Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
CF-RAY
Cf-Request-Id
CF-Cache-Status
Accept-Ranges
Link
Pragma
ETag
Expect-CT
X-Powered-By
X-XSS-Protection
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
P3P
X-UA-Compatible
Alt-Svc
X-Served-By
X-Xss-Protection
X-Timer
X-Download-Options
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
Content-Security-Policy-Report-Only
X-Request-ID
X-Drupal-Cache
X-Check
X-Cache-Status
X-Generator
X-Cacheable
X-DNS-Prefetch-Control
Timing-Allow-Origin
P3p
X-Content-Security-Policy
X-FRAME-OPTIONS
X-Iinfo
Status
Content-Encoding
Feature-Policy
X-AspNetMvc-Version
X-CDN
Access-Control-Expose-Headers
Upgrade
X-Envoy-Upstream-Service-Time
X-Drupal-Dynamic-Cache
Access-Control-Max-Age
X-Via
X-Dns-Prefetch-Control
Keep-Alive
X-Robots-Tag
Request-Context
Server-Timing
X-Server
X-Ws-Request-Id
X-AH-Environment
X-Ua-Compatible
X-Age
X-Hacker
X-Turbo-Charged-By
X-Proxy-Cache
X-Server-Powered-By
X-Cache-Group
X-Backend
Host-Header
EagleId
X-Nginx-Cache-Status
X-Amz-Request-Id
X-Amz-Id-2
Report-To
X-Rq
X-LiteSpeed-Cache
X-UA-Device
X-Varnish-Cache
Grace
X-Page-Speed
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
X-Device
X-Pingback
X-Server-Id
EagleEye-TraceId
X-Vhost
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
Cf-Railgun
X-Amz-Version-Id
X-OneAgent-JS-Injection
X-Host
X-Dispatcher
NEL
X-CST
X-Node
Allow
Surrogate-Control
X-Cache-Spec
Request-Id
X-Backend-Server
X-WebKit-CSP
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Response-Time
X-Akam-SW-Version
X-Readtime
Accept-CH
Xkey
X-HW
X-Country
Accept-Ch-Lifetime
X-Ac
Content-Location
X-Application-Context
X-Language
X-Webkit-CSP
X-Template
Rating
X-Ruxit-JS-Agent
X-Url
X-Cloud-Trace-Context
MS-Author-Via
X-Cache-Lookup
X-Mod-Pagespeed
X-B3-TraceId
Edge-Control
X-PC
X-Vname
X-TtlSet
X-Clacks-Overhead
X-ESI
X-MS-InvokeApp
X-Trace
X-Varnish-TTL
X-GitHub-Request-Id
X-Content-Type
X-ASPNET-VERSION
Fastly-Restarts
X-Cnection
Accept-Ch
X-Origin-Cache
X-Rack-Cache
X-D2id
X-Exp-Id
X-Cdn-Fetch
X-GoogleNews-Bot
X-Exp-Variant
X-Kinja-Server
X-Use-Magma
X-Kinja-Build
X-Kinja-Revision
X-Kinja
Arr-Disable-Session-Affinity
X-Country-Code
Verso
X-Goog-Hash
X-VARITI-CCR
Accept-CH-Lifetime
X-Cached
X-Server-Name
X-Powered-By-Plesk
X-Vcap-Request-Id
X-Navigation-Version
Cache-Tag
X-Amz-Rid
X-Client-IP
X-Abt-Application-Version
Service-Worker-Allowed
X-Fastly-Request-ID
