Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
P3p
X-Check
X-Cacheable
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
X-CONTENT-TYPE-OPTIONS
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CDN
Upgrade
X-XSS-PROTECTION
X-Via
CF-Ray
Access-Control-Max-Age
Server-Timing
X-Ws-Request-Id
X-Cache-Group
X-Turbo-Charged-By
Keep-Alive
X-Backend
X-Ua-Compatible
Request-Context
EagleId
X-Akamai-Path-Stats
X-Age
X-Dns-Prefetch-Control
X-Robots-Tag
X-Server
X-AH-Environment
X-Amz-Request-Id
Host-Header
X-UA-Device
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
CONTENT-SECURITY-POLICY
Allow
X-WebKit-CSP
EagleEye-TraceId
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Nginx-Cache-Status
X-Device
X-OneAgent-JS-Injection
X-Cache-Spec
Cf-Railgun
X-Host
X-Page-Speed
X-Node
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
X-Pingback
Surrogate-Control
Request-Id
X-Backend-Server
Cf-Edge-Cache
Accept-CH
X-Readtime
X-Akam-SW-Version
X-Response-Time
X-Cache-Lookup
Accept-CH-Lifetime
X-HW
Xkey
X-Application-Context
X-ASPNET-VERSION
Content-Location
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Trace
X-Country
Fastly-Restarts
X-MS-InvokeApp
X-Rack-Cache
X-Ruxit-JS-Agent
X-Mod-Pagespeed
Accept-Ch
X-TtlSet
X-Vname
X-PC
Accept-Ch-Lifetime
X-Clacks-Overhead
RTSS
X-Server-Name
Edge-Control
X-VARITI-CCR
X-ESI
X-Amz-Server-Side-Encryption
X-Varnish-TTL
Cache-Tag
X-Content-Type
X-Vcap-Request-Id
X-B3-TraceId
X-Dw-Request-Base-Id
X-Kinja
X-Exp-Variant
X-Cdn-Fetch
X-Kinja-Build
X-Exp-Id
X-GoogleNews-Bot
X-Kinja-Revision
X-Kinja-Server
X-Use-Magma
X-Amz-Rid
Public-Key-Pins
X-Px
X-Cnection
X-D2id
X-FastCGI-Cache
X-Edge
X-Ac
X-RateLimit-Remaining
X-Ser
X-Navigation-Version
X-Element-Page-Cache
Verso
X-Client-IP
X-Abt-Application-Version
X-Middleton-Display
Pagespeed
Display
X-Sol
X-Powered-By-Plesk
X-Ttl
X-Version
X-Cache-TTL
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
X-Country-Code
Service-Worker-Allowed
Response
X-Middleton-Response
X-Correlation-Id
X-NF-Request-ID
Access-Control-Request-Method
X-Goog-Hash
X-Content-Security-Policy-Report-Only
SPIisLatency
SPRequestDuration
X-Ruxit-Js-Agent
X-Kinsta-Cache
X-Cached
AR-Request-ID
AR-CACHE
AR-ATIME
AR-SID
X-Edge-Location-Klb
AR-PoweredBy
SPRequestGuid
X-SharePointHealthScore
X-Powered-CMS
X-Upstream
X-LLID
X-Server-Lifecycle-Phase
Edge-Cache-Tag
X-Instrumentation
X-Kraken-Loop-Name
X-NWS-LOG-UUID
X-RateLimit-Limit
X-Litespeed-Cache
X-Forwarded-For
