
SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
Alt-Svc
X-UA-Compatible
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-FRAME-OPTIONS
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Cacheable
X-Check
Timing-Allow-Origin
X-Request-ID
P3p
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CONTENT-TYPE-OPTIONS
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
Keep-Alive
Request-Context
EagleId
X-Age
X-Robots-Tag
X-Server
X-Dns-Prefetch-Control
X-AH-Environment
X-UA-Device
Host-Header
X-Amz-Request-Id
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
X-Rq
Grace
X-Akamai-Path-Stats
X-Swift-CacheTime
X-Swift-SaveTime
X-Server-Powered-By
X-Varnish-Cache
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Ua-Compatible
X-Dispatcher
CONTENT-SECURITY-POLICY
EagleEye-TraceId
X-WebKit-CSP
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Nginx-Cache-Status
Allow
X-Device
X-OneAgent-JS-Injection
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-Pingback
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
Surrogate-Control
Request-Id
X-Backend-Server
Accept-CH
X-Akam-SW-Version
X-Readtime
Cf-Edge-Cache
X-Cache-Lookup
X-Response-Time
X-HW
Xkey
X-Application-Context
Content-Location
X-ASPNET-VERSION
Accept-CH-Lifetime
Rating
X-Cloud-Trace-Context
X-Url
X-Trace
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
Accept-Ch-Lifetime
Fastly-Restarts
X-Country
X-Mod-Pagespeed
X-MS-InvokeApp
X-TtlSet
X-Vname
X-PC
X-Rack-Cache
X-Ruxit-JS-Agent
X-Server-Name
X-Clacks-Overhead
Edge-Control
RTSS
X-Varnish-TTL
X-ESI
X-VARITI-CCR
X-Content-Type
X-B3-TraceId
Cache-Tag
X-Vcap-Request-Id
Accept-Ch
X-Cdn-Fetch
X-GoogleNews-Bot
X-Kinja-Build
X-Kinja-Revision
X-Exp-Id
X-Use-Magma
X-Kinja
X-Kinja-Server
X-Exp-Variant
X-Amz-Rid
X-Amz-Server-Side-Encryption
Public-Key-Pins
X-Dw-Request-Base-Id
X-Cnection
X-Px
X-Ac
X-D2id
X-Element-Page-Cache
Verso
X-Navigation-Version
X-RateLimit-Remaining
X-Abt-Application-Version
X-Client-IP
X-Powered-By-Plesk
X-Cache-TTL
X-Edge
Display
Pagespeed
X-Middleton-Display
X-Sol
X-Ser
X-FastCGI-Cache
Service-Worker-Allowed
X-Version
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
X-Country-Code
X-Ruxit-Js-Agent
X-Middleton-Response
Response
X-NF-Request-ID
Access-Control-Request-Method
X-Correlation-Id
X-Goog-Hash
X-Ttl
X-Kinsta-Cache
SPRequestDuration
SPIisLatency
AR-CACHE
AR-ATIME
AR-PoweredBy
AR-Request-ID
AR-SID
X-Edge-Location-Klb
X-Upstream
X-Webkit-Csp
X-NWS-LOG-UUID
X-TTL
X-LLID
X-Cached
X-Powered-CMS
X-Instrumentation
