Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
Link
CF-Cache-Status
X-Powered-By
Pragma
ETag
CF-RAY
Expect-CT
X-XSS-Protection
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
P3P
Referrer-Policy
X-Cache-Hits
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-UA-Compatible
X-Xss-Protection
X-Served-By
Alt-Svc
X-Request-Id
X-Varnish
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-Check
X-Drupal-Cache
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Permitted-Cross-Domain-Policies
X-Generator
X-Cache-Status
CF-Ray
X-Cacheable
X-Kinja-Server-Push
X-DNS-Prefetch-Control
Timing-Allow-Origin
X-Template
X-Language
X-FRAME-OPTIONS
X-AspNetMvc-Version
X-Iinfo
X-Buckets
X-Ua-Compatible
Status
X-Content-Security-Policy
X-CDN
Content-Encoding
Upgrade
Access-Control-Expose-Headers
X-Envoy-Upstream-Service-Time
Access-Control-Max-Age
Keep-Alive
X-Via
X-Drupal-Dynamic-Cache
X-Ws-Request-Id
X-Request-ID
X-AH-Environment
X-Backend
X-Server
X-Turbo-Charged-By
X-Age
P3p
X-Cache-Group
X-Robots-Tag
Feature-Policy
X-Proxy-Cache
Request-Context
Xkey
X-Amz-Id-2
X-Amz-Request-Id
EagleId
X-Hacker
X-Page-Speed
X-UA-Device
X-Server-Powered-By
X-Nginx-Cache-Status
Grace
X-Pingback
Server-Timing
X-Varnish-Cache
X-Swift-CacheTime
X-Swift-SaveTime
X-LiteSpeed-Cache
Ali-Swift-Global-Savetime
Report-To
X-Amz-Version-Id
Cf-Railgun
X-Dns-Prefetch-Control
X-Server-Id
X-WebKit-CSP
X-Rq
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Origin-Cache
EagleEye-TraceId
X-OneAgent-JS-Injection
X-Host
Surrogate-Control
X-Device
X-Response-Time
X-Vhost
X-Ac
X-Backend-Server
X-Readtime
X-Cache-Lookup
X-Node
NEL
X-Origin-Upstream-Status
X-Dispatcher
X-HW
Fusion-Template-Id
Fusion-Source
Fusion-Content-Source
Fusion-Content-Id
Fusion-Component-Id
Content-Location
X-Mod-Pagespeed
Request-Id
X-DataDome
X-Application-Context
X-ORACLE-DMS-ECID
X-Akam-SW-Version
Fusion-Deployment-Id
X-Country
X-ORACLE-DMS-RID
Allow
X-Ruxit-JS-Agent
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Cloud-Trace-Context
Rating
X-Country-Code
X-Cnection
Edge-Control
X-Url
X-Rack-Cache
X-Clacks-Overhead
Accept-CH
X-Px
RTSS
MS-Author-Via
Accept-CH-Lifetime
X-Vname
X-FTR-Request-ID
X-PC
X-TtlSet
X-Goog-Hash
Verso
X-Powered-By-Plesk
Service-Worker-Allowed
X-Varnish-TTL
X-B3-TraceId
Public-Key-Pins
X-Exp-Variant
X-Cdn-Fetch
X-GitHub-Request-Id
X-GoogleNews-Bot
X-Kinja-Build
X-Use-Magma
X-Kinja-Server
