Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
Content-Length
X-Frame-Options
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
X-Powered-By
Pragma
CF-Cache-Status
Link
ETag
Expect-CT
Via
Age
X-Cache
CF-RAY
X-XSS-Protection
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-Xss-Protection
X-Cache-Hits
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
P3P
CF-Ray
X-UA-Compatible
X-Served-By
Alt-Svc
X-Varnish
X-Request-Id
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-FRAME-OPTIONS
X-Drupal-Cache
X-Check
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Cacheable
X-Permitted-Cross-Domain-Policies
X-Generator
X-Cache-Status
X-DNS-Prefetch-Control
P3p
Timing-Allow-Origin
X-Ua-Compatible
X-Iinfo
X-Template
X-Language
Status
Upgrade
X-AspNetMvc-Version
X-Content-Security-Policy
X-CDN
X-Buckets
Content-Encoding
Access-Control-Expose-Headers
X-Request-ID
Access-Control-Max-Age
X-Kinja-Server-Push
Keep-Alive
X-Via
X-AH-Environment
X-Turbo-Charged-By
X-Envoy-Upstream-Service-Time
X-Drupal-Dynamic-Cache
X-Cache-Group
X-Pass-Why
X-Ws-Request-Id
X-Backend
X-Age
X-Server
EagleId
X-Proxy-Cache
X-Amz-Id-2
X-Amz-Request-Id
X-Robots-Tag
Xkey
X-Page-Speed
X-Hacker
X-Server-Powered-By
Feature-Policy
X-Pingback
Server-Timing
Request-Context
X-Swift-SaveTime
X-Swift-CacheTime
X-Nginx-Cache-Status
Ali-Swift-Global-Savetime
Grace
X-Varnish-Cache
X-UA-Device
X-Amz-Version-Id
Cf-Railgun
Report-To
X-OneAgent-JS-Injection
X-LiteSpeed-Cache
X-Server-Id
X-Rq
X-Device
X-Origin-Cache
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Vhost
EagleEye-TraceId
X-Host
X-Backend-Server
X-Node
NEL
X-Response-Time
X-Dispatcher
X-Ac
X-WebKit-CSP
X-Cache-Lookup
X-Origin-Upstream-Status
X-Readtime
Surrogate-Control
Request-Id
X-Dns-Prefetch-Control
X-Ruxit-JS-Agent
Content-Location
X-Application-Context
Fusion-Content-Id
Fusion-Template-Id
Fusion-Content-Source
Fusion-Component-Id
Fusion-Source
X-HW
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
X-DataDome
X-Cnection
X-Country
X-Mod-Pagespeed
X-Url
X-Akam-SW-Version
Edge-Control
X-Cloud-Trace-Context
Rating
X-Rack-Cache
X-Clacks-Overhead
RTSS
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-FTR-Request-ID
X-Vname
X-TtlSet
X-PC
X-Goog-Hash
X-Country-Code
X-Varnish-TTL
X-DynaTrace
X-ASPNET-VERSION
X-Instart-Request-ID
Service-Worker-Allowed
Verso
X-GitHub-Request-Id
Allow
Fusion-Deployment-Id
Content-MD5
X-D2id
X-MS-InvokeApp
