Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
CF-RAY
Cf-Request-Id
CF-Cache-Status
Accept-Ranges
Link
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
Report-To
NEL
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
P3P
X-UA-Compatible
Alt-Svc
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Request-Id
X-Varnish
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Check
X-Cacheable
Timing-Allow-Origin
X-FRAME-OPTIONS
Feature-Policy
X-Content-Security-Policy
X-Iinfo
X-Request-ID
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-CDN
Access-Control-Expose-Headers
X-Drupal-Dynamic-Cache
X-AspNetMvc-Version
X-CONTENT-TYPE-OPTIONS
Upgrade
X-Via
X-XSS-PROTECTION
X-Ws-Request-Id
Access-Control-Max-Age
Server-Timing
P3p
X-Cache-Group
X-Turbo-Charged-By
EagleId
X-Backend
Keep-Alive
Request-Context
X-Age
X-Robots-Tag
X-Server
X-Dns-Prefetch-Control
X-AH-Environment
X-UA-Device
X-Proxy-Cache
Host-Header
X-Amz-Request-Id
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Swift-CacheTime
X-Swift-SaveTime
X-Server-Powered-By
Ali-Swift-Global-Savetime
X-Varnish-Cache
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
CONTENT-SECURITY-POLICY
EagleEye-TraceId
X-Dispatcher
X-Nginx-Cache-Status
X-OneAgent-JS-Injection
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-WebKit-CSP
X-Cache-Spec
X-Device
Cf-Railgun
X-Page-Speed
X-Host
Allow
X-Node
X-Akamai-Path-Stats
X-Pingback
Accept-CH
X-Backend-Server
Surrogate-Control
X-Server-Id
X-Aws-Lambda-Call-Status
X-CST
Request-Id
X-Akam-SW-Version
X-Readtime
X-HW
X-Cache-Lookup
X-Response-Time
Accept-CH-Lifetime
X-Application-Context
Xkey
Content-Location
X-ASPNET-VERSION
X-Cloud-Trace-Context
Rating
X-Ua-Compatible
X-Trace
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Url
X-Country
Cf-Edge-Cache
Fastly-Restarts
Accept-Ch-Lifetime
X-TtlSet
X-PC
X-Vname
X-Ruxit-JS-Agent
X-Mod-Pagespeed
X-Server-Name
X-MS-InvokeApp
X-Rack-Cache
X-Clacks-Overhead
Edge-Control
X-Content-Type
RTSS
X-Varnish-TTL
X-ESI
X-VARITI-CCR
Cache-Tag
X-Vcap-Request-Id
X-Px
X-B3-TraceId
X-Ac
X-Kinja-Build
X-Kinja
X-GoogleNews-Bot
X-Cdn-Fetch
X-Exp-Variant
X-Kinja-Revision
X-Use-Magma
X-Amz-Rid
X-Exp-Id
X-Kinja-Server
Public-Key-Pins
X-Cnection
X-Dw-Request-Base-Id
X-Element-Page-Cache
Verso
X-D2id
X-Cache-TTL
X-Amz-Server-Side-Encryption
X-RateLimit-Remaining
X-Navigation-Version
Accept-Ch
X-Abt-Application-Version
X-Client-IP
X-Powered-By-Plesk
Service-Worker-Allowed
X-FastCGI-Cache
X-Webkit-Csp
X-Sol
X-Middleton-Display
X-Country-Code
Pagespeed
X-GitHub-Request-Id
Display
X-Ser
