Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC: HTTP Header Usage Statistics



This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find out how many sites use security-relevant headers, such as the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security-relevant or not). We access the index page of each site using a HEAD request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Cf-Request-Id
Accept-Ranges
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Access-Control-Allow-Origin
Report-To
NEL
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
Alt-Svc
X-UA-Compatible
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Check
X-Cacheable
Timing-Allow-Origin
X-Request-ID
P3p
X-FRAME-OPTIONS
Feature-Policy
X-Iinfo
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-CDN
Access-Control-Expose-Headers
X-Drupal-Dynamic-Cache
X-CONTENT-TYPE-OPTIONS
X-AspNetMvc-Version
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
EagleId
Keep-Alive
Request-Context
X-Ua-Compatible
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
Host-Header
X-Proxy-Cache
X-Amz-Request-Id
X-UA-Device
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Dns-Prefetch-Control
X-Swift-SaveTime
X-Swift-CacheTime
X-Server-Powered-By
X-Varnish-Cache
Ali-Swift-Global-Savetime
X-Vhost
X-Akamai-Path-Stats
X-LiteSpeed-Cache
X-Amz-Version-Id
CONTENT-SECURITY-POLICY
X-Dispatcher
X-WebKit-CSP
EagleEye-TraceId
X-Nginx-Cache-Status
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-OneAgent-JS-Injection
X-Cache-Spec
X-Device
Cf-Railgun
Allow
X-Page-Speed
X-Host
X-Node
X-Pingback
X-Server-Id
X-Aws-Lambda-Call-Status
Accept-CH
X-CST
Surrogate-Control
X-Backend-Server
Request-Id
X-ASPNET-VERSION
X-Akam-SW-Version
X-Readtime
X-HW
X-Cache-Lookup
X-Response-Time
X-Application-Context
Xkey
Accept-CH-Lifetime
Content-Location
Cf-Edge-Cache
X-Cloud-Trace-Context
Rating
X-Trace
X-Url
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
Fastly-Restarts
X-Country
Accept-Ch-Lifetime
X-Mod-Pagespeed
X-PC
X-TtlSet
X-Vname
X-MS-InvokeApp
X-Ruxit-JS-Agent
X-Rack-Cache
X-Server-Name
X-Clacks-Overhead
Edge-Control
RTSS
X-Varnish-TTL
X-ESI
X-B3-TraceId
X-Content-Type
X-VARITI-CCR
X-Vcap-Request-Id
Cache-Tag
X-Exp-Id
X-Amz-Rid
X-Kinja
X-Use-Magma
X-Kinja-Server
X-Kinja-Revision
X-Exp-Variant
X-GoogleNews-Bot
X-Kinja-Build
X-Cdn-Fetch
X-Cnection
X-Ac
Public-Key-Pins
X-Dw-Request-Base-Id
X-Px
X-Amz-Server-Side-Encryption
X-Element-Page-Cache
X-D2id
Verso
X-Navigation-Version
X-RateLimit-Remaining
Accept-Ch
X-Abt-Application-Version
X-Cache-TTL
X-Client-IP
X-Powered-By-Plesk
X-FastCGI-Cache
Service-Worker-Allowed
X-Sol
X-Middleton-Display
Pagespeed
Display
X-Country-Code
X-Ser
X-GitHub-Request-Id
X-Version
X-Edge
