Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
Link
CF-Cache-Status
X-Powered-By
Pragma
ETag
CF-RAY
Expect-CT
X-XSS-Protection
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
P3P
Referrer-Policy
X-Cache-Hits
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Xss-Protection
X-UA-Compatible
X-Served-By
Alt-Svc
X-Varnish
X-Timer
X-Request-Id
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-Check
X-Drupal-Cache
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Permitted-Cross-Domain-Policies
X-Generator
X-Cache-Status
CF-Ray
X-Cacheable
X-DNS-Prefetch-Control
X-Kinja-Server-Push
Timing-Allow-Origin
X-Template
X-Language
X-FRAME-OPTIONS
X-AspNetMvc-Version
X-Ua-Compatible
X-Iinfo
X-Buckets
X-Request-ID
Status
X-Content-Security-Policy
Content-Encoding
Access-Control-Expose-Headers
X-CDN
Upgrade
X-Envoy-Upstream-Service-Time
Access-Control-Max-Age
Keep-Alive
X-Via
X-Drupal-Dynamic-Cache
X-Ws-Request-Id
X-AH-Environment
X-Backend
X-Age
X-Server
X-Turbo-Charged-By
X-Cache-Group
X-Robots-Tag
Feature-Policy
Request-Context
X-Proxy-Cache
Xkey
X-Amz-Request-Id
X-Amz-Id-2
EagleId
X-Hacker
X-Page-Speed
X-UA-Device
X-Server-Powered-By
X-Nginx-Cache-Status
X-Pingback
Grace
Server-Timing
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
X-LiteSpeed-Cache
P3p
Ali-Swift-Global-Savetime
Report-To
X-Amz-Version-Id
X-Server-Id
Cf-Railgun
X-Rq
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-WebKit-CSP
X-OneAgent-JS-Injection
EagleEye-TraceId
X-Dns-Prefetch-Control
X-Origin-Cache
X-Host
Surrogate-Control
X-Device
X-Response-Time
X-Vhost
X-Readtime
X-Ac
X-Cache-Lookup
X-Backend-Server
X-Node
NEL
X-Dispatcher
X-Origin-Upstream-Status
Content-Location
X-HW
Fusion-Component-Id
Fusion-Content-Id
Fusion-Template-Id
Fusion-Content-Source
Fusion-Source
X-Mod-Pagespeed
Request-Id
X-DataDome
X-Application-Context
X-ORACLE-DMS-ECID
X-Akam-SW-Version
Fusion-Deployment-Id
X-ORACLE-DMS-RID
X-Country
Allow
X-Ruxit-JS-Agent
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Cloud-Trace-Context
Accept-CH
Rating
X-Country-Code
X-Cnection
Accept-CH-Lifetime
X-Rack-Cache
Edge-Control
X-Url
RTSS
X-Clacks-Overhead
X-Px
MS-Author-Via
X-FTR-Request-ID
X-TtlSet
X-PC
X-Vname
X-Goog-Hash
Verso
X-Powered-By-Plesk
Host-Header
Service-Worker-Allowed
X-Varnish-TTL
X-GoogleNews-Bot
X-Cdn-Fetch
X-Kinja
X-Exp-Id
X-Exp-Variant
X-Kinja-Build
X-Use-Magma
X-Kinja-Server
X-Kinja-Revision
