Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Cacheable
X-Check
P3p
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CONTENT-TYPE-OPTIONS
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
Keep-Alive
Request-Context
EagleId
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
X-UA-Device
X-Amz-Request-Id
Host-Header
X-Proxy-Cache
X-Akamai-Path-Stats
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Dns-Prefetch-Control
X-Server-Powered-By
X-Swift-CacheTime
X-Swift-SaveTime
X-Varnish-Cache
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
X-Ua-Compatible
CONTENT-SECURITY-POLICY
EagleEye-TraceId
Allow
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-WebKit-CSP
X-Nginx-Cache-Status
X-OneAgent-JS-Injection
X-Device
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-Server-Id
X-CST
X-Pingback
X-Aws-Lambda-Call-Status
Surrogate-Control
Request-Id
X-Backend-Server
Accept-CH
X-Readtime
X-Akam-SW-Version
Cf-Edge-Cache
X-Cache-Lookup
X-Response-Time
X-HW
Xkey
X-Application-Context
Content-Location
X-ASPNET-VERSION
Accept-CH-Lifetime
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Trace
X-Country
Accept-Ch-Lifetime
Fastly-Restarts
X-MS-InvokeApp
X-Mod-Pagespeed
X-Rack-Cache
X-Vname
X-PC
X-TtlSet
X-Clacks-Overhead
X-Ruxit-JS-Agent
X-Server-Name
Edge-Control
RTSS
X-Varnish-TTL
X-VARITI-CCR
X-ESI
X-Content-Type
Cache-Tag
X-Vcap-Request-Id
Accept-Ch
X-B3-TraceId
X-Amz-Server-Side-Encryption
X-Kinja-Server
X-Kinja-Revision
X-Kinja-Build
X-Use-Magma
X-Exp-Id
X-GoogleNews-Bot
X-Exp-Variant
X-Kinja
X-Cdn-Fetch
X-Amz-Rid
X-Dw-Request-Base-Id
Public-Key-Pins
X-Px
X-Cnection
X-Ac
X-RateLimit-Remaining
X-D2id
X-Element-Page-Cache
X-Navigation-Version
Verso
X-Abt-Application-Version
X-Edge
X-Client-IP
Pagespeed
X-Middleton-Display
X-Powered-By-Plesk
Display
X-Sol
X-Cache-TTL
X-Ser
X-FastCGI-Cache
X-Version
Service-Worker-Allowed
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
X-Country-Code
X-Ruxit-Js-Agent
X-Middleton-Response
Response
X-NF-Request-ID
Access-Control-Request-Method
X-Goog-Hash
X-Ttl
X-Kinsta-Cache
X-Correlation-Id
SPRequestDuration
SPIisLatency
X-Edge-Location-Klb
AR-CACHE
AR-Request-ID
AR-PoweredBy
AR-ATIME
AR-SID
X-Upstream
X-Cached
X-Webkit-Csp
X-TTL
X-RateLimit-Limit
X-Instrumentation
X-NWS-LOG-UUID
X-Server-Lifecycle-Phase
X-Content-Security-Policy-Report-Only
X-Kraken-Loop-Name
X-LLID
X-SharePointHealthScore
X-Powered-CMS
SPRequestGuid
Edge-Cache-Tag
Nginx-Cache
X-Cache-Key
