Threat Level: green Handler on Duty: Remco Verhoef

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Cf-Request-Id
CF-Cache-Status
Accept-Ranges
Pragma
Link
X-Powered-By
ETag
Expect-CT
X-XSS-Protection
CF-RAY
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-UA-Compatible
X-Amz-Cf-Id
P3P
X-Cache-Hits
Alt-Svc
X-Served-By
CF-Ray
X-Xss-Protection
X-Timer
X-Download-Options
X-Varnish
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-Check
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Request-ID
X-Cache-Status
X-Generator
X-Cacheable
X-Kinja-Server-Push
X-DNS-Prefetch-Control
Timing-Allow-Origin
X-Iinfo
X-Content-Security-Policy
P3p
Status
Content-Encoding
X-AspNetMvc-Version
X-CDN
Upgrade
X-Envoy-Upstream-Service-Time
X-Drupal-Dynamic-Cache
Access-Control-Max-Age
Access-Control-Expose-Headers
Keep-Alive
X-Via
X-Ws-Request-Id
Feature-Policy
X-Age
X-Cache-Group
X-Server
X-Backend
X-Amz-Request-Id
X-Hacker
X-Robots-Tag
X-Amz-Id-2
X-AH-Environment
X-UA-Device
Request-Context
X-Proxy-Cache
EagleId
X-Turbo-Charged-By
X-Server-Powered-By
Server-Timing
X-Nginx-Cache-Status
X-Template
Grace
X-Dns-Prefetch-Control
Host-Header
X-Language
Report-To
X-Rq
X-Page-Speed
Xkey
X-OneAgent-JS-Injection
X-Varnish-Cache
X-Ua-Compatible
X-Pingback
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
Cf-Railgun
X-LiteSpeed-Cache
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Amz-Version-Id
X-Buckets
X-Vhost
X-Host
X-WebKit-CSP
NEL
X-Backend-Server
X-Server-Id
X-Dispatcher
X-Device
Accept-CH-Lifetime
Surrogate-Control
X-Node
X-Ruxit-JS-Agent
Request-Id
Accept-CH
Content-Location
X-Response-Time
EagleEye-TraceId
X-Akam-SW-Version
X-Cache-Lookup
X-Origin-Cache
X-Ac
Allow
X-Readtime
X-Mod-Pagespeed
Rating
X-HW
X-Country
X-Application-Context
X-Cloud-Trace-Context
X-ORACLE-DMS-ECID
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
Edge-Control
X-ORACLE-DMS-RID
Pinterest-Generated-By
X-MS-InvokeApp
X-TtlSet
X-PC
X-Vname
X-Cnection
X-Country-Code
X-CST
X-Varnish-TTL
X-DataDome
X-GitHub-Request-Id
X-Content-Type
X-ASPNET-VERSION
X-Clacks-Overhead
X-D2id
X-Server-Name
X-Trace
Display
Pagespeed
X-Middleton-Display
Response
X-Middleton-Response
X-Sol
X-FastCGI-Cache
MS-Author-Via
X-Pinterest-Rid
X-Origin-Upstream-Status
Pinterest-Version
X-TTL
Fusion-Component-Id
Fusion-Template-Id
Fusion-Deployment-Id
Fusion-Content-Source
Fusion-Content-Id
Fusion-Source
X-Vcap-Request-Id
X-Px
X-Abt-Application-Version
