Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
X-Request-Id
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Cacheable
X-Check
P3p
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-CONTENT-TYPE-OPTIONS
X-AspNetMvc-Version
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
Server-Timing
X-Ws-Request-Id
X-Cache-Group
X-Turbo-Charged-By
X-Backend
Keep-Alive
Request-Context
EagleId
X-Akamai-Path-Stats
X-Age
X-Robots-Tag
X-Server
X-Dns-Prefetch-Control
X-AH-Environment
X-Amz-Request-Id
X-UA-Device
Host-Header
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
X-Ua-Compatible
CONTENT-SECURITY-POLICY
Allow
EagleEye-TraceId
X-WebKit-CSP
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Nginx-Cache-Status
X-Device
X-OneAgent-JS-Injection
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
X-Pingback
Surrogate-Control
Request-Id
X-Backend-Server
Cf-Edge-Cache
Accept-CH
X-Readtime
X-Akam-SW-Version
X-Response-Time
X-Cache-Lookup
X-HW
Accept-CH-Lifetime
X-Application-Context
Xkey
Content-Location
X-ASPNET-VERSION
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Trace
X-Country
Fastly-Restarts
X-MS-InvokeApp
Accept-Ch-Lifetime
X-Rack-Cache
X-Mod-Pagespeed
X-PC
X-Vname
X-TtlSet
X-Clacks-Overhead
X-Ruxit-JS-Agent
Accept-Ch
RTSS
X-Server-Name
Edge-Control
X-VARITI-CCR
X-ESI
X-Varnish-TTL
X-Amz-Server-Side-Encryption
Cache-Tag
X-Content-Type
X-Vcap-Request-Id
X-B3-TraceId
X-Dw-Request-Base-Id
X-Amz-Rid
X-Cdn-Fetch
Public-Key-Pins
X-Use-Magma
X-Kinja-Server
X-Exp-Id
X-Kinja
X-GoogleNews-Bot
X-Kinja-Revision
X-Exp-Variant
X-Kinja-Build
X-Px
X-Cnection
X-D2id
X-Edge
X-Ac
X-RateLimit-Remaining
X-Navigation-Version
X-FastCGI-Cache
X-Element-Page-Cache
Verso
X-Ser
X-Sol
Pagespeed
X-Middleton-Display
Display
X-Client-IP
X-Powered-By-Plesk
X-Abt-Application-Version
X-Version
X-Cache-TTL
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
Service-Worker-Allowed
X-Ttl
X-Country-Code
Response
X-Middleton-Response
X-NF-Request-ID
X-Correlation-Id
X-Ruxit-Js-Agent
Access-Control-Request-Method
X-Goog-Hash
X-Content-Security-Policy-Report-Only
SPIisLatency
SPRequestDuration
X-Kinsta-Cache
X-Cached
X-Edge-Location-Klb
AR-CACHE
AR-PoweredBy
AR-Request-ID
AR-ATIME
AR-SID
SPRequestGuid
X-SharePointHealthScore
X-Upstream
X-Powered-CMS
X-LLID
Edge-Cache-Tag
X-RateLimit-Limit
X-NWS-LOG-UUID
X-Instrumentation
X-Server-Lifecycle-Phase
X-Kraken-Loop-Name
X-Forwarded-For
X-Cache-Key
Nginx-Cache
X-Litespeed-Cache