Nginx-Cache
X-Cache-Key
Content-MD5
X-Id
X-MSEdge-Ref
X-Shield-Request-Id
X-TTL
MRF-Tech
Mrf-Cache-Status
TCN
X-T
X-Recruiting
S
X-B3-TraceId-Primal
X-Daa-Tunnel
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-TEC-API-ROOT
X-Content-Digest
X-ECACHE
X-Ua-Device
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Mg-S
X-HP-Webp
X-Jurisdiction
X-HP-Trace-Id
X-Accel-Expires
X-DataDome
X-Grace
X-WebKit-CSP-Report-Only
X-Ezoic-Cdn
X-HS-Combine-CSS
MicrosoftSharePointTeamServices
X-Protected-By
X-HS-Hub-Id
X-HS-Content-Id
X-HS-Cache-Config
MS-Author-Via
X-Frontend
X-DynaTrace
X-Ua-Browser
X-Ab
X-Content
X-Request-Processing-Time
X-Request-Received
X-Yandex-Sdch-Disable
TP-L2-Cache
Server-Node
TP-Cache
Front-End-Https
Filters
X-Server-ID
X-Origin-Server
X-Distributor
Fastcgi-Cache
X-Mid
X-PressLabs-Stats
X-Geo-Country
X-Hits
X-ORACLE-DMS-ECID
X-Webkit-Csp
X-Request-Handler-Origin-Region
X-Microsite
X-Tt-Trace-Host
X-LB-Cache
X-Tt-Trace-Tag
X-ORACLE-DMS-RID
X-Amzn-Trace-Id
Charset
Host
X-Debug-Info
Cleartype
Cross-Origin-Opener-Policy
X-F-Cache
X-B3-Sampled
X-Git-Hash
X-Ratelimit-Reset
X-Forwarded-Proto
X-Page-Id
X-DIS-Request-ID
X-Cache-Age
Cache-Status
X-Www-Served-By
Access-Control-Allow-Method
X-Seen-By
Realpath
X-Activity-Id
X-Az
X-AppVersion
ServerID
Pinterest-Version
X-Pinterest-Rid
Pinterest-Generated-By
Accept-Charset
X-Aspnetmvc-Version
X-MCACHE
Cache-Tags
Filterid
X-Fastly-Request-Id
X-Varnish-Age
X-Cluster-Name
X-Nginx-Upstream-Cache-Status
X-Rid
X-Content-Options
X-Type
X-Language
Retry-After
X-Oracle-Dms-Ecid
X-FB-Debug
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-App-Environment
X-Oracle-Dms-Rid
Server-Name
Country
X-Varnish-Backend
Viewport
Node
X-Upgrade-Enabled
X-Tb
X-Drupal-Cache-Tags
DC
X-Varnish-Grace
X-Mcache
X-User-Agent
Paypal-Debug-Id
X-Wix-Request-Id
X-Whom
X-TT
X-Signature
X-Origin-Cache
X-B-Cache
X-Goog-Stored-Content-Length
X-Oneagent-Js-Injection
X-Goog-Metageneration
X-Goog-Generation
X-Goog-Stored-Content-Encoding
X-GUploader-UploadID
X-Mobile-URL
X-Goog-Storage-Class
X-Route-Name
X-VCache
X-Providence-Cookie
X-Flags
X-XRDS-LOCATION
X-Is-Crawler
X-B
X-Request-Guid
X-Aspnet-Duration-Ms
X-NWS-UUID-VERIFY
Protected
Permissions-Policy
X-Debug
Fastcgi-Useragent
X-Logged-In
X-Amz-Replication-Status
X-Amz-Meta-S3cmd-Attrs
X-Cache-NGX
WPO-Cache-Message
X-N
WPO-Cache-Status
X-Via-JSL
Payment
X-Load-Cache
X-XRDS-Location
Surrogate-Key
X-Contextid
X-Cache-Control
