Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
P3p
X-Check
X-Cacheable
X-Request-ID
Timing-Allow-Origin
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
X-CONTENT-TYPE-OPTIONS
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CDN
Upgrade
X-XSS-PROTECTION
X-Via
CF-Ray
Access-Control-Max-Age
Server-Timing
X-Ws-Request-Id
X-Cache-Group
X-Turbo-Charged-By
Keep-Alive
X-Backend
Request-Context
X-Akamai-Path-Stats
EagleId
X-Age
X-Dns-Prefetch-Control
X-Robots-Tag
X-Server
X-AH-Environment
X-Amz-Request-Id
Host-Header
X-UA-Device
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Vhost
X-Amz-Version-Id
X-Dispatcher
X-Ua-Compatible
CONTENT-SECURITY-POLICY
X-LiteSpeed-Cache
Allow
X-WebKit-CSP
EagleEye-TraceId
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Nginx-Cache-Status
X-Device
X-OneAgent-JS-Injection
X-Cache-Spec
Cf-Railgun
X-Host
X-Page-Speed
X-Node
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
X-Pingback
Request-Id
Surrogate-Control
X-Backend-Server
Cf-Edge-Cache
Accept-CH
X-Readtime
X-Akam-SW-Version
X-Response-Time
X-Cache-Lookup
Accept-CH-Lifetime
X-HW
Xkey
X-Application-Context
X-ASPNET-VERSION
Content-Location
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Trace
X-Country
Fastly-Restarts
X-Ruxit-JS-Agent
X-MS-InvokeApp
X-Rack-Cache
X-Mod-Pagespeed
Accept-Ch
X-Vname
X-PC
X-TtlSet
Accept-Ch-Lifetime
X-Clacks-Overhead
RTSS
Edge-Control
X-Server-Name
X-VARITI-CCR
X-ESI
X-Amz-Server-Side-Encryption
X-Varnish-TTL
Cache-Tag
X-B3-TraceId
X-Content-Type
X-Vcap-Request-Id
X-Dw-Request-Base-Id
X-Exp-Id
X-Kinja-Revision
X-Use-Magma
X-Exp-Variant
X-Kinja-Build
X-Kinja-Server
X-GoogleNews-Bot
X-Cdn-Fetch
X-Kinja
X-Amz-Rid
Public-Key-Pins
X-Px
X-Cnection
X-D2id
X-Edge
X-FastCGI-Cache
X-RateLimit-Remaining
X-Ac
X-Navigation-Version
X-Ser
X-Element-Page-Cache
Verso
X-Client-IP
X-Sol
X-Abt-Application-Version
Pagespeed
X-Middleton-Display
Display
X-Powered-By-Plesk
X-Ttl
X-Version
X-Litespeed-Cache
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
X-Country-Code
Service-Worker-Allowed
X-Cache-TTL
X-Middleton-Response
X-Correlation-Id
Response
X-NF-Request-ID
X-Goog-Hash
Access-Control-Request-Method
X-Content-Security-Policy-Report-Only
SPRequestDuration
SPIisLatency
X-Kinsta-Cache
X-Cached
AR-PoweredBy
AR-Request-ID
AR-CACHE
X-Edge-Location-Klb
AR-ATIME
AR-SID
SPRequestGuid
X-SharePointHealthScore
X-Powered-CMS
X-Server-Lifecycle-Phase
X-Upstream
X-Instrumentation
X-LLID
X-Kraken-Loop-Name
Edge-Cache-Tag
