Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
Link
CF-Cache-Status
X-Powered-By
Pragma
ETag
CF-RAY
Expect-CT
X-XSS-Protection
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
P3P
Referrer-Policy
X-Cache-Hits
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-UA-Compatible
X-Xss-Protection
X-Served-By
Alt-Svc
X-Varnish
X-Request-Id
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-Check
X-Drupal-Cache
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Permitted-Cross-Domain-Policies
X-Generator
X-Cache-Status
CF-Ray
X-Cacheable
X-Kinja-Server-Push
X-DNS-Prefetch-Control
Timing-Allow-Origin
X-Template
X-Language
X-FRAME-OPTIONS
X-AspNetMvc-Version
X-Iinfo
X-Buckets
X-Ua-Compatible
Status
X-Content-Security-Policy
Content-Encoding
X-CDN
Access-Control-Expose-Headers
Upgrade
X-Request-ID
X-Envoy-Upstream-Service-Time
Access-Control-Max-Age
Keep-Alive
X-Via
X-Drupal-Dynamic-Cache
X-Ws-Request-Id
X-AH-Environment
X-Backend
X-Server
X-Age
X-Turbo-Charged-By
P3p
X-Cache-Group
X-Robots-Tag
Feature-Policy
Request-Context
X-Proxy-Cache
Xkey
X-Amz-Id-2
X-Amz-Request-Id
EagleId
X-Hacker
X-Page-Speed
X-UA-Device
X-Server-Powered-By
X-Nginx-Cache-Status
Grace
X-Pingback
Server-Timing
X-Varnish-Cache
X-Swift-CacheTime
X-Swift-SaveTime
X-LiteSpeed-Cache
Ali-Swift-Global-Savetime
Report-To
X-Amz-Version-Id
Cf-Railgun
X-Dns-Prefetch-Control
X-Server-Id
X-Rq
X-WebKit-CSP
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-OneAgent-JS-Injection
X-Origin-Cache
EagleEye-TraceId
X-Host
Surrogate-Control
X-Device
X-Response-Time
X-Vhost
X-Cache-Lookup
X-Readtime
X-Ac
X-Backend-Server
X-Node
NEL
X-Dispatcher
X-Origin-Upstream-Status
X-HW
Content-Location
Fusion-Source
Fusion-Template-Id
Fusion-Content-Id
Fusion-Component-Id
Fusion-Content-Source
X-Mod-Pagespeed
Request-Id
X-DataDome
X-Application-Context
X-ORACLE-DMS-ECID
X-Akam-SW-Version
Fusion-Deployment-Id
X-Country
X-ORACLE-DMS-RID
X-Ruxit-JS-Agent
Allow
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Cloud-Trace-Context
Rating
X-Country-Code
X-Cnection
Accept-CH
Edge-Control
X-Url
X-Rack-Cache
RTSS
X-Clacks-Overhead
X-Px
MS-Author-Via
Accept-CH-Lifetime
X-FTR-Request-ID
X-PC
X-TtlSet
X-Vname
X-Goog-Hash
Verso
X-Powered-By-Plesk
X-Varnish-TTL
Service-Worker-Allowed
X-B3-TraceId
Host-Header
X-Kinja
X-Kinja-Build
X-Exp-Id
X-Cdn-Fetch
X-Kinja-Revision
X-Exp-Variant
X-GoogleNews-Bot
X-Kinja-Server
