Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
Content-Length
X-Frame-Options
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
X-Powered-By
Pragma
CF-Cache-Status
Link
ETag
Expect-CT
Via
Age
X-Cache
X-XSS-Protection
CF-RAY
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-Xss-Protection
X-Cache-Hits
Referrer-Policy
X-Amz-Cf-Pop
CF-Ray
X-Amz-Cf-Id
P3P
X-UA-Compatible
X-Served-By
Alt-Svc
X-Varnish
X-Request-Id
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-FRAME-OPTIONS
X-Drupal-Cache
X-Check
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Cacheable
X-Permitted-Cross-Domain-Policies
X-DNS-Prefetch-Control
X-Generator
X-Cache-Status
P3p
X-Ua-Compatible
Timing-Allow-Origin
X-Iinfo
X-Template
X-Language
Status
Upgrade
X-AspNetMvc-Version
X-Content-Security-Policy
X-CDN
X-Buckets
Content-Encoding
Access-Control-Expose-Headers
X-Request-ID
Access-Control-Max-Age
X-Kinja-Server-Push
Keep-Alive
X-Via
X-Turbo-Charged-By
X-AH-Environment
X-Envoy-Upstream-Service-Time
X-Drupal-Dynamic-Cache
X-Cache-Group
X-Pass-Why
X-Ws-Request-Id
X-Backend
X-Age
X-Server
EagleId
X-Proxy-Cache
X-Amz-Id-2
X-Amz-Request-Id
X-Robots-Tag
Xkey
X-Page-Speed
X-Hacker
X-Server-Powered-By
Feature-Policy
X-Pingback
Server-Timing
Request-Context
X-Swift-SaveTime
X-Swift-CacheTime
X-Nginx-Cache-Status
Ali-Swift-Global-Savetime
Grace
X-Varnish-Cache
X-UA-Device
X-Amz-Version-Id
Cf-Railgun
Report-To
X-OneAgent-JS-Injection
X-LiteSpeed-Cache
X-Rq
X-Server-Id
X-Device
X-Origin-Cache
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Vhost
EagleEye-TraceId
X-Host
X-Backend-Server
X-Node
X-Response-Time
X-Dispatcher
X-Ac
NEL
X-Cache-Lookup
X-WebKit-CSP
X-Origin-Upstream-Status
X-Readtime
Surrogate-Control
Request-Id
Content-Location
X-Ruxit-JS-Agent
X-Application-Context
Fusion-Source
Fusion-Content-Source
Fusion-Template-Id
Fusion-Component-Id
Fusion-Content-Id
X-HW
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
X-DataDome
X-Cnection
X-Country
X-Mod-Pagespeed
X-Akam-SW-Version
X-Url
Edge-Control
X-Cloud-Trace-Context
Rating
X-Rack-Cache
X-Clacks-Overhead
RTSS
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-FTR-Request-ID
X-PC
X-TtlSet
X-Vname
X-Goog-Hash
X-Country-Code
X-ASPNET-VERSION
X-DynaTrace
X-Instart-Request-ID
X-Varnish-TTL
Service-Worker-Allowed
X-Dns-Prefetch-Control
Verso
X-GitHub-Request-Id
Allow
Content-MD5
Fusion-Deployment-Id
X-D2id
X-MS-InvokeApp