X-TTL
Content-MD5
X-Id
X-MSEdge-Ref
Mrf-Cache-Status
MRF-Tech
X-Shield-Request-Id
TCN
X-T
X-B3-TraceId-Primal
X-Recruiting
S
X-Daa-Tunnel
X-Content-Digest
X-DataDome
X-TEC-API-VERSION
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-Webkit-Csp
X-Mg-S
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-HP-Webp
X-HP-Trace-Id
X-Ua-Device
MS-Author-Via
X-Jurisdiction
X-Accel-Expires
X-ECACHE
X-WebKit-CSP-Report-Only
X-Protected-By
X-Ezoic-Cdn
X-HS-Cache-Config
X-HS-Content-Id
X-HS-Hub-Id
X-HS-Combine-CSS
X-Grace
X-Content
X-Ab
X-Frontend
MicrosoftSharePointTeamServices
X-Ua-Browser
X-Request-Received
X-Request-Processing-Time
Server-Node
Front-End-Https
Filters
TP-L2-Cache
X-Yandex-Sdch-Disable
TP-Cache
X-DynaTrace
X-PressLabs-Stats
X-Server-ID
X-Origin-Server
X-Distributor
Fastcgi-Cache
X-ORACLE-DMS-ECID
X-Mid
X-Geo-Country
X-ORACLE-DMS-RID
X-Hits
X-Request-Handler-Origin-Region
X-Microsite
X-Tt-Trace-Host
X-Tt-Trace-Tag
X-Amzn-Trace-Id
X-LB-Cache
Charset
Cleartype
Host
X-Debug-Info
X-Ratelimit-Reset
X-Page-Id
X-F-Cache
X-Git-Hash
X-B3-Sampled
X-Forwarded-Proto
Cross-Origin-Opener-Policy
X-DIS-Request-ID
X-Cache-Age
X-Www-Served-By
Realpath
Cache-Status
Access-Control-Allow-Method
Pinterest-Version
X-Pinterest-Rid
Pinterest-Generated-By
X-Seen-By
X-AppVersion
X-Activity-Id
X-Az
ServerID
X-Fastly-Request-Id
Accept-Charset
Cache-Tags
Filterid
X-Varnish-Age
X-XRDS-LOCATION
X-Cluster-Name
X-Aspnetmvc-Version
X-Mcache
X-Nginx-Upstream-Cache-Status
X-Rid
X-Language
X-Content-Options
X-Type
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-MCACHE
X-App-Environment
Retry-After
Country
Server-Name
X-FB-Debug
X-Upgrade-Enabled
Viewport
Node
X-Varnish-Backend
Paypal-Debug-Id
DC
X-Tb
X-Varnish-Grace
X-Origin-Cache
X-User-Agent
X-B-Cache
X-Drupal-Cache-Tags
X-Signature
X-Whom
X-Goog-Generation
X-Wix-Request-Id
X-Goog-Metageneration
X-GUploader-UploadID
X-TT
X-Mobile-URL
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
X-Oracle-Dms-Ecid
X-Providence-Cookie
X-Is-Crawler
X-Flags
X-Request-Guid
X-Aspnet-Duration-Ms
X-Route-Name
X-Oracle-Dms-Rid
X-VCache
X-B
Protected
X-NWS-UUID-VERIFY
X-Oneagent-Js-Injection
Permissions-Policy
X-Debug
Fastcgi-Useragent
X-Logged-In
WPO-Cache-Status
X-Amz-Replication-Status
WPO-Cache-Message
Payment
X-N
X-Via-JSL
X-Amz-Meta-S3cmd-Attrs
X-Cache-NGX
X-Load-Cache
Surrogate-Key
X-Contextid
X-Cache-Control
Count-Hit
X-Node-Name
X-Template
X-ECache
Healthy
X-Browser-Type
