Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
Link
CF-Cache-Status
X-Powered-By
Pragma
ETag
CF-RAY
Expect-CT
X-XSS-Protection
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
P3P
Referrer-Policy
X-Cache-Hits
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-UA-Compatible
X-Xss-Protection
X-Served-By
Alt-Svc
X-Request-Id
X-Varnish
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-Drupal-Cache
X-Check
Content-Security-Policy-Report-Only
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Generator
X-Cache-Status
CF-Ray
X-Cacheable
X-Kinja-Server-Push
X-DNS-Prefetch-Control
Timing-Allow-Origin
X-Template
X-Language
X-FRAME-OPTIONS
X-AspNetMvc-Version
X-Iinfo
X-Ua-Compatible
X-Buckets
Status
X-Content-Security-Policy
X-CDN
Content-Encoding
Upgrade
Access-Control-Expose-Headers
X-Envoy-Upstream-Service-Time
Access-Control-Max-Age
Keep-Alive
X-Via
X-Drupal-Dynamic-Cache
X-Ws-Request-Id
X-Request-ID
X-AH-Environment
X-Server
X-Turbo-Charged-By
X-Backend
X-Age
P3p
X-Cache-Group
X-Robots-Tag
X-Proxy-Cache
Feature-Policy
Xkey
Request-Context
X-Amz-Request-Id
X-Amz-Id-2
EagleId
X-Hacker
X-Page-Speed
X-UA-Device
X-Server-Powered-By
X-Nginx-Cache-Status
X-Pingback
Grace
Server-Timing
X-Varnish-Cache
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
Report-To
X-LiteSpeed-Cache
X-Amz-Version-Id
X-WebKit-CSP
Cf-Railgun
X-Dns-Prefetch-Control
X-Server-Id
X-Rq
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Origin-Cache
EagleEye-TraceId
X-OneAgent-JS-Injection
X-Host
X-Device
Surrogate-Control
X-Response-Time
X-Vhost
X-Backend-Server
X-Cache-Lookup
X-Ac
X-Readtime
X-Origin-Upstream-Status
X-Node
NEL
X-Dispatcher
X-HW
Fusion-Template-Id
Fusion-Content-Source
Fusion-Component-Id
Fusion-Source
Fusion-Content-Id
Request-Id
X-Mod-Pagespeed
Content-Location
X-DataDome
X-Application-Context
X-ORACLE-DMS-ECID
X-Akam-SW-Version
Fusion-Deployment-Id
X-Country
X-ORACLE-DMS-RID
Allow
X-Ruxit-JS-Agent
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Cloud-Trace-Context
Rating
X-Country-Code
X-Cnection
X-Url
Edge-Control
X-Clacks-Overhead
X-Rack-Cache
X-Pass-Why
X-Px
RTSS
X-FTR-Request-ID
MS-Author-Via
Accept-CH
X-PC
X-Vname
X-TtlSet
X-Goog-Hash
X-Powered-By-Plesk
Verso
X-B3-TraceId
Service-Worker-Allowed
Accept-CH-Lifetime
Public-Key-Pins
X-GitHub-Request-Id
X-Kinja-Server
X-Use-Magma
X-Kinja
X-GoogleNews-Bot
X-Exp-Variant
X-Exp-Id
X-Kinja-Build
X-Cdn-Fetch
