SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Master's in Information Security Engineering. The main goal of this project is to find how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.
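The tally described above, as an added example (not the ISC project's code): it parses raw HEAD responses, counts each header name once per site, and shows why names should be case-folded before counting, since the table on this page lists X-Frame-Options and X-FRAME-OPTIONS as separate rows. The sample responses, the `*.example` hosts, the once-per-site counting rule and the misspelling map are constructed assumptions.

```python
from collections import Counter

# Misspelled security headers that appear in the table; browsers ignore them.
# The "intended" header on the right is an assumption about the site's intent.
MISSPELLED = {
    "content-secure-policy": "content-security-policy",
    "x-frame-option": "x-frame-options",
    "referer-policy": "referrer-policy",
}

# Constructed sample HEAD responses (hypothetical hosts, not survey data).
SAMPLE = {
    "a.example": "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: DENY\r\n"
                 "X-XSS-Protection: 1; mode=block\r\nSet-Cookie: a=1\r\n"
                 "Set-Cookie: b=2\r\n\r\n",
    "b.example": "HTTP/1.1 200 OK\r\nserver: Apache\r\nX-FRAME-OPTIONS: SAMEORIGIN\r\n"
                 "X-Xss-Protection: 0\r\nContent-Secure-Policy: default-src 'self'\r\n\r\n",
    "c.example": "HTTP/1.1 301 Moved Permanently\nLocation: https://c.example/\n"
                 "Strict-Transport-Security: max-age=31536000\n"
                 "Referer-Policy: no-referrer\n\n",
}


def header_names(raw, fold=True):
    """Return the set of header names in one raw HEAD response."""
    names = set()
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:                 # lines[0] is the status line
        if line == "":                     # blank line ends the header block
            break
        if line[0] in " \t" or ":" not in line:
            continue                       # folded continuation or malformed line
        name = line.split(":", 1)[0].strip()
        if name:
            # Header field names are case-insensitive, so fold before counting.
            names.add(name.lower() if fold else name)
    return names


def tally(responses, fold=True):
    """Count how many sites sent each header (once per site)."""
    counts = Counter()
    for raw in responses.values():
        counts.update(header_names(raw, fold))
    return counts


def misspelled_security_headers(responses):
    """Map site -> {name sent: intended header} for known misspellings."""
    findings = {}
    for site, raw in responses.items():
        hits = {n: MISSPELLED[n] for n in header_names(raw) if n in MISSPELLED}
        if hits:
            findings[site] = hits
    return findings


if __name__ == "__main__":
    print("case-sensitive:", tally(SAMPLE, fold=False).most_common(4))
    print("case-folded:   ", tally(SAMPLE).most_common(4))
    print("misspelled:    ", misspelled_security_headers(SAMPLE))
```

A site that sends only a misspelled name counts toward the misspelled row and not toward the real header, so it is unprotected even though it appears to have deployed the control.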



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Strict-Transport-Security
Content-Length
X-Content-Type-Options
Link
Last-Modified
Cf-Request-Id
CF-Cache-Status
CF-RAY
ETag
X-XSS-Protection
Accept-Ranges
Expect-CT
Pragma
X-Powered-By
X-Cache
Via
Age
Content-Security-Policy
Report-To
NEL
Alt-Svc
Referrer-Policy
Access-Control-Allow-Origin
Content-Language
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-Served-By
X-UA-Compatible
P3P
X-Download-Options
X-Xss-Protection
X-Request-Id
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Varnish
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-FRAME-OPTIONS
Access-Control-Allow-Credentials
Content-Security-Policy-Report-Only
X-AspNet-Version
X-Runtime
P3p
X-DNS-Prefetch-Control
Accept-CH
Accept-CH-Lifetime
X-Cache-Status
X-Drupal-Cache
X-Ua-Compatible
X-Check
X-Generator
Server-Timing
X-Cacheable
X-Envoy-Upstream-Service-Time
Timing-Allow-Origin
X-Iinfo
X-Request-ID
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-Content-Security-Policy
Feature-Policy
Content-Encoding
X-CDN
Status
X-AspNetMvc-Version
Upgrade
Access-Control-Max-Age
X-Via
X-Amz-Request-Id
X-Amz-Id-2
Host-Header
CF-Ray
Cf-Edge-Cache
Allow
X-Backend
Request-Context
X-UA-Device
Keep-Alive
X-Robots-Tag
X-Server
X-Cache-Group
X-Hacker
X-AH-Environment
X-Turbo-Charged-By
X-Ws-Request-Id
X-Proxy-Cache
X-Age
Xkey
X-Rq
X-Vhost
EagleId
X-Dispatcher
X-Server-Powered-By
X-Amz-Version-Id
X-Varnish-Cache
Grace
Cf-Apo-Via
X-Page-Speed
X-Pingback
X-Swift-SaveTime
X-Swift-CacheTime
Cf-Railgun
X-LiteSpeed-Cache
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Device
Ali-Swift-Global-Savetime
EagleEye-TraceId
X-Aws-Lambda-Call-Status
X-WebKit-CSP
X-CST
X-Dns-Prefetch-Control
X-OneAgent-JS-Injection
X-Backend-Server
Permissions-Policy
X-Readtime
X-Server-Id
X-Response-Time
X-Host
X-Akam-SW-Version
Request-Id
Surrogate-Control
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-HW
X-Nginx-Upstream-Cache-Status
X-Litespeed-Cache
X-Cloud-Trace-Context
X-Node
X-Nginx-Cache-Status
X-Cache-Lookup
X-Application-Context
X-Country-Code
Content-Location
X-Ruxit-JS-Agent
X-Trace
X-Country
Service-Worker-Allowed
X-Url
X-Content-Type
X-Clacks-Overhead
X-Oneagent-Js-Injection
X-Origin-Cache-Key
X-Edge
Accept-Ch-Lifetime
X-Amz-Server-Side-Encryption
X-Rack-Cache
Cross-Origin-Opener-Policy
Cache-Tag
X-FTR-Request-ID
X-Mcache
X-Midtier
X-Mod-Pagespeed
X-MS-InvokeApp
Nginx-Cache
X-PC
X-TtlSet
X-Vname
X-ESI
X-Upstream
X-ECACHE
X-Powered-By-Plesk
Rating
Edge-Control
X-Server-Name
X-Browser-Type
X-D2id
X-Times
X-Element-Page-Cache
Verso
X-Cnection
X-Exp-Id
X-Kinja-Revision
X-Kinja-Server
X-Kinja-Build
X-Kinja
X-GoogleNews-Bot
X-Cdn-Fetch
X-Exp-Variant
X-Ac
SPRequestDuration
SPIisLatency
AR-PoweredBy
AR-ATIME
AR-SID
AR-Request-ID
X-Ruxit-Js-Agent
SPRequestGuid
X-SharePointHealthScore
X-Abt-Application-Version
X-Navigation-Version
X-Vcap-Request-Id
X-B3-TraceId
X-Ser
X-NF-Request-ID
X-GitHub-Request-Id
X-Dw-Request-Base-Id
X-RateLimit-Remaining
X-NWS-LOG-UUID
AR-CACHE
X-Pinterest-Rid
Pinterest-Generated-By
Pinterest-Version
X-Mg-S
X-VARITI-CCR
S
Pagespeed
Display
X-Middleton-Display
X-Sol
X-Client-IP
X-Ttl
Edge-Cache-Tag
X-Server-ID
X-Cache-Key
RTSS
Fastly-Restarts
X-Amzn-Trace-Id
X-Amz-Rid
X-Cache-TTL
X-Powered-CMS
X-Goog-Hash
X-Instrumentation
X-Erf-Bev-Bev
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
X-Erf-Bev-Bev-Is-Generated
Cache-Status
X-Kinsta-Cache
X-Edge-Location-Klb
Accept-Ch
X-Version
Access-Control-Request-Method
X-Recruiting
X-Erf-Stays-Pdp-Viaduct-Migration-Web-V2
X-ARC
Origin-Trial
X-Varnish-TTL
X-TraceId
X-Middleton-Response
X-Content-Digest
Response
X-Webkit-Csp
X-Forwarded-For
Arr-Disable-Session-Affinity
X-T
X-Content-Security-Policy-Report-Only
X-MSEdge-Ref
X-SRCache-Store-Status
X-SRCache-Fetch-Status
Content-MD5
MicrosoftSharePointTeamServices
TP-Cache
X-Accel-Expires
X-Daa-Tunnel
X-Shield-Request-Id
X-Hits
Cross-Origin-Resource-Policy
X-Cached
Front-End-Https
Public-Key-Pins
X-Id
X-FTR-Cache-Status
X-Country-Code-Real
MS-Author-Via
X-FTR-Backend
X-FTR-Backend-Server
X-FTR-Balancer
X-FTR-Expires
X-FastCGI-Cache
X-HS-Content-Id
X-DIS-Request-ID
X-Request-Processing-Time
X-HS-Combine-CSS
X-HS-Cache-Config
Server-Node
X-ORACLE-DMS-RID
X-Request-Received
X-HS-Hub-Id
X-Ua-Browser
Payment
X-Frontend
X-Forwarded-Proto
X-LLID
X-HP-Trace-Id
X-HP-Webp
X-Jurisdiction
Realpath
X-Protected-By
X-GUploader-UploadID
TP-L2-Cache
X-LB-Cache
X-Fastcgi-Cache
Cache-Tags
X-RateLimit-Limit
X-ORACLE-DMS-ECID
X-Distributor
X-Origin-Server
X-Amz-Apigw-Id
X-Amzn-RequestId
X-Request-Handler-Origin-Region
X-Microsite
Count-Hit
X-Page-Id
Referer-Policy
X-Hostname
X-Kong-Upstream-Latency
X-B3-TraceId-Primal
X-Kong-Proxy-Latency
X-Az
X-Activity-Id
MRF-Tech
X-AppVersion
Mrf-Cache-Status
X-Geo-Country
X-Debug-Info
X-Ratelimit-Limit
X-Cluster-Name
X-Www-Served-By
X-Varnish-Backend
X-F-Cache
X-Correlation-Id
Accept-Charset
Fastcgi-Cache
X-NGENIX-Cache
X-App-Server
X-Envoy-Decorator-Operation
Host
X-Varnish-Server
X-XRDS-LOCATION
X-PressLabs-Stats
X-Fastly-Request-Id
X-FB-Debug
X-Ua-Device
X-Goog-Metageneration
X-TTL
Access-Control-Allow-Method
X-RateLimit-Reset
X-Varnish-Ttl
X-Git-Hash
Retry-After
X-TEC-API-ROOT
X-Upgrade-Enabled
X-TEC-API-VERSION
X-TEC-API-ORIGIN
X-Ezoic-Cdn
X-WebKit-CSP-Report-Only
X-Load-Cache
X-CSRF-Token
X-Content-Options
Server-Name
X-Seen-By
X-Contextid
X-Datadog-Parent-Id
X-Px
X-Datadog-Trace-Id
X-Datadog-Sampling-Priority
X-Revision
X-Cache-Control
X-Tt-Trace-Tag
X-Tt-Trace-Host
TCN
X-Amz-Meta-S3cmd-Attrs
Charset
X-Request-Guid
X-Trace-Id
X-Grace
Section-Io-Cache
X-Kinja-CCPA
DC
Cleartype
X-Type
Paypal-Debug-Id
X-B3-Sampled
X-B
X-TT
X-Fb-Rlafr
X-B-Cache
X-App-Environment
X-Signature
Healthy
X-Whom
X-Wix-Request-Id
X-Node-Name
Frame-Options
X-Origin-Cache
X-Mobile
X-Magnolia-Registration
X-Amz-Replication-Status
X-Newrelic-App-Data
X-Rid
X-Azure-Ref
X-EdgeConnect-Cache-Status
X-Goog-Stored-Content-Length
X-Goog-Generation
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
X-Proxy
X-Is-Crawler
X-Aspnet-Duration-Ms
X-Flags
X-Route-Name
X-Providence-Cookie
X-Logged-In
Filterid
X-N
X-Oracle-Dms-Ecid
X-Language
X-WP-CF-Super-Cache
X-WP-CF-Super-Cache-Cache-Control
X-Air-Pt
X-Ratelimit-Remaining
Content-Disposition
Backend
Akamai-GRN
X-Response-Served-From
X-Oracle-Dms-Rid
X-Original-Request-Id
Upgrade-Insecure-Requests
X-Time
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
NGB
X-Template
X-Proxy-Cache-Info
X-ProcessESI
X-Tumblr-Pixel
SD-X-WS
Refresh
X-Rendered-As
X-RemovedCookies
X-Is-Bot
X-Yottaa-Optimizations
X-Varnish-Grace
X-Unique-Id
X-Debug-IsPreview
X-Tumblr-User
X-Yottaa-Metrics
X-Tumblr-Pixel-0
X-Tumblr-Pixel-1
X-Datadog-Sampled
X-Fastly-Request-ID
X-Debug-IsConnected
X-Cache-Age
Ms-Operation-Id
MS-CV
Viewport
X-Servername
X-RTag
Liferay-Portal
X-App-Version
X-UUID
X-Instance
X-Amzn-Remapped-Content-Length
X-IPS-LoggedIn
X-Adobe-Loc
X-Adobe-Content
X-FW-Serve
X-FW-Server
X-FW-Hash
X-FW-Dynamic
X-FW-Static
X-G
X-Cache-Grace
X-Debug
X-FW-Type
X-FW-Version
X-Region
Fastly-SWR
Fastly-SIE
X-User-Agent
From-Origin
X-Cacheable-TTL
X-NYM-Debug-Backend
X-Backend-Name
Country
X-Rule
X-Hl-Ver
X-Cache-Hit
X-Environment-Context
X-L-Path
X-Device-Type
X-Status
X-Jobs
ServerID
Url
X-B3-Traceid
X-CCDN-CacheTTL
X-Via-JSL
X-CCDN-Origin-Time
X-Hcs-Proxy-Type
X-Origin-TTL
Countrycode
X-Origin-CC
X-VC-Cache
WPO-Cache-Message
WPO-Cache-Status
X-INCAP-ABP
Alternate-Protocol
X-Page-View
X-Webkit-CSP
X-B3-SpanId
X-Air-Trace-Id
Surrogate-Key
X-Cache-Status-Check
X-Hosted-By
Version
X-Air-Hostname
X-Air-Source
X-HTML-Minification-Powered-By
X-Akamai-Request-ID2
X-Content-Powered-By
GEO-INFO
X-NODE
Protected
X-Source
CDN-RequestId
X-WP-CF-Super-Cache-Active
Amp-Access-Control-Allow-Source-Origin
X-Akamai-Edgescape
X-Storage
X-Rocket-Nginx-Serving-Static
X-Accel-Version
SRV
OT-Force-Account-Verify
X-Framework
X-Tec-Api-Origin
X-Tec-Api-Root
X-Tec-Api-Version
X-VC
X-Http-Reason
X-Real-IP
Access-Control-Request-Headers
X-Edge-Location
X-Nginx-Cache
X-Cache-Rule
Front
Xet-Cookie
X-CDN-Forward
X-Mode
Webserver
CF-IPCountry
X-Cache-Time
X-Cache-Operation
X-Rewrite-Enabled
AMP-Access-Control-Allow-Source-Origin
X-Upstream-Ht
X-Upstream-Ct
X-Rn-Rsrv
X-UPSTREAM-Address
X-ServerID
X-Xfnlog-Site
Filters
Meta-Geo
X-Httpd
X-Tumblr-Pixel-2
X-Served-From
X-Tumblr-Pixel-3
X-Director
X-Soup
Selected-Fe
X-Varnish-Cache-Hits
X-JoinUs
Accept-Language
X-Origin
X-Timing-Wait
X-Proxy-Build
X-SaId
X-Worker
X-Say-Cacheable
X-Use-Mantle
X-Web-Node
X-Say-TTL
X-Adobe-Source
X-Redis-Cache
Node
X-PHP-Host
X-Cache-Debug
X-Endurance-Cache-Level
X-Detected-As
X-Handled-By
X-Labrador-Cache-Channel
X-Logging-Id
X-SayCDN-TTL
ServedBy
X-Format
Xserver
Section-Io-Id
Azure-SlotName
Azure-Version
Azure-SiteName
DB-Nickname
Azure-InstanceId
X-Tncms
X-GeoCountry
X-GeoCode
X-S
X-BYPASS-REASON
X-Loop
X-RM-Cache-TTL
X-Cms-Context
X-VCT
Property-Id
X-Varnish-Beresp-Grace
X-Varnish-Age
Webcakes-Region
Azure-RegionName
Webcakes-App-Name
X-Server-W
Webcakes-App-Version
X-ProxyCache-Status
TWC-Privacy
Web-Mar-Node
X-ProxyCache-Key
X-No-Session
X-Origin-Hint
X-Skip-Cache
TWC-GeoIP-LatLong
TWC-Locale-Group
TWC-GeoIP-Country
TWC-Connection-Speed
X-Restarts
X-Lambda-Id
TWC-Device-Class
X-Container-Uri
X-Git-Commit
X-Is-Supported-Browser
X-Is-Desktop
X-Cache-Server
X-Generation-Time
X-Is-Tablet
X-Fetched-On
X-Geo-Region
X-Site-Version
X-IPLB-Request-ID
X-DynaTrace
X-VWS-Id
X-AB
X-LJ-Flow-ID
X-Tb
X-Tcp-Rtt
Apigw-Requestid
X-IPLB-Instance
Mn-Server-Ip
Cross-Origin-Embedder-Policy
X-AWS-Id
X-R9-Blue-Green-Version
X-Locale
X-Is-Mobile
X-RCS-CacheZone
X-Browser-Name
X-Vercel-Id
X-Vercel-Cache
X-Ms-Version
X-Platform-Router
X-Cluster
X-Ms-Request-Id
X-Zipkin-Id
X-Cache-Host
X-Reqid
X-Forwarded-Host
X-TT-LOGID
X-Provided-By
X-Proxied
X-Extlb
X-Routing-Service
X-Platform-Cluster
X-Frame-Option
X-Platform-Processor
X-Vcache
X-Webstats-RespID
X-Uri
X-MP-GENERATED-AT
X-Drupal-Cache-Tags
X-Drupal-Cache-Contexts
WP-Super-Cache
X-Origin-Date
CDN-RequestPullSuccess
X-Alternate-Cache-Key
Cache-Tv-Group
CDN-Uid
X-Shopify-Stage
CDN-Cache
CDN-PullZone
CDN-RequestCountryCode
CDN-EdgeStorageId
CDN-CachedAt
CDN-RequestPullCode
X-Storefront-Renderer-Rendered
Source
Fastcgi-Useragent
Priority
X-XRDS-Location
X-Sucuri-Cache
X-Vcl-Version
X-Sql-Duration-Ms
Content-Secure-Policy
X-Sql-Count
X-FB-TRIP-ID
X-Sucuri-ID
X-Sorting-Hat-PodId
X-ShopId
X-Sorting-Hat-ShopId
X-ShardId
Sid
X-Cdn-Origin
X-Generated-By
Onion-Location
Cross-Origin-Embedder-Policy-Report-Only
X-Newrelic-Synthetics
X-SRV
X-Content-Age
X-Urbn-Context-Path
X-Urbn-Site-Id
X-Xrds-Location
Locale
X-Pass-Why
X-Buckets
Atl-Traceid
X-Cluster-Node
S-Rt
X-ECache
WZWS-RAY
X-Thinkindot-L3
X-Shield-Cache-Expires
Thinkindot-CacheControl-Type
Thinkindot-Control
Thinkindot-CacheControl
X-Scope-Id
X-CMSURLCustom
TDXMobile
Cache
X-DataDome
Cross-Origin-Window-Policy
X-LSADC-Cache
X-Use-Magma
X-Proxy-Cache-Status
X-WP-CF-Super-Cache-Cookies-Bypass
X-GEO
X-Cache-Action
X-Cache-Expired-At
X-Ua
HostName
X-Dc
X-Optimistic-Header
Edge-Copy-Time
X-Via-SSL
X-Via-Edge
X-Via-CDN
X-Varnish-Beresp-Ttl
X-TIM-N
X-Epic-Correlation-Id
DCR-Decision-By
Gannett-Cam-Experience-Id
X-Viewer-Country
X-SRCache-Key
DCR-Processing-Time-Ms
X-Varnish-Hostname
X-External-Request-Id
Candidate-Md5Url
X-Platform
X-Ec-GeoHdr
CDCHOST
X-Vdms-Version
Redirect-Candidate
X-Rojux
X-Aed
X-Dispatcher-Server
X-Application
X-A-Wwc
X-A-Dgt
X-A-Ccd
X-A-Dam
X-A-Dcw
X-B-Cookie
X-Bc-Bl
X-Conf
X-D
X-Destination
X-Developer
X-Request-Start
X-Cache-NE
X-BCube-Filmed-By
X-Bl-Debug
X-Cache-Bucket
X-A
X-S-Cookie
Ngx.Var.Host
Origin
Origin-Agent-Cluster
X-Vtex-Remote-Cache
Ngx-Var-Key
X-Ec-Custom-Error
MD5-Digest
Meta-Geo-Continent
X-Ec-Fail
Rendered-Blocks
Req-ID
Type
Vix-Hermes-Req-Id
X-Scheme
X-ScT
T-Server
Server-Host
Sslversion
Surrogated-Key
Lang
X-Vdms-Path
X-PAYTM-SRV-ID
X-Request-URI
X-Connection-Hash
User-Cache-Control
Expiry
Fastly-GeoIP-CountryCode
Environment
X-Correlation-ID
X-Access
Host-ID
X-Mly-Id
X-Branch-Name
Fastly-SSL
X-Request-Time
X-Thanos
Cluster
X-GeoIP-Region-Code
X-GeoIP-Country-Code
X-TH-Server
Content-Style-Type
X-Bip
X-Cache-Id
X-Cache-Info
DSUID
Magicmarker
X-SB
X-Section
Release
X-Gzip
X-Instance-Name
X-SD-PageType
V-Age
X-Op-Id-All
Ssr
X-VCache
X-Human
Pramga
Apple-News-Services-Request-Url
X-Loc
X-Rocket-Build-Number
X-Esi-Check
X-Level-Front-Cache
X-Sigma-Backend
X-TA-CDN-Provider
X-Sigma
NM-Fastcgi-Cache
X-Origin-Time
Content-Script-Type
X-Pool
X-VG-TLSProxy
X-Forwarded-Site
X-VG-WebCache
X-Node-Id
X-Core-Value
X-Generated-On
X-Gdpr
L
X-Debug-Cache-Fetch
X-VServer
A
Apple-News-Services-Handled
Apple-News-Services-Host
Apple-News-Services-Parsed-Url
X-Mg-Request-UUID
X-Nyt-Route
X-Debug-Cache-Store
X-WA-Info
X-We-Are-Hiring
Server-Ext
X-Varnishpool
X-Clientip
X-Varnish-Director
X-Varnish-Beresp-Status
Server-Hostname
X-NMSegId
X-Proxied-Request
X-Fastly-Cache
Sever-Int
X-Pubstack
X-Datadome
X-Service
X-Origin-Response-Time
X-TimeS
X-RateLimit-Remaining-Second
X-RateLimit-Limit-Second
X-NCache
X-Req
X-HS-Content-Campaign-Id
We-Hiring
X-Org
X-Nginx-Cache-Key
X-Request-Host
X-Micro-Cache
Web-Mar-Region
X-Policy
X-Aicache-OS
X-Zen-Fury
X-Ad-Load-Variation
X-Irp-Debug
X-Mvc-Supplant-Cachable
X-ApacheServer
X-Mvc-Supplant-OutputCached
X-Men
X-Contensis-Viewer-Groups
X-Cache-Date
X-UA-Device-Type
X-Cache-Aspx
X-B3-Trace-ID
Canary
X-Old-Content-Length
X-V-Cache
Adler-Geo
X-GeoIP-City
X-SVT-ORM-VERSION
X-SVT-ORM-RULES
Esi-Enabled
Wxu-Next-Hostname
Wxu-Next-Commit
X-Var-Ttl
X-GeoIP
Cache-Provider
C-Via
X-FC-Vary-Parameters
X-PERF
X-Device-Os
X-From
X-Varnish-Authentication
X-Geo-Header
Req-Svc-Chain
Uber-Trace-Id
Wxu-Next-Region
X-DPWN-IS-SECURE
Producers
Platform
X-GoCache-CacheStatus
X-Gen-Mode
X-Hnp-Log
X-Moov-Xdn-Version
True-Client-Country-4JS
X-Moov-T
X-Server-IP
Gh-Request-Id
On-Server
Mail-Subject
Machine
X-Acquia-Purge-Cdn-Unconfigured
Is-Eu
X-Cache-TTL-Remaining
X-Amz-Meta-Cb-Modifiedtime
X-Block-Status
X-BBC-Edge-Cache-Status
X-Auto-Login
Fastly-Drupal-HTML
X-Fastly-Backend
X-Hash
X-Edge-Server
Cache-Key
Tube-Got-Eval
Tube-Got-Results
Tube-Return
X-Proto
RNT-Time
Locid
RNT-Machine
W
X-Cdn-Srv
X-ND-Cache
X-AK-Request-ID
Yak-Timeinfo
Cdnsip
Cdncip
X-Fmm-Version
X-Region-Sid
Country-Code
Tube-Get-Contents
X-Sn-Servicetimems
Click-Count-Error
X-Test
X-Slack-Shared-Secret-Outcome
X-Slack-Backend
Proxy-Firewall
X-App-Name
Cdn-Request-Time
Cf-Device-Type
AKAMAI
X-Wikidot-Static-Cache
Cdn-Host
Click-Count-Action-Start
X-Wikidot-Backend
X-Azure-Ref-OriginShield
X-Parent-Response-Time
X-Eu-Site
X-HN
PFcat
X-Csrf-Jwt
X-VarnishDD-TTL
X-Up
Ha-Gx-Prefs
HA-Ipaddr
L5d-Success-Class
X-CGP
X-Accel-Expires-Debug
X-CacheTTL
Fastly-Backend-Name
X-Date
X-ZONE
X-Amz-Storage-Class
X-Core-Mission
NGX
X-Ah-Environment
X-Tx-Id
X-NGINX-Cache
X-Backend-Instance
X-Owner
Pics-Label
X-LB-ID
IsBot
X-SIPLIST1
X-DC
X-COUNTRY
XM
LB
X-Varnish-Hits
X-Tb-Optimization-Total-Bytes-Saved
X-Lagoon
X-Via-Poph
X-Cache-Backend
X-Via-Popv
X-Origin-Expires
X-HA-Backend
X-API-Version
X-DynaTrace-JS-Agent
X-Via-Popn
X-CACHE-GROUP
X-Servedbyhost
X-Qloud-Router
NtCoent-Length
X-Refresh
X-RID
X-Ratelimit-Reset
Datacenter
X-CF-Lambda-Fn
N-Cache
GeoIp-Country-Code
X-CDN-Cache-Status
X-LB-NoCache
X-CF-Lambda-Version
Expect-Staple
X-UA
X-VHOST
Cdn
RATING
X-Cache-Type
X-Forwarded-Path
X-Tenant
X-Orig-Expires
Xc-Version
X-Shop-Environment
Cdn-Requestid
Cmsid
Cmstype
X-Nananana
X-Gamma-Serve
X-Srv
X-Wa
X-Nc
CloudFront-Viewer-Country
CPC-Cache
Server-ID
Cross-Origin-Opener-Policy-Report-Only
SID
CPC-Age
X-Akamai-Transformed
X-Vmg-Version
X-Via-Fastly
X-B3-Parentspanid
X-Cdn-Diag
X-TX-ID
Cache-Hits
X-Zone
Resin-Trace
Uri
X-Fpc
GeoIP-Latitude
X-Hit
DataCenter
XkeyRZ
X-Proxy-CacheRZ
X-Tt-Logid
X-Nf-Request-Id
User-Agent
X-Location
X-Ig-Origin-Region
X-Client-Ip
Fusion-Deployment-Id
X-Presslabs-Stats
X-B3-Spanid
X-NewRelic-App-Data
Fusion-Template-Id
Fusion-Source
Fusion-Component-Id
CacheControlHeader
X-URL
X-LAGOON
X-CS
Fastly-Drupal-Html
Fusion-Content-Source
Fusion-Content-Id
X-Variation
X-Cloudmap
X-Api-Version
X-Info
X-Fastly-Country-Code
Powered-By
X-Amz-Meta-Opti
True-Client-IP
X-TIME
X-DataCenter
Tcn
Cf-Ipcountry
Lb
MIME-Version
X-Jungle-Id
Mime-Version
Origin-CC
X-Datacenter
X-CUA
Origin-EX
True-Client-Ip
X-Varnish-Beresp-TTL
X-Cdn-Forward
X-Dynatrace-Js-Agent
X-HostName
Srv
X-CACHE-AGE
X-Geo
X-IAuth-Set-Uid
VNS-Age
VNS-Cache
X-User
X-NWS-UUID-VERIFY
X-LiteSpeed-Tag
Load-Balancing
X-Segment-20210421
Debug
X-Cached-By
X-CSRF-TOKEN
Hostname
CDN
X-Render-Time
X-Vc
X-HOST
X-LiteSpeed-Cache-Control
X-Powered-By-VTEX-Cache
X-VTEX-Cache-Server
X-VTEX-Cache-Time
X-FPC
X-Dispatcher-Number
X-AIR-PT
Cache-Name
X-Webkit-Csp-Report-Only
Server-Id
X-Wormhole-Sdk
Cl-Cache
X-Auth-Group-Type
Edge-Cache
Ohc-File-Size
X-MCACHE
Ohc-Cache-HIT
X-Mid
GeoIP-Country-Code
X-NC
X-Ig-Push-State
X-Esi
X-WA
X-Dispatch
X-Litespeed-Tag
X-APP-VERSION
X-NodeID
X-Cdn-Cache-Status
X-Lb-Nocache
Odigeo-Trace-Id
X-Oracle-DMS-ECID
X-Vgn-Hpd-Reason
BehaviorPad-Version
X-Custom-Header
X-ServedByHost
X-Cs
X-Cache-Ttl
X-Lb-Id
X-Pad
X-Via-PopH
X-Fastly-Backend-Reqs
X-Depends
X-Cache-Enabled
CountryCode
X-Via-PopN
X-Ha-Backend
X-Via-PopV
X-PHP-Backend
X-VCL-Version
Ms-Author-Via
X-Litespeed-Cache-Control
X-DefElseHash
X-Proxy-Cache-La3
Server-Info
X-DefHash
X-MSEdge-Features
X-Varnish-CookieHashed-On
X-Cdn-Request-ID
X-Akamai-Pragma-Client-IP
Xkeylog
X-MiniProfiler-Ids
Xkey-La3
X-Varnish-CookieINHashed-On
YJS-ID
X-Varnish-Remaining-TTL
X-MSEdge-Flight
Warning
X-M-Log
Srvid
X-VC-TTL
X-FL-QIT-DEBUG
FSS-Cache
X-FL-EDGE
Location
Time
PICS-Label
Ngx
X-IN-APIGATEWAYSSL
X-IN-APIGATEWAY
X-M-Reqid
OriginIP
Memcached
Memory
X-Acquia-Application-UUID
X-Acquia-Purge-Tags
X-Acquia-Application-Trace
X-Snapshot-Date
My-App
X-Acquia-Site
X-Shopid
X-Sorting-Hat-Podid
X-Sorting-Hat-Shopid
X-Shardid
X-Cache-Version
X-Sucuri-Id
X-Th-Server
X-Wp-Cf-Super-Cache-Cookies-Bypass
X-Fastly-Cache-Hits
CF-Ctrl
X-Lsadc-Cache
CF-Cached-On
X-Internal-Host
Geoip-Latitude
X-RequestId
X-Check-Cacheable
X-Web-Server
X-Serial
Sm-Log-Id
X-Dw-Trace-Id
X-Udemy-Cache-App-Namespace
Akamai-Cache-Status
X-Mg-Cache
X-Service-Response-Time