Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
Content-Length
X-Frame-Options
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
Link
X-Powered-By
CF-Cache-Status
Pragma
ETag
CF-RAY
Expect-CT
Via
Age
X-Cache
X-XSS-Protection
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-Xss-Protection
P3P
Referrer-Policy
X-Cache-Hits
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-UA-Compatible
X-Served-By
Alt-Svc
X-Request-Id
X-Varnish
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-Drupal-Cache
X-Check
Content-Security-Policy-Report-Only
X-Adblock-Key
X-Generator
X-Permitted-Cross-Domain-Policies
CF-Ray
X-Cache-Status
X-Cacheable
X-DNS-Prefetch-Control
X-Kinja-Server-Push
Timing-Allow-Origin
X-Template
X-Language
X-FRAME-OPTIONS
X-Ua-Compatible
X-AspNetMvc-Version
X-Iinfo
Status
X-Buckets
X-Content-Security-Policy
X-CDN
Upgrade
Content-Encoding
Access-Control-Expose-Headers
Access-Control-Max-Age
X-Envoy-Upstream-Service-Time
Keep-Alive
X-Request-ID
X-Via
X-Drupal-Dynamic-Cache
X-Ws-Request-Id
X-Server
X-Turbo-Charged-By
X-AH-Environment
X-Backend
X-Age
X-Cache-Group
Xkey
X-Robots-Tag
Feature-Policy
X-Proxy-Cache
X-Amz-Id-2
X-Amz-Request-Id
Request-Context
X-Hacker
X-Page-Speed
X-UA-Device
EagleId
X-Server-Powered-By
X-Nginx-Cache-Status
X-Pingback
Grace
X-Varnish-Cache
Server-Timing
P3p
X-LiteSpeed-Cache
Report-To
X-Swift-CacheTime
X-Swift-SaveTime
X-WebKit-CSP
Ali-Swift-Global-Savetime
X-Amz-Version-Id
Cf-Railgun
X-Server-Id
X-Rq
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-OneAgent-JS-Injection
X-Origin-Cache
X-Host
EagleEye-TraceId
X-Device
Surrogate-Control
X-Response-Time
X-Vhost
X-Backend-Server
X-Dns-Prefetch-Control
X-Cache-Lookup
X-Ac
X-Node
X-Pass-Why
X-Origin-Upstream-Status
X-Readtime
X-Dispatcher
X-HW
Fusion-Content-Id
Fusion-Component-Id
Fusion-Content-Source
Fusion-Source
Fusion-Template-Id
Request-Id
X-DataDome
X-Mod-Pagespeed
Content-Location
X-Application-Context
X-Akam-SW-Version
X-ORACLE-DMS-ECID
X-Ruxit-JS-Agent
Fusion-Deployment-Id
X-ORACLE-DMS-RID
X-Country
NEL
X-EdgeConnect-MidMile-RTT
Allow
X-EdgeConnect-Origin-MEX-Latency
Rating
X-Country-Code
X-Clacks-Overhead
Edge-Control
X-Cnection
X-Url
X-Rack-Cache
X-Px
X-Cloud-Trace-Context
X-FTR-Request-ID
X-Goog-Hash
RTSS
X-PC
X-Vname
X-TtlSet
MS-Author-Via
X-Powered-By-Plesk
Verso
X-DynaTrace
X-Ttl
Accept-CH
Public-Key-Pins
X-B3-TraceId
X-GitHub-Request-Id
Service-Worker-Allowed
X-Kinja