X-Forwarded-For
X-Litespeed-Cache
TCN
Content-MD5
X-MSEdge-Ref
X-Id
Mrf-Cache-Status
MRF-Tech
X-Shield-Request-Id
X-Daa-Tunnel
X-B3-TraceId-Primal
X-T
MS-Author-Via
X-Recruiting
S
X-Content-Digest
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-Mg-S
X-TEC-API-VERSION
X-Ua-Device
X-Protected-By
X-Jurisdiction
X-HP-Trace-Id
X-HP-Webp
MicrosoftSharePointTeamServices
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Ezoic-Cdn
X-DataDome
X-Accel-Expires
X-HS-Combine-CSS
X-HS-Hub-Id
X-HS-Cache-Config
X-HS-Content-Id
X-Frontend
X-Content
X-Ua-Browser
X-Grace
X-Ab
Front-End-Https
X-Request-Received
X-Request-Processing-Time
Server-Node
X-Yandex-Sdch-Disable
Filters
X-ECACHE
X-ORACLE-DMS-ECID
X-PressLabs-Stats
X-Mid
X-DynaTrace
TP-Cache
TP-L2-Cache
X-Server-ID
Fastcgi-Cache
X-ORACLE-DMS-RID
X-Origin-Server
X-Geo-Country
X-Hits
X-Distributor
X-WebKit-CSP-Report-Only
X-Ratelimit-Reset
X-Request-Handler-Origin-Region
X-Microsite
X-Debug-Info
X-Amzn-Trace-Id
Charset
X-Tt-Trace-Tag
Cleartype
X-Tt-Trace-Host
Host
X-Page-Id
X-Git-Hash
X-LB-Cache
X-DIS-Request-ID
X-F-Cache
X-B3-Sampled
Cross-Origin-Opener-Policy
Pinterest-Version
X-Pinterest-Rid
Pinterest-Generated-By
X-Www-Served-By
X-Forwarded-Proto
X-Cache-Age
Access-Control-Allow-Method
ServerID
X-Seen-By
Cache-Status
X-Az
X-Activity-Id
X-MCACHE
X-AppVersion
Realpath
Cache-Tags
X-Cluster-Name
Accept-Charset
X-Varnish-Age
X-XRDS-LOCATION
Filterid
X-Rid
X-Language
X-Aspnetmvc-Version
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-Content-Options
X-Type
Server-Name
X-Nginx-Upstream-Cache-Status
X-App-Environment
Retry-After
X-Upgrade-Enabled
Country
X-Varnish-Grace
X-Tb
Viewport
X-Origin-Cache
Node
X-User-Agent
X-Whom
X-Flags
X-Is-Crawler
X-FB-Debug
X-Drupal-Cache-Tags
X-Aspnet-Duration-Ms
X-B-Cache
X-Mobile-URL
X-Providence-Cookie
X-Wix-Request-Id
X-NWS-UUID-VERIFY
X-Signature
X-Route-Name
X-Request-Guid
Paypal-Debug-Id
DC
X-Varnish-Backend
X-TT
X-Goog-Storage-Class
X-Goog-Metageneration
X-Goog-Generation
X-Oracle-Dms-Ecid
X-Goog-Stored-Content-Encoding
X-VCache
X-Goog-Stored-Content-Length
X-Fastly-Request-Id
X-GUploader-UploadID
X-Oracle-Dms-Rid
Protected
Fastcgi-Useragent
X-N
X-B
X-Via-JSL
X-Amz-Replication-Status
X-Debug
X-Logged-In
Payment
X-Cache-NGX
X-Fastly-Request-ID
X-Contextid
X-Fastcgi-Cache
X-Load-Cache
WPO-Cache-Message
WPO-Cache-Status
Surrogate-Key
X-Mcache
X-Amz-Meta-S3cmd-Attrs
X-Cache-Control
Count-Hit
X-Template
X-FW-Type
X-FW-Hash
X-FW-Static
X-FW-Server