X-ESI
X-Rack-Cache
X-Navigation-Version
Service-Worker-Allowed
Verso
X-B3-TraceId
X-Url
Arr-Disable-Session-Affinity
X-Client-IP
X-Cache-TTL
X-Element-Page-Cache
X-Fastly-Request-ID
X-DynaTrace
X-Cached
X-Dw-Request-Base-Id
X-FTR-Request-ID
X-Webkit-CSP
X-VARITI-CCR
SPRequestGuid
X-SharePointHealthScore
X-Kinja-Build
X-Kinja-Server
X-Kinja
X-Cdn-Fetch
X-Exp-Variant
X-Exp-Id
X-GoogleNews-Bot
X-Kinja-Revision
X-Use-Magma
X-Powered-By-Plesk
X-Goog-Hash
X-Upstream
Fastly-Restarts
X-NF-Request-ID
AR-CACHE
AR-ATIME
AR-Request-ID
AR-PoweredBy
Ar-Sid
X-Debug
Content-MD5
X-Pinterest-Direct
X-MSEdge-Ref
SPIisLatency
SPRequestDuration
X-Forwarded-Proto
X-Powered-CMS
X-Version
Access-Control-Request-Method
X-Release
X-Amz-Rid
X-XRDS-Location
X-T
X-Jurisdiction
X-Edge
S
X-Content-Digest
TCN
RTSS
TP-L2-Cache
TP-Cache
Public-Key-Pins
X-Ezoic-Cdn
Cache-Tag
X-Litespeed-Cache
X-Cache-Key
Front-End-Https
X-MCACHE
X-Mid
X-Node-Name
X-Yandex-Sdch-Disable
Server-Node
X-Mg-S
X-Request-Received
X-Amz-Server-Side-Encryption
X-Request-Processing-Time
Fastcgi-Cache
X-Recruiting
Mrf-Cache-Status
MRF-Tech
X-B3-TraceId-Primal
X-HP-Webp
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Amzn-Trace-Id
X-Accel-Expires
X-Ser
X-PressLabs-Stats
X-Kinsta-Cache
X-Grace
X-Ttl
X-Request-Handler-Origin-Region
X-NWS-LOG-UUID
X-Microsite
Accept-Ch
X-Origin-Server
X-Varnish-Age
Accept-Charset
MicrosoftSharePointTeamServices
ServerID
X-Logged-In
X-DIS-Request-ID
X-Page-Id
Cf-Bgj
Edge-Cache-Tag
X-Ratelimit-Remaining
X-ECACHE
X-Shield-Request-Id
Nginx-Cache
Host
X-Content-Security-Policy-Report-Only
X-Cache-Hit
X-Hits
Powered-By-ChinaCache
Cache-Tags
X-B
X-Forwarded-For
X-Hostname
X-F-Cache
X-Server-ID
X-Mobile-URL
X-LB-Cache
X-Respond-Thread
X-AppVersion
Realpath
X-Az
Cleartype
X-Activity-Id
X-Git-Hash
X-Cached-By
X-Upgrade-Enabled
X-N
X-Content-Options
X-Cache-Age
Alternate-Protocol
X-Kong-Proxy-Latency
X-Ratelimit-Limit
X-Kong-Upstream-Latency
X-Amz-Meta-S3cmd-Attrs
X-URL
DynaTrace
X-Type
X-Rid
X-Request-Guid
Paypal-Debug-Id
X-App-Environment
X-Varnish-Backend
X-Load-Cache
X-Jobs
Fastcgi-Useragent
X-FTR-DC
Access-Control-Allow-Method
X-FTR-Realm
X-FTR-Backend-Server
X-FTR-Cache-Status
X-Country-Code-Real
X-FTR-Balancer
X-FTR-Backend
X-Seen-By
X-FTR-Expires
X-Proxy
X-WebKit-CSP-Report-Only
X-HS-Content-Id
X-HS-Cache-Config
Charset
X-HS-Hub-Id
X-Goog-Stored-Content-Length
X-Goog-Storage-Class
X-Goog-Stored-Content-Encoding