X-RateLimit-Limit
X-NWS-LOG-UUID
X-Ruxit-Js-Agent
X-Forwarded-For
X-Cache-Key
Nginx-Cache
Content-MD5
X-Id
X-MSEdge-Ref
X-Shield-Request-Id
MRF-Tech
Mrf-Cache-Status
X-TTL
TCN
X-T
X-Recruiting
S
X-B3-TraceId-Primal
X-Daa-Tunnel
X-TEC-API-ROOT
X-TEC-API-VERSION
X-TEC-API-ORIGIN
X-Content-Digest
X-ECACHE
X-Ua-Device
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Mg-S
X-Jurisdiction
X-HP-Webp
X-HP-Trace-Id
X-Accel-Expires
X-DataDome
X-Grace
X-Ezoic-Cdn
MS-Author-Via
MicrosoftSharePointTeamServices
X-HS-Hub-Id
X-HS-Combine-CSS
X-HS-Cache-Config
X-Protected-By
X-HS-Content-Id
X-Content
X-Ab
X-Frontend
X-Ua-Browser
X-DynaTrace
X-Request-Received
X-Request-Processing-Time
TP-Cache
Server-Node
X-Yandex-Sdch-Disable
TP-L2-Cache
Filters
Front-End-Https
X-Server-ID
X-PressLabs-Stats
X-Origin-Server
X-Distributor
Fastcgi-Cache
X-WebKit-CSP-Report-Only
X-Mid
X-Geo-Country
X-Hits
X-Webkit-Csp
X-Request-Handler-Origin-Region
X-Microsite
X-LB-Cache
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Amzn-Trace-Id
Charset
Host
X-Debug-Info
Cleartype
X-Page-Id
Cross-Origin-Opener-Policy
X-B3-Sampled
X-F-Cache
X-Git-Hash
X-Forwarded-Proto
X-ORACLE-DMS-ECID
X-Cache-Age
X-DIS-Request-ID
X-ORACLE-DMS-RID
X-Seen-By
X-Www-Served-By
Cache-Status
Access-Control-Allow-Method
Realpath
X-Activity-Id
X-Az
X-AppVersion
X-Ratelimit-Reset
Pinterest-Version
Pinterest-Generated-By
ServerID
X-Pinterest-Rid
Accept-Charset
X-Aspnetmvc-Version
X-Mcache
X-Oracle-Dms-Ecid
X-Oracle-Dms-Rid
Filterid
X-Fastly-Request-Id
X-Varnish-Age
Cache-Tags
X-Cluster-Name
X-Nginx-Upstream-Cache-Status
X-Rid
X-Content-Options
X-Type
X-Language
Retry-After
X-FB-Debug
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-App-Environment
Server-Name
Country
X-Upgrade-Enabled
X-User-Agent
X-Varnish-Backend
Viewport
Node
X-MCACHE
X-Tb
X-Varnish-Grace
Paypal-Debug-Id
X-Drupal-Cache-Tags
DC
X-Wix-Request-Id
X-TT
X-Whom
X-B-Cache
X-Origin-Cache
X-Signature
X-Mobile-URL
X-GUploader-UploadID
X-Oneagent-Js-Injection
X-Goog-Metageneration
X-Goog-Storage-Class
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length
X-Goog-Generation
X-Providence-Cookie
X-Is-Crawler
X-Request-Guid
X-Route-Name
X-Aspnet-Duration-Ms
X-B
X-XRDS-LOCATION
X-VCache
X-Flags
X-NWS-UUID-VERIFY
Permissions-Policy
Protected
X-Debug
Fastcgi-Useragent
X-Amz-Meta-S3cmd-Attrs
X-Logged-In
X-Cache-NGX
X-Amz-Replication-Status
X-N
WPO-Cache-Status
X-Via-JSL
WPO-Cache-Message
Payment
X-Load-Cache
X-XRDS-Location
