Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Link
Cf-Request-Id
CF-Cache-Status
CF-RAY
ETag
Pragma
X-XSS-Protection
Expect-CT
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
P3P
Alt-Svc
X-Served-By
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Xss-Protection
X-Varnish
X-Request-Id
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-AspNet-Version
X-Runtime
Content-Security-Policy-Report-Only
X-Drupal-Cache
P3p
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Check
X-Cacheable
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
X-CONTENT-TYPE-OPTIONS
Access-Control-Expose-Headers
X-CDN
X-AspNetMvc-Version
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
X-Akamai-Path-Stats
Access-Control-Max-Age
Server-Timing
X-Ws-Request-Id
X-Cache-Group
X-Dns-Prefetch-Control
X-Turbo-Charged-By
Keep-Alive
Request-Context
X-Backend
EagleId
X-Robots-Tag
X-Age
X-Server
X-Amz-Request-Id
X-AH-Environment
X-Amz-Id-2
Host-Header
X-Proxy-Cache
X-UA-Device
X-Hacker
X-Rq
Grace
X-Server-Powered-By
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
X-Vhost
Ali-Swift-Global-Savetime
X-Dispatcher
X-LiteSpeed-Cache
X-Amz-Version-Id
Allow
X-Ua-Compatible
CONTENT-SECURITY-POLICY
EagleEye-TraceId
X-Nginx-Cache-Status
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-OneAgent-JS-Injection
X-WebKit-CSP
X-Device
X-Cache-Spec
Cf-Railgun
X-Host
X-Page-Speed
X-Server-Id
X-Node
Cf-Edge-Cache
X-Aws-Lambda-Call-Status
X-Pingback
Surrogate-Control
X-CST
Request-Id
X-Backend-Server
X-Readtime
X-Akam-SW-Version
Accept-CH
X-Response-Time
X-Cache-Lookup
X-HW
X-Application-Context
Xkey
Accept-CH-Lifetime
Content-Location
Rating
X-EdgeConnect-Origin-MEX-Latency
X-Cloud-Trace-Context
X-EdgeConnect-MidMile-RTT
X-Trace
X-Url
Accept-Ch
Fastly-Restarts
Accept-Ch-Lifetime
X-Country
X-Ruxit-JS-Agent
X-MS-InvokeApp
X-Rack-Cache
X-Mod-Pagespeed
X-Clacks-Overhead
X-Vname
X-PC
X-TtlSet
RTSS
X-Amz-Server-Side-Encryption
Edge-Control
X-Varnish-TTL
X-VARITI-CCR
X-FastCGI-Cache
X-ESI
X-Server-Name
Cache-Tag
X-Edge
X-B3-TraceId
X-Content-Type
X-Vcap-Request-Id
X-Amz-Rid
X-Dw-Request-Base-Id
X-Exp-Id
X-Exp-Variant
X-Cdn-Fetch
X-Kinja
X-Use-Magma
X-Kinja-Server
X-Kinja-Revision
X-Kinja-Build
X-GoogleNews-Bot
X-Px
X-ASPNET-VERSION
Public-Key-Pins
X-D2id
X-Cnection
X-Ser
X-Navigation-Version
X-Content-Security-Policy-Report-Only
X-Powered-By-Plesk
Pagespeed
X-Middleton-Display
Display
X-Abt-Application-Version
X-Sol
Verso
X-Ac
X-Client-IP
X-Element-Page-Cache
X-Version
Arr-Disable-Session-Affinity