X-Kinja-Server
X-Server-Name
X-GoogleNews-Bot
X-Exp-Id
X-Cdn-Fetch
X-Exp-Variant
X-Kinja
X-Kinja-Build
X-Kinja-Revision
X-Use-Magma
X-Ttl
X-ESI
Pinterest-Generated-By
Accept-CH
SPRequestGuid
X-Cached
X-Navigation-Version
X-Powered-By-Plesk
X-Forwarded-Proto
X-Vcache
X-Trace
TCN
X-Abt-Application-Version
X-Amz-Server-Side-Encryption
X-Amz-Rid
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-TEC-API-VERSION
Public-Key-Pins
X-SharePointHealthScore
X-Fastly-Request-ID
Nginx-Cache
X-Debug
X-MSEdge-Ref
X-Vcap-Request-Id
Accept-CH-Lifetime
X-B3-TraceId
X-VARITI-CCR
Arr-Disable-Session-Affinity
Charset
MS-Author-Via
SPRequestDuration
SPIisLatency
X-Accel-Expires
X-Cache-TTL
X-NF-Request-ID
X-Px
X-Middleton-Response
Pagespeed
Display
X-Middleton-Display
Response
Realpath
X-Content-Type
X-Fastcgi-Cache
X-Sol
X-DynaTrace-JS-Agent
Edge-Cache-Tag
NR-ENABLED
X-Ser
X-Client-IP
Cache-Tag
X-SRCache-Store-Status
X-SRCache-Fetch-Status
Front-End-Https
Access-Control-Request-Method
S
X-Powered-CMS
X-Version
X-Id
X-Webkit-Csp
X-Grace
Pinterest-Version
X-Pinterest-Rid
X-Jurisdiction
X-Hp-Webp
AR-ATIME
AR-Request-ID
AR-PoweredBy
X-Upstream
X-Hits
X-T
X-Element-Page-Cache
X-Amz-Meta-S3cmd-Attrs
X-Content-Digest
X-Forwarded-For
X-Shield-Request-Id
X-Dw-Request-Base-Id
DynaTrace
X-Mrf-Section-Lastmod
Accept-Ch
Mrf-Cache-Status
X-Mrf-Item-Lastmod
MRF-Tech
X-B3-TraceId-Primal
WPE-Backend
X-Server-ID
AR-CACHE
Ar-Sid
Fastcgi-Cache
X-Node-Name
X-Aspnet-Version
ServerID
X-Cache-Hit
X-Mobile-URL
X-Recruiting
X-FTR-Balancer
X-FTR-Backend-Server
X-FTR-Backend
X-FTR-Realm
X-Country-Code-Real
X-FTR-Cache-Status
X-FTR-DC
X-GUploader-UploadID
X-Goog-Storage-Class
X-Goog-Generation
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Goog-Metageneration
Server-Node
PB-RID
Powered
PB-PID
TP-L2-Cache
X-HS-Hub-Id
X-HS-Content-Id
X-Correlation-Id
X-Frontend
TP-Cache
X-HS-Cache-Config
AMP-Access-Control-Allow-Source-Origin
Accept-Ch-Lifetime
X-FTR-Expires
Arc-Version
X-Mobile-Rewrite
X-DIS-Request-ID
X-Request-Processing-Time
X-Request-Received
Upgrade-Insecure-Requests
Refresh
X-Shard
X-Ezoic-Cdn
X-HS-Combine-CSS
Alternate-Protocol
X-Amzn-Trace-Id
X-NWS-LOG-UUID
X-XRDS-Location
Server-Name
X-Microsite
X-Request-Handler-Origin-Region
X-Logged-In
X-Varnish-Age
Fastly-Restarts
Host-Header
X-Geo-Country
X-Page-Id
X-FTR-Cache-Host
X-LB-Cache
X-F-Cache
X-Akamai-Edgescape
X-B
X-N
X-Rid
X-User-Agent
Backend-Timing
