Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Cf-Request-Id
CF-Cache-Status
Accept-Ranges
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Access-Control-Allow-Origin
Report-To
NEL
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
Alt-Svc
P3P
X-UA-Compatible
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Check
X-Cacheable
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
Feature-Policy
X-Iinfo
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
P3p
X-CDN
Access-Control-Expose-Headers
X-Drupal-Dynamic-Cache
X-AspNetMvc-Version
X-CONTENT-TYPE-OPTIONS
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
X-Ws-Request-Id
Access-Control-Max-Age
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
EagleId
Keep-Alive
Request-Context
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
X-UA-Device
Host-Header
X-Proxy-Cache
X-Amz-Request-Id
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Dns-Prefetch-Control
X-Swift-CacheTime
X-Swift-SaveTime
X-Server-Powered-By
X-Varnish-Cache
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Ua-Compatible
CONTENT-SECURITY-POLICY
X-Dispatcher
X-WebKit-CSP
EagleEye-TraceId
X-Nginx-Cache-Status
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Akamai-Path-Stats
X-Cache-Spec
X-OneAgent-JS-Injection
X-Device
Cf-Railgun
X-Page-Speed
Allow
X-Host
X-Node
X-Pingback
X-Server-Id
Accept-CH
X-Aws-Lambda-Call-Status
Surrogate-Control
X-Backend-Server
X-CST
Request-Id
X-Akam-SW-Version
X-Readtime
X-Cache-Lookup
X-HW
X-Response-Time
X-Application-Context
Accept-CH-Lifetime
Xkey
Content-Location
X-ASPNET-VERSION
X-Cloud-Trace-Context
Rating
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Trace
X-Url
Cf-Edge-Cache
Fastly-Restarts
X-Country
Accept-Ch-Lifetime
X-Mod-Pagespeed
X-PC
X-Vname
X-TtlSet
X-Ruxit-JS-Agent
X-MS-InvokeApp
X-Rack-Cache
X-Server-Name
X-Clacks-Overhead
Edge-Control
RTSS
X-ESI
X-Varnish-TTL
X-Content-Type
X-B3-TraceId
X-VARITI-CCR
Cache-Tag
X-Vcap-Request-Id
X-GoogleNews-Bot
X-Amz-Rid
X-Kinja
X-Exp-Variant
X-Use-Magma
X-Exp-Id
X-Px
X-Cdn-Fetch
X-Kinja-Server
X-Kinja-Revision
X-Kinja-Build
X-Ac
Public-Key-Pins
X-Cnection
X-Dw-Request-Base-Id
X-Element-Page-Cache
X-Amz-Server-Side-Encryption
X-D2id
Verso
X-Navigation-Version
X-Cache-TTL
Accept-Ch
X-RateLimit-Remaining
X-Abt-Application-Version
X-Client-IP
X-Powered-By-Plesk
X-FastCGI-Cache
Service-Worker-Allowed
X-Sol
X-Middleton-Display
Pagespeed
Display
X-GitHub-Request-Id
X-Ser
X-Country-Code
Arr-Disable-Session-Affinity
X-Version
X-Ruxit-Js-Agent
X-Edge
Response
X-Middleton-Response