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
Edge-Cache-Tag
SPRequestGuid
X-SharePointHealthScore
Nginx-Cache
X-RateLimit-Limit
X-Content-Security-Policy-Report-Only
X-Cache-Key
X-Forwarded-For
X-Litespeed-Cache
Content-MD5
X-MSEdge-Ref
TCN
MRF-Tech
Mrf-Cache-Status
X-Shield-Request-Id
MS-Author-Via
X-Daa-Tunnel
X-B3-TraceId-Primal
X-Id
X-T
X-Recruiting
S
X-Content-Digest
X-TEC-API-VERSION
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-Mg-S
X-DataDome
X-Ua-Device
X-Protected-By
X-HP-Webp
X-Jurisdiction
X-HP-Trace-Id
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-HS-Content-Id
X-HS-Hub-Id
X-Accel-Expires
X-Ezoic-Cdn
X-HS-Cache-Config
X-HS-Combine-CSS
X-Content
X-Ua-Browser
X-Frontend
X-Ab
MicrosoftSharePointTeamServices
Server-Node
X-Grace
X-ECACHE
X-Request-Received
X-Request-Processing-Time
X-Yandex-Sdch-Disable
Front-End-Https
Filters
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
X-PressLabs-Stats
X-Mid
X-Server-ID
Fastcgi-Cache
X-DynaTrace
X-Geo-Country
TP-L2-Cache
TP-Cache
X-Origin-Server
X-Hits
X-Distributor
X-Ratelimit-Reset
X-Debug-Info
X-Amzn-Trace-Id
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-WebKit-CSP-Report-Only
Charset
Host
X-Page-Id
Cleartype
X-DIS-Request-ID
X-Git-Hash
X-F-Cache
X-Pinterest-Rid
Pinterest-Version
Pinterest-Generated-By
Cross-Origin-Opener-Policy
X-Microsite
X-Request-Handler-Origin-Region
X-B3-Sampled
X-LB-Cache
X-Www-Served-By
X-Forwarded-Proto
ServerID
Access-Control-Allow-Method
X-Cache-Age
X-Seen-By
Cache-Tags
X-Az
Cache-Status
X-AppVersion
X-Activity-Id
X-Varnish-Age
Accept-Charset
X-Cluster-Name
X-Language
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
Realpath
Filterid
X-Aspnetmvc-Version
X-MCACHE
Server-Name
X-Rid
X-Type
X-Content-Options
X-Nginx-Upstream-Cache-Status
X-App-Environment
X-Varnish-Grace
Viewport
Node
Country
X-Tb
X-Mobile-URL
X-NWS-UUID-VERIFY
X-User-Agent
X-XRDS-LOCATION
X-Origin-Cache
Retry-After
X-Upgrade-Enabled
X-Request-Guid
X-Drupal-Cache-Tags
X-Flags
X-Aspnet-Duration-Ms
Paypal-Debug-Id
DC
X-Providence-Cookie
X-Route-Name
X-Signature
X-FB-Debug
X-B-Cache
X-Wix-Request-Id
X-Whom
X-Is-Crawler
X-TT
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Varnish-Backend
X-Oracle-Dms-Ecid
Protected
X-VCache
X-Goog-Generation
X-Goog-Metageneration
X-Goog-Storage-Class
X-GUploader-UploadID
X-Fastly-Request-Id
X-Oracle-Dms-Rid
Fastcgi-Useragent
X-Via-JSL
X-Oneagent-Js-Injection
X-B
X-N
X-Cache-NGX
X-Amz-Replication-Status
X-Debug
Payment
X-Contextid
X-Logged-In
