
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
Link
CF-Cache-Status
X-Powered-By
Pragma
ETag
CF-RAY
Expect-CT
X-XSS-Protection
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
P3P
Referrer-Policy
X-Cache-Hits
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Xss-Protection
X-UA-Compatible
X-Served-By
Alt-Svc
X-Varnish
X-Timer
X-Request-Id
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-Check
X-Drupal-Cache
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Permitted-Cross-Domain-Policies
X-Generator
X-Cache-Status
CF-Ray
X-Cacheable
X-DNS-Prefetch-Control
X-Kinja-Server-Push
Timing-Allow-Origin
X-Template
X-Language
X-FRAME-OPTIONS
X-AspNetMvc-Version
X-Ua-Compatible
X-Iinfo
X-Buckets
Status
X-Content-Security-Policy
Content-Encoding
X-Request-ID
Access-Control-Expose-Headers
Upgrade
X-CDN
X-Envoy-Upstream-Service-Time
Access-Control-Max-Age
Keep-Alive
X-Via
X-Drupal-Dynamic-Cache
X-Ws-Request-Id
X-AH-Environment
X-Backend
X-Server
X-Age
X-Turbo-Charged-By
X-Cache-Group
X-Robots-Tag
Feature-Policy
Request-Context
X-Proxy-Cache
Xkey
X-Amz-Request-Id
X-Amz-Id-2
EagleId
X-Page-Speed
X-Hacker
X-UA-Device
X-Server-Powered-By
X-Nginx-Cache-Status
X-Pingback
Grace
Server-Timing
X-Varnish-Cache
X-Swift-CacheTime
X-Swift-SaveTime
P3p
X-LiteSpeed-Cache
Ali-Swift-Global-Savetime
Report-To
X-Amz-Version-Id
X-Server-Id
Cf-Railgun
X-Rq
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-WebKit-CSP
X-Dns-Prefetch-Control
EagleEye-TraceId
X-Origin-Cache
X-OneAgent-JS-Injection
X-Host
Surrogate-Control
X-Device
X-Response-Time
X-Vhost
X-Readtime
X-Ac
X-Cache-Lookup
X-Node
X-Backend-Server
NEL
X-Dispatcher
X-Origin-Upstream-Status
Content-Location
X-HW
Fusion-Source
Fusion-Content-Id
Fusion-Template-Id
Fusion-Content-Source
Fusion-Component-Id
X-Mod-Pagespeed
Request-Id
X-DataDome
X-Application-Context
X-ORACLE-DMS-ECID
X-Akam-SW-Version
Fusion-Deployment-Id
X-ORACLE-DMS-RID
Allow
X-Country
X-Ruxit-JS-Agent
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Cloud-Trace-Context
Accept-CH
Rating
X-Country-Code
X-Cnection
Accept-CH-Lifetime
X-Rack-Cache
Edge-Control
RTSS
X-Url
X-Clacks-Overhead
X-Px
MS-Author-Via
X-Cdn
X-FTR-Request-ID
X-Goog-Hash
X-Vname
X-TtlSet
X-PC
Verso
X-Powered-By-Plesk
Service-Worker-Allowed
Host-Header
X-Varnish-TTL
X-B3-TraceId
X-GoogleNews-Bot
X-Kinja
X-Cdn-Fetch
X-Kinja-Build
X-Exp-Id
X-Exp-Variant
