
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
Pragma
CF-RAY
X-Powered-By
Link
ETag
Expect-CT
X-XSS-Protection
Via
CF-Cache-Status
X-Cache
Age
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-UA-Compatible
X-Cache-Hits
P3P
X-Amz-Cf-Pop
X-Amz-Cf-Id
Referrer-Policy
X-Served-By
X-Xss-Protection
X-Request-Id
X-Varnish
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
Alt-Svc
X-Adblock-Key
X-Drupal-Cache
X-Check
X-Cacheable
Content-Security-Policy-Report-Only
X-Generator
X-Permitted-Cross-Domain-Policies
X-Cache-Status
X-DNS-Prefetch-Control
X-AspNetMvc-Version
P3p
X-Template
X-Language
Status
Timing-Allow-Origin
X-Iinfo
Content-Encoding
X-Content-Security-Policy
X-Buckets
Upgrade
X-Kinja-Server-Push
Xkey
X-CDN
X-Via
X-Turbo-Charged-By
Keep-Alive
Access-Control-Expose-Headers
Access-Control-Max-Age
X-Cache-Group
X-Pass-Why
X-AH-Environment
X-Age
X-Drupal-Dynamic-Cache
X-Server
X-Backend
X-Pingback
X-Amz-Id-2
X-Amz-Request-Id
X-Envoy-Upstream-Service-Time
X-Page-Speed
X-Robots-Tag
X-Proxy-Cache
X-Hacker
EagleId
Grace
X-Server-Powered-By
X-UA-Device
Request-Context
X-Varnish-Cache
X-Nginx-Cache-Status
Cf-Railgun
X-Ua-Compatible
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
X-Server-Id
X-WebKit-CSP
Server-Timing
Feature-Policy
X-Device
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Rq
X-Host
Report-To
X-Ac
X-Request-ID
X-OneAgent-JS-Injection
X-Node
Content-Location
X-Cnection
X-Response-Time
X-Backend-Server
X-Cloud-Trace-Context
X-Origin-Cache
X-Application-Context
X-Readtime
Request-Id
Allow
Surrogate-Control
EagleEye-TraceId
X-ORACLE-DMS-ECID
X-Country
X-Vhost
X-DynaTrace
X-TTL
X-Cache-Lookup
X-Origin-Upstream-Status
X-Rack-Cache
X-Url
X-FTR-Request-ID
X-Clacks-Overhead
NEL
Pinterest-Generated-By
Rating
X-ORACLE-DMS-RID
X-Dispatcher
X-EdgeConnect-Origin-MEX-Latency
X-Country-Code
X-EdgeConnect-MidMile-RTT
X-CST
X-Ruxit-JS-Agent
X-HW
X-Cdn
X-Instart-Request-ID
X-Goog-Hash
Fusion-Source
Fusion-Template-Id
Fusion-Content-Source
Fusion-Content-Id
Fusion-Component-Id
X-DataStream-Cache-Status
X-TtlSet
X-Vname
X-PC
X-DataDome
Edge-Control
X-VARITI-CCR
X-Px
Service-Worker-Allowed
Verso
X-MS-InvokeApp
X-Mod-Pagespeed
RTSS
X-Dns-Prefetch-Control
X-Recruiting
X-Exp-Variant
X-Kinja
X-Exp-Id
X-Cdn-Fetch
X-GoogleNews-Bot
X-Kinja-Build
X-Use-Magma
X-Kinja-Server
X-Kinja-Revision
X-Varnish-TTL
X-D2id
SPRequestGuid
X-Vcap-Request-Id
X-ESI
X-Abt-Application-Version
TCN
X-GitHub-Request-Id
X-Amz-Server-Side-Encryption
X-SharePointHealthScore
X-Akam-SW-Version
X-Navigation-Version
X-B3-TraceId
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Powered-By-Plesk
X-Middleton-Response
Response
Display
X-Sol
X-Middleton-Display
MS-Author-Via
X-RateLimit-Remaining