Amp-Access-Control-Allow-Source-Origin
X-Erf-Bev-Bev
X-B3-Traceid
X-Erf-Bev-Bev-Is-Generated
X-Webkit-CSP
X-FW-Type
X-FW-Serve
X-FW-Hash
X-FW-Static
X-FW-Server
X-FW-Dynamic
X-Mobile
X-Original-Request-Id
X-Trace-Id
X-Response-Served-From
SD-X-WS
Akamai-GRN
X-Proxy
Refresh
Content-Disposition
X-Revision
X-Cache-Time
X-XRDS-Location
X-G
X-Jobs
X-Framework
X-Zen-Fury
X-UUID
Uber-Trace-Id
X-Akamai-Request-ID2
Alternate-Protocol
X-Real-IP
X-Cache-TTL-Remaining
NGB
X-Rendered-As
X-Cacheable-TTL
X-Device-Type
X-Hostname
VIX-Pulpo-Node
X-Restarts
X-Is-Bot
VIX-Pulpo-Upstream-Status
X-Proxy-Cache-Status
X-Fastcgi-Cache
X-NGENIX-Cache
Url
X-Http-Reason
X-Adobe-Content
X-Adobe-Loc
X-Instance
Access-Control-Request-Headers
X-Page-View
X-Drupal-Cache-Contexts
X-Debug-IsConnected
X-Debug-IsPreview
X-Servername
X-Yottaa-Optimizations
X-Yottaa-Metrics
X-Fastly-Request-ID
X-Cache-Grace
X-IPLB-Instance
X-Varnish-Server
X-Mg-Request-UUID
Version
X-EdgeConnect-Cache-Status
X-Environment-Context
X-L-Path
X-Source
X-Midtier
Accept-Language
X-HTML-Minification-Powered-By
MS-CV
X-RTag
Countrycode
Ms-Operation-Id
X-Cache-Rule
Frame-Options
X-Cache-Hit
X-Vgn-Hpd-Reason
X-Cache-Expired-At
From-Origin
Referer-Policy
Liferay-Portal
X-App-Server
X-NYM-Debug-Backend
Cross-Origin-Window-Policy
X-Tumblr-Pixel-1
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Backend
X-Tumblr-User
X-Nginx-Cache
X-IPS-LoggedIn
X-Parallel-Accel
X-FW-Version
X-APP-VERSION
X-COUNTRY
Content-Secure-Policy
X-Datadome
X-Hosted-By
X-Cache-Server
X-Unique-Id
X-RN-RSRV
Upgrade-Insecure-Requests
X-UPSTREAM-Address
Meta-Geo
Section-Io-Cache
X-RemovedCookies
X-PCL
X-Redis-Cache
X-Ua
X-No-Session
X-OCL
X-Generation-Time
X-ProcessESI
X-Region
X-PHP-Backend
X-Origin-Hint
X-Request-Time
X-Server-W
X-Via-Fastly
X-Cache-Enabled
X-FB-TRIP-ID
X-Content-Age
X-Varnish-Cache-Hits
X-Format
X-UA-Device-Type
X-Uri
X-Section
X-Access
WP-Super-Cache
Azure-Version
Mn-Server-Ip
Azure-SlotName
Azure-SiteName
Apigw-Requestid
Azure-InstanceId
Azure-RegionName
Property-Id
S-Rt
Webcakes-App-Name
Webcakes-App-Version
Webcakes-Region
TWC-Privacy
TWC-Locale-Group
TWC-Connection-Speed
TWC-GeoIP-Country
TWC-GeoIP-LatLong
X-Cluster-Node
TWC-Device-Class
CF-IPCountry
X-Mode
X-Debug-Cache
X-ProxyCache-Status
X-Content-Powered-By
X-Site-Version
X-Sql-Duration-Ms
X-Sql-Count
X-Cache-Action
X-ProxyCache-Key
X-Nginx-Cache-Key
X-ShardId
X-ShopId
X-Shopify-Stage
X-Sorting-Hat-ShopId
X-Human
X-Status
