge-Pop
Cache-Key
Datacenter
X-Mvc-Supplant-OutputCached
X-Date
X-Ah-Environment
Ms-Author-Via
X-SplitTest
X-Wikidot-Backend
X-GeoIP-Country-Code
X-LB-NoCache
X-Generated-In
Servername
CPC-Age
X-Cache-ASPX
GEO-INFO
VNS-Age
CPC-Cache
X-GeoIP-Region-Code
X-Wikidot-Static-Cache
X-Contensis-Viewer-Groups
VNS-Cache
X-Cache-Status-Check
X-Via-Popn
X-Via-Popv
X-Via-Poph
GeoIp-Country-Code
Fastly-Backend-Name
X-WA-Info
XM
Lb
Geo-Info
X-Varnish-Authentication
X-Amz-Meta-Cb-Modifiedtime
X-Cache-Debug
X-Xrds-Location
X-TIME
X-Tt-Logid
X-HA-Backend
X-Micro-Cache
Path
X-S-Maxage
X-API-Version
Fusion-Component-Id
Fusion-Content-Id
Fusion-Content-Source
Fusion-Template-Id
Fusion-Deployment-Id
Fusion-Source
X-Servedbyhost
ITXSESSIONID
CacheControlHeader
Geoip-Latitude
X-AIR-PT
Ohc-Cache-HIT
X-RateLimit-Reset
X-TH-Server
Cache-Host
True-Client-Country-4JS
X-Action
Client
X-PX
X-Cs
Ngx.Var.Host
True-Client-IP
X-Varnish-Beresp-TTL
X-VCL-Version
X-Backend-TTL
X-Vc
X-VHOST
XkeyRZ
X-DC
Server-ID
X-Trace-ID
X-Proxy-CacheRZ
X-Api-Version
FSS-Cache
X-TX-ID
Edge-Cache
Hostname
X-Clientip
X-Presslabs-Stats
X-Req
My-App
X-FireWall-Port
X-Provided-By
Powered-By
X-FPC
X-Fpc
X-B3-Spanid
X-Pass-Why
X-Webkit-Csp-Report-Only
X-Origin-Upstream-Status
X-Zone
X-Up
NtCoent-Length
Test
X-Traceid
X-Dmc
X-MSEdge-Features
X-LB-ID
X-MSEdge-Flight
X-Varnish-Beresp-Ttl
X-NGINX-Cache
DataCenter
Cf-Int-Pingora-Origin-Digest
X-CSRF-TOKEN
X-Vcl-Version
Server-Id
X-Render-Time
X-Dynatrace
X-HS-Status
X-INCAP-ABP
X-Cdn-Request-ID
X-Correlation-ID
User-Agent
X-Li-Fabric
X-UnsetCookies
X-Webkit-CSP-Report-Only
X-Beluga-Trace
X-Beluga-Cache-Status
X-LI-UUID
X-Li-Pop
Rip
X-Beluga-Status
C-Via
X-Beluga-Response-Time
X-Beluga-Record
X-Beluga-Node
Tube-Return
X-Gateway-Cache-Key
X-Gateway-Cache-Status
Tube-Got-Results
WZWS-RAY
Tube-Get-Contents
Click-Count-Action-Start
X-Gateway-Request-Id
Proxy-Connection
Tube-Got-Eval
Click-Count-Error
X-ND-Cache
X-ServedByHost
X-Service
X-Gateway-Skip-Cache
OT-Force-Account-Verify
X-CLOUD-TRACE-CONTEXT
X-DynaTrace-JS-Agent
X-Alfa-Service
X-CUA
Esi-Enabled
Srvid
X-Ha-Backend
X-URL
X-Via-PopN
X-Via-PopH
X-Via-PopV
Resin-Trace
HIT
X-RAMCache
X-Qnm-Cache
X-M-Reqid
X-M-Log
X-Time-Microsecs
Tcn
Srv
X-Check-Cacheable
X-Geo
GeoIP-Country-Code
Target-Params
GeoIP-Latitude
X-Platform-Router
X-Platform-Processor
Tracecode
Uri
X-Cdn-Forward
Cf-Device-Type
X-Platform-Cluster
X-Fragments
Sid
On-Server
X-Akamai-Pragma-Client-IP
MIME-Version
X-CCDN-Origin-Time
X-Hcs-Proxy-Type
X-CCDN-CacheTTL
X-APP
Epwk-X-Cache
X-Proxy-Cache-Hk
X-FC-Vary-Parameters
X-Var-Ttl
X-ATG-Version
X-Sucuri-ID
X-Sucuri-Cache
Lfy
X-Fastly-Backend
X-Fastly-Backend-Reqs
X-Azure-Ref-OriginShield
X-Fetch-By
X-LI-Proto
X-LiteSpeed-Cache-Control
Fastly-Drupal-HTML
X-TRACE-ID
X-Backend-Host
ENV
ServerName
X-Lb-Nocache
Cdn
X-Esi
XServer
Section-Io-Id
X-Backend-State
Magicmarker
X-Li-Proto
Section-Io-Origin-Status
X-NU-AKA-ACS-Version
WebServer
Section-Io-Origin-Time-Seconds
X-Edge-POP
X-Varnish-Beresp-Status
X-B3-Traceid-Primal
X-Cache-Expires
Section-Origin-Responded
X-HostName
X-Srcache-Store-Status
X-Srcache-Fetch-Status
X-MG-S
X-App
Inserted-Into-Cache-At
CF-Cached-On
PICS-Label
X-ElasticPress-Query
X-CF-Powered-By
X-Newrelic-App-Data
X-Yottaa-OS
Wpo-Cache-Status
Cf-Ipcountry
D-Url-Rewrites
X-Request-Start
Wpo-Cache-Message
X-Serial
X-Edge-Origin-Shield-Bytes
M-TraceId
X-Acquia-Application-UUID
X-Acquia-Application-Trace
X-Nc
X-Acquia-Site
X-Cache-CFC
X-Iplb-Instance
X-Iplb-Request-Id
X-Edge-Origin-Shield-Region
Server-Ttl
X-Vcache
X-Acquia-Purge-Tags
Servedby
Warning
Fastcgi-Cache-Ttl
X-Vercel-Cache
X-Wp-Cf-Super-Cache-Cache-Control
X-Wp-Cf-Super-Cache
X-Vercel-Id
X-Fastly-Cache-Hits
X-Back
X-IN-APIGATEWAYSSL
X-IN-APIGATEWAY
X-BBC-Origin-Response-Status
X-Release
X-Dist-Code
X-Litespeed-Cache-Control
X-Request-Url
X-Snapshot-Date
Ngx
Cneonction
X-B3-Parentspanid
X-Thanos
Content-Style-Type
X-Bip
X-Th-Server
X-Storefront-Renderer-Verified
Content-Script-Type
X-Dw-Trace-Id
X-Swift-Error
X-Shopify-Generated-Cart-Token
X-LiteSpeed-Tag
CountryCode
X-Request-URL