X-Fastly-Request-ID
X-Fastcgi-Cache
X-Load-Cache
WPO-Cache-Message
WPO-Cache-Status
X-Template
X-Mcache
X-XRDS-Location
Surrogate-Key
X-FW-Type
X-FW-Serve
X-FW-Static
X-FW-Hash
X-FW-Dynamic
X-FW-Server
X-Cache-Control
X-Amz-Meta-S3cmd-Attrs
Count-Hit
X-Trace-Id
X-Node-Name
Amp-Access-Control-Allow-Source-Origin
Healthy
X-Browser-Type
X-Erf-Bev-Bev-Is-Generated
X-Erf-Bev-Bev
X-Original-Request-Id
X-Response-Served-From
SD-X-WS
Permissions-Policy
X-Proxy
Akamai-GRN
Refresh
X-Cache-Time
X-UUID
X-Revision
X-Jobs
X-Hostname
X-G
X-Zen-Fury
X-Real-IP
X-Akamai-Request-ID2
X-Rendered-As
Content-Disposition
X-Is-Bot
X-Adobe-Content
X-Adobe-Loc
X-Mobile
X-Cache-TTL-Remaining
X-Page-View
X-Framework
X-Cacheable-TTL
Alternate-Protocol
X-Http-Reason
Uber-Trace-Id
X-Debug-IsPreview
X-Proxy-Cache-Status
X-Debug-IsConnected
X-Instance
VIX-Pulpo-Node
NGB
X-Drupal-Cache-Contexts
VIX-Pulpo-Upstream-Status
X-Device-Type
X-Yottaa-Optimizations
Access-Control-Request-Headers
X-Yottaa-Metrics
X-IPLB-Instance
Url
X-Servername
X-Source
Version
From-Origin
X-COUNTRY
X-Cache-Grace
X-ECache
X-Cache-Rule
X-Varnish-Server
X-Vgn-Hpd-Reason
X-B3-Traceid
X-Parallel-Accel
X-Restarts
X-L-Path
X-NGENIX-Cache
X-Environment-Context
X-Mg-Request-UUID
X-EdgeConnect-Cache-Status
Accept-Language
X-Cache-Hit
X-Cache-Expired-At
Countrycode
Referer-Policy
MS-CV
X-RTag
Ms-Operation-Id
X-App-Server
X-HTML-Minification-Powered-By
X-Ratelimit-Remaining
Frame-Options
X-FW-Version
X-NYM-Debug-Backend
Cross-Origin-Window-Policy
Liferay-Portal
X-Tumblr-Pixel-0
X-IPS-LoggedIn
X-Tumblr-Pixel-1
X-Tumblr-User
Backend
X-Tumblr-Pixel
X-Cache-Action
X-RemovedCookies
X-ProcessESI
X-APP-VERSION
Content-Secure-Policy
CF-IPCountry
WP-Super-Cache
Section-Io-Cache
X-RN-RSRV
X-Redis-Cache
Meta-Geo
X-Cache-Server
X-UPSTREAM-Address
X-Nginx-Cache
Upgrade-Insecure-Requests
X-Section
X-PCL
X-Format
X-Ua
X-Hosted-By
Ec-Rule-Version
Cache-Tv-Group
X-OCL
X-Detected-As
X-Cache-Enabled
X-No-Session
X-Generation-Time
X-Access
X-FB-TRIP-ID
TWC-GeoIP-LatLong
TWC-GeoIP-Country
TWC-Device-Class
TWC-Connection-Speed
TWC-Locale-Group
Webcakes-App-Version
X-Mode
Webcakes-App-Name
TWC-Privacy
Webcakes-Region
X-Akamai-Edgescape
Locale
X-Cluster-Node
X-Be
Apigw-Requestid
X-Origin-Date
X-Generated-By
X-Origin-Hint
X-Content-Age
X-PHP-Backend
Property-Id
Mn-Server-Ip
Fastly-SSL
S-Rt
X-Server-W
X-SayCDN-TTL
X-Say-TTL
Azure-SlotName
Azure-SiteName
X-Datadome
Azure-RegionName
X-Sql-Duration-Ms
X-Say-Cacheable
X-Human
X-Sql-Count
X-AOL-HN
X-Hyper-Cache
X-Request-Time