X-FW-Dynamic
X-FW-Serve
Permissions-Policy
X-Trace-Id
X-Node-Name
X-ECache
Healthy
X-B3-Traceid
X-Erf-Bev-Bev
X-Browser-Type
Amp-Access-Control-Allow-Source-Origin
X-Erf-Bev-Bev-Is-Generated
SD-X-WS
X-G
X-Original-Request-Id
X-Response-Served-From
X-Mobile
X-Proxy
X-Jobs
Content-Disposition
Refresh
Akamai-GRN
X-Cache-Time
X-Real-IP
X-Hostname
X-Rendered-As
X-Revision
Uber-Trace-Id
X-XRDS-Location
X-Framework
X-Is-Bot
X-Akamai-Request-ID2
X-Cacheable-TTL
X-UUID
X-Zen-Fury
X-Proxy-Cache-Status
X-Page-View
X-Http-Reason
X-Adobe-Loc
X-Cache-TTL-Remaining
Alternate-Protocol
X-Adobe-Content
X-Drupal-Cache-Contexts
X-Instance
Access-Control-Request-Headers
X-Device-Type
NGB
X-Debug-IsConnected
VIX-Pulpo-Node
X-Debug-IsPreview
VIX-Pulpo-Upstream-Status
Url
X-Yottaa-Optimizations
X-Yottaa-Metrics
X-IPLB-Instance
X-Servername
X-Cache-Grace
Version
X-Source
X-NGENIX-Cache
X-Restarts
X-Varnish-Server
X-Mg-Request-UUID
X-Environment-Context
X-L-Path
X-Cache-Rule
From-Origin
Accept-Language
X-Vgn-Hpd-Reason
X-Cache-Hit
X-EdgeConnect-Cache-Status
Countrycode
X-Parallel-Accel
X-Oneagent-Js-Injection
X-Cache-Expired-At
Ms-Operation-Id
MS-CV
X-RTag
X-HTML-Minification-Powered-By
Referer-Policy
Frame-Options
X-App-Server
X-Datadome
Liferay-Portal
X-NYM-Debug-Backend
X-FW-Version
Cross-Origin-Window-Policy
X-Tumblr-User
X-Tumblr-Pixel-1
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-IPS-LoggedIn
Backend
X-Nginx-Cache
Content-Secure-Policy
X-ProcessESI
X-COUNTRY
X-APP-VERSION
X-RemovedCookies
X-Cache-Action
X-Midtier
Section-Io-Cache
WP-Super-Cache
X-Cache-Server
Cache-Tv-Group
X-Hosted-By
Upgrade-Insecure-Requests
X-Redis-Cache
X-RN-RSRV
CF-IPCountry
Meta-Geo
X-UPSTREAM-Address
X-Web-Node
X-UA-Device-Type
X-Region
X-PCL
X-Content-Age
X-Generation-Time
X-Cache-Enabled
X-OCL
X-Detected-As
X-FB-TRIP-ID
X-Ua
X-No-Session
X-Cluster-Node
X-Shopify-Stage
X-Origin-Date
X-Sorting-Hat-PodId
X-Unique-Id
X-Say-TTL
Apigw-Requestid
X-Via-Fastly
X-PHP-Backend
X-Sorting-Hat-ShopId
X-Varnish-Cache-Hits
X-Storage
X-Akamai-Edgescape
X-ShardId
TWC-Device-Class
X-Alternate-Cache-Key
Webcakes-Region
X-Access
X-Origin-Hint
Webcakes-App-Version
X-ShopId
Azure-InstanceId
X-Sql-Count
X-Sql-Duration-Ms
X-AOL-HN
X-Be
Azure-SlotName
TWC-Privacy
Mn-Server-Ip
X-Uri
X-Server-W
X-Section
Property-Id
X-Urbn-Site-Id
X-Site-Version
TWC-GeoIP-LatLong
X-Generated-By
TWC-Locale-Group
X-Urbn-Context-Path
X-SayCDN-TTL
S-Rt
X-Nginx-Cache-Key
Azure-Version
Webcakes-App-Name
