Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
P3p
X-Check
X-Cacheable
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
X-CONTENT-TYPE-OPTIONS
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CDN
Upgrade
X-XSS-PROTECTION
X-Via
CF-Ray
Access-Control-Max-Age
Server-Timing
X-Ws-Request-Id
X-Cache-Group
X-Dns-Prefetch-Control
X-Turbo-Charged-By
Keep-Alive
X-Backend
Request-Context
EagleId
X-Akamai-Path-Stats
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
X-Amz-Request-Id
Host-Header
X-UA-Device
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
X-Ua-Compatible
CONTENT-SECURITY-POLICY
Allow
X-WebKit-CSP
EagleEye-TraceId
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Nginx-Cache-Status
X-Device
X-OneAgent-JS-Injection
X-Cache-Spec
Cf-Railgun
X-Host
X-Page-Speed
X-Node
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
X-Pingback
Request-Id
Surrogate-Control
X-Backend-Server
Cf-Edge-Cache
X-Readtime
X-Akam-SW-Version
Accept-CH
X-Response-Time
X-Cache-Lookup
X-HW
Xkey
X-Application-Context
X-ASPNET-VERSION
Accept-CH-Lifetime
Content-Location
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Trace
X-Country
Fastly-Restarts
Accept-Ch
Accept-Ch-Lifetime
X-Ruxit-JS-Agent
X-MS-InvokeApp
X-Rack-Cache
X-Mod-Pagespeed
X-PC
X-TtlSet
X-Vname
X-Clacks-Overhead
RTSS
Edge-Control
X-VARITI-CCR
X-ESI
X-Server-Name
X-Amz-Server-Side-Encryption
X-Varnish-TTL
Cache-Tag
X-B3-TraceId
X-Content-Type
X-Vcap-Request-Id
X-Dw-Request-Base-Id
X-Amz-Rid
X-Kinja-Build
X-Exp-Id
X-Kinja-Revision
X-Use-Magma
X-Cdn-Fetch
X-Exp-Variant
X-Kinja
X-Kinja-Server
X-GoogleNews-Bot
Public-Key-Pins
X-Px
X-Cnection
X-D2id
X-Edge
X-Ac
X-Ser
X-Navigation-Version
X-Element-Page-Cache
Verso
Display
X-Middleton-Display
X-Client-IP
Pagespeed
X-Sol
X-FastCGI-Cache
X-Abt-Application-Version
X-Powered-By-Plesk
X-RateLimit-Remaining
X-Version
X-Cache-TTL
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
Service-Worker-Allowed
X-Country-Code
X-Middleton-Response
Response
X-Correlation-Id
X-NF-Request-ID
X-Ttl
Access-Control-Request-Method
X-Goog-Hash
X-Content-Security-Policy-Report-Only
SPIisLatency
SPRequestDuration
X-Kinsta-Cache
AR-Request-ID
AR-SID
AR-PoweredBy
AR-ATIME
X-Edge-Location-Klb
AR-CACHE
X-Cached
X-SharePointHealthScore
SPRequestGuid
X-Powered-CMS
X-Instrumentation
X-Server-Lifecycle-Phase
Edge-Cache-Tag
X-Kraken-Loop-Name
X-Upstream
X-LLID
X-Litespeed-Cache
X-NWS-LOG-UUID
X-TTL
X-Ruxit-Js-Agent
X-Forwarded-For