Arr-Disable-Session-Affinity
X-Ruxit-Js-Agent
X-Middleton-Response
Response
X-NF-Request-ID
Access-Control-Request-Method
X-Goog-Hash
X-Correlation-Id
X-Ttl
X-Upstream
AR-Request-ID
AR-CACHE
AR-ATIME
AR-SID
AR-PoweredBy
X-Kinsta-Cache
X-Edge-Location-Klb
SPRequestDuration
SPIisLatency
X-Webkit-Csp
X-Ua-Device
X-TTL
X-Cached
X-LLID
X-NWS-LOG-UUID
X-Kraken-Loop-Name
X-Server-Lifecycle-Phase
X-Instrumentation
X-Powered-CMS
Nginx-Cache
Edge-Cache-Tag
X-RateLimit-Limit
TCN
X-Cache-Key
MS-Author-Via
SPRequestGuid
X-SharePointHealthScore
X-Forwarded-For
X-Litespeed-Cache
MRF-Tech
Mrf-Cache-Status
X-MSEdge-Ref
Content-MD5
X-B3-TraceId-Primal
X-Shield-Request-Id
X-Content-Security-Policy-Report-Only
X-T
X-Id
X-Aspnetmvc-Version
X-Daa-Tunnel
X-Recruiting
X-Mg-S
S
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-Content-Digest
X-Protected-By
X-DataDome
X-Jurisdiction
X-HP-Trace-Id
X-HP-Webp
X-SRCache-Fetch-Status
X-SRCache-Store-Status
MicrosoftSharePointTeamServices
X-Frontend
X-HS-Cache-Config
X-HS-Hub-Id
X-Ezoic-Cdn
X-HS-Content-Id
X-Yandex-Sdch-Disable
X-Ab
X-Content
X-Ua-Browser
Server-Node
X-HS-Combine-CSS
X-Request-Received
Front-End-Https
X-Request-Processing-Time
Filters
X-Grace
X-Accel-Expires
X-Mid
Fastcgi-Cache
X-Server-ID
X-ORACLE-DMS-ECID
X-ECACHE
X-ORACLE-DMS-RID
X-Hits
X-Geo-Country
X-PressLabs-Stats
X-Origin-Server
X-Ratelimit-Reset
TP-Cache
TP-L2-Cache
X-Distributor
Pinterest-Version
X-Pinterest-Rid
Pinterest-Generated-By
X-Debug-Info
X-Tt-Trace-Host
X-Amzn-Trace-Id
X-Tt-Trace-Tag
Charset
Cleartype
Host
X-Page-Id
X-DynaTrace
X-DIS-Request-ID
X-F-Cache
X-Git-Hash
Cross-Origin-Opener-Policy
X-B3-Sampled
X-Www-Served-By
X-LB-Cache
X-Forwarded-Proto
Access-Control-Allow-Method
Cache-Tags
X-Cache-Age
ServerID
X-Seen-By
X-Microsite
X-Request-Handler-Origin-Region
X-Language
X-Cluster-Name
X-Kong-Upstream-Latency
X-Activity-Id
X-Kong-Proxy-Latency
X-AppVersion
X-Az
Server-Name
Accept-Charset
X-Varnish-Age
X-WebKit-CSP-Report-Only
Realpath
Cache-Status
X-Oracle-Dms-Ecid
Filterid
X-Rid
X-Oracle-Dms-Rid
X-Type
X-Content-Options
X-App-Environment
X-Mobile-URL
Country
Viewport
X-User-Agent
Node
X-Nginx-Upstream-Cache-Status
X-Varnish-Grace
X-FB-Debug
X-Upgrade-Enabled
X-Wix-Request-Id
X-Origin-Cache
X-Tb
X-Via-JSL
Paypal-Debug-Id
X-Request-Guid
X-Providence-Cookie
X-Route-Name
X-Signature
X-Whom
X-Is-Crawler
X-Flags
X-B-Cache
DC
X-Drupal-Cache-Tags
X-Aspnet-Duration-Ms
X-XRDS-LOCATION
X-TT
X-NWS-UUID-VERIFY
X-Goog-Stored-Content-Length
X-GUploader-UploadID
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
X-Goog-Metageneration
Protected
X-Goog-Generation
X-VCache
Fastcgi-Useragent
Retry-After
X-Fastly-Request-Id
X-MCACHE
X-Varnish-Backend
X-Cache-NGX
Payment
X-Amz-Replication-Status
X-B