Amp-Access-Control-Allow-Source-Origin
X-Webkit-CSP
Count-Hit
Healthy
X-Node-Name
X-Erf-Bev-Bev
X-Browser-Type
X-Erf-Bev-Bev-Is-Generated
X-Template
X-FW-Server
X-FW-Dynamic
X-FW-Serve
X-FW-Hash
X-FW-Type
X-FW-Static
X-Mobile
X-Original-Request-Id
SD-X-WS
X-Response-Served-From
Akamai-GRN
Content-Disposition
X-Proxy
Refresh
Url
X-Revision
X-Jobs
X-Cache-Time
X-G
X-Restarts
X-Framework
Uber-Trace-Id
X-Akamai-Request-ID2
X-NGENIX-Cache
X-Fastly-Request-ID
X-Cache-TTL-Remaining
X-Real-IP
X-UUID
Alternate-Protocol
X-Zen-Fury
X-Device-Type
X-Drupal-Cache-Contexts
X-Rendered-As
X-Proxy-Cache-Status
X-Debug-IsPreview
X-Cacheable-TTL
VIX-Pulpo-Upstream-Status
VIX-Pulpo-Node
NGB
X-Debug-IsConnected
X-Is-Bot
X-Adobe-Content
X-Servername
X-Adobe-Loc
X-Yottaa-Optimizations
X-Instance
X-Cache-Grace
X-Yottaa-Metrics
X-Http-Reason
X-Hostname
X-Page-View
Access-Control-Request-Headers
X-Mg-Request-UUID
X-Trace-Id
X-Varnish-Server
X-Midtier
X-ECache
X-IPLB-Instance
X-B3-Traceid
Version
X-Environment-Context
X-L-Path
X-Source
X-EdgeConnect-Cache-Status
Accept-Language
X-HTML-Minification-Powered-By
X-Datadome
Ms-Operation-Id
MS-CV
X-RTag
X-Fastcgi-Cache
Frame-Options
From-Origin
X-Cache-Rule
X-Cache-Hit
X-Cache-Expired-At
X-Vgn-Hpd-Reason
Countrycode
Liferay-Portal
X-NYM-Debug-Backend
Referer-Policy
X-App-Server
Cross-Origin-Window-Policy
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel-1
Backend
X-Tumblr-Pixel
X-APP-VERSION
X-COUNTRY
X-IPS-LoggedIn
X-Nginx-Cache
X-FW-Version
Content-Secure-Policy
X-Hosted-By
X-UPSTREAM-Address
X-Parallel-Accel
X-Cache-Server
Upgrade-Insecure-Requests
Meta-Geo
X-Unique-Id
X-RN-RSRV
X-PCL
X-Generation-Time
X-Redis-Cache
Section-Io-Cache
X-NewRelic-App-Data
X-OCL
X-FB-TRIP-ID
X-No-Session
X-Cache-Enabled
X-Ua
X-Cluster-Node
S-Rt
TWC-Connection-Speed
X-Format
Webcakes-App-Version
Webcakes-App-Name
Property-Id
Azure-Version
X-Akamai-Edgescape
X-Be
X-AOL-HN
X-Access
WP-Super-Cache
TWC-Privacy
Webcakes-Region
Mn-Server-Ip
X-Origin-Hint
X-Section
X-Uri
Azure-RegionName
Azure-InstanceId
TWC-GeoIP-LatLong
X-Region
Azure-SlotName
X-Server-W
X-UA-Device-Type
X-ProcessESI
X-PHP-Backend
TWC-Device-Class
X-Request-Time
Azure-SiteName
X-Via-Fastly
TWC-GeoIP-Country
Apigw-Requestid
X-RemovedCookies
X-Varnish-Cache-Hits
X-Origin-Date
TWC-Locale-Group
CF-IPCountry
X-Mode
X-Content-Age
X-Say-TTL
X-Say-Cacheable
X-ProxyCache-Key
X-SayCDN-TTL
X-ProxyCache-Status
X-Sorting-Hat-ShopId
X-ShardId
X-Site-Version
X-ShopId
Locale
