
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Pragma
X-Powered-By
ETag
Link
Expect-CT
X-XSS-Protection
Via
Age
CF-RAY
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-UA-Compatible
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
P3P
Alt-Svc
X-Served-By
CF-Ray
X-Xss-Protection
X-Timer
X-Varnish
X-Download-Options
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-Check
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Cache-Status
X-Request-ID
X-Generator
P3p
X-Cacheable
X-Kinja-Server-Push
Timing-Allow-Origin
X-DNS-Prefetch-Control
X-Iinfo
X-Content-Security-Policy
Status
X-AspNetMvc-Version
Content-Encoding
Upgrade
X-CDN
X-Drupal-Dynamic-Cache
Access-Control-Max-Age
X-Envoy-Upstream-Service-Time
Access-Control-Expose-Headers
X-Template
X-Language
Keep-Alive
X-Via
X-Ws-Request-Id
Feature-Policy
X-Age
X-Backend
X-Dns-Prefetch-Control
X-Hacker
X-Cache-Group
X-AH-Environment
X-Server
X-Robots-Tag
X-Amz-Request-Id
X-UA-Device
EagleId
X-Amz-Id-2
X-Proxy-Cache
X-Buckets
X-Turbo-Charged-By
Request-Context
X-Server-Powered-By
Server-Timing
Host-Header
X-Nginx-Cache-Status
Grace
Report-To
Xkey
X-Page-Speed
X-Rq
X-OneAgent-JS-Injection
X-Varnish-Cache
X-Pingback
X-LiteSpeed-Cache
X-Swift-CacheTime
X-Swift-SaveTime
Cf-Bgj
Cf-Railgun
Ali-Swift-Global-Savetime
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Vhost
X-Amz-Version-Id
X-Host
X-WebKit-CSP
NEL
X-Dispatcher
X-Device
X-Backend-Server
X-Node
Surrogate-Control
X-Cache-Lookup
X-Ruxit-JS-Agent
X-Response-Time
Content-Location
X-Origin-Cache
Request-Id
X-Server-Id
X-Akam-SW-Version
X-ASPNET-VERSION
X-Ac
Accept-CH-Lifetime
X-Country
EagleEye-TraceId
Accept-CH
X-HW
X-Mod-Pagespeed
Rating
X-Readtime
X-Cloud-Trace-Context
X-ORACLE-DMS-RID
X-ORACLE-DMS-ECID
X-Application-Context
Pinterest-Generated-By
Edge-Control
X-Country-Code
X-DataDome
X-Url
X-Vname
X-PC
X-TtlSet
X-Varnish-TTL
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Origin-Upstream-Status
X-Cnection
Allow
Fusion-Deployment-Id
Fusion-Content-Source
Fusion-Source
Fusion-Template-Id
Fusion-Content-Id
Fusion-Component-Id
X-MS-InvokeApp
X-D2id
X-GitHub-Request-Id
X-Content-Type
X-Clacks-Overhead
X-ESI
X-Abt-Application-Version
X-Pinterest-Rid
Pinterest-Version
X-Trace
X-Navigation-Version
X-Server-Name
X-FTR-Request-ID
X-Vcap-Request-Id
Pagespeed
X-Middleton-Display
X-Sol
Display
X-Middleton-Response
Response
X-Px
Verso
X-Rack-Cache