X-NF-Request-ID
Access-Control-Request-Method
X-Goog-Hash
X-Correlation-Id
X-Upstream
X-Ttl
X-Kinsta-Cache
AR-Request-ID
AR-SID
AR-PoweredBy
AR-CACHE
AR-ATIME
X-Edge-Location-Klb
X-Cached
X-Webkit-Csp
SPIisLatency
SPRequestDuration
X-TTL
X-LLID
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
X-Instrumentation
X-NWS-LOG-UUID
Nginx-Cache
X-Powered-CMS
MS-Author-Via
Edge-Cache-Tag
X-RateLimit-Limit
TCN
X-Cache-Key
MRF-Tech
Mrf-Cache-Status
X-Litespeed-Cache
X-Forwarded-For
X-MSEdge-Ref
SPRequestGuid
X-SharePointHealthScore
X-B3-TraceId-Primal
Content-MD5
X-Shield-Request-Id
X-Content-Security-Policy-Report-Only
X-T
X-Id
X-Daa-Tunnel
X-Recruiting
X-Mg-S
S
X-Content-Digest
X-Language
X-Protected-By
X-Ua-Device
X-HP-Trace-Id
X-HP-Webp
X-Jurisdiction
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Frontend
X-HS-Cache-Config
X-HS-Content-Id
X-HS-Hub-Id
X-Ab
X-Ua-Browser
Server-Node
X-Content
X-Yandex-Sdch-Disable
X-Ezoic-Cdn
Front-End-Https
X-HS-Combine-CSS
X-Request-Processing-Time
X-Request-Received
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-TEC-API-VERSION
Filters
MicrosoftSharePointTeamServices
X-DataDome
X-Accel-Expires
X-Grace
Fastcgi-Cache
X-Mid
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
X-Server-ID
X-ECACHE
X-Geo-Country
X-Template
X-Hits
Pinterest-Generated-By
X-Pinterest-Rid
Pinterest-Version
X-Ratelimit-Reset
X-Origin-Server
X-Debug-Info
X-Distributor
TP-Cache
TP-L2-Cache
X-Amzn-Trace-Id
X-Tt-Trace-Host
X-Tt-Trace-Tag
Cleartype
Charset
X-Page-Id
Host
X-Git-Hash
X-DIS-Request-ID
X-F-Cache
Cross-Origin-Opener-Policy
X-B3-Sampled
X-Www-Served-By
X-DynaTrace
X-PressLabs-Stats
Cache-Tags
ServerID
X-LB-Cache
X-Forwarded-Proto
Access-Control-Allow-Method
X-Seen-By
X-Cache-Age
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
Server-Name
X-Az
X-Activity-Id
X-AppVersion
X-Cluster-Name
Realpath
X-WebKit-CSP-Report-Only
X-Oracle-Dms-Ecid
X-Request-Handler-Origin-Region
Accept-Charset
X-Aspnetmvc-Version
X-Varnish-Age
X-Microsite
X-Rid
X-Oracle-Dms-Rid
Filterid
Cache-Status
X-Type
X-Content-Options
X-Origin-Cache
X-Upgrade-Enabled
X-Mobile-URL
X-MCACHE
X-App-Environment
X-FB-Debug
X-Via-JSL
Country
X-Varnish-Grace
Node
Viewport
X-User-Agent
X-Wix-Request-Id
X-Drupal-Cache-Tags
X-Tb
X-Request-Guid
X-Aspnet-Duration-Ms
X-Providence-Cookie
X-Route-Name
X-Flags
Paypal-Debug-Id
DC
X-Is-Crawler
X-Whom
X-Signature
X-B-Cache
Protected
X-TT
X-GUploader-UploadID
X-Goog-Storage-Class
X-Goog-Stored-Content-Length
X-NWS-UUID-VERIFY
X-XRDS-LOCATION
X-Goog-Stored-Content-Encoding
X-Goog-Metageneration