X-RateLimit-Remaining
X-Cache-TTL
X-GitHub-Request-Id
X-Ttl
X-Country-Code
Service-Worker-Allowed
X-NF-Request-ID
X-Middleton-Response
Response
X-Cached
X-Goog-Hash
SPRequestDuration
SPIisLatency
Access-Control-Request-Method
X-Kinsta-Cache
X-SharePointHealthScore
SPRequestGuid
X-Edge-Location-Klb
X-Powered-CMS
AR-CACHE
AR-PoweredBy
X-Kraken-Loop-Name
X-Upstream
X-Server-Lifecycle-Phase
X-Instrumentation
AR-ATIME
AR-Request-ID
AR-SID
X-Correlation-Id
X-LLID
Edge-Cache-Tag
X-WebKit-CSP-Report-Only
X-Forwarded-For
Content-MD5
X-NWS-LOG-UUID
X-Litespeed-Cache
X-TTL
X-Cache-Key
X-ECACHE
X-Ruxit-Js-Agent
Nginx-Cache
X-RateLimit-Limit
X-Id
X-Shield-Request-Id
TCN
X-MSEdge-Ref
S
X-Recruiting
Mrf-Cache-Status
MRF-Tech
X-T
X-Daa-Tunnel
X-TEC-API-VERSION
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-B3-TraceId-Primal
X-Content-Digest
X-DataDome
X-Mg-S
X-HP-Webp
X-Jurisdiction
X-HP-Trace-Id
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Ua-Device
TP-L2-Cache
TP-Cache
X-Grace
X-Mcache
X-Accel-Expires
X-DynaTrace
X-HS-Content-Id
X-HS-Cache-Config
X-HS-Combine-CSS
X-HS-Hub-Id
Front-End-Https
X-Frontend
MicrosoftSharePointTeamServices
Filters
X-Yandex-Sdch-Disable
Server-Node
X-Protected-By
X-Request-Received
X-Request-Processing-Time
X-Ua-Browser
X-Ezoic-Cdn
X-Ab
X-Content
X-Distributor
X-Origin-Server
X-Hits
X-PressLabs-Stats
Fastcgi-Cache
X-LB-Cache
X-ORACLE-DMS-ECID
X-Geo-Country
MS-Author-Via
X-ORACLE-DMS-RID
X-Microsite
X-Request-Handler-Origin-Region
X-Amzn-Trace-Id
X-Mid
Charset
Host
X-Tt-Trace-Host
X-Webkit-Csp
X-Tt-Trace-Tag
Cross-Origin-Opener-Policy
Cleartype
Cache-Status
X-Page-Id
X-Git-Hash
X-Forwarded-Proto
X-F-Cache
X-B3-Sampled
X-Debug-Info
Realpath
X-Seen-By
X-Az
X-AppVersion
X-Activity-Id
X-Cache-Age
X-DIS-Request-ID
Access-Control-Allow-Method
X-Ratelimit-Reset
X-Fastly-Request-Id
X-Nginx-Upstream-Cache-Status
X-Www-Served-By
X-Webkit-CSP
Accept-Charset
Permissions-Policy
Filterid
X-Server-ID
ServerID
X-Aspnetmvc-Version
Cache-Tags
X-Varnish-Age
X-Rid
X-Content-Options
Pinterest-Generated-By
X-FB-Debug
Pinterest-Version
X-Cluster-Name
X-Pinterest-Rid
X-Type
Retry-After
Server-Name
X-Midtier
X-Varnish-Grace
X-App-Environment
X-Tb
X-Varnish-Backend
X-Route-Name
X-Is-Crawler
X-Aspnet-Duration-Ms
X-Flags
X-Providence-Cookie
X-Request-Guid
Viewport
X-User-Agent
X-TT
X-Drupal-Cache-Tags
Country
X-Origin-Cache
X-B
X-Wix-Request-Id
X-Amz-Meta-S3cmd-Attrs
X-B-Cache
X-Signature
DC
Paypal-Debug-Id
X-Whom
Node
Fastcgi-Useragent
X-Goog-Generation
X-GUploader-UploadID