X-B3-TraceId
Public-Key-Pins
X-GitHub-Request-Id
Arr-Disable-Session-Affinity
X-MS-InvokeApp
X-Amz-Server-Side-Encryption
X-Ttl
X-Forwarded-Proto
Response
X-Middleton-Response
X-Sol
Display
Pagespeed
X-Middleton-Display
X-Cache-TTL
X-DynaTrace
X-Content-Type
X-Cdn
X-D2id
X-Amz-Rid
X-NF-Request-ID
TCN
X-Vcap-Request-Id
X-CST
X-Abt-Application-Version
X-Cached
X-VARITI-CCR
Pinterest-Generated-By
AR-PoweredBy
AR-Request-ID
AR-ATIME
Ar-Sid
AR-CACHE
X-ESI
X-Version
X-Navigation-Version
X-Powered-CMS
X-Upstream
Cache-Tag
X-Fastly-Request-ID
X-Server-Name
X-Grace
X-Debug
X-Instart-Request-ID
Access-Control-Request-Method
X-XRDS-Location
Charset
X-MSEdge-Ref
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-TEC-API-VERSION
Nginx-Cache
Content-MD5
X-Element-Page-Cache
Mrf-Cache-Status
MRF-Tech
X-B3-TraceId-Primal
X-Mrf-Section-Lastmod
X-Mrf-Item-Lastmod
X-Accel-Expires
Realpath
X-Ezoic-Cdn
X-DynaTrace-JS-Agent
SPIisLatency
SPRequestDuration
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Shield-Request-Id
X-SharePointHealthScore
S
SPRequestGuid
Pinterest-Version
X-Pinterest-Rid
X-Hp-Webp
Accept-Ch
X-Jurisdiction
X-Pass-Why
X-Amz-Meta-S3cmd-Attrs
X-Dw-Request-Base-Id
X-Recruiting
X-Id
X-Kinsta-Cache
X-Trace
X-T
Fastcgi-Cache
X-Client-IP
X-Content-Digest
X-Node-Name
X-Logged-In
X-Cache-Key
Accept-Ch-Lifetime
X-NWS-LOG-UUID
TP-Cache
TP-L2-Cache
X-Mobile-URL
X-Oneagent-Js-Injection
X-FastCGI-Cache
X-Hostname
Server-Node
X-Request-Processing-Time
X-Request-Received
X-Frontend
X-Cache-Hit
ServerID
X-Cache-Age
Front-End-Https
X-Amzn-Trace-Id
Fastly-Restarts
X-FTR-Realm
X-FTR-Backend-Server
X-Country-Code-Real
X-FTR-Balancer
X-FTR-Cache-Status
X-FTR-DC
X-FTR-Backend
X-TTL
Edge-Cache-Tag
X-Forwarded-For
X-FTR-Expires
X-Goog-Stored-Content-Length
X-GUploader-UploadID
X-Goog-Stored-Content-Encoding
X-Goog-Metageneration
X-Goog-Generation
X-Goog-Storage-Class
X-Yandex-Sdch-Disable
Powered
Server-Name
PB-PID
Arc-Version
PB-RID
X-Ruxit-Js-Agent
X-Request-Handler-Origin-Region
X-Microsite
X-User-Agent
X-Content-Security-Policy-Report-Only
X-Revision
X-Page-Id
X-DIS-Request-ID
X-Hits
Filters
X-F-Cache
X-Jobs
X-LB-Cache
X-Akamai-Edgescape
X-Zen-Fury
DynaTrace
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-ORACLE-APMCS-TAG
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-ORACLE-APMCS-REQUEST-ID
X-Mobile-Rewrite
X-Fastcgi-Cache
X-HS-Hub-Id
X-HS-Content-Id