X-Say-Cacheable
Azure-SiteName
X-Human
TWC-GeoIP-Country
X-Format
Locale
Fastly-SSL
X-Request-Time
Ec-Rule-Version
Azure-RegionName
TWC-Connection-Speed
X-Mode
CDN-Uid
Eomportal-Instance
X-ApacheServer
CDN-RequestId
X-Adobe-Source
CDN-RequestCountryCode
CDN-Cache
CDN-CachedAt
CDN-EdgeStorageId
CDN-PullZone
X-Cache-Host
X-Cache-Tags
X-ProxyCache-Key
X-ProxyCache-Status
X-Status
X-Xfnlog-Site
X-Platform-Server
X-PERF
X-Debug-Cache
X-Forwarded-Host
X-NewRelic-App-Data
X-Content-Powered-By
X-BYPASS-REASON
X-Hl-Ver
X-JoinUs
X-Handled-By
X-Extlb
X-Backend-Name
X-Cache-Type
X-Hyper-Cache
X-Proxied
X-Zipkin-Id
X-Varnishpool
X-Routing-Service
X-Tid
X-SaId
X-ServerID
X-TT-LOGID
X-Locale
X-PHP-Host
X-Labrador-Cache-Channel
Selected-Fe
X-Proxy-Build
X-Timing-Wait
X-Dc
X-Ratelimit-Remaining
X-LJ-Flow-ID
X-VWS-Id
ServedBy
X-Webkit-CSP
X-Rule
X-AWS-Id
X-VC-Cache
X-Cache-Operation
X-GG-Cache-Date
X-Storefront-Renderer-Rendered
X-Edge-Location
X-Cms-Context
X-LSADC-Cache
Webserver
X-Accel-Buffering
SID
X-Proto
X-CDN-Forward
X-Cached-By
SRV
X-Rewrite-Enabled
Web-Mar-Node
X-Soup
Mime-Version
X-Cache-Remote
Fastly-Drupal-Html
Onion-Location
Load-Balancing
X-GeoCode
X-GeoCountry
Xserver
X-Varnish-Hostname
X-App-Version
X-Pubstack
X-GEO
X-Reqid
Cache-Hits
Country-Code
X-TA-CDN-Provider
X-Buckets
X-Cdn
X-Request-Host
X-Origin-CC
X-Cluster
X-Origin-TTL
Decoy-Debug-Key
X-Microcachable
Decoy-Debug-Status
X-Varnish-Hits
Decoy-Debug-TTL
Server-Info
X-MP-GENERATED-AT
X-Tumblr-Pixel-3
X-Tumblr-Pixel-2
X-Ratelimit-Limit
X-Envoy-Decorator-Operation
X-CSRF-Token
X-Ms-Request-Id
X-Ms-Version
X-Magnolia-Registration
X-Air-Trace-Id
X-SRV
X-Air-Hostname
X-Air-Source
X-Amz-Apigw-Id
X-Amzn-RequestId
Cache
DB-Nickname
X-Time
LB
X-NCache
Xet-Cookie
X-RCS-CacheZone
DynaTrace
X-Bc-Bl
X-Endurance-Cache-Level
DCR-Decision-By
X-Esi-Check
X-Epic-Correlation-Id
X-Gzip
Cdncip
X-Fetched-On
Cmstype
Cdnsip
X-ARC
X-Ec-Fail
X-External-Request-Id
X-AK-Request-ID
X-Device-Os
X-Hash
X-D
X-Aed
BehaviorPad-Version
X-Ec-GeoHdr
X-Destination
X-Application
X-A-Wwc
Cmsid
X-Ftr-Request-Id
X-Developer
X-Forwarded-Path
X-Geo-Header
X-Cache-Bucket
X-TIM-N
X-Tenant
Rendered-Blocks
X-TrackingId
X-CF-Lambda-Version
X-User
X-B3-SpanId
X-SVT-ORM-VERSION
Surrogated-Key
X-Shop-Environment
Lang
Sslversion
X-SVT-ORM-RULES
X-SRCache-Key
X-CF-Lambda-Fn
X-Cdn-Srv
Mobile-Detection-Method
X-Vtex-Remote-Cache
X-Cache-NE
X-Cache-Id
Xc-Version
Odigeo-Trace-Id
X-Vtex-Processado-Em
Meta-Geo-Continent
Pramga