X-Forwarded-Proto
DynaTrace
Realpath
Charset
X-Version
X-Upstream
X-Powered-CMS
Public-Key-Pins
Fastly-Restarts
X-Amz-Rid
ServerID
X-Shield-Request-Id
Nginx-Cache
X-Server-Name
X-Cached
X-Trace
AR-PoweredBy
AR-CACHE
Ar-Sid
AR-ATIME
X-Shard
X-Goog-Metageneration
X-Goog-Stored-Content-Encoding
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-TEC-API-ROOT
X-Goog-Generation
X-Goog-Stored-Content-Length
X-Mrf-Item-Lastmod
X-B3-TraceId-Primal
MRF-Tech
X-Mrf-Section-Lastmod
Mrf-Cache-Status
X-Dw-Request-Base-Id
Content-MD5
Accept-Ch-Lifetime
X-Grace
AR-Request-ID
Pagespeed
Accept-CH
Paypal-Debug-Id
Access-Control-Request-Method
X-MSEdge-Ref
SPIisLatency
X-DynaTrace-JS-Agent
SPRequestDuration
X-Client-IP
Accept-Ch
X-Goog-Storage-Class
X-FTR-Backend
X-FTR-DC
X-FTR-Realm
X-FTR-Expires
X-FTR-Cache-Status
X-FTR-Balancer
X-Country-Code-Real
X-FTR-Backend-Server
X-Debug
S
X-DataStream-MidMile-RTT
X-DataStream-Origin-MEX-Latency
X-Id
X-Ezoic-Cdn
X-Fastly-Request-ID
Front-End-Https
X-Amz-Meta-S3cmd-Attrs
X-FastCGI-Cache
X-T
X-Amzn-Trace-Id
X-NF-Request-ID
Arr-Disable-Session-Affinity
X-N
MicrosoftSharePointTeamServices
X-Content-Type
X-DIS-Request-ID
X-Hits
X-B3-Sampled
Pinterest-Version
X-Pinterest-Rid
X-VCache
X-FTR-Cache-Host
X-Upstream-Proxy
X-Vcache
X-Acc-Meta-Resource-Type
X-Frontend
X-XRDS-Location
X-B3-Traceid
Fastcgi-Cache
X-Logged-In
PB-RID
PB-PID
Arc-Version
X-Mobile-Rewrite
X-Content-Digest
X-Varnish-Age
Server-Name
X-Ser
X-Correlation-Id
X-Srv
Alternate-Protocol
X-Forwarded-For
Nel
X-Node-Name
X-Cache-Key
X-Microsite
X-Request-Handler-Origin-Region
FilterID
X-Pad
Powered
AMP-Access-Control-Allow-Source-Origin
X-User-Agent
X-Rid
X-LB-Cache
X-Type
TP-L2-Cache
X-XRDS-LOCATION
TP-Cache
Healthy
X-Kinsta-Cache
X-IPLB-Instance
X-F-Cache
X-Request-Received
X-Zen-Fury
X-Request-Processing-Time
X-Cache-2
X-Amz-Apigw-Id
X-Amzn-RequestId
Host
X-Revision
Edge-Cache-Tag
X-Via-JSL
X-Debug-Info
X-AOL-HN
X-Kong-Proxy-Latency
X-Analytics
X-Kong-Upstream-Latency
Backend-Timing
X-AppVersion
X-Az
X-Cache-Age
X-Activity-Id
Powered-By-ChinaCache
X-GUploader-UploadID
X-HS-Hub-Id
Accept-CH-Lifetime
X-HS-Content-Id
X-Cached-By
X-Accel-Expires
X-Hostname
X-Cache-Rule
Surrogate-Key
Cache-Status
X-Varnish-Backend
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
X-Jobs
X-Content-Options
X-Server-ID
X-BCube-Filmed-By
Server-Node
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Signature
X-Tumblr-User
X-Instance
X-Page-Id
X-PHP-Backend
X-Content-Security-Policy-Report-Only
X-Forwarded-Host
X-FB-Debug
Cleartype
X-Varnish-Grace
X-B-Cache
X-Cluster
X-Content-Powered-By
X-Request-Guid
X-App-Environment
X-Amz-Replication-Status
X-Akamai-Edgescape
Refresh
X-Fastcgi-Cache
Source