X-Ruxit-Js-Agent
X-Version
Arr-Disable-Session-Affinity
Access-Control-Request-Method
X-NF-Request-ID
X-Middleton-Response
Response
X-Goog-Hash
X-Edge
X-Upstream
X-Correlation-Id
AR-SID
AR-CACHE
AR-ATIME
AR-PoweredBy
AR-Request-ID
X-Kinsta-Cache
X-Edge-Location-Klb
X-Ttl
X-Cached
MS-Author-Via
X-TTL
X-LLID
X-Instrumentation
X-Kraken-Loop-Name
SPIisLatency
X-Server-Lifecycle-Phase
SPRequestDuration
Nginx-Cache
X-NWS-LOG-UUID
X-Powered-CMS
X-RateLimit-Limit
TCN
Edge-Cache-Tag
X-Cache-Key
Mrf-Cache-Status
MRF-Tech
X-Litespeed-Cache
X-MSEdge-Ref
X-Forwarded-For
X-SharePointHealthScore
SPRequestGuid
X-B3-TraceId-Primal
Content-MD5
X-Shield-Request-Id
X-Id
X-Content-Security-Policy-Report-Only
X-T
X-Daa-Tunnel
X-Server-ID
X-Recruiting
S
X-Mg-S
X-Language
X-Protected-By
X-Content-Digest
X-HP-Webp
X-HP-Trace-Id
X-Jurisdiction
X-Ua-Device
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
X-DataDome
X-Frontend
X-HS-Content-Id
X-HS-Cache-Config
X-HS-Hub-Id
X-Yandex-Sdch-Disable
X-Ab
X-Ua-Browser
X-Content
Server-Node
X-HS-Combine-CSS
X-Request-Received
Front-End-Https
X-Ezoic-Cdn
X-Request-Processing-Time
X-TEC-API-VERSION
X-TEC-API-ROOT
Filters
X-TEC-API-ORIGIN
MicrosoftSharePointTeamServices
X-Grace
Fastcgi-Cache
X-Accel-Expires
X-Mid
X-Template
Pinterest-Version
X-Geo-Country
X-Pinterest-Rid
Pinterest-Generated-By
X-Hits
X-Ratelimit-Reset
X-Debug-Info
X-Origin-Server
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Amzn-Trace-Id
X-Distributor
TP-L2-Cache
TP-Cache
Charset
X-ECACHE
Cleartype
X-Page-Id
Host
X-Git-Hash
X-DIS-Request-ID
X-B3-Sampled
X-Www-Served-By
Cross-Origin-Opener-Policy
X-DynaTrace
X-F-Cache
X-PressLabs-Stats
ServerID
Cache-Tags
X-Kong-Upstream-Latency
X-LB-Cache
X-Kong-Proxy-Latency
X-Forwarded-Proto
Access-Control-Allow-Method
Server-Name
X-Cache-Age
Realpath
X-Seen-By
X-Cluster-Name
X-Az
X-Origin-Cache
X-AppVersion
X-Activity-Id
X-WebKit-CSP-Report-Only
X-MCACHE
X-Aspnetmvc-Version
X-Varnish-Age
Accept-Charset
X-Rid
Filterid
X-Content-Options
X-Type
X-Upgrade-Enabled
Cache-Status
X-Mobile-URL
X-Request-Handler-Origin-Region
X-Microsite
X-App-Environment
X-FB-Debug
X-Via-JSL
Viewport
X-Varnish-Grace
Node
Country
X-User-Agent
X-Tb
X-Wix-Request-Id
X-B-Cache
DC
X-Drupal-Cache-Tags
X-Aspnet-Duration-Ms
X-Request-Guid
X-Signature
X-Whom
X-Route-Name
X-Flags
Paypal-Debug-Id
X-Is-Crawler
X-Providence-Cookie
X-TT
X-NWS-UUID-VERIFY
X-Goog-Storage-Class
X-Oracle-Dms-Ecid
X-Goog-Stored-Content-Length
X-GUploader-UploadID
X-VCache
X-Goog-Metageneration
X-Goog-Stored-Content-Encoding
X-Goog-Generation