X-Kinja-Server
X-Kinja-Revision
X-Use-Magma
Arr-Disable-Session-Affinity
Public-Key-Pins
X-MS-InvokeApp
X-GitHub-Request-Id
X-Ttl
X-Amz-Server-Side-Encryption
X-Forwarded-Proto
Pagespeed
Display
X-Sol
X-Middleton-Response
Response
X-Middleton-Display
X-Cache-TTL
X-DynaTrace
X-Content-Type
X-D2id
X-NF-Request-ID
X-Amz-Rid
TCN
X-Vcap-Request-Id
X-CST
X-Abt-Application-Version
X-Cached
X-VARITI-CCR
Pinterest-Generated-By
AR-PoweredBy
AR-ATIME
AR-Request-ID
Ar-Sid
AR-CACHE
X-Version
X-Navigation-Version
X-Powered-CMS
X-Upstream
X-Fastly-Request-ID
Cache-Tag
X-ESI
X-Server-Name
X-Debug
X-Grace
X-Instart-Request-ID
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-TEC-API-VERSION
Access-Control-Request-Method
X-XRDS-Location
X-MSEdge-Ref
Charset
Nginx-Cache
Content-MD5
MRF-Tech
Mrf-Cache-Status
X-Mrf-Section-Lastmod
X-Mrf-Item-Lastmod
X-B3-TraceId-Primal
X-Element-Page-Cache
Realpath
X-Accel-Expires
X-DynaTrace-JS-Agent
X-Ezoic-Cdn
X-SRCache-Fetch-Status
X-SRCache-Store-Status
SPIisLatency
SPRequestDuration
X-Oneagent-Js-Injection
X-Shield-Request-Id
X-Pinterest-Rid
Pinterest-Version
X-SharePointHealthScore
S
SPRequestGuid
Accept-Ch
X-Hp-Webp
X-Jurisdiction
X-Pass-Why
X-Amz-Meta-S3cmd-Attrs
X-Recruiting
X-Dw-Request-Base-Id
X-Id
X-Trace
X-Kinsta-Cache
X-T
X-Client-IP
Fastcgi-Cache
X-Content-Digest
X-Node-Name
X-Logged-In
Accept-Ch-Lifetime
X-Cache-Key
X-NWS-LOG-UUID
TP-Cache
TP-L2-Cache
X-Mobile-URL
X-Hostname
X-Cache-Hit
X-Request-Received
X-FastCGI-Cache
X-Request-Processing-Time
Server-Node
X-Frontend
ServerID
X-Cache-Age
X-Amzn-Trace-Id
Fastly-Restarts
Front-End-Https
X-TTL
X-FTR-DC
X-FTR-Cache-Status
X-FTR-Realm
X-FTR-Balancer
X-FTR-Backend-Server
X-FTR-Backend
X-Country-Code-Real
Edge-Cache-Tag
X-Forwarded-For
X-Yandex-Sdch-Disable
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Goog-Generation
X-FTR-Expires
X-GUploader-UploadID
X-Goog-Metageneration
X-Goog-Storage-Class
Server-Name
Powered
PB-RID
PB-PID
Arc-Version
X-Ruxit-Js-Agent
X-Microsite
X-Request-Handler-Origin-Region
X-Revision
X-User-Agent
X-DIS-Request-ID
X-Hits
X-Content-Security-Policy-Report-Only
X-Page-Id
Filters
X-F-Cache
X-Akamai-Edgescape
X-LB-Cache
X-Jobs
X-Zen-Fury
DynaTrace
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-Erf-Bev-Bev-Is-Generated
X-Erf-Bev-Bev
X-ORACLE-APMCS-REQUEST-ID
X-ORACLE-APMCS-TAG
X-Mobile-Rewrite
X-Fastcgi-Cache
X-Origin-Server