X-Kinja-Revision
X-Varnish-TTL
X-MS-InvokeApp
Arr-Disable-Session-Affinity
X-DynaTrace
Pagespeed
X-Middleton-Display
Response
X-Sol
X-Forwarded-Proto
Display
X-Middleton-Response
X-Amz-Server-Side-Encryption
X-Cache-TTL
X-D2id
X-Amz-Rid
X-CST
Accept-Ch
TCN
X-Abt-Application-Version
X-Vcap-Request-Id
Pinterest-Generated-By
X-NF-Request-ID
X-Content-Type
X-VARITI-CCR
X-Cached
X-Ttl
X-Navigation-Version
AR-ATIME
AR-Request-ID
X-ESI
AR-PoweredBy
Cache-Tag
Accept-Ch-Lifetime
X-Fastly-Request-ID
Ar-Sid
AR-CACHE
X-Version
X-Server-Name
X-Instart-Request-ID
X-Upstream
X-Grace
X-Powered-CMS
X-Debug
X-MSEdge-Ref
X-Accel-Expires
X-TEC-API-ORIGIN
Access-Control-Request-Method
X-TEC-API-VERSION
X-TEC-API-ROOT
Host-Header
Nginx-Cache
Charset
SPIisLatency
SPRequestDuration
S
Content-MD5
Realpath
X-SRCache-Store-Status
X-SRCache-Fetch-Status
Mrf-Cache-Status
X-B3-TraceId-Primal
X-Mrf-Section-Lastmod
MRF-Tech
X-Mrf-Item-Lastmod
X-SharePointHealthScore
SPRequestGuid
X-Ezoic-Cdn
X-Element-Page-Cache
X-DynaTrace-JS-Agent
X-Client-IP
X-XRDS-Location
X-FastCGI-Cache
Pinterest-Version
X-Pinterest-Rid
X-Shield-Request-Id
X-Jurisdiction
X-Hp-Webp
X-Cdn
X-Dw-Request-Base-Id
X-Id
X-Trace
X-Recruiting
X-Oneagent-Js-Injection
X-Amz-Meta-S3cmd-Attrs
X-T
X-Kinsta-Cache
X-Node-Name
X-TTL
Fastcgi-Cache
X-Content-Digest
X-Logged-In
X-Cache-Key
X-Server-ID
X-Mobile-URL
X-NWS-LOG-UUID
TP-L2-Cache
TP-Cache
X-ASPNET-VERSION
X-Request-Processing-Time
X-Request-Received
X-Cache-Hit
Server-Node
X-Cache-Age
X-Frontend
ServerID
X-FTR-Realm
X-FTR-DC
X-FTR-Backend-Server
X-Country-Code-Real
X-FTR-Cache-Status
X-FTR-Backend
X-FTR-Balancer
X-Hostname
X-Amzn-Trace-Id
Front-End-Https
Edge-Cache-Tag
X-FTR-Expires
X-Goog-Generation
X-Goog-Metageneration
X-Goog-Stored-Content-Encoding
X-GUploader-UploadID
X-Goog-Storage-Class
X-Forwarded-For
X-Goog-Stored-Content-Length
Fastly-Restarts
Server-Name
PB-RID
Arc-Version
PB-PID
Powered
X-Yandex-Sdch-Disable
DynaTrace
X-Microsite
X-Request-Handler-Origin-Region
X-Zen-Fury
X-DIS-Request-ID
Filters
X-Revision
X-Content-Security-Policy-Report-Only
X-User-Agent
X-Page-Id
X-Akamai-Edgescape
X-Jobs
X-F-Cache
X-LB-Cache
X-Mobile-Rewrite
X-Hits
X-ORACLE-APMCS-TAG
X-ORACLE-APMCS-REQUEST-ID
Accept-Charset
X-Ruxit-Js-Agent
X-HS-Hub-Id
X-HS-Combine-CSS
X-HS-Content-Id
X-HS-Cache-Config
X-Content-Powered-By
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-Geo-Country
X-Origin-Server