Nginx-Cache
X-Cache-Key
Content-MD5
X-RateLimit-Limit
X-Id
X-MSEdge-Ref
X-Shield-Request-Id
Mrf-Cache-Status
MRF-Tech
TCN
X-T
X-Recruiting
X-B3-TraceId-Primal
S
X-Daa-Tunnel
X-TEC-API-ROOT
X-TEC-API-VERSION
X-TEC-API-ORIGIN
X-Content-Digest
X-ECACHE
X-Ua-Device
X-DataDome
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Mg-S
X-Jurisdiction
X-HP-Webp
X-HP-Trace-Id
X-Accel-Expires
X-Ezoic-Cdn
X-WebKit-CSP-Report-Only
X-Grace
X-HS-Cache-Config
X-HS-Hub-Id
X-Protected-By
X-HS-Combine-CSS
MS-Author-Via
X-HS-Content-Id
MicrosoftSharePointTeamServices
X-Content
X-Ab
X-Ua-Browser
X-Frontend
X-DynaTrace
X-Request-Received
X-Request-Processing-Time
Server-Node
TP-L2-Cache
TP-Cache
X-Yandex-Sdch-Disable
Front-End-Https
Filters
X-Server-ID
X-PressLabs-Stats
X-Origin-Server
X-Distributor
Fastcgi-Cache
X-Mid
X-Geo-Country
X-Hits
X-Webkit-Csp
X-Microsite
X-Request-Handler-Origin-Region
X-Tt-Trace-Host
X-Tt-Trace-Tag
X-Amzn-Trace-Id
X-LB-Cache
Charset
X-Debug-Info
Cleartype
Host
X-Page-Id
X-F-Cache
Cross-Origin-Opener-Policy
X-B3-Sampled
X-Git-Hash
X-Ratelimit-Reset
X-Forwarded-Proto
X-Cache-Age
X-DIS-Request-ID
X-ORACLE-DMS-ECID
X-Seen-By
X-ORACLE-DMS-RID
Access-Control-Allow-Method
Cache-Status
X-Www-Served-By
Realpath
X-Az
X-Activity-Id
X-AppVersion
X-Pinterest-Rid
Pinterest-Generated-By
Pinterest-Version
ServerID
Accept-Charset
X-Aspnetmvc-Version
X-Oracle-Dms-Ecid
X-Oracle-Dms-Rid
Filterid
X-Mcache
Cache-Tags
X-Fastly-Request-Id
X-Varnish-Age
X-Cluster-Name
X-Nginx-Upstream-Cache-Status
X-Rid
X-Content-Options
X-Type
X-Language
X-App-Environment
X-FB-Debug
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
Retry-After
Server-Name
Country
X-Tb
Viewport
Node
X-Upgrade-Enabled
X-Varnish-Backend
X-User-Agent
X-MCACHE
Paypal-Debug-Id
X-Varnish-Grace
DC
X-TT
X-Signature
X-Drupal-Cache-Tags
X-Origin-Cache
X-Whom
X-B-Cache
X-Wix-Request-Id
X-Goog-Storage-Class
X-Goog-Metageneration
X-Goog-Generation
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-GUploader-UploadID
X-Mobile-URL
X-Oneagent-Js-Injection
X-Flags
X-Aspnet-Duration-Ms
X-VCache
X-B
X-Providence-Cookie
X-Request-Guid
X-Is-Crawler
X-Route-Name
X-XRDS-LOCATION
Protected
Permissions-Policy
X-NWS-UUID-VERIFY
X-Debug
Fastcgi-Useragent
X-Cache-NGX
X-Logged-In
X-Amz-Meta-S3cmd-Attrs
X-Amz-Replication-Status
X-N
WPO-Cache-Status
Payment
WPO-Cache-Message
X-Via-JSL
X-Load-Cache
X-XRDS-Location
Surrogate-Key
X-Contextid
X-Cache-Control
Amp-Access-Control-Allow-Source-Origin