X-Webkit-CSP
X-DynaTrace
X-Cached
X-B3-TraceId
X-Element-Page-Cache
Service-Worker-Allowed
X-Fastly-Request-ID
MS-Author-Via
X-Client-IP
X-Cache-TTL
Arr-Disable-Session-Affinity
X-Powered-By-Plesk
X-Dw-Request-Base-Id
X-Version
Content-MD5
X-Upstream
X-Forwarded-Proto
AR-ATIME
AR-PoweredBy
AR-CACHE
AR-Request-ID
Accept-Ch
Ar-Sid
X-TTL
X-NF-Request-ID
X-T
X-SharePointHealthScore
SPRequestGuid
Fastly-Restarts
X-Debug
X-VARITI-CCR
X-Server-ID
X-Kinja-Server
X-GoogleNews-Bot
X-Kinja
X-Kinja-Build
X-Use-Magma
X-Kinja-Revision
X-Exp-Variant
X-Cdn-Fetch
X-Exp-Id
X-Jurisdiction
X-XRDS-Location
X-Goog-Hash
Access-Control-Request-Method
X-Powered-CMS
TP-L2-Cache
TP-Cache
X-FastCGI-Cache
X-MSEdge-Ref
X-Content-Digest
X-Ttl
X-Release
X-Edge
X-NWS-LOG-UUID
TCN
S
SPIisLatency
X-CST
SPRequestDuration
RTSS
X-Amz-Rid
X-Pinterest-Direct
X-PressLabs-Stats
Cache-Tag
X-Request-Processing-Time
X-Request-Received
Public-Key-Pins
Fastcgi-Cache
X-Yandex-Sdch-Disable
X-Node-Name
X-Ezoic-Cdn
X-MCACHE
X-Cache-Key
Server-Node
X-Mid
Accept-Ch-Lifetime
X-Accel-Expires
Front-End-Https
X-Amzn-Trace-Id
X-Ratelimit-Remaining
X-Logged-In
X-Cache-Hit
ServerID
X-Ser
X-Request-Handler-Origin-Region
X-Microsite
X-Recruiting
X-Kinsta-Cache
X-Page-Id
X-Origin-Server
Alternate-Protocol
Accept-Charset
Host
X-B
X-B3-TraceId-Primal
MRF-Tech
Mrf-Cache-Status
X-Ratelimit-Limit
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Hostname
X-Mobile-URL
X-Varnish-Age
X-Content-Security-Policy-Report-Only
X-FireWall-Port
Nginx-Cache
X-ECACHE
Filterid
X-DIS-Request-ID
X-FTR-Cache-Status
X-Forwarded-For
X-Country-Code-Real
X-FTR-Balancer
X-FTR-Backend
X-FTR-Backend-Server
X-FTR-Realm
X-FTR-DC
X-FTR-Expires
X-Shield-Request-Id
X-Mg-S
X-Seen-By
Realpath
X-Load-Cache
X-Daa-Tunnel
X-Content-Options
X-Grace
Edge-Cache-Tag
X-Jobs
Akamai-Age-Ms
X-Amz-Server-Side-Encryption
X-Git-Hash
X-F-Cache
X-N
X-LB-Cache
X-Activity-Id
X-AppVersion
X-Az
X-Hits
X-Varnish-Grace
X-Request-Guid
Paypal-Debug-Id
X-Varnish-Backend
X-Type
X-App-Environment
X-Rid
X-HP-Webp
X-Id
Fastcgi-Useragent
X-Zen-Fury
X-Proxy
DynaTrace
X-FB-Debug
MicrosoftSharePointTeamServices
Cache-Tags
Access-Control-Allow-Method
X-Upgrade-Enabled
X-App-Server
Cleartype
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-TEC-API-ROOT
X-WebKit-CSP-Report-Only
X-TEC-API-ORIGIN
X-TEC-API-VERSION
DC
X-Geo-Country
Content-Disposition
X-Akamai-Edgescape
X-Cached-By
X-Content-Powered-By