X-Kinja-Revision
X-Exp-Id
X-Kinja-Server
X-Use-Magma
X-Exp-Variant
X-GoogleNews-Bot
X-Kinja
X-Cdn-Fetch
X-Kinja-Build
Accept-CH
Pinterest-Generated-By
SPRequestGuid
X-Cached
X-Powered-By-Plesk
X-Navigation-Version
X-Forwarded-Proto
X-Server-Name
X-Vcache
X-Trace
TCN
X-Abt-Application-Version
X-Amz-Server-Side-Encryption
X-Amz-Rid
X-SharePointHealthScore
X-TEC-API-VERSION
X-TEC-API-ROOT
X-TEC-API-ORIGIN
Public-Key-Pins
X-ESI
X-Ttl
X-Fastly-Request-ID
Accept-CH-Lifetime
Nginx-Cache
X-Debug
X-MSEdge-Ref
X-Vcap-Request-Id
X-VARITI-CCR
Arr-Disable-Session-Affinity
SPIisLatency
SPRequestDuration
MS-Author-Via
Charset
X-Accel-Expires
X-Cache-TTL
X-NF-Request-ID
X-Px
X-B3-TraceId
Display
Pagespeed
X-Middleton-Response
Response
X-Middleton-Display
X-Content-Type
Realpath
NR-ENABLED
X-Sol
X-DynaTrace-JS-Agent
Edge-Cache-Tag
X-Client-IP
X-Ser
Cache-Tag
X-SRCache-Fetch-Status
X-SRCache-Store-Status
Access-Control-Request-Method
S
X-Id
X-Powered-CMS
Front-End-Https
X-Version
X-Fastcgi-Cache
X-Grace
X-Pinterest-Rid
Pinterest-Version
X-Hp-Webp
X-Jurisdiction
X-Upstream
AR-Request-ID
AR-PoweredBy
AR-ATIME
X-Webkit-Csp
X-T
X-Hits
X-Element-Page-Cache
X-Amz-Meta-S3cmd-Attrs
X-Content-Digest
X-Shield-Request-Id
X-Dw-Request-Base-Id
WPE-Backend
DynaTrace
X-Mrf-Item-Lastmod
X-Mrf-Section-Lastmod
MRF-Tech
X-B3-TraceId-Primal
Mrf-Cache-Status
Ar-Sid
Accept-Ch
AR-CACHE
Fastcgi-Cache
X-Node-Name
X-Server-ID
X-Cache-Hit
ServerID
X-Forwarded-For
X-Mobile-URL
X-Recruiting
X-FTR-Backend-Server
X-FTR-Cache-Status
X-FTR-DC
X-FTR-Balancer
X-FTR-Backend
X-Country-Code-Real
X-FTR-Realm
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-Goog-Metageneration
X-Goog-Generation
X-Goog-Storage-Class
X-GUploader-UploadID
Powered
Server-Node
X-XRDS-Location
X-Correlation-Id
X-HS-Cache-Config
AMP-Access-Control-Allow-Source-Origin
PB-PID
PB-RID
X-Frontend
X-HS-Content-Id
TP-Cache
X-HS-Hub-Id
TP-L2-Cache
X-FTR-Expires
X-DIS-Request-ID
X-Mobile-Rewrite
Arc-Version
X-Request-Received
X-Request-Processing-Time
Upgrade-Insecure-Requests
Accept-Ch-Lifetime
Refresh
X-Ezoic-Cdn
X-Shard
X-HS-Combine-CSS
X-Amzn-Trace-Id
Alternate-Protocol
X-NWS-LOG-UUID
Server-Name
X-Request-Handler-Origin-Region
X-Microsite
X-Logged-In
Host-Header
X-Varnish-Age
X-Geo-Country
Fastly-Restarts
X-Page-Id
X-FTR-Cache-Host
X-LB-Cache
X-N
X-F-Cache
X-Akamai-Edgescape
X-B
X-User-Agent
X-Rid
Backend-Timing
X-ATS-Timestamp
X-TTL