Surrogate-Key
X-Contextid
X-Cache-Control
Amp-Access-Control-Allow-Source-Origin
Count-Hit
X-Webkit-CSP
Healthy
X-Node-Name
X-Browser-Type
X-Erf-Bev-Bev-Is-Generated
X-Erf-Bev-Bev
X-Template
X-FW-Server
X-FW-Type
X-FW-Static
X-FW-Serve
X-FW-Dynamic
X-FW-Hash
X-Mobile
X-Response-Served-From
SD-X-WS
X-Original-Request-Id
Akamai-GRN
Content-Disposition
X-Proxy
Refresh
X-Restarts
X-Cache-Time
Url
X-Jobs
X-G
X-Revision
X-Cache-TTL-Remaining
X-UUID
X-NGENIX-Cache
X-Framework
Alternate-Protocol
X-Fastly-Request-ID
X-Akamai-Request-ID2
X-Real-IP
X-Zen-Fury
Uber-Trace-Id
X-Is-Bot
X-Servername
VIX-Pulpo-Node
NGB
X-Rendered-As
X-Adobe-Loc
X-Adobe-Content
VIX-Pulpo-Upstream-Status
X-Proxy-Cache-Status
X-Device-Type
X-Debug-IsPreview
X-Debug-IsConnected
X-Cacheable-TTL
X-Drupal-Cache-Contexts
Access-Control-Request-Headers
X-Yottaa-Optimizations
X-Instance
X-Cache-Grace
X-Yottaa-Metrics
X-Http-Reason
X-Hostname
X-Page-View
X-Mg-Request-UUID
X-Trace-Id
X-Midtier
X-Varnish-Server
X-ECache
X-IPLB-Instance
X-B3-Traceid
X-L-Path
Version
X-Environment-Context
X-Source
X-EdgeConnect-Cache-Status
X-HTML-Minification-Powered-By
Accept-Language
MS-CV
X-Datadome
Countrycode
Ms-Operation-Id
X-RTag
Frame-Options
X-Fastcgi-Cache
From-Origin
X-Cache-Rule
X-Cache-Hit
X-Cache-Expired-At
X-Vgn-Hpd-Reason
X-NYM-Debug-Backend
Referer-Policy
Liferay-Portal
X-App-Server
Cross-Origin-Window-Policy
X-Tumblr-Pixel-0
X-Tumblr-Pixel
Backend
X-Tumblr-Pixel-1
X-Tumblr-User
X-COUNTRY
X-IPS-LoggedIn
X-Nginx-Cache
X-FW-Version
Content-Secure-Policy
X-Hosted-By
X-Parallel-Accel
Upgrade-Insecure-Requests
Meta-Geo
X-Unique-Id
X-Cache-Server
X-RN-RSRV
X-UPSTREAM-Address
Section-Io-Cache
X-OCL
X-No-Session
X-Redis-Cache
X-PCL
X-NewRelic-App-Data
X-Generation-Time
X-FB-TRIP-ID
X-APP-VERSION
X-Cache-Enabled
X-Origin-Hint
X-Origin-Date
X-Format
WP-Super-Cache
X-ProcessESI
X-UA-Device-Type
X-Uri
X-Varnish-Cache-Hits
X-Via-Fastly
X-Server-W
X-Section
X-Cluster-Node
X-Region
X-RemovedCookies
X-Request-Time
X-PHP-Backend
X-Be
Property-Id
S-Rt
Apigw-Requestid
TWC-Connection-Speed
Mn-Server-Ip
Azure-Version
Azure-RegionName
Azure-SiteName
Azure-SlotName
TWC-Device-Class
TWC-GeoIP-Country
X-Access
X-Akamai-Edgescape
X-AOL-HN
Webcakes-Region
Webcakes-App-Version
TWC-GeoIP-LatLong
TWC-Privacy
Webcakes-App-Name
Azure-InstanceId
TWC-Locale-Group
X-Mode
CF-IPCountry
X-Content-Age
X-Say-TTL
X-SayCDN-TTL
X-Say-Cacheable
X-PHP-Host
X-Labrador-Cache-Channel
X-ApacheServer
X-Urbn-Context-Path