X-Cache-Operation
X-Cache-Rule
X-Correlation-ID
X-Wix-Request-Id
X-Host-Name
X-Amz-Meta-S3cmd-Attrs
X-Accel-Buffering
AMP-Access-Control-Allow-Source-Origin
X-User-Agent
X-B3-Sampled
X-Response-Served-From
X-Original-Request-Id
X-IPLB-Instance
X-Endurance-Cache-Level
X-Signature
X-Goog-Stored-Content-Encoding
X-Goog-Metageneration
X-Cache-Age
X-Goog-Generation
X-Goog-Stored-Content-Length
X-HS-Cache-Config
X-B-Cache
X-AOL-HN
Healthy
X-HS-Hub-Id
X-HS-Content-Id
X-GUploader-UploadID
X-Goog-Storage-Class
X-VCache
Powered-By-ChinaCache
X-Cacheable-TTL
X-HS-Combine-CSS
X-Distributor
MS-CV
X-UUID
X-Rendered-As
X-Region
X-Ua
X-Is-Bot
Payment
X-FW-Dynamic
NGB
X-Debug-Info
X-FW-Static
X-Whom
X-FW-Hash
X-FW-Server
X-FW-Serve
X-Respond-Thread
Refresh
X-FW-Type
X-HTML-Minification-Powered-By
X-Rule
X-Instance
Datacenter
X-Cache-Time
X-Mobile
X-Amzn-RequestId
X-Frontend
X-Amz-Apigw-Id
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Tumblr-Pixel-2
X-Tumblr-Pixel-1
X-XRDS-LOCATION
Countrycode
PB-PID
PB-RID
Arc-Version
Surrogate-Key
X-Varnish-Server
X-Fastcgi-Cache
X-Tec-Api-Origin
X-Oneagent-Js-Injection
X-Tec-Api-Version
X-Tec-Api-Root
S-Cnection
X-Protected-By
X-PHP-Backend
X-App-Version
X-Backend-Name
X-Acc-Debug-Context
X-Via-JSL
Viewport
X-NewRelic-App-Data
Liferay-Portal
X-Azure-Ref
X-Cache-Server
X-Hyper-Cache
X-Litespeed-Cache
Powered
Filters
X-Hp-Webp
X-Cache-Expired-At
X-WA-Info
Charset
X-Proxy-Cache-Status
Retry-After
Referer-Policy
X-Cache-Control
X-Sucuri-ID
X-Time
X-DynaTrace-JS-Agent
Section-Io-Cache
X-EdgeConnect-Cache-Status
X-Source
X-Amz-Replication-Status
X-Cache-Action
X-ProcessESI
Cache
X-RemovedCookies
X-ES-SERVER
X-RN-RSRV
X-Cache-Var
X-Mode
Eomportal-Instance
X-Real-IP
Meta-Geo
X-Cache-Var-Map
X-Locale
X-CSRF-Token
X-Site-Version
X-From
X-Debug-Cache
X-Framework
Version
X-Xfnlog-Site
X-R9-Blue-Green-Version
X-Qloud-Router
X-L-Path
X-Cache-Host
X-FB-TRIP-ID
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-Time-Microsecs
X-Environment-Context
X-Via-Fastly
X-GeoIP
X-RTag
Mn-Server-Ip
Cache-Tv-Group
Cross-Origin-Window-Policy
Ec-Rule-Version
Ms-Operation-Id
Uber-Trace-Id
FSS-Cache
X-Routing-Service
X-FW-Version
X-Human
X-Server-W
X-TNCMS
X-Cache-TTL-Remaining
X-Zipkin-Id
X-Ratelimit-Reset
X-LJ-Flow-ID
X-Proxied
X-PCL
X-OCL
X-Loop
X-FTR-Cache-Host
X-ProxyCache-Status
X-ProxyCache-Key
X-Cluster
X-VWS-Id
X-AWS-Id
X-BYPASS-REASON
TWC-Connection-Speed