X-ATS-Timestamp
X-Aspnetmvc-Version
X-Content-Security-Policy-Report-Only
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
MicrosoftSharePointTeamServices
X-XRDS-LOCATION
X-Via-JSL
Healthy
X-Zen-Fury
X-Kinsta-Cache
X-ORACLE-APMCS-TAG
Host
X-ORACLE-APMCS-REQUEST-ID
X-Varnish-Grace
X-Origin-Server
Cache-Status
X-Request-Guid
Fastcgi-Useragent
X-Content-Options
X-TTL
X-Hostname
X-TT
X-B-Cache
X-ATG-Version
X-Git-Hash
X-Instance
X-Signature
X-App-Environment
X-Whom
Section-Io-Cache
X-AOL-HN
X-B3-Sampled
X-FB-Debug
X-Jobs
X-Cache-Action
X-Revision
X-Varnish-Backend
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Type
X-Tumblr-User
X-Amz-Replication-Status
X-Cache-Key
Paypal-Debug-Id
X-Debug-Info
Access-Control-Allow-Method
Actual-Object-TTL
Frame-Options
X-WebKit-CSP-Report-Only
X-Cluster
X-Seen-By
X-Cache-Age
X-Cache-Rule
Trailer
X-Cache-Operation
Liferay-Portal
X-Content-Powered-By
X-Endurance-Cache-Level
X-Contextid
X-SERVER
X-FastCGI-Cache
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Tt-Trace-Host
X-Amzn-Requestid
X-Amz-Apigw-Id
X-Tt-Trace-Tag
Tracecode
Source
X-Az
X-Activity-Id
X-AppVersion
X-PHP-Backend
X-FireWall-Port
X-Host-Name
X-Daa-Tunnel
X-Framework
X-WA-Info
X-IPLB-Instance
X-Presslabs-Stats
Retry-After
X-Upgrade-Enabled
Xserver
Accept-Charset
X-Mobile
X-Accel-Buffering
X-Response-Served-From
X-Cached-By
NGB
DC
From-Origin
X-RemovedCookies
X-ProcessESI
X-UUID
X-Is-Bot
X-Rendered-As
Srv
X-FW-Hash
X-FW-Serve
X-FW-Type
X-FW-Static
X-Cacheable-TTL
Surrogate-Key
Payment
X-Adobe-Content
X-Adobe-Loc
X-FW-Server
X-Srv
X-GeoIP
Eomportal-Instance
X-Cache-NE
X-Region
X-Handled-By
X-Environment-Context
X-Tumblr-Pixel-1
X-L-Path
X-RequestSource
X-Varnish-Server
X-Tumblr-Pixel-2
X-UA-Device-Type
Filters
VIX-Pulpo-Upstream-Status
X-Origin-Response-Time
VIX-Pulpo-Node
X-RateLimit-Remaining
X-Time-Microsecs
X-Varnish-Hostname
X-Wix-Request-Id
X-Cache-TTL-Remaining
X-Unique-Id
X-Proxy
X-APP-VERSION
Nel
Filterid
X-Webkit-CSP
X-NGENIX-Cache
X-EdgeConnect-Cache-Status
X-Cache-Server
X-Esi
X-Backend-Name
Datacenter
MS-CV
X-Akamai-Transformed
Server-Info
X-Cache-Time
X-Cache-Control
X-TIME
X-Cache-2
Version
Cache-Tv-Group
X-Status
X-B3-Traceid
X-Cache-Enabled
X-Mode
S-Cnection
X-Yottaa-Optimizations
X-Yottaa-Metrics
GEO-INFO
X-Oss-Object-Type
X-Oss-Hash-Crc64ecma
X-ES-SERVER
X-Oss-Request-Id
X-Oss-Server-Time
X-Oss-Storage-Class
Meta-Geo
X-CCM
X-Cache-Var-Map
X-Path-Route