X-Kinja-Server
X-Exp-Id
X-Kinja-Revision
X-Kinja-Build
X-Cdn-Fetch
X-Use-Magma
X-GoogleNews-Bot
X-Exp-Variant
X-MS-InvokeApp
X-Middleton-Response
X-Amz-Server-Side-Encryption
X-Middleton-Display
Response
Pagespeed
Display
X-Sol
Arr-Disable-Session-Affinity
X-Varnish-TTL
X-Forwarded-Proto
X-Cache-TTL
Accept-CH-Lifetime
X-D2id
X-Abt-Application-Version
TCN
X-CST
Pinterest-Generated-By
X-Amz-Rid
X-Cached
Accept-Ch
X-Vcap-Request-Id
X-NF-Request-ID
X-VARITI-CCR
X-Content-Type
Nel
X-Navigation-Version
X-Fastly-Request-ID
Cache-Tag
X-Server-Name
X-Instart-Request-ID
X-Accel-Expires
X-TEC-API-VERSION
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-ESI
Accept-Ch-Lifetime
X-MSEdge-Ref
X-Version
Nginx-Cache
Access-Control-Request-Method
AR-Request-ID
X-Grace
AR-ATIME
AR-PoweredBy
S
Charset
SPIisLatency
SPRequestDuration
X-Debug
X-Upstream
AR-CACHE
Ar-Sid
X-Powered-CMS
SPRequestGuid
X-SharePointHealthScore
X-SRCache-Fetch-Status
X-Client-IP
X-SRCache-Store-Status
X-Trace
X-Pinterest-Rid
Pinterest-Version
X-DynaTrace-JS-Agent
X-FastCGI-Cache
X-Ezoic-Cdn
Realpath
Content-MD5
X-Mrf-Section-Lastmod
Mrf-Cache-Status
MRF-Tech
X-B3-TraceId-Primal
X-Mrf-Item-Lastmod
X-Element-Page-Cache
X-Dw-Request-Base-Id
X-Id
X-Hp-Webp
X-Jurisdiction
X-Recruiting
X-Amz-Meta-S3cmd-Attrs
X-Node-Name
X-Shield-Request-Id
Fastcgi-Cache
X-T
X-ASPNET-VERSION
X-Content-Digest
X-Kinsta-Cache
X-Logged-In
X-Mobile-URL
X-NWS-LOG-UUID
X-Country-Code-Real
X-FTR-Cache-Status
X-FTR-DC
Edge-Cache-Tag
Server-Node
X-Frontend
X-FTR-Balancer
X-FTR-Realm
X-FTR-Backend
X-FTR-Backend-Server
X-Goog-Metageneration
X-Request-Received
X-Goog-Stored-Content-Encoding
X-GUploader-UploadID
X-Goog-Stored-Content-Length
X-Goog-Generation
X-Goog-Storage-Class
X-Request-Processing-Time
X-XRDS-Location
TP-Cache
TP-L2-Cache
X-Cache-Hit
X-Cache-Age
X-FTR-Expires
Front-End-Https
Server-Name
DynaTrace
Fastly-Restarts
X-Forwarded-For
X-Hostname
ServerID
Arc-Version
X-Amzn-Trace-Id
PB-RID
PB-PID
X-Zen-Fury
X-DIS-Request-ID
Powered
X-Microsite
X-Request-Handler-Origin-Region
Backend-Timing
X-ATS-Timestamp
X-Mobile-Rewrite
X-Content-Security-Policy-Report-Only
X-Revision
X-User-Agent
X-Hits
X-HS-Content-Id
X-HS-Cache-Config
X-HS-Combine-CSS
X-HS-Hub-Id
X-Cdn
X-LB-Cache
X-F-Cache
X-Akamai-Edgescape
Accept-Charset
X-Oneagent-Js-Injection
X-Jobs
X-Page-Id
X-Cache-Key
X-Fastcgi-Cache
X-FTR-Cache-Host
X-Geo-Country
Filters
X-ORACLE-APMCS-TAG