X-Content-Powered-By
X-HS-Content-Id
X-HS-Combine-CSS
X-HS-Hub-Id
X-HS-Cache-Config
Alternate-Protocol
X-Geo-Country
Accept-Charset
AMP-Access-Control-Allow-Source-Origin
X-Varnish-Age
X-Correlation-Id
X-Esi
X-N
X-FTR-Cache-Host
X-Daa-Tunnel
X-B
Cache-Tags
X-RateLimit-Remaining
X-Varnish-Backend
X-Rid
X-Type
X-Amz-Replication-Status
Retry-After
X-Varnish-Grace
X-Git-Hash
DC
Section-Io-Cache
X-Content-Options
Surrogate-Key
X-WebKit-CSP-Report-Only
Host
Paypal-Debug-Id
X-FB-Debug
X-App-Environment
X-Server-ID
X-Request-Guid
X-Whom
X-Signature
X-TT
X-Via-JSL
X-B-Cache
X-AppVersion
X-ATS-Timestamp
X-Edge
X-Activity-Id
X-Status
Backend-Timing
X-Az
X-Debug-Info
MicrosoftSharePointTeamServices
X-Ser
Fastcgi-Useragent
Frame-Options
Actual-Object-TTL
X-IPLB-Instance
X-ATG-Version
X-Webkit-CSP
Healthy
Nel
X-Endurance-Cache-Level
X-App-Server
X-HTML-Minification-Powered-By
X-Contextid
Srv
X-AOL-HN
X-Cache-Action
X-Seen-By
X-Amzn-RequestId
X-ECACHE
Refresh
X-B3-Sampled
X-Pinterest-Direct
From-Origin
X-Amz-Apigw-Id
X-Cache-Rule
X-Upgrade-Enabled
X-Response-Served-From
Access-Control-Allow-Method
X-Accel-Buffering
X-RemovedCookies
X-Protected-By
X-Cache-Operation
X-Drupal-Cache-Tags
Content-Disposition
X-ProcessESI
X-Host-Name
X-Tumblr-Pixel-0
X-Cacheable-TTL
X-Is-Bot
X-Rendered-As
VIX-Pulpo-Upstream-Status
VIX-Pulpo-Node
X-Tumblr-Pixel
Odigeo-Trace-Id
X-Instance
X-Tumblr-User
X-MCACHE
X-Environment-Context
X-Mid
X-L-Path
X-Region
X-UUID
X-FW-Hash
X-WA-Info
X-FW-Serve
X-FW-Dynamic
X-FW-Static
Eomportal-Instance
X-FW-Type
X-FW-Server
Datacenter
X-Release
Payment
X-Varnish-Server
X-Rule
X-Cache-Time
X-Adobe-Content
X-Adobe-Loc
X-Litespeed-Cache
MS-CV
Uber-Trace-Id
Source
Countrycode
X-Time
X-Cached-By
X-Proxy
X-Akamai-Request-ID2
X-URL
X-EdgeConnect-Cache-Status
X-Cache-Control
X-Load-Cache
X-UnsetCookies
X-Cache-Server
Xserver
X-Mobile
X-Correlation-ID
X-GeoIP
Cache-Status
X-PHP-Backend
X-Akamai-Transformed
X-SERVER-NAME
X-Yottaa-Metrics
X-Azure-Ref
X-Yottaa-Optimizations
Access-Control-Request-Headers
X-Tt-Trace-Host
Accept-Language
X-NewRelic-App-Data
X-Tt-Trace-Tag
X-Origin-Response-Time
Version
X-Air-Hostname
X-PressLabs-Stats
X-Wix-Request-Id
X-Mode
X-Handled-By
X-NWS-UUID-VERIFY
X-NGENIX-Cache
X-Cache-NGX
Liferay-Portal
X-Cluster
X-Backend-Name
Filterid
X-IPS-LoggedIn
X-Framework
X-APP-VERSION
Server-Info
X-Proxied
Meta-Geo
X-PERF
Load-Balancing
X-Path-Route