X-Goog-Metageneration
X-GUploader-UploadID
X-Zen-Fury
X-HS-Combine-CSS
X-Goog-Generation
X-TEC-API-VERSION
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-B3-Sampled
X-Akamai-Edgescape
X-FireWall-Port
X-VCache
Filters
X-IPLB-Instance
X-FB-Debug
X-Daa-Tunnel
X-B-Cache
X-Signature
X-Mobile
Filterid
Healthy
X-Debug-Info
X-AOL-HN
X-Varnish-Grace
X-Whom
X-Host-Name
MS-CV
DC
X-Correlation-ID
Viewport
X-Region
X-Geo-Country
AMP-Access-Control-Allow-Source-Origin
X-User-Agent
Payment
X-App-Server
Liferay-Portal
X-Response-Served-From
X-Original-Request-Id
X-Cache-Operation
X-Cache-Rule
X-Accel-Buffering
X-Frontend
X-Distributor
X-Instance
X-UUID
X-HTML-Minification-Powered-By
Surrogate-Key
X-FW-Dynamic
X-FW-Hash
X-Cacheable-TTL
X-Tumblr-Pixel
X-Tumblr-Pixel-1
X-FW-Serve
X-FW-Server
X-Amz-Replication-Status
X-Rule
X-FW-Type
X-FW-Static
X-Tumblr-Pixel-2
X-Tumblr-Pixel-0
X-Cache-Time
X-Tumblr-User
Refresh
CACHE
X-Protected-By
Accept-Ch-Lifetime
X-Content-Powered-By
X-Acc-Debug-Context
S-Cnection
Section-Io-Cache
X-Via-JSL
X-Cache-Expired-At
X-Id
X-Is-Bot
X-Wix-Request-Id
Version
X-Rendered-As
Content-Disposition
X-Tec-Api-Root
X-Cache-Action
X-Tec-Api-Version
GEO-INFO
X-Tec-Api-Origin
X-Hyper-Cache
X-Backend-Name
X-Amzn-RequestId
X-Sucuri-ID
X-Amz-Apigw-Id
Server-Name
X-XRDS-LOCATION
Nel
Retry-After
X-Endurance-Cache-Level
PB-PID
X-Air-Hostname
PB-RID
Arc-Version
Datacenter
X-Cache-Server
X-Ua
X-Ah-Environment
X-Source
X-Oneagent-Js-Injection
X-App-Version
X-Unique-Id
X-Real-IP
Eomportal-Instance
X-ProcessESI
X-EdgeConnect-Cache-Status
X-L-Path
X-Environment-Context
X-RemovedCookies
X-Framework
Frame-Options
X-Revision
X-Pinterest-Sli-Latency-Threshold
X-Pinterest-Sli-Endpoint-Name
X-Correlation-Id
Referer-Policy
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-Pinterest-Sli-Response-Type
X-Sucuri-Cache
X-RTag
Ms-Operation-Id
X-Drupal-Cache-Contexts
X-Varnish-Server
Webserver
X-TIME
X-Cache-Spec
X-Drupal-Cache-Tags
X-Cache-Control
NGB
X-WA-Info
X-RN-RSRV
X-Cache-Var-Map
Meta-Geo
X-Cache-Var
X-ES-SERVER
Countrycode
X-Mode
X-Proxy-Cache-Status
Akamai-Age-Ms
DB-Nickname
X-Time-Microsecs
X-ProxyCache-Key
X-ProxyCache-Status
X-Xfnlog-Site
X-BYPASS-REASON
Cache-Tv-Group
X-R9-Blue-Green-Version
X-Qloud-Router
X-Cache-TTL-Remaining
X-Azure-Ref
X-Cache-Host
X-CDN-Forward
Webcakes-App-Version
TWC-Connection-Speed
X-Handled-By
X-FW-Version
Webcakes-App-Name
X-Cluster
TWC-GeoIP-Country