X-Use-Magma
Public-Key-Pins
X-GitHub-Request-Id
X-MS-InvokeApp
Arr-Disable-Session-Affinity
X-Forwarded-Proto
X-Amz-Server-Side-Encryption
Display
X-Middleton-Display
Pagespeed
Response
X-Middleton-Response
X-Sol
X-Cache-TTL
X-DynaTrace
X-Content-Type
X-D2id
X-Amz-Rid
X-NF-Request-ID
TCN
X-CST
X-Vcap-Request-Id
X-Abt-Application-Version
X-Cached
X-Cdn
X-VARITI-CCR
Pinterest-Generated-By
X-Ttl
AR-ATIME
AR-Request-ID
AR-PoweredBy
Ar-Sid
AR-CACHE
X-ESI
X-Navigation-Version
X-Version
X-Powered-CMS
X-Fastly-Request-ID
X-Upstream
Cache-Tag
X-Pass-Why
X-Server-Name
Accept-Ch
X-Grace
X-Debug
X-Instart-Request-ID
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-TEC-API-VERSION
Access-Control-Request-Method
X-XRDS-Location
X-MSEdge-Ref
Charset
Nginx-Cache
Content-MD5
X-Accel-Expires
X-B3-TraceId-Primal
X-Element-Page-Cache
Mrf-Cache-Status
MRF-Tech
X-Mrf-Section-Lastmod
X-Mrf-Item-Lastmod
Accept-Ch-Lifetime
Realpath
SPIisLatency
SPRequestDuration
X-Ezoic-Cdn
X-DynaTrace-JS-Agent
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-SharePointHealthScore
SPRequestGuid
X-Shield-Request-Id
S
Pinterest-Version
X-Pinterest-Rid
X-Hp-Webp
X-Jurisdiction
X-Amz-Meta-S3cmd-Attrs
X-Dw-Request-Base-Id
X-Id
X-Recruiting
X-Kinsta-Cache
X-Trace
X-TTL
X-T
X-Client-IP
X-Content-Digest
Fastcgi-Cache
X-Node-Name
X-Logged-In
X-Cache-Key
X-FastCGI-Cache
X-Server-ID
X-NWS-LOG-UUID
TP-L2-Cache
X-Mobile-URL
TP-Cache
X-Cache-Hit
X-Frontend
Server-Node
X-Request-Processing-Time
X-Hostname
X-Request-Received
X-Cache-Age
ServerID
X-Oneagent-Js-Injection
X-Amzn-Trace-Id
Front-End-Https
Fastly-Restarts
X-FTR-Cache-Status
X-FTR-Balancer
X-Country-Code-Real
X-FTR-Realm
X-FTR-DC
X-FTR-Backend
X-FTR-Backend-Server
X-Forwarded-For
Edge-Cache-Tag
X-FTR-Expires
X-Goog-Metageneration
X-Goog-Stored-Content-Encoding
X-Yandex-Sdch-Disable
X-Goog-Stored-Content-Length
X-GUploader-UploadID
X-Goog-Storage-Class
X-Goog-Generation
Server-Name
Powered
PB-PID
PB-RID
Arc-Version
X-Request-Handler-Origin-Region
X-Microsite
X-Revision
X-Content-Security-Policy-Report-Only
X-User-Agent
X-DIS-Request-ID
X-Page-Id
X-Hits
Filters
X-F-Cache
X-Jobs
X-LB-Cache
X-Zen-Fury
X-Akamai-Edgescape
DynaTrace
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-ORACLE-APMCS-REQUEST-ID
X-Erf-Bev-Bev
X-Mobile-Rewrite
X-Erf-Bev-Bev-Is-Generated
X-ORACLE-APMCS-TAG
X-HS-Combine-CSS
X-HS-Content-Id
X-HS-Cache-Config