X-Locale
X-Routing-Service
X-CCM
X-Cache-Var-Map
X-Zipkin-Id
X-FireWall-Port
X-ES-SERVER
X-LJ-Flow-ID
X-Via-Fastly
X-VWS-Id
X-AWS-Id
X-Cache-Var
NGB
X-ApacheServer
X-Cache-Remote
X-Adobe-Source
X-UPSTREAM-Address
X-RN-RSRV
X-Detected-As
X-Tumblr-Pixel-2
X-Www-Served-By
ServedBy
X-Viewer-Country
X-Tumblr-Pixel-1
X-Site-Version
Mn-Server-Ip
Cache
X-RateLimit-Limit
X-TX-ID
X-VCache
X-MP-GENERATED-AT
X-UA-Device-Type
X-Qloud-Router
Cache-Hits
Decoy-Debug-Key
Cache-Tv-Group
Akamai-GRN
Cache-Name
X-IP
X-Section
X-Web-Node
X-PCL
X-OCL
X-SayCDN-TTL
X-Say-TTL
X-Real-IP
X-Pubstack
X-Redis-Cache
X-Say-Cacheable
X-R9-Blue-Green-Version
X-Info
Section-Io-Origin-Status
Section-Io-Id
DSUID
Decoy-Debug-TTL
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
X-Human
X-Format
X-Cache-Status-Check
X-Access
X-Storage
Decoy-Debug-Status
TWC-Privacy
TWC-GeoIP-LatLong
X-NCache
Webcakes-App-Name
Webcakes-Region
Webcakes-App-Version
TWC-GeoIP-Country
TWC-Device-Class
S-Rt
Property-Id
X-Sorting-Hat-ShopId
X-Sorting-Hat-PodId
TWC-Connection-Speed
X-Shopify-Stage
X-Labrador-Cache-Channel
X-PHP-Host
X-EIG-Tracking-Id
X-Origin-Hint
X-FW-Version
X-Hosted-By
X-Cache-Host
X-Cache-Enabled
X-Alternate-Cache-Key
X-ShopId
X-ShardId
X-Bc-Bl
X-Cache-Config
Now
TWC-Locale-Group
Fastly-SSL
Cross-Origin-Window-Policy
X-Varnish-Cache-Hits
X-CSRF-Token
X-Unique-Id
Cleartype
X-BYPASS-REASON
Webserver
X-BCube-Filmed-By
X-ProxyCache-Status
X-CS
X-From
X-NYM-Debug-Backend
X-Origin
X-FC-Vary-Parameters
X-Device-Type
X-FB-TRIP-ID
X-ProxyCache-Key
X-ServerID
X-Ua
X-Time-Microsecs
X-Amzn-Remapped-Content-Length
DB-Nickname
X-Loop
X-Generated
X-TNCMS
X-Content-Age
X-RTag
Ms-Operation-Id
Origin-Cache-Control
X-Hyper-Cache
X-No-Session
X-Timing-Wait
X-Presslabs-Stats
Ec-Rule-Version
Azure-InstanceId
X-Proxy-Build
X-SaId
Azure-Version
X-Hl-Ver
Selected-Fe
Azure-SlotName
Azure-SiteName
X-XRDS-LOCATION
X-JoinUs
Azure-RegionName
Apigw-Requestid
X-Cache-2
X-Geo
X-Drupal-Cache-Contexts
X-Vcache
X-Cache-TTL-Remaining
Origin-Edge-Control
X-Urbn-Site-Id
X-Urbn-Context-Path
X-Xfnlog-Site
Locale
Time
X-Goog-Meta-Goog-Reserved-File-Mtime
SD-X-WS
X-RequestSource
Country
X-EC-Lua
X-Pad
X-Source
X-Old-Content-Length
User-Agent
X-Varnish-Hostname
X-Cluster-Node
Geo-Info
X-Debug-Cache
X-CDN-Forward
Upgrade-Insecure-Requests
X-Soup
X-Backend-TTL
X-Cache-NE
X-Akamai-Request-ID
X-SRV
X-RCS-CacheZone