X-Hl-Ver
X-AWS-Id
TWC-Device-Class
X-Amzn-Remapped-Content-Length
X-NYM-Debug-Backend
TWC-Privacy
X-Server-W
X-Contextid
TWC-GeoIP-LatLong
X-Redis-Cache
X-Origin-Hint
X-PHP-Host
X-GeoIP
TWC-Locale-Group
Cross-Origin-Window-Policy
Ec-Rule-Version
X-PCL
X-Labrador-Cache-Channel
Property-Id
X-LJ-Flow-ID
X-OCL
X-Status
Mn-Server-Ip
X-VWS-Id
X-Human
Webcakes-Region
X-Route-Name
X-Aspnet-Duration-Ms
X-Flags
X-Is-Crawler
X-Providence-Cookie
X-Locale
X-Loop
X-Hosted-By
Selected-Fe
X-Access
X-FB-TRIP-ID
X-Format
X-Proxied
X-Be
X-Zipkin-Id
X-No-Session
X-Proto
X-ServerID
X-Via-Fastly
X-TNCMS
X-Site-Version
X-Routing-Service
X-Timing-Wait
X-Proxy-Build
X-Section
X-From
X-NewRelic-App-Data
X-Detected-As
X-Adobe-Content
X-Adobe-Loc
X-TT
X-AIR-PT
Uber-Trace-Id
X-DynaTrace-JS-Agent
FSS-Cache
X-LLID
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Cache-PHP
X-Debug-Cache
X-Device-Type
X-Generated-By
X-ATG-Version
X-BCube-Filmed-By
VIX-Pulpo-Upstream-Status
X-NC
X-Ratelimit-Reset
VIX-Pulpo-Node
X-PHP-Backend
Upgrade-Insecure-Requests
Azure-RegionName
Azure-Version
X-Esi
Azure-SiteName
Azure-InstanceId
Azure-SlotName
X-Aspnetmvc-Version
X-Varnish-Cache-Hits
Access-Control-Request-Headers
OT-Force-Account-Verify
X-ID
From-Origin
X-CSRF-Token
X-B3-Traceid
X-UPSTREAM-Address
X-NCache
Cache-Status
X-Akamai-Transformed
X-Page-View
X-Oss-Hash-Crc64ecma
X-Origin
X-Oss-Server-Time
X-GoCache-CacheStatus
X-Adobe-Source
SD-X-WS
X-CCM
X-Oss-Storage-Class
X-Oss-Object-Type
CF-Cached-On
X-Oss-Request-Id
X-Cache-2
X-Backend-TTL
X-COUNTRY
X-G
X-Varnishpool
X-LAGOON
X-Shopify-Stage
X-ShopId
X-Storefront-Renderer-Rendered
X-ShardId
X-ApacheServer
X-Alternate-Cache-Key
Country
X-Cache-Grace
X-Forwarded-Host
X-Pubstack
X-PERF
X-Sorting-Hat-ShopId
X-Soup
X-Sorting-Hat-PodId
X-Web-Node
X-Storage
X-JoinUs
X-SaId
X-Say-Cacheable
Powered
X-Cluster-Name
Fastly-SSL
X-Backend-Host
Decoy-Debug-Status
Decoy-Debug-TTL
SRV
X-APP-VERSION
X-SayCDN-TTL
Decoy-Debug-Key
X-Say-TTL
Node
X-FTR-Cache-Host
X-IP
Cache
X-ECache
X-Ruxit-Js-Agent
X-GEO
X-EC-Lua
X-TX-ID
X-Erf-Bev-Bev-Is-Generated
X-Cache-Enabled
X-Viewer-Country
X-Via-CDN
X-Erf-Bev-Bev
X-A-Dgt
X-ScT
X-S-Cookie
X-Session-Fingerprint
X-CF-Lambda-Fn
X-B-Cookie
X-Aed
X-CF-Lambda-Version
X-Application
X-A-Wwc
X-Cache-NE
X-Destination
X-RCS-CacheZone
X-Processor
X-Request-UUID
X-Rewrite-Enabled
X-Rojux
X-PBS-Appsvrname
X-S
X-D
X-A-Dcw
X-External-Request-Id
X-PAYTM-SRV-ID
X-Connection-Hash