Count-Hit
X-Webkit-CSP
Healthy
X-Node-Name
X-Browser-Type
X-Erf-Bev-Bev-Is-Generated
X-Erf-Bev-Bev
X-Template
X-FW-Server
X-FW-Type
X-FW-Static
X-FW-Serve
X-FW-Dynamic
X-FW-Hash
X-Fastcgi-Cache
X-Original-Request-Id
X-Response-Served-From
SD-X-WS
X-Mobile
Content-Disposition
Akamai-GRN
Refresh
X-Restarts
X-Cache-Time
X-G
X-Proxy
Url
X-NGENIX-Cache
X-UUID
X-Akamai-Request-ID2
X-Revision
Uber-Trace-Id
Alternate-Protocol
X-Real-IP
X-Jobs
X-Cache-TTL-Remaining
VIX-Pulpo-Upstream-Status
X-Adobe-Content
X-Device-Type
X-Debug-IsConnected
X-Zen-Fury
X-Debug-IsPreview
X-Rendered-As
X-Drupal-Cache-Contexts
X-Framework
X-Proxy-Cache-Status
X-Adobe-Loc
X-Servername
NGB
VIX-Pulpo-Node
X-Is-Bot
X-Instance
X-Cache-Grace
X-Http-Reason
X-Hostname
X-Yottaa-Metrics
Access-Control-Request-Headers
X-Page-View
X-Yottaa-Optimizations
X-Cacheable-TTL
X-Fastly-Request-ID
X-Mg-Request-UUID
X-Trace-Id
X-ECache
X-Varnish-Server
X-IPLB-Instance
X-Midtier
X-B3-Traceid
Version
X-Environment-Context
X-L-Path
X-EdgeConnect-Cache-Status
X-Source
Accept-Language
X-HTML-Minification-Powered-By
Countrycode
X-RTag
Ms-Operation-Id
MS-CV
Frame-Options
X-Cache-Hit
X-Cache-Rule
X-Vgn-Hpd-Reason
From-Origin
Referer-Policy
X-Ratelimit-Remaining
X-Cache-Expired-At
X-NYM-Debug-Backend
Liferay-Portal
X-App-Server
Cross-Origin-Window-Policy
X-Tumblr-Pixel-1
X-Tumblr-Pixel-0
Backend
X-Tumblr-User
X-Tumblr-Pixel
X-APP-VERSION
X-COUNTRY
X-IPS-LoggedIn
X-Datadome
X-FW-Version
Content-Secure-Policy
X-Nginx-Cache
X-Hosted-By
X-UPSTREAM-Address
Meta-Geo
X-Cache-Server
X-RN-RSRV
X-Unique-Id
X-Parallel-Accel
X-NewRelic-App-Data
X-PCL
X-Redis-Cache
X-Ua
X-Cache-Enabled
Section-Io-Cache
X-No-Session
Upgrade-Insecure-Requests
X-OCL
X-Generation-Time
WP-Super-Cache
X-Format
Azure-RegionName
Azure-SiteName
X-ProcessESI
X-Akamai-Edgescape
X-Origin-Date
X-Content-Age
X-Access
X-Mode
Apigw-Requestid
Azure-InstanceId
X-Via-Fastly
X-UA-Device-Type
X-Region
Mn-Server-Ip
X-Cluster-Node
X-Server-W
Azure-Version
X-RemovedCookies
S-Rt
X-Be
X-Section
CF-IPCountry
X-Uri
Azure-SlotName
X-Sorting-Hat-PodId
TWC-GeoIP-Country
Property-Id
Locale
Eomportal-Instance
TWC-Device-Class
TWC-Connection-Speed
X-Sorting-Hat-ShopId
Cache-Tv-Group
X-Varnish-Cache-Hits
X-Say-Cacheable
X-Request-Time
X-Content-Powered-By
X-Say-TTL
X-SayCDN-TTL
X-Site-Version
X-Shopify-Stage
X-Debug-Cache
X-ProxyCache-Status
X-PERF
X-Origin-Hint
X-Locale
X-Generated-By
X-Forwarded-Host
X-ProxyCache-Key