X-Cache-Var
X-IP
Ec-Rule-Version
X-TNCMS
X-RN-RSRV
Webserver
X-Detected-As
X-Loop
Cache-Tags
X-Say-TTL
X-Hl-Ver
X-Say-Cacheable
X-PERF
Cleartype
Country
X-Human
X-Redis-Cache
X-Real-IP
X-FW-Dynamic
X-Via-Fastly
X-Debug-Cache
X-Forwarded-Host
X-FC-Vary-Parameters
S-Rt
X-Web-Node
X-ApacheServer
X-Ua-Device
X-Adobe-Source
ServedBy
OT-Force-Account-Verify
X-SayCDN-TTL
X-TX-ID
X-R9-Blue-Green-Version
X-Proto
TWC-Locale-Group
X-RCS-CacheZone
X-Cache-Status-Check
Section-Origin-Responded
X-Akamai-Request-ID2
X-Goog-Meta-Goog-Reserved-File-Mtime
X-BYPASS-REASON
X-Cache-Config
X-AWS-Id
X-Generated
X-Alternate-Cache-Key
X-ProxyCache-Key
Access-Control-Request-Headers
X-ProxyCache-Status
X-Device-Type
Content-Disposition
X-Locale
X-Proxy-Cache-Status
NGX
X-EIG-Tracking-Id
X-LJ-Flow-ID
Section-Io-Origin-Status
Cache-Key
Section-Io-Id
Section-Io-Origin-Time-Seconds
X-Sorting-Hat-ShopId
Decoy-Debug-TTL
Decoy-Debug-Status
X-VWS-Id
Now
X-Vgn-Hpd-Reason
TWC-GeoIP-LatLong
Property-Id
Origin-Cache-Control
Decoy-Debug-Key
Cache-Hits
Webcakes-App-Name
TWC-Privacy
DB-Nickname
Akamai-GRN
Webcakes-App-Version
X-Pubstack
X-Amzn-Remapped-Content-Length
Webcakes-Region
X-Hosted-By
Origin-Edge-Control
X-ShopId
X-Tb
X-Shopify-Generated-Cart-Token
X-Origin
X-ShardId
TWC-Connection-Speed
X-ServerID
X-Shopify-Stage
TWC-Device-Class
X-Origin-Hint
X-Site-Version
X-Sorting-Hat-PodId
TWC-GeoIP-Country
X-Soup
X-Content-Age
Azure-Version
X-Proxy-Build
Azure-SiteName
X-Format
X-FB-TRIP-ID
X-MP-GENERATED-AT
X-JoinUs
X-NCache
Azure-SlotName
X-Www-Served-By
X-Cache-Remote
Cross-Origin-Window-Policy
X-Timing-Wait
Mn-Server-Ip
X-Request-Time
X-HTML-Minification-Powered-By
Odigeo-Trace-Id
X-SaId
X-Routing-Service
Azure-RegionName
Selected-Fe
Azure-InstanceId
X-Proxied
X-BCube-Filmed-By
X-Zipkin-Id
X-NYM-Debug-Backend
X-Section
X-Access
X-Xfnlog-Site
X-CST
Node
X-Viewer-Country
X-Cdn
X-Geo
X-Rule
X-No-Session
X-Cache-NGX
X-Varnish-Hits
X-Akamai-Request-ID
X-Pad
X-Microcachable
X-IPS-LoggedIn
X-EC-Lua
X-Generated-By
X-PressLabs-Stats
X-NewRelic-App-Data
Accept-Language
X-Drupal-Cache-Tags
X-Backend-TTL
X-Dc
Cf-Ipcountry
Time
X-From
X-CF-Powered-By
X-Amzn-RequestId
X-Azure-Ref
X-NWS-UUID-VERIFY
X-Uri
X-RTag
Ms-Operation-Id
X-Source
X-CACHE-KEY
FilterID
User-Agent
X-Old-Content-Length
X-RateLimit-Limit
X-PHP-Host
X-Labrador-Cache-Channel
X-NC
X-PCL
X-Qloud-Router
X-VCT
X-OCL
Uber-Trace-Id
X-Cache-Grace