X-Origin-Server
X-Content-Powered-By
Alternate-Protocol
X-HS-Cache-Config
X-HS-Combine-CSS
X-Geo-Country
Accept-Charset
AMP-Access-Control-Allow-Source-Origin
X-Varnish-Age
X-Correlation-Id
X-FTR-Cache-Host
X-N
X-Daa-Tunnel
X-B
X-Varnish-Backend
Cache-Tags
X-Rid
X-Esi
X-WebKit-CSP-Report-Only
X-Type
X-Varnish-Grace
Retry-After
X-Amz-Replication-Status
Surrogate-Key
X-Whom
Section-Io-Cache
X-Content-Options
DC
X-Git-Hash
Host
X-B-Cache
X-Signature
X-TT
X-Server-ID
Paypal-Debug-Id
X-FB-Debug
X-App-Environment
X-Request-Guid
X-Via-JSL
X-AppVersion
X-Activity-Id
X-Edge
X-RateLimit-Remaining
X-Az
Backend-Timing
X-Status
X-ATS-Timestamp
MicrosoftSharePointTeamServices
X-Ser
X-Debug-Info
Fastcgi-Useragent
Frame-Options
Actual-Object-TTL
X-IPLB-Instance
X-ATG-Version
X-Webkit-CSP
Healthy
Nel
X-Endurance-Cache-Level
X-App-Server
X-HTML-Minification-Powered-By
X-Contextid
Srv
X-AOL-HN
X-Cache-Action
X-Seen-By
X-Amzn-RequestId
X-ECACHE
X-Pinterest-Direct
X-B3-Sampled
Refresh
From-Origin
X-Amz-Apigw-Id
Access-Control-Allow-Method
X-Upgrade-Enabled
X-Protected-By
X-Response-Served-From
X-Accel-Buffering
X-Cache-Rule
X-Drupal-Cache-Tags
Content-Disposition
X-Tumblr-User
X-Host-Name
X-ProcessESI
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Cache-Operation
X-RemovedCookies
X-Is-Bot
X-MCACHE
X-Region
X-Rendered-As
VIX-Pulpo-Upstream-Status
VIX-Pulpo-Node
X-Cacheable-TTL
Odigeo-Trace-Id
X-Instance
X-Mid
X-WA-Info
X-Release
Payment
X-L-Path
X-Environment-Context
X-UUID
X-FW-Server
X-Varnish-Server
X-FW-Static
X-Rule
X-FW-Type
X-FW-Serve
Eomportal-Instance
X-FW-Dynamic
X-FW-Hash
MS-CV
X-Cache-Time
X-Adobe-Loc
X-Adobe-Content
Countrycode
X-Litespeed-Cache
Datacenter
Source
Uber-Trace-Id
X-Time
X-Proxy
X-Load-Cache
X-Cached-By
X-Akamai-Request-ID2
X-EdgeConnect-Cache-Status
X-Cache-Control
X-Cache-Server
X-UnsetCookies
Xserver
X-Mobile
X-Correlation-ID
X-PHP-Backend
X-GeoIP
Cache-Status
Access-Control-Request-Headers
X-Azure-Ref
X-SERVER-NAME
X-Akamai-Transformed
X-Yottaa-Optimizations
X-Yottaa-Metrics
X-NewRelic-App-Data
X-Tt-Trace-Tag
Accept-Language
X-Tt-Trace-Host
X-Origin-Response-Time
X-PressLabs-Stats
X-Air-Hostname
Version
Filterid
X-NGENIX-Cache
X-Wix-Request-Id
X-Handled-By
X-Mode
Liferay-Portal
X-Cache-NGX
X-NWS-UUID-VERIFY
X-Backend-Name
X-Cluster
X-VCache
X-Framework
X-URL
X-IPS-LoggedIn
Server-Info
X-APP-VERSION
X-Proxied
Meta-Geo
Load-Balancing
X-Cache-Remote