X-A
X-Vtex-Remote-Cache
X-Vtex-Processado-Em
Apple-News-Services-Parsed-Url
Apple-News-Services-Request-Url
X-Worker
Apple-News-Services-Host
Apple-News-Services-Handled
X-Vdms-Path
X-Trv-Group
X-VG-WebCache
X-VG-WebServer
DCR-Decision-By
DCR-Processing-Time-Ms
Rendered-Blocks
Xc-Version
X-Vdms-Version
X-A-Ccd
Mobile-Detection-Method
Meta-Geo-Continent
Fastcgi-X-Cache-Version
Host-ID
Machine
MD5-Digest
X-A-Dam
X-ARC
X-Tumblr-Pixel-3
X-B3-Spanid
X-NWS-UUID-VERIFY
X-Cdn
X-Cache-Config
X-Time
X-IPS-LoggedIn
CDN-Cache
X-Auto-Login
Adler-Geo
X-Ms-Version
X-Ms-Request-Id
X-Generation-Time
Platform
X-Microcachable
X-Clara-WADP
X-Fmm-Version
X-DefElseHash
X-CUA
X-Core-Value
X-Cms-Context
X-DefHash
X-DPWN-IS-SECURE
CDN-CachedAt
X-Fastly-Cache
X-Cache-Debug
X-Envoy-Decorator-Operation
X-Cache-Bucket
X-Micro-Cache
X-Servername
X-Platform-Server
X-VG-TLSProxy
CDN-PullZone
X-WADP-Cache
Is-Eu
X-Varnish-Remaining-TTL
CDN-Uid
X-Varnish-CookieHashed-On
X-Variation
CDN-RequestId
CDN-RequestCountryCode
X-Varnish-CookieINHashed-On
Gh-Request-Id
X-Rebelmouse-Cache-Control
Fastly-SIE
CDN-EdgeStorageId
X-Varnish-Beresp-Status
X-Varnish-Beresp-Grace
X-Varnish-Beresp-Ttl
Fastly-SWR
CloudFront-Viewer-Country
X-Rebelmouse-Surrogate-Control
Backend
X-Cache-Backend
Fastly-Drupal-HTML
X-Cache-Id
X-Cache-NGX
X-Bip
Rt-Fastcgi-Cache
PFcat
Origin
NM-Fastcgi-Cache
Wxu-Next-Commit
Wxu-Next-Hostname
L
X-Branch-Name
X-Backend-State
Wxu-Next-Region
X-Cache-Date
X-Generated-On
X-Request-Host
X-Request-Start
X-Skip-Cache
X-Policy
X-OVcl-Cache
X-Method
X-Old-Content-Length
X-OVcl
X-SN
X-Thanos
X-Wikidot-Static-Cache
X-Irp-Debug
X-Platform
X-Wikidot-Backend
X-Webstats-RespID
X-Varnish-Cacheable
X-VarnishDD-TTL
X-Location
X-LI-UUID
X-Gamma-Serve
Fastly-Backend-Name
X-Geo-Header
X-Fastly-Backend
X-Esi-Check
X-Developers
X-Dispatcher-Server
X-Gzip
X-Has-Esi
X-Level-Front-Cache
X-Li-Fabric
X-Li-Pop
X-JWT-State
X-Is-Gdpr
X-HN
X-HS-Content-Campaign-Id
X-Clientip
X-Owner
CacheControlHeader
Akamai-GRN
AKAMAI
X-Fastcgi-Cache
C-Via
X-Bc-Bl
X-UA
X-Csrf-Jwt
X-CGP
X-Varnish-Ttl
X-PF-Uncompressing
X-Eu-Site
X-DC
X-Core-Mission
X-Mvc-Supplant-Cachable
X-Content-Age
X-Cache-Tags
X-Reqid
X-Hash
L5d-Success-Class
X-Render-Time
X-Slack-Backend
Pagetype
X-Cache-Remote
HA-Ipaddr
Ha-Gx-Prefs
X-CS
X-Wa
XServer
X-Refresh
X-Sql-Duration-Ms
X-Twitter-Response-Tags
X-Sql-Count
X-Transaction
X-EIG-Tracking-Id
FSS-Proxy
UCS
X-TA-CDN-Provider
