Threat Level: green Handler on Duty: Russ McRee

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
Alt-Svc
X-UA-Compatible
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Cacheable
X-Check
Timing-Allow-Origin
X-Request-ID
P3p
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-CONTENT-TYPE-OPTIONS
X-CDN
X-AspNetMvc-Version
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
Keep-Alive
Request-Context
EagleId
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
Host-Header
X-Amz-Request-Id
X-Proxy-Cache
X-UA-Device
X-Amz-Id-2
X-Hacker
X-Rq
Grace
X-Dns-Prefetch-Control
X-Akamai-Path-Stats
X-Swift-CacheTime
X-Swift-SaveTime
X-Varnish-Cache
X-Server-Powered-By
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Ua-Compatible
X-Dispatcher
CONTENT-SECURITY-POLICY
EagleEye-TraceId
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-WebKit-CSP
X-OneAgent-JS-Injection
X-Nginx-Cache-Status
Allow
X-Device
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-Pingback
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
Surrogate-Control
Request-Id
X-Backend-Server
Accept-CH
X-ASPNET-VERSION
X-Akam-SW-Version
X-Readtime
Cf-Edge-Cache
X-Cache-Lookup
X-Response-Time
X-HW
Xkey
X-Application-Context
Content-Location
Accept-CH-Lifetime
Rating
X-Cloud-Trace-Context
X-Url
X-Trace
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
Accept-Ch-Lifetime
Fastly-Restarts
X-Country
X-Mod-Pagespeed
X-MS-InvokeApp
X-Rack-Cache
X-Vname
X-TtlSet
X-PC
X-Ruxit-JS-Agent
X-Server-Name
X-Clacks-Overhead
Edge-Control
RTSS
X-Varnish-TTL
X-ESI
X-VARITI-CCR
X-Content-Type
X-B3-TraceId
Cache-Tag
X-Vcap-Request-Id
Accept-Ch
X-Amz-Rid
X-Kinja-Server
X-Exp-Variant
X-Kinja-Revision
X-GoogleNews-Bot
X-Kinja-Build
X-Exp-Id
X-Use-Magma
X-Amz-Server-Side-Encryption
X-Kinja
X-Cdn-Fetch
X-Dw-Request-Base-Id
Public-Key-Pins
X-Cnection
X-Px
X-Ac
X-D2id
X-Element-Page-Cache
Verso
X-Navigation-Version
X-RateLimit-Remaining
X-Abt-Application-Version
X-Client-IP
X-Cache-TTL
X-Powered-By-Plesk
X-Edge
Display
Pagespeed
X-Sol
X-Middleton-Display
X-Ser
X-FastCGI-Cache
Service-Worker-Allowed
X-Version
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
X-Country-Code
X-Ruxit-Js-Agent
X-Middleton-Response
Response
X-NF-Request-ID
Access-Control-Request-Method
X-Correlation-Id
X-Goog-Hash
X-Ttl
X-Kinsta-Cache
AR-ATIME
AR-CACHE
SPIisLatency
SPRequestDuration
AR-Request-ID
AR-SID
AR-PoweredBy
X-Edge-Location-Klb
X-Upstream
X-Webkit-Csp
X-TTL
X-LLID
X-NWS-LOG-UUID
X-Cached
X-Ua-Device
X-Powered-CMS