TWC-Device-Class
X-Revision
Webcakes-Region
X-JoinUs
X-Amzn-Remapped-Content-Length
X-Proxy-Build
Webcakes-App-Version
X-NYM-Debug-Backend
TWC-Locale-Group
TWC-Privacy
Webcakes-App-Name
X-Origin-Hint
TWC-GeoIP-LatLong
X-Hl-Ver
X-PHP-Host
TWC-GeoIP-Country
DB-Nickname
X-Labrador-Cache-Channel
Property-Id
X-Generated-By
X-Timing-Wait
X-Status
X-BCube-Filmed-By
X-Handled-By
X-Redis-Cache
X-SaId
Selected-Fe
X-Hosted-By
X-Detected-As
X-Device-Type
X-Air-Hostname
Frame-Options
GEO-INFO
X-Access
X-Be
X-Format
X-Proto
X-Section
X-ServerID
Nel
X-Unique-Id
X-No-Session
X-ATG-Version
X-Cache-PHP
X-Sucuri-Cache
X-Drupal-Cache-Contexts
From-Origin
Webserver
X-Correlation-Id
X-NWS-UUID-VERIFY
X-Varnish-Cache-Hits
Server-Name
X-Contextid
X-TA-CDN-Provider
X-Drupal-Cache-Tags
X-Origin
X-NCache
X-CDN-Forward
CF-Cached-On
OT-Force-Account-Verify
X-EIG-Tracking-Id
X-EC-Lua
X-IPS-LoggedIn
X-Oss-Hash-Crc64ecma
X-Oss-Object-Type
X-Tt-Trace-Tag
X-Adobe-Content
X-Adobe-Loc
X-GoCache-CacheStatus
X-Akamai-Transformed
X-Bc-Bl
X-Tt-Trace-Host
X-Oss-Server-Time
X-Oss-Storage-Class
X-Oss-Request-Id
X-IP
X-AIR-PT
X-Esi
X-ECache
X-TT
X-NC
X-Vgn-Hpd-Variations-Key
X-APP-VERSION
X-Cache-Enabled
X-Vgn-Hpd-Cached
X-Ruxit-Js-Agent
Azure-Version
Azure-SlotName
Azure-SiteName
X-Cache-Backend
Azure-InstanceId
Azure-RegionName
VIX-Pulpo-Upstream-Status
X-Backend-Host
VIX-Pulpo-Node
X-URL
X-Tumblr-Pixel-3
X-Cdn
X-TIME
X-CCM
X-Adobe-Source
SD-X-WS
Access-Control-Request-Headers
Time
X-CACHE-AGE
X-Cache-2
Node
X-Aed
X-Accel-Expires-Debug
X-A-Dgt
X-A-Ccd
X-A
X-A-Dam
X-A-Dcw
X-Application
X-A-Wwc
X-Worker
X-VG-WebCache
X-Connection-Hash
X-D
X-Vdms-Version
X-Vdms-Path
X-Date
X-VG-WebServer
X-Vtex-Processado-Em
X-Cache-NE
X-ARC
X-CF-Lambda-Fn
X-CF-Lambda-Version
X-Vtex-Remote-Cache
Xc-Version
Mobile-Detection-Method
X-Storefront-Renderer-Rendered
Fastcgi-X-Cache-Version
X-Sorting-Hat-ShopId
X-Sorting-Hat-PodId
X-Shopify-Stage
DCR-Processing-Time-Ms
DCR-Decision-By
Apple-News-Services-Request-Url
CloudFront-Viewer-Country
Apple-News-Services-Parsed-Url
Apple-News-Services-Host
Apple-News-Services-Handled
X-ShopId
X-ShardId
MD5-Digest
Machine
Meta-Geo-Continent
Now
Rendered-Blocks
X-Alternate-Cache-Key
X-ApacheServer
X-PERF
X-Pubstack
Host-ID
X-Forwarded-Host
X-Cache-Grace
Surrogated-Key
X-B-Cookie
X-PAYTM-SRV-ID
X-Ms-Version
X-Trv-Group
X-PBS-Appsvrname
X-Transaction
X-RCS-CacheZone
X-External-Request-Id
