Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
Alt-Svc
X-UA-Compatible
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Cacheable
X-Check
Timing-Allow-Origin
X-Request-ID
P3p
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-CONTENT-TYPE-OPTIONS
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
Keep-Alive
Request-Context
EagleId
X-Age
X-Dns-Prefetch-Control
X-Server
X-Robots-Tag
X-AH-Environment
X-Amz-Request-Id
X-UA-Device
X-Proxy-Cache
Host-Header
X-Amz-Id-2
X-Hacker
X-Akamai-Path-Stats
Grace
X-Rq
X-Swift-SaveTime
X-Swift-CacheTime
X-Server-Powered-By
X-Varnish-Cache
Ali-Swift-Global-Savetime
X-Vhost
X-Amz-Version-Id
X-LiteSpeed-Cache
X-Ua-Compatible
CONTENT-SECURITY-POLICY
X-Dispatcher
EagleEye-TraceId
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
Allow
X-OneAgent-JS-Injection
X-WebKit-CSP
X-Nginx-Cache-Status
X-Device
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-CST
X-Pingback
X-Aws-Lambda-Call-Status
Surrogate-Control
Request-Id
X-Server-Id
X-Backend-Server
Accept-CH
X-Akam-SW-Version
X-Readtime
Cf-Edge-Cache
X-Cache-Lookup
X-Response-Time
X-HW
Xkey
X-Application-Context
Content-Location
X-ASPNET-VERSION
X-Cloud-Trace-Context
Rating
Accept-CH-Lifetime
X-Url
X-Trace
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
Accept-Ch-Lifetime
X-Country
Fastly-Restarts
X-MS-InvokeApp
X-Mod-Pagespeed
X-Ruxit-JS-Agent
X-Rack-Cache
X-TtlSet
X-Vname
X-PC
X-Clacks-Overhead
X-Server-Name
RTSS
Edge-Control
X-Varnish-TTL
X-VARITI-CCR
X-ESI
Accept-Ch
X-B3-TraceId
X-Content-Type
Cache-Tag
X-Vcap-Request-Id
X-Amz-Server-Side-Encryption
X-Cdn-Fetch
X-Kinja-Server
X-Kinja-Revision
X-Kinja-Build
X-Use-Magma
X-Kinja
X-GoogleNews-Bot
X-Exp-Id
X-Exp-Variant
X-Amz-Rid
X-Dw-Request-Base-Id
Public-Key-Pins
X-Cnection
X-Px
X-Ac
X-RateLimit-Remaining
X-D2id
X-Element-Page-Cache
Verso
X-Navigation-Version
X-Abt-Application-Version
X-Client-IP
X-Edge
X-Powered-By-Plesk
X-Cache-TTL
X-Sol
X-Middleton-Display
Pagespeed
Display
X-Ser
X-Version
Service-Worker-Allowed
Arr-Disable-Session-Affinity
X-FastCGI-Cache
X-GitHub-Request-Id
X-Country-Code
Response
X-Middleton-Response
X-NF-Request-ID
Access-Control-Request-Method
X-Goog-Hash
X-Correlation-Id
X-Ruxit-Js-Agent
X-Kinsta-Cache
SPRequestDuration
SPIisLatency
X-Webkit-Csp
X-TTL
X-Edge-Location-Klb
AR-PoweredBy
AR-CACHE
AR-Request-ID
AR-ATIME
AR-SID
X-Ttl
X-Upstream
X-Cached
X-NWS-LOG-UUID
X-RateLimit-Limit
X-LLID
X-Powered-CMS
SPRequestGuid
X-SharePointHealthScore
X-Instrumentation
