
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as X-XSS-Protection or X-Frame-Options.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using an HTTP HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
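
The tally described above, as an added example (not the ISC's collection code): it counts each header once per site from HEAD responses, both by exact spelling, which is how the table below ends up with separate rows for X-Frame-Options and X-FRAME-OPTIONS, and case-folded, since HTTP field names are case-insensitive and adoption of a security header should be measured that way. The four responses and `.example` hosts are constructed, and all function names are assumptions.

```python
import http.client
from collections import Counter

# Security-relevant headers to report on, lower-cased; all appear in the table on this page.
SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options",
                    "x-xss-protection", "referrer-policy")

# Constructed HEAD responses for four made-up sites (not survey data).
SAMPLE = {
    "a.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: DENY\r\n"
                 "Strict-Transport-Security: max-age=31536000\r\n"
                 "Set-Cookie: a=1\r\nSet-Cookie: b=2\r\n\r\n",
    "b.example": "HTTP/1.1 200 OK\r\nX-FRAME-OPTIONS: SAMEORIGIN\r\n"
                 "X-Content-Type-Options: nosniff\r\n\r\n",
    "c.example": "HTTP/1.1 301 Moved Permanently\r\nx-frame-options: deny\r\n"
                 "Content-Security-Policy: default-src 'self'\r\n\r\n",
    "d.example": "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                 "Date: Thu, 01 Jan 2015 00:00:00 GMT\r\n\r\n",
}

def fetch_header_names(host, timeout=5):
    """Live variant: HEAD the index page and return header names as the server sent them."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return [name for name, _ in conn.getresponse().getheaders()]
    finally:
        conn.close()

def header_names(raw):
    """Parse one raw response head and return its field names in wire spelling."""
    head = raw.split("\r\n\r\n", 1)[0]
    names = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, _ = line.partition(":")
        if sep and name and name == name.strip():  # drop malformed or folded lines
            names.append(name)
    return names

def tally(survey):
    """survey maps site -> list of header names; count sites, not occurrences."""
    exact, folded = Counter(), Counter()
    for names in survey.values():
        exact.update(set(names))                  # two Set-Cookie lines count once
        folded.update({n.lower() for n in names})
    return exact, folded

def adoption(folded, total_sites):
    """Fraction of surveyed sites sending each security header, any spelling."""
    return {h: folded[h] / total_sites for h in SECURITY_HEADERS}

if __name__ == "__main__":
    survey = {site: header_names(raw) for site, raw in SAMPLE.items()}
    exact, folded = tally(survey)
    print("exact :", exact.most_common())
    print("folded:", adoption(folded, len(survey)))
```

To merge rows of the table below by hand, apply the same rule: lower-case the name and sum the counts of every spelling.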



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
Alt-Svc
X-UA-Compatible
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Cacheable
X-Check
Timing-Allow-Origin
X-Request-ID
P3p
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CONTENT-TYPE-OPTIONS
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
Keep-Alive
Request-Context
EagleId
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
X-UA-Device
Host-Header
X-Amz-Request-Id
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
X-Rq
Grace
X-Dns-Prefetch-Control
X-Akamai-Path-Stats
X-Swift-CacheTime
X-Swift-SaveTime
X-Server-Powered-By
X-Varnish-Cache
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
X-Ua-Compatible
CONTENT-SECURITY-POLICY
EagleEye-TraceId
X-WebKit-CSP
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-OneAgent-JS-Injection
X-Nginx-Cache-Status
Allow
X-Device
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-Pingback
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
Surrogate-Control
Request-Id
X-Backend-Server
Accept-CH
X-Akam-SW-Version
X-Readtime
Cf-Edge-Cache
X-Cache-Lookup
X-Response-Time
X-HW
X-Application-Context
Xkey
Content-Location
X-ASPNET-VERSION
Accept-CH-Lifetime
Rating
X-Cloud-Trace-Context
X-Url
X-Trace
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Country
Accept-Ch-Lifetime
Fastly-Restarts
X-Mod-Pagespeed
X-MS-InvokeApp
X-Rack-Cache
X-TtlSet
X-Vname
X-PC
X-Ruxit-JS-Agent
X-Server-Name
X-Clacks-Overhead
Edge-Control
RTSS
X-Varnish-TTL
X-ESI
X-VARITI-CCR
X-Content-Type
Cache-Tag
X-Vcap-Request-Id
Accept-Ch
X-B3-TraceId
X-Kinja
X-Kinja-Build
X-Kinja-Revision
X-Use-Magma
X-Kinja-Server
X-GoogleNews-Bot
X-Exp-Id
X-Exp-Variant
X-Cdn-Fetch
X-Amz-Server-Side-Encryption
X-Amz-Rid
X-Dw-Request-Base-Id
Public-Key-Pins
X-Px
X-Cnection
X-Ac
X-D2id
X-Element-Page-Cache
X-Navigation-Version
Verso
X-RateLimit-Remaining
X-Abt-Application-Version
X-Client-IP
X-Powered-By-Plesk
X-Cache-TTL
X-Sol
Display
Pagespeed
X-Middleton-Display
X-Edge
X-Ser
X-FastCGI-Cache
Service-Worker-Allowed
X-Version
Arr-Disable-Session-Affinity
X-Country-Code
X-GitHub-Request-Id
X-Ruxit-Js-Agent
Response
X-Middleton-Response
X-NF-Request-ID
Access-Control-Request-Method
X-Correlation-Id
X-Goog-Hash
X-Ttl
X-Kinsta-Cache
SPIisLatency
SPRequestDuration
AR-Request-ID
AR-CACHE
AR-ATIME
AR-SID
AR-PoweredBy
X-Edge-Location-Klb
X-Upstream
X-Webkit-Csp
X-NWS-LOG-UUID
X-TTL
X-LLID
X-Cached
X-Powered-CMS
X-Server-Lifecycle-Phase
X-Kraken-Loop-Name
X-Instrumentation
SPRequestGuid
X-SharePointHealthScore
Edge-Cache-Tag
Nginx-Cache
X-RateLimit-Limit
X-Cache-Key
X-Forwarded-For
X-Content-Security-Policy-Report-Only
X-Litespeed-Cache
TCN
X-MSEdge-Ref
Content-MD5
MRF-Tech
Mrf-Cache-Status
X-Id
X-Shield-Request-Id
X-Daa-Tunnel
X-B3-TraceId-Primal
MS-Author-Via
X-T
X-Recruiting
S
X-Content-Digest
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-TEC-API-VERSION
X-Mg-S
X-Ua-Device
X-Protected-By
X-HP-Trace-Id
X-HP-Webp
X-Jurisdiction
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Ezoic-Cdn
X-HS-Hub-Id
X-HS-Content-Id
X-Accel-Expires
X-HS-Cache-Config
X-HS-Combine-CSS
X-Ab
X-Content
X-Frontend
X-DataDome
MicrosoftSharePointTeamServices
X-Ua-Browser
X-Grace
X-Request-Received
X-Request-Processing-Time
Server-Node
X-ECACHE
X-Yandex-Sdch-Disable
Front-End-Https
Filters
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
Fastcgi-Cache
X-Server-ID
X-Mid
X-DynaTrace
TP-Cache
X-Origin-Server
X-Geo-Country
X-Hits
TP-L2-Cache
X-Distributor
X-PressLabs-Stats
X-Ratelimit-Reset
X-Debug-Info
X-Amzn-Trace-Id
X-Tt-Trace-Tag
X-Tt-Trace-Host
Charset
Cleartype
X-WebKit-CSP-Report-Only
X-Page-Id
Host
X-F-Cache
X-Git-Hash
X-DIS-Request-ID
Pinterest-Version
Pinterest-Generated-By
X-Pinterest-Rid
X-B3-Sampled
X-Request-Handler-Origin-Region
X-Microsite
Cross-Origin-Opener-Policy
X-LB-Cache
X-Www-Served-By
X-MCACHE
X-Forwarded-Proto
ServerID
X-Cache-Age
Access-Control-Allow-Method
X-Seen-By
Cache-Tags
Cache-Status
X-AppVersion
X-Activity-Id
X-Az
X-Cluster-Name
Accept-Charset
X-Varnish-Age
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
Realpath
X-Language
Filterid
X-Aspnetmvc-Version
X-Rid
Server-Name
X-Type
X-Content-Options
X-Nginx-Upstream-Cache-Status
X-App-Environment
Country
X-Varnish-Grace
Node
Viewport
X-XRDS-LOCATION
X-Tb
X-Mobile-URL
Retry-After
X-NWS-UUID-VERIFY
X-Upgrade-Enabled
X-User-Agent
X-Request-Guid
X-Providence-Cookie
X-FB-Debug
X-Route-Name
X-Flags
X-B-Cache
X-Wix-Request-Id
DC
X-Is-Crawler
X-Signature
X-Aspnet-Duration-Ms
X-Whom
X-Origin-Cache
Paypal-Debug-Id
X-Drupal-Cache-Tags
X-TT
Protected
X-Oracle-Dms-Ecid
X-VCache
X-Varnish-Backend
X-Goog-Storage-Class
X-Goog-Stored-Content-Encoding
X-Goog-Generation
X-GUploader-UploadID
X-Goog-Metageneration
X-Goog-Stored-Content-Length
Fastcgi-Useragent
X-Oracle-Dms-Rid
X-Via-JSL
X-Fastly-Request-ID
X-B
X-N
X-Amz-Replication-Status
X-Debug
X-Cache-NGX
Payment
X-Logged-In
X-Contextid
X-Fastly-Request-Id
X-Fastcgi-Cache
X-Load-Cache
WPO-Cache-Status
WPO-Cache-Message
X-Template
Surrogate-Key
X-XRDS-Location
X-FW-Hash
X-FW-Type
X-FW-Static
X-FW-Server
X-FW-Dynamic
X-FW-Serve
X-Cache-Control
X-Amz-Meta-S3cmd-Attrs
X-Node-Name
Count-Hit
X-Trace-Id
X-B3-Traceid
Amp-Access-Control-Allow-Source-Origin
Healthy
X-Erf-Bev-Bev
X-Browser-Type
X-Erf-Bev-Bev-Is-Generated
X-Response-Served-From
X-Original-Request-Id
SD-X-WS
Content-Disposition
Permissions-Policy
Akamai-GRN
X-Proxy
X-Is-Bot
X-Hostname
X-Real-IP
X-Zen-Fury
X-Jobs
X-Revision
Refresh
X-Cache-Time
X-Akamai-Request-ID2
X-Mobile
X-Rendered-As
X-G
X-UUID
X-Adobe-Loc
X-Adobe-Content
X-Page-View
X-Cache-TTL-Remaining
X-Http-Reason
Uber-Trace-Id
X-Cacheable-TTL
Alternate-Protocol
X-Framework
X-Drupal-Cache-Contexts
NGB
X-Instance
VIX-Pulpo-Upstream-Status
X-Debug-IsPreview
X-Proxy-Cache-Status
X-Debug-IsConnected
VIX-Pulpo-Node
X-Device-Type
X-Yottaa-Optimizations
X-Mcache
X-Yottaa-Metrics
Access-Control-Request-Headers
Url
X-IPLB-Instance
X-Servername
X-Cache-Grace
X-Source
Version
From-Origin
X-Cache-Rule
X-Varnish-Server
X-ECache
X-Vgn-Hpd-Reason
X-Parallel-Accel
X-Mg-Request-UUID
X-Environment-Context
X-L-Path
X-Restarts
X-NGENIX-Cache
X-Cache-Hit
Accept-Language
X-EdgeConnect-Cache-Status
X-Cache-Expired-At
X-Oneagent-Js-Injection
Referer-Policy
MS-CV
X-RTag
Ms-Operation-Id
X-App-Server
Countrycode
X-Datadome
X-HTML-Minification-Powered-By
Frame-Options
X-Ratelimit-Remaining
X-FW-Version
Liferay-Portal
Cross-Origin-Window-Policy
X-NYM-Debug-Backend
X-IPS-LoggedIn
X-Tumblr-Pixel-0
Backend
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-1
X-Cache-Action
X-Nginx-Cache
X-COUNTRY
X-ProcessESI
X-APP-VERSION
Content-Secure-Policy
X-RemovedCookies
WP-Super-Cache
CF-IPCountry
Meta-Geo
Section-Io-Cache
X-UPSTREAM-Address
X-RN-RSRV
X-Redis-Cache
X-Cache-Server
Upgrade-Insecure-Requests
X-Hosted-By
X-Content-Age
X-Access
X-Detected-As
X-PCL
X-Section
X-Ua
Cache-Tv-Group
X-OCL
X-No-Session
X-FB-TRIP-ID
X-Format
X-Generation-Time
X-Cache-Enabled
Ec-Rule-Version
TWC-Locale-Group
TWC-GeoIP-Country
TWC-Device-Class
TWC-Connection-Speed
TWC-Privacy
Webcakes-App-Name
X-Request-Time
X-Akamai-Edgescape
Webcakes-Region
Webcakes-App-Version
S-Rt
Property-Id
X-SayCDN-TTL
Apigw-Requestid
X-UA-Device-Type
X-Varnish-Cache-Hits
X-Say-TTL
Fastly-SSL
Mn-Server-Ip
Locale
X-Say-Cacheable
X-Be
X-Cluster-Node
Azure-InstanceId
X-Via-Fastly
X-Uri
X-Urbn-Site-Id
Azure-RegionName
Azure-SiteName
X-AOL-HN
X-Human
Azure-Version
Azure-SlotName
X-Urbn-Context-Path
X-Hyper-Cache
X-Origin-Hint
X-Origin-Date
X-Generated-By
X-Region
X-PHP-Backend
X-Server-W
X-Sql-Duration-Ms
X-Sql-Count
X-Site-Version
X-Web-Node
TWC-GeoIP-LatLong
X-Mode
Eomportal-Instance
X-Content-Powered-By
X-Adobe-Source
X-ApacheServer
CDN-Uid
CDN-RequestId
CDN-CachedAt
CDN-EdgeStorageId
CDN-PullZone
CDN-RequestCountryCode
X-Cache-Host
X-Nginx-Cache-Key
X-Status
X-Xfnlog-Site
X-BYPASS-REASON
X-ProxyCache-Key
X-Platform-Server
X-Debug-Cache
X-Forwarded-Host
X-ProxyCache-Status
X-PERF
CDN-Cache
X-Cache-Tags
X-Storage
X-Alternate-Cache-Key
X-Hl-Ver
X-JoinUs
X-Unique-Id
X-ShardId
X-Varnishpool
X-Routing-Service
X-Backend-Name
X-Handled-By
X-Shopify-Stage
X-ShopId
X-Extlb
X-Sorting-Hat-PodId
X-Tid
X-Sorting-Hat-ShopId
X-Proxied
X-Zipkin-Id
X-TT-LOGID
X-Cache-Type
X-ServerID
X-SaId
X-NewRelic-App-Data
X-Rule
Webserver
X-Midtier
X-Locale
X-Labrador-Cache-Channel
X-GG-Cache-Date
X-PHP-Host
X-Webkit-CSP
ServedBy
X-LJ-Flow-ID
X-AWS-Id
X-VWS-Id
X-VC-Cache
Selected-Fe
X-Timing-Wait
X-Proxy-Build
X-Cache-Operation
X-Accel-Buffering
X-LSADC-Cache
X-Cache-Remote
X-Rewrite-Enabled
SID
X-Dc
X-Edge-Location
X-Ratelimit-Limit
X-Proto
X-Cached-By
X-Cms-Context
X-Storefront-Renderer-Rendered
Web-Mar-Node
Mime-Version
X-Soup
Fastly-Drupal-Html
SRV
X-TA-CDN-Provider
X-CDN-Forward
Xserver
Onion-Location
X-Pubstack
X-GEO
X-Reqid
X-App-Version
X-Varnish-Hostname
Load-Balancing
X-GeoCode
Country-Code
X-GeoCountry
X-Request-Host
X-Buckets
X-Cdn
X-Microcachable
LB
Decoy-Debug-Status
Cache-Hits
X-Origin-TTL
X-Origin-CC
Decoy-Debug-Key
Decoy-Debug-TTL
Server-Info
X-Cluster
X-Varnish-Hits
X-Ms-Request-Id
X-Tumblr-Pixel-3
X-SRV
X-Tumblr-Pixel-2
X-Ms-Version
Xet-Cookie
X-MP-GENERATED-AT
X-Envoy-Decorator-Operation
X-Magnolia-Registration
X-NCache
X-B3-SpanId
X-Air-Trace-Id
X-Air-Source
X-Air-Hostname
X-CSRF-Token
X-Bc-Bl
X-Amz-Apigw-Id
X-Time
X-Amzn-RequestId
DynaTrace
DB-Nickname
X-RCS-CacheZone
X-Endurance-Cache-Level
X-Varnish-Beresp-Grace
Cdnsip
Lang
DCR-Decision-By
Cmstype
Cmsid
Expiry
Fastcgi-X-Cache-Version
DCR-Processing-Time-Ms
BehaviorPad-Version
Mobile-Detection-Method
A
Source
Meta-Geo-Continent
Host-ID
Odigeo-Trace-Id
NM-Fastcgi-Cache
Cdncip
X-Hash
X-PAYTM-SRV-ID
X-Origin-Response-Time
X-Orig-Expires
X-PBS-Appsvrname
X-Processor
X-S
X-Rojux
X-NAPM-TraceId
X-Ig-Push-State
X-From
X-Forwarded-Path
X-Ftr-Request-Id
X-Geo-Header
X-HS-Content-Campaign-Id
X-Gzip
X-S-Cookie
X-ScT
X-VG-WebCache
X-Vdms-Version
X-Vdms-Path
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Xc-Version
X-Webstats-RespID
X-User
X-TrackingId
X-Session-Fingerprint
X-SD-PageType
X-Shop-Environment
X-SRCache-Key
X-TIM-N
X-Tenant
X-External-Request-Id
X-Esi-Check
Cache-Name
X-A-Dgt
X-A-Dcw
X-A-Wwc
X-Aed
X-Application
X-AK-Request-ID
X-A-Dam
X-A-Ccd
Sslversion
Rendered-Blocks
Surrogated-Key
X-R9-Blue-Green-Version
X-A
T-Server
X-ZONE
X-ARC
X-Destination
X-D
X-Connection-Hash
X-Developer
X-Ec-Fail
X-Epic-Correlation-Id
X-Ec-GeoHdr
X-Conf
X-CF-Lambda-Version
X-Cache-Id
X-Cache-Bucket
X-Cache-NE
Pramga
X-CF-Lambda-Fn
X-Cdn-Srv
X-B-Cookie
Cache
X-Azure-Ref
X-Tx-Id
X-Varnish-Remaining-TTL
X-Varnish-CookieINHashed-On
X-VG-TLSProxy
Wxu-Next-Region
Wxu-Next-Hostname
X-Varnish-CookieHashed-On
X-Variation
X-Block-Status
X-Cache-Backend
X-Slack-Backend
X-Amzn-Remapped-Content-Length
X-V-Cache
X-TNCMS
X-JWT-State
Web-Mar-Region
Producers
Fastly-GeoIP-CountryCode
Platform
MD5-Digest
Mail-Subject
Memcached
Server-Host
State
User-Cache-Control
We-Hiring
X-WADP-Cache
X-Wix-Viewer-Type
X-Worker
X-Scheme
X-SB
X-GeoIP
X-Mvc-Supplant-Cachable
X-Gen-Mode
X-Gdpr
X-Nyt-Route
X-NodeID
X-Loop
X-Has-Esi
X-Irp-Debug
X-Is-Gdpr
X-LAGOON
X-Hnp-Log
X-Location
X-Fmm-Version
X-Origin
X-DefHash
X-Developers
X-DefElseHash
X-Core-Value
X-Ckpd-Fst-Backend
X-Clara-WADP
X-DPWN-IS-SECURE
X-Planisys-CDN-TTL
X-Origin-Expires
X-Fastly-Cache
X-Origin-Time
X-Planisys-CDN-Cache
X-Planisys-CDN-Rules
Machine
Wxu-Next-Commit
X-Device-Os
X-Sigma
CDN
X-Core-Mission
X-Sigma-Backend
Environment
X-SVT-ORM-RULES
X-Rocket-Build-Number
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
X-Ec-Custom-Error
X-Fetched-On
X-Node-Id
Adler-Geo
AKAMAI
Apple-News-Services-Host
Apple-News-Services-Handled
X-SVT-ORM-VERSION
X-Cache-Info
Is-Eu
X-Varnish-Ttl
N-Cache
X-Region-Sid
X-Served-From
X-Csrf-Jwt
X-Rebelmouse-Cache-Control
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
X-Rebelmouse-Surrogate-Control
X-Level-Front-Cache
Kp-EeAlive
PFcat
X-HN
X-Cdn-Origin
X-Forwarded-Site
L
X-CGP
X-Request-URI
X-Datadog-Trace-Id
X-RateLimit-Limit-Second
Req-Svc-Chain
Origin-EX
X-Platform
X-Loc
X-Rocket-Nginx-Serving-Static
X-Pool
Locid
X-Eu-Site
X-Pod-Name
X-Policy
Origin
X-Httpd
X-Gamma-Serve
X-Qloud-Router
X-Proxy-Upstream
X-Dispatcher-Number
X-Proxy-Cache-Info
Origin-CC
X-RateLimit-Remaining-Second
L5d-Success-Class
X-Thinkindot-L3
Fastcgi-Cache-TTL
TDXMobile
Thinkindot-CacheControl
Thinkindot-CacheControl-Type
HA-Ipaddr
X-VarnishDD-TTL
Redirect-Candidate
Fastly-SIE
Vix-Hermes-Req-Id
Ssr
X-Minions-Version
Gh-Request-Id
X-Viewer-Country
X-Via-NSCOPI
V-Age
Fastly-SWR
Thinkindot-Control
Traceparent
X-CacheTTL
X-Sn-Servicetimems
Ha-Gx-Prefs
X-Server-IP
CloudFront-Viewer-Country
X-Branch-Name
CDCHOST
X-VServer
X-Auto-Login
Cluster
X-BBC-Edge-Cache-Status
X-Skip-Cache
X-Aicache-OS
X-Cache-Date
Svr
X-Generated-On
X-Men
X-GeoIP-City
X-EC-Lua
X-Optimistic-Header
X-SIPLIST1
Arc-Country
X-Scale
X-IPLB-Request-ID
DSUID
Sever-Int
Server-Hostname
Release
NGX
Server-Ext
X-Via-Ucdn
HostName
IsBot
X-CS
X-Tec-Api-Origin
X-Tec-Api-Root
X-Tec-Api-Version
X-Old-Content-Length
Pics-Label
X-Refresh
X-Owner
AMP-Access-Control-Allow-Source-Origin
Ohc-File-Size
X-Response-By
X-NC
X-TraceId
X-WP-CF-Super-Cache-Cache-Control
X-Parent-Response-Time
X-RPS
X-RPM
X-WP-CF-Super-Cache
X-RSL
X-DI
X-DSS
X-DW
X-DB
Memory
Time
X-VC
X-Tb-Optimization-Total-Bytes-Saved
X-Srv
X-Akamai-Transformed
X-Newrelic-Synthetics
X-Udemy-Cache-App-Namespace
X-Tt-Logid
X-Date
Candidate-Md5Url
Cache-Key
Env
X-CACHE-KEY
X-Edge-Pop
X-Wikidot-Backend
X-Wikidot-Static-Cache
Datacenter
Servername
X-LB-NoCache
X-Mvc-Supplant-OutputCached
X-Ah-Environment
X-Accel-Expires-Debug
X-Ad-Defer-Variation
X-BCube-Filmed-By
Ms-Author-Via
X-TIME
VNS-Age
VNS-Cache
XM
X-SplitTest
CPC-Cache
X-Contensis-Viewer-Groups
X-GeoIP-Country-Code
X-Generated-In
X-GeoIP-Region-Code
X-Cache-ASPX
CPC-Age
Geo-Info
Fastly-Backend-Name
X-Via-Popv
X-Varnish-Authentication
X-Via-Poph
X-Cache-Debug
X-Via-Popn
GEO-INFO
X-Amz-Meta-Cb-Modifiedtime
GeoIp-Country-Code
X-WA-Info
X-Cache-Status-Check
X-Xrds-Location
X-HA-Backend
X-S-Maxage
X-Servedbyhost
X-Micro-Cache
X-API-Version
Path
Fusion-Component-Id
Fusion-Template-Id
Fusion-Deployment-Id
Fusion-Content-Id
Fusion-Content-Source
Fusion-Source
CacheControlHeader
X-AIR-PT
ITXSESSIONID
Lb
X-Presslabs-Stats
Ohc-Cache-HIT
X-RateLimit-Reset
X-Vc
Client
X-Action
X-VCL-Version
Geoip-Latitude
True-Client-Country-4JS
X-DC
Cache-Host
X-TH-Server
X-Backend-TTL
Server-ID
Ngx.Var.Host
True-Client-IP
X-VHOST
X-Cs
Hostname
X-Proxy-CacheRZ
XkeyRZ
X-Varnish-Beresp-TTL
X-Trace-ID
FSS-Cache
X-Api-Version
X-Req
Edge-Cache
X-Clientip
X-FireWall-Port
X-Provided-By
X-Fpc
X-TX-ID
My-App
X-Webkit-Csp-Report-Only
Powered-By
X-Pass-Why
X-Zone
X-Origin-Upstream-Status
X-B3-Spanid
X-Varnish-Beresp-Ttl
X-PX
X-Up
NtCoent-Length
X-FPC
X-Traceid
X-CSRF-TOKEN
X-MSEdge-Features
X-MSEdge-Flight
Test
X-LB-ID
X-Dmc
DataCenter
X-NGINX-Cache
Cf-Int-Pingora-Origin-Digest
X-Dynatrace
X-HS-Status
X-INCAP-ABP
X-Cdn-Request-ID
X-Render-Time
X-Correlation-ID
X-Beluga-Response-Time
X-Beluga-Trace
X-UnsetCookies
X-Li-Pop
X-Webkit-CSP-Report-Only
X-LI-UUID
X-Beluga-Status
X-Beluga-Node
Rip
X-Li-Fabric
X-Beluga-Record
Server-Id
C-Via
X-Vcl-Version
User-Agent
X-Beluga-Cache-Status
X-Gateway-Cache-Key
X-ND-Cache
X-Gateway-Request-Id
X-Gateway-Skip-Cache
X-Service
X-Gateway-Cache-Status
Tube-Return
Tube-Get-Contents
Srvid
WZWS-RAY
Tube-Got-Eval
Tube-Got-Results
Click-Count-Error
OT-Force-Account-Verify
Proxy-Connection
Click-Count-Action-Start
X-M-Reqid
X-CLOUD-TRACE-CONTEXT
X-Time-Microsecs
GeoIP-Latitude
X-M-Log
X-Qnm-Cache
X-Via-PopH
X-Via-PopV
X-Via-PopN
X-Ha-Backend
Resin-Trace
X-Alfa-Service
Esi-Enabled
X-ServedByHost
X-CUA
X-URL
X-RAMCache
X-Check-Cacheable
X-Geo
Tcn
X-DynaTrace-JS-Agent
GeoIP-Country-Code
X-Platform-Router
Uri
Sid
Target-Params
X-Fragments
HIT
On-Server
Cf-Device-Type
X-Platform-Processor
X-Platform-Cluster
Tracecode
X-Akamai-Pragma-Client-IP
MIME-Version
X-Hcs-Proxy-Type
X-CCDN-Origin-Time
X-Sucuri-Cache
Epwk-X-Cache
X-CCDN-CacheTTL
X-Sucuri-ID
X-LI-Proto
Lfy
X-Proxy-Cache-Hk
X-Fetch-By
Srv
X-Azure-Ref-OriginShield
X-Var-Ttl
X-FC-Vary-Parameters
X-Fastly-Backend
X-ATG-Version
X-TRACE-ID
Fastly-Drupal-HTML
X-Cdn-Forward
X-APP
X-Backend-Host
X-Fastly-Backend-Reqs
ENV
Cdn
X-LiteSpeed-Cache-Control
X-Esi
Magicmarker
X-Cache-Expires
Section-Io-Id
XServer
X-B3-Traceid-Primal
X-Li-Proto
X-App
X-Varnish-Beresp-Status
X-Backend-State
X-Edge-POP
X-Lb-Nocache
ServerName
Section-Origin-Responded
Section-Io-Origin-Status
Section-Io-Origin-Time-Seconds
X-NU-AKA-ACS-Version
X-Srcache-Fetch-Status
X-HostName
X-Srcache-Store-Status
X-MG-S
CF-Cached-On
Inserted-Into-Cache-At
X-Yottaa-OS
CountryCode
X-ElasticPress-Query
PICS-Label
X-Newrelic-App-Data
D-Url-Rewrites
X-Edge-Origin-Shield-Region
X-Edge-Origin-Shield-Bytes
X-Request-Start
X-Iplb-Instance
X-Cache-CFC
M-TraceId
WebServer
X-Vcache
X-Iplb-Request-Id
X-Acquia-Application-Trace
X-Serial
X-Nc
X-CF-Powered-By
Wpo-Cache-Status
Wpo-Cache-Message
Server-Ttl
Cf-Ipcountry
X-Acquia-Application-UUID
X-Acquia-Purge-Tags
X-Acquia-Site
Warning
Servedby
X-Vercel-Id
X-Wp-Cf-Super-Cache
X-Fastly-Cache-Hits
X-LiteSpeed-Tag
Vha6-Origin
X-Shopify-Generated-Cart-Token
X-Wp-Cf-Super-Cache-Cache-Control
X-Request-Url
X-Bip
X-Release
X-BBC-Origin-Response-Status
X-Dist-Code
X-Vercel-Cache
Hit
X-Snapshot-Date
X-Request-URL
Content-Style-Type
Content-Script-Type
X-Back
X-B3-Parentspanid
X-Storefront-Renderer-Verified
X-Th-Server
X-Dw-Trace-Id
X-IN-APIGATEWAY
X-Thanos
X-Swift-Error
Ngx
Cneonction
X-IN-APIGATEWAYSSL
X-Litespeed-Cache-Control
Fastcgi-Cache-Ttl