X-G
X-Processor
X-ScT
X-Twitter-Response-Tags
X-Rewrite-Enabled
X-Request-UUID
X-Ms-Request-Id
X-S-Cookie
X-Destination
X-Rojux
X-S
X-Backend-TTL
X-UA
X-Soup
X-Varnishpool
CDN-EdgeStorageId
CDN-Cache
Cache-Status
Platform
CDN-RequestId
X-Core-Value
CDN-Uid
X-Servername
X-DPWN-IS-SECURE
X-Thanos
X-Microcachable
X-Variation
X-Say-Cacheable
X-Req
X-Method
CDN-CachedAt
X-VG-TLSProxy
X-Say-TTL
X-SayCDN-TTL
X-Varnish-Ttl
Fastly-SSL
Is-Eu
X-Storage
X-Minions-Version
Adler-Geo
CDN-PullZone
X-Envoy-Decorator-Operation
X-Rebelmouse-Surrogate-Control
X-Cache-Bucket
X-Bip
CDN-RequestCountryCode
X-Skip-Cache
X-Cache-Config
Fastly-SWR
X-Up
X-Owner
X-Web-Node
Fastly-SIE
X-Generation-Time
X-Rebelmouse-Cache-Control
X-Viewer-Country
X-Micro-Cache
CACHE
X-Cluster-Name
X-Request-Host
X-OVcl-Cache
X-Render-Time
X-Platform
X-Policy
Country-Code
Fastly-Drupal-HTML
X-NGENIX-Cache
X-OVcl
Gh-Request-Id
Group
Origin
X-Fastly-Backend
X-Auto-Login
X-Backend-State
X-SN
X-Clara-WADP
X-Gamma-Serve
X-Fmm-Version
X-Fastly-Cache
X-Cache-Date
X-Cache-NGX
X-TX-ID
X-VarnishDD-TTL
X-Varnish-Cacheable
X-Dispatcher-Server
X-CUA
X-Edge-Location
X-Clientip
X-Cms-Context
X-Generated-On
X-WADP-Cache
PFcat
Rt-Fastcgi-Cache
Ufe-Result
NM-Fastcgi-Cache
X-Li-Pop
L
Mail-Subject
X-LI-UUID
We-Hiring
Wxu-Next-Commit
X-Slack-Backend
X-HN
X-Hash
X-Level-Front-Cache
X-Li-Fabric
Wxu-Next-Hostname
Wxu-Next-Region
X-Request-Start
X-Core-Mission
Upgrade-Insecure-Requests
X-Ah-Environment
Decoy-Debug-Key
Country
AKAMAI
C-Via
Decoy-Debug-TTL
Decoy-Debug-Status
X-Varnish-Beresp-Status
X-Varnish-Beresp-Grace
Backend
X-Varnish-Beresp-Ttl
FSS-Proxy
X-Amz-Meta-Cb-Modifiedtime
X-Eu-Site
X-Developers
X-Cache-Tags
X-Geo-Header
X-Csrf-Jwt
X-CGP
X-Content-Age
X-JWT-State
X-Old-Content-Length
X-HS-Content-Campaign-Id
X-Gzip
X-Webstats-RespID
X-Wikidot-Backend
X-Platform-Server
X-Wikidot-Static-Cache
X-Cdn-Srv
X-Cache-URL
X-Proxy-Upstream
X-Location
X-Is-Gdpr
X-Reqid
Akamai-GRN
X-Cache-Id
Memcached
X-Has-Esi
X-Esi-Check
L5d-Success-Class
Fastly-Backend-Name
CacheControlHeader
HA-Ipaddr
X-LAGOON
Ha-Gx-Prefs
X-CS
X-Irp-Debug
X-Agile-Id
X-Agile
X-Agile-Age
X-Wa
X-Providence-Cookie
X-Is-Crawler
Pagetype
X-Route-Name
X-Aspnet-Duration-Ms
X-Flags
X-UPSTREAM-Address
X-Varnish-CookieHashed-On
X-Varnish-CookieINHashed-On
X-Varnish-Remaining-TTL
UCS
X-DefHash
X-DefElseHash
X-NODE
HostName
X-LB-ID
X-Aicache-OS
X-Refresh
X-PF-Uncompressing