X-Varnish-Cache-Hits
X-GoCache-CacheStatus
Cache-Name
Proxy-Connection
X-Nginx-Cache
X-App-Server
X-SS-Set-Cookie
X-Hyper-Cache
X-CS
X-Newrelic-Synthetics
X-Drupal-Cache-Contexts
X-Info
ServerName
VivaBuild
Fastcgi-X-Cache-Version
Arc-Country
BehaviorPad-Version
AsisCache
GEO-REGION-INFO
True-Client-Country-4JS
T-Server
Viewtype
A
Apple-News-Services-Parsed-Url
Apple-News-Services-Host
Apple-News-Services-Request-Url
Machine
Meta-Geo-Continent
Mobile-Detection-Method
Rendered-Blocks
MD5-Digest
Request-Country
Apple-News-Services-Handled
X-A
Request-EU
X-Cdn-Srv
X-Rojux
X-S
X-S-Cookie
X-ScT
X-Rocket-Nginx-Bypass
X-Rewrite-Enabled
X-Reboot
X-Region-Sid
X-Request-URI
X-Request-UUID
X-Session-Fingerprint
X-SRCache-Key
X-VG-WebServer
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Xc-Version
X-VG-WebCache
X-Vdms-Version
X-Transaction
X-Trv-Group
X-Twitter-Response-Tags
X-Processor
X-PAYTM-SRV-ID
X-Aed
X-Application
X-ARC
X-B-Cookie
X-Accel-Expires-Debug
X-A-Wwc
X-A-Dam
X-A-Dcw
X-A-Dgt
X-Edge-Location
X-CF-Lambda-Fn
X-DPWN-IS-SECURE
X-External-Request-Id
X-G
X-GeoIP-Country-Code
X-Destination
X-Date
X-CF-Lambda-Version
X-Connection-Hash
X-D
X-A-Ccd
X-Developer
X-Storage
Cache
X-Varnish-Ttl
User-Cache-Control
X-MCACHE
X-Edge
X-UA
X-Cluster-Name
X-Gen-Mode
X-DevSite-Last-Modified
X-Geo-Header
X-Hnp-Log
X-IN-APIGATEWAY
X-Has-Esi
X-GeoIP-City
X-Core-Value
X-Generated-On
X-Cache-Expired-At
Thinkindot-CacheControl
Thinkindot-CacheControl-Type
Server-Host
Rt-Fastcgi-Cache
PFcat
Thinkindot-Control
Viewport
X-IN-APIGATEWAYSSL
X-Block-Status
X-Backend-State
Web-Mar-Node
X-Cdn-Origin
X-Li-Fabric
X-Trafficlayer-App-Name
X-Trafficlayer-App-Scope
X-Thinkindot-L3
X-Sn-Servicetimems
X-Slack-Backend
X-Trafficlayer-App-Version
X-VG-TLSProxy
X-FW-Version
X-Cache-Bucket
Memcached
X-VServer
X-ServiceProvider
X-Servername
X-Li-Pop
N-Cache
X-Level-Front-Cache
X-JWT-State
X-LI-Proto
X-LI-UUID
X-Served-From
X-Request-Host
X-OVcl
X-Matched-Rule
X-Is-Gdpr
X-OVcl-Cache
Content-Script-Type
Content-Style-Type
Cache-Cookie-Set-Lfrom
Cache-Cookie-Set-From
Cache-Cookie-Set-Idcheck
X-Magnolia-Registration
X-Varnish-Beresp-Status
X-Varnish-Beresp-Grace
X-S-Maxage
X-Time
X-Epic-Correlation-Id
X-Distributor
X-Cache-Info
X-Backend-Host
X-BBXSRF
X-Cache-ASPX
X-Auto-Login
X-Fetched-On
X-Gamma-Serve
Cache-Host
X-Generated-In
SD-X-WS
Server-Cache-Control
CDCHOST
X-Distil-CS
Server-Surrogate-Control
X-Eu-Site