X-Locale
X-Alternate-Cache-Key
X-PERF
X-Storage
X-Origin-Date
X-ApacheServer
X-Be
Locale
Fastly-SSL
Cache-Tv-Group
Eomportal-Instance
X-Sorting-Hat-PodId
X-AOL-HN
X-Cache-Host
X-Urbn-Site-Id
X-Urbn-Context-Path
X-Akamai-Edgescape
X-Xfnlog-Site
X-BYPASS-REASON
X-Cache-Type
X-Extlb
X-Backend-Name
X-NewRelic-App-Data
X-Detected-As
X-Routing-Service
X-Say-Cacheable
X-Generated-By
X-Say-TTL
X-SayCDN-TTL
X-PHP-Host
X-Labrador-Cache-Channel
X-Forwarded-Host
X-Zipkin-Id
Ec-Rule-Version
X-Proxied
X-SaId
X-ServerID
X-Varnishpool
X-Tid
X-Hl-Ver
X-JoinUs
X-AWS-Id
X-Platform-Server
X-LJ-Flow-ID
X-VWS-Id
X-Web-Node
X-Cms-Context
X-Cache-Tags
X-Handled-By
X-Adobe-Source
Selected-Fe
CDN-CachedAt
X-GG-Cache-Date
X-Proxy-Build
CDN-Cache
CDN-RequestId
CDN-RequestCountryCode
CDN-PullZone
X-Timing-Wait
CDN-Uid
CDN-EdgeStorageId
X-Ratelimit-Remaining
ServedBy
X-VC-Cache
X-Dc
X-Edge-Location
X-Storefront-Renderer-Rendered
Load-Balancing
X-Hyper-Cache
SRV
X-CDN-Forward
X-Proto
X-Rule
X-LSADC-Cache
X-Cache-Operation
Web-Mar-Node
X-GeoCountry
X-TT-LOGID
Onion-Location
Webserver
X-GeoCode
Fastly-Drupal-Html
X-App-Version
X-Cached-By
X-Cache-Remote
Mime-Version
X-Rewrite-Enabled
X-Varnish-Hostname
X-Soup
Cache-Hits
SID
X-TA-CDN-Provider
X-GEO
Xserver
X-Accel-Buffering
X-Cluster
X-Pubstack
X-Cdn
X-Reqid
X-Varnish-Ttl
X-Origin-CC
Country-Code
X-Origin-TTL
X-Varnish-Hits
Xet-Cookie
X-Envoy-Decorator-Operation
X-Microcachable
X-Air-Source
Server-Info
X-Air-Hostname
X-Air-Trace-Id
X-Buckets
X-Tumblr-Pixel-2
X-SRV
X-Ratelimit-Limit
X-Tumblr-Pixel-3
Decoy-Debug-Key
X-Magnolia-Registration
Decoy-Debug-TTL
X-MP-GENERATED-AT
X-CSRF-Token
Decoy-Debug-Status
X-IPLB-Request-ID
LB
X-Request-Host
DB-Nickname
X-Ms-Request-Id
X-Ms-Version
X-Amzn-RequestId
Cache
X-Amz-Apigw-Id
X-Endurance-Cache-Level
Source
Host-ID
Fastcgi-X-Cache-Version
BehaviorPad-Version
Expiry
X-VG-WebCache
Xc-Version
X-Vtex-Remote-Cache
Cmsid
A
X-Origin-Response-Time
Cdnsip
Cmstype
Cdncip
DCR-Processing-Time-Ms
X-Via-NSCOPI
DCR-Decision-By
X-Vtex-Processado-Em
Sslversion
X-Connection-Hash
X-Processor
X-D
X-Destination
X-Ec-Fail
X-Developer
X-Conf
X-CF-Lambda-Version
X-Cache-Id
X-S
X-Cache-NE
X-Cdn-Srv
X-CF-Lambda-Fn
X-Rojux
X-PBS-Appsvrname
X-Ec-GeoHdr
X-PAYTM-SRV-ID
X-Hash
X-HS-Content-Campaign-Id
X-Orig-Expires
X-NAPM-TraceId
X-Ig-Push-State
X-Gzip
X-Geo-Header
X-Esi-Check
X-Epic-Correlation-Id
X-External-Request-Id
X-Forwarded-Path
X-Ftr-Request-Id
X-B-Cookie
X-S-Cookie