X-ATS-Timestamp
X-Varnish-Age
Backend-Timing
AMP-Access-Control-Allow-Source-Origin
X-N
X-B
Alternate-Protocol
X-FTR-Cache-Host
Nel
X-Correlation-Id
X-Via-JSL
MicrosoftSharePointTeamServices
X-Erf-Bev-Bev
X-Varnish-Backend
X-Erf-Bev-Bev-Is-Generated
X-Daa-Tunnel
X-Rid
Cache-Tags
X-Az
X-Activity-Id
X-Litespeed-Cache
X-AppVersion
DC
X-Type
X-WebKit-CSP-Report-Only
X-Amz-Replication-Status
X-FB-Debug
X-TT
X-Whom
Paypal-Debug-Id
Surrogate-Key
Retry-After
X-Git-Hash
X-Ser
X-ATG-Version
X-Fastcgi-Cache
X-Varnish-Grace
Section-Io-Cache
X-Signature
X-B-Cache
X-Debug-Info
X-App-Environment
X-Edge
X-Esi
X-RateLimit-Remaining
X-Status
Host
Actual-Object-TTL
X-Content-Options
Frame-Options
X-App-Server
X-Request-Guid
Fastcgi-Useragent
Healthy
X-AOL-HN
X-Contextid
X-IPLB-Instance
X-Endurance-Cache-Level
X-Amzn-RequestId
X-Seen-By
X-Cache-Action
X-HTML-Minification-Powered-By
Srv
X-Pinterest-Direct
X-B3-Sampled
X-Host-Name
Refresh
X-Upgrade-Enabled
From-Origin
X-ECACHE
X-Tumblr-User
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Amz-Apigw-Id
Access-Control-Allow-Method
X-Instance
X-Response-Served-From
X-RemovedCookies
X-ProcessESI
X-Cache-Rule
X-Drupal-Cache-Tags
X-Accel-Buffering
Source
X-Cache-Operation
X-Region
Odigeo-Trace-Id
X-MCACHE
X-Mid
X-Rule
MS-CV
Eomportal-Instance
X-Protected-By
X-UUID
X-Cacheable-TTL
Payment
VIX-Pulpo-Node
VIX-Pulpo-Upstream-Status
X-Is-Bot
X-Varnish-Server
X-Rendered-As
X-WA-Info
X-FW-Hash
Countrycode
X-Adobe-Content
X-Cache-Time
X-FW-Server
X-FW-Serve
X-Adobe-Loc
X-L-Path
X-PressLabs-Stats
Datacenter
X-Environment-Context
X-FW-Static
X-FW-Dynamic
X-FW-Type
X-Time
X-VCache
Cache-Status
Content-Disposition
X-Cache-Control
Xserver
X-Cache-Server
X-Correlation-ID
X-GeoIP
X-Cached-By
X-Akamai-Transformed
X-Proxy
X-Akamai-Request-ID2
X-XRDS-LOCATION
Uber-Trace-Id
X-UnsetCookies
X-EdgeConnect-Cache-Status
X-Wix-Request-Id
X-Load-Cache
X-Mobile
X-Origin-Response-Time
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Yottaa-Optimizations
X-Yottaa-Metrics
X-Release
Access-Control-Request-Headers
X-PHP-Backend
X-SERVER-NAME
X-Azure-Ref
X-Cluster
NGB
X-Handled-By
Version
X-Mode
Filterid
X-NewRelic-App-Data
X-NGENIX-Cache
X-APP-VERSION
X-Backend-Name
X-Tumblr-Pixel-1
X-Tumblr-Pixel-2
X-IPS-LoggedIn
X-Cache-NGX
Accept-Language
X-Cache-Remote
X-Air-Hostname
X-NWS-UUID-VERIFY
Cache
Liferay-Portal
Meta-Geo
X-RN-RSRV
X-UPSTREAM-Address