Eomportal-Instance
X-Storage
X-Sorting-Hat-ShopId
X-Status
X-Site-Version
X-BYPASS-REASON
Cache-Tv-Group
Locale
X-Content-Powered-By
Fastly-SSL
X-Nginx-Cache-Key
X-PERF
X-ProxyCache-Key
X-Xfnlog-Site
X-ProxyCache-Status
X-Locale
X-Human
X-Sql-Duration-Ms
X-Sorting-Hat-PodId
X-Debug-Cache
X-Sql-Count
X-Generated-By
X-Forwarded-Host
X-Cache-Host
X-Ratelimit-Remaining
X-Alternate-Cache-Key
X-Urbn-Site-Id
X-ShardId
X-ShopId
X-Shopify-Stage
X-VC-Cache
X-Varnishpool
X-Ua
X-Detected-As
X-Cache-Type
X-Backend-Name
X-SaId
X-VWS-Id
X-LJ-Flow-ID
X-AWS-Id
X-Routing-Service
X-ServerID
X-Cache-Action
X-Zipkin-Id
X-Adobe-Source
X-Tid
X-Proxied
X-Web-Node
X-Cache-Tags
X-Cms-Context
Ec-Rule-Version
X-Platform-Server
X-Hl-Ver
X-JoinUs
X-Extlb
X-Handled-By
X-GG-Cache-Date
CDN-Uid
Selected-Fe
CDN-Cache
CDN-RequestId
CDN-EdgeStorageId
X-Timing-Wait
Load-Balancing
CDN-RequestCountryCode
CDN-PullZone
X-Proxy-Build
CDN-CachedAt
ServedBy
X-Storefront-Renderer-Rendered
X-Edge-Location
Webserver
X-Proto
X-App-Version
X-GeoCountry
X-GeoCode
SRV
Mime-Version
Fastly-Drupal-Html
X-Hyper-Cache
X-LSADC-Cache
X-CDN-Forward
Web-Mar-Node
X-Rule
Onion-Location
X-Dc
X-Cached-By
X-Cache-Operation
X-TT-LOGID
X-Cache-Remote
X-GEO
SID
X-Varnish-Hostname
X-Rewrite-Enabled
Cache-Hits
X-Cdn
X-Soup
X-Varnish-Ttl
X-SRV
Xserver
X-Cluster
X-Accel-Buffering
X-Pubstack
X-Varnish-Hits
X-Origin-CC
X-TA-CDN-Provider
X-Origin-TTL
Xet-Cookie
X-Reqid
X-Ratelimit-Limit
Country-Code
X-Magnolia-Registration
X-Envoy-Decorator-Operation
X-Air-Hostname
Server-Info
X-Microcachable
LB
X-Air-Source
X-IPLB-Request-ID
X-Air-Trace-Id
X-Buckets
X-Tumblr-Pixel-2
X-Tumblr-Pixel-3
X-MP-GENERATED-AT
Decoy-Debug-TTL
X-CSRF-Token
Decoy-Debug-Key
Decoy-Debug-Status
DB-Nickname
X-Request-Host
Cache
Source
X-Newrelic-Synthetics
X-Amz-Apigw-Id
X-Ms-Request-Id
X-Ms-Version
X-Tt-Logid
X-Amzn-RequestId
X-Tx-Id
X-B3-SpanId
X-Time
X-Endurance-Cache-Level
X-Via-NSCOPI
A
Lang
X-Origin-Response-Time
Meta-Geo-Continent
BehaviorPad-Version
MD5-Digest
DCR-Processing-Time-Ms
Cmsid
Cmstype
DCR-Decision-By
Fastcgi-X-Cache-Version
Cdnsip
Expiry
Host-ID
Cdncip
X-CF-Lambda-Fn
X-PAYTM-SRV-ID
X-Orig-Expires
X-PBS-Appsvrname
X-Processor
X-S
X-Rojux
X-NAPM-TraceId
X-Ig-Push-State
X-Ftr-Request-Id
X-Forwarded-Path
X-Geo-Header
X-Gzip
X-HS-Content-Campaign-Id
X-Hash
X-S-Cookie
X-ScT
X-Vdms-Version
X-Vdms-Path
X-VG-WebCache
X-Vtex-Processado-Em
Xc-Version
X-Vtex-Remote-Cache
X-User
X-TrackingId
X-Session-Fingerprint
X-SD-PageType