X-Parent-Response-Time
X-Proto
X-Tb
X-Cache-Backend
FilterID
X-Storefront-Renderer-Rendered
X-App-Version
Proxy-Connection
X-NC
X-Cache-PHP
X-TA-CDN-Provider
X-Cache-Grace
X-DC
Cache-Key
X-FORWARDED-FOR
X-Origin-TTL
X-Origin-CC
X-Forwarded-Host
Meta-Geo-Continent
ServerName
Rendered-Blocks
N-Cache
T-Server
Mobile-Detection-Method
True-Client-Country-4JS
VivaBuild
Who
X-A
X-Trv-Group
X-Twitter-Response-Tags
MD5-Digest
UCS
X-Vdms-Path
X-VG-WebCache
X-Vtex-Processado-Em
BehaviorPad-Version
Content-Script-Type
AsisCache
Arc-Country
Xc-Version
X-Vtex-Remote-Cache
X-App
Content-Style-Type
Fastcgi-X-Cache-Version
GEO-REGION-INFO
IsBot
M-TraceId
X-Vdms-Version
FNAC-ModuleRouting
X-VG-WebServer
X-A-Ccd
Machine
X-Accel-Expires-Debug
X-Developer
X-Rewrite-Enabled
X-DevSite-Last-Modified
X-Response-By
X-Destination
X-Date
X-Rojux
X-Connection-Hash
X-D
X-Region-Sid
X-Processor
X-Nginx-Cache-Key
X-Method
X-Geo-Header
X-NodeID
X-PAYTM-SRV-ID
X-Dispatch
X-External-Request-Id
X-G
X-S
X-CF-Lambda-Version
X-Trace-Id
X-Swa-Ws
X-SRCache-Key
X-Aed
X-Transaction
X-A-Dcw
X-A-Dgt
X-A-Wwc
X-Application
X-SIPLIST1
X-Scheme
X-S-Cookie
X-CF-Lambda-Fn
X-ScT
X-B-Cookie
X-Session-Fingerprint
X-ARC
X-SD-PageType
X-A-Dam
Viewtype
X-Proxy-Cache-Status
X-AIR-PT
X-Uri
LB
X-Tumblr-Pixel-3
User-Cache-Control
Server-Host
Server-Ext
X-LAGOON
X-RateLimit-Limit-Second
Server-Hostname
X-RateLimit-Remaining-Second
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
X-Hnp-Log
Sever-Int
X-Owner
X-Level-Front-Cache
NM-Fastcgi-Cache
X-Logging-Id
X-Matched-Rule
X-Micro-Cache
On-Server
Magicmarker
RNT-Time
RNT-Machine
Thinkindot-Control
X-Loc
X-Node-Id
Vix-Hermes-Req-Id
X-Block-Status
X-Cache-Bucket
X-Backend-State
X-Developers
X-Device-Os
X-Cache-FS-Status
X-Cache-Info
X-Clara-WADP
X-Cms-Context
X-Cache-URL
X-Compress-Hint
X-Dispatcher-Server
X-Agile-Id
X-Generated-On
Wxu-Next-Commit
Web-Mar-Node
Kp-EeAlive
X-Generation-Time
Wxu-Next-Hostname
Wxu-Next-Region
X-Agile-Age
X-Agile
X-Fmm-Version
X-Gen-Mode
V-Age
NGX
X-Thinkindot-L3
CacheControlHeader
Apple-News-Services-Handled
Apple-News-Services-Host
X-WADP-Cache
X-ServiceProvider
X-Magnolia-Registration
X-VC-Cache
X-Varnish-Cacheable
X-Skip-Cache
AKAMAI
CDCHOST
Cache-Cookie-Set-Lfrom
X-Servername
X-Worker
Cache-Cookie-Set-Idcheck
Referer-Policy
X-User
X-Wikidot-Static-Cache
Apple-News-Services-Parsed-Url
X-Wikidot-Backend
X-Req
Cache-Cookie-Set-From