X-Tumblr-Pixel-2
X-Locale
X-Path-Route
X-Tumblr-Pixel-1
X-RN-RSRV
X-Routing-Service
X-Via-Fastly
X-UPSTREAM-Address
X-UA-Device-Type
X-VWS-Id
X-FireWall-Port
Cross-Origin-Window-Policy
X-Zipkin-Id
X-LJ-Flow-ID
X-PERF
X-AWS-Id
NGB
X-ES-SERVER
X-Cache-Var-Map
X-CCM
X-ApacheServer
X-Adobe-Source
X-Cache-Var
X-Real-IP
X-Cache-Status-Check
DSUID
X-Site-Version
X-Viewer-Country
X-TX-ID
ServedBy
X-Www-Served-By
X-Qloud-Router
Cache-Hits
Cache
X-Detected-As
Mn-Server-Ip
X-MP-GENERATED-AT
Section-Io-Id
X-NCache
X-OCL
X-Section
Now
Akamai-GRN
X-Storage
X-Web-Node
Section-Io-Origin-Status
X-Access
X-Human
X-Format
X-SayCDN-TTL
X-IP
Cache-Tv-Group
X-Info
Decoy-Debug-Status
X-Redis-Cache
Section-Io-Origin-Time-Seconds
X-R9-Blue-Green-Version
X-PCL
Decoy-Debug-Key
X-Cache-Config
X-Say-TTL
X-Pubstack
Section-Origin-Responded
X-Say-Cacheable
Cleartype
Cache-Name
Decoy-Debug-TTL
X-Alternate-Cache-Key
Webserver
Webcakes-Region
X-Bc-Bl
X-BYPASS-REASON
X-Cache-Host
X-Cache-Enabled
Webcakes-App-Version
Webcakes-App-Name
TWC-Device-Class
TWC-Connection-Speed
TWC-GeoIP-Country
TWC-GeoIP-LatLong
TWC-Privacy
TWC-Locale-Group
X-CS
X-Device-Type
X-ShopId
X-ServerID
X-ProxyCache-Status
X-Shopify-Stage
X-Sorting-Hat-PodId
X-Varnish-Cache-Hits
X-Sorting-Hat-ShopId
X-ProxyCache-Key
X-PHP-Host
X-FC-Vary-Parameters
X-EIG-Tracking-Id
X-FW-Version
X-Hosted-By
X-Origin-Hint
X-Labrador-Cache-Channel
S-Rt
X-ShardId
X-CSRF-Token
X-Unique-Id
Fastly-SSL
Property-Id
X-Proxy-Build
X-Ua
X-JoinUs
X-SaId
X-Hl-Ver
X-Content-Age
X-Origin
X-FB-TRIP-ID
X-No-Session
X-From
X-NYM-Debug-Backend
X-Loop
X-BCube-Filmed-By
X-TNCMS
X-Timing-Wait
X-Time-Microsecs
Selected-Fe
X-RTag
DB-Nickname
X-Generated
X-Amzn-Remapped-Content-Length
X-RateLimit-Limit
Ms-Operation-Id
Origin-Cache-Control
X-Hyper-Cache
X-XRDS-LOCATION
Azure-SlotName
Azure-RegionName
Ec-Rule-Version
Azure-SiteName
X-Presslabs-Stats
Azure-InstanceId
Azure-Version
X-Geo
X-Cache-2
Apigw-Requestid
X-Drupal-Cache-Contexts
X-Cache-TTL-Remaining
Locale
Time
Origin-Edge-Control
X-Urbn-Site-Id
X-Urbn-Context-Path
X-Xfnlog-Site
SD-X-WS
X-Goog-Meta-Goog-Reserved-File-Mtime
X-Vcache
Country
X-RequestSource
X-EC-Lua
X-Pad
X-Source
X-Old-Content-Length
X-Varnish-Hostname
X-CDN-Forward
Geo-Info
X-Cluster-Node
X-Debug-Cache
User-Agent
X-Soup
X-Backend-TTL
Upgrade-Insecure-Requests
X-Cache-NE
X-Akamai-Request-ID
X-Parent-Response-Time
X-RCS-CacheZone
X-Proto
X-Tb