X-Region
X-UA-Device-Type
Azure-Version
Azure-InstanceId
X-Uri
X-Urbn-Site-Id
X-Urbn-Context-Path
X-Via-Fastly
X-Varnish-Cache-Hits
X-Web-Node
X-Adobe-Source
X-Debug-Cache
X-BYPASS-REASON
X-Cache-Tags
X-Content-Powered-By
CDN-Uid
X-Cache-Host
CDN-PullZone
CDN-RequestCountryCode
CDN-EdgeStorageId
CDN-CachedAt
CDN-Cache
X-Nginx-Cache-Key
CDN-RequestId
X-ProxyCache-Key
X-ProxyCache-Status
X-PERF
X-Xfnlog-Site
X-ApacheServer
X-Storage
Eomportal-Instance
X-Site-Version
X-Status
X-Platform-Server
X-Tid
X-Zipkin-Id
X-Varnishpool
X-Backend-Name
X-TT-LOGID
X-Unique-Id
X-Extlb
X-Proxied
X-SaId
X-Cache-Type
X-ServerID
X-JoinUs
X-Routing-Service
X-Forwarded-Host
X-Handled-By
X-Hl-Ver
X-ShopId
X-Alternate-Cache-Key
X-Sorting-Hat-PodId
X-Shopify-Stage
X-Rule
X-Sorting-Hat-ShopId
X-ShardId
X-Webkit-CSP
X-Proxy-Build
X-Timing-Wait
X-Midtier
X-NewRelic-App-Data
Selected-Fe
X-GG-Cache-Date
X-Labrador-Cache-Channel
X-PHP-Host
X-Locale
ServedBy
X-LJ-Flow-ID
X-VWS-Id
X-AWS-Id
X-Dc
Webserver
X-VC-Cache
X-Accel-Buffering
X-Cache-Operation
X-LSADC-Cache
X-Cache-Remote
X-Rewrite-Enabled
X-Edge-Location
X-Ratelimit-Limit
X-Proto
X-Cms-Context
Fastly-Drupal-Html
Web-Mar-Node
SRV
X-Soup
Mime-Version
X-CDN-Forward
X-Storefront-Renderer-Rendered
SID
X-TA-CDN-Provider
X-Cached-By
Xserver
X-Pubstack
X-GEO
X-Reqid
X-Buckets
Onion-Location
X-Varnish-Hostname
X-App-Version
Load-Balancing
X-GeoCode
X-GeoCountry
Country-Code
X-Request-Host
X-Cdn
X-Microcachable
X-Origin-CC
X-Origin-TTL
Cache-Hits
Decoy-Debug-TTL
Decoy-Debug-Status
LB
Decoy-Debug-Key
X-Cluster
Server-Info
X-Varnish-Hits
X-Tumblr-Pixel-2
X-MP-GENERATED-AT
X-Tumblr-Pixel-3
X-Ms-Version
X-Ms-Request-Id
Xet-Cookie
X-SRV
X-Magnolia-Registration
X-Envoy-Decorator-Operation
X-CSRF-Token
X-Air-Source
X-NCache
X-Air-Hostname
X-Air-Trace-Id
X-Amz-Apigw-Id
X-Amzn-RequestId
X-Time
X-Bc-Bl
DynaTrace
X-B3-SpanId
DB-Nickname
X-Endurance-Cache-Level
X-RCS-CacheZone
A
X-Vdms-Path
DCR-Decision-By
X-HS-Content-Campaign-Id
X-Ig-Push-State
DCR-Processing-Time-Ms
X-Hash
X-Gzip
X-CF-Lambda-Version
X-Conf
X-Connection-Hash
X-Vdms-Version
X-Forwarded-Path
X-Ec-GeoHdr
X-Epic-Correlation-Id
X-Esi-Check
X-VG-WebCache
X-Ec-Fail
X-Cdn-Srv
X-Developer
X-CF-Lambda-Fn
BehaviorPad-Version
X-D
X-External-Request-Id
X-Cache-NE
X-Cache-Bucket
X-Geo-Header
Cmsid
Source
X-Cache-Id
X-Ftr-Request-Id
Cdncip
Cdnsip
X-Destination
X-From
Cmstype
X-Webstats-RespID
Rendered-Blocks
X-NAPM-TraceId
X-TIM-N
NM-Fastcgi-Cache
T-Server
Mobile-Detection-Method
Meta-Geo-Continent
X-A
X-Orig-Expires