Protected
Fastcgi-Useragent
X-Fastly-Request-Id
X-XRDS-LOCATION
X-Oracle-Dms-Rid
X-Nginx-Upstream-Cache-Status
X-Varnish-Backend
Retry-After
X-Contextid
Payment
X-Amz-Replication-Status
X-Cache-NGX
X-B
X-Fastly-Request-ID
X-Debug
X-N
X-Fastcgi-Cache
X-FW-Serve
X-FW-Type
X-FW-Static
X-FW-Server
X-FW-Hash
X-FW-Dynamic
X-Logged-In
X-Parallel-Accel
X-XRDS-Location
WPO-Cache-Message
X-Hostname
WPO-Cache-Status
X-Load-Cache
Surrogate-Key
X-B3-Traceid
Amp-Access-Control-Allow-Source-Origin
X-Buckets
X-Cache-Control
X-Node-Name
X-Erf-Bev-Bev-Is-Generated
X-Browser-Type
X-Erf-Bev-Bev
Count-Hit
SD-X-WS
X-Mobile
X-Trace-Id
X-Original-Request-Id
X-Response-Served-From
Akamai-GRN
X-Proxy
X-Akamai-Request-ID2
X-Cache-Rule
X-Cache-Time
X-UUID
X-Real-IP
X-Rendered-As
X-Revision
X-G
X-IPLB-Instance
X-Is-Bot
X-Zen-Fury
Refresh
VIX-Pulpo-Upstream-Status
Uber-Trace-Id
VIX-Pulpo-Node
X-Cacheable-TTL
X-Http-Reason
X-Framework
Alternate-Protocol
X-Page-View
X-Jobs
Healthy
X-Yottaa-Optimizations
X-Proxy-Cache-Status
X-Yottaa-Metrics
X-Vgn-Hpd-Reason
NGB
X-Debug-IsPreview
X-Debug-IsConnected
X-Device-Type
X-Instance
X-Drupal-Cache-Contexts
X-Cache-TTL-Remaining
Access-Control-Request-Headers
From-Origin
Content-Disposition
X-Adobe-Loc
X-Adobe-Content
X-Amz-Meta-S3cmd-Attrs
X-Source
Url
X-Servername
X-ECache
X-Cache-Expired-At
X-Cache-Grace
Version
Referer-Policy
Accept-Language
X-Cache-Hit
X-Varnish-Server
X-App-Server
X-Oneagent-Js-Injection
X-Ratelimit-Remaining
X-FW-Version
X-L-Path
X-Environment-Context
X-EdgeConnect-Cache-Status
X-Mcache
X-Cache-Action
X-Mg-Request-UUID
X-NGENIX-Cache
Countrycode
Permissions-Policy
X-RTag
Ms-Operation-Id
MS-CV
Cross-Origin-Window-Policy
X-Tumblr-User
X-Tumblr-Pixel-1
X-IPS-LoggedIn
X-ProcessESI
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-RemovedCookies
X-Hyper-Cache
X-Restarts
CF-IPCountry
Backend
X-Rule
X-NYM-Debug-Backend
Content-Secure-Policy
Liferay-Portal
Ec-Rule-Version
X-COUNTRY
WP-Super-Cache
X-PCL
X-Nginx-Cache
X-UPSTREAM-Address
X-RN-RSRV
X-OCL
X-Redis-Cache
X-Cache-Server
X-Unique-Id
Upgrade-Insecure-Requests
Meta-Geo
X-Access
X-Cache-Enabled
X-Ua
X-Mode
X-FB-TRIP-ID
X-Section
X-HTML-Minification-Powered-By
X-Generation-Time
X-No-Session
X-Cluster-Node
X-Format
X-Detected-As
Cache-Tv-Group
X-Content-Age
Frame-Options
Azure-SiteName
Apigw-Requestid
Azure-InstanceId
Azure-RegionName
Webcakes-App-Version
X-Site-Version
X-Server-W
X-Generated-By
X-SayCDN-TTL
X-Web-Node
X-Via-Fastly
X-Urbn-Context-Path
X-Urbn-Site-Id
X-Varnish-Cache-Hits
X-Say-TTL
X-Hosted-By
X-PERF
X-Origin-Hint