X-Instrumentation
X-Server-Lifecycle-Phase
X-Kraken-Loop-Name
SPRequestGuid
X-SharePointHealthScore
Edge-Cache-Tag
Nginx-Cache
X-RateLimit-Limit
X-Cache-Key
X-Content-Security-Policy-Report-Only
X-Forwarded-For
X-Litespeed-Cache
X-MSEdge-Ref
Content-MD5
TCN
Mrf-Cache-Status
MRF-Tech
X-Shield-Request-Id
MS-Author-Via
X-B3-TraceId-Primal
X-Daa-Tunnel
X-Id
X-Aspnetmvc-Version
X-T
X-Recruiting
S
X-Content-Digest
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-Mg-S
X-DataDome
X-Protected-By
X-HP-Trace-Id
X-HP-Webp
X-Jurisdiction
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Accel-Expires
X-HS-Cache-Config
X-HS-Combine-CSS
X-HS-Hub-Id
X-HS-Content-Id
X-Ezoic-Cdn
MicrosoftSharePointTeamServices
X-Ab
X-Content
X-Ua-Browser
X-ECACHE
X-Grace
X-Request-Processing-Time
Server-Node
X-Request-Received
X-Yandex-Sdch-Disable
X-Frontend
Front-End-Https
Filters
X-PressLabs-Stats
X-Server-ID
Fastcgi-Cache
X-Mid
X-DynaTrace
X-Geo-Country
TP-Cache
TP-L2-Cache
X-Hits
X-Origin-Server
X-ORACLE-DMS-ECID
X-Distributor
X-ORACLE-DMS-RID
X-Ratelimit-Reset
X-Debug-Info
X-Amzn-Trace-Id
X-WebKit-CSP-Report-Only
X-Tt-Trace-Tag
X-Tt-Trace-Host
Charset
Cleartype
Host
X-Page-Id
X-F-Cache
X-Git-Hash
Pinterest-Generated-By
X-Pinterest-Rid
Pinterest-Version
X-DIS-Request-ID
X-Request-Handler-Origin-Region
Cross-Origin-Opener-Policy
X-Microsite
X-B3-Sampled
X-LB-Cache
X-Www-Served-By
X-Forwarded-Proto
Access-Control-Allow-Method
X-Cache-Age
ServerID
X-Seen-By
Cache-Tags
Cache-Status
X-Activity-Id
X-Az
X-AppVersion
Accept-Charset
X-Varnish-Age
X-Cluster-Name
Realpath
X-Language
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
Filterid
X-MCACHE
Server-Name
X-Rid
X-Content-Options
X-Type
X-Oracle-Dms-Ecid
X-Oracle-Dms-Rid
X-Nginx-Upstream-Cache-Status
X-App-Environment
Viewport
X-Varnish-Grace
Node
X-Origin-Cache
X-Upgrade-Enabled
Country
Retry-After
X-Mobile-URL
X-User-Agent
X-XRDS-LOCATION
X-Tb
X-Drupal-Cache-Tags
X-Route-Name
X-Whom
X-Is-Crawler
X-Providence-Cookie
X-Request-Guid
Paypal-Debug-Id
X-B-Cache
X-NWS-UUID-VERIFY
X-Wix-Request-Id
X-Flags
X-Aspnet-Duration-Ms
DC
X-Signature
X-FB-Debug
X-TT
X-Goog-Generation
X-Goog-Metageneration
Fastcgi-Useragent
Protected
X-Goog-Storage-Class
X-Varnish-Backend
X-Goog-Stored-Content-Length
X-Fastly-Request-Id
X-VCache
X-GUploader-UploadID
X-Goog-Stored-Content-Encoding
X-Via-JSL
X-B
X-N
X-Cache-NGX
X-Amz-Replication-Status
Payment
X-Debug
X-Contextid
X-Logged-In
X-Fastly-Request-ID
X-Fastcgi-Cache
WPO-Cache-Message
X-Load-Cache
WPO-Cache-Status