Rendered-Blocks
Pramga
X-TrackingId
X-TIM-N
X-SRCache-Key
X-Tenant
Odigeo-Trace-Id
X-User
MD5-Digest
Lang
X-Vdms-Path
Meta-Geo-Continent
NM-Fastcgi-Cache
Mobile-Detection-Method
X-Shop-Environment
Surrogated-Key
X-ScT
X-A-Wwc
X-Aed
X-AK-Request-ID
X-ARC
X-Application
X-A-Dgt
X-SD-PageType
X-A-Ccd
T-Server
X-A-Dam
X-A-Dcw
X-Session-Fingerprint
X-Vdms-Version
X-A
X-NCache
X-Tt-Logid
X-Newrelic-Synthetics
X-Bc-Bl
X-Time
X-RCS-CacheZone
X-Tx-Id
X-B3-SpanId
Machine
X-Cache-Info
X-Cache-Bucket
Fastly-GeoIP-CountryCode
X-Ckpd-Fst-Backend
Environment
X-Clara-WADP
X-Cache-Backend
X-CacheTTL
Mail-Subject
Wxu-Next-Commit
We-Hiring
State
Server-Host
Wxu-Next-Hostname
Wxu-Next-Region
X-Amzn-Remapped-Content-Length
Memcached
X-Core-Mission
X-Varnish-Beresp-Grace
X-Device-Os
X-Sigma
X-Server-IP
X-Scheme
X-SB
X-Sigma-Backend
X-SVT-ORM-RULES
X-WADP-Cache
X-Via-Ucdn
X-V-Cache
X-SVT-ORM-VERSION
X-Rocket-Build-Number
X-Origin-Time
X-Fmm-Version
X-Fetched-On
X-Fastly-Cache
X-Developers
X-Gdpr
X-Irp-Debug
X-Origin
X-NodeID
X-Node-Id
X-Mvc-Supplant-Cachable
X-Core-Value
X-Nyt-Route
AKAMAI
X-Skip-Cache
X-Azure-Ref
CDN
X-ZONE
Cache-Name
DynaTrace
X-R9-Blue-Green-Version
X-Minions-Version
X-Loop
X-Gen-Mode
X-Generated-On
X-Gamma-Serve
X-Forwarded-Site
X-Level-Front-Cache
X-Is-Gdpr
X-JWT-State
X-Hnp-Log
X-HN
X-LAGOON
X-Has-Esi
X-Dispatcher-Number
X-BBC-Edge-Cache-Status
X-Block-Status
X-Branch-Name
X-Auto-Login
Web-Mar-Region
V-Age
Vix-Hermes-Req-Id
X-Cache-Date
X-CGP
X-Planisys-CDN-Cache
X-Ec-Custom-Error
X-Datadog-Trace-Id
X-Datadog-Sampling-Priority
X-Csrf-Jwt
X-Datadog-Parent-Id
X-Eu-Site
X-Platform
Producers
X-DefElseHash
X-DefHash
Platform
Is-Eu
X-Wix-Viewer-Type
Adler-Geo
X-DPWN-IS-SECURE
X-GeoIP
X-Varnish-Remaining-TTL
X-Worker
X-Varnish-CookieINHashed-On
X-Varnish-CookieHashed-On
X-Origin-Expires
X-Variation
X-Viewer-Country
X-VG-TLSProxy
X-Pool
X-Proxy-Upstream
X-RateLimit-Limit-Second
X-Policy
X-Pod-Name
X-Planisys-CDN-TTL
User-Cache-Control
X-RateLimit-Remaining-Second
X-Request-URI
X-TNCMS
X-VarnishDD-TTL
X-Thinkindot-L3
X-Slack-Backend
X-Rocket-Nginx-Serving-Static
X-Served-From
X-Planisys-CDN-Rules
X-Region-Sid
L
L5d-Success-Class
Apple-News-Services-Handled
Apple-News-Services-Request-Url
CloudFront-Viewer-Country
Cluster
Gh-Request-Id
Ha-Gx-Prefs
Svr
HA-Ipaddr
Ssr
N-Cache
Apple-News-Services-Host
Redirect-Candidate
Release
Req-Svc-Chain
PFcat
Origin-EX
Apple-News-Services-Parsed-Url
Origin
Origin-CC
TDXMobile