X-Sorting-Hat-PodId
X-PERF
X-Nginx-Cache-Key
X-Content-Powered-By
X-Debug-Cache
X-Cache-Host
X-BYPASS-REASON
X-ApacheServer
X-Forwarded-Host
X-Generated-By
X-Status
X-Locale
X-Human
Cache-Tv-Group
Eomportal-Instance
X-Shopify-Stage
Fastly-SSL
X-Alternate-Cache-Key
X-Xfnlog-Site
X-Sql-Count
X-Labrador-Cache-Channel
X-Urbn-Site-Id
X-Storage
X-Sql-Duration-Ms
X-Ratelimit-Remaining
X-Urbn-Context-Path
X-PHP-Host
X-VC-Cache
X-Extlb
X-Detected-As
X-Backend-Name
Ec-Rule-Version
X-VWS-Id
X-Cache-Action
X-LJ-Flow-ID
X-AWS-Id
X-Cache-Type
X-Cms-Context
X-SaId
X-Routing-Service
X-Web-Node
X-Varnishpool
X-Tid
X-ServerID
X-Zipkin-Id
X-Adobe-Source
X-Cache-Tags
X-Platform-Server
X-Proxied
X-JoinUs
X-GG-Cache-Date
X-Handled-By
X-Hl-Ver
CDN-EdgeStorageId
X-Timing-Wait
CDN-RequestCountryCode
CDN-RequestId
Load-Balancing
CDN-Uid
X-Proxy-Build
CDN-PullZone
CDN-Cache
CDN-CachedAt
Selected-Fe
ServedBy
X-Storefront-Renderer-Rendered
X-Edge-Location
Webserver
X-GeoCountry
SRV
X-GeoCode
X-Proto
X-LSADC-Cache
X-CDN-Forward
Fastly-Drupal-Html
Mime-Version
X-Hyper-Cache
Web-Mar-Node
X-Dc
X-Rule
Onion-Location
X-Cache-Operation
X-Cached-By
X-GEO
X-TT-LOGID
X-Cache-Remote
X-Varnish-Hostname
X-Rewrite-Enabled
SID
X-Soup
Cache-Hits
X-App-Version
X-Cdn
X-Varnish-Ttl
X-SRV
Xserver
X-Cluster
X-Pubstack
X-Accel-Buffering
X-Varnish-Hits
X-Origin-TTL
X-TA-CDN-Provider
X-Reqid
X-Origin-CC
X-Ratelimit-Limit
Country-Code
X-Envoy-Decorator-Operation
X-Magnolia-Registration
Xet-Cookie
X-Air-Trace-Id
LB
X-IPLB-Request-ID
X-Air-Hostname
X-Air-Source
X-Microcachable
Server-Info
X-Tumblr-Pixel-3
X-Buckets
X-Tumblr-Pixel-2
X-MP-GENERATED-AT
Decoy-Debug-Status
Decoy-Debug-Key
Decoy-Debug-TTL
Cache
X-Request-Host
DB-Nickname
X-Ms-Request-Id
X-Newrelic-Synthetics
X-CSRF-Token
X-Tt-Logid
X-Amz-Apigw-Id
X-Amzn-RequestId
Source
X-Ms-Version
X-B3-SpanId
X-Tx-Id
X-Endurance-Cache-Level
X-Vtex-Processado-Em
X-Epic-Correlation-Id
Cdncip
X-Vtex-Remote-Cache
X-Esi-Check
X-Ig-Push-State
X-VG-WebCache
BehaviorPad-Version
X-Ec-GeoHdr
X-Ec-Fail
DCR-Processing-Time-Ms
X-Vdms-Version
X-NAPM-TraceId
X-Orig-Expires
X-External-Request-Id
X-Forwarded-Path
Cmsid
Cmstype
X-Hash
X-Vdms-Path
X-Origin-Response-Time
X-Gzip
Cdnsip
X-Geo-Header
A
Xc-Version
X-Ftr-Request-Id
DCR-Decision-By
X-HS-Content-Campaign-Id
X-Via-NSCOPI
X-User
Surrogated-Key
X-Cdn-Srv
X-Cache-NE
T-Server
X-PAYTM-SRV-ID
X-CF-Lambda-Fn
X-Processor
Rendered-Blocks
Sslversion
X-S-Cookie
X-A
X-A-Dam
X-Rojux
X-A-Wwc