X-Storefront-Renderer-Rendered
X-Cache-Backend
X-SRV
X-App-Version
Proxy-Connection
X-Cache-PHP
X-NC
X-TA-CDN-Provider
X-Cache-Grace
X-DC
FilterID
X-Proxy-Cache-Status
Cache-Key
X-FORWARDED-FOR
X-Origin-CC
X-Origin-TTL
X-Forwarded-Host
X-B-Cookie
X-ARC
X-A-Dgt
Fastcgi-X-Cache-Version
VivaBuild
X-Destination
X-Developer
X-Geo-Header
X-Application
GEO-REGION-INFO
UCS
X-Accel-Expires-Debug
True-Client-Country-4JS
FNAC-ModuleRouting
Viewtype
LB
X-A-Wwc
Content-Style-Type
X-Date
Content-Script-Type
X-DevSite-Last-Modified
X-CF-Lambda-Version
X-External-Request-Id
X-CF-Lambda-Fn
X-Dispatch
X-A-Dcw
X-A-Ccd
BehaviorPad-Version
X-App
X-AIR-PT
Arc-Country
X-G
X-D
AsisCache
X-A
X-Connection-Hash
Who
X-A-Dam
X-Response-By
X-Scheme
X-ScT
X-SD-PageType
X-Method
X-S-Cookie
X-S
X-Rewrite-Enabled
X-Rojux
X-Transaction
X-Trace-Id
X-Vtex-Processado-Em
Meta-Geo-Continent
MD5-Digest
X-Vtex-Remote-Cache
X-Swa-Ws
Rendered-Blocks
Machine
X-Session-Fingerprint
X-SIPLIST1
M-TraceId
X-SRCache-Key
X-Aed
T-Server
X-Trv-Group
X-Nginx-Cache-Key
X-PAYTM-SRV-ID
X-VG-WebCache
N-Cache
X-Uri
X-Vdms-Version
X-Processor
X-VG-WebServer
Xc-Version
X-Region-Sid
X-Vdms-Path
X-Twitter-Response-Tags
IsBot
Mobile-Detection-Method
ServerName
X-NodeID
X-Tumblr-Pixel-3
X-Magnolia-Registration
User-Cache-Control
NM-Fastcgi-Cache
On-Server
Wxu-Next-Commit
Viewport
We-Hiring
Sever-Int
V-Age
Thinkindot-CacheControl
Thinkindot-Control
Thinkindot-CacheControl-Type
Server-Hostname
Server-Host
Release
Pagetype
Wxu-Next-Hostname
RNT-Machine
RNT-Time
Server-Ext
Web-Mar-Node
Wxu-Next-Region
X-SVT-ORM-VERSION
X-SVT-ORM-RULES
X-RateLimit-Remaining-Second
NGX
X-Req
X-Reqid
X-RateLimit-Limit-Second
X-Policy
X-Matched-Rule
X-Micro-Cache
X-Node-Id
X-Owner
X-Servername
X-ServiceProvider
X-Thinkindot-L3
X-Thanos
X-User
X-Varnish-Cacheable
X-VC-Cache
X-WADP-Cache
X-Wikidot-Backend
X-Worker
X-Skip-Cache
X-Wikidot-Static-Cache
X-SN
X-Logging-Id
X-Loc
X-Cache-Info
X-Cache-FS-Status
X-Cache-URL
X-Clara-WADP
X-Cms-Context
X-Cache-Bucket
X-Block-Status
X-Agile-Age
X-Agile-Id
X-Backend-State
X-Bip
X-Compress-Hint
X-Developers
X-Hash
X-Generation-Time
X-Hnp-Log
X-LAGOON
X-Level-Front-Cache
X-Generated-On
X-Generated-In
X-Device-Os
X-Dispatcher-Server
X-Fmm-Version
X-Gen-Mode
X-Agile
Vix-Hermes-Req-Id
Cache-Cookie-Set-Idcheck
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
Kp-EeAlive
Cache-Cookie-Set-Lfrom
Referer-Policy
CDCHOST