Apple-News-Services-Request-Url
X-Newrelic-Synthetics
OT-Force-Account-Verify
X-Generated-In
X-Variation
We-Hiring
Adler-Geo
W
X-VServer
X-Core-Value
X-Bip
X-BBXSRF
X-Cache-Id
X-Key
X-Edge-Location
X-SVT-ORM-VERSION
X-SVT-ORM-RULES
X-Webstats-RespID
X-We-Are-Hiring
Viewport
X-VG-TLSProxy
X-Esi-Check
X-Epic-Correlation-Id
X-Envoy-Decorator-Operation
Node
X-Distributor
X-Fastly-Cache
X-Has-Esi
Fastly-SIE
Fastly-SWR
X-Var-Ttl
X-Location
Platform
Pagetype
Mail-Subject
X-Server-W
X-Rebelmouse-Surrogate-Control
Is-Eu
X-Rebelmouse-Cache-Control
X-Reqid
X-Request-UUID
X-Policy
Release
Fastly-Drupal-HTML
X-TH-Server
X-SN
X-Thanos
X-Is-Gdpr
X-Gzip
X-Hash
X-Slack-Backend
X-JWT-State
X-Hit
Sid
X-LI-UUID
X-LI-Proto
X-TrackingId
X-Request-Host
X-GoCache-CacheStatus
Pragrma
X-Clientip
X-Cluster-Name
X-Reboot
X-Contensis-Viewer-Groups
X-Core-Mission
X-NU-AKA-ACS-Version
X-Mvc-Supplant-Cachable
X-Varnish-Authentication
X-Distil-CS
X-Origin-Date
X-Eu-Site
X-CGP
X-Li-Pop
X-Origin-Expires
X-Irp-Debug
X-Li-Fabric
L5d-Success-Class
Memcached
Rt-Fastcgi-Cache
X-Auto-Login
Ha-Gx-Prefs
Gh-Request-Id
X-Varnish-Beresp-Grace
X-Varnish-Beresp-Status
X-Varnish-Beresp-Ttl
C-Via
X-Backend-Host
HA-Ipaddr
X-Cache-Tags
X-Cache-ASPX
X-Dc
X-Nc
X-Srv
X-COUNTRY
GEO-INFO
X-Configured-By
X-Cache-Debug
X-Wa
MIME-Version
S-Cnection
X-BC
X-Branch-Name
X-Be
X-ZONE
Cf-Ipcountry
X-Up
X-Instart-Info
X-Varnish-URL
Fastly-Backend-Name
X-Refresh
X-UA
X-Microcachable
HostName
X-Via-CDN
X-Via-PopH
X-Servedbyhost
X-Via-PopV
X-Envoy-Upstream-Healthchecked-Cluster
X-Minions-Version
X-Platform-Server
X-Batcache
X-Ua-Device
X-Ms-Request-Id
CACHE
X-TIME
X-TT-TIMESTAMP
X-ElasticPress-Query
X-Ms-Version
X-B3-Traceid
X-Cdn-Forward
X-Nginx-Cache
X-MSEdge-Flight
X-MSEdge-Features
Memory
X-Aicache-OS
X-Mvc-Supplant-OutputCached
X-Vgn-Hpd-Reason
X-ND-Cache
Esi-Enabled
X-VCL-Version
NR-ENABLED
WPE-Backend
X-Sucuri-ID
NtCoent-Length
L
X-Debug-Panamera-Host
DCR-Processing-Time-Ms
Server-ID
X-App-Name
DCR-Decision-By
X-Debug-Panamera-Sitecode
X-Client-Ip
Powered-By-ChinaCache
Cache-Host
X-Fastly-Cache-Status
Pramga
X-FPC
X-Pjax-Url
X-Server-IP
X-GEO
X-Zone
X-Bc
X-BE
Hostname
X-PF-Uncompressing
GeoIP-Country-Code
X-Svr
X-Oss-Server-Time
X-Oss-Hash-Crc64ecma
X-CF-Powered-By
Ohc-File-Size
Location
X-Cdn-Srv
X-Oss-Object-Type
X-Oss-Request-Id
X-Oss-Storage-Class
X-Varnishpool
FSS-Cache
X-BACKEND-TTL
HitType