X-Template
X-Mcache
Surrogate-Key
X-FW-Hash
X-FW-Type
X-FW-Server
X-FW-Serve
X-FW-Dynamic
X-FW-Static
X-Cache-Control
Count-Hit
X-Trace-Id
X-Amz-Meta-S3cmd-Attrs
X-Node-Name
Amp-Access-Control-Allow-Source-Origin
Healthy
X-Erf-Bev-Bev-Is-Generated
X-Browser-Type
X-Erf-Bev-Bev
SD-X-WS
X-Original-Request-Id
Permissions-Policy
X-Response-Served-From
X-Proxy
Refresh
Akamai-GRN
X-G
X-XRDS-Location
X-Cache-Time
X-Zen-Fury
X-Hostname
X-Akamai-Request-ID2
Content-Disposition
X-Is-Bot
X-Real-IP
X-Rendered-As
X-UUID
X-Revision
X-Page-View
X-Adobe-Content
X-Adobe-Loc
X-Cache-TTL-Remaining
Alternate-Protocol
X-Http-Reason
Uber-Trace-Id
X-Framework
X-Cacheable-TTL
X-Jobs
X-Mobile
X-Proxy-Cache-Status
X-Device-Type
X-Debug-IsConnected
VIX-Pulpo-Upstream-Status
NGB
X-Instance
X-Debug-IsPreview
X-Drupal-Cache-Contexts
VIX-Pulpo-Node
Access-Control-Request-Headers
X-Yottaa-Optimizations
X-Yottaa-Metrics
X-IPLB-Instance
Url
X-Servername
X-Source
From-Origin
X-COUNTRY
X-Cache-Grace
Version
X-ECache
X-Cache-Rule
X-Varnish-Server
X-Parallel-Accel
X-B3-Traceid
X-Vgn-Hpd-Reason
X-L-Path
X-Mg-Request-UUID
X-NGENIX-Cache
X-Environment-Context
Accept-Language
X-EdgeConnect-Cache-Status
X-Cache-Expired-At
X-Cache-Hit
X-Restarts
X-Oneagent-Js-Injection
Referer-Policy
Countrycode
X-RTag
MS-CV
Ms-Operation-Id
X-App-Server
X-HTML-Minification-Powered-By
X-FW-Version
X-Ratelimit-Remaining
Liferay-Portal
Frame-Options
X-NYM-Debug-Backend
Cross-Origin-Window-Policy
X-Tumblr-Pixel-1
X-Tumblr-Pixel-0
Backend
X-Tumblr-User
X-Tumblr-Pixel
X-IPS-LoggedIn
X-Cache-Action
X-ProcessESI
X-APP-VERSION
X-RemovedCookies
Content-Secure-Policy
CF-IPCountry
WP-Super-Cache
Section-Io-Cache
X-Nginx-Cache
Meta-Geo
Upgrade-Insecure-Requests
X-Redis-Cache
X-RN-RSRV
X-Cache-Server
X-UPSTREAM-Address
Cache-Tv-Group
X-Format
X-FB-TRIP-ID
X-Cache-Enabled
X-Detected-As
X-Generation-Time
X-Hosted-By
X-OCL
X-No-Session
X-Access
X-PCL
X-Section
X-Ua
Ec-Rule-Version
Webcakes-Region
X-Content-Age
Locale
X-Hyper-Cache
X-Sql-Duration-Ms
X-Urbn-Context-Path
X-Datadome
X-Say-Cacheable
Azure-InstanceId
X-Say-TTL
X-SayCDN-TTL
X-Request-Time
X-Varnish-Cache-Hits
X-Akamai-Edgescape
X-Web-Node
TWC-GeoIP-LatLong
Apigw-Requestid
TWC-Locale-Group
X-Be
X-Server-W
X-Sql-Count
Webcakes-App-Version
TWC-GeoIP-Country
X-Cluster-Node
Fastly-SSL
X-UA-Device-Type
X-Generated-By
Azure-Version
Azure-SlotName
X-Via-Fastly
X-Origin-Hint
TWC-Privacy
TWC-Device-Class
X-Human
X-AOL-HN
Webcakes-App-Name
X-PHP-Backend
Azure-SiteName
TWC-Connection-Speed