X-ORACLE-APMCS-REQUEST-ID
AMP-Access-Control-Allow-Source-Origin
MicrosoftSharePointTeamServices
X-Content-Powered-By
X-Via-JSL
X-Varnish-Age
X-Kong-Upstream-Latency
X-TTL
X-Kong-Proxy-Latency
X-Origin-Server
X-B
X-Ser
Alternate-Protocol
X-Rid
X-N
X-Yandex-Sdch-Disable
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Varnish-Backend
Host-Header
X-Daa-Tunnel
X-Esi
X-Debug-Info
X-XRDS-LOCATION
X-Git-Hash
X-WebKit-CSP-Report-Only
DC
X-Az
X-Activity-Id
X-AppVersion
X-ATG-Version
Retry-After
X-FB-Debug
X-Amz-Replication-Status
Frame-Options
X-Server-ID
Paypal-Debug-Id
X-Type
X-App-Server
X-Signature
Cache-Tags
X-Varnish-Grace
X-B-Cache
Actual-Object-TTL
X-Contextid
Section-Io-Cache
X-Whom
X-App-Environment
Fastcgi-Useragent
X-TT
X-Correlation-Id
X-Request-Guid
X-Edge
Surrogate-Key
X-AOL-HN
X-Content-Options
X-Status
X-RateLimit-Remaining
Host
X-Seen-By
Source
Healthy
X-Cache-Action
X-Ruxit-Js-Agent
X-Host-Name
WPE-Backend
X-B3-Sampled
Refresh
NR-ENABLED
X-HTML-Minification-Powered-By
X-Pinterest-Direct
X-Instance
X-IPLB-Instance
X-Endurance-Cache-Level
X-Tumblr-User
X-Tumblr-Pixel
X-Upgrade-Enabled
X-ECACHE
X-Tumblr-Pixel-0
From-Origin
Access-Control-Allow-Method
X-APP-VERSION
X-Response-Served-From
X-ProcessESI
X-Accel-Buffering
X-Cache-Rule
X-RemovedCookies
X-Drupal-Cache-Tags
Payment
X-MCACHE
X-Mid
X-Cache-Operation
X-Cacheable-TTL
VIX-Pulpo-Node
X-Cache-Control
X-UUID
X-Region
VIX-Pulpo-Upstream-Status
Odigeo-Trace-Id
X-Rule
X-FW-Hash
MS-CV
X-FW-Dynamic
X-Environment-Context
X-Varnish-Server
X-Amz-Apigw-Id
X-FW-Server
X-FW-Serve
X-Cache-Time
X-FW-Type
X-FW-Static
X-L-Path
Eomportal-Instance
Datacenter
Countrycode
X-Is-Bot
Cache-Status
X-Rendered-As
X-WA-Info
Xserver
X-URL
X-Adobe-Content
X-Adobe-Loc
X-Correlation-ID
X-Protected-By
X-Amzn-RequestId
X-GeoIP
X-Wix-Request-Id
NGB
X-Cluster
X-RequestSource
X-SERVER-NAME
Content-Disposition
X-Akamai-Transformed
X-Cache-Server
Srv
X-Cached-By
X-Yottaa-Optimizations
X-EdgeConnect-Cache-Status
X-Yottaa-Metrics
Filterid
X-Presslabs-Stats
X-VCache
X-Akamai-Request-ID2
Uber-Trace-Id
X-PressLabs-Stats
X-Tumblr-Pixel-1
X-Tumblr-Pixel-2
Version
X-UnsetCookies
X-Origin-Response-Time
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Unique-Id
X-IPS-LoggedIn
Upgrade-Insecure-Requests
X-Load-Cache
X-Mobile
X-Vcache
X-Mode
Access-Control-Request-Headers
X-Handled-By
X-PHP-Backend
X-Time
Liferay-Portal
X-Proxy
X-Cache-Remote
X-Framework
Cross-Origin-Window-Policy