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
X-Cache-Key
Edge-Cache-Tag
X-Litespeed-Cache
Nginx-Cache
TCN
X-Content-Security-Policy-Report-Only
X-Forwarded-For
X-MSEdge-Ref
Content-MD5
Mrf-Cache-Status
MRF-Tech
X-Id
X-Shield-Request-Id
X-Server-ID
X-B3-TraceId-Primal
X-Daa-Tunnel
X-T
MS-Author-Via
X-Recruiting
S
X-Content-Digest
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-Ua-Device
X-TEC-API-VERSION
X-DataDome
X-Mg-S
X-Protected-By
X-HP-Trace-Id
X-HP-Webp
X-Jurisdiction
X-Accel-Expires
X-Ezoic-Cdn
X-SRCache-Store-Status
X-SRCache-Fetch-Status
MicrosoftSharePointTeamServices
X-HS-Hub-Id
X-HS-Combine-CSS
X-HS-Content-Id
X-HS-Cache-Config
X-Ab
X-Frontend
X-Content
X-Grace
X-Ua-Browser
X-ECACHE
X-Request-Processing-Time
Front-End-Https
X-Request-Received
Server-Node
X-Yandex-Sdch-Disable
Filters
X-DynaTrace
X-Mid
X-PressLabs-Stats
Fastcgi-Cache
X-Geo-Country
X-Origin-Server
TP-L2-Cache
TP-Cache
X-Hits
X-Distributor
X-Debug-Info
X-ORACLE-DMS-ECID
X-Microsite
X-Request-Handler-Origin-Region
X-Amzn-Trace-Id
Cross-Origin-Opener-Policy
Charset
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-ORACLE-DMS-RID
Cleartype
X-DIS-Request-ID
X-WebKit-CSP-Report-Only
X-F-Cache
X-Git-Hash
X-Page-Id
Host
X-LB-Cache
Pinterest-Generated-By
Pinterest-Version
X-B3-Sampled
X-Pinterest-Rid
X-Ratelimit-Reset
X-Www-Served-By
X-Cache-Age
X-Forwarded-Proto
Access-Control-Allow-Method
ServerID
X-Seen-By
Cache-Status
X-Activity-Id
X-Cluster-Name
Cache-Tags
X-AppVersion
X-Az
X-Aspnetmvc-Version
Realpath
X-Varnish-Age
X-Oracle-Dms-Ecid
X-Language
Accept-Charset
X-Oracle-Dms-Rid
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-Rid
Filterid
X-MCACHE
X-Nginx-Upstream-Cache-Status
X-Type
Server-Name
X-Content-Options
X-App-Environment
Country
X-Varnish-Grace
X-Fastly-Request-ID
Viewport
X-Upgrade-Enabled
Retry-After
Node
X-Origin-Cache
X-B-Cache
X-Signature
X-Mobile-URL
X-Tb
X-FB-Debug
X-NWS-UUID-VERIFY
X-Whom
X-User-Agent
X-Route-Name
X-Request-Guid
X-Is-Crawler
Paypal-Debug-Id
X-Drupal-Cache-Tags
X-Flags
DC
X-Aspnet-Duration-Ms
X-Providence-Cookie
X-Wix-Request-Id
X-Goog-Metageneration
X-TT
X-Varnish-Backend
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-GUploader-UploadID
X-Goog-Storage-Class
X-Goog-Generation
X-VCache
Protected
Fastcgi-Useragent
X-XRDS-LOCATION
X-Via-JSL
X-B
X-N
X-Amz-Replication-Status
X-Cache-NGX
X-Fastcgi-Cache
X-Debug
X-Contextid
Payment
X-Logged-In
X-Mcache
X-Load-Cache
WPO-Cache-Status
WPO-Cache-Message
X-Template