X-Goog-Generation
Fastcgi-Useragent
X-Nginx-Upstream-Cache-Status
X-VCache
X-Fastly-Request-ID
Retry-After
X-Varnish-Backend
X-Oneagent-Js-Injection
X-Cache-NGX
X-Contextid
Payment
X-Amz-Replication-Status
X-N
X-B
X-Debug
X-Fastly-Request-Id
X-Fastcgi-Cache
X-Logged-In
X-FW-Serve
X-FW-Static
X-FW-Type
X-FW-Server
X-FW-Dynamic
X-FW-Hash
X-XRDS-Location
WPO-Cache-Status
WPO-Cache-Message
X-Load-Cache
X-Hostname
Surrogate-Key
X-Cache-Control
Amp-Access-Control-Allow-Source-Origin
X-Parallel-Accel
X-Node-Name
Count-Hit
X-Trace-Id
X-Erf-Bev-Bev
X-Buckets
X-Erf-Bev-Bev-Is-Generated
X-Browser-Type
X-Response-Served-From
X-Original-Request-Id
SD-X-WS
X-Mobile
Akamai-GRN
X-Proxy
Refresh
X-Is-Bot
X-Cache-Time
X-Akamai-Request-ID2
X-Zen-Fury
X-UUID
X-Revision
Uber-Trace-Id
X-Rendered-As
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
X-Jobs
Healthy
X-G
X-Cacheable-TTL
X-Page-View
X-Mcache
X-Http-Reason
X-Framework
X-Real-IP
X-Amz-Meta-S3cmd-Attrs
X-Cache-TTL-Remaining
X-Yottaa-Optimizations
NGB
X-Instance
X-Proxy-Cache-Status
X-Yottaa-Metrics
X-Debug-IsConnected
X-Cache-Rule
X-Debug-IsPreview
X-Drupal-Cache-Contexts
Alternate-Protocol
X-Device-Type
Content-Disposition
Access-Control-Request-Headers
X-Adobe-Loc
X-Vgn-Hpd-Reason
X-IPLB-Instance
X-Adobe-Content
From-Origin
Url
X-Source
X-COUNTRY
X-Servername
Version
X-Cache-Expired-At
X-Cache-Grace
X-B3-Traceid
Referer-Policy
X-Cache-Hit
Permissions-Policy
Accept-Language
X-Varnish-Server
X-L-Path
X-Environment-Context
X-ECache
X-App-Server
X-Ratelimit-Remaining
X-EdgeConnect-Cache-Status
X-Mg-Request-UUID
X-FW-Version
Countrycode
X-Cache-Action
MS-CV
X-RTag
Ms-Operation-Id
X-NGENIX-Cache
X-Restarts
Cross-Origin-Window-Policy
X-IPS-LoggedIn
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Tumblr-Pixel-1
X-RemovedCookies
X-ProcessESI
Backend
X-NYM-Debug-Backend
Liferay-Portal
X-Hyper-Cache
CF-IPCountry
Frame-Options
Content-Secure-Policy
X-Rule
Ec-Rule-Version
X-HTML-Minification-Powered-By
X-Datadome
X-PCL
X-OCL
X-RN-RSRV
X-UPSTREAM-Address
X-Nginx-Cache
Upgrade-Insecure-Requests
Meta-Geo
X-Cache-Server
WP-Super-Cache
X-Redis-Cache
X-Unique-Id
X-APP-VERSION
Apigw-Requestid
X-No-Session
X-Cluster-Node
X-Access
X-Section
X-Ua
Section-Io-Cache
X-Content-Age
X-Detected-As
X-Cache-Enabled
Cache-Tv-Group
X-Generation-Time
X-FB-TRIP-ID
X-Format
Azure-InstanceId
X-Sql-Count
Azure-RegionName
Azure-SiteName
X-Uri
X-Sql-Duration-Ms
X-UA-Device-Type
X-Storage
X-Urbn-Context-Path
X-Urbn-Site-Id
X-Via-Fastly
X-Varnish-Cache-Hits
Azure-SlotName
X-Web-Node
Locale
Webcakes-Region
S-Rt
Property-Id