X-TT
X-FW-Type
X-Framework
Liferay-Portal
X-FW-Static
X-FW-Server
X-FW-Hash
X-FW-Serve
X-Time
DC
Accept-Charset
X-ATG-Version
X-RateLimit-Limit
Tracecode
Fastcgi-Useragent
Access-Control-Allow-Method
X-Varnish-Hostname
X-Cache-Action
X-Whom
Host-Header
X-Drupal-Cache-Tags
X-Mobile
X-Cache-Operation
X-Presslabs-Stats
WPE-Backend
X-WA-Info
X-B
X-App-Server
X-Cache-Control
X-Edge-Location
X-APP-VERSION
Retry-After
X-Cache-TTL
Payment
X-Mobile-URL
X-Hp-Webp
X-Response-Served-From
X-Accel-Buffering
NGB
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Content-Age
Cache-Tag
Filters
X-Git-Hash
X-Handled-By
Cache-Tv-Group
Viewport
X-WebKit-CSP-Report-Only
Actual-Object-TTL
X-Storage
X-Cacheable-TTL
Eomportal-Instance
X-NWS-LOG-UUID
X-GeoIP
X-TX-ID
X-Esi
X-TT-TIMESTAMP
X-Cache-Hit
X-RequestSource
X-Tumblr-Pixel-2
MS-CV
Upgrade-Insecure-Requests
X-Tumblr-Pixel-1
X-Adobe-Content
X-Adobe-Loc
X-ProcessESI
X-RemovedCookies
X-Status
X-UA-Device-Type
X-Yottaa-Optimizations
X-Yottaa-Metrics
X-FW-Dynamic
Xserver
X-Ratelimit-Limit
X-Geo-Country
Webserver
X-SS-Set-Cookie
X-VG-WebCache
X-Seen-By
X-TA-CDN-Provider
Ms-Operation-Id
X-RTag
X-Cache-TTL-Remaining
X-Host-Name
X-FB-TRIP-ID
Datacenter
Frame-Options
X-Cache-Enabled
From-Origin
X-Hyper-Cache
X-Origin-Server
Cache
X-B3-Spanid
X-Contextid
X-Generated-By
X-Mode
X-CF-Powered-By
GEO-INFO
Country
X-Drupal-Cache-Contexts
Server-Info
Load-Balancing
Machine
X-Path-Route
X-Timing-Wait
X-ES-SERVER
Meta-Geo
X-Tumblr-Pixel-3
X-Cache-Var-Map
X-Cache-Var
X-RN-RSRV
X-Proxy-Build
Vix-Hermes-Req-Id
X-Access
X-Loop
X-MP-GENERATED-AT
X-Hit
X-Generated
X-Cache-Config
X-Proxied
X-TNCMS
X-Upstream-CT
CACHE
X-Routing-Service
S-Cnection
X-Zipkin-Id
X-Section
X-Varnish-Server
X-Upstream-HT
X-Cluster-Node
Rt-Fastcgi-Cache
X-Varnish-Cache-Hits
X-Human
Mn-Server-Ip
X-Guploader-Uploadid
X-Backend-Name
X-From
X-JoinUs
X-R9-Blue-Green-Version
X-VWS-Id
X-Web-Node
X-Ratelimit-Reset
DSUID
X-AWS-Id
X-Akamai-Request-ID
Now
Decoy-Debug-TTL
Decoy-Debug-Status
X-Goog-Meta-Goog-Reserved-File-Mtime
Cache-Name
Decoy-Debug-Key
X-EIG-Tracking-Id
X-FC-Vary-Parameters
X-RateLimit-Reset
X-Region
X-LJ-Flow-ID
X-Labrador-Cache-Channel
X-Rule
X-Upgrade-Enabled
X-VG-TLSProxy
X-Origin-Response-Time
SRV
X-Viewer-Country
X-Cache-Host
X-OCL
Akamai-GRN
Cache-Key
X-PCL
X-Locale
X-Proto
X-Site-Version
X-Cache-Grace
Release
X-Akamai-Request-ID2
X-Www-Served-By
X-Hosted-By
X-Via-Fastly
X-Trace-Id
X-NCache
X-Debug-Cache
X-Device-Type
X-Shopify-Stage
X-Sorting-Hat-PodId
ServedBy
Mail-Subject
X-ShopId
OT-Force-Account-Verify
X-ShardId
We-Hiring
X-Sorting-Hat-ShopId
X-Alternate-Cache-Key
X-Magnolia-Registration
DB-Nickname
X-Environment-Context
ProcessTime
X-Rendered-As
X-L-Path