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-Content-Security-Policy-Report-Only
MicrosoftSharePointTeamServices
X-Aspnetmvc-Version
X-Via-JSL
X-Zen-Fury
Healthy
X-Kinsta-Cache
X-ORACLE-APMCS-TAG
X-ORACLE-APMCS-REQUEST-ID
X-FastCGI-Cache
Host
X-Origin-Server
X-Varnish-Grace
X-XRDS-LOCATION
X-Request-Guid
Cache-Status
X-Cache-Key
Fastcgi-Useragent
X-Hostname
X-Jobs
X-Signature
X-Content-Options
X-Git-Hash
X-Instance
X-ATG-Version
X-B-Cache
X-TT
X-B3-Sampled
X-AOL-HN
Section-Io-Cache
X-Whom
X-FB-Debug
X-App-Environment
X-Varnish-Backend
X-Type
X-Amz-Replication-Status
Paypal-Debug-Id
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Revision
X-Cache-Action
Actual-Object-TTL
X-Debug-Info
X-Tumblr-User
Access-Control-Allow-Method
Frame-Options
X-Seen-By
X-WebKit-CSP-Report-Only
X-Cluster
X-Cache-Age
X-Cache-Rule
X-Cache-Operation
Liferay-Portal
X-Content-Powered-By
X-Endurance-Cache-Level
Trailer
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Contextid
Source
X-Esi
X-AppVersion
X-Activity-Id
X-Amz-Apigw-Id
X-Az
Tracecode
X-Daa-Tunnel
X-PHP-Backend
X-Tt-Trace-Host
X-Host-Name
X-Tt-Trace-Tag
X-FireWall-Port
X-SERVER
X-Framework
X-WA-Info
X-Upgrade-Enabled
X-IPLB-Instance
Accept-Charset
Retry-After
DC
X-Mobile
NGB
X-Accel-Buffering
X-Response-Served-From
From-Origin
X-RemovedCookies
X-ProcessESI
X-Cached-By
Srv
X-Amzn-Requestid
X-UUID
X-Is-Bot
X-Rendered-As
X-Adobe-Loc
X-Adobe-Content
X-Cacheable-TTL
X-RateLimit-Remaining
Surrogate-Key
Payment
X-FW-Hash
X-FW-Static
X-FW-Type
X-FW-Serve
X-FW-Server
X-Cache-NE
Eomportal-Instance
X-GeoIP
X-Region
X-Environment-Context
X-Tumblr-Pixel-1
X-Varnish-Server
X-Tumblr-Pixel-2
X-RequestSource
X-L-Path
X-UA-Device-Type
X-Handled-By
Filters
Xserver
X-B3-Traceid
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
X-Wix-Request-Id
X-Presslabs-Stats
X-Time-Microsecs
X-Origin-Response-Time
X-Cache-TTL-Remaining
X-Varnish-Hostname
X-APP-VERSION
X-Unique-Id
Filterid
X-Srv
X-Proxy
X-NGENIX-Cache
X-Cache-Server
X-EdgeConnect-Cache-Status
X-Webkit-CSP
Datacenter
MS-CV
X-Akamai-Transformed
X-Backend-Name
X-Cache-Time
X-Cache-Control
Server-Info
Version
X-Cache-2
Cache-Tv-Group
X-Status
X-Mode
X-Cache-Enabled
S-Cnection
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-PressLabs-Stats
X-CCM
X-Cache-Var-Map
X-Cache-Var
X-Path-Route
X-ES-SERVER
Meta-Geo
X-Oss-Hash-Crc64ecma
X-Oss-Object-Type
X-TNCMS
X-Oss-Server-Time
X-Oss-Request-Id