X-Aed
X-AK-Request-ID
X-ARC
X-S
X-A-Dcw
X-A-Dgt
X-Cache-Id
X-B-Cookie
X-ScT
X-CF-Lambda-Version
X-Tenant
Host-ID
Lang
MD5-Digest
Fastcgi-X-Cache-Version
X-Destination
Expiry
X-Application
X-Developer
X-TIM-N
Meta-Geo-Continent
X-SRCache-Key
X-Connection-Hash
X-Session-Fingerprint
X-SD-PageType
X-Conf
Pramga
Odigeo-Trace-Id
X-D
Mobile-Detection-Method
NM-Fastcgi-Cache
X-Shop-Environment
X-PBS-Appsvrname
X-A-Ccd
X-NCache
X-Bc-Bl
X-RCS-CacheZone
X-Ckpd-Fst-Backend
X-Clara-WADP
Fastly-GeoIP-CountryCode
X-CacheTTL
X-Cache-Info
X-Core-Mission
X-Core-Value
X-Device-Os
X-DPWN-IS-SECURE
X-Developers
X-DefHash
X-DefElseHash
X-Cache-Bucket
X-Cache-Backend
Producers
Server-Host
Platform
Memcached
Mail-Subject
State
We-Hiring
Is-Eu
X-Amzn-Remapped-Content-Length
Wxu-Next-Region
Wxu-Next-Hostname
Wxu-Next-Commit
Machine
X-Fastly-Cache
X-TrackingId
X-V-Cache
X-SVT-ORM-VERSION
X-SVT-ORM-RULES
X-Sigma
X-Sigma-Backend
X-Variation
X-Varnish-CookieHashed-On
X-WADP-Cache
X-Worker
X-Via-Ucdn
X-Varnish-Remaining-TTL
X-Varnish-CookieINHashed-On
X-Server-IP
X-Scheme
X-Irp-Debug
X-Mvc-Supplant-Cachable
X-GeoIP
X-Gdpr
X-Fetched-On
X-Fmm-Version
X-Node-Id
X-NodeID
X-Rocket-Build-Number
X-SB
X-Origin-Time
X-Origin-Expires
X-Nyt-Route
Environment
X-Origin
Adler-Geo
X-Skip-Cache
AKAMAI
X-Azure-Ref
CDN
X-Varnish-Beresp-Grace
X-Time
Cache-Name
X-Served-From
DynaTrace
X-SIPLIST1
X-Cache-Date
X-Cdn-Origin
X-Request-URI
X-Region-Sid
X-CGP
X-Rocket-Nginx-Serving-Static
Apple-News-Services-Host
Apple-News-Services-Handled
X-Branch-Name
X-GeoIP-City
X-VarnishDD-TTL
X-Aicache-OS
X-Viewer-Country
X-R9-Blue-Green-Version
X-Wikidot-Static-Cache
X-Wikidot-Backend
Apple-News-Services-Request-Url
X-Thinkindot-L3
X-Block-Status
X-Rebelmouse-Surrogate-Control
X-BBC-Edge-Cache-Status
X-Slack-Backend
X-Auto-Login
X-Sn-Servicetimems
Apple-News-Services-Parsed-Url
X-RateLimit-Remaining-Second
X-Loc
X-Level-Front-Cache
X-Minions-Version
X-Eu-Site
X-Planisys-CDN-Cache
X-Ec-Custom-Error
X-Forwarded-Site
X-LAGOON
X-HN
X-Generated-On
X-Gen-Mode
X-Hnp-Log
X-Httpd
X-Gamma-Serve
X-Planisys-CDN-Rules
X-Planisys-CDN-TTL
X-Datadog-Trace-Id
X-RateLimit-Limit-Second
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
X-Csrf-Jwt
Kp-EeAlive
X-Qloud-Router
X-Proxy-Upstream
X-Platform
X-Dispatcher-Number
X-Pod-Name
X-Policy
X-Proxy-Cache-Info
X-Pool
X-Rebelmouse-Cache-Control
X-VG-TLSProxy
Candidate-Md5Url
CloudFront-Viewer-Country
Cluster
CDCHOST
Origin-CC
Origin-EX
Cache-Key