Kp-EeAlive
Thinkindot-CacheControl
Thinkindot-Control
CDCHOST
Traceparent
Fastcgi-Cache-TTL
Thinkindot-CacheControl-Type
X-Optimistic-Header
X-Aicache-OS
X-GeoIP-City
X-Owner
Sever-Int
X-Webstats-RespID
X-Httpd
X-Qloud-Router
Server-Hostname
Ohc-File-Size
DSUID
X-VServer
X-From
X-Rebelmouse-Cache-Control
HostName
X-Cdn-Origin
Datacenter
X-Rebelmouse-Surrogate-Control
NGX
X-Scale
Cache-Key
X-Wikidot-Static-Cache
Fastly-SWR
X-Loc
Server-Ext
IsBot
X-Wikidot-Backend
X-Proxy-Cache-Info
X-Sn-Servicetimems
X-BCube-Filmed-By
Candidate-Md5Url
X-SIPLIST1
Fastly-SIE
X-Cache-Status-Check
Pics-Label
X-WP-CF-Super-Cache
VNS-Cache
GEO-INFO
X-Refresh
X-Ad-Defer-Variation
CPC-Cache
X-Parent-Response-Time
X-WP-CF-Super-Cache-Cache-Control
X-SplitTest
CPC-Age
X-Location
XM
VNS-Age
X-Tec-Api-Root
X-Tec-Api-Origin
X-Tec-Api-Version
AMP-Access-Control-Allow-Source-Origin
X-NC
X-CS
X-WA-Info
X-Srv
Fastly-Backend-Name
X-VC
X-Tb-Optimization-Total-Bytes-Saved
X-CACHE-KEY
X-Micro-Cache
X-Men
X-LB-NoCache
Env
X-Contensis-Viewer-Groups
X-Cache-ASPX
Arc-Country
X-Ah-Environment
Locid
X-AIR-PT
X-Edge-Pop
Servername
Ms-Author-Via
X-EC-Lua
X-TIME
Lb
X-Udemy-Cache-App-Namespace
X-Varnish-Authentication
Memory
Time
X-TraceId
X-Old-Content-Length
X-Response-By
X-DB
X-DSS
X-Servedbyhost
X-Amz-Meta-Cb-Modifiedtime
X-RPS
X-DW
X-Generated-In
X-RSL
X-RPM
X-Mvc-Supplant-OutputCached
Path
X-DI
X-Xrds-Location
X-Api-Version
X-Via-Popn
X-Via-Popv
X-Via-Poph
X-Accel-Expires-Debug
Cache-Host
GeoIp-Country-Code
Ngx.Var.Host
X-Date
X-Akamai-Transformed
Ohc-Cache-HIT
ITXSESSIONID
X-HA-Backend
X-S-Maxage
X-GeoIP-Country-Code
X-Varnish-Beresp-TTL
X-GeoIP-Region-Code
X-RateLimit-Reset
X-Proxy-CacheRZ
X-Vc
XkeyRZ
X-Cs
X-Cache-Debug
Geoip-Latitude
X-VCL-Version
FSS-Cache
Client
True-Client-IP
X-API-Version
X-Clientip
Fusion-Component-Id
Fusion-Deployment-Id
Fusion-Template-Id
Hostname
Fusion-Content-Source
Fusion-Content-Id
Fusion-Source
X-VHOST
Server-ID
X-DC
CacheControlHeader
X-Trace-ID
X-TH-Server
X-FireWall-Port
X-Presslabs-Stats
X-Action
True-Client-Country-4JS
X-Fpc
X-Zone
X-Backend-TTL
X-Dmc
X-TX-ID
X-B3-Spanid
Geo-Info
Powered-By
X-MSEdge-Features
X-Render-Time
X-MSEdge-Flight
X-Webkit-Csp-Report-Only
X-Req
Edge-Cache
X-INCAP-ABP
X-PX
NtCoent-Length
X-Traceid
X-DynaTrace-JS-Agent
X-Gateway-Request-Id
Test
X-Gateway-Skip-Cache
X-Gateway-Cache-Key
X-Service
Rip
C-Via
X-FPC
X-Pass-Why
My-App
X-Gateway-Cache-Status
Tcn
X-NGINX-Cache
X-M-Reqid
X-Qnm-Cache