X-PHP-Backend
X-Status
X-Storage
Webcakes-App-Version
Webcakes-Region
X-Sql-Duration-Ms
Webcakes-App-Name
X-Labrador-Cache-Channel
X-PHP-Host
TWC-Locale-Group
X-Sql-Count
Fastly-SSL
X-Urbn-Site-Id
X-Urbn-Context-Path
X-Cache-Host
X-BYPASS-REASON
X-ApacheServer
X-AOL-HN
X-Xfnlog-Site
TWC-GeoIP-LatLong
TWC-Privacy
X-ShopId
X-ShardId
X-Alternate-Cache-Key
X-ServerID
X-Backend-Name
X-SaId
X-Proxied
X-Nginx-Cache-Key
X-Routing-Service
X-Cache-Tags
X-Web-Node
Ec-Rule-Version
X-Zipkin-Id
X-Adobe-Source
X-JoinUs
X-Cms-Context
X-Platform-Server
X-Extlb
X-VWS-Id
X-Detected-As
X-Cache-Action
X-Cache-Type
X-LJ-Flow-ID
X-AWS-Id
X-VC-Cache
X-Tid
X-Human
X-Hl-Ver
X-FB-TRIP-ID
X-Varnishpool
X-GG-Cache-Date
CDN-Uid
CDN-Cache
X-Handled-By
Load-Balancing
CDN-EdgeStorageId
CDN-CachedAt
CDN-RequestCountryCode
CDN-PullZone
CDN-RequestId
X-Edge-Location
X-Timing-Wait
X-Proxy-Build
X-Storefront-Renderer-Rendered
Selected-Fe
Webserver
X-GeoCountry
X-Proto
X-GeoCode
SRV
ServedBy
Fastly-Drupal-Html
X-LSADC-Cache
X-Ratelimit-Limit
Web-Mar-Node
X-Hyper-Cache
X-CDN-Forward
Mime-Version
X-Rule
Onion-Location
X-Dc
X-Cache-Operation
X-Cached-By
X-GEO
X-TT-LOGID
SID
X-Rewrite-Enabled
X-Cache-Remote
X-Varnish-Hostname
Cache-Hits
X-App-Version
X-Cdn
X-Varnish-Ttl
X-SRV
Xserver
X-Cluster
X-Soup
X-Pubstack
X-Accel-Buffering
X-Origin-CC
X-Varnish-Hits
X-Reqid
X-Origin-TTL
X-TA-CDN-Provider
Country-Code
X-Magnolia-Registration
X-Envoy-Decorator-Operation
Xet-Cookie
X-Microcachable
Server-Info
LB
X-IPLB-Request-ID
X-Tumblr-Pixel-2
X-Air-Source
X-Buckets
X-Air-Hostname
X-Air-Trace-Id
X-MP-GENERATED-AT
X-Tumblr-Pixel-3
Decoy-Debug-Status
Decoy-Debug-TTL
Decoy-Debug-Key
X-Request-Host
Cache
X-CSRF-Token
DB-Nickname
X-Ms-Request-Id
X-Newrelic-Synthetics
X-Ms-Version
Source
X-Amzn-RequestId
X-Amz-Apigw-Id
X-Tx-Id
X-Tt-Logid
X-B3-SpanId
X-Endurance-Cache-Level
X-Conf
Host-ID
X-CF-Lambda-Version
X-PBS-Appsvrname
X-Processor
Fastcgi-X-Cache-Version
Expiry
X-CF-Lambda-Fn
X-Connection-Hash
X-Developer
A
X-Geo-Header
X-Gzip
X-Hash
X-HS-Content-Campaign-Id
X-Ec-Fail
X-Via-NSCOPI
X-Epic-Correlation-Id
X-Esi-Check
X-Ec-GeoHdr
X-Forwarded-Path
X-Ftr-Request-Id
X-Ig-Push-State
BehaviorPad-Version
X-Orig-Expires
Cmstype
DCR-Decision-By
DCR-Processing-Time-Ms
X-D
Cmsid
X-Vtex-Processado-Em
X-Destination
Cdncip
Cdnsip
X-NAPM-TraceId
X-PAYTM-SRV-ID
Mobile-Detection-Method
X-AK-Request-ID
X-TIM-N
X-TrackingId
X-User
Sslversion
X-Tenant
X-Application
Xc-Version
X-B-Cookie