X-HS-Hub-Id
X-Content-Powered-By
Alternate-Protocol
X-Origin-Server
X-Geo-Country
Accept-Charset
X-Correlation-Id
AMP-Access-Control-Allow-Source-Origin
X-Fastcgi-Cache
X-Varnish-Age
X-FTR-Cache-Host
X-N
X-Daa-Tunnel
X-B
X-RateLimit-Remaining
Cache-Tags
X-Varnish-Backend
X-Ruxit-Js-Agent
X-Rid
Retry-After
X-WebKit-CSP-Report-Only
X-Varnish-Grace
X-Type
X-Amz-Replication-Status
X-Git-Hash
DC
Section-Io-Cache
Surrogate-Key
X-Signature
X-TT
Paypal-Debug-Id
X-B-Cache
X-App-Environment
X-Whom
X-FB-Debug
Host
X-Content-Options
X-Request-Guid
X-Via-JSL
MicrosoftSharePointTeamServices
X-AppVersion
X-ATS-Timestamp
X-Activity-Id
Backend-Timing
X-Az
X-Esi
X-Edge
X-Status
X-Debug-Info
Frame-Options
X-Ser
Fastcgi-Useragent
Actual-Object-TTL
X-IPLB-Instance
X-ATG-Version
Healthy
X-Endurance-Cache-Level
X-App-Server
X-HTML-Minification-Powered-By
X-Webkit-CSP
X-Contextid
Srv
X-AOL-HN
X-Amzn-RequestId
Nel
X-Cache-Action
X-Seen-By
X-ECACHE
Refresh
X-B3-Sampled
X-Pinterest-Direct
From-Origin
X-Amz-Apigw-Id
Access-Control-Allow-Method
X-Upgrade-Enabled
X-Tumblr-Pixel
X-Response-Served-From
X-Cache-Rule
X-Host-Name
X-Accel-Buffering
X-Protected-By
X-Tumblr-Pixel-0
X-Tumblr-User
X-ProcessESI
X-Cache-Operation
X-RemovedCookies
X-Instance
X-Drupal-Cache-Tags
X-Is-Bot
X-Cacheable-TTL
Content-Disposition
X-Mid
X-MCACHE
VIX-Pulpo-Node
X-Rendered-As
Odigeo-Trace-Id
VIX-Pulpo-Upstream-Status
X-Region
X-WA-Info
X-Time
X-UUID
X-Environment-Context
X-L-Path
Payment
X-FW-Dynamic
X-FW-Hash
X-FW-Server
X-Rule
X-FW-Static
X-FW-Type
X-FW-Serve
X-Varnish-Server
Eomportal-Instance
Datacenter
MS-CV
X-Adobe-Content
X-Release
Countrycode
X-Adobe-Loc
X-Cache-Time
Source
Uber-Trace-Id
X-Litespeed-Cache
Xserver
X-Proxy
X-Cached-By
X-Akamai-Request-ID2
X-EdgeConnect-Cache-Status
X-Load-Cache
X-Cache-Server
X-Cache-Control
X-PressLabs-Stats
X-UnsetCookies
X-Mobile
X-GeoIP
X-Akamai-Transformed
X-PHP-Backend
Cache-Status
X-Azure-Ref
Access-Control-Request-Headers
X-NewRelic-App-Data
X-Yottaa-Metrics
X-Correlation-ID
X-Yottaa-Optimizations
X-Origin-Response-Time
X-Tt-Trace-Host
X-Tt-Trace-Tag
Version
X-VCache
Accept-Language
X-SERVER-NAME
X-Wix-Request-Id
X-Air-Hostname
X-Handled-By
X-Mode
X-NGENIX-Cache
X-Cache-NGX
X-Cluster
Liferay-Portal
X-Backend-Name
X-NWS-UUID-VERIFY
Cache
X-Framework
X-IPS-LoggedIn
X-Ua
X-CSRF-Token
X-Tumblr-Pixel-2
NGB
X-Tumblr-Pixel-1
X-Cache-Remote
X-Locale
X-VWS-Id