X-Buckets
X-FastCGI-Cache
X-Middleton-Display
Pagespeed
X-Sol
Response
X-Middleton-Response
Display
X-ORACLE-DMS-ECID
X-Ttl
RTSS
Access-Control-Request-Method
X-Element-Page-Cache
X-MSEdge-Ref
X-Powered-CMS
X-NF-Request-ID
X-Cache-TTL
X-Dw-Request-Base-Id
X-Upstream
Public-Key-Pins
X-Version
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Edge
S
X-Kinsta-Cache
X-LLID
MRF-Tech
X-B3-TraceId-Primal
Mrf-Cache-Status
X-Ruxit-Js-Agent
SPRequestDuration
SPIisLatency
Realpath
X-Oneagent-Js-Injection
X-Accel-Expires
SPRequestGuid
X-SharePointHealthScore
X-Px
X-HP-Webp
X-Jurisdiction
X-ECACHE
X-T
X-TTL
X-MCACHE
X-Correlation-Id
X-Forwarded-Proto
X-Mid
X-Release
X-Edge-Location-Klb
X-PressLabs-Stats
X-Mg-S
X-Litespeed-Cache
Charset
X-Content-Security-Policy-Report-Only
X-Recruiting
X-Shield-Request-Id
TP-L2-Cache
Edge-Cache-Tag
TP-Cache
X-Ezoic-Cdn
Pinterest-Version
X-Pinterest-Rid
Pinterest-Generated-By
Fastcgi-Cache
X-DynaTrace
X-Amz-Server-Side-Encryption
X-ORACLE-DMS-RID
X-Id
X-Instrumentation
X-Content-Digest
X-Server-Lifecycle-Phase
X-Kraken-Routeconfig-Destination
X-Kraken-Loop-Name
Filters
X-Request-Processing-Time
X-Request-Received
Cache-Tags
Alternate-Protocol
Content-MD5
X-Logged-In
Server-Node
Front-End-Https
X-Forwarded-For
Nginx-Cache
Server-Name
X-Cache-Key
X-Origin-Upstream-Status
X-WebKit-CSP-Report-Only
X-Amzn-Trace-Id
X-Fastcgi-Cache
TCN
Fusion-Source
Fusion-Component-Id
Fusion-Deployment-Id
Fusion-Template-Id
Fusion-Content-Source
Fusion-Content-Id
AR-CACHE
AR-ATIME
AR-Request-ID
Ar-Sid
AR-PoweredBy
X-Origin-Server
X-XRDS-LOCATION
X-Contextid
X-Grace
X-Geo-Country
X-Amz-Replication-Status
X-F-Cache
Host
X-Activity-Id
X-AppVersion
X-Az
X-Rid
X-Goog-Storage-Class
X-GUploader-UploadID
X-HS-Content-Id
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Goog-Metageneration
X-HS-Hub-Id
X-Goog-Generation
X-HS-Cache-Config
X-HS-Combine-CSS
Cleartype
X-Hostname
X-Www-Served-By
X-Frontend
X-RateLimit-Remaining
X-Protected-By
Section-Io-Cache
X-XRDS-Location
X-LB-Cache
X-Debug-Info
MicrosoftSharePointTeamServices
X-Ser
X-Erf-Bev-Bev-Is-Generated
X-Erf-Bev-Bev
X-Browser-Type
X-Aspnetmvc-Version
X-Request-Handler-Origin-Region
X-Microsite
X-Page-Id
X-Cache-Age
X-Git-Hash
Accept-Charset
X-Varnish-Age
X-Respond-Thread
X-Upgrade-Enabled
X-Source
X-Hits
X-DIS-Request-ID
Nel
X-Mobile-URL
ServerID
X-VCache
Paypal-Debug-Id
X-Tec-Api-Version
X-Tec-Api-Root