X-Mvc-Supplant-Cachable
X-B3-Traceid
X-ZONE
X-BC
X-Instart-Request-ID
X-RateLimit-Remaining
X-Branch-Name
X-Cache-Debug
X-Via-Poph
X-Session-Fingerprint
M-TraceId
X-Via-Popn
X-DC
X-Dc
X-Cdn-Forward
X-Debug-Cache-Store
X-LI-Proto
X-Debug-Cache-Fetch
X-Ua-Device
X-Servedbyhost
X-B3-Spanid
Arc-Country
NGX
Cdn-Host
X-Mvc-Supplant-OutputCached
X-Edge-Server
Viewtype
VivaBuild
Cdn-Request-Time
X-Page-View
X-GEO
X-SERVER
X-Ftr-Cache-Host
X-Via-Ucdn
X-RunCloud-Cache
Xserver
Srv
X-Bc
X-Nginx-Cache
X-Zone
X-Varnish-Hostname
X-SERVER-NAME
SRV
X-Request-Time
Hostname
X-Pinterest-Sli-Endpoint-Name
X-Pinterest-Sli-Latency-Threshold
X-Pinterest-Sli-Response-Type
X-APP
Memory
X-Vgn-Hpd-Ssi
X-FPC
X-ORACLE-APMCS-REQUEST-ID
Actual-Object-TTL
X-Action
X-Check-Cacheable
X-LiteSpeed-Cache-Control
X-DI
X-DSS
X-RPS
X-RPM
X-DB
WWW-Authenticate
X-Srv
X-Cs
X-Via-CDN
X-VCL-Version
X-RSL
X-DW
X-NU-AKA-ACS-Version
X-HS-Status
Geo-Info
X-Datadome
X-Unique-ID
X-NGINX-Cache
X-Sql-Count
X-Via-Popv
WebServer
X-UnsetCookies
X-Cluster-Node
X-Sql-Duration-Ms
X-Oss-Cdn-Auth
X-Geo
X-Vcache
Geoip-Latitude
ProcessTime
GeoIp-Country-Code
Sid
X-Akamai-Request-ID2
X-CF-Powered-By
X-Dynatrace-Js-Agent
X-MP-GENERATED-AT
X-Via-SSL
Edge-Copy-Time
X-Via-Edge
X-CSRF-TOKEN
X-Hit
SID
User-Agent
X-We-Are-Hiring
W
Apigw-Requestid
X-Svr
On-Server
XServer
X-SRV
Processtime
X-Epic-Correlation-Id
X-Www-Served-By
GeoIP-Latitude
GeoIP-Country-Code
NtCoent-Length
X-Webkit-CSP-Report-Only
X-FORWARDED-FOR
Amp-Access-Control-Allow-Source-Origin
Server-Info
X-Cache-Remote
X-S-Maxage
Cache-Hits
LB
X-FC-Vary-Parameters
ServedBy
Ohc-File-Size
X-HOST
X-Mobile-Rewrite
S-Rt
T-Server
X-Envoy-Upstream-Healthchecked-Cluster
X-Fpc
X-Nc
X-Presslabs-Stats
X-HITS
X-Fastly-Country-Code
X-Vcl-Version
X-MSEdge-Features
CF-IPCountry
Accept-Language
X-Pass-Why
X-Tb
X-MSEdge-Flight
X-Cache-Hfrom
X-Cache-Hm
Esi-Enabled
X-Pjax-Url
Server-Host
Origin-Cache-Control
A
N-Cache
X-Key
Origin-Edge-Control
Pics-Label
Magicmarker
Cteonnt-Length
Cdn
X-Varnish-Hits
X-COUNTRY
X-CACHE-KEY
Proxy-Firewall
X-ID
X-VC
CDN
Lb
X-SB
X-Dispatch
WZWS-RAY
Ohc-Cache-HIT
Protected
X-Amzn-Remapped-Connection
X-Geo-Region
X-Instart-Info
X-Amzn-Remapped-Date
X-Info
Powered-By
X-StackifyID
X-ServedByHost
HitType
X-Li-Proto
X-RAMCache
X-Via-NSCOPI
X-B3-SpanId
X-LLID
X-Newrelic-App-Data
X-Dynatrace
X-Uri
Server-Ttl
X-TH-Server
Cache-Key
User-Cache-Control
BehaviorPad-Version