X-URL
X-LJ-Flow-ID
X-PERF
Cross-Origin-Window-Policy
X-Proxied
Filterid
X-FireWall-Port
X-Path-Route
X-Via-Fastly
X-Zipkin-Id
X-Routing-Service
X-Cache-Var
X-Adobe-Source
X-RateLimit-Limit
X-AWS-Id
X-ApacheServer
X-RN-RSRV
X-Cache-Var-Map
X-UA-Device-Type
Meta-Geo
X-UPSTREAM-Address
X-ES-SERVER
Load-Balancing
X-CCM
X-Qloud-Router
DSUID
X-Real-IP
Mn-Server-Ip
X-MP-GENERATED-AT
ServedBy
X-TX-ID
X-Cache-Status-Check
Server-Info
X-Detected-As
Cache-Hits
X-Site-Version
X-Viewer-Country
X-Www-Served-By
Cleartype
X-SayCDN-TTL
X-Web-Node
Akamai-GRN
X-Section
Cache-Name
Cache-Tv-Group
X-Pubstack
Section-Origin-Responded
X-IP
X-Storage
Section-Io-Origin-Time-Seconds
X-Info
X-Human
X-Cache-Config
X-Access
X-Format
X-OCL
X-PCL
Decoy-Debug-Status
X-Say-Cacheable
Decoy-Debug-Key
X-Redis-Cache
X-R9-Blue-Green-Version
Section-Io-Origin-Status
Section-Io-Id
Now
X-Say-TTL
Decoy-Debug-TTL
X-Device-Type
X-CS
X-Cache-Enabled
X-BYPASS-REASON
S-Rt
Property-Id
X-Labrador-Cache-Channel
Webcakes-App-Name
X-FW-Version
X-EIG-Tracking-Id
X-Bc-Bl
X-Alternate-Cache-Key
TWC-Locale-Group
TWC-Privacy
Webcakes-Region
Webcakes-App-Version
TWC-GeoIP-LatLong
TWC-GeoIP-Country
Webserver
TWC-Connection-Speed
TWC-Device-Class
Fastly-SSL
X-Hosted-By
X-ShopId
X-PHP-Host
X-Origin-Hint
X-ProxyCache-Key
X-ShardId
X-ServerID
X-ProxyCache-Status
X-Shopify-Stage
X-Sorting-Hat-PodId
X-NCache
X-Sorting-Hat-ShopId
X-Varnish-Cache-Hits
X-Cache-Host
X-Timing-Wait
X-Time-Microsecs
X-BCube-Filmed-By
X-TNCMS
X-Content-Age
X-No-Session
X-Generated
X-Hl-Ver
X-JoinUs
X-From
X-FC-Vary-Parameters
X-Loop
X-Proxy-Build
X-NYM-Debug-Backend
X-FB-TRIP-ID
X-SaId
X-Origin
Selected-Fe
X-RTag
X-Amzn-Remapped-Content-Length
DB-Nickname
Ms-Operation-Id
X-Hyper-Cache
Origin-Cache-Control
Azure-SiteName
X-Geo
Azure-SlotName
Azure-RegionName
X-APP-VERSION
Ec-Rule-Version
Azure-Version
Azure-InstanceId
X-Cache-TTL-Remaining
X-Cache-2
X-Drupal-Cache-Contexts
X-Xfnlog-Site
X-Unique-Id
X-XRDS-LOCATION
Time
X-Urbn-Context-Path
Locale
X-Urbn-Site-Id
Apigw-Requestid
Geo-Info
X-Goog-Meta-Goog-Reserved-File-Mtime
SD-X-WS
X-RequestSource
Origin-Edge-Control
Country
X-Pad
X-Presslabs-Stats
X-Vcache
X-Source
User-Agent
X-Varnish-Hostname
X-Cluster-Node
X-Old-Content-Length
X-EC-Lua
X-App-Version
X-Debug-Cache
X-Cache-NE
Upgrade-Insecure-Requests
X-Soup
FilterID
X-Akamai-Request-ID
X-RCS-CacheZone
X-Proto
X-Tb
X-Parent-Response-Time