X-Shop-Environment
X-SRCache-Key
X-TIM-N
X-Tenant
X-External-Request-Id
X-Esi-Check
X-A-Dcw
X-A-Dam
X-A-Dgt
X-A-Wwc
X-AK-Request-ID
X-Aed
X-A-Ccd
T-Server
Odigeo-Trace-Id
NM-Fastcgi-Cache
Pramga
Rendered-Blocks
Surrogated-Key
Sslversion
X-Application
X-ARC
X-Destination
X-D
X-Developer
X-Ec-Fail
X-Epic-Correlation-Id
X-Ec-GeoHdr
X-Connection-Hash
X-Conf
X-Cache-Id
X-B-Cookie
X-Cache-NE
X-Cdn-Srv
X-CF-Lambda-Version
Mobile-Detection-Method
X-A
X-RCS-CacheZone
X-NCache
X-Bc-Bl
X-CacheTTL
X-WADP-Cache
X-Cache-Info
X-Cache-Bucket
X-Amzn-Remapped-Content-Length
X-Cache-Backend
X-Ckpd-Fst-Backend
X-Clara-WADP
X-DefHash
X-Developers
X-DefElseHash
X-Core-Value
X-Core-Mission
X-Worker
Wxu-Next-Region
Mail-Subject
Memcached
Machine
Is-Eu
Fastly-GeoIP-CountryCode
Platform
Producers
Wxu-Next-Commit
Wxu-Next-Hostname
We-Hiring
State
Server-Host
X-Device-Os
X-DPWN-IS-SECURE
X-Sigma
X-Sigma-Backend
X-Server-IP
X-Scheme
X-SB
X-SVT-ORM-RULES
X-SVT-ORM-VERSION
X-Varnish-CookieINHashed-On
X-Varnish-Remaining-TTL
X-Varnish-CookieHashed-On
X-Variation
X-V-Cache
X-Rocket-Build-Number
X-Origin-Time
X-Fmm-Version
X-Gdpr
X-Fetched-On
X-Fastly-Cache
Environment
X-GeoIP
X-Irp-Debug
X-Nyt-Route
X-Origin-Expires
X-NodeID
X-Node-Id
X-Mvc-Supplant-Cachable
X-Via-Ucdn
X-Origin
X-Skip-Cache
Adler-Geo
AKAMAI
X-Varnish-Beresp-Grace
Cache-Name
X-Azure-Ref
Apple-News-Services-Handled
Apple-News-Services-Host
X-Block-Status
X-Branch-Name
X-Cache-Date
X-Rebelmouse-Surrogate-Control
X-Cdn-Origin
X-Request-URI
X-CGP
X-Rocket-Nginx-Serving-Static
X-BBC-Edge-Cache-Status
X-Region-Sid
X-Served-From
X-Generated-On
X-VG-TLSProxy
X-VarnishDD-TTL
X-R9-Blue-Green-Version
Apple-News-Services-Request-Url
X-Wikidot-Static-Cache
X-Wikidot-Backend
X-Aicache-OS
X-Thinkindot-L3
X-SIPLIST1
DynaTrace
X-Auto-Login
X-Slack-Backend
Apple-News-Services-Parsed-Url
X-Sn-Servicetimems
X-Rebelmouse-Cache-Control
X-Qloud-Router
X-Loc
X-Level-Front-Cache
X-Eu-Site
X-Minions-Version
HostName
X-Ec-Custom-Error
X-LAGOON
X-Httpd
X-Gen-Mode
X-GeoIP-City
X-Gamma-Serve
X-HN
X-Forwarded-Site
X-Hnp-Log
X-Planisys-CDN-Cache
X-Dispatcher-Number
X-Datadog-Parent-Id
X-Datadog-Sampling-Priority
X-Proxy-Upstream
X-Csrf-Jwt
X-RateLimit-Limit-Second
Web-Mar-Region
X-Datadog-Trace-Id
X-Proxy-Cache-Info
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-Platform
X-Pod-Name
X-Pool
X-Policy
X-RateLimit-Remaining-Second
X-Viewer-Country
Origin-EX
CDCHOST
Origin-CC
Origin
Candidate-Md5Url
CloudFront-Viewer-Country