X-Origin-Date
X-PHP-Backend
X-Region
X-Human
X-Say-Cacheable
X-Request-Time
X-Sql-Count
X-Be
S-Rt
TWC-Connection-Speed
TWC-GeoIP-Country
TWC-GeoIP-LatLong
Property-Id
Mn-Server-Ip
Azure-Version
Fastly-SSL
Locale
TWC-Locale-Group
TWC-Privacy
X-Sql-Duration-Ms
X-AOL-HN
X-ApacheServer
X-UA-Device-Type
X-Akamai-Edgescape
Webcakes-App-Name
Webcakes-Region
X-Storage
Azure-SlotName
TWC-Device-Class
Section-Io-Cache
X-Cache-Operation
X-Accel-Buffering
CDN-Cache
CDN-CachedAt
X-Cache-Tags
X-Debug-Cache
CDN-EdgeStorageId
X-Content-Powered-By
X-Status
CDN-RequestCountryCode
Eomportal-Instance
X-Xfnlog-Site
X-BYPASS-REASON
CDN-Uid
X-Uri
CDN-RequestId
CDN-PullZone
X-Cache-Type
X-Nginx-Cache-Key
X-ProxyCache-Key
X-Platform-Server
X-Forwarded-Host
X-ProxyCache-Status
X-Backend-Name
X-SaId
X-Varnishpool
X-Extlb
X-Routing-Service
X-Alternate-Cache-Key
X-Proxied
X-Sorting-Hat-PodId
X-Zipkin-Id
X-Shopify-Stage
X-Cache-Host
X-ShardId
X-NewRelic-App-Data
X-Sorting-Hat-ShopId
X-Hl-Ver
X-JoinUs
X-ShopId
X-ServerID
X-Tid
X-Timing-Wait
X-Cache-Remote
Selected-Fe
ServedBy
X-Webkit-CSP
X-Proxy-Build
X-Adobe-Source
X-Rewrite-Enabled
X-Ratelimit-Limit
X-APP-VERSION
X-Handled-By
Xserver
X-Dc
Webserver
SRV
X-Soup
X-Pubstack
X-GG-Cache-Date
X-Locale
X-PHP-Host
X-Labrador-Cache-Channel
X-LSADC-Cache
SID
X-Datadome
X-VWS-Id
X-LJ-Flow-ID
X-AWS-Id
LB
X-VC-Cache
X-Cached-By
X-App-Version
Mime-Version
Fastly-Drupal-Html
Country-Code
X-CDN-Forward
X-TT-LOGID
Decoy-Debug-TTL
Decoy-Debug-Key
Decoy-Debug-Status
X-Microcachable
X-GEO
X-Request-Host
Web-Mar-Node
X-Edge-Location
X-Reqid
X-Proto
X-Storefront-Renderer-Rendered
X-Ms-Request-Id
Onion-Location
X-Origin-CC
X-Ms-Version
X-Origin-TTL
X-Tec-Api-Origin
Xet-Cookie
X-Tec-Api-Root
X-Tec-Api-Version
Server-Info
X-NCache
X-Varnish-Hostname
X-TA-CDN-Provider
X-Air-Trace-Id
X-Air-Source
X-Air-Hostname
X-MP-GENERATED-AT
X-Tumblr-Pixel-2
X-R9-Blue-Green-Version
X-TIME
DynaTrace
X-Tumblr-Pixel-3
Cache-Hits
X-Bc-Bl
X-SRV
X-Cms-Context
Cache-Name
X-Cluster
X-Varnish-Beresp-Grace
X-Azure-Ref
X-CSRF-Token
X-Varnish-Hits
X-Amz-Apigw-Id
DB-Nickname
X-Amzn-RequestId
X-RCS-CacheZone
X-Endurance-Cache-Level
X-Origin-Response-Time
Load-Balancing
X-HS-Content-Campaign-Id
X-GeoCode
X-GeoCountry
X-LAGOON
X-Men
X-Ig-Push-State
X-From
X-Conf
X-Connection-Hash
X-CF-Lambda-Version
X-CF-Lambda-Fn
X-Cdn-Srv
T-Server
Surrogated-Key
Pramga
Odigeo-Trace-Id
Rendered-Blocks
X-D
Sslversion
X-Cache-NE
X-A
X-Application
X-AK-Request-ID
X-ARC
X-Cache-Bucket
X-B-Cookie
X-Cache-Id
X-Aed
X-A-Dam
X-A-Ccd
X-A-Dcw
X-A-Dgt
X-A-Wwc
X-Destination