X-Contextid
X-Debug
X-Fastly-Request-ID
X-Template
X-Logged-In
X-Fastcgi-Cache
X-Mcache
WPO-Cache-Message
WPO-Cache-Status
X-FW-Serve
X-FW-Static
X-FW-Hash
X-FW-Dynamic
X-N
X-Load-Cache
X-FW-Type
X-FW-Server
Surrogate-Key
X-Hostname
X-Cache-Control
Amp-Access-Control-Allow-Source-Origin
Count-Hit
X-Node-Name
X-Trace-Id
X-Browser-Type
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
SD-X-WS
X-Original-Request-Id
X-Response-Served-From
Refresh
X-Amz-Meta-S3cmd-Attrs
X-Proxy
Healthy
Akamai-GRN
X-Revision
X-Jobs
X-Rendered-As
X-Zen-Fury
VIX-Pulpo-Node
X-UUID
X-XRDS-Location
X-Real-IP
X-Mobile
X-Parallel-Accel
VIX-Pulpo-Upstream-Status
X-Cache-Time
Uber-Trace-Id
X-G
X-Is-Bot
X-Akamai-Request-ID2
X-Cacheable-TTL
X-Http-Reason
X-Framework
X-Cache-TTL-Remaining
X-Page-View
Alternate-Protocol
X-Yottaa-Optimizations
Content-Disposition
X-Proxy-Cache-Status
X-Instance
X-Debug-IsConnected
NGB
X-Yottaa-Metrics
X-Drupal-Cache-Contexts
X-Device-Type
X-Debug-IsPreview
Access-Control-Request-Headers
X-Adobe-Loc
X-Adobe-Content
X-IPLB-Instance
X-Cache-Rule
From-Origin
Url
X-Servername
X-Vgn-Hpd-Reason
X-Source
Permissions-Policy
X-COUNTRY
Version
X-Cache-Grace
X-ECache
X-B3-Traceid
X-Cache-Expired-At
Accept-Language
X-Varnish-Server
X-Cache-Hit
X-L-Path
Referer-Policy
X-Environment-Context
X-Oneagent-Js-Injection
X-Mg-Request-UUID
X-EdgeConnect-Cache-Status
X-Restarts
X-Ratelimit-Remaining
X-NGENIX-Cache
Countrycode
X-App-Server
X-RTag
X-FW-Version
MS-CV
Ms-Operation-Id
Cross-Origin-Window-Policy
X-Cache-Action
X-IPS-LoggedIn
X-Tumblr-Pixel-1
Backend
X-Tumblr-Pixel-0
X-Tumblr-User
X-Tumblr-Pixel
Liferay-Portal
X-NYM-Debug-Backend
X-HTML-Minification-Powered-By
Frame-Options
X-RemovedCookies
X-ProcessESI
CF-IPCountry
Content-Secure-Policy
X-Hyper-Cache
WP-Super-Cache
Section-Io-Cache
X-APP-VERSION
X-RN-RSRV
Meta-Geo
X-Nginx-Cache
X-Cache-Server
X-PCL
X-OCL
Upgrade-Insecure-Requests
X-Redis-Cache
X-UPSTREAM-Address
Ec-Rule-Version
X-Cache-Enabled
X-Access
X-Content-Age
Apigw-Requestid
X-Format
Cache-Tv-Group
X-Rule
X-Cluster-Node
X-Detected-As
X-FB-TRIP-ID
X-Section
X-Ua
X-Generation-Time
X-No-Session
X-Web-Node
Mn-Server-Ip
Property-Id
Webcakes-Region
Azure-RegionName
X-UA-Device-Type
Azure-InstanceId
X-Urbn-Context-Path
X-ApacheServer
X-Urbn-Site-Id
X-Origin-Date
X-Human
X-Hosted-By
X-Uri
X-Varnish-Cache-Hits
Azure-SiteName
X-Via-Fastly
X-Sql-Count
X-Generated-By
X-Site-Version
Azure-SlotName
X-Sql-Duration-Ms
X-AOL-HN
TWC-GeoIP-LatLong
TWC-Connection-Speed
X-Say-Cacheable
X-Storage
X-PHP-Backend
TWC-Privacy
Webcakes-App-Name
TWC-GeoIP-Country
TWC-Device-Class
TWC-Locale-Group
X-Akamai-Edgescape
Webcakes-App-Version
Locale
Fastly-SSL
Azure-Version
X-Request-Time
S-Rt
X-Region
X-Say-TTL
X-SayCDN-TTL