Redirect-Candidate
X-TNCMS
X-Loop
Req-Svc-Chain
X-Wix-Viewer-Type
Release
Origin
X-BCube-Filmed-By
Gh-Request-Id
Ha-Gx-Prefs
Fastly-SWR
Fastly-SIE
Fastcgi-Cache-TTL
HA-Ipaddr
IsBot
Ohc-File-Size
N-Cache
Datacenter
L5d-Success-Class
L
Ssr
PFcat
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
Thinkindot-Control
Vix-Hermes-Req-Id
User-Cache-Control
V-Age
X-Has-Esi
TDXMobile
Traceparent
Web-Mar-Region
Svr
X-Is-Gdpr
X-JWT-State
X-Cache-Status-Check
Server-Ext
VNS-Age
X-SplitTest
VNS-Cache
X-Optimistic-Header
NGX
X-From
X-Webstats-RespID
XM
CPC-Cache
X-Owner
CPC-Age
X-VServer
X-Scale
Sever-Int
X-Ad-Defer-Variation
Server-Hostname
DSUID
GEO-INFO
X-ZONE
HostName
X-Location
X-WA-Info
X-WP-CF-Super-Cache-Cache-Control
Fastly-Backend-Name
X-WP-CF-Super-Cache
Pics-Label
X-Parent-Response-Time
X-CS
X-Refresh
X-CACHE-KEY
X-Tb-Optimization-Total-Bytes-Saved
Locid
X-Contensis-Viewer-Groups
X-Cache-ASPX
Env
X-Ah-Environment
X-Micro-Cache
X-NC
X-VC
X-TIME
X-EC-Lua
Ms-Author-Via
X-Varnish-Authentication
X-Men
X-LB-NoCache
X-Response-By
X-Udemy-Cache-App-Namespace
Arc-Country
Servername
AMP-Access-Control-Allow-Source-Origin
X-AIR-PT
X-Edge-Pop
X-Old-Content-Length
X-Amz-Meta-Cb-Modifiedtime
Memory
Path
X-Servedbyhost
Time
X-Tec-Api-Origin
Lb
X-Tec-Api-Root
X-Tec-Api-Version
X-Xrds-Location
X-RPM
X-RPS
X-Srv
X-DB
X-DSS
X-DI
X-RSL
X-Via-Poph
Cache-Host
Ngx.Var.Host
X-Generated-In
X-TraceId
X-Via-Popn
X-Via-Popv
X-DW
X-Mvc-Supplant-OutputCached
Ohc-Cache-HIT
X-Trace-ID
X-Accel-Expires-Debug
X-HA-Backend
ITXSESSIONID
X-Date
X-Akamai-Transformed
X-Presslabs-Stats
GeoIp-Country-Code
X-Api-Version
X-RateLimit-Reset
XkeyRZ
X-Proxy-CacheRZ
X-Vc
X-DC
X-GeoIP-Country-Code
Client
True-Client-IP
X-Varnish-Beresp-TTL
X-GeoIP-Region-Code
X-S-Maxage
X-VCL-Version
X-Clientip
X-Cache-Debug
FSS-Cache
X-API-Version
X-Cs
X-VHOST
Hostname
Geoip-Latitude
Server-ID
Fusion-Content-Id
Fusion-Component-Id
Fusion-Content-Source
Fusion-Source
Fusion-Deployment-Id
X-Zone
Fusion-Template-Id
CacheControlHeader
X-Fpc
X-FireWall-Port
X-Action
X-Dmc
X-TH-Server
True-Client-Country-4JS
X-Traceid
X-Render-Time
X-MSEdge-Flight
Powered-By
X-MSEdge-Features
X-Webkit-Csp-Report-Only
X-Backend-TTL
X-TX-ID
NtCoent-Length
X-PX
X-B3-Spanid
X-INCAP-ABP
X-CSRF-TOKEN
X-Gateway-Cache-Status
X-Gateway-Skip-Cache
X-Gateway-Cache-Key
X-Gateway-Request-Id
Test
C-Via
X-DynaTrace-JS-Agent
Rip
X-Service
Tcn
Geo-Info
Edge-Cache
X-Req
X-M-Reqid
X-NGINX-Cache
X-M-Log
X-Qnm-Cache