X-Kinja-Revision
X-Kinja
X-Exp-Id
X-MS-InvokeApp
Arr-Disable-Session-Affinity
X-Forwarded-Proto
X-Amz-Server-Side-Encryption
Display
Pagespeed
X-Sol
X-Middleton-Display
Response
X-Middleton-Response
X-DynaTrace
X-Cache-TTL
X-Pass-Why
X-D2id
Host-Header
Pinterest-Generated-By
X-Amz-Rid
X-Content-Type
X-NF-Request-ID
X-CST
TCN
X-Vcap-Request-Id
X-Abt-Application-Version
X-Cached
X-Ttl
X-VARITI-CCR
AR-ATIME
AR-PoweredBy
AR-Request-ID
Accept-Ch
AR-CACHE
Ar-Sid
X-ESI
X-Navigation-Version
X-Version
X-Fastly-Request-ID
Cache-Tag
X-Powered-CMS
X-Server-Name
X-Upstream
X-Instart-Request-ID
Accept-Ch-Lifetime
X-Debug
X-Grace
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-TEC-API-VERSION
Access-Control-Request-Method
X-MSEdge-Ref
Charset
X-Accel-Expires
Nginx-Cache
X-XRDS-Location
Content-MD5
SPRequestDuration
SPIisLatency
Realpath
X-Mrf-Item-Lastmod
MRF-Tech
Mrf-Cache-Status
X-Mrf-Section-Lastmod
X-B3-TraceId-Primal
X-Element-Page-Cache
X-Ezoic-Cdn
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-DynaTrace-JS-Agent
S
X-SharePointHealthScore
SPRequestGuid
X-Shield-Request-Id
Pinterest-Version
X-Pinterest-Rid
X-Hp-Webp
X-Jurisdiction
X-Cdn
X-Oneagent-Js-Injection
X-Amz-Meta-S3cmd-Attrs
X-Recruiting
X-Dw-Request-Base-Id
X-Id
X-Client-IP
X-Trace
X-Kinsta-Cache
X-T
X-TTL
X-Node-Name
X-FastCGI-Cache
Fastcgi-Cache
X-Content-Digest
X-Logged-In
X-Cache-Key
X-Server-ID
X-Mobile-URL
TP-L2-Cache
TP-Cache
X-NWS-LOG-UUID
Server-Node
X-Cache-Hit
X-Request-Processing-Time
X-Request-Received
X-Frontend
X-Cache-Age
X-Hostname
ServerID
Front-End-Https
X-Amzn-Trace-Id
X-FTR-Cache-Status
X-Country-Code-Real
Edge-Cache-Tag
X-Forwarded-For
Fastly-Restarts
X-FTR-Backend
X-FTR-Backend-Server
X-FTR-Realm
X-FTR-Balancer
X-FTR-DC
X-Goog-Metageneration
X-Goog-Generation
X-FTR-Expires
X-Goog-Storage-Class
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-GUploader-UploadID
X-Yandex-Sdch-Disable
Server-Name
Powered
Arc-Version
PB-RID
PB-PID
X-Microsite
X-Request-Handler-Origin-Region
DynaTrace
X-User-Agent
Filters
X-Content-Security-Policy-Report-Only
X-Revision
X-DIS-Request-ID
X-Jobs
X-Zen-Fury
X-Ruxit-Js-Agent
X-Page-Id
X-Akamai-Edgescape
X-F-Cache
X-Hits
X-LB-Cache
X-Correlation-Id
X-Mobile-Rewrite
X-ORACLE-APMCS-REQUEST-ID
X-ORACLE-APMCS-TAG
X-HS-Combine-CSS
X-HS-Cache-Config
X-HS-Content-Id
X-HS-Hub-Id
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
Accept-Charset
X-Content-Powered-By