X-NWS-LOG-UUID
X-Tec-Api-Origin
X-Content-Options
X-B-Cache
X-Varnish-Backend
X-Varnish-Grace
X-Signature
X-CACHE-GROUP
X-Aspnet-Duration-Ms
X-Is-Crawler
X-Providence-Cookie
X-Flags
X-Request-Guid
X-Route-Name
X-Whom
X-N
Payment
Access-Control-Allow-Method
X-FB-Debug
Healthy
X-Kong-Upstream-Latency
X-Cache-Action
X-TT
X-Kong-Proxy-Latency
X-App-Environment
X-B3-Sampled
Viewport
X-Seen-By
Node
X-AOL-HN
X-Daa-Tunnel
X-Type
X-Load-Cache
X-Server-ID
Fastcgi-Useragent
Version
MS-CV
X-Mobile
DC
X-Cache-Expired-At
X-Webkit-Csp
Filterid
X-Distributor
X-HTML-Minification-Powered-By
DynaTrace
X-IPLB-Instance
X-Cache-Control
SRV
X-Yandex-Sdch-Disable
X-FireWall-Port
X-Ab
Retry-After
X-Original-Request-Id
X-Response-Served-From
X-Real-IP
X-Instance
X-Jobs
X-Debug
X-RemovedCookies
X-ProcessESI
X-Proxy-Cache-Status
X-Tt-Trace-Host
Refresh
X-UUID
X-Tt-Trace-Tag
X-Accel-Buffering
X-Varnish-Server
NGB
X-Device-Type
X-Debug-IsPreview
X-Content-Powered-By
X-Debug-IsConnected
Ms-Operation-Id
X-Proxy
X-Page-View
X-Tumblr-Pixel-1
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-IPS-LoggedIn
X-Region
X-RTag
X-Cacheable-TTL
Cache
Frame-Options
Access-Control-Request-Headers
VIX-Pulpo-Upstream-Status
X-B
Uber-Trace-Id
VIX-Pulpo-Node
X-Framework
X-Adobe-Loc
X-Cluster-Name
X-Adobe-Content
X-Cache-Time
X-User-Agent
X-G
X-Wix-Request-Id
X-Zen-Fury
X-FW-Static
X-FW-Dynamic
X-FW-Hash
X-FW-Serve
X-FW-Server
X-FW-Type
Countrycode
Section-Io-Id
Section-Io-Origin-Time-Seconds
Section-Io-Origin-Status
Section-Origin-Responded
X-App-Version
X-Time
X-Cache-Hit
X-Vgn-Hpd-Reason
Cache-Status
Surrogate-Key
X-RateLimit-Limit
X-Nginx-Cache
X-Drupal-Cache-Tags
X-NGENIX-Cache
Eomportal-Instance
X-Azure-Ref
X-Is-Bot
Country
X-Rendered-As
X-App-Server
X-EdgeConnect-Cache-Status
X-TA-CDN-Provider
X-Mg-Request-UUID
S-Cnection
X-Oracle-Dms-Rid
X-Ms-Request-Id
X-Drupal-Cache-Contexts
X-Ms-Version
X-Rule
CF-IPCountry
Referer-Policy
X-Cache-Rule
AMP-Access-Control-Allow-Source-Origin
X-CDN-Forward
Liferay-Portal
X-Varnishpool
Meta-Geo
Selected-Fe
X-Timing-Wait
X-RN-RSRV
X-Proxy-Build
X-UPSTREAM-Address
X-ES-SERVER
X-JoinUs
SD-X-WS
From-Origin
X-SaId
X-TNCMS
X-Alternate-Cache-Key
X-Endurance-Cache-Level
X-Tumblr-Pixel-2
X-Shopify-Stage
X-R9-Blue-Green-Version
X-No-Session
X-Loop
X-Cache-TTL-Remaining
X-PHP-Backend
ServedBy
X-Pubstack
Country-Code
X-ShardId
X-Yottaa-Metrics
X-Xfnlog-Site
X-Storefront-Renderer-Rendered