X-Device-Os
X-Cms-Context
X-Fastly-Cache
X-Core-Mission
X-Debug-Cache-Store
X-Cluster-Node
X-Clientip
X-Irp-Debug
X-Fmm-Version
X-CGP
X-CUA
X-Debug-Cache-Fetch
X-Clara-WADP
X-Cache-URL
X-Dispatch
X-Developers
X-Contensis-Viewer-Groups
X-Debug-Cookies
X-Debug-Log
X-Trace-Id
X-Dispatcher-Server
Gh-Request-Id
X-Variation
X-Var-Ttl
X-Urbn-Site-Id
FNAC-ModuleRouting
X-Varnish-Cacheable
X-Rocket-Build-Number
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
X-Req
X-Scheme
X-Urbn-Context-Path
X-SN
X-Swa-Ws
X-Thanos
X-Skip-Cache
X-SIPLIST1
X-TT-TIMESTAMP
X-Sigma
X-Sigma-Backend
X-RateLimit-Remaining-Second
X-RateLimit-Limit-Second
AKAMAI
Adler-Geo
X-Logging-Id
X-Ms-Request-Id
X-LAGOON
X-Instart-Isnd
X-Cache-Tags
X-Hash
X-WebServer
X-Ms-Version
X-Nginx-Cache-Key
X-Platform-Server
X-VC-Cache
X-Proxy-Upstream
X-Owner
X-Origin-Expires
X-NodeID
X-NX-Host
X-Origin-Date
On-Server
X-Debug-Cache-Expiry
V-Age
Countrycode
Fastly-Drupal-HTML
Server-ID
RNT-Machine
Fastly-SIE
W
We-Hiring
Wxu-Next-Region
X-Instart-Info
Wxu-Next-Hostname
Wxu-Next-Commit
Country-Code
X-Micro-Cache
Platform
Heartbleed
Is-Eu
HA-Ipaddr
Ha-Gx-Prefs
Group
IsBot
Kp-EeAlive
Mail-Subject
Fastly-SWR
Locid
Locale
L5d-Success-Class
X-Wikidot-Static-Cache
RNT-Time
X-App-Name
X-Varnish-Authentication
X-Agile-Id
X-Agile-Age
X-TrackingId
X-Server-W
X-Cache-FS-Status
X-Bip
X-Bc-Bl
X-Agile
X-Tumblr-Pixel-3
X-WADP-Cache
X-Wikidot-Backend
X-Webstats-RespID
X-We-Are-Hiring
X-APP
X-Response-By
Proxy-Firewall
X-UnsetCookies
X-Hit
X-Generation-Time
X-C
Geo-Info
X-CDN-Forward
X-Sucuri-ID
X-Varnish-Beresp-Ttl
Vix-Hermes-Req-Id
X-Pinterest-Direct
X-ECACHE
X-RESPONSE-TIME
X-Refresh
X-CSRF-Token
X-Mid
X-Node-Id
Powered-By-ChinaCache
X-CLOUD-TRACE-CONTEXT
X-Nc
Request-Time
X-Cache-PHP
Mime-Version
CF-Cached-On
X-TA-CDN-Provider
X-Vdms-Path
Pramga
X-Lb-Id
NM-Fastcgi-Cache
X-VCache
M-TraceId
Cloudfront-Viewer-Country
X-Parent-Response-Time
X-ND-Cache
X-B3-Spanid
X-Service
Pagetype
HitType
X-Varnish-URL
X-Ratelimit-Remaining
X-Pjax-Url
Server-Ext
Server-Hostname
Sever-Int
Origin
X-Load-Cache
PICS-Label
Environment
X-Wa
X-MSEdge-Flight
X-MSEdge-Features
HostName
X-FPC
X-Method
X-Ua
X-Be
X-DC
X-ECache
X-BACKEND-TTL
X-Via-PopV
X-Via-PopH
X-App-Version
X-Worker
X-Protected-By
Geoip-Latitude
Magicmarker
Geoip-City
Fastly-Backend-Name
X-Envoy-Upstream-Healthchecked-Cluster
X-Wix-Viewer-Type
GeoIp-Country-Code
X-Up
X-Branch-Name
X-Request-Start