X-Goog-Storage-Class
X-VCache
X-Goog-Stored-Content-Length
X-Goog-Metageneration
X-Goog-Stored-Content-Encoding
X-Debug
X-Upgrade-Enabled
X-Language
X-Oracle-Dms-Ecid
X-Oracle-Dms-Rid
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-NWS-UUID-VERIFY
X-Mobile-URL
X-Amz-Replication-Status
X-Logged-In
Protected
Payment
X-Cache-NGX
X-N
X-Load-Cache
Amp-Access-Control-Allow-Source-Origin
Surrogate-Key
X-Cache-Control
WPO-Cache-Status
WPO-Cache-Message
X-XRDS-LOCATION
Count-Hit
Alternate-Protocol
X-XRDS-Location
X-Contextid
X-NGENIX-Cache
Healthy
X-Node-Name
X-Via-JSL
X-Mobile
X-Restarts
X-Proxy
X-Browser-Type
X-Erf-Bev-Bev-Is-Generated
X-Erf-Bev-Bev
Content-Disposition
SD-X-WS
X-Original-Request-Id
X-Response-Served-From
X-MCACHE
X-FW-Type
X-FW-Static
X-FW-Hash
X-FW-Dynamic
X-FW-Server
X-FW-Serve
X-G
Refresh
Akamai-GRN
X-UUID
X-Revision
X-Akamai-Request-ID2
X-Page-View
X-Adobe-Content
Url
Uber-Trace-Id
X-Zen-Fury
X-Adobe-Loc
X-Jobs
X-Cache-Time
X-Servername
X-Mg-Request-UUID
X-Debug-IsConnected
X-Real-IP
X-Cacheable-TTL
X-Cache-TTL-Remaining
X-Debug-IsPreview
VIX-Pulpo-Node
X-Http-Reason
X-Framework
VIX-Pulpo-Upstream-Status
X-Device-Type
X-Rendered-As
X-Is-Bot
X-Varnish-Server
Access-Control-Request-Headers
X-Yottaa-Optimizations
X-Cache-Grace
X-Proxy-Cache-Status
X-Yottaa-Metrics
X-Drupal-Cache-Contexts
NGB
X-Environment-Context
X-L-Path
X-Instance
X-HTML-Minification-Powered-By
X-Hostname
X-Ratelimit-Remaining
X-IPLB-Instance
Frame-Options
Version
X-COUNTRY
X-Template
X-EdgeConnect-Cache-Status
Referer-Policy
X-Source
X-Fastly-Request-ID
Countrycode
X-ECache
X-B3-Traceid
X-RTag
MS-CV
Ms-Operation-Id
Liferay-Portal
Accept-Language
X-Trace-Id
X-Oneagent-Js-Injection
X-NYM-Debug-Backend
X-Datadome
X-App-Server
X-Cache-Rule
X-Cache-Expired-At
X-Cache-Hit
Cross-Origin-Window-Policy
From-Origin
X-Tumblr-User
X-Tumblr-Pixel
X-Hosted-By
X-Tumblr-Pixel-0
X-Tumblr-Pixel-1
X-Vgn-Hpd-Reason
Backend
X-IPS-LoggedIn
X-Unique-Id
X-APP-VERSION
X-RemovedCookies
X-ProcessESI
X-Status
X-Nginx-Cache
Meta-Geo
WP-Super-Cache
Section-Io-Cache
X-Ratelimit-Limit
X-RN-RSRV
Load-Balancing
X-Cache-Server
Upgrade-Insecure-Requests
X-UPSTREAM-Address
X-FW-Version
Content-Secure-Policy
X-LJ-Flow-ID
X-AWS-Id
X-No-Session
X-VWS-Id
X-FB-TRIP-ID
X-PCL
X-OCL
X-Content-Age
X-Content-Powered-By
X-Be
X-Cache-Enabled
X-Labrador-Cache-Channel
X-AOL-HN
X-Access
X-Sql-Count
X-Sql-Duration-Ms
X-UA-Device-Type
X-Redis-Cache
X-Request-Time
Mn-Server-Ip
X-Via-Fastly
X-PHP-Host
X-PHP-Backend
CF-IPCountry
X-Ua
X-Section