X-Sorting-Hat-ShopId
X-Yottaa-Optimizations
X-ShopId
X-Sorting-Hat-PodId
X-Via-Fastly
X-Cache-Server
X-Node-Name
Xserver
Decoy-Debug-Key
Fastly-SSL
Cache-Tv-Group
Decoy-Debug-Status
Cache-Name
X-VWS-Id
X-Environment-Context
X-L-Path
Akamai-GRN
X-SayCDN-TTL
X-Say-TTL
X-OCL
X-LJ-Flow-ID
X-LAGOON
X-Handled-By
X-Cache-PHP
X-Be
X-Say-Cacheable
X-PCL
X-AWS-Id
X-Backend-Host
Protected
Decoy-Debug-TTL
X-Varnish-Hostname
X-Human
X-S-Maxage
X-Request-Time
TWC-Locale-Group
Azure-SlotName
TWC-GeoIP-Country
TWC-GeoIP-LatLong
TWC-Connection-Speed
X-Section
Property-Id
X-Redis-Cache
X-RCS-CacheZone
TWC-Privacy
Webcakes-App-Version
X-NYM-Debug-Backend
X-Labrador-Cache-Channel
X-Hyper-Cache
X-Hl-Ver
X-Origin-Date
X-Origin-Hint
Webcakes-Region
X-Proto
X-PHP-Host
X-Access
Webcakes-App-Name
TWC-Device-Class
X-ProxyCache-Key
X-Sql-Count
Apigw-Requestid
X-Status
X-BYPASS-REASON
X-Sql-Duration-Ms
X-Cache-Operation
X-Server-W
X-ProxyCache-Status
Azure-InstanceId
Azure-SiteName
Azure-RegionName
Azure-Version
X-Hosted-By
X-Adobe-Source
X-Cached-By
X-Format
X-FB-TRIP-ID
X-Akamai-Edgescape
X-Varnish-Beresp-Grace
X-Backend-Name
X-ApacheServer
X-GG-Cache-Date
X-PERF
X-UA-Device-Type
X-Uri
Mn-Server-Ip
X-Web-Node
X-Ua-Device
X-MP-GENERATED-AT
Amp-Access-Control-Allow-Source-Origin
X-Trace-Id
X-Content-Age
X-WA-Info
X-Dc
X-ATG-Version
X-B3-SpanId
X-FW-Version
X-Revision
X-Cache-Enabled
X-Soup
X-SRV
X-CSRF-Token
X-Edge-Location
X-Mode
Backend
X-ServerID
X-Time-Microsecs
X-Cache-Type
X-Info
X-Tumblr-Pixel-3
Who
X-CACHE-KEY
X-CS
X-Bc-Bl
X-Cache-NGX
X-Microcachable
X-TT-LOGID
X-Varnish-Beresp-Status
X-Debug-Cache
X-Detected-As
X-Akamai-Transformed
X-Proxied
X-Zipkin-Id
X-Datadome
X-Routing-Service
X-Storage
X-Aws-Lambda-Call-Status
X-Platform
X-Azure-Ref-OriginShield
Web-Mar-Node
X-Cache-Host
X-Unique-ID
X-APP-VERSION
X-Varnish-Cache-Hits
X-Via-JSL
X-Amzn-RequestId
X-DataDome
X-Amz-Apigw-Id
X-Amzn-Remapped-Content-Length
OT-Force-Account-Verify
Server-Info
X-B3-Traceid
X-Extlb
X-Generation-Time
X-Locale
DataCenter
X-Varnish-Hits
Cross-Origin-Opener-Policy
X-Varnish-Beresp-Ttl
X-Cluster-Node
X-Origin-TTL
X-Site-Version
X-Parallel-Accel
Count-Hit
GEO-INFO
X-Origin-CC
X-Destination
X-Processor
MD5-Digest
X-Vdms-Path
X-Developer
M-TraceId
X-NAPM-TraceId
X-Cms-Context
X-Connection-Hash
X-Proxy-Upstream
Meta-Geo-Continent
Mobile-Detection-Method
X-PBS-Appsvrname
X-Core-Value
X-Magnolia-Registration