MD5-Digest
X-Vdms-Path
X-Vdms-Version
X-VG-WebCache
X-Session-Fingerprint
T-Server
Expiry
X-A-Ccd
X-A
X-NAPM-TraceId
Fastcgi-X-Cache-Version
X-Node-Id
X-A-Dam
X-A-Dcw
X-HS-Content-Campaign-Id
DCR-Processing-Time-Ms
X-Ig-Push-State
NM-Fastcgi-Cache
X-A-Dgt
X-Core-Mission
X-Orig-Expires
X-Rojux
Host-ID
X-S
X-S-Cookie
X-SD-PageType
X-ScT
X-Processor
X-B-Cookie
X-Conf
X-Connection-Hash
A
X-PAYTM-SRV-ID
X-PBS-Appsvrname
X-Varnish-Beresp-Grace
Source
X-R9-Blue-Green-Version
Cache-Name
X-Tx-Id
Release
Server-Host
TDXMobile
State
Platform
Origin-CC
Origin-EX
X-Cache-Date
Thinkindot-CacheControl
Producers
Thinkindot-CacheControl-Type
Wxu-Next-Commit
Wxu-Next-Hostname
Wxu-Next-Region
X-Block-Status
Web-Mar-Region
We-Hiring
X-Cache-Backend
Thinkindot-Control
User-Cache-Control
X-Amzn-Remapped-Content-Length
X-Irp-Debug
X-Scheme
X-SB
X-Server-IP
X-Sigma
X-Sigma-Backend
X-Rocket-Build-Number
X-Planisys-CDN-TTL
X-Origin-Response-Time
X-Origin-Expires
X-Origin-Time
X-Planisys-CDN-Cache
X-Planisys-CDN-Rules
X-Skip-Cache
X-Slack-Backend
X-WADP-Cache
X-VServer
X-Webstats-RespID
X-Wix-Viewer-Type
X-Worker
X-Varnish-Remaining-TTL
X-Varnish-CookieINHashed-On
X-TNCMS
X-Thinkindot-L3
X-V-Cache
X-Variation
X-Varnish-CookieHashed-On
X-Origin
X-Nyt-Route
X-DPWN-IS-SECURE
X-Dispatcher-Number
X-Ec-Custom-Error
X-Fastly-Cache
X-Fmm-Version
X-Developers
X-DefHash
X-Ckpd-Fst-Backend
X-CacheTTL
X-Clara-WADP
X-Core-Value
X-DefElseHash
X-From
X-Gdpr
X-Location
X-LAGOON
X-Loop
X-Mvc-Supplant-Cachable
X-NodeID
X-JWT-State
X-Is-Gdpr
X-Gen-Mode
X-GeoIP
X-Has-Esi
X-Hnp-Log
X-Cache-Info
Traceparent
X-Azure-Ref
Machine
Mail-Subject
AKAMAI
CloudFront-Viewer-Country
Is-Eu
Environment
Memcached
Adler-Geo
CDN
X-IPLB-Request-ID
Fastly-GeoIP-CountryCode
X-Varnish-Ttl
X-ZONE
HostName
X-Platform
X-RateLimit-Limit-Second
X-Minions-Version
X-Loc
X-RateLimit-Remaining-Second
X-Aicache-OS
CDCHOST
X-Pod-Name
X-Proxy-Upstream
X-Qloud-Router
Cluster
X-Proxy-Cache-Info
DSUID
X-Pool
X-Policy
X-BBC-Edge-Cache-Status
X-Eu-Site
X-Forwarded-Site
X-Gamma-Serve
X-Cdn-Origin
X-Datadog-Trace-Id
X-Datadog-Parent-Id
X-CGP
X-Datadog-Sampling-Priority
X-Generated-On
X-GeoIP-City
X-Httpd
Apple-News-Services-Request-Url
X-Auto-Login
X-HN
Apple-News-Services-Parsed-Url
Apple-News-Services-Handled
Apple-News-Services-Host
X-Branch-Name
X-Level-Front-Cache
Fastly-SWR
Server-Ext
X-VarnishDD-TTL
X-VG-TLSProxy
Server-Hostname
X-Sn-Servicetimems
Fastcgi-Cache-TTL
X-SIPLIST1
Sever-Int
X-Via-NSCOPI