X-Fastly-Request-Id
Surrogate-Key
X-Amz-Meta-S3cmd-Attrs
Amp-Access-Control-Allow-Source-Origin
X-FW-Serve
X-FW-Type
X-FW-Static
X-FW-Hash
X-Cache-Control
Count-Hit
X-FW-Dynamic
X-FW-Server
X-Node-Name
Healthy
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Browser-Type
X-XRDS-Location
X-Hostname
Permissions-Policy
SD-X-WS
X-G
X-Original-Request-Id
X-Response-Served-From
X-Revision
X-Proxy
X-UUID
X-Mobile
X-Jobs
X-Cache-Time
Content-Disposition
Refresh
X-Zen-Fury
X-Trace-Id
X-Cacheable-TTL
X-Akamai-Request-ID2
X-Rendered-As
X-Cache-TTL-Remaining
X-Real-IP
Uber-Trace-Id
X-Framework
X-Is-Bot
Akamai-GRN
X-Http-Reason
Access-Control-Request-Headers
X-Page-View
X-Adobe-Content
X-Adobe-Loc
X-Proxy-Cache-Status
VIX-Pulpo-Node
NGB
VIX-Pulpo-Upstream-Status
X-Yottaa-Optimizations
X-Device-Type
X-Drupal-Cache-Contexts
Alternate-Protocol
X-Debug-IsPreview
X-Instance
X-Debug-IsConnected
X-Yottaa-Metrics
Url
X-Servername
X-IPLB-Instance
X-ECache
X-Cache-Grace
X-Cache-Rule
X-B3-Traceid
Version
X-Source
X-Varnish-Server
From-Origin
X-Mg-Request-UUID
X-Restarts
X-L-Path
X-Environment-Context
X-NGENIX-Cache
X-Parallel-Accel
X-Vgn-Hpd-Reason
X-Oneagent-Js-Injection
X-EdgeConnect-Cache-Status
Accept-Language
X-Cache-Hit
X-Cache-Expired-At
Countrycode
MS-CV
X-RTag
Ms-Operation-Id
Referer-Policy
X-HTML-Minification-Powered-By
Frame-Options
X-App-Server
X-Tumblr-Pixel
X-Tumblr-Pixel-0
Liferay-Portal
X-NYM-Debug-Backend
X-FW-Version
Backend
X-Tumblr-Pixel-1
Cross-Origin-Window-Policy
X-Tumblr-User
X-IPS-LoggedIn
X-COUNTRY
X-Cache-Action
X-Nginx-Cache
Content-Secure-Policy
X-RemovedCookies
X-ProcessESI
Upgrade-Insecure-Requests
CF-IPCountry
X-Datadome
Section-Io-Cache
X-RN-RSRV
X-Cache-Server
Cache-Tv-Group
X-UPSTREAM-Address
X-Redis-Cache
Meta-Geo
X-UA-Device-Type
X-Webkit-CSP
X-Ua
Ec-Rule-Version
X-OCL
X-Content-Age
X-Hosted-By
X-Varnish-Cache-Hits
X-Human
X-Section
X-Format
X-Generation-Time
X-No-Session
X-FB-TRIP-ID
X-Say-TTL
X-Cache-Type
X-Access
X-Say-Cacheable
X-Request-Time
X-Region
X-Cache-Enabled
X-Web-Node
X-Detected-As
X-AOL-HN
X-PCL
X-APP-VERSION
X-SayCDN-TTL
Azure-RegionName
X-Cluster-Node
X-Site-Version
Azure-Version
Azure-SlotName
Azure-SiteName
Webcakes-Region
X-ProxyCache-Status
X-Urbn-Context-Path
Apigw-Requestid
X-Be
X-BYPASS-REASON
X-Uri
X-Urbn-Site-Id
Azure-InstanceId
X-Sql-Count
X-Server-W
X-Akamai-Edgescape
Locale
TWC-Device-Class
X-Generated-By
X-Sql-Duration-Ms
S-Rt
X-Origin-Date
TWC-Locale-Group
X-Storage
TWC-GeoIP-LatLong
TWC-GeoIP-Country