Apigw-Requestid
X-Akamai-Edgescape
X-Platform-Server
X-PERF
X-Origin-Date
X-Nginx-Cache-Key
X-ProxyCache-Key
X-ProxyCache-Status
X-Say-TTL
X-Say-Cacheable
X-Region
X-Human
X-Generated-By
X-ApacheServer
X-Adobe-Source
S-Rt
Locale
X-BYPASS-REASON
X-Cache-Tags
X-Forwarded-Host
X-Format
X-Cms-Context
X-SayCDN-TTL
X-Site-Version
Webcakes-App-Version
Webcakes-App-Name
TWC-Privacy
TWC-Locale-Group
Webcakes-Region
X-Cluster-Node
X-Varnish-Cache-Hits
X-Server-W
X-Origin-Hint
TWC-GeoIP-Country
TWC-Device-Class
X-Urbn-Site-Id
X-Urbn-Context-Path
X-Storage
X-Uri
X-VC-Cache
TWC-Connection-Speed
Property-Id
X-Xfnlog-Site
Eomportal-Instance
TWC-GeoIP-LatLong
X-Mode
X-Alternate-Cache-Key
X-ShopId
X-ShardId
X-Sorting-Hat-PodId
X-Shopify-Stage
X-Sorting-Hat-ShopId
X-GG-Cache-Date
X-Hl-Ver
X-JoinUs
X-GeoCountry
X-Cache-Type
X-Dc
X-Debug-Cache
X-Detected-As
X-GeoCode
X-SaId
X-Cache-Host
Azure-SlotName
X-Edge-Location
X-Generation-Time
X-Storefront-Renderer-Rendered
X-Locale
Azure-SiteName
Azure-RegionName
X-Tid
X-ServerID
X-Varnishpool
X-Web-Node
Azure-InstanceId
Fastly-SSL
Azure-Version
X-NewRelic-App-Data
X-Proxied
X-Handled-By
X-Routing-Service
X-Zipkin-Id
X-Proto
X-Extlb
X-Backend-Name
Selected-Fe
X-Timing-Wait
X-Proxy-Build
CDN-CachedAt
Cache-Tv-Group
CDN-EdgeStorageId
CDN-Uid
CDN-PullZone
CDN-RequestId
ServedBy
CDN-RequestCountryCode
X-CDN-Forward
Webserver
CDN-Cache
Fastly-Drupal-Html
Ec-Rule-Version
X-App-Version
Web-Mar-Node
X-LSADC-Cache
Onion-Location
X-IPLB-Request-ID
X-Cache-Action
X-GEO
X-Magnolia-Registration
X-Varnish-Hostname
X-Cached-By
Cache-Hits
X-Tt-Logid
SID
X-Cache-Operation
X-Envoy-Decorator-Operation
SRV
Mime-Version
X-Hyper-Cache
X-Cache-Remote
X-Cluster
X-Varnish-Hits
X-Air-Source
LB
X-Air-Trace-Id
X-Air-Hostname
X-Rewrite-Enabled
X-Cdn
X-Fastcgi-Cache
X-SRV
X-Soup
X-Origin-TTL
X-Origin-CC
X-Rule
X-Parallel-Accel
DB-Nickname
Xet-Cookie
Cache
Xserver
X-Microcachable
Source
Server-Info
X-Accel-Buffering
X-Reqid
X-MP-GENERATED-AT
X-Pubstack
X-Xrds-Location
X-Tumblr-Pixel-2
X-TA-CDN-Provider
Country-Code
X-Via-NSCOPI
X-CSRF-Token
X-Buckets
Decoy-Debug-TTL
X-Skip-Cache
X-Tx-Id
Decoy-Debug-Key
Decoy-Debug-Status
X-Tumblr-Pixel-3
X-B3-SpanId
X-Endurance-Cache-Level
X-TT-LOGID
X-Origin-Response-Time
X-Request-Host
X-BCube-Filmed-By
NM-Fastcgi-Cache
X-Orig-Expires
X-Processor
Pramga
X-PAYTM-SRV-ID
X-NAPM-TraceId
X-Tenant
Odigeo-Trace-Id
X-Vtex-Remote-Cache
X-TrackingId
X-PBS-Appsvrname
MD5-Digest
X-Developer
DCR-Decision-By
X-Ec-Fail
Cdnsip
X-Ec-GeoHdr
Cdncip