X-PAYTM-SRV-ID
X-PBS-Appsvrname
Surrogated-Key
X-Tenant
X-SRCache-Key
X-R9-Blue-Green-Version
X-Processor
Pramga
X-Rojux
X-S-Cookie
X-ScT
X-SD-PageType
Odigeo-Trace-Id
X-Shop-Environment
Cache-Name
X-Session-Fingerprint
X-S
X-A-Ccd
X-Vtex-Remote-Cache
X-A-Dam
X-User
X-AK-Request-ID
X-Application
X-ARC
Sslversion
X-B-Cookie
Fastcgi-X-Cache-Version
X-Aed
Xc-Version
X-TrackingId
X-A-Dcw
Expiry
Lang
X-Varnish-Beresp-Grace
X-Vtex-Processado-Em
X-A-Wwc
X-A-Dgt
Host-ID
X-Origin-Response-Time
X-Tx-Id
X-Azure-Ref
Cache
Apple-News-Services-Host
Apple-News-Services-Handled
Server-Host
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
Wxu-Next-Hostname
Is-Eu
Machine
Mail-Subject
X-Amzn-Remapped-Content-Length
X-Cache-Backend
X-Block-Status
AKAMAI
Memcached
Wxu-Next-Region
User-Cache-Control
Platform
We-Hiring
Web-Mar-Region
Environment
Wxu-Next-Commit
Producers
X-Varnish-Remaining-TTL
State
X-Node-Id
X-LAGOON
X-Rocket-Build-Number
X-Sigma-Backend
X-Sigma
X-Fetched-On
X-Ec-Custom-Error
X-JWT-State
X-Cache-Info
X-Core-Mission
X-Device-Os
X-TNCMS
X-SVT-ORM-RULES
X-SVT-ORM-VERSION
X-Planisys-CDN-TTL
X-Mvc-Supplant-Cachable
X-Planisys-CDN-Rules
X-Planisys-CDN-Cache
X-Origin-Expires
X-Origin-Time
X-SB
X-NodeID
X-Loop
X-Location
X-Slack-Backend
X-Server-IP
X-Scheme
MD5-Digest
Fastly-GeoIP-CountryCode
X-Fastly-Cache
CDN
X-Fmm-Version
X-Gdpr
X-GeoIP
X-Gen-Mode
X-DPWN-IS-SECURE
X-Developers
X-Clara-WADP
X-Ckpd-Fst-Backend
X-Core-Value
X-DefElseHash
X-DefHash
X-Nyt-Route
X-Origin
X-Wix-Viewer-Type
X-Variation
X-V-Cache
X-Is-Gdpr
X-Worker
X-Varnish-CookieHashed-On
X-WADP-Cache
X-Has-Esi
X-Varnish-CookieINHashed-On
X-Hnp-Log
X-VG-TLSProxy
X-Irp-Debug
Adler-Geo
X-ZONE
X-Varnish-Ttl
X-Datadog-Trace-Id
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
L
Kp-EeAlive
X-Viewer-Country
CloudFront-Viewer-Country
Origin
X-Via-NSCOPI
Origin-CC
Ssr
CDCHOST
TDXMobile
X-CGP
X-Httpd
X-Csrf-Jwt
Origin-EX
Release
X-VarnishDD-TTL
X-Eu-Site
X-Platform
X-Gamma-Serve
X-Pod-Name
X-Generated-On
X-GeoIP-City
X-HN
X-Level-Front-Cache
X-Minions-Version
X-Policy
X-Proxy-Cache-Info
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
Thinkindot-CacheControl
X-RateLimit-Remaining-Second
X-RateLimit-Limit-Second
X-Proxy-Upstream
X-Forwarded-Site
X-Qloud-Router
X-Request-URI
Req-Svc-Chain
Gh-Request-Id
X-Dispatcher-Number
X-Loc
PFcat
Vix-Hermes-Req-Id
X-Thinkindot-L3
V-Age
X-Aicache-OS
Ha-Gx-Prefs
X-Skip-Cache
L5d-Success-Class
X-Rocket-Nginx-Serving-Static
X-Pool
HA-Ipaddr
X-Served-From
N-Cache