X-HS-Status
X-M-Log
Tube-Get-Contents
Tube-Got-Eval
HIT
Esi-Enabled
Tube-Got-Results
Server-Id
Click-Count-Action-Start
Click-Count-Error
X-CSRF-TOKEN
X-Cdn-Request-ID
Tube-Return
X-Provided-By
X-Origin-Upstream-Status
X-Correlation-ID
X-Beluga-Trace
On-Server
X-Beluga-Record
X-Beluga-Node
User-Agent
X-Beluga-Status
X-Beluga-Response-Time
X-Beluga-Cache-Status
X-Up
X-Vcl-Version
X-Webkit-CSP-Report-Only
OT-Force-Account-Verify
X-Ha-Backend
X-Varnish-Beresp-Ttl
X-LB-ID
X-Via-PopH
X-Alfa-Service
Cf-Int-Pingora-Origin-Digest
X-Via-PopV
X-Via-PopN
X-TRACE-ID
Sid
Proxy-Connection
Srvid
X-URL
Uri
Resin-Trace
X-Proxy-Cache-Hk
WebServer
X-Check-Cacheable
X-CLOUD-TRACE-CONTEXT
DataCenter
X-APP
X-RAMCache
X-Li-Fabric
X-Geo
X-UnsetCookies
GeoIP-Latitude
X-Li-Pop
GeoIP-Country-Code
X-LI-UUID
X-Edge-Origin-Shield-Bytes
MIME-Version
X-Akamai-Pragma-Client-IP
X-CCDN-CacheTTL
Epwk-X-Cache
X-Edge-Origin-Shield-Region
X-LI-Proto
X-CCDN-Origin-Time
Srv
X-ServedByHost
Cdn
X-Time-Microsecs
X-Fetch-By
X-ND-Cache
X-Hcs-Proxy-Type
WZWS-RAY
X-Cdn-Forward
ENV
Fastly-Drupal-HTML
M-TraceId
Server-Ttl
X-CUA
X-Fastly-Backend-Reqs
X-Backend-Host
Warning
X-Esi
X-Lb-Nocache
X-B3-Traceid-Primal
X-Dynatrace
X-Fragments
X-Platform-Cluster
XServer
X-Platform-Router
X-ATG-Version
ServerName
Cf-Device-Type
X-App
Target-Params
X-Edge-POP
Tracecode
X-Platform-Processor
X-HostName
Dt-Hot-News
X-MG-S
PICS-Label
Lfy
X-ElasticPress-Query
X-Newrelic-App-Data
X-Azure-Ref-OriginShield
X-Var-Ttl
X-HITS
Section-Io-Id
Section-Io-Origin-Status
X-Sucuri-ID
X-Sucuri-Cache
X-Yottaa-OS
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
X-Fastly-Backend
CF-Cached-On
X-FC-Vary-Parameters
Inserted-Into-Cache-At
X-Request-Url
D-Url-Rewrites
X-Request-URL
X-Cache-Expires
X-Serial
X-Iplb-Instance
X-Varnish-Beresp-Status
X-Dw-Trace-Id
X-Bip
X-Akamai-Request-ID
X-CF-Powered-By
X-Iplb-Request-Id
X-Thanos
X-Vcache
X-Nc
Cf-Ipcountry
X-LiteSpeed-Cache-Control
DT-Hot-News
Cdn-Uid
Cdn-Cachedat
Cdn-Edgestorageid
Cdn-Cache
Wp-Super-Cache
Servedby
Cdn-Pullzone
Cdn-Requestcountrycode
Cdn-Requestid
X-Vercel-Id
X-Wp-Cf-Super-Cache
True-Client-Ip
X-Wp-Cf-Super-Cache-Cache-Control
X-Vercel-Cache
X-Fastly-Cache-Hits
Content-Style-Type
X-Release
CountryCode
X-Snapshot-Date
X-BBC-Origin-Response-Status
X-Li-Proto
Magicmarker
X-Dist-Code
Content-Script-Type
X-Back
Ngx
X-Backend-State
X-NU-AKA-ACS-Version
X-Storefront-Renderer-Verified
X-Th-Server
Cneonction
Fastcgi-Cache-Ttl