X-Akamai-Edgescape
Mn-Server-Ip
X-AOL-HN
Webcakes-App-Version
Webcakes-App-Name
TWC-Locale-Group
TWC-Privacy
TWC-GeoIP-LatLong
TWC-GeoIP-Country
TWC-Device-Class
X-ApacheServer
X-Be
X-Say-TTL
X-Say-Cacheable
X-SayCDN-TTL
Fastly-SSL
X-Site-Version
X-Server-W
X-Request-Time
X-PHP-Backend
X-Hosted-By
X-Generated-By
X-Human
X-Origin-Hint
X-PERF
Azure-Version
TWC-Connection-Speed
X-Mode
CDN-Cache
CDN-CachedAt
CDN-EdgeStorageId
CDN-PullZone
X-Region
X-Xfnlog-Site
X-Status
X-Origin-Date
X-ProxyCache-Status
X-Nginx-Cache-Key
Eomportal-Instance
X-Forwarded-Host
CDN-RequestCountryCode
X-Cache-Type
X-Cache-Tags
X-Cache-Host
X-Platform-Server
X-ProxyCache-Key
X-Content-Powered-By
CDN-RequestId
CDN-Uid
X-Debug-Cache
X-BYPASS-REASON
X-Sorting-Hat-ShopId
X-Hl-Ver
X-Tid
X-Extlb
X-Alternate-Cache-Key
X-Backend-Name
X-Accel-Buffering
X-Varnishpool
X-JoinUs
X-Proxied
X-Cache-Operation
X-Zipkin-Id
X-Sorting-Hat-PodId
X-Shopify-Stage
X-ServerID
X-Routing-Service
X-ShopId
X-ShardId
X-SaId
Selected-Fe
ServedBy
X-Adobe-Source
Webserver
X-NewRelic-App-Data
X-Timing-Wait
X-Webkit-CSP
X-Proxy-Build
X-TT-LOGID
X-Handled-By
X-Cache-Remote
X-Dc
Xserver
X-Locale
X-PHP-Host
SID
X-Labrador-Cache-Channel
X-GG-Cache-Date
X-Rewrite-Enabled
X-Ratelimit-Limit
X-LSADC-Cache
X-AWS-Id
X-Soup
X-Pubstack
X-VWS-Id
X-LJ-Flow-ID
LB
X-Cached-By
SRV
X-VC-Cache
Mime-Version
Fastly-Drupal-Html
X-CDN-Forward
X-Request-Host
X-GEO
X-Proto
Decoy-Debug-TTL
Web-Mar-Node
X-Edge-Location
Decoy-Debug-Status
Decoy-Debug-Key
X-Reqid
X-Storefront-Renderer-Rendered
Country-Code
X-Microcachable
Onion-Location
Xet-Cookie
X-Origin-TTL
X-App-Version
X-Origin-CC
X-Varnish-Hostname
X-Ms-Version
X-Tec-Api-Root
X-Tec-Api-Origin
X-Ms-Request-Id
Server-Info
X-Tec-Api-Version
X-TA-CDN-Provider
X-Cms-Context
Cache-Hits
X-NCache
X-SRV
X-Tumblr-Pixel-2
X-Tumblr-Pixel-3
X-MP-GENERATED-AT
DynaTrace
X-Bc-Bl
X-Cluster
X-Varnish-Hits
X-B3-SpanId
Cache-Name
X-R9-Blue-Green-Version
X-GeoCountry
Load-Balancing
X-Varnish-Beresp-Grace
X-CSRF-Token
X-GeoCode
X-Air-Hostname
X-Air-Source
X-Air-Trace-Id
X-Endurance-Cache-Level
X-Amzn-RequestId
X-Amz-Apigw-Id
X-RCS-CacheZone
X-Origin-Response-Time
X-Midtier
X-TIME
DB-Nickname
X-Ig-Push-State
X-HS-Content-Campaign-Id
X-LAGOON
Expiry
X-CF-Lambda-Fn
X-CF-Lambda-Version
Surrogated-Key
T-Server
X-Cdn-Srv
Sslversion
X-Conf
X-D
Odigeo-Trace-Id
Pramga
Rendered-Blocks
X-Connection-Hash
X-Cache-NE
X-Cache-Id
X-B-Cookie
X-A-Wwc
X-Aed
X-AK-Request-ID
X-Application
X-A-Dgt
X-A-Dcw
X-Cache-Bucket
X-A
X-A-Ccd
X-A-Dam
NM-Fastcgi-Cache
X-Destination
Cmstype
Cmsid