CacheControlHeader
Apple-News-Services-Host
Cache-Cookie-Set-From
X-Newrelic-Synthetics
Apple-News-Services-Handled
Mail-Subject
Magicmarker
AKAMAI
X-Srv
X-B3-Traceid
OT-Force-Account-Verify
X-Hit
X-Cluster-Name
X-Key
X-Core-Mission
X-TH-Server
X-Clientip
X-Cache-Tags
X-Cache-Id
X-Core-Value
Node
X-BBXSRF
X-Slack-Backend
X-Distributor
X-JWT-State
X-Is-Gdpr
X-Irp-Debug
X-Rebelmouse-Surrogate-Control
X-Rebelmouse-Cache-Control
X-Location
X-Origin-Expires
X-Origin-Date
X-NU-AKA-ACS-Version
X-Mvc-Supplant-Cachable
X-Has-Esi
X-Gzip
X-Epic-Correlation-Id
X-Envoy-Decorator-Operation
X-Auto-Login
X-Distil-CS
X-Esi-Check
X-Eu-Site
X-Request-Host
X-Request-UUID
X-Fastly-Cache
X-Edge-Location
X-Server-W
X-CGP
Rt-Fastcgi-Cache
Fastly-Drupal-HTML
Fastly-SIE
Is-Eu
W
X-Var-Ttl
HA-Ipaddr
X-VG-TLSProxy
Fastly-SWR
Platform
Ha-Gx-Prefs
Gh-Request-Id
X-TrackingId
L5d-Success-Class
X-We-Are-Hiring
X-Webstats-RespID
X-Variation
C-Via
X-VServer
Adler-Geo
Sid
X-Be
X-Varnish-Beresp-Grace
X-Reboot
X-LI-UUID
X-GoCache-CacheStatus
Pragrma
X-Backend-Host
X-Contensis-Viewer-Groups
X-Cache-ASPX
Memcached
X-Varnish-Beresp-Ttl
X-Varnish-Authentication
X-Li-Fabric
X-Varnish-Beresp-Status
X-Li-Pop
X-LI-Proto
X-Dc
X-Nc
GEO-INFO
X-BC
X-Wa
X-ZONE
X-Cache-Debug
X-Branch-Name
MIME-Version
S-Cnection
X-Configured-By
Cf-Ipcountry
X-Via-PopH
X-Up
X-Via-PopV
X-Instart-Info
X-Refresh
Fastly-Backend-Name
X-Varnish-URL
X-Via-CDN
X-UA
HostName
X-Microcachable
X-Batcache
X-Envoy-Upstream-Healthchecked-Cluster
X-Servedbyhost
X-Platform-Server
X-Minions-Version
X-Ua-Device
X-ElasticPress-Query
X-TIME
X-TT-TIMESTAMP
X-Ms-Version
CACHE
X-Mvc-Supplant-OutputCached
X-Ms-Request-Id
X-Cdn-Forward
Memory
X-Aicache-OS
X-MSEdge-Features
X-MSEdge-Flight
X-Vgn-Hpd-Reason
X-Nginx-Cache
X-VCL-Version
NR-ENABLED
X-ND-Cache
Esi-Enabled
WPE-Backend
NtCoent-Length
X-Sucuri-ID
X-Debug-Panamera-Host
X-Debug-Panamera-Sitecode
X-App-Name
Server-ID
DCR-Processing-Time-Ms
DCR-Decision-By
L
X-Server-IP
X-Pjax-Url
X-PF-Uncompressing
X-FPC
X-GEO
X-Client-Ip
Powered-By-ChinaCache
Hostname
X-Fastly-Cache-Status
Cache-Host
X-COUNTRY
Pramga
X-Bc
X-Zone
X-Cdn-Srv
X-Svr
X-Oss-Storage-Class
Location
X-Oss-Hash-Crc64ecma
X-Oss-Server-Time
X-Oss-Request-Id
X-Oss-Object-Type
GeoIP-Country-Code
HitType
Ohc-File-Size
X-CF-Powered-By
X-Ratelimit-Reset
X-Varnishpool
X-BE
X-BACKEND-TTL
FSS-Cache
X-Generated-By
GeoIP-Latitude
Server-Surrogate-Control