NM-Fastcgi-Cache
Cmstype
Cmsid
DCR-Decision-By
DCR-Processing-Time-Ms
Expiry
X-Geo-Header
Cdnsip
A
X-Hash
BehaviorPad-Version
X-Gzip
Cdncip
X-Ftr-Request-Id
Fastcgi-X-Cache-Version
X-Ec-Fail
Lang
Meta-Geo-Continent
Mobile-Detection-Method
X-Developer
X-Ec-GeoHdr
X-Epic-Correlation-Id
X-Forwarded-Path
X-External-Request-Id
Host-ID
X-Esi-Check
X-Envoy-Decorator-Operation
X-Magnolia-Registration
X-B3-SpanId
X-VG-WebCache
X-Rojux
X-Vdms-Version
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Xc-Version
X-Processor
X-Webstats-RespID
X-S-Cookie
X-ScT
X-Vdms-Path
X-TIM-N
X-TrackingId
X-User
X-Tenant
X-SRCache-Key
X-SD-PageType
X-Session-Fingerprint
X-Shop-Environment
X-Via-NSCOPI
X-S
X-PAYTM-SRV-ID
X-NAPM-TraceId
X-Orig-Expires
X-PBS-Appsvrname
X-NodeID
Environment
X-Tx-Id
X-DPWN-IS-SECURE
Mail-Subject
Memcached
X-DI
X-Developers
X-Device-Os
X-SVT-ORM-RULES
X-Nyt-Route
X-DSS
X-Old-Content-Length
Is-Eu
Web-Mar-Region
X-Fastly-Cache
X-Fetched-On
X-Sigma
X-Sigma-Backend
X-DW
X-SVT-ORM-VERSION
Vix-Hermes-Req-Id
X-Slack-Backend
We-Hiring
Machine
X-DefHash
X-Varnish-CookieINHashed-On
State
Ssr
X-Core-Value
Svr
X-Variation
X-Ckpd-Fst-Backend
X-Clara-WADP
X-Varnish-CookieHashed-On
X-Core-Mission
X-Varnish-Remaining-TTL
Server-Host
X-DB
X-DefElseHash
X-Fmm-Version
X-Node-Id
X-Date
User-Cache-Control
X-Mvc-Supplant-Cachable
X-TNCMS
Platform
GEO-INFO
X-Server-IP
X-Accel-Expires-Debug
X-Cache-Info
X-Hnp-Log
X-Planisys-CDN-Cache
X-Request-URI
Adler-Geo
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
Apple-News-Services-Handled
AKAMAI
X-WADP-Cache
X-Amzn-Remapped-Content-Length
X-Is-Gdpr
X-JWT-State
X-Worker
X-Cache-Backend
X-Planisys-CDN-TTL
X-Wix-Viewer-Type
X-Planisys-CDN-Rules
X-Varnish-Ttl
X-Irp-Debug
X-Has-Esi
Apple-News-Services-Host
X-Gen-Mode
X-Origin-Expires
X-Viewer-Country
X-RSL
X-Gdpr
Wxu-Next-Region
Wxu-Next-Hostname
X-Block-Status
X-Scheme
X-Origin
Fastly-GeoIP-CountryCode
X-Loop
X-VG-TLSProxy
X-Location
X-Rocket-Build-Number
X-GeoIP
Wxu-Next-Commit
X-Origin-Time
X-RPS
X-RPM
Cache
CDN
X-TraceId
Producers
X-CGP
X-VServer
X-Cdn-Origin
X-VarnishDD-TTL
X-Cache-Date
X-Eu-Site
X-RateLimit-Limit-Second
X-Httpd
X-RateLimit-Remaining-Second
X-Rebelmouse-Cache-Control
X-HN
X-Rebelmouse-Surrogate-Control
X-Qloud-Router
X-Proxy-Upstream
X-Loc
X-Platform
X-Level-Front-Cache
X-Pod-Name
X-Proxy-Cache-Info
X-Policy
X-Region-Sid
X-Response-By
X-Thinkindot-L3
X-Sn-Servicetimems
X-Datadog-Trace-Id
X-Datadog-Sampling-Priority
X-Csrf-Jwt
X-Datadog-Parent-Id
X-Skip-Cache
X-Minions-Version
X-Rocket-Nginx-Serving-Static
X-GeoIP-City