Cache-Key
Req-Svc-Chain
X-TNCMS
Release
Redirect-Candidate
X-Wix-Viewer-Type
X-BCube-Filmed-By
N-Cache
Gh-Request-Id
Ha-Gx-Prefs
Fastly-SWR
Fastly-SIE
Fastcgi-Cache-TTL
HA-Ipaddr
IsBot
Ohc-File-Size
Cluster
Datacenter
L5d-Success-Class
L
X-Loop
PFcat
Traceparent
Svr
Thinkindot-Control
Thinkindot-CacheControl-Type
User-Cache-Control
Kp-EeAlive
TDXMobile
V-Age
Vix-Hermes-Req-Id
Thinkindot-CacheControl
X-Is-Gdpr
Ssr
X-JWT-State
X-Has-Esi
X-Cache-Status-Check
CPC-Cache
VNS-Age
NGX
X-Owner
XM
X-From
GEO-INFO
X-SplitTest
X-Webstats-RespID
CPC-Age
X-Optimistic-Header
VNS-Cache
Server-Ext
X-Scale
Server-Hostname
DSUID
X-VServer
CDN
X-Ad-Defer-Variation
Sever-Int
X-ZONE
X-WA-Info
X-WP-CF-Super-Cache
X-VC
Fastly-Backend-Name
X-WP-CF-Super-Cache-Cache-Control
X-Location
X-Parent-Response-Time
X-CS
Pics-Label
X-Refresh
X-Tb-Optimization-Total-Bytes-Saved
X-CACHE-KEY
Locid
X-Contensis-Viewer-Groups
X-NC
X-Micro-Cache
X-Cache-ASPX
X-Ah-Environment
Env
X-EC-Lua
Ms-Author-Via
X-Men
X-Varnish-Authentication
X-LB-NoCache
X-Response-By
X-Webkit-Csp-Report-Only
X-Udemy-Cache-App-Namespace
Arc-Country
Servername
X-RateLimit-Reset
AMP-Access-Control-Allow-Source-Origin
X-AIR-PT
X-Servedbyhost
X-Edge-Pop
X-Mvc-Supplant-OutputCached
X-Old-Content-Length
Path
X-Amz-Meta-Cb-Modifiedtime
X-Tec-Api-Origin
X-TIME
X-Xrds-Location
X-Tec-Api-Root
Lb
X-Tec-Api-Version
X-Srv
X-DI
X-TraceId
Time
X-Via-Popv
X-RPM
X-RPS
X-DSS
X-RSL
Ngx.Var.Host
X-Generated-In
Cache-Host
X-DB
X-DW
Memory
X-Via-Poph
X-Via-Popn
Ohc-Cache-HIT
X-Trace-ID
X-Varnish-Beresp-TTL
X-Accel-Expires-Debug
X-Akamai-Transformed
ITXSESSIONID
X-HA-Backend
X-Date
X-Proxy-CacheRZ
XkeyRZ
X-API-Version
GeoIp-Country-Code
X-S-Maxage
X-DC
X-GeoIP-Country-Code
X-GeoIP-Region-Code
Client
X-VCL-Version
FSS-Cache
True-Client-IP
X-Vc
X-Cache-Debug
X-Api-Version
X-Clientip
X-Cs
X-VHOST
Geoip-Latitude
Server-ID
Fusion-Content-Source
X-Zone
Fusion-Component-Id
Fusion-Content-Id
Fusion-Deployment-Id
Fusion-Source
Fusion-Template-Id
CacheControlHeader
X-Fpc
Hostname
X-Presslabs-Stats
True-Client-Country-4JS
X-Dmc
X-Action
X-TH-Server
X-FireWall-Port
X-Traceid
X-MSEdge-Flight
Powered-By
X-MSEdge-Features
X-Render-Time
X-Backend-TTL
X-TX-ID
NtCoent-Length
X-PX
X-INCAP-ABP
X-B3-Spanid
Rip
Test
X-Gateway-Cache-Status
X-Gateway-Cache-Key
X-DynaTrace-JS-Agent
X-Service
Geo-Info
C-Via
Tcn
X-Req
X-Gateway-Request-Id
Edge-Cache
X-Gateway-Skip-Cache
X-M-Reqid
X-NGINX-Cache
Esi-Enabled
My-App
Tube-Get-Contents
X-Qnm-Cache