DCR-Decision-By
DCR-Processing-Time-Ms
X-Ftr-Request-Id
Cdnsip
Cdncip
A
X-Envoy-Decorator-Operation
X-Gzip
BehaviorPad-Version
X-Geo-Header
X-From
X-Forwarded-Path
Lang
X-Ec-Fail
X-Developer
Meta-Geo-Continent
Mobile-Detection-Method
Host-ID
X-Ec-GeoHdr
Fastcgi-X-Cache-Version
X-External-Request-Id
X-Esi-Check
X-Epic-Correlation-Id
X-Hash
X-Magnolia-Registration
X-S-Cookie
X-VG-WebCache
X-Vdms-Version
X-PBS-Appsvrname
X-PAYTM-SRV-ID
X-ScT
X-Azure-Ref
X-Vdms-Path
X-Processor
X-Tenant
X-TIM-N
X-TrackingId
X-User
X-Rojux
X-SRCache-Key
X-SD-PageType
X-S
X-Shop-Environment
Xc-Version
X-NodeID
X-Session-Fingerprint
X-NAPM-TraceId
X-Webstats-RespID
X-Vtex-Processado-Em
X-ARC
X-Orig-Expires
X-Vtex-Remote-Cache
X-Tx-Id
Memcached
Mail-Subject
X-DefElseHash
X-Fetched-On
X-DB
X-Developers
X-DefHash
X-DI
X-DW
X-Slack-Backend
Platform
Is-Eu
X-Sigma
X-DSS
X-Men
X-Device-Os
X-Sigma-Backend
X-DPWN-IS-SECURE
Machine
X-Clara-WADP
Wxu-Next-Commit
Wxu-Next-Hostname
Web-Mar-Region
We-Hiring
V-Age
Vix-Hermes-Req-Id
Wxu-Next-Region
X-Viewer-Country
X-Worker
X-Amzn-Remapped-Content-Length
X-Wix-Viewer-Type
X-Block-Status
X-WADP-Cache
User-Cache-Control
X-VG-TLSProxy
Server-Host
X-Fmm-Version
X-V-Cache
X-Core-Mission
Producers
X-Core-Value
X-Ckpd-Fst-Backend
X-Variation
Svr
X-Cache-Info
X-Varnish-Remaining-TTL
X-Varnish-CookieINHashed-On
X-Varnish-CookieHashed-On
X-TNCMS
X-Fastly-Cache
AKAMAI
X-Origin-Time
Adler-Geo
Apple-News-Services-Handled
X-Varnish-Ttl
Apple-News-Services-Request-Url
X-Origin
Apple-News-Services-Parsed-Url
X-Planisys-CDN-Cache
X-Has-Esi
X-JWT-State
X-Is-Gdpr
X-Irp-Debug
X-Hnp-Log
Fastly-GeoIP-CountryCode
X-Planisys-CDN-Rules
X-Request-URI
X-Planisys-CDN-TTL
X-Rocket-Build-Number
Apple-News-Services-Host
X-Mvc-Supplant-Cachable
X-Loop
X-Nyt-Route
X-Gen-Mode
X-RSL
X-Gdpr
X-Node-Id
Environment
X-Old-Content-Length
X-Location
X-Server-IP
X-GeoIP
X-RPS
X-RPM
CDN
Source
X-Via-NSCOPI
X-EC-Lua
X-Minions-Version
X-Cache-Date
X-SB
X-Cdn-Origin
X-VServer
X-Pod-Name
X-Branch-Name
X-Auto-Login
X-Level-Front-Cache
X-Loc
X-Platform
X-Origin-Expires
X-Cache-Backend
X-Rebelmouse-Cache-Control
X-Rocket-Nginx-Serving-Static
X-GeoIP-City
X-SVT-ORM-RULES
X-SVT-ORM-VERSION
X-Datadog-Trace-Id
X-Thinkindot-L3
X-Generated-On
X-Sn-Servicetimems
X-Eu-Site
X-Served-From
X-Forwarded-Site
X-Skip-Cache
X-Gamma-Serve
X-Scheme
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
X-Qloud-Router
X-CGP
X-Proxy-Upstream
X-Httpd
X-Policy
X-Proxy-Cache-Info
X-RateLimit-Limit-Second
X-RateLimit-Remaining-Second
X-Csrf-Jwt
X-Response-By
X-Region-Sid