X-Endurance-Cache-Level
X-Request-Time
X-NewRelic-App-Data
X-IP
X-Time-Microsecs
X-Xfnlog-Site
X-S
X-CCM
Time
Azure-Version
X-Load-Cache
Property-Id
S-Rt
TWC-GeoIP-Country
TWC-Connection-Speed
Azure-SlotName
Azure-SiteName
X-Dc
NtCoent-Length
X-RCS-CacheZone
Azure-InstanceId
Azure-RegionName
TWC-GeoIP-LatLong
TWC-Device-Class
TWC-Locale-Group
X-Wix-Request-Id
Version
Uber-Trace-Id
X-FW-Version
X-Origin-Hint
TWC-Privacy
Webcakes-App-Name
Webcakes-Region
Webcakes-App-Version
X-VCT
X-Origin
X-Oracle-Dms-Rid
X-Varnish-Hits
X-No-Session
X-EdgeConnect-Cache-Status
X-Proxy
X-Via-CDN
X-Nginx-Cache
Cteonnt-Length
X-FireWall-Port
X-PressLabs-Stats
X-Redis-Cache
X-ProxyCache-Status
X-ProxyCache-Key
X-UUID
X-BYPASS-REASON
X-Akamai-Transformed
NGX
X-CS
X-Vgn-Hpd-Reason
X-Platform-Server
Accept-Language
X-HTML-Minification-Powered-By
X-Daa-Tunnel
X-ApacheServer
X-PERF
X-Format
Odigeo-Trace-Id
X-UA
X-MServer
X-Hl-Ver
X-CDN-Forward
X-Cache-NE
Ec-Rule-Version
X-Rocket-Nginx-Bypass
X-Cache-Server
X-ECACHE
X-UnsetCookies
X-GEO
X-IPS-LoggedIn
Access-Control-Request-Headers
Origin
Selected-Fe
X-Real-IP
Cache-Tags
X-Cache-Remote
X-Distributor
X-Amzn-Remapped-Content-Length
X-Tb
X-ServerID
LB
X-Webkit-Csp
X-Nc
Fastly-SSL
Proxy-Connection
X-Compress-Hint
X-B3-Parentspanid
X-Microcachable
L5d-Success-Class
X-URL
BehaviorPad-Version
Countrycode
Content-Script-Type
X-Worker
X-CF-Lambda-Fn
Mobile-Detection-Method
X-Cdn-Srv
Hostname
X-Trv-Group
Cross-Origin-Window-Policy
X-Geo-Header
Content-Style-Type
Xc-Version
REQUESTUUID
X-Is-Bot
X-Developer
X-B-Cookie
Cache-Cookie-Set-Lfrom
Cdn-Host
Cache-Prefix
Request-Time
X-IN-APIGATEWAY
X-Instart-Info
X-Internal-Host
Cache-Cookie-Set-Idcheck
Rt-Proxy-Cache
X-Destination
X-Cache-Bucket
Cache-Cookie-Set-From
X-Date
X-Generated-On
Server-ID
X-Detected-As
X-Level-Front-Cache
Cdn-Request-Time
Node
Rendered-Blocks
Viewtype
X-Clientip
X-Cluster-Name
GEO-REGION-INFO
X-Server-Time
X-AIR-PT
X-ScT
X-S-Maxage
X-Aed
X-Vtex-Remote-Cache
X-Rewrite-Enabled
X-Rojux
X-S-Cookie
X-External-Request-Id
X-App-Name
X-Edge-Server
X-ARC
X-DPWN-IS-SECURE
X-Twitter-Response-Tags
X-Transaction
X-SVT-ORM-VERSION
Arc-Country
AKAMAI
AsisCache
X-Application
X-SRCache-Key
X-SVT-ORM-RULES
X-Request-UUID
X-Accel-Expires-Debug
X-Org
X-D
MD5-Digest
VivaBuild
X-A-Wwc
X-NU-AKA-ACS-Version
Meta-Geo-Continent
X-VG-WebServer
X-Vtex-Processado-Em
X-G
Fastcgi-X-Cache-Version
X-CF-Lambda-Version
X-Core-Mission
X-PAYTM-SRV-ID
X-A-Dam
X-Region-Sid
X-A-Dcw
X-A-Dgt
X-Unique-ID
Fly-Request-Id
X-A-Ccd
Fly-Cache
X-Varnish-Url
X-A
X-Connection-Hash
A
Served-By
X-BACKEND-TTL
ServerName
Backend-Name
Apple-News-Services-Request-Url
Fastly-SIE
X-Eu-Site
IBM-Web2-Location
Gh-Request-Id
Ha-Gx-Prefs
Fastly-SWR