DCR-Processing-Time-Ms
X-Destination
X-Connection-Hash
X-D
X-Conf
Fastcgi-X-Cache-Version
Expiry
Host-ID
Candidate-Md5Url
X-Epic-Correlation-Id
X-Geo-Header
X-Cdn-Srv
X-Ig-Push-State
Meta-Geo-Continent
X-Cache-NE
Mobile-Detection-Method
X-CF-Lambda-Fn
Lang
BehaviorPad-Version
Cache-Key
X-External-Request-Id
A
X-CF-Lambda-Version
X-Forwarded-Path
X-Cache-Status-Check
DynaTrace
Datacenter
X-Vtex-Processado-Em
X-SD-PageType
X-AK-Request-ID
X-A-Ccd
X-ARC
X-A-Wwc
X-SRCache-Key
X-Vdms-Version
X-SplitTest
X-A
Xc-Version
X-Aed
X-A-Dam
X-ScT
Sslversion
X-A-Dcw
X-Application
X-User
X-TIM-N
X-Vdms-Path
X-S
X-A-Dgt
X-Shop-Environment
X-B-Cookie
X-Rojux
T-Server
X-Amz-Apigw-Id
X-S-Cookie
Surrogated-Key
Rendered-Blocks
X-VG-WebCache
X-Session-Fingerprint
X-Amzn-RequestId
X-Newrelic-Synthetics
X-Ckpd-Fst-Backend
Kp-EeAlive
X-Varnish-Beresp-Grace
X-Azure-Ref
XM
X-SB
AKAMAI
Adler-Geo
X-Fetched-On
X-DPWN-IS-SECURE
X-DefHash
X-Wix-Viewer-Type
X-DefElseHash
Environment
X-Sigma-Backend
X-Sigma
X-Developers
X-Device-Os
X-Worker
X-V-Cache
Is-Eu
X-Ad-Defer-Variation
Cmstype
Cmsid
X-Esi-Check
X-Has-Esi
X-Core-Value
Wxu-Next-Commit
X-Ms-Version
X-Varnish-Remaining-TTL
We-Hiring
X-Variation
X-NodeID
Server-Host
Platform
Producers
Wxu-Next-Hostname
Wxu-Next-Region
X-Origin
X-Cache-Id
X-Varnish-CookieINHashed-On
X-Ms-Request-Id
X-HS-Content-Campaign-Id
X-Bc-Bl
Memcached
X-Hash
X-Varnish-CookieHashed-On
X-Irp-Debug
X-Is-Gdpr
X-GeoIP
Redirect-Candidate
Mail-Subject
X-JWT-State
X-Gzip
X-Rocket-Build-Number
X-Time
X-CacheTTL
X-Block-Status
X-BBC-Edge-Cache-Status
X-Cdn-Origin
X-Core-Mission
X-Aicache-OS
X-Branch-Name
X-Clara-WADP
VNS-Cache
X-Cache-Date
X-Cache-Bucket
X-CGP
X-Cache-Info
X-RCS-CacheZone
X-Gdpr
X-Nyt-Route
VNS-Age
X-Region-Sid
X-Request-URI
X-Amzn-Remapped-Content-Length
X-Rebelmouse-Surrogate-Control
X-Rebelmouse-Cache-Control
X-Qloud-Router
X-Pool
X-RateLimit-Limit-Second
X-RateLimit-Remaining-Second
X-Origin-Time
X-Rocket-Nginx-Serving-Static
Fastly-Backend-Name
X-SVT-ORM-RULES
X-VG-TLSProxy
X-SVT-ORM-VERSION
X-Thinkindot-L3
X-VarnishDD-TTL
X-TNCMS
X-VServer
X-Sn-Servicetimems
X-Served-From
X-Scheme
X-WADP-Cache
X-SIPLIST1
X-Slack-Backend
X-Policy
X-Platform
X-Ftr-Request-Id
X-Forwarded-Site
X-Gamma-Serve
X-Gen-Mode
X-GeoIP-City
X-Generated-On
X-Fmm-Version
X-Fastly-Cache
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
X-Datadog-Trace-Id
X-Ec-Custom-Error
X-Eu-Site
X-HN
X-Hnp-Log
X-Origin-Expires
X-Node-Id
X-Planisys-CDN-Cache
X-Planisys-CDN-Rules
X-Planisys-CDN-TTL
X-NCache
X-Mvc-Supplant-Cachable