X-PERF
X-Server-W
X-Origin-Hint
X-Be
X-Unique-Id
X-Mode
CDN-PullZone
CDN-RequestCountryCode
CDN-RequestId
CDN-EdgeStorageId
CDN-CachedAt
CDN-Cache
CDN-Uid
Webserver
X-Forwarded-Host
X-Cache-Tags
X-Cache-Host
X-BYPASS-REASON
X-Cache-Type
X-Content-Powered-By
X-ProxyCache-Key
Eomportal-Instance
X-Debug-Cache
X-Nginx-Cache-Key
X-Platform-Server
X-Xfnlog-Site
X-ProxyCache-Status
X-Status
X-Extlb
X-Tid
X-JoinUs
X-Alternate-Cache-Key
X-Varnishpool
X-Zipkin-Id
X-Sorting-Hat-ShopId
X-Backend-Name
X-Hl-Ver
X-Routing-Service
X-SaId
X-Sorting-Hat-PodId
X-ServerID
X-ShopId
X-Proxied
X-Shopify-Stage
X-ShardId
X-TT-LOGID
X-Adobe-Source
X-Proxy-Build
X-Cache-Operation
X-Webkit-CSP
X-Timing-Wait
X-Handled-By
X-Accel-Buffering
ServedBy
Selected-Fe
X-Labrador-Cache-Channel
X-PHP-Host
X-Cache-Remote
X-Dc
X-GG-Cache-Date
X-Locale
X-VWS-Id
SID
X-Rewrite-Enabled
X-Ratelimit-Limit
Xserver
X-AWS-Id
X-LSADC-Cache
X-LJ-Flow-ID
X-VC-Cache
X-Datadome
X-NewRelic-App-Data
X-Pubstack
X-Soup
X-Cached-By
X-Buckets
Fastly-Drupal-Html
Mime-Version
SRV
X-Edge-Location
LB
Web-Mar-Node
X-CDN-Forward
X-Proto
Country-Code
X-GEO
X-Storefront-Renderer-Rendered
X-Reqid
X-Request-Host
Decoy-Debug-Status
Decoy-Debug-Key
Decoy-Debug-TTL
Onion-Location
X-Microcachable
X-TA-CDN-Provider
X-Cms-Context
X-Varnish-Hostname
X-App-Version
X-Origin-CC
X-Origin-TTL
Server-Info
Xet-Cookie
Cache-Hits
X-Ms-Version
X-Midtier
X-Ms-Request-Id
X-Tumblr-Pixel-3
X-Tumblr-Pixel-2
X-NCache
X-GeoCountry
X-GeoCode
X-MP-GENERATED-AT
Load-Balancing
X-Cluster
X-Varnish-Hits
DynaTrace
X-Bc-Bl
X-Air-Source
X-B3-SpanId
X-Air-Hostname
X-CSRF-Token
X-Air-Trace-Id
X-Varnish-Beresp-Grace
X-SRV
X-Envoy-Decorator-Operation
X-R9-Blue-Green-Version
Cache-Name
X-Amz-Apigw-Id
X-Amzn-RequestId
X-RCS-CacheZone
X-Magnolia-Registration
X-Origin-Response-Time
X-Azure-Ref
X-Endurance-Cache-Level
Odigeo-Trace-Id
Pramga
Surrogated-Key
Sslversion
Mobile-Detection-Method
Rendered-Blocks
NM-Fastcgi-Cache
DCR-Processing-Time-Ms
A
DCR-Decision-By
BehaviorPad-Version
DB-Nickname
Cmstype
T-Server
Cdncip
Expiry
Lang
Cmsid
Host-ID
Fastcgi-X-Cache-Version
Cdnsip
Meta-Geo-Continent
X-Forwarded-Path
X-Processor
X-PBS-Appsvrname
X-Rojux
X-S
X-ScT
X-S-Cookie
X-PAYTM-SRV-ID
X-Orig-Expires
X-Ig-Push-State
X-HS-Content-Campaign-Id
X-LAGOON
X-Men
X-NodeID
X-NAPM-TraceId
X-SD-PageType
X-Session-Fingerprint
X-VG-WebCache
X-Vdms-Version
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Xc-Version
X-Webstats-RespID
X-Vdms-Path
X-User
X-SRCache-Key
X-Shop-Environment
X-Tenant
X-TIM-N
X-TrackingId
X-Hash
X-Gzip
X-ARC
X-Application
X-B-Cookie
X-Cache-Bucket
X-Cdn-Srv
X-Cache-NE
X-AK-Request-ID
X-Aed
X-A-Dam
X-A-Ccd
X-A-Dcw
X-A-Dgt
X-A-Wwc
X-CF-Lambda-Fn
X-CF-Lambda-Version
X-Esi-Check
X-Epic-Correlation-Id