X-Oss-Storage-Class
X-Detected-As
Ec-Rule-Version
X-TIME
Webserver
X-IP
X-RN-RSRV
X-Loop
X-Say-Cacheable
ServedBy
X-Redis-Cache
S-Rt
X-Adobe-Source
X-R9-Blue-Green-Version
X-ApacheServer
X-Debug-Cache
X-PERF
X-Human
X-Real-IP
X-Web-Node
X-Forwarded-Host
X-Proto
Country
X-Say-TTL
X-FC-Vary-Parameters
OT-Force-Account-Verify
X-FW-Dynamic
X-Via-Fastly
X-SayCDN-TTL
Cache-Tags
X-TX-ID
Cleartype
X-Hl-Ver
Cache-Key
Access-Control-Request-Headers
X-ServerID
Content-Disposition
X-AWS-Id
Webcakes-App-Name
X-Cache-Status-Check
NGX
Section-Origin-Responded
Section-Io-Origin-Time-Seconds
X-Device-Type
Section-Io-Origin-Status
X-ShardId
X-RCS-CacheZone
X-Akamai-Request-ID2
X-EIG-Tracking-Id
Odigeo-Trace-Id
Section-Io-Id
X-Cache-Config
X-Alternate-Cache-Key
Origin-Edge-Control
TWC-Privacy
Webcakes-Region
X-Amzn-Remapped-Content-Length
Decoy-Debug-Key
Webcakes-App-Version
X-Locale
X-ProxyCache-Status
X-LJ-Flow-ID
Decoy-Debug-Status
X-ProxyCache-Key
X-Hosted-By
TWC-Device-Class
X-Origin
X-Origin-Hint
Cache-Hits
X-Pubstack
TWC-GeoIP-Country
TWC-GeoIP-LatLong
DB-Nickname
X-Proxy-Cache-Status
TWC-Locale-Group
X-ShopId
Decoy-Debug-TTL
X-Soup
X-Tb
TWC-Connection-Speed
Property-Id
X-Sorting-Hat-ShopId
X-Sorting-Hat-PodId
X-Shopify-Generated-Cart-Token
X-Shopify-Stage
X-Site-Version
Origin-Cache-Control
X-BYPASS-REASON
X-Vgn-Hpd-Reason
Now
Akamai-GRN
X-CST
X-Goog-Meta-Goog-Reserved-File-Mtime
X-Generated
X-VWS-Id
X-JoinUs
X-Proxied
X-Content-Age
X-MP-GENERATED-AT
X-Format
X-Proxy-Build
X-FB-TRIP-ID
X-Timing-Wait
X-Www-Served-By
X-Xfnlog-Site
X-BCube-Filmed-By
X-NYM-Debug-Backend
X-Cache-Remote
X-Zipkin-Id
Azure-InstanceId
Azure-Version
Azure-SlotName
Azure-SiteName
Azure-RegionName
X-NCache
X-HTML-Minification-Powered-By
Cross-Origin-Window-Policy
Mn-Server-Ip
Selected-Fe
X-Access
X-Routing-Service
X-Request-Time
X-Section
X-SaId
X-Viewer-Country
X-Ua-Device
Node
X-Amzn-RequestId
X-Rule
X-Backend-TTL
GEO-INFO
X-Cache-NGX
X-No-Session
X-Microcachable
X-Varnish-Hits
X-Akamai-Request-ID
X-Pad
X-EC-Lua
X-Cdn
X-NewRelic-App-Data
X-Generated-By
X-IPS-LoggedIn
Accept-Language
X-Drupal-Cache-Tags
X-Geo
Nel
Cf-Ipcountry
X-From
Time
X-NWS-UUID-VERIFY
X-CF-Powered-By
X-Azure-Ref
X-RateLimit-Limit
X-NC
Ms-Operation-Id
X-RTag
X-Source
X-Dc
X-Uri
X-Old-Content-Length
User-Agent
X-CACHE-KEY
X-VCT
X-PHP-Host
X-Labrador-Cache-Channel
FilterID
Uber-Trace-Id
X-PCL
X-OCL
X-Qloud-Router
X-Cache-Grace
Cache-Name