X-Origin-Server
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Geo-Country
Alternate-Protocol
X-Fastcgi-Cache
X-Varnish-Age
X-N
AMP-Access-Control-Allow-Source-Origin
X-B
X-FTR-Cache-Host
X-Daa-Tunnel
X-Varnish-Backend
Cache-Tags
X-RateLimit-Remaining
X-Rid
Backend-Timing
X-ATS-Timestamp
X-Az
X-AppVersion
X-Activity-Id
X-WebKit-CSP-Report-Only
DC
X-Type
X-Via-JSL
MicrosoftSharePointTeamServices
X-Amz-Replication-Status
X-FB-Debug
Surrogate-Key
X-Whom
X-Git-Hash
X-TT
Section-Io-Cache
Paypal-Debug-Id
Retry-After
X-B-Cache
X-Signature
X-Status
X-App-Environment
Host
X-Content-Options
X-Edge
X-Varnish-Grace
X-Debug-Info
X-Esi
Frame-Options
Fastcgi-Useragent
X-Request-Guid
X-ATG-Version
Actual-Object-TTL
X-Ser
X-App-Server
Healthy
X-IPLB-Instance
X-Endurance-Cache-Level
X-AOL-HN
X-Amzn-RequestId
X-Contextid
X-HTML-Minification-Powered-By
Srv
Nel
X-Cache-Action
X-Seen-By
X-ECACHE
X-B3-Sampled
X-Pinterest-Direct
From-Origin
Refresh
X-Host-Name
Access-Control-Allow-Method
X-Upgrade-Enabled
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Drupal-Cache-Tags
X-Amz-Apigw-Id
X-ProcessESI
X-RemovedCookies
X-Cache-Rule
X-Response-Served-From
X-Accel-Buffering
X-Instance
X-Cache-Operation
X-Protected-By
VIX-Pulpo-Node
X-Mid
VIX-Pulpo-Upstream-Status
X-Region
Content-Disposition
X-MCACHE
Odigeo-Trace-Id
X-Time
X-Environment-Context
Eomportal-Instance
X-Cacheable-TTL
X-L-Path
X-Rule
X-UUID
MS-CV
X-Varnish-Server
Payment
X-Rendered-As
Source
Datacenter
X-Is-Bot
X-WA-Info
X-FW-Server
X-Adobe-Content
X-FW-Serve
X-FW-Static
X-FW-Hash
X-Cache-Time
X-FW-Type
X-Adobe-Loc
X-FW-Dynamic
Countrycode
X-PressLabs-Stats
X-Litespeed-Cache
Xserver
X-Release
X-Cache-Control
X-Proxy
X-EdgeConnect-Cache-Status
X-Cached-By
Cache-Status
X-Cache-Server
Uber-Trace-Id
X-Akamai-Request-ID2
X-Load-Cache
X-UnsetCookies
X-GeoIP
X-Mobile
X-Akamai-Transformed
X-VCache
X-Webkit-CSP
X-Azure-Ref
X-NewRelic-App-Data
Access-Control-Request-Headers
X-PHP-Backend
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Origin-Response-Time
Version
X-SERVER-NAME
X-Mode
X-Handled-By
X-Cluster
X-Wix-Request-Id
X-NWS-UUID-VERIFY
X-NGENIX-Cache
X-Cache-NGX
X-Air-Hostname
Liferay-Portal
Accept-Language
X-Backend-Name
NGB
X-IPS-LoggedIn
Cache
X-Tumblr-Pixel-2
X-Tumblr-Pixel-1
X-Framework
X-Correlation-ID
X-FireWall-Port
X-VWS-Id
X-Cache-Remote
Cross-Origin-Window-Policy
X-CSRF-Token
X-Path-Route
X-PERF