X-Uri
X-Region
X-Origin-Date
Azure-RegionName
Mn-Server-Ip
X-Urbn-Site-Id
Property-Id
X-Site-Version
Eomportal-Instance
X-Adobe-Source
X-Platform-Server
CDN-Cache
X-Cache-Tags
X-ApacheServer
CDN-EdgeStorageId
X-Cache-Host
X-Content-Powered-By
X-Xfnlog-Site
CDN-CachedAt
X-ProxyCache-Key
CDN-RequestId
CDN-Uid
X-ProxyCache-Status
X-Status
X-PERF
CDN-PullZone
X-BYPASS-REASON
X-Mode
X-Storage
CDN-RequestCountryCode
X-Nginx-Cache-Key
S-Rt
X-SaId
X-Backend-Name
X-ServerID
X-Varnishpool
X-Unique-Id
X-Tid
X-TT-LOGID
X-JoinUs
X-Cache-Type
X-Debug-Cache
X-Forwarded-Host
X-Handled-By
X-Hl-Ver
X-Zipkin-Id
X-Sorting-Hat-ShopId
X-ShardId
X-Proxied
X-Extlb
X-Routing-Service
X-ShopId
X-Shopify-Stage
X-Sorting-Hat-PodId
X-Alternate-Cache-Key
X-Rule
X-PHP-Host
X-Webkit-CSP
X-Midtier
X-NewRelic-App-Data
X-Labrador-Cache-Channel
X-Proxy-Build
Selected-Fe
X-GG-Cache-Date
X-Timing-Wait
X-Locale
ServedBy
X-LJ-Flow-ID
X-VWS-Id
X-AWS-Id
X-VC-Cache
Webserver
X-Dc
X-Accel-Buffering
X-Cache-Operation
X-Cache-Remote
X-LSADC-Cache
X-Rewrite-Enabled
X-Edge-Location
X-Proto
SID
X-Ratelimit-Limit
X-Cms-Context
Fastly-Drupal-Html
Web-Mar-Node
X-Soup
Mime-Version
SRV
X-TA-CDN-Provider
Xserver
X-Cached-By
X-CDN-Forward
X-Storefront-Renderer-Rendered
X-Pubstack
X-Buckets
X-GEO
Onion-Location
X-Reqid
Load-Balancing
X-GeoCode
Country-Code
X-App-Version
X-Varnish-Hostname
X-GeoCountry
X-Request-Host
X-Cdn
X-Microcachable
X-Origin-CC
X-Origin-TTL
Cache-Hits
LB
Decoy-Debug-TTL
Decoy-Debug-Key
Decoy-Debug-Status
X-Cluster
Server-Info
X-Varnish-Hits
X-SRV
X-Tumblr-Pixel-3
Xet-Cookie
X-MP-GENERATED-AT
X-Ms-Version
X-Ms-Request-Id
X-Tumblr-Pixel-2
X-Magnolia-Registration
X-Envoy-Decorator-Operation
X-Air-Source
X-NCache
X-Air-Hostname
X-Air-Trace-Id
X-CSRF-Token
DynaTrace
X-Bc-Bl
X-Amz-Apigw-Id
X-Amzn-RequestId
X-Time
X-B3-SpanId
DB-Nickname
X-Endurance-Cache-Level
X-RCS-CacheZone
DCR-Decision-By
DCR-Processing-Time-Ms
X-ARC
X-Application
X-From
X-Forwarded-Path
X-PBS-Appsvrname
X-Epic-Correlation-Id
X-Esi-Check
X-External-Request-Id
X-Processor
X-Ftr-Request-Id
X-SD-PageType
X-Aed
X-R9-Blue-Green-Version
X-A-Wwc
X-AK-Request-ID
Fastcgi-X-Cache-Version
X-Rojux
Expiry
X-S
X-S-Cookie
X-B-Cookie
X-PAYTM-SRV-ID
Source
Cache-Name
X-Conf
X-Connection-Hash
X-CF-Lambda-Version
X-CF-Lambda-Fn
A
X-NAPM-TraceId
X-Cache-NE
X-Cdn-Srv
X-D
X-Orig-Expires
X-Developer
Cdnsip
X-Ec-Fail
X-Ec-GeoHdr
Cdncip
X-Origin-Response-Time
X-Cache-Id
BehaviorPad-Version
X-Cache-Bucket
X-Destination
X-Session-Fingerprint
X-ScT
X-Vdms-Version