X-Origin-Hint
Property-Id
X-Via-Fastly
Fastly-SSL
X-ProxyCache-Key
X-Content-Powered-By
Webcakes-App-Name
X-PHP-Backend
Mn-Server-Ip
TWC-Privacy
X-Nginx-Cache-Key
Webcakes-App-Version
TWC-Connection-Speed
WP-Super-Cache
X-Mode
CDN-RequestCountryCode
CDN-RequestId
CDN-Uid
X-Debug-Cache
CDN-PullZone
CDN-EdgeStorageId
X-Cache-Tags
CDN-Cache
CDN-CachedAt
X-Ratelimit-Remaining
Eomportal-Instance
X-Adobe-Source
X-ApacheServer
X-Forwarded-Host
X-PERF
X-Hyper-Cache
X-Unique-Id
X-Midtier
X-Platform-Server
X-Cache-Host
X-Xfnlog-Site
X-Shopify-Stage
X-ShopId
X-ShardId
X-Alternate-Cache-Key
X-Sorting-Hat-PodId
X-Sorting-Hat-ShopId
X-ServerID
X-SaId
X-Status
X-Tid
X-Extlb
X-Handled-By
X-Backend-Name
X-Proxied
Webserver
X-JoinUs
X-Hl-Ver
X-NewRelic-App-Data
X-Routing-Service
X-Zipkin-Id
X-Varnishpool
X-PHP-Host
X-Labrador-Cache-Channel
X-Locale
Selected-Fe
X-Proxy-Build
X-Timing-Wait
X-GG-Cache-Date
X-Rule
X-TT-LOGID
X-AWS-Id
X-VWS-Id
X-LJ-Flow-ID
X-Cache-Operation
ServedBy
X-VC-Cache
X-Edge-Location
X-Storefront-Renderer-Rendered
X-LSADC-Cache
X-Cms-Context
X-Accel-Buffering
X-Soup
X-Cache-Remote
X-Proto
SID
X-App-Version
X-Rewrite-Enabled
X-Cached-By
Web-Mar-Node
SRV
X-Dc
Fastly-Drupal-Html
Mime-Version
X-GEO
X-CDN-Forward
X-GeoCode
Onion-Location
Load-Balancing
X-GeoCountry
Xserver
X-Cdn
X-TA-CDN-Provider
X-Pubstack
X-Varnish-Hostname
X-Reqid
Cache-Hits
X-Buckets
Country-Code
X-Microcachable
X-Request-Host
X-Origin-TTL
X-Origin-CC
Decoy-Debug-TTL
LB
X-Ratelimit-Limit
Decoy-Debug-Status
Decoy-Debug-Key
X-Cluster
Server-Info
X-Varnish-Hits
X-Tumblr-Pixel-3
X-Tumblr-Pixel-2
X-MP-GENERATED-AT
X-CSRF-Token
X-Ms-Request-Id
X-Envoy-Decorator-Operation
X-Ms-Version
Xet-Cookie
X-Magnolia-Registration
X-Time
X-Air-Trace-Id
X-Amzn-RequestId
X-Air-Hostname
X-Amz-Apigw-Id
X-Air-Source
X-NCache
X-B3-SpanId
X-RCS-CacheZone
X-SRV
DynaTrace
Cache
X-Bc-Bl
X-Endurance-Cache-Level
DB-Nickname
X-Tx-Id
X-Core-Mission
X-Connection-Hash
Host-ID
X-Ec-Custom-Error
X-Orig-Expires
X-CF-Lambda-Version
X-Forwarded-Path
Pramga
Rendered-Blocks
X-Fetched-On
Expiry
X-Ec-Fail
X-Webstats-RespID
X-External-Request-Id
X-Esi-Check
X-Epic-Correlation-Id
Fastly-GeoIP-CountryCode
X-Node-Id
X-Conf
X-NAPM-TraceId
Fastcgi-X-Cache-Version
X-D
X-Ec-GeoHdr
X-Ig-Push-State
Cdncip
X-Ftr-Request-Id
X-Vtex-Remote-Cache
Cdnsip
NM-Fastcgi-Cache
BehaviorPad-Version
X-Geo-Header
X-Destination
Meta-Geo-Continent
MD5-Digest
Mobile-Detection-Method
X-Developer
X-From
X-Device-Os
A
X-HS-Content-Campaign-Id