Cross-Origin-Window-Policy
X-ES-SERVER
X-URL
X-FireWall-Port
X-Path-Route
Load-Balancing
X-Via-Fastly
X-Cache-Status-Check
X-Framework
X-Adobe-Source
X-Cache-Var
X-CSRF-Token
X-Cache-Var-Map
X-CCM
X-No-Session
X-MP-GENERATED-AT
X-R9-Blue-Green-Version
X-Www-Served-By
X-Locale
X-UA-Device-Type
DSUID
Cache-Hits
X-PCL
X-RTag
X-Site-Version
X-Viewer-Country
X-Storage
X-OCL
X-Bc-Bl
Cleartype
Cache-Name
Ms-Operation-Id
Now
ServedBy
Mn-Server-Ip
X-Real-IP
X-LJ-Flow-ID
X-PERF
X-RequestSource
X-AWS-Id
X-VWS-Id
X-ApacheServer
X-Routing-Service
Webserver
X-Zipkin-Id
X-Proxied
X-Cache-Config
X-BYPASS-REASON
Section-Origin-Responded
X-Alternate-Cache-Key
Section-Io-Origin-Time-Seconds
X-TX-ID
Decoy-Debug-TTL
Decoy-Debug-Status
X-Section
Section-Io-Id
Section-Io-Origin-Status
X-Device-Type
Decoy-Debug-Key
X-Info
X-ShopId
X-ShardId
X-ServerID
X-Shopify-Stage
X-Sorting-Hat-PodId
X-Access
X-Varnish-Cache-Hits
X-Sorting-Hat-ShopId
X-Redis-Cache
X-Format
X-Web-Node
X-Human
X-Hl-Ver
X-NCache
X-ProxyCache-Key
X-Pubstack
X-ProxyCache-Status
X-EIG-Tracking-Id
X-FW-Version
Akamai-GRN
S-Rt
X-Origin
X-Qloud-Router
X-Proxy-Build
X-Ua
X-BCube-Filmed-By
X-SaId
X-Origin-Hint
X-NYM-Debug-Backend
X-FB-TRIP-ID
X-Detected-As
X-Cache-Enabled
X-FC-Vary-Parameters
X-From
X-JoinUs
Selected-Fe
X-Say-TTL
X-Say-Cacheable
TWC-Locale-Group
TWC-Privacy
X-SayCDN-TTL
TWC-GeoIP-LatLong
TWC-GeoIP-Country
TWC-Connection-Speed
TWC-Device-Class
Webcakes-App-Name
Webcakes-App-Version
X-Time-Microsecs
Webcakes-Region
X-CS
Fastly-SSL
Property-Id
X-Timing-Wait
Cache-Tv-Group
X-PHP-Host
X-Labrador-Cache-Channel
X-Loop
X-Content-Age
X-TNCMS
X-IP
X-Generated
X-Amzn-Remapped-Content-Length
DB-Nickname
X-Hosted-By
X-Hyper-Cache
X-Cache-Host
Azure-InstanceId
Azure-RegionName
Azure-Version
Azure-SiteName
Azure-SlotName
Origin-Edge-Control
Origin-Cache-Control
X-Goog-Meta-Goog-Reserved-File-Mtime
X-Geo
Country
Ec-Rule-Version
X-Xfnlog-Site
NR-ENABLED
X-Drupal-Cache-Contexts
WPE-Backend
X-Unique-Id
X-Cache-2
X-Source
Geo-Info
Time
User-Agent
Server-Info
X-Old-Content-Length
X-RateLimit-Limit
SD-X-WS
X-Varnish-Hostname
X-Cluster-Node
X-Cache-TTL-Remaining
X-Pad
X-Urbn-Context-Path
Locale
X-Cache-NE
X-Urbn-Site-Id
X-Parent-Response-Time
X-Presslabs-Stats
Upgrade-Insecure-Requests
X-Srv
X-EC-Lua
X-Debug-Cache
X-Cache-Backend
FilterID
X-Akamai-Request-ID
Apigw-Requestid
X-RCS-CacheZone
X-Soup
X-Webkit-CSP
X-Cache-Grace
X-Proxy-Cache-Status