X-Akamai-Pragma-Client-IP
X-TT-LOGID
X-Served-From
Fastcgi-Cache-TTL
X-Generated
X-Newrelic-Synthetics
X-Cache-Tag
X-App
Tracecode
X-Lb-Id
X-Via-PopV
X-Via-PopH
X-Erf-Bev-Bev-Is-Generated
X-TrackingId
Ssr
X-Via-PopN
Cache-Provider
X-Erf-Bev-Bev
X-LiteSpeed-Tag
X-Magnolia-Registration
Dnion-Transfer-Encoding
Lfy
Section-Origin-Responded
X-Men
X-WA
X-Agile-Brick-Ok
Odigeo-Trace-Id
X-Tt-Logid
X-Erf-Stays-Bingo-Pdp-Web
Section-Io-Origin-Time-Seconds
X-Batcache
Cache-Name
X-Provided-By
Section-Io-Id
X-Planisys-CDN-Cache
X-Path-Route
X-Scheme
X-Planisys-CDN-TTL
DSUID
X-Planisys-CDN-Rules
Xet-Cookie
Section-Io-Origin-Status
Tcn
X-UA-Device-Type
X-Block-Status
X-Cache-ASPX
X-BBXSRF
X-Azure-Ref-OriginShield
X-Rocket-Build-Number
Release
X-BBC-Edge-Cache-Status
Server-Ext
True-Client-Country-4JS
SR-User-Adfree
Thinkindot-CacheControl
Thinkindot-CacheControl-Type
Thinkindot-Control
V-Age
Vix-Hermes-Req-Id
Server-Hostname
X-Cache-Expires
Server-ID
Web-Mar-Node
Sever-Int
X-API-Version
X-Gen-Mode
X-NodeID
X-Nyt-Route
X-Node-Id
X-Nginx-Cache-Key
X-Matched-Rule
X-Origin-CC
X-Origin-Date
X-Parent-Response-Time
X-Origin-TTL
X-Origin-Time
X-Origin-Expires
X-Loc
X-Hnp-Log
X-Response-By
X-ElasticPress-Query
X-Developer
X-Contensis-Viewer-Groups
X-Cdn-Origin
X-Request-URI
X-Gdpr
X-Goog-Meta-Goog-Reserved-File-Mtime
X-GeoIP-City
X-RateLimit-Remaining-Second
X-SD-PageType
X-Cache-Info
X-SVT-ORM-VERSION
X-Varnish-Url
X-Thinkindot-L3
X-Varnish-Authentication
Cf-Alt-Svc
Path
X-VC-Cache
X-Pf-Uncompressing
Inserted-Into-Cache-At
Who
X-PJAX-URL
X-Traceid
X-Yottaa-OS
X-RateLimit-Limit-Second
X-Trace-Id
X-User
X-VServer
X-HostName
X-SVT-ORM-RULES
X-SRCache-Key
FNAC-ModuleRouting
CDCHOST
X-ServiceProvider
Instruction
IsBot
MIME-Version
Locid
X-Server-IP
X-Sigma
X-Cc-Via
X-SIPLIST1
X-Varnish-Beresp-TTL
X-Sn-Servicetimems
D-Cc-Upstream
X-Sigma-Backend
X-Cc-Req-Id
X-Cache-Spec
X-RateLimit-Limit
X-Selected-Host-Header
X-Acc-Rdl
CountryCode
X-Selected-Name
X-Selected-Scheme
X-Swa-Ws
X-No-Cache
X-BBC-Origin-Response-Status
X-Var-Ttl
Req-Svc-Chain
Pragrma
Mime-Version
X-MiniProfiler-Ids
X-C
X-Origin-Response-Time
PICS-Label
X-Pad
X-Dw-Trace-Id
Content-Style-Type
X-Tid
Content-Script-Type
X-Proxy-Cachei7
Vha6-Origin
X-Vgn-Hpd-Reason
X-Apw-Access-Action
Pramga
Kp-EeAlive
Resin-Trace
X-Device-Os
X-Fetched-On
Cache-Host
X-Snapshot-Date
X-Apw-Access-Token
X-Apw-Access-Object
X-Apw-Hits
X-Request-URL
Source
X-Generated-In