X-Distil-CS
Content-Disposition
Country-Code
Esi-Enabled
Apple-News-Services-Parsed-Url
X-Fastly-Cache
X-Bip
X-Qloud-Router
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
W
HA-Ipaddr
X-Method
X-Nginx-Cache-Key
X-Server-IP
X-Varnish-Cacheable
X-Thanos
X-TrackingId
X-Auto-Login
X-CGP
X-Pubstack
X-Skip-Cache
X-We-Are-Hiring
X-Backend-State
Request-Country
X-Hash
Request-EU
Proxy-Firewall
Powered-By
Apple-News-Services-Handled
Memcached
X-HS-Cache-Config
X-HS-Combine-CSS
X-Location
X-BBXSRF
UCS
Section-Io-Cache
X-Developers
X-C
Apple-News-Services-Host
Locale
X-Urbn-Site-Id
Origin-Edge-Control
X-SERVER
Origin-Cache-Control
X-Urbn-Context-Path
X-ElasticPress-Search
X-Dynatrace-Js-Agent
X-Webstats-RespID
Server-Host
X-NX-Host
X-Origin-Date
Heartbleed
X-Debug-Cookies
SS
X-Origin-Expires
X-WebServer
X-Debug-Log
Server-Int
X-Variation
X-Reqid
X-Release
X-Request-Start
X-SIPLIST1
X-Servername
X-ServiceProvider
X-Reboot
X-Sn-Servicetimems
X-TH-Server
X-Wikidot-Backend
Wxu-Next-Commit
Wxu-Next-Hostname
Wxu-Next-Region
X-Crawler
X-Cache-Info
Adler-Geo
X-Cdn-Origin
X-Dispatch
X-Cache-Category-Id
On-Server
N-Cache
Fastly-Soc-X-Request-Id
L
X-Epic-Correlation-Id
GW-Server
Is-Eu
IsBot
Kp-EeAlive
X-Key
PFcat
X-Wikidot-Static-Cache
X-Grey
X-Irp-Debug
RNT-Machine
RNT-Time
X-GeoIP-Country-Code
X-GeoIP-City
Platform
X-Device-Os
Pramga
X-Generation-Time
X-Clara-WADP
X-WADP-Cache
X-CDN-Cache
X-VC-Cache
X-Swa-Ws
X-LI-UUID
X-Hnp-Log
X-Li-Fabric
X-Li-Pop
X-Gen-Mode
X-Gannett-Site-Version
X-Dispatcher-Server
X-Fetched-On
X-FPC
X-LI-Proto
X-CUA
X-Request-URI
X-Response-By
X-SD-PageType
X-Proxy-Upstream
X-Cms-Context
X-Owner
X-PHP-Host
X-Proxy-Cache-Status
X-Secret
X-Amz-Meta-Cache-Control
User-Cache-Control
X-Cache-Id
Who
True-Client-Country-4JS
SD-X-WS
CDCHOST
Resin-Trace
X-SERVER-NAME
Web-Mar-Node
X-Azure-Ref-OriginShield
X-Cache-FS-Status
X-Azure-Ref
X-Block-Status
X-Varnish-Ttl
X-OVcl
X-Cache-Backend
X-Matched-Rule
X-ABtesting
Pagetype
X-FE
X-VServer
X-Thinkindot-L3
X-NC
X-CLOUD-TRACE-CONTEXT
X-Pf-Uncompressing
X-OVcl-Cache
X-Flog
X-Hello
Thinkindot-Control
V-Age
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
PageSpeed
User-Agent
X-Edge
CF-IPCountry
X-User
X-Parent-Response-Time
Magicmarker
X-Ratelimit-Remaining
X-Backend-Host
X-Backend-Url
X-Served-From
X-MSEdge-Features
X-Via-NSCOPI
X-GoCache-CacheStatus
Mime-Version
X-Up
X-Be
X-Processor
X-MSEdge-Flight
X-Generated-In
X-Oneagent-Js-Injection
X-Tt-Trace-Tag
X-Soup
X-Geo
X-LAGOON
X-Via-SSL
X-Debug-Cache-Expiry
X-Debug-Cache-Fetch
X-Debug-Cache-Store
X-Via-Edge
Memory
X-Ua
X-Powered-By-Defense
Cache-Hits
X-B3-SpanId
X-Oss-Object-Type
X-Oss-Hash-Crc64ecma
X-Protected-By
X-Varnish-Beresp-Ttl
X-ND-Cache
X-Oss-Storage-Class