NM-Fastcgi-Cache
T-Server
Odigeo-Trace-Id
X-HS-Content-Campaign-Id
Mobile-Detection-Method
X-Tenant
X-Shop-Environment
Meta-Geo-Continent
X-Ig-Push-State
X-VG-WebCache
Pramga
Sslversion
Rendered-Blocks
Xc-Version
X-Webstats-RespID
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Surrogated-Key
X-SRCache-Key
X-Vdms-Path
X-A-Ccd
Host-ID
X-TIM-N
X-TrackingId
X-A-Dam
X-Gzip
X-A-Dgt
X-Geo-Header
X-A-Dcw
Lang
X-A
X-User
X-Varnish-Beresp-Grace
X-Azure-Ref
Cache
X-Tx-Id
Apple-News-Services-Handled
Machine
Wxu-Next-Hostname
Apple-News-Services-Host
State
Platform
Cmstype
Cmsid
Apple-News-Services-Parsed-Url
Producers
AKAMAI
Apple-News-Services-Request-Url
User-Cache-Control
X-Cache-Backend
We-Hiring
Environment
X-Block-Status
Web-Mar-Region
Wxu-Next-Region
Mail-Subject
Wxu-Next-Commit
Memcached
X-Amzn-Remapped-Content-Length
Is-Eu
Adler-Geo
X-Developers
X-Varnish-CookieHashed-On
X-Sigma
X-Rocket-Build-Number
X-Varnish-CookieINHashed-On
X-Varnish-Remaining-TTL
X-Variation
X-V-Cache
X-Sigma-Backend
X-Has-Esi
X-Slack-Backend
X-Hash
X-Hnp-Log
X-JWT-State
X-Is-Gdpr
Fastly-GeoIP-CountryCode
X-Worker
X-Irp-Debug
MD5-Digest
X-Cache-Info
X-Wix-Viewer-Type
X-WADP-Cache
X-Node-Id
X-VG-TLSProxy
Server-Host
X-Fetched-On
X-Ec-Custom-Error
X-SVT-ORM-RULES
X-GeoIP
X-Origin-Time
X-Origin-Expires
X-Device-Os
X-DPWN-IS-SECURE
CDN
X-DefHash
X-DefElseHash
X-Nyt-Route
X-NodeID
X-Clara-WADP
X-Core-Value
X-Origin
X-Fastly-Cache
X-Fmm-Version
X-Scheme
X-SB
X-LAGOON
X-Server-IP
X-SVT-ORM-VERSION
X-Gen-Mode
X-Location
X-Mvc-Supplant-Cachable
X-Planisys-CDN-Cache
X-Planisys-CDN-Rules
X-Planisys-CDN-TTL
X-Gdpr
X-Ckpd-Fst-Backend
X-ZONE
X-Varnish-Ttl
X-Proxy-Cache-Info
X-Proxy-Upstream
X-Policy
X-Pod-Name
X-Platform
X-Qloud-Router
X-RateLimit-Limit-Second
X-Request-URI
X-TNCMS
X-Rebelmouse-Surrogate-Control
X-RateLimit-Remaining-Second
X-Minions-Version
X-VarnishDD-TTL
X-Loop
X-Eu-Site
X-Forwarded-Site
X-Datadog-Trace-Id
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
X-Gamma-Serve
X-Generated-On
X-Level-Front-Cache
X-Httpd
X-HN
X-GeoIP-City
X-Via-NSCOPI
X-Viewer-Country
X-Core-Mission
X-Loc
X-CacheTTL
X-BBC-Edge-Cache-Status
Traceparent
X-Pool
X-Rocket-Nginx-Serving-Static
X-VServer
X-Thinkindot-L3
X-Skip-Cache
X-Served-From
Thinkindot-Control
Thinkindot-CacheControl-Type
Origin
Origin-CC
L
Kp-EeAlive
CloudFront-Viewer-Country
Origin-EX
Release
Thinkindot-CacheControl
TDXMobile
Ssr
Req-Svc-Chain
X-Csrf-Jwt
X-Rebelmouse-Cache-Control
Fastly-SWR
X-Aicache-OS
Ha-Gx-Prefs
HA-Ipaddr
L5d-Success-Class