X-Rebelmouse-Surrogate-Control
X-HN
X-VarnishDD-TTL
X-BBC-Edge-Cache-Status
N-Cache
CloudFront-Viewer-Country
Locid
Cluster
Origin
Origin-CC
Release
Redirect-Candidate
Origin-EX
L5d-Success-Class
L
Fastly-SWR
Fastly-SIE
Fastcgi-Cache-TTL
X-TraceId
X-Akamai-Transformed
Gh-Request-Id
Kp-EeAlive
HA-Ipaddr
Ha-Gx-Prefs
Req-Svc-Chain
PFcat
CDCHOST
Thinkindot-CacheControl-Type
TDXMobile
Traceparent
Thinkindot-CacheControl
Arc-Country
X-Aicache-OS
Cache
State
Thinkindot-Control
GEO-INFO
HostName
X-Accel-Expires-Debug
NGX
X-Date
X-Optimistic-Header
X-Pool
X-Ec-Custom-Error
DSUID
Ssr
X-Parent-Response-Time
X-GeoIP-Region-Code
AMP-Access-Control-Allow-Source-Origin
X-Presslabs-Stats
X-NC
MD5-Digest
X-WP-CF-Super-Cache
X-WP-CF-Super-Cache-Cache-Control
X-Owner
X-Udemy-Cache-App-Namespace
X-GeoIP-Country-Code
X-CS
X-API-Version
Env
Pics-Label
X-Srv
X-Time
X-Tb-Optimization-Total-Bytes-Saved
X-Dispatcher-Number
X-ZONE
X-Newrelic-Synthetics
X-Mvc-Supplant-OutputCached
Fusion-Component-Id
Sever-Int
Servername
X-CacheTTL
X-LB-NoCache
X-Via-Ucdn
X-SIPLIST1
Server-Hostname
Server-Ext
Fusion-Source
Fusion-Template-Id
Fusion-Deployment-Id
Fusion-Content-Id
IsBot
X-Scale
X-Ah-Environment
Fusion-Content-Source
X-Generated-In
Memory
X-Edge-Pop
X-Cache-Debug
Time
X-VC
X-Tt-Logid
Ms-Author-Via
CacheControlHeader
X-Refresh
X-Wikidot-Static-Cache
GeoIp-Country-Code
X-Wikidot-Backend
True-Client-Country-4JS
X-Action
Geo-Info
X-TH-Server
X-Xrds-Location
Candidate-Md5Url
X-BCube-Filmed-By
X-Via-Popv
X-Amz-Meta-Cb-Modifiedtime
X-IPLB-Request-ID
X-CACHE-KEY
X-Servedbyhost
X-Via-Popn
X-Ad-Defer-Variation
Cache-Key
Ohc-File-Size
Datacenter
X-S-Maxage
X-Backend-TTL
X-Via-Poph
X-Vc
VNS-Age
XM
FSS-Cache
Geoip-Latitude
CPC-Cache
X-SplitTest
X-HA-Backend
VNS-Cache
CPC-Age
X-RateLimit-Reset
X-Cache-ASPX
X-WA-Info
X-Contensis-Viewer-Groups
X-Req
ITXSESSIONID
Fastly-Backend-Name
Client
Edge-Cache
X-VCL-Version
X-Varnish-Beresp-TTL
Path
X-Dynatrace
Server-ID
X-Micro-Cache
X-Varnish-Authentication
My-App
X-Zone
X-Provided-By
X-Cache-Status-Check
X-Cs
Hostname
X-VHOST
X-DC
X-AIR-PT
X-Origin-Upstream-Status
X-Trace-ID
X-Pass-Why
Cache-Host
X-Up
DataCenter
Ohc-Cache-HIT
X-FireWall-Port
Ngx.Var.Host
X-Fpc
True-Client-IP
X-TX-ID
X-LB-ID
X-Webkit-Csp-Report-Only
Lb
NtCoent-Length
OT-Force-Account-Verify
X-NGINX-Cache
X-Li-Pop
XkeyRZ
X-B3-Spanid
X-Clientip
X-Varnish-Beresp-Ttl
X-LI-UUID
X-Li-Fabric
X-FPC
X-Proxy-CacheRZ
X-CSRF-TOKEN
Test
X-UnsetCookies
X-Traceid
X-ND-Cache
Cf-Int-Pingora-Origin-Digest
X-CUA
X-Cdn-Request-ID
Powered-By
Proxy-Connection
X-Api-Version
X-Time-Microsecs