X-CDN-Forward
X-Cache-Backend
Proxy-Connection
X-Backend-TTL
X-Cache-PHP
X-DC
X-Cache-Grace
X-SRV
X-Storefront-Renderer-Rendered
X-App
X-Proxy-Cache-Status
X-Forwarded-Host
Cache-Key
LB
X-External-Request-Id
X-A-Ccd
True-Client-Country-4JS
UCS
X-DevSite-Last-Modified
X-Dispatch
X-Aed
Content-Script-Type
X-Swa-Ws
X-Geo-Header
Fastcgi-X-Cache-Version
Content-Style-Type
X-G
X-Developer
X-Uri
Xc-Version
X-Trace-Id
X-Destination
Who
X-B-Cookie
T-Server
X-CF-Lambda-Version
X-A-Dcw
X-A-Dam
AsisCache
Arc-Country
X-CF-Lambda-Fn
VivaBuild
X-A-Wwc
X-Date
X-A-Dgt
BehaviorPad-Version
X-D
X-Connection-Hash
Viewtype
X-Accel-Expires-Debug
X-ARC
X-Application
FNAC-ModuleRouting
X-Response-By
Rendered-Blocks
X-Rewrite-Enabled
X-VG-WebCache
X-A
X-VG-WebServer
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
X-Newrelic-Synthetics
IsBot
X-Region-Sid
X-Rojux
X-Vdms-Version
X-S-Cookie
Machine
X-Scheme
M-TraceId
X-Twitter-Response-Tags
X-ScT
X-Trv-Group
X-Vdms-Path
X-Transaction
X-SD-PageType
X-S
MD5-Digest
X-Processor
ServerName
X-Nginx-Cache-Key
X-SIPLIST1
Mobile-Detection-Method
Meta-Geo-Continent
X-Tumblr-Pixel-3
N-Cache
X-SRCache-Key
GEO-REGION-INFO
X-Method
X-Session-Fingerprint
X-NodeID
X-FORWARDED-FOR
X-PAYTM-SRV-ID
X-Magnolia-Registration
X-Nc
X-Origin-CC
X-Srv
X-Origin-TTL
On-Server
NM-Fastcgi-Cache
Viewport
Thinkindot-CacheControl
Thinkindot-Control
NGX
Thinkindot-CacheControl-Type
Wxu-Next-Region
Sever-Int
Release
Vix-Hermes-Req-Id
Server-Host
V-Age
Server-Hostname
RNT-Time
Wxu-Next-Commit
RNT-Machine
Pagetype
Server-Ext
Wxu-Next-Hostname
X-Policy
X-RateLimit-Limit-Second
X-RateLimit-Remaining-Second
X-Req
X-Reqid
X-Owner
X-Node-Id
X-Logging-Id
X-Matched-Rule
X-Micro-Cache
X-Servername
X-ServiceProvider
X-Varnish-Cacheable
X-VC-Cache
X-WADP-Cache
X-Worker
X-User
X-Thinkindot-L3
X-Skip-Cache
X-SN
X-Thanos
X-Loc
X-Level-Front-Cache
X-Cache-FS-Status
X-Cache-Info
X-Cache-URL
X-Clara-WADP
X-Cache-Bucket
X-Bip
X-Agile-Age
X-Agile-Id
X-Backend-State
X-Cms-Context
X-Compress-Hint
X-Generated-On
X-Generation-Time
X-Hash
X-LAGOON
X-Generated-In
X-Fmm-Version
X-Developers
X-Device-Os
X-Dispatcher-Server
X-Agile
We-Hiring
Cache-Cookie-Set-Idcheck
Cache-Cookie-Set-From
Cache-Cookie-Set-Lfrom
CacheControlHeader
CDCHOST
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
X-AIR-PT
AKAMAI
Apple-News-Services-Handled
Apple-News-Services-Host
X-NC
OT-Force-Account-Verify