X-Ratelimit-Reset
GeoIP-Latitude
X-Generated-By
Server-Cache-Control
Server-Surrogate-Control
X-Unique-ID
X-S-Maxage
X-Sucuri-Cache
Ohc-Response-Time
Tracecode
Resin-Trace
X-Check-Cacheable
X-LB-ID
X-Azure-Ref-OriginShield
X-Rocket-Nginx-Bypass
X-Original-Request-Id
X-Varnish-Ttl
X-VarnishDD-TTL
PFcat
X-OVcl
X-OVcl-Cache
X-VCT
Cteonnt-Length
X-Instart-Isnd
X-Fastly-Backend-Reqs
X-Fastly-Country-Code
X-CSRF-TOKEN
Request-EU
Cdn-Host
Cdn-Request-Time
X-Edge-Server
X-Vgn-Hpd-Cached
X-PJAX-URL
Request-Country
X-Vgn-Hpd-Variations-Key
Locid
Heartbleed
X-Vgn-Hpd-Ssi
X-VHOST
X-Varnish-Hits
Geoip-Latitude
X-Fpc
X-Cache-Expired-At
X-Platform
X-HS-Status
X-Request-URI
X-Render-Time
GeoIp-Country-Code
X-Newrelic-App-Data
CF-Cached-On
X-CUA
Lfy
SRV
Amp-Access-Control-Allow-Source-Origin
X-Pf-Uncompressing
Epwk-X-Cache
X-Ratelimit-Remaining
Pics-Label
X-Vcl-Version
X-Gamma-Serve
X-CLOUD-TRACE-CONTEXT
SN
X-CACHE-AGE
X-Oracle-Dms-Rid
XServer
X-Shopify-Generated-Cart-Token
X-ECache
WWW-Authenticate
X-RunCloud-Cache
X-WebServer
Backend-Name
X-NGINX-Cache
X-CACHE-KEY
X-StackifyID
X-Varnish-Url
X-ServedByHost
WZWS-RAY
URI
Product
X-Ratelimit-Limit
X-Proxy-Upstream
Backend
X-Amzn-Remapped-Connection
X-Amzn-Remapped-Date
X-Ftr-Cache-Host
X-Tec-Api-Root
X-Via-Popv
X-Cdn-Origin
X-Fetched-On
X-Tec-Api-Origin
My-App
X-Csrf-Jwt
X-Tec-Api-Version
X-Sn-Servicetimems
Lb
CloudFront-Viewer-Country
X-Oss-Cdn-Auth
X-Via-Poph
Mime-Version
X-Request-Time
X-Debug-Cache-Fetch
X-Sigma-Backend
X-Debug-Cache-Store
X-Rocket-Build-Number
X-Sigma
A
X-GeoIP-Country-Code
X-Nananana
X-Debug-Xas-Auth
X-Debug-Cache-Bypass
X-Debug-Cache-Status
X-Debug-Cache-String
SID
Cloudfront-Viewer-Country
PICS-Label
X-B3-SpanId
Host-ID
Dt-Cache-Category
X-Tb-Optimization-Total-Bytes-Saved
X-B3-Spanid
X-Cache-Tag
Ohc-Cache-HIT
X-Debug-Ysi-Auth
X-Debug-Do-Not-Cache-Uri
Server-Ttl
CF-IPCountry
X-LiteSpeed-Cache-Control
X-Cache-Version
X-Apw-Access-Token
X-Apw-Access-Object
X-Apw-Hits
X-Varnish-Beresp-TTL
X-Request-Start
X-DPWN-IS-SECURE
X-Apw-Access-Action
X-Acquia-Purge-Tags
X-WA
X-Acquia-Site
Proxy-Firewall
Cneonction
X-Acquia-Application-Trace
X-Acquia-Application-UUID
X-APP
Inserted-Into-Cache-At
Dnion-Transfer-Encoding
Warning
FSS-Proxy
X-Snapshot-Date
X-WR-MODIFICATION
X-Html-Edge-Cache
Cf-Alt-Svc
X-Dw-Trace-Id
X-SB
X-VC
X-Request-URL
X-Served-From
X-Swift-Error
Cdn
X-ElasticPress-Search
Group