X-Proxied
X-Zipkin-Id
X-URL
Load-Balancing
X-LJ-Flow-ID
X-UPSTREAM-Address
X-Cache-Var
X-Cache-Status-Check
X-ES-SERVER
Meta-Geo
X-RN-RSRV
X-Routing-Service
X-Adobe-Source
X-ApacheServer
X-AWS-Id
Filterid
X-UA-Device-Type
X-Via-Fastly
X-Cache-Var-Map
X-CCM
X-Locale
X-Storage
X-Ua
ServedBy
X-MP-GENERATED-AT
Cache-Hits
Mn-Server-Ip
X-R9-Blue-Green-Version
X-Qloud-Router
X-Www-Served-By
X-PCL
DSUID
X-Viewer-Country
X-OCL
X-Bc-Bl
Section-Origin-Responded
X-RTag
X-Access
X-Real-IP
X-Pubstack
X-Site-Version
Decoy-Debug-Status
Section-Io-Origin-Time-Seconds
X-Section
X-Format
X-Cache-Config
Cleartype
Decoy-Debug-TTL
Akamai-GRN
Ms-Operation-Id
Cache-Name
Section-Io-Origin-Status
Section-Io-Id
Now
X-TX-ID
Decoy-Debug-Key
X-XRDS-LOCATION
X-RateLimit-Limit
Property-Id
X-Info
X-Human
TWC-Privacy
X-Labrador-Cache-Channel
TWC-Locale-Group
X-No-Session
X-NCache
X-Hl-Ver
Webcakes-App-Version
X-CS
Webserver
X-BYPASS-REASON
Fastly-SSL
Webcakes-Region
X-Origin-Hint
X-EIG-Tracking-Id
X-Device-Type
Webcakes-App-Name
TWC-GeoIP-LatLong
X-Sorting-Hat-ShopId
X-Sorting-Hat-PodId
X-Shopify-Stage
X-ShopId
TWC-Device-Class
TWC-Connection-Speed
Cache-Tv-Group
X-Web-Node
X-Varnish-Cache-Hits
X-ShardId
X-ServerID
X-ProxyCache-Status
X-ProxyCache-Key
X-Alternate-Cache-Key
X-Redis-Cache
TWC-GeoIP-Country
X-SayCDN-TTL
X-Say-TTL
X-Say-Cacheable
X-PHP-Host
X-JoinUs
X-Proxy-Build
X-Origin
X-SaId
X-Time-Microsecs
X-Timing-Wait
Selected-Fe
X-Hosted-By
X-Content-Age
X-Cache-Enabled
X-Detected-As
X-FB-TRIP-ID
X-From
X-BCube-Filmed-By
X-FW-Version
S-Rt
X-Amzn-Remapped-Content-Length
X-Geo
Server-Info
X-Cache-Host
DB-Nickname
X-Generated
X-NYM-Debug-Backend
X-IP
X-Hyper-Cache
X-FC-Vary-Parameters
X-TNCMS
Azure-SiteName
Azure-SlotName
Azure-InstanceId
Azure-RegionName
X-Loop
Azure-Version
X-APP-VERSION
Geo-Info
Origin-Cache-Control
X-RequestSource
X-Drupal-Cache-Contexts
X-Xfnlog-Site
X-Cache-2
Time
Ec-Rule-Version
X-Cache-TTL-Remaining
X-Goog-Meta-Goog-Reserved-File-Mtime
Origin-Edge-Control
Country
X-EC-Lua
User-Agent
SD-X-WS
X-Urbn-Site-Id
Locale
X-Urbn-Context-Path
X-Pad
X-Unique-Id
Apigw-Requestid
X-Cluster-Node
X-Varnish-Hostname
X-Source
X-Old-Content-Length
X-Cache-NE
FilterID
Upgrade-Insecure-Requests
X-Debug-Cache
X-App-Version
X-Parent-Response-Time
X-Presslabs-Stats
X-Akamai-Request-ID
X-Vcache
X-Soup
X-RCS-CacheZone
X-Cache-Backend
Proxy-Connection
X-Proto
X-DC
X-Tb
X-Cache-PHP