X-Viewer-Country
N-Cache
Origin
NGX
X-Via-Ucdn
PFcat
Req-Svc-Chain
Redirect-Candidate
L5d-Success-Class
Ssr
Vix-Hermes-Req-Id
V-Age
Gh-Request-Id
X-Region-Sid
X-Rebelmouse-Surrogate-Control
X-Rebelmouse-Cache-Control
Fastly-SIE
X-Csrf-Jwt
L
X-Request-URI
X-Rocket-Nginx-Serving-Static
IsBot
Kp-EeAlive
Ha-Gx-Prefs
Svr
X-Served-From
HA-Ipaddr
X-WP-CF-Super-Cache
X-Scale
Ohc-File-Size
X-Srv
X-WP-CF-Super-Cache-Cache-Control
X-Optimistic-Header
X-Tec-Api-Version
X-Tec-Api-Root
X-Newrelic-Synthetics
X-Tec-Api-Origin
AMP-Access-Control-Allow-Source-Origin
X-Refresh
X-NC
X-TraceId
Arc-Country
X-Men
Locid
X-EC-Lua
X-Tb-Optimization-Total-Bytes-Saved
X-Owner
Pics-Label
Candidate-Md5Url
X-Ad-Defer-Variation
X-VC
Cache-Key
X-BCube-Filmed-By
X-Wikidot-Backend
X-Response-By
X-Parent-Response-Time
X-Old-Content-Length
Datacenter
X-Wikidot-Static-Cache
X-CS
X-CACHE-KEY
X-RPM
X-RSL
GEO-INFO
Servername
X-DI
X-LB-NoCache
X-DW
X-Mvc-Supplant-OutputCached
X-DSS
X-Tt-Logid
X-DB
X-Cache-ASPX
X-Contensis-Viewer-Groups
CPC-Age
CPC-Cache
Env
VNS-Age
XM
X-SplitTest
VNS-Cache
X-Ah-Environment
X-RPS
X-Edge-Pop
Lb
X-TIME
Ms-Author-Via
X-Cache-Status-Check
X-Udemy-Cache-App-Namespace
X-Generated-In
X-Varnish-Authentication
X-Date
Fastly-Backend-Name
Time
X-Accel-Expires-Debug
X-WA-Info
Memory
X-Akamai-Transformed
GeoIp-Country-Code
X-Micro-Cache
X-Amz-Meta-Cb-Modifiedtime
X-GeoIP-Country-Code
X-GeoIP-Region-Code
X-Xrds-Location
X-Via-Poph
Path
X-Via-Popn
X-AIR-PT
X-S-Maxage
X-Via-Popv
X-Cache-Debug
X-Servedbyhost
Ohc-Cache-HIT
X-API-Version
ITXSESSIONID
X-HA-Backend
Geoip-Latitude
Fusion-Source
Fusion-Content-Source
Fusion-Content-Id
X-RateLimit-Reset
Fusion-Template-Id
X-Vc
Geo-Info
Fusion-Component-Id
Fusion-Deployment-Id
Client
FSS-Cache
Cache-Host
X-Cs
Ngx.Var.Host
True-Client-IP
X-VCL-Version
CacheControlHeader
X-Api-Version
X-Action
True-Client-Country-4JS
X-TH-Server
X-Varnish-Beresp-TTL
X-Proxy-CacheRZ
XkeyRZ
X-VHOST
X-Backend-TTL
X-DC
Server-ID
X-Trace-ID
X-Clientip
Hostname
X-Correlation-ID
X-Presslabs-Stats
X-FireWall-Port
X-TX-ID
X-Req
X-Zone
Edge-Cache
X-B3-Spanid
X-FPC
X-Fpc
My-App
Powered-By
X-Webkit-Csp-Report-Only
NtCoent-Length
X-Provided-By
X-Pass-Why
X-Dmc
X-PX
X-Origin-Upstream-Status
X-Varnish-Beresp-Ttl
X-MSEdge-Features
X-MSEdge-Flight
X-Render-Time
X-Traceid
X-INCAP-ABP
X-Up
Test
Cf-Int-Pingora-Origin-Digest
X-NGINX-Cache
X-CSRF-TOKEN
C-Via
X-Cdn-Request-ID
X-HS-Status
X-LB-ID
Server-Id
User-Agent
DataCenter
X-Vcl-Version
X-M-Reqid