Fastly-SIE
Fastcgi-Cache-TTL
CDCHOST
X-Branch-Name
Cluster
X-Auto-Login
Locid
Gh-Request-Id
X-CGP
Svr
PFcat
V-Age
Vix-Hermes-Req-Id
Redirect-Candidate
X-Region-Sid
X-SIPLIST1
HostName
Arc-Country
X-Men
X-Via-Ucdn
X-Optimistic-Header
X-IPLB-Request-ID
X-Dispatcher-Number
X-Cdn-Origin
X-Cache-Date
Server-Ext
Server-Hostname
NGX
IsBot
X-Sn-Servicetimems
Sever-Int
N-Cache
DSUID
X-Scale
X-EC-Lua
X-Tec-Api-Version
X-Xrds-Location
X-TraceId
X-Tec-Api-Root
X-Tec-Api-Origin
X-Response-By
X-Owner
Ohc-File-Size
X-NC
X-Old-Content-Length
X-WP-CF-Super-Cache-Cache-Control
X-Refresh
X-WP-CF-Super-Cache
AMP-Access-Control-Allow-Source-Origin
Pics-Label
X-DW
X-DSS
X-DI
Memory
X-DB
X-Parent-Response-Time
X-RPM
X-Tb-Optimization-Total-Bytes-Saved
X-RSL
X-RPS
X-CS
Time
X-Srv
X-VC
X-Akamai-Transformed
X-Newrelic-Synthetics
X-Udemy-Cache-App-Namespace
X-Date
X-Ad-Defer-Variation
X-Ah-Environment
Servername
Env
X-Wikidot-Backend
X-Wikidot-Static-Cache
X-BCube-Filmed-By
X-CACHE-KEY
X-Mvc-Supplant-OutputCached
Candidate-Md5Url
X-LB-NoCache
X-Edge-Pop
Datacenter
Cache-Key
X-Accel-Expires-Debug
X-Tt-Logid
Ms-Author-Via
X-TIME
CPC-Age
X-SplitTest
X-Contensis-Viewer-Groups
CPC-Cache
VNS-Age
X-Generated-In
X-Cache-ASPX
X-GeoIP-Region-Code
X-GeoIP-Country-Code
GEO-INFO
VNS-Cache
X-Cache-Debug
Fastly-Backend-Name
X-WA-Info
X-Amz-Meta-Cb-Modifiedtime
GeoIp-Country-Code
XM
Geo-Info
X-Varnish-Authentication
X-Cache-Status-Check
X-S-Maxage
X-Micro-Cache
X-Servedbyhost
Path
X-API-Version
X-Via-Poph
X-Via-Popn
X-Via-Popv
Fusion-Component-Id
Fusion-Content-Id
Fusion-Template-Id
Fusion-Content-Source
Fusion-Source
Fusion-Deployment-Id
X-AIR-PT
ITXSESSIONID
X-HA-Backend
Geoip-Latitude
Lb
CacheControlHeader
Ohc-Cache-HIT
X-RateLimit-Reset
X-Vc
Client
Cache-Host
X-VCL-Version
X-TH-Server
X-Action
True-Client-Country-4JS
X-Cs
Ngx.Var.Host
X-Backend-TTL
Server-ID
True-Client-IP
X-VHOST
X-DC
X-Varnish-Beresp-TTL
X-Trace-ID
X-Api-Version
FSS-Cache
Hostname
X-Proxy-CacheRZ
XkeyRZ
X-Presslabs-Stats
X-Clientip
Edge-Cache
X-Req
X-Provided-By
Powered-By
My-App
X-TX-ID
X-Zone
X-FireWall-Port
X-Fpc
X-Pass-Why
X-Webkit-Csp-Report-Only
X-Origin-Upstream-Status
X-NGINX-Cache
X-Varnish-Beresp-Ttl
X-Up
X-PX
X-FPC
X-B3-Spanid
NtCoent-Length
X-LB-ID
X-MSEdge-Features
X-CSRF-TOKEN
X-MSEdge-Flight
X-Dmc
Test
X-Traceid
DataCenter
Cf-Int-Pingora-Origin-Digest
X-Dynatrace
X-Render-Time
X-HS-Status
X-Cdn-Request-ID
X-INCAP-ABP
X-Correlation-ID
X-Beluga-Node
X-Li-Fabric
X-Beluga-Trace
X-Li-Pop
C-Via
X-LI-UUID
Server-Id