X-Air-Source
Odigeo-Trace-Id
X-External-Request-Id
X-D
X-PAYTM-SRV-ID
X-Air-Hostname
X-Air-Trace-Id
Geo-Info
CDN-PullZone
CDN-RequestCountryCode
CDN-EdgeStorageId
CDN-CachedAt
CDN-Cache
CDN-RequestId
CDN-Uid
X-Geo-Header
Content-Disposition
X-Generated-On
DCR-Decision-By
DCR-Processing-Time-Ms
CDCHOST
Expiry
X-Level-Front-Cache
Apple-News-Services-Handled
A
X-From
X-Varnish-Url
Apple-News-Services-Host
Apple-News-Services-Parsed-Url
Fastcgi-X-Cache-Version
BehaviorPad-Version
Fastly-Backend-Name
Apple-News-Services-Request-Url
Host-ID
X-Vdms-Version
X-Aed
X-Rojux
X-VG-WebServer
X-Vtex-Remote-Cache
X-S
X-Rewrite-Enabled
X-TEC-API-ROOT
X-B-Cookie
X-Bip
X-ARC
X-Application
X-TEC-API-VERSION
X-Sucuri-ID
X-A-Wwc
X-A
X-SRCache-Key
X-A-Ccd
X-Session-Fingerprint
X-TEC-API-ORIGIN
X-Service
X-EC-Lua
X-S-Cookie
X-A-Dgt
X-A-Dcw
X-ScT
X-Cache-Ttl
X-A-Dam
X-BCube-Filmed-By
X-AIR-PT
X-CF-Lambda-Fn
X-Cache-Bucket
Surrogated-Key
T-Server
X-VG-WebCache
X-Cache-NE
X-Request-URI
X-Thanos
X-CF-Lambda-Version
X-Vtex-Processado-Em
Rendered-Blocks
X-Ratelimit-Reset
X-Tb
X-Pass-Why
User-Cache-Control
Path
Pics-Label
X-Clientip
Esi-Enabled
Pagetype
Server-Host
X-GoCache-CacheStatus
X-Generated-By
X-Clara-WADP
X-Cache-Info
PFcat
X-Backend-State
X-Fastly-Cache
X-Envoy-Decorator-Operation
Location
Memcached
X-Developers
UCS
X-Branch-Name
X-Fmm-Version
X-Aicache-OS
X-Cache-Debug
X-Accel-Expires-Debug
Fastly-SWR
X-Gamma-Serve
X-Forwarded-Site
X-Date
Fastly-SIE
AKAMAI
X-Rebelmouse-Cache-Control
X-VG-TLSProxy
X-Rebelmouse-Surrogate-Control
X-Req
X-Amz-Meta-S3cmd-Attrs
X-NU-AKA-ACS-Version
X-Var-Ttl
X-VarnishDD-TTL
X-TrackingId
X-Request-Host
X-Epic-Correlation-Id
X-Varnish-Ttl
X-Scheme
X-Served-From
X-WADP-Cache
Cache-Host
X-Request-UUID
State
Req-Svc-Chain
Ec-Rule-Version
X-Cluster
X-Platform-Server
X-Micro-Cache
X-Is-Gdpr
X-Location
X-HN
X-Hash
X-Men
Cmstype
Cmsid
X-JWT-State
X-Has-Esi
Upgrade-Insecure-Requests
X-Servername
X-HS-Content-Campaign-Id
X-Irp-Debug
Origin
X-Cache-Grace
X-Thinkindot-L3
X-Rocket-Build-Number
X-Cache-Id
X-Block-Status
X-Hnp-Log
X-Generated-In
X-Wikidot-Static-Cache
X-Wikidot-Backend
X-Slack-Backend
Fastcgi-Cache-TTL
Fastly-Drupal-HTML
L
X-SVT-ORM-VERSION
Kp-EeAlive
X-Sigma
My-App
X-Sigma-Backend
X-Old-Content-Length
X-VC-Cache
X-Origin
X-Origin-Expires
X-Owner
X-Fastly-Backend
X-Variation
X-SVT-ORM-RULES
X-Esi-Check
X-DPWN-IS-SECURE
X-Mvc-Supplant-Cachable