X-Level-Front-Cache
X-LAGOON
X-Loc
X-Loop
X-Minions-Version
X-Csrf-Jwt
Thinkindot-CacheControl-Type
L
X-AIR-PT
IsBot
HA-Ipaddr
Ha-Gx-Prefs
Machine
NGX
X-Varnish-Ttl
Origin-EX
Origin-CC
Origin
Fastly-SWR
Fastly-SIE
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
Apple-News-Services-Host
Apple-News-Services-Handled
CDCHOST
CloudFront-Viewer-Country
Fastly-GeoIP-CountryCode
Fastcgi-Cache-TTL
CPC-Cache
CPC-Age
PFcat
L5d-Success-Class
Svr
State
X-EC-Lua
Ssr
Thinkindot-CacheControl
Vix-Hermes-Req-Id
V-Age
User-Cache-Control
Traceparent
Thinkindot-Control
Sever-Int
TDXMobile
Server-Hostname
Req-Svc-Chain
Server-Ext
Release
X-Proxy-Cache-Info
Ohc-File-Size
X-Pod-Name
X-Scale
X-Dispatcher-Number
X-Proxy-Upstream
X-Via-Ucdn
X-Wikidot-Static-Cache
HostName
Cache-Name
X-Wikidot-Backend
X-Viewer-Country
DSUID
X-Micro-Cache
X-Cache-Backend
Gh-Request-Id
X-Auto-Login
Cluster
N-Cache
X-R9-Blue-Green-Version
X-WA-Info
X-Owner
Web-Mar-Region
X-Optimistic-Header
X-Correlation-ID
X-WP-CF-Super-Cache-Cache-Control
CDN
X-WP-CF-Super-Cache
Pics-Label
X-CS
X-ZONE
GEO-INFO
Cache-Host
X-Server-IP
X-Httpd
X-Refresh
X-VC
Ngx.Var.Host
XkeyRZ
X-CACHE-KEY
X-Proxy-CacheRZ
X-LB-NoCache
Servername
X-NC
X-Parent-Response-Time
X-Ah-Environment
X-TIME
Path
Ms-Author-Via
X-Cache-ASPX
X-Contensis-Viewer-Groups
X-Webstats-RespID
Env
X-Edge-Pop
X-From
X-Servedbyhost
X-Mvc-Supplant-OutputCached
X-Udemy-Cache-App-Namespace
X-Srv
X-Tb-Optimization-Total-Bytes-Saved
X-RateLimit-Reset
X-Location
X-Generated-In
Memory
Time
X-Clientip
X-Varnish-Authentication
Lb
X-Tec-Api-Version
X-TraceId
X-Tec-Api-Origin
X-Amz-Meta-Cb-Modifiedtime
X-Via-Poph
X-API-Version
X-Via-Popn
Locid
X-Tec-Api-Root
X-Via-Popv
Ohc-Cache-HIT
ITXSESSIONID
X-Varnish-Beresp-TTL
X-Men
X-Response-By
GeoIp-Country-Code
X-S-Maxage
Arc-Country
X-Vc
AMP-Access-Control-Allow-Source-Origin
X-Presslabs-Stats
X-Dmc
X-Akamai-Transformed
X-Old-Content-Length
True-Client-IP
X-RSL
X-RPS
Server-ID
X-Date
X-HA-Backend
Geoip-Latitude
X-RPM
X-Accel-Expires-Debug
X-DI
X-DSS
X-DB
X-DW
Client
X-Zone
X-VCL-Version
X-Cs
X-VHOST
X-DynaTrace-JS-Agent
X-TRACE-ID
X-Trace-ID
Hostname
X-Render-Time
X-Fpc
X-MSEdge-Features
X-MSEdge-Flight
X-URL
C-Via
X-GeoIP-Region-Code
X-INCAP-ABP
X-GeoIP-Country-Code
Rip
X-DC
X-Gateway-Request-Id
X-Service
X-Gateway-Skip-Cache
Click-Count-Action-Start
Click-Count-Error
Tube-Get-Contents
FSS-Cache
Tube-Return
X-Cache-Debug
X-Gateway-Cache-Status
X-Gateway-Cache-Key
Tube-Got-Results
Tube-Got-Eval
Fusion-Source
Fusion-Content-Id