Click-Count-Error
X-Pass-Why
Tube-Return
X-CSRF-TOKEN
X-M-Log
Click-Count-Action-Start
Tube-Got-Results
X-FPC
Tube-Got-Eval
X-Cdn-Request-ID
X-Correlation-ID
X-Origin-Upstream-Status
On-Server
X-Beluga-Response-Time
User-Agent
Server-Id
X-HS-Status
X-Beluga-Cache-Status
X-Beluga-Node
X-Beluga-Status
X-Beluga-Record
X-Beluga-Trace
HIT
X-Webkit-CSP-Report-Only
X-Up
OT-Force-Account-Verify
X-Vcl-Version
Uri
X-Provided-By
X-Alfa-Service
Cf-Int-Pingora-Origin-Digest
X-TRACE-ID
X-Akamai-Pragma-Client-IP
X-Check-Cacheable
X-URL
X-Via-PopV
GeoIP-Latitude
Srvid
X-Proxy-Cache-Hk
X-Via-PopN
X-Ha-Backend
GeoIP-Country-Code
Proxy-Connection
X-LB-ID
X-Via-PopH
Resin-Trace
Cdn
X-CLOUD-TRACE-CONTEXT
X-Varnish-Beresp-Ttl
X-APP
Sid
X-Edge-Origin-Shield-Bytes
X-CCDN-CacheTTL
X-UnsetCookies
Srv
X-Hcs-Proxy-Type
X-CCDN-Origin-Time
Epwk-X-Cache
X-RAMCache
X-ServedByHost
X-LI-UUID
X-Li-Pop
X-Li-Fabric
X-Edge-Origin-Shield-Region
X-LI-Proto
DataCenter
X-Cache-Ttl
WebServer
X-Geo
X-Cdn-Forward
WZWS-RAY
X-Backend-Host
X-Edge-POP
M-TraceId
X-Fetch-By
X-Time-Microsecs
X-ND-Cache
MIME-Version
X-Esi
Warning
X-CUA
Server-Ttl
XServer
X-Lb-Nocache
X-Fastly-Backend-Reqs
ENV
X-App
Cf-Device-Type
X-B3-Traceid-Primal
ServerName
Fastly-Drupal-HTML
X-HostName
X-Serial
X-MG-S
X-Platform-Processor
CF-Cached-On
X-Dw-Trace-Id
X-HITS
X-ElasticPress-Query
PICS-Label
X-Platform-Router
Target-Params
Tracecode
X-Request-Url
X-Platform-Cluster
X-LiteSpeed-Cache-Control
DT-Hot-News
Section-Io-Id
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
X-Newrelic-App-Data
X-Yottaa-OS
X-Fragments
X-ATG-Version
Section-Io-Origin-Status
X-Azure-Ref-OriginShield
X-Thanos
X-Bip
Inserted-Into-Cache-At
X-Akamai-Request-ID
True-Client-Ip
Dt-Hot-News
D-Url-Rewrites
Lfy
X-CF-Powered-By
X-Sucuri-Cache
X-Sucuri-ID
X-Var-Ttl
X-FC-Vary-Parameters
X-Fastly-Backend
X-Vcache
X-Iplb-Request-Id
X-Iplb-Instance
Cf-Ipcountry
X-Nc
Cdn-Edgestorageid
Wp-Super-Cache
Cdn-Cachedat
X-UA
Cdn-Uid
Servedby
Cdn-Requestid
Cdn-Requestcountrycode
Cdn-Cache
X-Air-Pt
Cdn-Pullzone
X-Vercel-Cache
X-Th-Server
X-Vercel-Id
X-Snapshot-Date
Hit
X-IN-APIGATEWAYSSL
X-Request-Start
X-IN-APIGATEWAY
Vha6-Origin
X-Cache-Expires
X-Back
X-Storefront-Renderer-Verified
X-Wp-Cf-Super-Cache
CountryCode
X-Request-URL
Ngx
Cneonction
X-BBC-Origin-Response-Status
X-Dist-Code
Fastcgi-Cache-Ttl
X-NU-AKA-ACS-Version
Content-Script-Type
Content-Style-Type
X-Wp-Cf-Super-Cache-Cache-Control
X-Release
X-Fastly-Cache-Hits
X-Varnish-Beresp-Status