X-Device-Os
X-Csrf-Jwt
X-Minions-Version
X-Gen-Mode
X-Viewer-Country
X-CGP
X-Eu-Site
X-Li-Fabric
X-Li-Pop
X-RateLimit-Remaining-Second
X-Gzip
X-Policy
X-LI-UUID
X-RateLimit-Limit-Second
X-Cache-Tags
Wxu-Next-Region
HA-Ipaddr
Cf-Device-Type
Adler-Geo
Svr
TDXMobile
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
Platform
PB-RID
NM-Fastcgi-Cache
Cache-Key
NGX
C-Via
Arc-Version
PB-PID
Arc-Country
CacheControlHeader
Thinkindot-Control
L5d-Success-Class
Ha-Gx-Prefs
X-TX-ID
Is-Eu
Wxu-Next-Commit
We-Hiring
Gh-Request-Id
Vix-Hermes-Req-Id
True-Client-Country-4JS
Wxu-Next-Hostname
Mail-Subject
DSUID
Source
X-NWS-UUID-VERIFY
Webserver
X-GeoIP-City
X-FC-Vary-Parameters
CPC-Cache
X-Fetched-On
X-Forwarded-Host
X-GeoIP
X-Nginx-Cache-Key
X-Varnish-CookieHashed-On
X-Varnish-CookieINHashed-On
X-Qloud-Router
X-User
X-SIPLIST1
X-Skip-Cache
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-Via-NSCOPI
X-Ratelimit-Limit
X-Varnish-Remaining-TTL
X-PF-Uncompressing
X-Planisys-CDN-Cache
X-VServer
CPC-Age
VNS-Age
Sever-Int
Locid
X-DefElseHash
VNS-Cache
X-Loc
X-DefHash
Server-Hostname
IsBot
Release
Server-Ext
V-Age
SID
Tcn
X-Goog-Meta-Goog-Reserved-File-Mtime
Url
X-Mvc-Supplant-OutputCached
X-CLOUD-TRACE-CONTEXT
X-Shop-Environment
S-Rt
X-Via-Popv
X-OVcl-Cache
X-Via-Poph
X-Via-Popn
X-Tenant
X-Vc
X-OVcl
X-Forwarded-Path
Powered-By-ChinaCache
NtCoent-Length
Cache-Hits
X-Orig-Expires
X-TraceId
X-PJAX-URL
Cross-Origin-Window-Policy
X-Unique-Id
DB-Nickname
Cf-Bgj
MIME-Version
X-Ratelimit-Remaining
X-Refresh
XServer
X-Ua
X-Backend-TTL
Magicmarker
X-Ftr-Request-Id
X-ZONE
X-Zone
X-ID
X-Internal-Host
X-Geo
X-Conf
Content-Secure-Policy
X-NC
Memory
Time
X-GEO
X-LB-ID
WebServer
X-NCache
Geoip-Latitude
GeoIp-Country-Code
X-Method
X-BBC-Edge-Cache-Status
X-Dispatcher-Server
HostName
X-Ckpd-Fst-Backend
X-HP-Trace-Id
X-TIME
X-Worker
X-Srv
X-Servedbyhost
Server-ID
X-IP
X-V-Cache
X-DC
Ssr
X-NewRelic-App-Data
X-Auto-Login
Hostname
X-LSADC-Cache
X-Qnm-Cache
X-M-Log
X-Li-Proto
X-M-Reqid
LB
X-Rocket-Nginx-Serving-Static
X-Newrelic-Synthetics
X-Tx-Id
X-Trv-Group
X-Wa
X-Tb-Optimization-Total-Bytes-Saved
X-Nc
X-Traceid
X-Render-Time
X-Platform-Router
X-Platform-Processor
X-Platform-Cluster
X-App
X-SD-PageType
X-Vcl-Version
Resin-Trace
X-Node-Id
X-Cache-Remote
Ohc-File-Size
Env
Environment
X-HITS
X-Datadog-Parent-Id
X-MSEdge-Flight
X-Via-CDN
X-Datadog-Sampling-Priority
X-CACHE-AGE
X-VCL-Version
X-APP