Thinkindot-CacheControl-Type
Locid
X-VServer
X-Branch-Name
X-CacheTTL
Redirect-Candidate
Thinkindot-Control
Cluster
Svr
X-BBC-Edge-Cache-Status
Traceparent
Fastcgi-Cache-TTL
X-Auto-Login
Fastly-SIE
Fastly-SWR
X-Men
X-SIPLIST1
HostName
X-Via-Ucdn
X-IPLB-Request-ID
X-Optimistic-Header
X-Sn-Servicetimems
Server-Hostname
Server-Ext
NGX
Sever-Int
X-Region-Sid
IsBot
DSUID
X-Cdn-Origin
X-Scale
X-EC-Lua
Arc-Country
X-Cache-Date
X-Tec-Api-Version
X-Tec-Api-Origin
X-Tec-Api-Root
X-TraceId
X-NC
X-Owner
X-Response-By
AMP-Access-Control-Allow-Source-Origin
X-WP-CF-Super-Cache
X-Old-Content-Length
X-WP-CF-Super-Cache-Cache-Control
X-Refresh
Ohc-File-Size
Pics-Label
X-Srv
Time
X-DW
X-Parent-Response-Time
X-RSL
X-RPM
X-RPS
X-CS
X-DI
X-DSS
X-Tb-Optimization-Total-Bytes-Saved
X-VC
X-DB
Memory
X-Newrelic-Synthetics
X-Akamai-Transformed
X-Udemy-Cache-App-Namespace
X-BCube-Filmed-By
X-Wikidot-Static-Cache
Servername
X-Ad-Defer-Variation
X-Wikidot-Backend
X-Edge-Pop
Env
X-Ah-Environment
X-CACHE-KEY
X-Date
X-Accel-Expires-Debug
X-LB-NoCache
X-Tt-Logid
Candidate-Md5Url
Cache-Key
Datacenter
X-Mvc-Supplant-OutputCached
Ms-Author-Via
X-TIME
VNS-Age
X-Cache-ASPX
GEO-INFO
X-Contensis-Viewer-Groups
X-GeoIP-Region-Code
CPC-Age
CPC-Cache
XM
X-GeoIP-Country-Code
X-Generated-In
X-SplitTest
VNS-Cache
GeoIp-Country-Code
X-Cache-Debug
X-Amz-Meta-Cb-Modifiedtime
X-Cache-Status-Check
Geo-Info
X-WA-Info
X-Varnish-Authentication
Fastly-Backend-Name
X-Xrds-Location
Path
X-Servedbyhost
X-Micro-Cache
X-API-Version
X-S-Maxage
X-Via-Poph
X-Via-Popn
X-Via-Popv
Fusion-Content-Id
Fusion-Content-Source
Fusion-Template-Id
Fusion-Deployment-Id
Fusion-Source
Fusion-Component-Id
X-HA-Backend
X-AIR-PT
Geoip-Latitude
Lb
CacheControlHeader
ITXSESSIONID
X-Vc
X-RateLimit-Reset
Ohc-Cache-HIT
X-VCL-Version
Cache-Host
Client
X-TH-Server
X-Cs
X-Action
True-Client-Country-4JS
True-Client-IP
X-Backend-TTL
Server-ID
Ngx.Var.Host
Hostname
X-VHOST
X-Varnish-Beresp-TTL
FSS-Cache
X-Api-Version
X-Trace-ID
X-DC
XkeyRZ
X-Proxy-CacheRZ
X-Presslabs-Stats
Edge-Cache
X-Req
X-Clientip
X-Zone
Powered-By
My-App
X-TX-ID
X-FireWall-Port
X-Provided-By
X-Fpc
X-Pass-Why
X-Webkit-Csp-Report-Only
X-NGINX-Cache
X-Origin-Upstream-Status
X-Varnish-Beresp-Ttl
X-FPC
X-PX
X-B3-Spanid
NtCoent-Length
X-Up
X-CSRF-TOKEN
X-Dmc
X-MSEdge-Features
Test
X-LB-ID
X-Traceid
X-MSEdge-Flight
Cf-Int-Pingora-Origin-Digest
DataCenter
X-Dynatrace
X-Cdn-Request-ID
X-Render-Time
X-INCAP-ABP
X-HS-Status
X-Correlation-ID
X-LI-UUID
X-Webkit-CSP-Report-Only
X-UnsetCookies
C-Via
Rip
X-Vcl-Version