X-Time-Microsecs
X-FireWall-Port
X-No-Session
X-MP-GENERATED-AT
X-Path-Route
X-PCL
X-ES-SERVER
X-OCL
X-Cache-Var
Meta-Geo
X-RN-RSRV
X-Adobe-Source
X-Cache-Status-Check
X-Cache-Var-Map
X-CCM
X-Storage
X-Via-Fastly
X-Viewer-Country
Cache
X-UA-Device-Type
X-Cache-Config
X-BCube-Filmed-By
X-Pubstack
X-AWS-Id
X-Www-Served-By
Accept-Language
X-Say-TTL
X-Say-Cacheable
X-FW-Version
X-Web-Node
Fastly-SSL
X-ApacheServer
X-Redis-Cache
DSUID
Decoy-Debug-Key
Decoy-Debug-Status
Cache-Hits
Akamai-GRN
ServedBy
X-SayCDN-TTL
Webserver
X-Backend-Name
Decoy-Debug-TTL
X-Xfnlog-Site
X-VWS-Id
X-LJ-Flow-ID
X-TX-ID
X-PERF
X-NYM-Debug-Backend
X-NGENIX-Cache
X-Site-Version
X-Locale
X-Human
X-NCache
Section-Origin-Responded
X-Section
X-Format
X-ProxyCache-Status
Mn-Server-Ip
X-Origin
Cleartype
X-Goog-Meta-Goog-Reserved-File-Mtime
X-Real-IP
Cache-Name
X-TNCMS
Section-Io-Id
Origin-Cache-Control
X-Access
Now
S-Rt
X-Info
Origin-Edge-Control
X-Hyper-Cache
X-RTag
X-Cache-NGX
Ms-Operation-Id
X-BYPASS-REASON
X-ProxyCache-Key
X-R9-Blue-Green-Version
X-Loop
X-FC-Vary-Parameters
Section-Io-Origin-Time-Seconds
Section-Io-Origin-Status
X-Proxied
X-Origin-Hint
Webcakes-App-Version
X-Cache-Enabled
X-Bc-Bl
X-CS
X-Device-Type
X-Hl-Ver
X-FB-TRIP-ID
X-Amzn-Remapped-Content-Length
Webcakes-Region
TWC-GeoIP-Country
TWC-Device-Class
TWC-GeoIP-LatLong
TWC-Locale-Group
Webcakes-App-Name
TWC-Privacy
TWC-Connection-Speed
Property-Id
X-ServerID
X-Azure-Ref
X-Routing-Service
X-Zipkin-Id
X-JoinUs
X-Shopify-Stage
X-IP
X-Alternate-Cache-Key
X-Source
X-ShopId
X-ShardId
X-EIG-Tracking-Id
X-SaId
X-From
X-Generated
X-UPSTREAM-Address
X-Hosted-By
X-Timing-Wait
Ec-Rule-Version
X-Sorting-Hat-ShopId
Selected-Fe
X-Sorting-Hat-PodId
X-Proxy-Build
X-Detected-As
DB-Nickname
Country
X-CLOUD-TRACE-CONTEXT
Azure-RegionName
Azure-InstanceId
X-Cache-NE
X-Geo
Azure-SiteName
Azure-Version
Azure-SlotName
X-Varnish-Cache-Hits
X-Content-Age
X-CSRF-Token
X-Old-Content-Length
X-Cluster-Node
SD-X-WS
X-Backend-TTL
X-PHP-Host
X-NWS-UUID-VERIFY
X-NewRelic-App-Data
X-CDN-Forward
X-Labrador-Cache-Channel
X-Qloud-Router
X-Varnish-Hostname
Cache-Tv-Group
Time
Load-Balancing
User-Agent
X-Pad
X-Litespeed-Cache
X-Cache-Host
X-EC-Lua
X-Air-Hostname
S-Cnection
X-Drupal-Cache-Contexts
X-Cache-TTL-Remaining
X-Cache-Backend
X-RCS-CacheZone
X-Parent-Response-Time
X-Cache-2
FilterID
X-Proxy-Cache-Status
X-Microcachable
X-Urbn-Site-Id
X-Urbn-Context-Path
X-Forwarded-Host