X-Proxy-Cache-Status
X-Cache-Grace
X-CDN-Forward
X-Srv
X-Forwarded-Host
X-Backend-TTL
X-Nc
Cache-Key
X-Storefront-Renderer-Rendered
X-Tumblr-Pixel-3
X-App
Mobile-Detection-Method
X-Generated-On
X-Scheme
Meta-Geo-Continent
X-Level-Front-Cache
MD5-Digest
X-Matched-Rule
X-Geo-Header
Pagetype
Xc-Version
T-Server
Thinkindot-CacheControl
Thinkindot-CacheControl-Type
ServerName
Machine
X-G
Server-Host
Rendered-Blocks
FNAC-ModuleRouting
X-S
X-NodeID
X-Nginx-Cache-Key
Arc-Country
X-Rojux
X-Rewrite-Enabled
X-Processor
X-PAYTM-SRV-ID
X-Reqid
X-Method
AsisCache
GEO-REGION-INFO
IsBot
X-S-Cookie
Thinkindot-Control
Fastcgi-X-Cache-Version
BehaviorPad-Version
Content-Script-Type
Content-Style-Type
M-TraceId
VivaBuild
X-Accel-Expires-Debug
X-Aed
X-Application
X-Swa-Ws
X-Developer
X-A-Wwc
X-A-Dcw
X-A-Dgt
X-Thinkindot-L3
X-Region-Sid
X-Destination
X-CF-Lambda-Fn
X-D
X-Connection-Hash
X-SRCache-Key
X-SIPLIST1
X-ARC
X-Date
X-B-Cookie
X-A-Dam
X-Trace-Id
X-VG-WebServer
X-External-Request-Id
X-Dispatch
X-VG-WebCache
X-Vtex-Processado-Em
X-ScT
UCS
Viewtype
X-CF-Lambda-Version
Who
X-ServiceProvider
X-Twitter-Response-Tags
X-Trv-Group
X-Transaction
X-A-Ccd
X-Session-Fingerprint
X-A
X-Vdms-Version
X-Vdms-Path
X-Vtex-Remote-Cache
True-Client-Country-4JS
X-SRV
NR-ENABLED
WPE-Backend
X-FORWARDED-FOR
X-Uri
NGX
Wxu-Next-Hostname
Wxu-Next-Commit
X-Agile-Age
We-Hiring
X-Cache-Bucket
Wxu-Next-Region
Vix-Hermes-Req-Id
X-Bip
X-Agile-Id
X-Agile
V-Age
NM-Fastcgi-Cache
On-Server
N-Cache
Mail-Subject
Magicmarker
Release
RNT-Machine
Sever-Int
X-Cache-FS-Status
Server-Hostname
Server-Ext
RNT-Time
Viewport
X-Compress-Hint
X-Response-By
X-SD-PageType
X-Req
X-RateLimit-Remaining-Second
X-Policy
X-RateLimit-Limit-Second
X-Skip-Cache
X-SN
X-VC-Cache
X-Worker
X-Varnish-Cacheable
X-User
X-Thanos
X-Owner
X-Logging-Id
X-Device-Os
X-DevSite-Last-Modified
X-Developers
X-Core-Value
Kp-EeAlive
X-Cluster-Name
X-Dispatcher-Server
X-LAGOON
X-Loc
X-Hash
X-Generation-Time
X-Generated-In
X-Cms-Context
X-Location
Apple-News-Services-Request-Url
Apple-News-Services-Handled
AKAMAI
CacheControlHeader
LB
X-Magnolia-Registration
X-AIR-PT
Apple-News-Services-Host
Apple-News-Services-Parsed-Url
CDCHOST
Cache-Cookie-Set-Lfrom
Cache-Cookie-Set-Idcheck
Cache-Cookie-Set-From
Node
OT-Force-Account-Verify
X-Envoy-Decorator-Operation
X-Origin-CC
X-Hit
User-Cache-Control
Cf-Ipcountry
X-Be
X-Origin-TTL
X-Var-Ttl
X-VG-TLSProxy
C-Via
X-WADP-Cache