X-Newrelic-Synthetics
X-Oss-Server-Time
X-Ttl
X-Oss-Request-Id
X-Backend-TTL
X-Page-Type
X-Check-Cacheable
Geoip-City
Geoip-Latitude
GeoIp-Country-Code
X-Fstrz
X-Zone
X-Akamai-SSL-Client-Sid
X-Say-Cacheable
X-Say-TTL
X-Old-Content-Length
X-SayCDN-TTL
X-Planisys-CDN-Cache
X-ZONE
Pragrma
X-Planisys-CDN-Rules
X-Planisys-CDN-TTL
X-Origin-CC
X-Tec-Api-Version
X-Origin-TTL
X-Cache-Time
X-Tec-Api-Root
X-Tec-Api-Origin
X-Cdn-Forward
WZWS-RAY
X-CSRF-TOKEN
X-Litespeed-Cache
X-DC
Cdn
X-Varnish-Beresp-Status
X-Varnish-Beresp-Grace
X-Core-Value
Inserted-Into-Cache-At
X-IN-WAF
X-Phone
X-IN-APIGATEWAYSSL
X-Logtrace-Id
Ajk
Fastly-Backend-Name
X-Node-Id
X-Cache-Ttl
X-TT-LOGID
X-Aicache-OS
X-Tb-Optimization-Total-Bytes-Saved
X-Vcl-Version
X-Datadome
X-Servedbyhost
X-Ruxit-Js-Agent
Amp-Access-Control-Allow-Source-Origin
Dynatrace
XServer
FSS-Proxy
FSS-Cache
SN
X-BC
X-HS-Status
X-NODE
HostName
X-ServedByHost
X-Amzn-Remapped-Date
X-Amzn-Remapped-Connection
X-RateLimit-Remaining-Second
X-Wa
X-RateLimit-Limit-Second
X-APP
X-VCL-Version
X-UPSTREAM-Address
Srv
X-Mid
X-MID
X-App-Version
X-Varnish-Authentication
Xkeyrz
X-CSRF-Token
Server-Surrogate-Control
X-Contensis-Viewer-Groups
X-Bc
X-Proxy-Cacherz
X-Cache-ASPX
T-Server
CF-Cached-On
Server-Cache-Control
X-Birta-Cache-Post
X-EC-Lua
Selected-FE
X-Birta-Served
X-WR-MODIFICATION
X-GDPR
X-COUNTRY
X-Refresh
PICS-Label
X-LiteSpeed-Cache-Control
X-NWS-UUID-VERIFY
X-Info
X-CACHE-KEY
RequestId
X-PJAX-URL
X-Varnish-Beresp-TTL
X-Varnish-IP
X-Cache-Debug
X-Source
Ohc-File-Size
MIME-Version
GeoIP-Latitude
Cf-Ipcountry
X-Render-Time
X-Agile
GeoIP-City
X-Agile-Id
X-Agile-Age
GeoIP-Country-Code
X-ECache
Ohc-Cache-HIT
WebServer
DataCenter
X-Fastly-Country-Code
HitType
X-FORWARDED-FOR
X-LB-ID
URI
X-Policy
SID
X-Uri
X-Nananana
X-Real-Ip
X-Fastly-Backend-Reqs
Xkeynj
Get-Access-Time
X-Lb-Id
Cache-Provider
X-Unique-Id
X-PAGE-TYPE
X-Via-Ucdn
Is-Session-Tracking
X-Micro-Cache
X-Service
X-BE
X-Cache-Tag
X-Web-Server
X-Requestid
X-Var-Ttl
X-Cache-Miss-From
X-NGINX-Cache
X-Sedo-Request-Id
X-NGENIX-Cache
X-Request-Url
X-JWT-State
Lb
Pics-Label
X-Has-Esi
X-TIME
X-Is-Gdpr
X-GRACE
X-Pjax-Url
Ohc-Response-Time
X-MCACHE
CDN
Cneonction
X-Apw-Access-Token
X-Apw-Hits
X-Vct
X-Apw-Access-Object
X-Apw-Access-Action
Group
X-Dw-Trace-Id
X-SRV
Xet-Cookie
X-Cdn-Request-ID
X-Ecache
FNAC-ModuleRouting
X-PF-Uncompressing
HTTPS
Warning
X-Cf-Powered-By
Correlation-Id
X-SN
Backend
X-Fpc
X-WA
X-Newrelic-App-Data
X-Akamai-ERRuleID
X-Fastly-Cache-Hits
Lfy
X-Akamai-ERPolicy
X-Edge-IP
X-Request-URL
Xkeypdq
X-Litespeed-Cache-Control
X-Fe
X-Flow-Id
X-DSS
X-DI
X-DW
X-RPM
X-RSL
X-RPS
X-DB
X-Swift-Error
X-Serial
X-ServerName
X-Page-Impression-Id
X-Bug-Bounty
X-Zalando-Child-Request-Id
Www