X-Varnish-Cache-Hits
X-Nginx-Cache
X-Time
X-GoCache-CacheStatus
X-Newrelic-Synthetics
X-CS
Proxy-Connection
X-App-Server
X-Hyper-Cache
Geo-Info
X-Drupal-Cache-Contexts
X-SS-Set-Cookie
X-Info
Cache
Viewtype
True-Client-Country-4JS
VivaBuild
Request-EU
ServerName
Rendered-Blocks
Request-Country
T-Server
Machine
Apple-News-Services-Parsed-Url
Apple-News-Services-Request-Url
Apple-News-Services-Host
Apple-News-Services-Handled
X-MCACHE
A
Arc-Country
AsisCache
MD5-Digest
Meta-Geo-Continent
GEO-REGION-INFO
Fastcgi-X-Cache-Version
BehaviorPad-Version
Mobile-Detection-Method
X-CF-Lambda-Fn
X-Rojux
X-S
X-S-Cookie
X-ScT
X-Rocket-Nginx-Bypass
X-Rewrite-Enabled
X-Reboot
X-Region-Sid
X-Request-URI
X-Request-UUID
X-Session-Fingerprint
X-SRCache-Key
X-VG-WebServer
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Xc-Version
X-VG-WebCache
X-Vdms-Version
X-Transaction
X-Trv-Group
X-Twitter-Response-Tags
X-Processor
X-PAYTM-SRV-ID
X-Aed
X-Application
X-ARC
X-B-Cookie
X-Accel-Expires-Debug
X-A-Wwc
X-A-Ccd
X-A-Dam
X-A-Dcw
X-A-Dgt
X-Cdn-Srv
X-Edge
X-DPWN-IS-SECURE
X-External-Request-Id
X-G
X-GeoIP-Country-Code
X-Destination
X-Date
X-CF-Lambda-Version
X-Connection-Hash
X-D
X-A
X-Developer
X-Edge-Location
X-Storage
User-Cache-Control
X-Magnolia-Registration
X-Cluster-Name
Thinkindot-Control
X-JWT-State
Thinkindot-CacheControl-Type
X-ServiceProvider
X-Served-From
X-Servername
X-CDN-Forward
Web-Mar-Node
Viewport
X-Slack-Backend
N-Cache
X-Trafficlayer-App-Version
X-ECACHE
X-VG-TLSProxy
X-VServer
X-Trafficlayer-App-Scope
X-Trafficlayer-App-Name
X-Sn-Servicetimems
Server-Host
Rt-Fastcgi-Cache
X-Thinkindot-L3
X-Request-Host
X-Block-Status
X-Li-Fabric
X-GeoIP-City
X-Geo-Header
X-Generated-On
X-Has-Esi
X-Level-Front-Cache
X-Is-Gdpr
X-IN-APIGATEWAYSSL
X-IN-APIGATEWAY
X-Hnp-Log
X-Gen-Mode
X-Li-Pop
X-Cdn-Origin
X-Cache-Expired-At
Memcached
X-Backend-State
X-Core-Value
X-DevSite-Last-Modified
X-LI-Proto
X-LI-UUID
X-Matched-Rule
X-Pinterest-Direct
Thinkindot-CacheControl
Content-Style-Type
Content-Script-Type
X-FW-Version
X-Cache-Bucket
Cache-Cookie-Set-From
Cache-Cookie-Set-Lfrom
Cache-Cookie-Set-Idcheck
X-Varnish-Beresp-Status
X-S-Maxage
X-Varnish-Beresp-Grace
X-Proxy-Upstream
X-Platform-Server
X-Cms-Context
X-Cluster-Node
X-Clientip
X-OVcl
X-Core-Mission
X-CGP
X-Owner
X-CUA
X-Irp-Debug
X-OVcl-Cache
X-Cache-Tags
X-Fmm-Version
X-Bc-Bl
X-Req
X-Fastly-Cache
X-Agile-Id
X-App-Name
X-Bip
AKAMAI