Click-Count-Action-Start
Tube-Get-Contents
Click-Count-Error
Tube-Got-Results
Tube-Got-Eval
Rip
X-Beluga-Response-Time
X-Beluga-Trace
X-Beluga-Status
X-Gateway-Cache-Key
Tube-Return
X-Service
X-Gateway-Cache-Status
X-Gateway-Request-Id
X-Webkit-CSP-Report-Only
X-Beluga-Record
X-Gateway-Skip-Cache
X-Beluga-Node
X-Beluga-Cache-Status
X-DynaTrace-JS-Agent
X-UnsetCookies
Proxy-Connection
OT-Force-Account-Verify
X-Via-PopH
Uri
Tcn
X-Qnm-Cache
HIT
X-LI-UUID
X-Via-PopV
X-M-Log
X-Via-PopN
X-Li-Pop
Esi-Enabled
X-Ha-Backend
X-Li-Fabric
X-Time-Microsecs
X-ND-Cache
X-URL
X-Alfa-Service
Srvid
X-ServedByHost
WZWS-RAY
Resin-Trace
On-Server
X-RAMCache
X-Geo
X-CLOUD-TRACE-CONTEXT
X-Dynatrace
GeoIP-Country-Code
GeoIP-Latitude
X-CUA
Sid
X-Check-Cacheable
MIME-Version
X-Akamai-Pragma-Client-IP
X-APP
X-ATG-Version
X-Proxy-Cache-Hk
X-Fetch-By
WebServer
X-LI-Proto
X-CCDN-Origin-Time
Tracecode
X-Fragments
Epwk-X-Cache
X-Hcs-Proxy-Type
Srv
Target-Params
Cf-Device-Type
X-Platform-Cluster
X-Platform-Processor
X-Platform-Router
X-CCDN-CacheTTL
Fastly-Drupal-HTML
X-Cdn-Forward
X-TRACE-ID
X-Sucuri-ID
Lfy
X-Sucuri-Cache
X-Var-Ttl
ENV
X-Backend-Host
X-Fastly-Backend
X-Fastly-Backend-Reqs
X-FC-Vary-Parameters
Cdn
X-Esi
X-Edge-Origin-Shield-Bytes
X-Azure-Ref-OriginShield
X-Cache-Expires
X-Lb-Nocache
X-App
ServerName
X-B3-Traceid-Primal
X-Edge-POP
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
XServer
Section-Io-Origin-Status
X-Varnish-Beresp-Status
Section-Io-Id
X-Srcache-Fetch-Status
X-Edge-Origin-Shield-Region
X-Srcache-Store-Status
X-LiteSpeed-Cache-Control
X-MG-S
X-HostName
X-Yottaa-OS
X-ElasticPress-Query
M-TraceId
Inserted-Into-Cache-At
X-Backend-State
PICS-Label
CF-Cached-On
Magicmarker
X-NU-AKA-ACS-Version
X-Li-Proto
X-Newrelic-App-Data
Dt-Hot-News
D-Url-Rewrites
X-CF-Powered-By
X-Acquia-Site
X-Acquia-Application-Trace
Wpo-Cache-Status
Server-Ttl
X-Nc
Wpo-Cache-Message
Cf-Ipcountry
X-Serial
X-Iplb-Instance
X-Acquia-Application-UUID
X-Iplb-Request-Id
X-Dw-Trace-Id
X-Vcache
X-Acquia-Purge-Tags
Warning
Servedby
Fastcgi-Cache-Ttl
X-Wp-Cf-Super-Cache-Cache-Control
X-Vercel-Id
X-Vercel-Cache
X-B3-Parentspanid
X-Wp-Cf-Super-Cache
X-Fastly-Cache-Hits
X-IN-APIGATEWAYSSL
X-Release
X-BBC-Origin-Response-Status
X-Request-URL
CountryCode
Content-Script-Type
X-Th-Server
X-Back
Content-Style-Type
X-Dist-Code
X-Request-Url
X-Request-Start
X-Storefront-Renderer-Verified
X-IN-APIGATEWAY
X-Litespeed-Cache-Control
Cneonction
X-Snapshot-Date
Ngx
X-Cache-CFC