Click-Count-Error
X-Cdn-Request-ID
X-FPC
Tube-Got-Eval
Tube-Get-Contents
X-Pass-Why
My-App
Click-Count-Action-Start
Esi-Enabled
X-HS-Status
Tube-Got-Results
Tube-Return
X-Origin-Upstream-Status
X-Correlation-ID
HIT
X-Beluga-Status
X-Beluga-Cache-Status
On-Server
X-Beluga-Record
User-Agent
Server-Id
X-Beluga-Response-Time
X-Beluga-Trace
X-Webkit-CSP-Report-Only
X-Beluga-Node
X-Alfa-Service
Cf-Int-Pingora-Origin-Digest
X-Provided-By
X-Vcl-Version
OT-Force-Account-Verify
Uri
X-Up
X-TRACE-ID
X-Varnish-Beresp-Ttl
Proxy-Connection
X-URL
Srvid
X-LB-ID
Resin-Trace
X-Proxy-Cache-Hk
GeoIP-Latitude
X-Ha-Backend
X-Via-PopV
X-Via-PopN
X-Via-PopH
X-CLOUD-TRACE-CONTEXT
X-Check-Cacheable
GeoIP-Country-Code
X-APP
Sid
X-Edge-Origin-Shield-Bytes
X-Akamai-Pragma-Client-IP
Cdn
X-Hcs-Proxy-Type
X-CCDN-Origin-Time
X-CCDN-CacheTTL
Epwk-X-Cache
X-LI-UUID
X-RAMCache
X-Li-Fabric
X-LI-Proto
X-Li-Pop
Srv
X-Edge-Origin-Shield-Region
X-ServedByHost
X-UnsetCookies
WebServer
X-Cdn-Forward
DataCenter
X-Geo
X-Edge-POP
X-Time-Microsecs
X-ND-Cache
WZWS-RAY
X-Fetch-By
M-TraceId
X-Backend-Host
Warning
MIME-Version
X-Esi
Cf-Device-Type
ENV
ServerName
X-Lb-Nocache
X-B3-Traceid-Primal
X-CUA
X-Fastly-Backend-Reqs
Server-Ttl
X-App
XServer
X-HostName
X-MG-S
Fastly-Drupal-HTML
X-Dw-Trace-Id
X-Newrelic-App-Data
CountryCode
PICS-Label
X-ElasticPress-Query
X-Platform-Processor
Tracecode
CF-Cached-On
X-HITS
X-ATG-Version
X-Platform-Router
DT-Hot-News
Target-Params
X-Request-Url
X-Yottaa-OS
Section-Io-Id
X-Fragments
Section-Io-Origin-Time-Seconds
X-Platform-Cluster
Section-Io-Origin-Status
Section-Origin-Responded
X-Azure-Ref-OriginShield
X-Thanos
X-Bip
X-LiteSpeed-Cache-Control
Inserted-Into-Cache-At
X-Sucuri-ID
X-Sucuri-Cache
X-Serial
X-FC-Vary-Parameters
X-Vcache
X-Iplb-Instance
Dt-Hot-News
X-Fastly-Backend
X-Akamai-Request-ID
X-Iplb-Request-Id
Cf-Ipcountry
X-Nc
D-Url-Rewrites
Lfy
X-CF-Powered-By
X-Var-Ttl
Wp-Super-Cache
Servedby
Cdn-Uid
Cdn-Edgestorageid
Cdn-Cachedat
X-Air-Pt
Cdn-Cache
Cdn-Requestid
Cdn-Pullzone
Cdn-Requestcountrycode
X-Vercel-Cache
Content-Script-Type
X-Vercel-Id
True-Client-Ip
X-Release
X-IN-APIGATEWAY
X-IN-APIGATEWAYSSL
Vha6-Origin
Hit
Content-Style-Type
X-BBC-Origin-Response-Status
X-Snapshot-Date
X-Th-Server
Fastcgi-Cache-Ttl
X-NU-AKA-ACS-Version
X-Dist-Code
X-Cache-Expires
Cneonction
Ngx
X-Request-URL
X-Varnish-Beresp-Status
X-Storefront-Renderer-Verified
X-Wp-Cf-Super-Cache-Cache-Control
X-Wp-Cf-Super-Cache
X-Fastly-Cache-Hits
X-Back