X-Beluga-Cache-Status
Server-Id
X-Li-Pop
X-Beluga-Trace
User-Agent
X-Beluga-Node
X-Li-Fabric
X-Beluga-Record
X-Beluga-Status
X-Beluga-Response-Time
X-Ha-Backend
Proxy-Connection
WZWS-RAY
X-Via-PopV
Tube-Got-Results
Click-Count-Error
Tube-Got-Eval
Tube-Return
X-Gateway-Cache-Key
X-Gateway-Skip-Cache
X-Service
X-Gateway-Cache-Status
X-Gateway-Request-Id
Tube-Get-Contents
OT-Force-Account-Verify
X-ND-Cache
X-Via-PopH
X-Via-PopN
Srvid
Click-Count-Action-Start
X-CLOUD-TRACE-CONTEXT
Sid
X-Alfa-Service
Resin-Trace
X-ServedByHost
X-M-Log
Esi-Enabled
X-Time-Microsecs
X-RAMCache
X-CUA
X-M-Reqid
X-DynaTrace-JS-Agent
X-URL
X-Qnm-Cache
HIT
Tcn
X-Geo
X-Check-Cacheable
X-Platform-Processor
X-Platform-Cluster
X-Platform-Router
GeoIP-Latitude
Uri
GeoIP-Country-Code
Tracecode
X-Fragments
On-Server
Cf-Device-Type
Target-Params
X-Akamai-Pragma-Client-IP
MIME-Version
X-CCDN-Origin-Time
X-CCDN-CacheTTL
X-Proxy-Cache-Hk
Epwk-X-Cache
X-Hcs-Proxy-Type
X-Azure-Ref-OriginShield
X-Var-Ttl
Lfy
X-Fastly-Backend
X-FC-Vary-Parameters
X-Sucuri-Cache
X-ATG-Version
Srv
X-LI-Proto
X-Fetch-By
X-Sucuri-ID
X-Cdn-Forward
Fastly-Drupal-HTML
X-TRACE-ID
X-APP
ENV
X-Backend-Host
X-Fastly-Backend-Reqs
X-LiteSpeed-Cache-Control
Cdn
X-Esi
X-ID
X-Li-Proto
X-B3-Traceid-Primal
X-Lb-Nocache
X-NU-AKA-ACS-Version
X-Cache-Expires
X-Backend-State
X-Edge-POP
XServer
X-App
WebServer
X-Varnish-Beresp-Status
ServerName
Magicmarker
Section-Origin-Responded
Section-Io-Origin-Status
Section-Io-Origin-Time-Seconds
Section-Io-Id
X-Srcache-Fetch-Status
X-Srcache-Store-Status
X-MG-S
X-HostName
CF-Cached-On
X-ElasticPress-Query
Inserted-Into-Cache-At
X-Newrelic-App-Data
X-Yottaa-OS
PICS-Label
X-Acquia-Application-UUID
X-Request-Start
D-Url-Rewrites
X-Edge-Origin-Shield-Region
X-Acquia-Purge-Tags
X-Vcache
Wpo-Cache-Status
Wpo-Cache-Message
Cf-Ipcountry
X-Iplb-Instance
X-Iplb-Request-Id
M-TraceId
X-Edge-Origin-Shield-Bytes
Server-Ttl
X-Acquia-Application-Trace
X-Serial
X-Nc
X-Cache-CFC
X-Acquia-Site
X-CF-Powered-By
Warning
Servedby
X-Wp-Cf-Super-Cache-Cache-Control
X-Fastly-Cache-Hits
X-Vercel-Id
X-Wp-Cf-Super-Cache
X-Vercel-Cache
Fastcgi-Cache-Ttl
Vha6-Origin
Content-Style-Type
X-IN-APIGATEWAY
X-Dist-Code
X-B3-Parentspanid
X-BBC-Origin-Response-Status
X-IN-APIGATEWAYSSL
X-Litespeed-Cache-Control
X-Snapshot-Date
Ngx
Cneonction
X-Request-Url
X-Release
X-Thanos
Content-Script-Type
X-Back
X-Th-Server
X-Storefront-Renderer-Verified
X-Dw-Trace-Id
X-Bip
X-Swift-Error
X-Shopify-Generated-Cart-Token
X-LiteSpeed-Tag
CountryCode
X-Request-URL