X-Rebelmouse-Cache-Control
X-RateLimit-Remaining-Second
Adler-Geo
X-Debug-Cookies
X-Cache-FS-Status
X-Rebelmouse-Surrogate-Control
X-RateLimit-Limit-Second
X-Origin-Expires
X-Gamma-Serve
X-Generated-In
X-Varnish-Authentication
X-Tumblr-Pixel-3
X-TrackingId
X-Fetched-On
X-Server-W
X-WADP-Cache
X-We-Are-Hiring
X-LAGOON
X-Instart-Info
X-Instart-Isnd
X-Wikidot-Static-Cache
X-Wikidot-Backend
X-Webstats-RespID
X-Hash
X-Logging-Id
X-Eu-Site
X-APP
X-NX-Host
X-Dispatch
X-Device-Os
X-Developers
Fastly-SWR
X-Origin-Date
X-Dispatcher-Server
X-Distil-CS
X-Ms-Request-Id
X-Epic-Correlation-Id
X-Micro-Cache
X-Ms-Version
X-Nginx-Cache-Key
X-Distributor
X-NodeID
X-Debug-Log
X-Agile-Age
Mail-Subject
X-VC-Cache
X-Varnish-Cacheable
Fastly-Drupal-HTML
Fastly-SIE
Locale
Locid
X-Variation
X-BBXSRF
X-TT-TIMESTAMP
X-Agile
Countrycode
X-Urbn-Context-Path
Platform
X-Var-Ttl
X-Urbn-Site-Id
L5d-Success-Class
X-Backend-Host
On-Server
X-Auto-Login
Gh-Request-Id
SD-X-WS
Server-Cache-Control
FNAC-ModuleRouting
Server-Surrogate-Control
Group
Ha-Gx-Prefs
IsBot
Kp-EeAlive
Is-Eu
X-WebServer
HA-Ipaddr
Heartbleed
X-Trace-Id
X-Cache-ASPX
We-Hiring
Wxu-Next-Commit
Country-Code
X-Sigma-Backend
Cache-Host
X-SIPLIST1
Wxu-Next-Hostname
Wxu-Next-Region
X-Debug-Cache-Store
X-Rocket-Build-Number
X-Scheme
X-Debug-Cache-Fetch
X-Sigma
X-Debug-Cache-Expiry
V-Age
W
RNT-Machine
Server-ID
RNT-Time
X-Swa-Ws
X-Skip-Cache
X-SN
X-Thanos
CDCHOST
X-Contensis-Viewer-Groups
X-Clara-WADP
X-Cache-URL
X-Cache-Info
Proxy-Firewall
X-Response-By
X-Hit
X-Generation-Time
PFcat
X-Sucuri-ID
X-UnsetCookies
X-C
X-Varnish-Beresp-Ttl
X-UA
Vix-Hermes-Req-Id
X-Refresh
CF-Cached-On
X-Mid
X-CSRF-Token
X-Node-Id
X-FORWARDED-FOR
X-RESPONSE-TIME
Mime-Version
Request-Time
X-Cache-PHP
X-SERVER-NAME
X-Vdms-Path
NM-Fastcgi-Cache
Powered-By-ChinaCache
X-CLOUD-TRACE-CONTEXT
X-TA-CDN-Provider
X-Varnish-URL
M-TraceId
X-B3-Spanid
Pramga
X-Parent-Response-Time
X-Lb-Id
X-Ua
X-DC
X-ND-Cache
Pagetype
X-Nc
X-Service
Sever-Int
X-VCache
Origin
Cloudfront-Viewer-Country
Server-Hostname
Server-Ext
X-Wa
HitType
X-MSEdge-Features
PICS-Label
X-MSEdge-Flight
X-Varnish-Ttl
HostName
X-FPC
X-Load-Cache
Environment
X-Method
X-Pjax-Url
X-Worker
Magicmarker
X-Protected-By
X-Via-PopV
X-Via-PopH
X-SRV
X-Ratelimit-Remaining
X-Envoy-Upstream-Healthchecked-Cluster
X-Branch-Name
X-Request-Start
X-App-Version
X-HS-Status
X-C-Zone
X-C-Key
X-Be
X-GEO
X-Wix-Viewer-Type
Memory
Geoip-Latitude