X-Generated-On
X-Gamma-Serve
X-Forwarded-Site
X-Served-From
X-V-Cache
X-Branch-Name
Redirect-Candidate
PFcat
Origin-EX
Release
Req-Svc-Chain
TDXMobile
Gh-Request-Id
Kp-EeAlive
Origin-CC
Origin
Locid
L5d-Success-Class
L
HA-Ipaddr
Source
Arc-Country
Ha-Gx-Prefs
N-Cache
Thinkindot-CacheControl
X-Tt-Logid
X-Aicache-OS
Thinkindot-CacheControl-Type
V-Age
Cluster
CloudFront-Viewer-Country
X-Auto-Login
CDCHOST
Fastcgi-Cache-TTL
X-BBC-Edge-Cache-Status
Fastly-SWR
Thinkindot-Control
Traceparent
X-Akamai-Transformed
Fastly-SIE
Fusion-Deployment-Id
Fusion-Source
Fusion-Content-Source
Fusion-Template-Id
X-EC-Lua
Fusion-Content-Id
Fusion-Component-Id
X-GeoIP-Region-Code
DSUID
X-Optimistic-Header
X-GeoIP-Country-Code
NGX
HostName
X-SB
X-Parent-Response-Time
X-Midtier
AMP-Access-Control-Allow-Source-Origin
X-Ec-Custom-Error
X-Pool
X-WP-CF-Super-Cache-Cache-Control
X-WP-CF-Super-Cache
X-NC
X-Presslabs-Stats
X-Cache-Debug
X-API-Version
X-ZONE
X-CacheTTL
X-Srv
X-CS
X-Tb-Optimization-Total-Bytes-Saved
X-Refresh
Env
X-Owner
MD5-Digest
Pics-Label
X-Udemy-Cache-App-Namespace
X-LB-NoCache
Servername
X-Dispatcher-Number
X-Ah-Environment
X-Mvc-Supplant-OutputCached
Time
CacheControlHeader
X-Edge-Pop
Memory
Ms-Author-Via
X-Newrelic-Synthetics
Server-Ext
X-Via-Ucdn
X-Time
X-TH-Server
Sever-Int
X-SIPLIST1
IsBot
Server-Hostname
X-Scale
True-Client-Country-4JS
X-Action
X-Generated-In
X-Backend-TTL
Geo-Info
X-VC
GeoIp-Country-Code
X-Vc
X-Xrds-Location
FSS-Cache
X-S-Maxage
X-Via-Popn
X-Via-Poph
Ohc-File-Size
X-Wikidot-Static-Cache
X-Via-Popv
X-Wikidot-Backend
X-IPLB-Request-ID
X-Servedbyhost
X-Amz-Meta-Cb-Modifiedtime
X-Varnish-Beresp-TTL
Candidate-Md5Url
Client
Cache-Key
Datacenter
X-CACHE-KEY
X-Ad-Defer-Variation
X-HA-Backend
Geoip-Latitude
X-Req
Edge-Cache
X-BCube-Filmed-By
X-RateLimit-Reset
X-VCL-Version
X-Contensis-Viewer-Groups
VNS-Cache
X-SplitTest
X-Origin-Upstream-Status
XM
VNS-Age
CPC-Cache
X-Cache-ASPX
X-Cs
CPC-Age
My-App
X-WA-Info
X-Dynatrace
X-Provided-By
X-Zone
Fastly-Backend-Name
X-Varnish-Authentication
ITXSESSIONID
Hostname
X-VHOST
DataCenter
X-Trace-ID
Server-ID
X-Up
X-Micro-Cache
Path
X-DC
X-AIR-PT
X-Cache-Status-Check
X-LB-ID
Ohc-Cache-HIT
X-FireWall-Port
NtCoent-Length
OT-Force-Account-Verify
Cache-Host
X-TX-ID
X-B3-Spanid
X-Pass-Why
X-Fpc
X-Li-Fabric
X-Li-Pop
X-LI-UUID
Lb
X-FPC
Ngx.Var.Host
True-Client-IP
X-Webkit-Csp-Report-Only
X-UnsetCookies
X-ND-Cache
X-NGINX-Cache
Test
X-CSRF-TOKEN
XkeyRZ
X-Proxy-CacheRZ
X-CUA
X-Clientip
X-Traceid
X-Varnish-Beresp-Ttl
X-Time-Microsecs
Cf-Int-Pingora-Origin-Digest
X-Fragments