X-HS-Status
X-FORWARDED-FOR
X-C-Zone
X-C-Key
X-Policy
X-Origin-TTL
Memory
X-Origin-CC
Hostname
Dt-Cache-Category
X-CSRF-TOKEN
X-URL
X-Newrelic-App-Data
X-SRV
X-Zone
X-Planisys-CDN-Cache
X-Planisys-CDN-Rules
X-Myra-Origin2
X-Planisys-CDN-TTL
X-Cdn-Forward
X-Bc
NtCoent-Length
X-Azure-Ref-OriginShield
X-Server-Time
Pragrma
X-Edge-Server
TTL
Esi-Enabled
Cdn-Request-Time
Cdn-Host
X-Litespeed-Cache
X-TT-LOGID
X-Referer
X-Servedbyhost
X-Cache-Metadata
Cteonnt-Length
X-GEO
X-Edge-O15-RID
X-Ratelimit-Limit
X-VCL-Version
Cdn
X-Reqid
X-Correlation-ID
Who
X-Vcl-Version
X-Dynatrace-Js-Agent
SRV
Lb
X-NU-AKA-ACS-Version
Resin-Trace
Release
X-Oneagent-Js-Injection
Cdnsip
X-ServedByHost
X-Cache-Host
X-AK-Request-ID
X-Via-Ucdn
Ttl
Cdncip
X-SERVER-NAME
X-SVT-ORM-VERSION
X-Fastly-Country-Code
X-ZONE
X-SVT-ORM-RULES
X-BC
X-Country-IP
UCS
X-Pf-Uncompressing
Load-Balancing
XServer
X-NGINX-Cache
CACHE
GeoIP-Country-Code
Product
X-Air-Hostname
Ohc-File-Size
X-Swift-Error
X-Tec-Api-Origin
X-Tec-Api-Root
X-Tec-Api-Version
X-Configured-By
GeoIP-City
X-Cache-Id
X-Esi-Check
X-AIR-PT
GeoIP-Latitude
X-Ruxit-Js-Agent
Sid
X-Datadome
RequestId
X-COUNTRY
X-Gzip
X-TH-Server
Dnion-Transfer-Encoding
X-Node-ID
X-Cache-Debug
Ohc-Cache-HIT
IBM-Web2-Location
FSS-Cache
Pics-Label
X-Fpc
X-WA
X-Server-IP
X-Tb-Optimization-Total-Bytes-Saved
MIME-Version
X-VarnishDD-TTL
X-WPE-Loopback-Upstream-Addr
X-B3-SpanId
LB
C-Via
X-Svr
X-Varnish-Url
X-RAMCache
Server-Int
X-Powered-Y
X-PJAX-URL
X-BE
Lfy
X-Fastly-Backend-Reqs
X-Ocache
X-Fastly-Request-Id
X-Varnish-Beresp-TTL
Powered-By
X-SD-PageType
X-MID
X-Location
X-LiteSpeed-Cache-Control
X-PF-Uncompressing
Warning
My-App
X-Apw-Access-Object
X-Apw-Access-Action
X-Apw-Access-Token
X-Apw-Hits
X-Unique-ID
X-Nananana
X-Page-Impression-Id
X-Mvc-Supplant-Cachable
X-ElasticPress-Search
X-Zalando-Child-Request-Id
Fastly-SSL
X-Flow-Id
Xet-Cookie
X-Sucuri-Cache
Amp-Access-Control-Allow-Source-Origin
X-Agile-Brick-Ok
X-UPSTREAM-Address
Requestid
Fastly-Soc-X-Request-Id
CF-IPCountry
X-DI
X-DSS
X-DW
X-RPM
X-ElasticPress-Query
X-Cache-Backend
X-RSL
X-RPS
X-Aicache-OS
X-Action
CDN
X-B3-Parentspanid
X-Debug-Revision
X-Debug-Controller
L
X-Check-Cacheable
X-Compress-Hint
X-DB
X-Sucuri-Id
URI
FSS-Proxy
X-Dw-Trace-Id
X-Mvc-Supplant-OutputCached
CloudFront-Viewer-Country
X-MiniProfiler-Ids
X-LB-ID
DataCenter
X-Fastly-Cache-Hits
X-ABtesting
X-Hello
X-Request-Url
X-Request-URL
Cneonction
X-Flog
SN