User-Agent
X-Beluga-Status
X-Webkit-CSP-Report-Only
X-Vcl-Version
X-Beluga-Cache-Status
X-UnsetCookies
X-Beluga-Response-Time
X-Beluga-Record
Proxy-Connection
X-Via-PopN
Tube-Got-Results
Tube-Got-Eval
X-Gateway-Cache-Key
X-Gateway-Cache-Status
X-Gateway-Request-Id
Tube-Get-Contents
X-Via-PopH
Click-Count-Action-Start
X-ND-Cache
Click-Count-Error
Rip
Srvid
X-Gateway-Skip-Cache
Tube-Return
WZWS-RAY
X-Ha-Backend
OT-Force-Account-Verify
X-Via-PopV
X-CLOUD-TRACE-CONTEXT
X-URL
X-DynaTrace-JS-Agent
HIT
X-Time-Microsecs
Esi-Enabled
X-Alfa-Service
X-Service
X-CUA
X-RAMCache
X-ServedByHost
Resin-Trace
X-Check-Cacheable
Tcn
X-Geo
X-Platform-Cluster
X-Fragments
Uri
X-Qnm-Cache
X-M-Reqid
X-Platform-Processor
GeoIP-Latitude
GeoIP-Country-Code
Sid
On-Server
Tracecode
X-M-Log
Target-Params
Cf-Device-Type
X-Platform-Router
X-Akamai-Pragma-Client-IP
MIME-Version
X-Proxy-Cache-Hk
X-Hcs-Proxy-Type
X-CCDN-CacheTTL
Epwk-X-Cache
X-CCDN-Origin-Time
X-Azure-Ref-OriginShield
X-Var-Ttl
Lfy
X-Fastly-Backend
X-FC-Vary-Parameters
X-Sucuri-Cache
X-ATG-Version
Srv
X-LI-Proto
X-Fetch-By
X-Sucuri-ID
X-Cdn-Forward
Fastly-Drupal-HTML
X-TRACE-ID
X-APP
ENV
X-Backend-Host
X-Fastly-Backend-Reqs
X-LiteSpeed-Cache-Control
Cdn
X-Esi
X-ID
X-Li-Proto
X-B3-Traceid-Primal
X-Lb-Nocache
X-NU-AKA-ACS-Version
X-Cache-Expires
X-Backend-State
X-Edge-POP
XServer
X-App
WebServer
X-Varnish-Beresp-Status
ServerName
Magicmarker
Section-Origin-Responded
Section-Io-Origin-Status
Section-Io-Origin-Time-Seconds
Section-Io-Id
X-Srcache-Fetch-Status
X-Srcache-Store-Status
X-MG-S
X-HostName
CF-Cached-On
X-ElasticPress-Query
Inserted-Into-Cache-At
X-Newrelic-App-Data
X-Yottaa-OS
PICS-Label
X-Acquia-Application-UUID
X-Request-Start
D-Url-Rewrites
X-Edge-Origin-Shield-Region
X-Acquia-Purge-Tags
X-Vcache
Wpo-Cache-Status
Wpo-Cache-Message
Cf-Ipcountry
X-Iplb-Instance
X-Iplb-Request-Id
M-TraceId
X-Edge-Origin-Shield-Bytes
Server-Ttl
X-Acquia-Application-Trace
X-Serial
X-Nc
X-Cache-CFC
X-Acquia-Site
X-CF-Powered-By
Warning
Servedby
X-Wp-Cf-Super-Cache-Cache-Control
X-Fastly-Cache-Hits
X-Vercel-Id
X-Wp-Cf-Super-Cache
X-Vercel-Cache
Fastcgi-Cache-Ttl
Vha6-Origin
Content-Style-Type
X-IN-APIGATEWAY
X-Dist-Code
X-B3-Parentspanid
X-BBC-Origin-Response-Status
X-IN-APIGATEWAYSSL
X-Litespeed-Cache-Control
X-Snapshot-Date
Ngx
Cneonction
X-Request-Url
X-Release
X-Thanos
Content-Script-Type
X-Back
X-Th-Server
X-Storefront-Renderer-Verified
X-Dw-Trace-Id
X-Bip
X-Swift-Error
X-Shopify-Generated-Cart-Token
X-LiteSpeed-Tag
CountryCode
X-Request-URL