Mail-Subject
Kp-EeAlive
Magicmarker
X-Cluster-Name
X-Hit
User-Cache-Control
X-Request-UUID
X-Server-W
X-TH-Server
X-Request-Host
X-Block-Status
Node
X-Auto-Login
X-Slack-Backend
X-Distributor
X-Distil-CS
X-Be
X-Envoy-Decorator-Operation
X-Wikidot-Static-Cache
X-Rebelmouse-Surrogate-Control
X-Clientip
X-Location
X-CGP
Referer-Policy
X-Is-Gdpr
X-Fastly-Cache
X-Core-Value
X-Core-Mission
X-Hnp-Log
X-Mvc-Supplant-Cachable
X-Cache-Id
X-Rebelmouse-Cache-Control
X-Gzip
X-Origin-Expires
X-Cache-Tags
X-NU-AKA-ACS-Version
X-Origin-Date
X-Has-Esi
X-Gen-Mode
Fastly-SWR
X-VG-TLSProxy
X-VServer
X-Epic-Correlation-Id
Fastly-SIE
Sid
Fastly-Drupal-HTML
X-Esi-Check
Gh-Request-Id
HA-Ipaddr
X-Webstats-RespID
X-Wikidot-Backend
Ha-Gx-Prefs
Rt-Fastcgi-Cache
X-Eu-Site
X-We-Are-Hiring
X-Variation
Is-Eu
L5d-Success-Class
X-SVT-ORM-RULES
W
C-Via
X-SVT-ORM-VERSION
Web-Mar-Node
X-JWT-State
Adler-Geo
X-Var-Ttl
Platform
X-TrackingId
X-Li-Fabric
X-GoCache-CacheStatus
X-Li-Pop
X-LI-UUID
X-LI-Proto
X-Edge-Location
X-Contensis-Viewer-Groups
Cf-Ipcountry
X-Varnish-Authentication
X-Key
X-Reboot
X-TA-CDN-Provider
X-BBXSRF
X-Cache-ASPX
X-Backend-Host
Memcached
X-Irp-Debug
X-Varnish-Beresp-Status
S-Cnection
X-Varnish-Beresp-Grace
X-Varnish-Beresp-Ttl
X-Wa
X-Cache-Debug
X-Configured-By
X-Branch-Name
Pragrma
X-Dc
HostName
MIME-Version
X-Cdn-Forward
NR-ENABLED
WPE-Backend
X-Instart-Info
X-Refresh
X-Varnish-URL
X-Microcachable
X-Via-CDN
X-ZONE
X-BC
Fastly-Backend-Name
X-Via-PopV
X-Via-PopH
X-Envoy-Upstream-Healthchecked-Cluster
GEO-INFO
X-Platform-Server
X-Up
X-Servedbyhost
X-Ms-Version
X-Ms-Request-Id
X-Minions-Version
X-Mvc-Supplant-OutputCached
X-Nginx-Cache
X-Batcache
X-TT-TIMESTAMP
X-Ua-Device
X-MSEdge-Features
X-MSEdge-Flight
X-Vgn-Hpd-Reason
Memory
X-ElasticPress-Query
X-B3-Traceid
X-UA
X-Aicache-OS
NtCoent-Length
Esi-Enabled
X-Bc
X-Zone
X-Sucuri-ID
L
X-ND-Cache
X-VCL-Version
X-Pjax-Url
X-App-Name
Server-ID
X-BACKEND-TTL
CACHE
X-TIME
X-Unique-ID
X-Debug-Panamera-Sitecode
DCR-Processing-Time-Ms
X-Debug-Panamera-Host
X-Server-IP
GeoIP-Country-Code
Cache-Host
DCR-Decision-By
Ohc-File-Size
GeoIP-Latitude
X-CF-Powered-By
X-GEO
X-Svr
X-COUNTRY
X-Cdn-Srv
X-PF-Uncompressing
X-Fastly-Cache-Status
X-Client-Ip
Powered-By-ChinaCache
Tracecode
Pramga
FSS-Cache
X-Oss-Object-Type
X-Oss-Hash-Crc64ecma
X-FPC
X-Oss-Request-Id
HitType
Server-Surrogate-Control
X-Oss-Storage-Class
X-Oss-Server-Time