S-Cnection
X-Cache-URL
X-Cache-Id
X-Cache-Debug
X-Block-Status
X-Cache-Info
X-Backend-State
X-CGP
X-Cache-Tags
X-Auto-Login
Adler-Geo
X-Origin-Expires
X-Origin-Date
X-Node-Id
X-Micro-Cache
X-Newrelic-Synthetics
X-Servername
X-Request-UUID
Is-Eu
X-Server-W
X-Hnp-Log
X-Gzip
X-Epic-Correlation-Id
X-Distributor
X-Distil-CS
X-Core-Mission
X-Esi-Check
X-Eu-Site
X-Gen-Mode
X-TH-Server
X-Fmm-Version
X-Clara-WADP
X-Variation
X-Wikidot-Backend
Gh-Request-Id
X-Wikidot-Static-Cache
Ha-Gx-Prefs
Platform
HA-Ipaddr
W
Fastly-Drupal-HTML
Web-Mar-Node
L5d-Success-Class
Sid
Fastly-SWR
X-SVT-ORM-VERSION
X-TrackingId
Rt-Fastcgi-Cache
Fastly-SIE
X-NC
X-Clientip
X-Contensis-Viewer-Groups
X-JWT-State
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
X-Reboot
X-Request-Host
X-Mvc-Supplant-Cachable
X-Slack-Backend
Memcached
X-Irp-Debug
X-Is-Gdpr
X-SVT-ORM-RULES
X-Has-Esi
X-Fastly-Cache
X-Cache-ASPX
X-Configured-By
X-Backend-Host
X-NU-AKA-ACS-Version
X-Branch-Name
X-TA-CDN-Provider
X-We-Are-Hiring
X-Varnish-Authentication
X-VServer
X-Webstats-RespID
X-BBXSRF
X-Cdn-Forward
X-Varnish-Beresp-Grace
X-Varnish-Beresp-Status
X-Varnish-Beresp-Ttl
Referer-Policy
HostName
X-Key
X-Edge-Location
X-LI-Proto
X-LI-UUID
X-GoCache-CacheStatus
X-Li-Pop
X-Li-Fabric
X-Microcachable
X-Wa
X-Dc
Pragrma
X-Instart-Info
X-ZONE
X-Platform-Server
X-BC
X-Via-PopV
MIME-Version
X-Via-PopH
X-Refresh
X-Varnish-URL
X-Envoy-Upstream-Healthchecked-Cluster
X-Ms-Version
X-Servedbyhost
X-TT-TIMESTAMP
X-Via-CDN
X-Ms-Request-Id
X-Up
X-UA
Fastly-Backend-Name
X-Nginx-Cache
NtCoent-Length
X-Ua-Device
X-MSEdge-Features
X-BACKEND-TTL
X-Mvc-Supplant-OutputCached
X-MSEdge-Flight
X-Batcache
Esi-Enabled
Memory
X-Minions-Version
GEO-INFO
X-Vgn-Hpd-Reason
X-B3-Traceid
X-Unique-ID
Server-ID
L
X-ElasticPress-Query
Tracecode
X-App-Name
X-Bc
X-Zone
X-Sucuri-ID
X-Server-IP
Cache-Host
X-Aicache-OS
X-Pjax-Url
Ohc-File-Size
X-ND-Cache
X-VCL-Version
CACHE
X-TIME
X-Cdn-Srv
X-Debug-Panamera-Host
X-Svr
X-Debug-Panamera-Sitecode
X-COUNTRY
Server-Surrogate-Control
DCR-Processing-Time-Ms
DCR-Decision-By
GeoIP-Country-Code
X-Generated-By
Server-Cache-Control
FSS-Cache
X-S-Maxage
Pramga
X-FPC
X-Oss-Hash-Crc64ecma
Location
X-PF-Uncompressing
Powered-By-ChinaCache
X-Fastly-Cache-Status
X-Oss-Request-Id
GeoIP-Latitude
X-Oss-Server-Time
X-Oss-Storage-Class
X-CF-Powered-By
Ohc-Response-Time
X-Oss-Object-Type
X-Azure-Ref-OriginShield
X-VCT
X-GEO
X-Check-Cacheable