Cmstype
DCR-Decision-By
DCR-Processing-Time-Ms
Cmsid
Lang
X-Gzip
X-Tenant
X-Hash
Odigeo-Trace-Id
Xc-Version
X-Cdn-Srv
X-Rocket-Build-Number
X-Sigma
X-Cache-NE
X-Processor
X-SD-PageType
X-Sigma-Backend
X-S
X-TrackingId
X-Rojux
X-Varnish-Beresp-Grace
X-Cache-Info
X-User
X-Session-Fingerprint
X-Cache-Bucket
X-A-Dcw
X-Vtex-Processado-Em
X-Vdms-Path
X-Shop-Environment
X-A-Wwc
X-Vdms-Version
X-Cache-Id
X-A-Dam
X-S-Cookie
Sslversion
X-ScT
X-TIM-N
X-Origin-Response-Time
X-SVT-ORM-RULES
X-A-Ccd
X-CF-Lambda-Fn
X-Application
X-A
X-SVT-ORM-VERSION
X-SRCache-Key
X-AK-Request-ID
X-Aed
X-ARC
X-B-Cookie
T-Server
Surrogated-Key
X-VG-WebCache
X-PAYTM-SRV-ID
X-PBS-Appsvrname
X-A-Dgt
X-R9-Blue-Green-Version
X-Varnish-Ttl
Source
X-ZONE
Cache-Name
X-DPWN-IS-SECURE
Machine
X-Amzn-Remapped-Content-Length
X-Developers
Kp-EeAlive
X-Block-Status
Mail-Subject
X-Dispatcher-Number
L
X-BBC-Edge-Cache-Status
We-Hiring
Producers
X-Core-Value
X-CacheTTL
Platform
Origin-EX
TDXMobile
Release
Req-Svc-Chain
Is-Eu
Server-Host
X-Ckpd-Fst-Backend
Ssr
State
X-Clara-WADP
Thinkindot-CacheControl
Thinkindot-CacheControl-Type
Wxu-Next-Commit
Web-Mar-Region
X-DefHash
Wxu-Next-Hostname
X-Cache-Backend
Wxu-Next-Region
X-DefElseHash
X-Cache-Date
Origin-CC
Thinkindot-Control
Origin
Traceparent
User-Cache-Control
Memcached
X-Has-Esi
X-Origin-Time
X-Origin-Expires
X-VG-TLSProxy
X-Planisys-CDN-Cache
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-VServer
X-WADP-Cache
X-Location
X-Wix-Viewer-Type
X-Loop
X-Mvc-Supplant-Cachable
X-Nyt-Route
X-NodeID
X-Pool
X-Rocket-Nginx-Serving-Static
X-Azure-Ref
X-V-Cache
X-Skip-Cache
X-Slack-Backend
X-Thinkindot-L3
X-TNCMS
X-Server-IP
X-Served-From
X-Varnish-Remaining-TTL
X-SB
X-Scheme
X-Varnish-CookieINHashed-On
X-Variation
X-Varnish-CookieHashed-On
X-Loc
X-Origin
Apple-News-Services-Host
Apple-News-Services-Parsed-Url
Apple-News-Services-Request-Url
X-Gdpr
Apple-News-Services-Handled
AKAMAI
X-Gen-Mode
X-Worker
Adler-Geo
X-GeoIP
CloudFront-Viewer-Country
X-Hnp-Log
X-Is-Gdpr
X-JWT-State
X-LAGOON
X-Fastly-Cache
X-Fmm-Version
Environment
X-Irp-Debug
X-Region-Sid
X-Forwarded-Site
X-Request-URI
X-Sn-Servicetimems
X-Generated-On
X-Branch-Name
X-SIPLIST1
X-Gamma-Serve
X-Via-Ucdn
X-Auto-Login
X-Proxy-Upstream
X-Viewer-Country
X-Via-NSCOPI
X-Httpd
X-HN
X-Eu-Site
X-CGP
X-Level-Front-Cache
X-Minions-Version
X-Csrf-Jwt
X-Datadog-Parent-Id
X-Cdn-Origin
X-Datadog-Sampling-Priority
X-Proxy-Cache-Info
X-Qloud-Router
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