Locale
X-Ua
X-NC
X-Cache-Grace
Server-Info
X-UA
X-Release
X-RateLimit-Limit
X-Akamai-Request-ID
X-Tumblr-Pixel-3
Tracecode
X-TIME
OT-Force-Account-Verify
NGX
Proxy-Connection
Sid
X-Debug-Cache
X-FORWARDED-FOR
X-SRV
X-Soup
X-Vgn-Hpd-Reason
Cache-Key
X-Dc
X-Newrelic-Synthetics
X-Tb
AsisCache
BehaviorPad-Version
X-D
X-Connection-Hash
Content-Script-Type
X-CF-Lambda-Fn
Fastcgi-X-Cache-Version
X-CF-Lambda-Version
Content-Style-Type
CDCHOST
X-DevSite-Last-Modified
Server-Host
X-Generated-On
X-Instart-Info
X-Level-Front-Cache
X-Ms-Request-Id
X-Uri
X-G
X-External-Request-Id
X-Destination
X-Date
X-Developer
GEO-REGION-INFO
X-Dispatch
Arc-Country
X-Agile-Id
Who
Pagetype
Mobile-Detection-Method
Meta-Geo-Continent
X-A-Ccd
X-A
VivaBuild
Viewtype
T-Server
ServerName
True-Client-Country-4JS
UCS
Rendered-Blocks
MD5-Digest
X-A-Dam
X-Agile-Age
X-Agile
X-Ms-Version
X-Application
X-ARC
X-Aed
X-Accel-Expires-Debug
Machine
X-A-Dcw
M-TraceId
X-A-Dgt
X-A-Wwc
X-B-Cookie
X-Geo-Header
X-S-Cookie
X-S
X-Scheme
X-ScT
X-Vdms-Version
X-Srv
X-Rojux
X-Request-UUID
X-VG-WebServer
X-VG-WebCache
X-Rewrite-Enabled
X-ServiceProvider
X-Vdms-Path
X-Twitter-Response-Tags
X-Swa-Ws
X-Trv-Group
X-Transaction
X-Trace-Id
X-SRCache-Key
X-User
X-Session-Fingerprint
GEO-INFO
X-Skip-Cache
X-Node-Id
X-Reqid
X-Cluster-Name
Xc-Version
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
X-Worker
X-PAYTM-SRV-ID
X-NodeID
X-Processor
X-Magnolia-Registration
X-Region-Sid
User-Cache-Control
X-Proto
X-Wikidot-Static-Cache
V-Age
X-Bip
Thinkindot-CacheControl-Type
X-Variation
X-TT-TIMESTAMP
Thinkindot-CacheControl
X-Backend-State
Thinkindot-Control
Viewport
X-VServer
Web-Mar-Node
X-Via-PopV
X-Block-Status
X-Via-PopH
We-Hiring
Vix-Hermes-Req-Id
X-VC-Cache
X-Wikidot-Backend
X-We-Are-Hiring
X-WADP-Cache
X-VG-TLSProxy
X-Varnish-Cacheable
X-SN
X-Has-Esi
X-Hash
X-Hit
X-Platform-Server
X-Generation-Time
X-Reboot
X-Gen-Mode
X-Generated-In
X-Hnp-Log
X-Is-Gdpr
X-Matched-Rule
X-Method
X-Micro-Cache
X-Logging-Id
X-Location
X-JWT-State
X-LAGOON
X-Owner
X-Fmm-Version
X-Eu-Site
X-Cache-Tags
X-Thanos
X-CGP
X-Cache-PHP
X-Cache-Info
X-Cache-Bucket
X-Thinkindot-L3
X-Cache-FS-Status
X-Clara-WADP
X-SIPLIST1
X-Device-Os
X-Dispatcher-Server
X-Distil-CS
X-SD-PageType
X-Servername
X-Clientip
X-Cms-Context
X-Core-Value
X-Branch-Name
X-Epic-Correlation-Id
Mail-Subject
Magicmarker
L5d-Success-Class
Memcached
C-Via
NM-Fastcgi-Cache
N-Cache
Apple-News-Services-Parsed-Url