X-Aicache-OS
X-Minions-Version
Country-Code
X-Amz-Meta-Cb-Modifiedtime
X-SRV
X-Ftr-Cache-Host
X-Www-Served-By
X-NODE
Hostname
X-Date
X-NU-AKA-ACS-Version
X-Via-Popn
X-Accel-Expires-Debug
NGX
Surrogated-Key
X-Via-Poph
X-NGENIX-Cache
X-Hp-Webp
X-S-Maxage
Cache-Hits
X-Vgn-Hpd-Variations-Key
X-Presslabs-Stats
X-Req
X-LI-Proto
Protected
X-Up
X-RateLimit-Remaining
X-Vgn-Hpd-Cached
X-Edge-Location
X-Servedbyhost
X-Check-Cacheable
X-Cdn-Srv
X-LB-ID
X-FPC
X-Debug-Cache-Store
Memcached
Group
Ufe-Result
X-Debug-Cache-Fetch
X-Mvc-Supplant-OutputCached
X-Dc
We-Hiring
Mail-Subject
X-Cache-URL
Time
X-Via-SSL
X-Via-Edge
X-Proxy-Upstream
X-Svr
On-Server
ServedBy
Geoip-Latitude
GeoIp-Country-Code
Edge-Copy-Time
X-Varnish-Hostname
X-Nginx-Cache
X-Ua-Device
X-CACHE-AGE
HostName
Now
X-Request-Time
X-BC
X-CSRF-TOKEN
X-Dynatrace-Js-Agent
X-ZONE
X-Agile-Age
X-Agile-Id
X-Pass-Why
T-Server
X-Agile
X-Webkit-Csp
X-VCL-Version
X-NGINX-Cache
X-Cluster-Node
X-Acc-Rdl
X-Uri
SID
X-Cs
X-FORWARDED-FOR
X-MP-GENERATED-AT
Section-Io-Origin-Time-Seconds
Section-Io-Id
Section-Io-Origin-Status
Pics-Label
Section-Origin-Responded
WZWS-RAY
Server-Host
M-TraceId
N-Cache
X-UnsetCookies
X-Varnish-Hits
ProcessTime
Magicmarker
X-SB
X-LiteSpeed-Cache-Control
X-Via-Popv
X-Datadome
X-Cdn-Forward
X-VC
X-Bc
X-TT-LOGID
Ohc-File-Size
X-Zone
Arc-Country
X-APP
X-HS-Status
X-CF-Powered-By
X-Erf-Stays-Bingo-Pdp-Web
Apigw-Requestid
X-Info
X-Srv
DSUID
Ohc-Cache-HIT
X-UA-Device-Type
Cache-Name
Xserver
NtCoent-Length
Cdn-Host
User-Cache-Control
X-We-Are-Hiring
VivaBuild
Cteonnt-Length
Viewtype
X-Edge-Server
Cdn-Request-Time
X-Origin-Date
CountryCode
Odigeo-Trace-Id
User-Agent
W
X-RunCloud-Cache
Processtime
X-MSEdge-Features
X-MSEdge-Flight
X-Action
Memory
Tracecode
CF-IPCountry
X-Via-Ucdn
LB
Server-Info
Srv
X-DW
X-Magnolia-Registration
Sid
WWW-Authenticate
X-DB
X-DI
X-DSS
Ssr
X-RPS
X-RSL
X-RPM
X-Tb
S-Rt
CDN
X-Oss-Cdn-Auth
X-Newrelic-App-Data
X-HOST
WebServer
Lfy
X-Vgn-Hpd-Ssi
X-HITS
X-Dynatrace
X-Matched-Rule
IsBot
Instruction
X-Origin-TTL
CDCHOST
Locid
X-Loc
X-SVT-ORM-VERSION
MIME-Version
X-Pjax-Url
X-Cache-Hfrom
X-Node-Id
Path
X-SVT-ORM-RULES
X-Scheme
X-Thinkindot-L3
X-Nginx-Cache-Key
X-Cc-Via
X-Origin-Expires
X-Cc-Req-Id
X-Hnp-Log
X-Vcl-Version
D-Cc-Upstream
X-SIPLIST1
X-Origin-CC
X-Nyt-Route
X-Origin-Time
X-SRCache-Key
X-Cache-Hm
Amp-Access-Control-Allow-Source-Origin
X-VServer
X-Unique-ID
X-BBC-Edge-Cache-Status
X-Varnish-Authentication
X-SD-PageType