X-Policy
X-Pod-Name
X-GeoIP-City
X-Datadog-Trace-Id
X-Platform
X-VarnishDD-TTL
X-Aicache-OS
Sever-Int
Server-Hostname
Svr
CDN
PFcat
IsBot
Server-Ext
L5d-Success-Class
Locid
Cluster
Redirect-Candidate
Fastcgi-Cache-TTL
HostName
DSUID
NGX
HA-Ipaddr
Ha-Gx-Prefs
Fastly-SWR
X-Srv
CDCHOST
X-Xrds-Location
Gh-Request-Id
X-IPLB-Request-ID
V-Age
N-Cache
Vix-Hermes-Req-Id
Fastly-SIE
X-Tec-Api-Version
X-Tec-Api-Origin
X-Tec-Api-Root
X-RateLimit-Limit-Second
Arc-Country
Ohc-File-Size
X-WP-CF-Super-Cache
X-RateLimit-Remaining-Second
X-Scale
X-Optimistic-Header
X-Men
X-WP-CF-Super-Cache-Cache-Control
X-Refresh
X-Newrelic-Synthetics
X-Old-Content-Length
X-VC
X-EC-Lua
X-Response-By
X-CS
X-Parent-Response-Time
X-Owner
Pics-Label
X-Udemy-Cache-App-Namespace
X-NC
X-Tt-Logid
X-RPM
X-RPS
Env
X-Wikidot-Static-Cache
X-Wikidot-Backend
X-Ah-Environment
X-LB-NoCache
X-DI
X-Ad-Defer-Variation
X-TraceId
X-BCube-Filmed-By
Servername
Datacenter
Candidate-Md5Url
X-DB
X-RSL
X-DW
X-DSS
Ms-Author-Via
AMP-Access-Control-Allow-Source-Origin
GEO-INFO
X-Tb-Optimization-Total-Bytes-Saved
XM
X-RateLimit-Reset
VNS-Cache
X-SplitTest
X-Accel-Expires-Debug
VNS-Age
X-Contensis-Viewer-Groups
X-Mvc-Supplant-OutputCached
Memory
Cache-Key
X-Edge-Pop
X-Date
X-Cache-ASPX
CPC-Age
CPC-Cache
Time
X-Akamai-Transformed
X-Amz-Meta-Cb-Modifiedtime
X-GeoIP-Region-Code
X-WA-Info
X-Generated-In
X-Varnish-Authentication
X-Cache-Status-Check
X-GeoIP-Country-Code
X-TIME
X-Cache-Debug
X-Servedbyhost
X-Via-Poph
Path
Fastly-Backend-Name
X-Via-Popv
X-Micro-Cache
X-Via-Popn
GeoIp-Country-Code
Lb
X-CACHE-KEY
X-S-Maxage
X-HA-Backend
X-API-Version
X-AIR-PT
ITXSESSIONID
Fusion-Source
Geo-Info
X-DC
Ohc-Cache-HIT
Fusion-Template-Id
Fusion-Deployment-Id
Fusion-Content-Id
Fusion-Content-Source
Fusion-Component-Id
CacheControlHeader
X-VCL-Version
Cache-Host
Client
Geoip-Latitude
Server-ID
True-Client-Country-4JS
X-Action
FSS-Cache
X-TH-Server
Ngx.Var.Host
X-Vc
X-VHOST
X-Cs
True-Client-IP
X-Varnish-Beresp-TTL
X-Api-Version
X-Trace-ID
X-Backend-TTL
X-Proxy-CacheRZ
XkeyRZ
X-Presslabs-Stats
X-Clientip
Hostname
X-Fpc
X-Req
Edge-Cache
X-FireWall-Port
X-Webkit-Csp-Report-Only
Powered-By
My-App
X-TX-ID
X-Zone
X-Provided-By
X-PX
X-B3-Spanid
X-Traceid
X-Pass-Why
X-Origin-Upstream-Status
X-Dmc
X-FPC
X-Up
X-MSEdge-Flight
Test
X-MSEdge-Features
NtCoent-Length
X-Varnish-Beresp-Ttl
X-NGINX-Cache
Cf-Int-Pingora-Origin-Digest
X-HS-Status
X-CSRF-TOKEN
X-Render-Time
X-Cdn-Request-ID
X-INCAP-ABP
X-LB-ID
X-Correlation-ID
DataCenter
X-Beluga-Node