Lang
Rendered-Blocks
X-SRCache-Key
Surrogated-Key
X-Aed
X-Vtex-Remote-Cache
X-A-Dam
X-VG-WebCache
X-A-Ccd
X-A
X-A-Dcw
X-Vdms-Version
T-Server
X-Time
X-A-Wwc
X-A-Dgt
X-Vdms-Path
X-Shop-Environment
X-ARC
X-S
X-S-Cookie
NM-Fastcgi-Cache
MD5-Digest
X-Rojux
X-Cache-Id
X-External-Request-Id
Meta-Geo-Continent
X-Cache-NE
X-ScT
Odigeo-Trace-Id
X-Cdn-Srv
X-Session-Fingerprint
X-SD-PageType
X-RCS-CacheZone
X-Bc-Bl
X-Origin-Response-Time
X-NCache
X-Core-Mission
Adler-Geo
We-Hiring
Is-Eu
X-Skip-Cache
X-CacheTTL
Mail-Subject
Memcached
X-Clara-WADP
State
X-DefHash
X-Cache-Bucket
Environment
X-DefElseHash
X-Cache-Backend
Pramga
Producers
Server-Host
X-Amzn-Remapped-Content-Length
X-Cache-Info
Fastly-GeoIP-CountryCode
AKAMAI
X-DPWN-IS-SECURE
X-Developers
Platform
X-Core-Value
X-Nyt-Route
X-NodeID
X-Variation
X-Server-IP
X-Node-Id
X-Mvc-Supplant-Cachable
X-Varnish-Remaining-TTL
X-Varnish-CookieHashed-On
X-Origin
X-Origin-Expires
X-Sigma
X-Sigma-Backend
X-Worker
X-SVT-ORM-RULES
X-Origin-Time
X-SVT-ORM-VERSION
X-Irp-Debug
X-Varnish-CookieINHashed-On
X-Gdpr
X-Rocket-Build-Number
X-Fmm-Version
X-Fastly-Cache
X-Via-Ucdn
X-GeoIP
X-Scheme
X-WADP-Cache
X-SB
Cache-Name
X-Azure-Ref
CDN
X-SIPLIST1
Kp-EeAlive
X-Region-Sid
X-Request-URI
X-Block-Status
X-Has-Esi
X-Rocket-Nginx-Serving-Static
X-Branch-Name
X-Cache-Date
X-V-Cache
Wxu-Next-Region
X-VG-TLSProxy
Wxu-Next-Hostname
Wxu-Next-Commit
X-Viewer-Country
Web-Mar-Region
X-VarnishDD-TTL
X-Wikidot-Backend
X-Sn-Servicetimems
X-Auto-Login
X-Thinkindot-L3
X-Wikidot-Static-Cache
X-Aicache-OS
X-Is-Gdpr
X-Slack-Backend
X-JWT-State
X-Minions-Version
X-Loc
X-LAGOON
X-Httpd
X-Datadog-Trace-Id
X-BCube-Filmed-By
X-Planisys-CDN-Cache
X-Datadog-Parent-Id
X-Datadog-Sampling-Priority
X-Device-Os
X-Dispatcher-Number
X-Gamma-Serve
X-Forwarded-Site
X-Fetched-On
X-Gen-Mode
X-GeoIP-City
X-Hnp-Log
X-Ec-Custom-Error
X-HN
X-Planisys-CDN-Rules
X-Csrf-Jwt
X-Eu-Site
X-Loop
X-CGP
X-Proxy-Upstream
X-Cdn-Origin
X-Rebelmouse-Cache-Control
X-RateLimit-Remaining-Second
X-RateLimit-Limit-Second
X-Proxy-Cache-Info
X-TNCMS
X-Pod-Name
Candidate-Md5Url
X-Planisys-CDN-TTL
X-Policy
Cache-Key
X-Ckpd-Fst-Backend
Vix-Hermes-Req-Id
X-Wix-Viewer-Type
X-Rebelmouse-Surrogate-Control
X-BBC-Edge-Cache-Status
Origin
CloudFront-Viewer-Country
Cluster
Origin-CC
Origin-EX
Ohc-File-Size
Fastcgi-Cache-TTL
PFcat
HostName
Machine
Gh-Request-Id
Fastly-SWR
Fastly-SIE
Ha-Gx-Prefs
HA-Ipaddr
L5d-Success-Class
L
IsBot
Redirect-Candidate
CDCHOST