X-Forwarded-Host
Proxy-Connection
X-Tb
X-Proto
X-Nc
X-Newrelic-Synthetics
X-Backend-TTL
X-CDN-Forward
X-TA-CDN-Provider
X-App-Version
X-Cache-PHP
X-Tumblr-Pixel-3
S-Cnection
NGX
X-Vtex-Processado-Em
Content-Script-Type
Machine
BehaviorPad-Version
M-TraceId
GEO-REGION-INFO
Fastcgi-X-Cache-Version
Content-Style-Type
Xc-Version
X-Vtex-Remote-Cache
MD5-Digest
X-Vdms-Version
X-VG-WebCache
X-VG-WebServer
AsisCache
Arc-Country
Meta-Geo-Continent
Who
X-Processor
X-Region-Sid
X-B-Cookie
X-PAYTM-SRV-ID
X-Matched-Rule
X-Reqid
X-ARC
X-A-Wwc
X-Rewrite-Enabled
X-Accel-Expires-Debug
X-Aed
X-Application
X-CF-Lambda-Fn
X-Level-Front-Cache
X-Developer
X-Destination
X-DevSite-Last-Modified
X-External-Request-Id
X-Dispatch
X-Date
X-G
X-Generated-On
X-Geo-Header
X-CF-Lambda-Version
X-Connection-Hash
X-D
X-Rojux
X-S
Thinkindot-Control
Thinkindot-CacheControl-Type
UCS
X-Trv-Group
X-Transaction
Thinkindot-CacheControl
X-Twitter-Response-Tags
Rendered-Blocks
Pagetype
Server-Host
X-Vdms-Path
T-Server
Viewtype
X-Thinkindot-L3
X-A-Ccd
X-S-Cookie
X-A-Dam
X-A-Dcw
X-A-Dgt
X-A
X-Scheme
X-SRCache-Key
X-Swa-Ws
VivaBuild
X-Session-Fingerprint
X-ScT
Mobile-Detection-Method
ServerName
X-Cluster-Name
X-Uri
X-FORWARDED-FOR
OT-Force-Account-Verify
Cache-Key
X-Be
Viewport
X-Response-By
True-Client-Country-4JS
X-Dc
We-Hiring
Cache-Cookie-Set-Lfrom
Cache-Cookie-Set-From
CacheControlHeader
X-Worker
AKAMAI
IsBot
X-Logging-Id
Release
Mail-Subject
X-VC-Cache
N-Cache
X-Dispatcher-Server
NM-Fastcgi-Cache
Cf-Ipcountry
X-Location
X-Device-Os
X-Skip-Cache
X-SN
X-Thanos
X-Trace-Id
X-ServiceProvider
Cache-Cookie-Set-Idcheck
X-Cms-Context
X-Branch-Name
X-Nginx-Cache-Key
X-Method
X-Bip
X-SIPLIST1
X-Cache-FS-Status
X-Hash
X-Generation-Time
Sid
X-NodeID
X-AIR-PT
X-Owner
X-Node-Id
X-Agile
X-Agile-Age
X-Vcache
X-Agile-Id
X-Core-Value
X-Envoy-Decorator-Operation
X-DC
X-Hit
X-Microcachable
X-Cache-Tags
Rt-Fastcgi-Cache
X-Origin-Date
X-Clara-WADP
X-Var-Ttl
X-Rebelmouse-Cache-Control
X-RateLimit-Remaining-Second
Platform
X-Cache-Bucket
X-Rebelmouse-Surrogate-Control
X-User
X-Clientip
X-Backend-State
V-Age
X-Origin-Expires
X-Request-UUID
W
Vix-Hermes-Req-Id
X-SD-PageType
X-RateLimit-Limit-Second
X-Auto-Login
X-Variation
X-Micro-Cache
X-Magnolia-Registration
X-Servername
X-TH-Server
X-WADP-Cache
Server-Hostname
Adler-Geo
Sever-Int
X-JWT-State
Server-Ext
RNT-Time
Magicmarker
CDCHOST
RNT-Machine
On-Server
Wxu-Next-Commit
Wxu-Next-Hostname