X-Beluga-Response-Time
X-Beluga-Status
X-Beluga-Record
User-Agent
X-Webkit-CSP-Report-Only
C-Via
X-Beluga-Trace
X-Beluga-Cache-Status
Rip
Server-Id
OT-Force-Account-Verify
Proxy-Connection
Tube-Got-Results
Click-Count-Error
Click-Count-Action-Start
Tube-Got-Eval
Srvid
Tube-Get-Contents
X-Gateway-Skip-Cache
X-Li-Fabric
X-LI-UUID
X-Service
X-Vcl-Version
X-UnsetCookies
X-Li-Pop
X-Gateway-Cache-Status
Tube-Return
X-Gateway-Request-Id
X-Gateway-Cache-Key
X-TRACE-ID
HIT
X-URL
X-Ha-Backend
GeoIP-Country-Code
X-RAMCache
WZWS-RAY
GeoIP-Latitude
X-Via-PopH
X-ND-Cache
X-Via-PopN
Uri
X-Via-PopV
X-M-Reqid
Esi-Enabled
X-DynaTrace-JS-Agent
X-Time-Microsecs
X-Alfa-Service
X-Dynatrace
On-Server
X-Qnm-Cache
X-M-Log
X-CUA
Sid
X-ServedByHost
Resin-Trace
X-MG-S
MIME-Version
X-Check-Cacheable
X-Akamai-Pragma-Client-IP
X-Platform-Cluster
X-Proxy-Cache-Hk
X-Fetch-By
X-Hcs-Proxy-Type
X-ATG-Version
Tracecode
Target-Params
X-Platform-Processor
Epwk-X-Cache
Srv
X-CCDN-CacheTTL
Cf-Device-Type
X-CCDN-Origin-Time
X-Fragments
X-LI-Proto
X-Platform-Router
X-Geo
X-Cdn-Forward
Cdn
Fastly-Drupal-HTML
X-Var-Ttl
X-Sucuri-ID
X-APP
X-Sucuri-Cache
Lfy
X-Backend-Host
X-FC-Vary-Parameters
X-Fastly-Backend
X-Fastly-Backend-Reqs
Tcn
X-Esi
X-Azure-Ref-OriginShield
ServerName
X-App
X-Lb-Nocache
Section-Io-Origin-Status
X-Varnish-Beresp-Status
Section-Io-Origin-Time-Seconds
Section-Io-Id
XServer
ENV
X-Cache-Expires
Section-Origin-Responded
X-Edge-POP
X-B3-Traceid-Primal
X-Srcache-Fetch-Status
X-Srcache-Store-Status
X-LiteSpeed-Cache-Control
X-Nc
X-ElasticPress-Query
Magicmarker
X-Backend-State
X-Li-Proto
X-Newrelic-App-Data
X-Yottaa-OS
X-NU-AKA-ACS-Version
CF-Cached-On
Inserted-Into-Cache-At
PICS-Label
WebServer
X-Vcache
X-Iplb-Instance
X-Iplb-Request-Id
X-HostName
Wpo-Cache-Status
Wpo-Cache-Message
M-TraceId
X-Edge-Origin-Shield-Bytes
Cf-Ipcountry
X-Edge-Origin-Shield-Region
D-Url-Rewrites
X-Dw-Trace-Id
X-CF-Powered-By
X-Acquia-Application-Trace
Server-Ttl
X-Acquia-Application-UUID
X-Serial
X-Acquia-Purge-Tags
X-Acquia-Site
Servedby
Warning
X-Vercel-Id
X-BBC-Origin-Response-Status
X-Release
True-Client-Ip
X-Fastly-Cache-Hits
X-Vercel-Cache
X-Cache-CFC
X-Dist-Code
X-Wp-Cf-Super-Cache-Cache-Control
X-Wp-Cf-Super-Cache
Fastcgi-Cache-Ttl
X-Request-Url
X-Snapshot-Date
X-Request-Start
Ngx
X-Request-URL
X-Litespeed-Cache-Control
Cneonction
X-Storefront-Renderer-Verified
X-Th-Server
Content-Script-Type
X-B3-Parentspanid
Content-Style-Type
X-Back
X-IN-APIGATEWAY
X-IN-APIGATEWAYSSL
CountryCode