Server-Cache-Control
X-Unique-ID
X-S-Maxage
X-Sucuri-Cache
X-LB-ID
Tracecode
X-Azure-Ref-OriginShield
Resin-Trace
X-Check-Cacheable
Ohc-Response-Time
X-OVcl
X-OVcl-Cache
X-Rocket-Nginx-Bypass
PFcat
X-Varnish-Ttl
X-Original-Request-Id
X-VarnishDD-TTL
Cteonnt-Length
X-VCT
X-Fastly-Country-Code
X-Fastly-Backend-Reqs
X-Instart-Isnd
X-Ratelimit-Remaining
X-CSRF-TOKEN
X-Cache-Expired-At
Heartbleed
X-Render-Time
X-Platform
Locid
Request-EU
Request-Country
Cdn-Request-Time
X-Vgn-Hpd-Variations-Key
Cdn-Host
X-Edge-Server
X-Vgn-Hpd-Ssi
X-Vgn-Hpd-Cached
X-PJAX-URL
X-VHOST
X-Varnish-Hits
Geoip-Latitude
X-HS-Status
GeoIp-Country-Code
X-Request-URI
X-Fpc
X-Newrelic-App-Data
CF-Cached-On
Lfy
X-CUA
SRV
X-Tec-Api-Origin
X-Tec-Api-Root
X-Tec-Api-Version
Amp-Access-Control-Allow-Source-Origin
X-Gamma-Serve
X-Vcl-Version
Epwk-X-Cache
X-Pf-Uncompressing
Pics-Label
X-NGINX-Cache
X-Ratelimit-Limit
X-Oracle-Dms-Rid
SN
XServer
X-CLOUD-TRACE-CONTEXT
X-CACHE-AGE
X-Shopify-Generated-Cart-Token
WWW-Authenticate
Backend
X-ECache
X-WebServer
X-RunCloud-Cache
Backend-Name
X-CACHE-KEY
X-Proxy-Upstream
X-ServedByHost
X-Varnish-Url
X-Amzn-Remapped-Connection
X-StackifyID
WZWS-RAY
X-Amzn-Remapped-Date
X-Csrf-Jwt
URI
Product
X-Ftr-Cache-Host
X-Via-Popv
CloudFront-Viewer-Country
X-Cdn-Origin
X-Via-Poph
X-Oss-Cdn-Auth
Lb
X-Fetched-On
X-Fastly-Request-Id
X-Sn-Servicetimems
My-App
Mime-Version
A
X-Request-Time
X-GeoIP-Country-Code
X-Sigma
X-Debug-Cache-Store
X-Rocket-Build-Number
X-Nananana
X-Sigma-Backend
X-Debug-Cache-Fetch
Server-Ttl
PICS-Label
X-Debug-Cache-String
X-Debug-Cache-Status
X-Cache-Tag
Host-ID
CF-IPCountry
X-Tb-Optimization-Total-Bytes-Saved
X-B3-Spanid
Ohc-Cache-HIT
X-Debug-Do-Not-Cache-Uri
Cloudfront-Viewer-Country
X-Debug-Cache-Bypass
X-B3-SpanId
X-LiteSpeed-Cache-Control
X-Debug-Ysi-Auth
SID
X-Debug-Xas-Auth
Dt-Cache-Category
X-Cache-Version
X-Apw-Access-Object
X-Apw-Access-Token
X-Varnish-Beresp-TTL
DataCenter
X-Acquia-Site
X-DPWN-IS-SECURE
X-Request-Start
X-Acquia-Purge-Tags
X-Apw-Access-Action
X-Apw-Hits
X-Acquia-Application-Trace
X-Acquia-Application-UUID
X-WA
Proxy-Firewall
Cneonction
X-APP
Cf-Alt-Svc
X-Html-Edge-Cache
Dnion-Transfer-Encoding
Group
X-Lb-Id
X-IN-APIGATEWAYSSL
X-IN-APIGATEWAY
FSS-Proxy
Country-Code
Warning
X-VC
X-Dw-Trace-Id
X-Request-URL
X-SB
X-Swift-Error
X-Served-From
X-ElasticPress-Search
Inserted-Into-Cache-At
X-WR-MODIFICATION
Cdn
X-Snapshot-Date