HitType
X-Rocket-Nginx-Bypass
X-Webkit-Csp
X-LB-ID
Resin-Trace
X-BE
X-Ratelimit-Reset
X-Varnishpool
Hostname
Request-Country
X-Sucuri-Cache
Heartbleed
Locid
X-Varnish-Ttl
Request-EU
X-VarnishDD-TTL
PFcat
X-Varnish-Hits
Cteonnt-Length
X-Client-Ip
Amp-Access-Control-Allow-Source-Origin
X-Request-URI
X-Fpc
X-Vgn-Hpd-Cached
X-OVcl-Cache
X-OVcl
X-Vgn-Hpd-Variations-Key
X-Vgn-Hpd-Ssi
X-Edge-Server
Cdn-Request-Time
X-Fastly-Backend-Reqs
Cdn-Host
Lfy
X-Instart-Isnd
X-Original-Request-Id
X-Platform
X-VHOST
X-Fastly-Country-Code
X-Render-Time
X-PJAX-URL
X-HS-Status
X-Cache-Expired-At
X-Gamma-Serve
X-Newrelic-App-Data
CF-Cached-On
X-CSRF-TOKEN
X-Shopify-Generated-Cart-Token
Geoip-Latitude
GeoIp-Country-Code
SN
SRV
X-Vcl-Version
X-Ratelimit-Remaining
X-Pf-Uncompressing
WZWS-RAY
X-CUA
X-WebServer
X-CLOUD-TRACE-CONTEXT
X-Proxy-Upstream
X-Oracle-Dms-Rid
Pics-Label
X-CACHE-AGE
Product
Epwk-X-Cache
X-Ftr-Cache-Host
Mime-Version
WWW-Authenticate
My-App
X-Sn-Servicetimems
X-ECache
X-NGINX-Cache
X-Fetched-On
X-CACHE-KEY
X-Cdn-Origin
Ohc-Cache-HIT
X-Amzn-Remapped-Connection
X-ServedByHost
X-Ratelimit-Limit
X-Varnish-Url
X-Amzn-Remapped-Date
XServer
Backend
URI
X-GeoIP-Country-Code
X-RunCloud-Cache
X-StackifyID
X-Csrf-Jwt
X-Via-Poph
CloudFront-Viewer-Country
X-Oss-Cdn-Auth
X-Via-Popv
Dt-Cache-Category
A
X-B3-SpanId
X-Tec-Api-Version
Backend-Name
X-Tec-Api-Origin
X-Tec-Api-Root
X-Ftr-Request-Id
X-Debug-Cache-Fetch
X-Debug-Cache-Store
X-Request-Start
Lb
X-Swift-Error
X-Cache-Tag
Cloudfront-Viewer-Country
PICS-Label
X-Request-Time
Server-Ttl
X-B3-Spanid
X-Debug-Xas-Auth
X-Debug-Do-Not-Cache-Uri
X-Debug-Ysi-Auth
X-LiteSpeed-Cache-Control
X-Rocket-Build-Number
X-Sigma
X-Debug-Cache-Status
X-Debug-Cache-Bypass
Cdn
X-Served-From
SID
X-Tb-Optimization-Total-Bytes-Saved
X-Sigma-Backend
X-Nananana
X-Debug-Cache-String
Host-ID
Group
X-Cache-Version
X-Cache-Hfrom
X-Apw-Hits
X-WA
X-WR-MODIFICATION
X-Cache-Hm
X-Ftr-Backend-Server
X-Ftr-Realm
X-Ftr-Dc
X-Ftr-Balancer
X-Acquia-Application-Trace
X-Ftr-Backend
Dnion-Transfer-Encoding
Cneonction
X-Apw-Access-Action
X-Acquia-Site
X-Acquia-Purge-Tags
X-Acquia-Application-UUID
Proxy-Firewall
X-Apw-Access-Object
X-Apw-Access-Token
X-Varnish-Beresp-TTL
Inserted-Into-Cache-At
X-Snapshot-Date
Warning
FSS-Proxy
CF-IPCountry
X-Request-URL
Req-ID
X-ElasticPress-Search
X-Varnish-ID
X-Via-Ucdn
Origin
X-Html-Edge-Cache
X-SB
X-Dw-Trace-Id
Cf-Alt-Svc
X-VC