X-Req
X-Varnish-Cacheable
X-Generated-In
X-Has-Esi
X-Policy
X-Developers
Wxu-Next-Region
X-Fmm-Version
X-Compress-Hint
X-Is-Gdpr
FNAC-ModuleRouting
C-Via
L5d-Success-Class
X-LAGOON
X-Wikidot-Backend
Apple-News-Services-Request-Url
Is-Eu
X-CGP
X-Eu-Site
X-VG-TLSProxy
X-Distil-CS
X-Distributor
X-Epic-Correlation-Id
X-Wikidot-Static-Cache
Kp-EeAlive
Apple-News-Services-Parsed-Url
Apple-News-Services-Handled
Fastly-SWR
Fastly-SIE
Fastly-Drupal-HTML
Gh-Request-Id
Apple-News-Services-Host
HA-Ipaddr
Ha-Gx-Prefs
X-Storefront-Renderer-Rendered
X-Varnish-Beresp-Status
User-Cache-Control
X-Varnish-Beresp-Grace
X-App
X-Varnish-Beresp-Ttl
X-Hnp-Log
X-Fastly-Cache
X-Mvc-Supplant-Cachable
X-Gen-Mode
X-Irp-Debug
X-Instart-Info
X-Contensis-Viewer-Groups
X-NC
X-Cache-Info
X-Cache-URL
X-Server-W
X-Loc
X-VServer
X-We-Are-Hiring
X-Core-Mission
X-Cache-Debug
Node
X-Webstats-RespID
X-TrackingId
X-Varnish-Authentication
X-Reboot
X-Slack-Backend
X-Backend-Host
X-Request-Host
Web-Mar-Node
X-Cache-ASPX
X-Block-Status
X-BBXSRF
X-Origin-CC
X-Cdn-Forward
X-Origin-TTL
HostName
X-Gzip
X-Esi-Check
X-Cache-Id
X-LI-Proto
X-GoCache-CacheStatus
X-SRV
X-Via-PopH
X-Via-PopV
X-Li-Pop
X-LI-UUID
X-Li-Fabric
X-Platform-Server
Memcached
LB
X-SVT-ORM-VERSION
X-Configured-By
X-SVT-ORM-RULES
X-NU-AKA-ACS-Version
X-Ms-Request-Id
X-Wa
X-UA
X-TT-TIMESTAMP
X-Envoy-Upstream-Healthchecked-Cluster
X-Ms-Version
X-ZONE
Tracecode
X-BC
X-Edge-Location
X-Key
X-Vgn-Hpd-Reason
Referer-Policy
Esi-Enabled
X-Refresh
Pragrma
GEO-INFO
MIME-Version
NtCoent-Length
L
Ohc-File-Size
X-BACKEND-TTL
X-Varnish-URL
X-Mvc-Supplant-OutputCached
Server-ID
X-Ua-Device
X-MSEdge-Features
X-App-Name
X-TIME
X-Server-IP
X-Via-CDN
Fastly-Backend-Name
X-Servedbyhost
Cache-Host
X-MSEdge-Flight
X-B3-Traceid
X-Nginx-Cache
X-Up
Memory
X-Bc
X-Zone
X-Sucuri-ID
X-Minions-Version
Server-Surrogate-Control
X-Varnish-Ttl
X-Cdn-Srv
X-Batcache
Server-Cache-Control
CACHE
X-VCT
X-Unique-ID
X-S-Maxage
X-FPC
X-Svr
X-ND-Cache
X-Pjax-Url
X-Debug-Panamera-Sitecode
X-Generated-By
X-Debug-Panamera-Host
Ohc-Response-Time
X-ElasticPress-Query
X-Oss-Hash-Crc64ecma
X-VCL-Version
X-Oss-Object-Type
X-Oss-Request-Id
X-Oss-Server-Time
FSS-Cache
X-Oss-Storage-Class
X-COUNTRY
X-GEO
X-Rocket-Nginx-Bypass
X-CF-Powered-By
X-Aicache-OS
Resin-Trace
DCR-Processing-Time-Ms
Heartbleed
Locid
DCR-Decision-By
Request-EU
GeoIP-Country-Code
Request-Country
Cteonnt-Length
X-Varnish-Hits