X-Policy
Fastly-Backend-Name
Geoip-City
X-Up
Dt-Cache-Category
X-Servedbyhost
GeoIp-Country-Code
X-Zone
X-Planisys-CDN-Rules
X-ECache
X-Bc
X-Planisys-CDN-TTL
X-Origin-CC
X-Planisys-CDN-Cache
X-BACKEND-TTL
X-Origin-TTL
Hostname
X-URL
X-CSRF-TOKEN
XServer
X-Newrelic-App-Data
X-Myra-Origin2
X-Azure-Ref-OriginShield
NtCoent-Length
Esi-Enabled
X-VCL-Version
X-Server-Time
Pragrma
Cteonnt-Length
X-Referer
Who
Cdn-Host
X-Reqid
X-TT-LOGID
Cdn-Request-Time
Ttl
X-Edge-Server
X-Litespeed-Cache
X-Edge-O15-RID
X-Cdn-Forward
X-Cache-Metadata
X-Via-Ucdn
TTL
X-Correlation-ID
X-Cache-Host
Cdn
X-Dynatrace-Js-Agent
SRV
Lb
X-Country-IP
X-Fastly-Country-Code
X-Oneagent-Js-Injection
X-Vcl-Version
Cdnsip
UCS
X-NU-AKA-ACS-Version
Resin-Trace
GeoIP-Country-Code
Cdncip
X-AK-Request-ID
Release
X-Ratelimit-Limit
X-ServedByHost
X-Pf-Uncompressing
X-SVT-ORM-VERSION
X-ZONE
Load-Balancing
X-BC
GeoIP-City
X-SVT-ORM-RULES
GeoIP-Latitude
Product
X-NGINX-Cache
CACHE
X-Air-Hostname
X-Swift-Error
Ohc-File-Size
X-AIR-PT
X-Tec-Api-Version
X-Esi-Check
X-Tec-Api-Root
X-Tec-Api-Origin
X-Cache-Id
X-Configured-By
Sid
X-Ruxit-Js-Agent
LB
X-Server-IP
X-Node-ID
X-TH-Server
X-Gzip
X-COUNTRY
X-WPE-Loopback-Upstream-Addr
X-Datadome
X-Cache-Debug
FSS-Cache
Dnion-Transfer-Encoding
RequestId
X-Tb-Optimization-Total-Bytes-Saved
X-PJAX-URL
Pics-Label
IBM-Web2-Location
Ohc-Cache-HIT
Warning
X-BE
X-Fpc
MIME-Version
C-Via
X-VarnishDD-TTL
X-WA
X-B3-SpanId
X-RAMCache
Server-Int
X-Powered-Y
X-Svr
X-Fastly-Backend-Reqs
X-Fastly-Request-Id
X-Location
My-App
X-Varnish-Beresp-TTL
X-Varnish-Url
Powered-By
Lfy
X-Ocache
X-Sucuri-Cache
X-Apw-Access-Object
X-Mvc-Supplant-Cachable
X-PF-Uncompressing
X-SD-PageType
X-UPSTREAM-Address
X-Apw-Access-Action
X-Apw-Access-Token
X-MID
X-Apw-Hits
X-Unique-ID
X-Zalando-Child-Request-Id
Xet-Cookie
X-ElasticPress-Search
Amp-Access-Control-Allow-Source-Origin
Fastly-SSL
X-ElasticPress-Query
Fastly-Soc-X-Request-Id
X-LiteSpeed-Cache-Control
Cneonction
X-Page-Impression-Id
X-Mvc-Supplant-OutputCached
X-Agile-Brick-Ok
Requestid
X-Cache-Backend
X-Flow-Id
CF-IPCountry
X-DB
X-DSS
X-DI
X-DW
X-Aicache-OS
X-Action
X-B3-Parentspanid
X-RSL
X-Check-Cacheable
X-Nananana
L
X-RPS
X-Debug-Controller
X-RPM
CDN
X-Debug-Revision
X-Compress-Hint
X-Sucuri-Id
X-Request-Url
URI
X-Dw-Trace-Id
X-Fastly-Cache-Hits
DataCenter
X-Flog
SN
X-ABtesting
CloudFront-Viewer-Country
X-LB-ID
X-MiniProfiler-Ids
X-Hello
X-Request-URL
FSS-Proxy