X-Correlation-ID
Target-Params
X-Fragments
X-Beluga-Trace
X-Beluga-Status
X-RAMCache
Resin-Trace
X-Vcl-Version
X-Webkit-CSP-Report-Only
Server-Id
Tracecode
X-Beluga-Response-Time
X-Beluga-Cache-Status
Cf-Device-Type
User-Agent
X-Beluga-Record
X-Beluga-Node
X-Azure-Ref-OriginShield
X-Fastly-Backend
X-Dmc
X-MSEdge-Features
X-FC-Vary-Parameters
WZWS-RAY
X-HS-Status
X-Sucuri-Cache
X-Var-Ttl
Lfy
X-Sucuri-ID
X-ATG-Version
X-MSEdge-Flight
X-CLOUD-TRACE-CONTEXT
X-ServedByHost
X-URL
X-Platform-Router
X-Via-PopN
X-Render-Time
X-Via-PopV
X-Ha-Backend
X-Via-PopH
X-Platform-Cluster
X-Platform-Processor
X-Geo
X-INCAP-ABP
Rip
X-Li-Proto
X-DynaTrace-JS-Agent
Sid
X-Varnish-Beresp-Status
X-M-Reqid
X-Qnm-Cache
GeoIP-Country-Code
GeoIP-Latitude
X-M-Log
Uri
Srvid
X-NU-AKA-ACS-Version
C-Via
X-Cdn-Forward
MIME-Version
X-PX
Epwk-X-Cache
X-Fetch-By
X-LI-Proto
Click-Count-Action-Start
Tube-Get-Contents
Magicmarker
Click-Count-Error
Tube-Got-Eval
Tube-Got-Results
X-Backend-State
Tube-Return
X-Proxy-Cache-Hk
X-Service
X-CCDN-CacheTTL
X-Hcs-Proxy-Type
X-CCDN-Origin-Time
X-Alfa-Service
Fastly-Drupal-HTML
X-Akamai-Pragma-Client-IP
X-Check-Cacheable
X-TRACE-ID
ENV
Esi-Enabled
X-Fastly-Backend-Reqs
X-Backend-Host
X-Gateway-Skip-Cache
X-Gateway-Cache-Status
X-Gateway-Cache-Key
X-Request-Start
X-Gateway-Request-Id
Cdn
X-ID
X-Esi
X-App
HIT
X-Edge-POP
ServerName
PICS-Label
Server-Ttl
X-Cache-Expires
XServer
X-Thanos
X-Lb-Nocache
X-B3-Traceid-Primal
X-Bip
X-Cache-CFC
X-Srcache-Store-Status
X-MG-S
Srv
X-Srcache-Fetch-Status
X-LiteSpeed-Cache-Control
Section-Io-Id
Section-Io-Origin-Time-Seconds
X-Yottaa-OS
On-Server
X-ElasticPress-Query
Section-Origin-Responded
Section-Io-Origin-Status
Tcn
CF-Cached-On
X-Newrelic-App-Data
WebServer
X-Nc
Inserted-Into-Cache-At
Wpo-Cache-Status
X-Iplb-Request-Id
M-TraceId
X-Vcache
D-Url-Rewrites
X-Acquia-Application-Trace
X-Acquia-Application-UUID
X-Acquia-Purge-Tags
X-Acquia-Site
X-Cache-Config
X-Serial
Wpo-Cache-Message
X-Iplb-Instance
Cf-Ipcountry
X-APP
X-BBC-Origin-Response-Status
X-HostName
Warning
Servedby
X-Request-Url
X-Wp-Cf-Super-Cache
X-Wp-Cf-Super-Cache-Cache-Control
X-Fastly-Cache-Hits
Fastcgi-Cache-Ttl
Cteonnt-Length
X-Dist-Code
X-Storefront-Renderer-Verified
X-Shopify-Generated-Cart-Token
X-LiteSpeed-Tag
Cneonction
X-Dw-Trace-Id
CountryCode
X-Swift-Error
X-IN-APIGATEWAYSSL
X-IN-APIGATEWAY
X-Release
X-B3-Parentspanid
X-Akamai-Request-ID
Content-Script-Type
Ngx
X-Litespeed-Cache-Control
X-CF-Powered-By
X-Snapshot-Date
X-Akamai-ERPolicy
X-Akamai-ERRuleID
Content-Style-Type
X-Back
X-Th-Server
X-Request-URL