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
TDXMobile
Thinkindot-Control
Apple-News-Services-Host
User-Cache-Control
Apple-News-Services-Handled
Traceparent
V-Age
Apple-News-Services-Parsed-Url
Svr
Apple-News-Services-Request-Url
X-R9-Blue-Green-Version
Req-Svc-Chain
Release
Ssr
X-Cache-Status-Check
X-Varnish-Beresp-Grace
NGX
DynaTrace
X-Webstats-RespID
DSUID
X-Pool
X-Platform
X-Level-Front-Cache
X-Qloud-Router
X-Optimistic-Header
Datacenter
Server-Ext
CPC-Age
CPC-Cache
VNS-Age
Server-Hostname
X-Generated-On
X-Ad-Defer-Variation
GEO-INFO
Sever-Int
VNS-Cache
X-SplitTest
N-Cache
X-From
X-Served-From
X-Scale
XM
X-VServer
X-ZONE
X-Location
X-WP-CF-Super-Cache-Cache-Control
X-WP-CF-Super-Cache
X-Refresh
Pics-Label
X-CS
X-WA-Info
Fastly-Backend-Name
X-Owner
X-VC
X-CACHE-KEY
X-Tb-Optimization-Total-Bytes-Saved
X-NC
X-Parent-Response-Time
Locid
X-Contensis-Viewer-Groups
X-Cache-ASPX
Env
X-Ah-Environment
Ms-Author-Via
X-EC-Lua
Servername
X-LB-NoCache
X-Udemy-Cache-App-Namespace
X-Varnish-Authentication
X-Response-By
Arc-Country
X-Men
X-Micro-Cache
AMP-Access-Control-Allow-Source-Origin
X-AIR-PT
X-Mvc-Supplant-OutputCached
Memory
X-Edge-Pop
X-Old-Content-Length
X-Amz-Meta-Cb-Modifiedtime
Time
Path
X-Servedbyhost
Lb
X-Tec-Api-Origin
X-TIME
X-Tec-Api-Root
X-Xrds-Location
X-Tec-Api-Version
X-DI
X-DSS
X-Via-Popv
X-Generated-In
X-DW
X-Via-Popn
X-RSL
X-RPM
X-Via-Poph
Cache-Host
Ngx.Var.Host
X-DB
X-TraceId
X-RPS
X-Srv
Ohc-Cache-HIT
X-Date
X-Trace-ID
ITXSESSIONID
X-Accel-Expires-Debug
X-Akamai-Transformed
X-HA-Backend
X-Api-Version
X-RateLimit-Reset
X-Varnish-Beresp-TTL
GeoIp-Country-Code
X-VCL-Version
X-GeoIP-Country-Code
Client
X-S-Maxage
X-GeoIP-Region-Code
X-DC
X-Proxy-CacheRZ
XkeyRZ
X-Vc
True-Client-IP
X-Cache-Debug
X-Clientip
FSS-Cache
X-API-Version
X-VHOST
X-Cs
Server-ID
Geoip-Latitude
Fusion-Component-Id
X-Zone
Fusion-Deployment-Id
Fusion-Content-Id
Fusion-Content-Source
Fusion-Source
Fusion-Template-Id
Hostname
CacheControlHeader
X-Presslabs-Stats
X-Fpc
X-Dmc
X-TH-Server
X-FireWall-Port
True-Client-Country-4JS
X-Action
X-Webkit-Csp-Report-Only
X-Render-Time
X-MSEdge-Features
X-Traceid
Powered-By
X-MSEdge-Flight
X-Backend-TTL
X-TX-ID
X-INCAP-ABP
X-PX
X-B3-Spanid
NtCoent-Length
Geo-Info
X-DynaTrace-JS-Agent
Edge-Cache
Rip
X-Gateway-Cache-Key
C-Via
X-Req
Test
X-Gateway-Cache-Status
X-Service
Tcn
X-Gateway-Skip-Cache
X-Gateway-Request-Id
X-NGINX-Cache
X-M-Reqid
X-Qnm-Cache
Click-Count-Error
Click-Count-Action-Start