X-Origin-Response-Time
X-Dynatrace
X-Datadog-Trace-Id
X-MSEdge-Features
X-VHOST
X-NodeID
X-Cache-Config
X-FTR-Request-ID
Datacenter
X-Via-Ucdn
X-Reqid
X-HostName
X-BBC-Origin-Response-Status
Sid
X-ServerName
X-Nyt-Route
Cluster
X-WA
X-API-Version
X-Varnish-Beresp-TTL
X-Origin-Time
X-Server-IP
X-Gdpr
CF-Cached-On
X-DynaTrace-JS-Agent
X-Correlation-ID
X-ND-Cache
Rt-Fastcgi-Cache
X-Wix-Viewer-Type
X-LI-Proto
X-Edge-Pop
X-Pod-Name
Viewtype
Candidate-Md5Url
VivaBuild
Cf-Ipcountry
X-ElasticPress-Query
X-Cdn-Forward
Machine
Web-Mar-Region
X-HS-Status
X-Cache-Var-Map
X-Akamai-Pragma-Client-IP
N-Cache
X-Cache-Var
Ms-Author-Via
X-Cs
FSS-Cache
CDN
X-Dynatrace-Js-Agent
X-ServedByHost
Server-Id
On-Server
X-NGINX-Cache
GeoIP-Country-Code
Proxy-Connection
GeoIP-Latitude
X-Webkit-CSP-Report-Only
Cdn
Servername
WZWS-RAY
X-Pjax-Url
X-Lb-Id
X-Check-Cacheable
X-CCM
X-Swa-Ws
X-FTR-Balancer
X-FTR-Backend-Server
X-FTR-Cache-Status
X-FTR-DC
Xc-Version
X-Oss-Server-Time
X-FTR-Realm
X-Country-Code-Real
X-FTR-Backend
X-Oss-Object-Type
X-Oss-Storage-Class
X-URL
X-Oss-Request-Id
X-Oss-Hash-Crc64ecma
X-Esi
X-Xrds-Location
X-CSRF-TOKEN
Ohc-Cache-HIT
X-Fastly-Backend-Reqs
X-Fastly-Request-Id
X-Via-PopH
X-VC
X-Via-PopV
Tracecode
WWW-Authenticate
X-Cache-Backend
X-Varnish-Cacheable
X-EIG-Tracking-Id
X-IN-APIGATEWAYSSL
X-IN-APIGATEWAY
X-Via-PopN
Onion-Location
URI
X-CUA
X-SN
Mime-Version
Cteonnt-Length
CountryCode
X-Swift-Error
X-Fpc
X-FTR-Expires
X-FORWARDED-FOR
X-Region-Sid
CACHE
X-Cache-ASPX
X-Varnish-Authentication
Instruction
SR-User-Adfree
X-Contensis-Viewer-Groups
X-Air-Pt
X-DW
X-Depends-On
X-RPS
X-DSS
X-RPM
X-Snapshot-Date
Shield-Pop
X-Fastly-Cache-Hits
Ohc-Response-Time
Warning
X-Action
X-RSL
X-DB
X-DI
X-Dw-Trace-Id
Server-Ttl
X-Tid
X-SB
X-LiteSpeed-Cache-Control
X-Pf-Uncompressing
X-TIM-N
X-Webstats-RespID
X-UnsetCookies
X-StackifyID
X-Yottaa-OS
Redirect-Candidate
WP-Super-Cache
X-Request-Start
X-ElasticPress-Search
X-UA
X-Provided-By
X-CCDN-Origin-Time
W
X-Acquia-Application-Trace
X-Up
Xet-Cookie
X-Mg-Request-Id
X-Hcs-Proxy-Type
X-Cache-Status-Check
Content-Style-Type
X-C
X-Apw-Access-Action
Lfy
Content-Script-Type
CloudFront-Viewer-Country
X-TH-Server
X-Matched-Rule
X-MiniProfiler-Ids
X-Cache-Expires
X-Apw-Access-Object
X-Apw-Access-Token
X-Tt-Logid
X-Acquia-Purge-Tags
X-Acquia-Application-UUID
ServerName
X-Pad
X-Acquia-Site
X-Core-Mission
X-Apw-Hits
X-CCDN-CacheTTL
Vha6-Origin