Kp-EeAlive
IsBot
Ha-Gx-Prefs
FNAC-ModuleRouting
X-TA-CDN-Provider
HA-Ipaddr
Fastly-Drupal-HTML
Is-Eu
Esi-Enabled
Apple-News-Services-Host
Apple-News-Services-Request-Url
AKAMAI
On-Server
Rt-Fastcgi-Cache
Node
Apple-News-Services-Handled
Adler-Geo
Release
Platform
Apigw-Requestid
X-Envoy-Decorator-Operation
Geo-Info
X-Fastly-Cache
X-GoCache-CacheStatus
X-Li-Fabric
Fastly-SIE
X-Irp-Debug
X-Origin-Expires
X-Origin-Date
Fastly-SWR
X-Cache-URL
X-Nginx-Cache-Key
Cache-Cookie-Set-From
X-Mvc-Supplant-Cachable
X-Developers
Cache-Cookie-Set-Idcheck
X-LI-UUID
X-Li-Pop
X-Distributor
Cache-Cookie-Set-Lfrom
X-Envoy-Upstream-Healthchecked-Cluster
Gh-Request-Id
W
X-Response-By
Wxu-Next-Commit
Wxu-Next-Hostname
X-Req
X-Request-Host
Server-Ext
RNT-Machine
Server-ID
Server-Hostname
X-Slack-Backend
X-Server-W
RNT-Time
Sever-Int
L
Wxu-Next-Region
X-Policy
X-Backend-Host
X-Rebelmouse-Surrogate-Control
X-Rebelmouse-Cache-Control
X-Auto-Login
X-BBXSRF
X-Webstats-RespID
X-TrackingId
Cf-Ipcountry
X-Varnish-Authentication
X-Server-IP
X-LI-Proto
X-Cache-ASPX
X-RateLimit-Limit-Second
X-Var-Ttl
X-App
X-Be
X-Refresh
X-RateLimit-Remaining-Second
X-Core-Mission
X-App-Name
Cache-Host
X-Contensis-Viewer-Groups
X-DC
X-VCT
X-Compress-Hint
Ohc-File-Size
CacheControlHeader
X-Varnish-Beresp-Grace
X-Mvc-Supplant-OutputCached
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Status
X-Cdn-Srv
X-Wa
X-Nc
X-S-Maxage
Server-Surrogate-Control
X-FPC
X-Generated-By
X-TH-Server
Server-Cache-Control
X-Sucuri-ID
HostName
NtCoent-Length
X-Bc
X-Cache-Debug
Memory
X-Esi-Check
X-Cache-Id
X-Zone
X-Loc
X-Gzip
LB
X-Origin-CC
X-Origin-TTL
SRV
X-B3-Traceid
X-CACHE-KEY
X-NU-AKA-ACS-Version
X-Rocket-Nginx-Bypass
Ohc-Response-Time
X-Configured-By
X-AIR-PT
Locid
Request-Country
Heartbleed
X-BC
X-ZONE
X-Varnish-Ttl
X-SVT-ORM-VERSION
X-SVT-ORM-RULES
X-MSEdge-Features
X-Webkit-CSP
X-Key
Request-EU
X-MSEdge-Flight
X-Storefront-Renderer-Rendered
CACHE
X-Request-URI
X-Svr
X-Edge-Location
X-Debug-Panamera-Sitecode
X-Debug-Panamera-Host
X-Shopify-Generated-Cart-Token
X-Varnish-Hits
X-CF-Powered-By
X-COUNTRY
Pragrma
X-Pjax-Url
MIME-Version
X-Amzn-Requestid
X-Gamma-Serve
X-Varnish-URL
WZWS-RAY
Resin-Trace
X-Servedbyhost
X-Nginx-Cache
FSS-Cache
Referer-Policy
X-Batcache
X-VCL-Version
Fastly-Backend-Name
X-GEO
X-Cdn-Forward
GeoIp-Country-Code
Geoip-Latitude
X-Up
X-WebServer
X-App-Version
X-Minions-Version
X-BACKEND-TTL
Lfy
Mime-Version