X-Api-Version
X-RAMCache
Server-Id
Cf-Device-Type
Tracecode
Powered-By
Target-Params
X-Correlation-ID
X-Azure-Ref-OriginShield
Proxy-Connection
X-Beluga-Node
X-Beluga-Cache-Status
User-Agent
X-Beluga-Record
X-Beluga-Response-Time
X-Beluga-Status
X-Beluga-Trace
X-Var-Ttl
X-Sucuri-ID
X-ATG-Version
X-Webkit-CSP-Report-Only
X-Sucuri-Cache
X-Vcl-Version
X-FC-Vary-Parameters
X-Cdn-Request-ID
X-Fastly-Backend
Lfy
X-Via-PopV
X-Via-PopN
Uri
X-MSEdge-Features
X-MSEdge-Flight
X-Via-PopH
X-Ha-Backend
X-DynaTrace-JS-Agent
Sid
X-CLOUD-TRACE-CONTEXT
X-INCAP-ABP
X-M-Log
X-Platform-Cluster
X-Li-Proto
X-Dmc
X-NU-AKA-ACS-Version
X-URL
X-ServedByHost
Resin-Trace
X-Qnm-Cache
X-Platform-Processor
X-M-Reqid
X-Platform-Router
X-Varnish-Beresp-Status
X-Geo
X-HS-Status
X-Backend-State
X-Fastly-Backend-Reqs
X-Render-Time
X-Cdn-Forward
WZWS-RAY
GeoIP-Latitude
Magicmarker
GeoIP-Country-Code
MIME-Version
X-Check-Cacheable
X-Akamai-Pragma-Client-IP
X-Backend-Host
X-Request-Start
X-Fetch-By
X-Proxy-Cache-Hk
X-Hcs-Proxy-Type
C-Via
X-CCDN-CacheTTL
Epwk-X-Cache
Srvid
X-LI-Proto
X-CCDN-Origin-Time
Rip
X-Alfa-Service
X-TRACE-ID
Fastly-Drupal-HTML
X-Service
X-Gateway-Cache-Key
X-Gateway-Skip-Cache
X-Gateway-Request-Id
X-Gateway-Cache-Status
Click-Count-Error
X-Thanos
Tube-Get-Contents
Tube-Return
ENV
Tube-Got-Results
X-Bip
Tube-Got-Eval
Click-Count-Action-Start
Cdn
X-LiteSpeed-Cache-Control
X-Esi
WebServer
X-Edge-POP
X-Cache-CFC
X-App
XServer
X-Cache-Expires
X-B3-Traceid-Primal
X-Lb-Nocache
X-ElasticPress-Query
Server-Ttl
Esi-Enabled
PICS-Label
HIT
ServerName
X-Srcache-Fetch-Status
X-MG-S
X-Srcache-Store-Status
On-Server
M-TraceId
X-Cache-Config
X-Yottaa-OS
Section-Io-Origin-Time-Seconds
Tcn
Section-Origin-Responded
CF-Cached-On
X-Newrelic-App-Data
Section-Io-Id
Section-Io-Origin-Status
X-Acquia-Purge-Tags
D-Url-Rewrites
Wpo-Cache-Status
X-Acquia-Application-UUID
X-Acquia-Application-Trace
X-BBC-Origin-Response-Status
Srv
Wpo-Cache-Message
X-Vcache
X-Acquia-Site
Cf-Ipcountry
X-Serial
X-Nc
Inserted-Into-Cache-At
Servedby
X-HostName
Warning
X-Wp-Cf-Super-Cache
X-Fastly-Cache-Hits
X-Wp-Cf-Super-Cache-Cache-Control
X-LiteSpeed-Tag
X-Shopify-Generated-Cart-Token
X-APP
X-Akamai-Request-ID
X-Dist-Code
X-Akamai-ERRuleID
X-Akamai-ERPolicy
X-Swift-Error
X-Release
Cteonnt-Length
Fastcgi-Cache-Ttl
CountryCode
X-IN-APIGATEWAY
X-Storefront-Renderer-Verified
X-CF-Powered-By
X-IN-APIGATEWAYSSL
Content-Style-Type
X-Litespeed-Cache-Control
X-Th-Server
Content-Script-Type
X-B3-Parentspanid
X-Snapshot-Date
X-Back
Ngx
Cneonction
X-Dw-Trace-Id
X-Request-URL
X-Request-Url