X-Azure-Ref-OriginShield
X-PF-Uncompressing
GeoIP-Latitude
X-Request-URI
Pramga
Location
Powered-By-ChinaCache
Lfy
X-Fastly-Cache-Status
Hostname
X-BE
X-Shopify-Generated-Cart-Token
X-Sucuri-Cache
X-LB-ID
X-Check-Cacheable
HitType
X-Fastly-Country-Code
X-Gamma-Serve
PFcat
X-Varnishpool
X-Ratelimit-Reset
Cdn-Host
X-VarnishDD-TTL
X-Edge-Server
Amp-Access-Control-Allow-Source-Origin
GeoIp-Country-Code
Geoip-Latitude
Cdn-Request-Time
X-Ratelimit-Remaining
X-NODE
CF-Cached-On
X-VHOST
WZWS-RAY
X-PJAX-URL
X-Newrelic-App-Data
X-Fastly-Backend-Reqs
X-Fpc
X-HS-Status
X-Vcl-Version
X-OVcl
X-Vgn-Hpd-Ssi
X-WebServer
X-Vgn-Hpd-Variations-Key
X-Vgn-Hpd-Cached
X-OVcl-Cache
X-CSRF-TOKEN
X-Instart-Isnd
Mime-Version
X-Platform
X-Proxy-Upstream
Product
SRV
X-Ratelimit-Limit
X-ECache
X-Tec-Api-Origin
X-Render-Time
Ohc-Cache-HIT
X-Pf-Uncompressing
My-App
X-Cdn-Origin
X-Tec-Api-Root
X-Fetched-On
X-Tec-Api-Version
X-Cache-Expired-At
X-Sn-Servicetimems
X-Original-Request-Id
X-NGINX-Cache
X-CACHE-AGE
X-GeoIP-Country-Code
X-Oracle-Dms-Rid
X-CLOUD-TRACE-CONTEXT
X-Ftr-Cache-Host
SN
X-CACHE-KEY
Dt-Cache-Category
X-Amzn-Remapped-Date
WWW-Authenticate
X-CUA
X-ServedByHost
X-Amzn-Remapped-Connection
X-Oss-Cdn-Auth
X-Varnish-Url
XServer
URI
X-Swift-Error
A
Pics-Label
X-Request-Start
CloudFront-Viewer-Country
Epwk-X-Cache
X-B3-SpanId
Cf-Alt-Svc
X-StackifyID
X-Cache-Tag
Group
X-Served-From
X-B3-Spanid
X-Client-Ip
Cdn
Backend
PICS-Label
X-RunCloud-Cache
X-Debug-Cache-Fetch
X-Debug-Cache-Store
Backend-Name
X-WR-MODIFICATION
X-Amzn-Requestid
Lb
X-WA
Server-Ttl
Cloudfront-Viewer-Country
X-Debug-Xas-Auth
X-Apw-Access-Object
X-Apw-Access-Action
X-Debug-Cache-Bypass
X-Tb-Optimization-Total-Bytes-Saved
X-Apw-Access-Token
X-Csrf-Jwt
SID
X-Apw-Hits
X-Debug-Cache-String
X-Debug-Cache-Status
X-Debug-Do-Not-Cache-Uri
X-Nananana
X-LiteSpeed-Cache-Control
X-Request-Time
X-Debug-Ysi-Auth
X-Via-Ucdn
X-Cache-Version
X-Via-Popv
Inserted-Into-Cache-At
X-Via-Poph
Proxy-Firewall
X-Via-NSCOPI
NnCoection
X-Acquia-Site
X-Acquia-Application-UUID
X-Acquia-Purge-Tags
X-Acquia-Application-Trace
X-IN-APIGATEWAYSSL
X-Cache-Hfrom
X-Varnish-Beresp-TTL
X-Cache-Hm
X-IN-APIGATEWAY
Cneonction
Country-Code
Origin
X-WPE-Loopback-Upstream-Addr
X-APP
X-DPWN-IS-SECURE
Warning
CF-IPCountry
X-Snapshot-Date
X-Varnish-ID
X-Ocache
X-B3-Parentspanid
Geoip-City
X-Html-Edge-Cache
X-Dw-Trace-Id
X-SB
X-Request-URL
X-VC
X-ElasticPress-Search
Req-ID