X-Proxy-Upstream
Product
X-Sucuri-Cache
Hostname
X-NGINX-Cache
X-BE
X-ND-Cache
My-App
X-Aicache-OS
Cteonnt-Length
X-Cdn-Origin
X-Fetched-On
X-ElasticPress-Query
GeoIP-Country-Code
X-Sn-Servicetimems
X-Via-CDN
HitType
X-GeoIP-Country-Code
X-Vcl-Version
X-Edge-Server
GeoIP-Latitude
X-ServedByHost
Powered-By-ChinaCache
CF-Cached-On
Cdn-Request-Time
Cdn-Host
X-Ratelimit-Remaining
X-HS-Status
SN
X-PJAX-URL
X-Varnish-Url
Ohc-Cache-HIT
X-CSRF-TOKEN
X-Shard
X-Fastly-Country-Code
X-Oss-Object-Type
X-Oss-Server-Time
X-Oss-Storage-Class
X-ECache
DCR-Decision-By
X-Oss-Request-Id
DCR-Processing-Time-Ms
X-Oss-Hash-Crc64ecma
X-Check-Cacheable
X-Unique-ID
X-Azure-Ref-OriginShield
Pramga
Location
X-Fastly-Backend-Reqs
X-Pf-Uncompressing
X-Fastly-Cache-Status
X-PF-Uncompressing
X-Served-From
Group
Amp-Access-Control-Allow-Source-Origin
X-Request-Start
X-Ratelimit-Limit
X-CACHE-AGE
URI
X-B3-Spanid
Cdn
Dt-Cache-Category
X-Via-Ucdn
X-LB-ID
X-Newrelic-App-Data
X-IN-APIGATEWAYSSL
X-Request-Time
X-IN-APIGATEWAY
X-Fpc
X-VarnishDD-TTL
X-OVcl
PFcat
CloudFront-Viewer-Country
Country-Code
X-OVcl-Cache
XServer
X-Via-NSCOPI
X-Swift-Error
X-Debug-Cache-Fetch
Geoip-City
X-Vgn-Hpd-Variations-Key
X-Tec-Api-Origin
X-Tec-Api-Root
X-Tec-Api-Version
X-Vgn-Hpd-Cached
X-Vgn-Hpd-Ssi
X-DPWN-IS-SECURE
A
X-Debug-Cache-Store
X-B3-SpanId
Cf-Alt-Svc
CF-IPCountry
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-Planisys-CDN-Cache
X-Varnish-Beresp-TTL
X-Platform
X-C
X-Instart-Isnd
PICS-Label
X-Ocache
X-Tb-Optimization-Total-Bytes-Saved
X-Render-Time
Origin
X-WR-MODIFICATION
X-WPE-Loopback-Upstream-Addr
Lb
X-Varnishpool
X-Ratelimit-Reset
X-LiteSpeed-Cache-Control
Host-ID
WWW-Authenticate
X-Cache-Expired-At
Proxy-Firewall
X-Debug-Ysi-Auth
X-Country-IP
Request-Time
X-APP
X-StackifyID
X-Cache-Tag
X-Apw-Hits
SID
X-Sigma-Backend
X-Sigma
Server-Ttl
X-Rocket-Build-Number
X-Debug-Xas-Auth
X-Apw-Access-Token
X-Debug-Cache-Bypass
X-Debug-Cache-Status
X-Debug-Cache-String
X-Debug-Do-Not-Cache-Uri
X-Apw-Access-Object
X-WA
X-Apw-Access-Action
X-Ftr-Cache-Host
Cloudfront-Viewer-Country
TTL
X-Action
X-DW
NnCoection
X-DSS
X-DI
X-RPM
X-RPS
X-Cache-Hfrom
X-Cache-Hm
X-RSL
X-DB
X-Acquia-Site
Region
X-Acquia-Purge-Tags
X-Acquia-Application-UUID
X-Acquia-Application-Trace
Cneonction
X-Akamai-ERPolicy
X-B3-Parentspanid
X-Li-Proto
X-Akamai-ERRuleID
Req-ID
X-Request-URL
X-VC
X-SB
X-Nananana
X-Html-Edge-Cache
X-ElasticPress-Search
X-Dw-Trace-Id
X-Varnish-ID