X-Response-By
X-API-Version
X-BBXSRF
X-Block-Status
X-Developer
X-Gen-Mode
X-Gdpr
X-Contensis-Viewer-Groups
X-Cache-Info
X-Cache-ASPX
X-Cache-Expires
X-Server-IP
X-Browser-Type
Sever-Int
SR-User-Adfree
X-Varnish-Url
Server-ID
X-User
Server-Ext
Server-Hostname
Geo-Info
Thinkindot-CacheControl
V-Age
Vix-Hermes-Req-Id
Web-Mar-Node
Thinkindot-CacheControl-Type
True-Client-Country-4JS
Thinkindot-Control
X-Request-URI
X-Hit
X-Geo
X-Webkit-CSP-Report-Only
X-Generated-In
X-Azure-Ref-OriginShield
Pramga
Cache-Host
Release
X-Cdn-Origin
X-Sn-Servicetimems
X-Goog-Meta-Goog-Reserved-File-Mtime
X-Device-Os
X-Fetched-On
A
X-Trace-Id
X-Swa-Ws
X-Var-Ttl
X-Newrelic-Synthetics
X-Fastly-Country-Code
X-NodeID
X-FC-Vary-Parameters
X-GeoIP-City
X-Traceid
X-CACHE-KEY
GeoIP-Latitude
Lb
GeoIP-Country-Code
X-Lb-Id
X-Oracle-Dms-Rid
X-Akamai-Request-ID2
X-Provided-By
Source
X-Envoy-Upstream-Healthchecked-Cluster
Cdn
X-Fpc
X-Nc
X-Epic-Correlation-Id
X-Via-NSCOPI
Cf-Device-Type
X-Cache-Tag
X-Origin-Response-Time
Accept-Language
X-Li-Proto
FNAC-ModuleRouting
X-ServedByHost
X-Men
X-Fastly-Request-Id
Expiry
Kp-EeAlive
X-StackifyID
X-Rocket-Build-Number
Server-Ttl
X-TH-Server
X-Sigma
X-Served-From
X-SERVER-NAME
Cache-Key
X-Sigma-Backend
X-Via-PopV
X-Via-PopN
X-Via-PopH
Esi-Enabled
X-Amzn-Remapped-Date
X-Akamai-Pragma-Client-IP
X-Amzn-Remapped-Connection
Actual-Object-TTL
X-ORACLE-APMCS-REQUEST-ID
Url
X-Key
X-Vgn-Hpd-Reason
Content-Style-Type
X-Instart-Request-ID
X-Parent-Response-Time
Cache-Provider
Content-Script-Type
X-No-Cache
X-ServiceProvider
X-RateLimit-Remaining-Second
X-RateLimit-Limit-Second
X-Akamai-Request-ID
X-MiniProfiler-Ids
Xkeyi7
X-Proxy-Cachei7
X-Batcache
X-Mobile-Rewrite
X-VC-Cache
Req-Svc-Chain
X-Agile-Brick-Ok
X-ElasticPress-Query
X-Yottaa-OS
X-Request-URL
X-B3-SpanId
Content-Secure-Policy
X-Tt-Logid
Location
X-WA
EpKe-Alive
Tcn
X-Vcache
X-BBC-Origin-Response-Status
X-B3-Parentspanid
X-RateLimit-Limit
X-HostName
Origin-Cache-Control
X-ND-Cache
Origin-Edge-Control
X-Instart-Info
X-Dispatch
BehaviorPad-Version
Inserted-Into-Cache-At
URI
X-Apw-Access-Token
X-Apw-Hits
X-Varnish-Beresp-TTL
X-Apw-Access-Object
X-Apw-Access-Action
X-PJAX-URL
Who
Proxy-Firewall
X-Selected-Host-Header
X-Selected-Name
X-Geo-Region
X-Selected-Scheme
DataCenter
X-TraceId
Vha6-Origin
X-RAMCache
X-Dw-Trace-Id
Mime-Version
Powered-By
HitType
Cf-Alt-Svc
X-C
Pragrma
Resin-Trace
X-Snapshot-Date
PICS-Label
Xet-Cookie
NnCoection