Location
X-Generated-By
Server-Cache-Control
X-BE
X-Ratelimit-Reset
X-S-Maxage
Hostname
X-Varnishpool
Ohc-Response-Time
X-Azure-Ref-OriginShield
Resin-Trace
X-LB-ID
X-Sucuri-Cache
X-Check-Cacheable
X-VCT
X-Rocket-Nginx-Bypass
X-Varnish-Ttl
X-VarnishDD-TTL
X-OVcl
PFcat
X-OVcl-Cache
X-Original-Request-Id
Cteonnt-Length
X-Instart-Isnd
Locid
X-Fastly-Backend-Reqs
Heartbleed
Request-EU
X-Fastly-Country-Code
X-Fpc
Request-Country
X-Varnish-Hits
X-Cache-Expired-At
X-Edge-Server
Cdn-Request-Time
X-Render-Time
X-Platform
X-Request-URI
X-Vgn-Hpd-Cached
X-Vgn-Hpd-Ssi
X-Vgn-Hpd-Variations-Key
Cdn-Host
X-HS-Status
X-VHOST
X-Newrelic-App-Data
X-PJAX-URL
Lfy
CF-Cached-On
X-CSRF-TOKEN
X-CUA
GeoIp-Country-Code
Geoip-Latitude
X-Gamma-Serve
X-Vcl-Version
Amp-Access-Control-Allow-Source-Origin
SRV
X-Pf-Uncompressing
X-Ratelimit-Remaining
Pics-Label
SN
Epwk-X-Cache
X-Shopify-Generated-Cart-Token
X-CACHE-AGE
X-Oracle-Dms-Rid
X-WebServer
X-CLOUD-TRACE-CONTEXT
WZWS-RAY
WWW-Authenticate
X-CACHE-KEY
X-RunCloud-Cache
X-ECache
Backend
X-Proxy-Upstream
X-StackifyID
Product
Backend-Name
X-NGINX-Cache
X-Fetched-On
X-Via-Popv
X-ServedByHost
Mime-Version
URI
X-Sn-Servicetimems
X-Cdn-Origin
XServer
X-Via-Poph
X-Csrf-Jwt
X-Varnish-Url
My-App
X-Ratelimit-Limit
X-Amzn-Remapped-Date
X-Amzn-Remapped-Connection
X-Ftr-Cache-Host
X-Tec-Api-Origin
CloudFront-Viewer-Country
A
X-GeoIP-Country-Code
X-Tec-Api-Root
X-Tec-Api-Version
X-Oss-Cdn-Auth
Ohc-Cache-HIT
X-Sigma-Backend
X-Debug-Cache-Store
X-Debug-Cache-Fetch
X-Rocket-Build-Number
X-B3-SpanId
X-Request-Time
X-Sigma
Dt-Cache-Category
Lb
PICS-Label
Host-ID
Cloudfront-Viewer-Country
X-Cache-Tag
Server-Ttl
X-Request-Start
X-Debug-Do-Not-Cache-Uri
X-Debug-Xas-Auth
X-Debug-Ysi-Auth
X-LiteSpeed-Cache-Control
X-Debug-Cache-String
X-Debug-Cache-Bypass
SID
X-Tb-Optimization-Total-Bytes-Saved
X-B3-Spanid
X-Nananana
X-Debug-Cache-Status
X-Swift-Error
X-Cache-Version
Group
X-Apw-Access-Token
CF-IPCountry
Cdn
X-Acquia-Application-UUID
X-Served-From
X-Varnish-Beresp-TTL
X-Apw-Hits
X-WA
X-Acquia-Site
X-Acquia-Purge-Tags
X-Acquia-Application-Trace
X-DPWN-IS-SECURE
Cneonction
X-Apw-Access-Object
Proxy-Firewall
X-Apw-Access-Action
X-Snapshot-Date
X-Cache-Hfrom
Dnion-Transfer-Encoding
FSS-Proxy
Warning
X-Dw-Trace-Id
X-WR-MODIFICATION
X-VC
Cf-Alt-Svc
X-Html-Edge-Cache
X-Request-URL
X-ElasticPress-Search
X-Cache-Hm
X-SB
X-Varnish-ID
Inserted-Into-Cache-At