Fusion-Component-Id
Fusion-Template-Id
Fusion-Content-Source
Fusion-Deployment-Id
Esi-Enabled
X-FireWall-Port
NtCoent-Length
Powered-By
X-Webkit-Csp-Report-Only
X-Api-Version
X-NGINX-Cache
X-TX-ID
X-M-Reqid
X-B3-Spanid
CacheControlHeader
On-Server
HIT
X-PX
X-Qnm-Cache
X-M-Log
X-Action
Srv
X-Alfa-Service
X-Edge-Origin-Shield-Bytes
X-CSRF-TOKEN
True-Client-Country-4JS
Tcn
Test
X-Edge-Origin-Shield-Region
X-TH-Server
X-Backend-TTL
X-Cdn-Request-ID
X-Proxy-Cache-Hk
X-FPC
OT-Force-Account-Verify
X-Traceid
Cdn
Server-Id
X-Beluga-Record
X-Beluga-Cache-Status
X-HS-Status
X-Beluga-Response-Time
User-Agent
X-Beluga-Node
X-Vcl-Version
Edge-Cache
Geo-Info
X-Check-Cacheable
X-Beluga-Trace
X-Beluga-Status
X-Akamai-Pragma-Client-IP
X-Pass-Why
GeoIP-Latitude
GeoIP-Country-Code
X-Req
X-Varnish-Beresp-Ttl
X-Origin-Upstream-Status
X-Via-PopV
My-App
Proxy-Connection
Srvid
Resin-Trace
Uri
X-Via-PopN
X-Via-PopH
X-App
X-Ha-Backend
X-CLOUD-TRACE-CONTEXT
DT-Hot-News
Server-Ttl
X-APP
Sid
MIME-Version
Cf-Int-Pingora-Origin-Digest
M-TraceId
X-Up
X-Bip
X-Thanos
X-Hcs-Proxy-Type
X-ServedByHost
X-CCDN-Origin-Time
X-CCDN-CacheTTL
Epwk-X-Cache
WebServer
X-Cdn-Forward
X-LB-ID
ENV
X-Fastly-Backend-Reqs
X-Request-Start
True-Client-Ip
X-Backend-Host
X-Esi
X-ID
Warning
X-Provided-By
X-B3-Traceid-Primal
X-Li-Fabric
X-Li-Pop
X-LI-UUID
X-LI-Proto
X-Geo
X-Edge-POP
X-Lb-Nocache
XServer
ServerName
X-HostName
Dt-Hot-News
X-ElasticPress-Query
X-HITS
X-Vercel-Cache
X-Vercel-Id
PICS-Label
X-Akamai-Request-ID
X-UnsetCookies
X-CACHE-AGE
X-Nc
X-Serial
X-RAMCache
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
X-Dw-Trace-Id
X-Webkit-CSP-Report-Only
Section-Io-Origin-Status
CF-Cached-On
Section-Io-Id
X-CF-Powered-By
X-Newrelic-App-Data
X-Fetch-By
Magicmarker
Fastly-Drupal-HTML
X-LiteSpeed-Cache-Control
X-Yottaa-OS
X-CMSURLCustom
X-Request-Url
X-ND-Cache
X-Vcache
X-IN-APIGATEWAYSSL
X-Iplb-Instance
X-Iplb-Request-Id
D-Url-Rewrites
X-IN-APIGATEWAY
Inserted-Into-Cache-At
X-Varnish-Beresp-Status
X-Time-Microsecs
X-Cc-Via
Canary
WZWS-RAY
Servedby
Cdn-Cache
Wp-Super-Cache
Cdn-Requestid
Cdn-Uid
Cdn-Pullzone
Cdn-Requestcountrycode
Cdn-Edgestorageid
Cdn-Cachedat
X-MiniProfiler-Ids
X-Snapshot-Date
Vha6-Origin
X-LiteSpeed-Tag
CountryCode
X-Back
X-Th-Server
X-Storefront-Renderer-Verified
Content-Style-Type
Content-Script-Type
X-BBC-Origin-Response-Status
X-Release
X-Request-URL
Cf-Device-Type
Fastcgi-Cache-Ttl
X-Fastly-Cache-Hits
X-Wp-Cf-Super-Cache
X-Azure-Ref-OriginShield
X-CUA
X-Dist-Code
DataCenter
X-Wp-Cf-Super-Cache-Cache-Control