X-FPC
X-Cdn-Request-ID
Tube-Get-Contents
Tube-Got-Eval
Esi-Enabled
My-App
Tube-Return
Tube-Got-Results
X-M-Log
X-CSRF-TOKEN
X-Pass-Why
X-Correlation-ID
X-Origin-Upstream-Status
On-Server
User-Agent
X-Webkit-CSP-Report-Only
X-HS-Status
X-Beluga-Cache-Status
HIT
X-Beluga-Node
X-Beluga-Status
X-Beluga-Trace
Server-Id
X-Beluga-Response-Time
X-Beluga-Record
X-Alfa-Service
Uri
X-Provided-By
X-Vcl-Version
X-Up
Cf-Int-Pingora-Origin-Digest
X-TRACE-ID
X-Via-PopN
Resin-Trace
X-Via-PopV
Proxy-Connection
GeoIP-Country-Code
X-URL
X-Via-PopH
X-Akamai-Pragma-Client-IP
X-LB-ID
X-Check-Cacheable
X-Ha-Backend
GeoIP-Latitude
Srvid
OT-Force-Account-Verify
X-CLOUD-TRACE-CONTEXT
X-Varnish-Beresp-Ttl
Sid
X-APP
X-Proxy-Cache-Hk
X-Edge-Origin-Shield-Bytes
Srv
X-Li-Pop
X-RAMCache
X-CCDN-Origin-Time
Epwk-X-Cache
X-CCDN-CacheTTL
X-UnsetCookies
X-Hcs-Proxy-Type
X-ServedByHost
X-LI-UUID
X-LI-Proto
Cdn
X-Li-Fabric
X-Cdn-Forward
X-Edge-Origin-Shield-Region
WebServer
DataCenter
X-Geo
WZWS-RAY
X-Edge-POP
X-ND-Cache
M-TraceId
X-Time-Microsecs
X-Backend-Host
X-Fetch-By
MIME-Version
X-SERVER-NAME
Warning
X-Esi
ENV
X-CUA
X-App
X-Lb-Nocache
ServerName
Server-Ttl
X-Fastly-Backend-Reqs
Cf-Device-Type
XServer
X-B3-Traceid-Primal
X-MG-S
Fastly-Drupal-HTML
X-HostName
X-Dw-Trace-Id
DT-Hot-News
X-ATG-Version
Target-Params
X-Azure-Ref-OriginShield
Tracecode
PICS-Label
X-ElasticPress-Query
X-Fragments
X-Serial
X-Newrelic-App-Data
Section-Io-Id
Section-Io-Origin-Status
Section-Origin-Responded
X-Yottaa-OS
X-Request-Url
X-HITS
X-LiteSpeed-Cache-Control
CF-Cached-On
X-Platform-Router
Section-Io-Origin-Time-Seconds
X-Platform-Processor
X-Platform-Cluster
X-FC-Vary-Parameters
D-Url-Rewrites
X-Iplb-Instance
Dt-Hot-News
Inserted-Into-Cache-At
Lfy
X-Fastly-Backend
X-Iplb-Request-Id
True-Client-Ip
X-Sucuri-ID
X-Sucuri-Cache
X-CF-Powered-By
X-Var-Ttl
Cf-Ipcountry
X-Vcache
X-Nc
Wp-Super-Cache
Servedby
X-Air-Pt
Cdn-Pullzone
Cdn-Uid
Cdn-Requestcountrycode
Cdn-Edgestorageid
Cdn-Cachedat
Cdn-Requestid
Cdn-Cache
X-Bip
X-Akamai-Request-ID
X-Wp-Cf-Super-Cache-Cache-Control
Vha6-Origin
X-Vercel-Cache
X-IN-APIGATEWAY
X-Thanos
Hit
X-IN-APIGATEWAYSSL
X-Vercel-Id
Cneonction
X-Release
X-BBC-Origin-Response-Status
X-Storefront-Renderer-Verified
X-Th-Server
X-Back
X-NU-AKA-ACS-Version
Content-Script-Type
Content-Style-Type
X-Request-URL
X-Dist-Code
X-Varnish-Beresp-Status
Fastcgi-Cache-Ttl
X-Fastly-Cache-Hits
Ngx
X-Cache-Expires
X-Snapshot-Date
CountryCode
X-Wp-Cf-Super-Cache