X-External-Request-Id
X-From
X-Geo-Header
X-Ftr-Request-Id
X-Ec-GeoHdr
X-Ec-Fail
X-Connection-Hash
X-Conf
X-D
X-Destination
X-Developer
X-A
X-Cache-Id
X-Via-NSCOPI
X-Tx-Id
X-Is-Gdpr
Platform
X-JWT-State
X-Location
Producers
X-Has-Esi
X-GeoIP
Server-Host
X-Hnp-Log
X-Irp-Debug
X-Loop
X-Mvc-Supplant-Cachable
X-Origin-Time
X-Planisys-CDN-Cache
X-Planisys-CDN-Rules
X-Planisys-CDN-TTL
Mail-Subject
Memcached
X-Node-Id
X-Nyt-Route
X-Origin
X-Origin-Expires
State
X-Gen-Mode
X-Core-Value
X-Core-Mission
X-DefElseHash
X-DefHash
Web-Mar-Region
X-Clara-WADP
X-Ckpd-Fst-Backend
X-Block-Status
X-Cache-Backend
X-Amzn-Remapped-Content-Length
X-Cache-Info
We-Hiring
Vix-Hermes-Req-Id
X-Fmm-Version
X-Gdpr
X-Varnish-Ttl
Svr
X-Fetched-On
X-Fastly-Cache
V-Age
User-Cache-Control
X-Device-Os
X-DPWN-IS-SECURE
Is-Eu
Machine
X-SVT-ORM-VERSION
Apple-News-Services-Handled
X-Worker
X-Wix-Viewer-Type
X-SVT-ORM-RULES
Apple-News-Services-Host
X-Sigma-Backend
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
X-Slack-Backend
X-WADP-Cache
X-TNCMS
AKAMAI
Adler-Geo
X-Varnish-Remaining-TTL
X-VG-TLSProxy
X-Varnish-CookieINHashed-On
X-Varnish-CookieHashed-On
X-V-Cache
X-Variation
X-Viewer-Country
Source
X-Sigma
Wxu-Next-Commit
X-Rocket-Build-Number
X-Request-URI
Wxu-Next-Hostname
X-Developers
Wxu-Next-Region
Environment
Fastly-GeoIP-CountryCode
X-Scheme
X-Server-IP
X-SB
CDN
X-Ec-Custom-Error
X-Cache-Date
X-Eu-Site
X-Pod-Name
X-Datadog-Trace-Id
X-Branch-Name
X-CGP
X-Datadog-Sampling-Priority
X-Csrf-Jwt
X-Datadog-Parent-Id
X-VServer
Locid
X-Cdn-Origin
X-GeoIP-City
X-Region-Sid
X-Rebelmouse-Surrogate-Control
X-BBC-Edge-Cache-Status
X-Response-By
X-Old-Content-Length
X-Rocket-Nginx-Serving-Static
X-Policy
X-Pool
X-Qloud-Router
X-RateLimit-Limit-Second
X-Proxy-Upstream
X-Proxy-Cache-Info
X-Rebelmouse-Cache-Control
X-Served-From
X-Minions-Version
X-RateLimit-Remaining-Second
X-TIME
X-Generated-On
X-Gamma-Serve
X-Forwarded-Site
X-HN
X-Thinkindot-L3
X-Level-Front-Cache
X-Loc
X-Skip-Cache
X-Sn-Servicetimems
X-Httpd
X-VarnishDD-TTL
X-Platform
Fastcgi-Cache-TTL
Thinkindot-CacheControl
TDXMobile
Fastly-SIE
Fastly-SWR
Thinkindot-CacheControl-Type
Thinkindot-Control
CDCHOST
Cache
Origin
Cluster
Traceparent
Gh-Request-Id
Ssr
N-Cache
Redirect-Candidate
PFcat
Origin-EX
Origin-CC
Release
Req-Svc-Chain
HA-Ipaddr
Ha-Gx-Prefs
Kp-EeAlive
L
L5d-Success-Class
Arc-Country
CloudFront-Viewer-Country
X-Aicache-OS
X-Auto-Login
X-TraceId
X-Optimistic-Header
DSUID
NGX
X-Srv
HostName
MD5-Digest
X-RPM
X-RPS
X-RSL
X-DW
X-Time
X-EC-Lua
X-DSS
X-DI
X-DB
X-Xrds-Location
X-Parent-Response-Time
X-Tec-Api-Origin
X-Tec-Api-Version
X-Tec-Api-Root
X-Date
X-Owner
X-Dispatcher-Number
GEO-INFO
X-CacheTTL
X-NC
AMP-Access-Control-Allow-Source-Origin
X-WP-CF-Super-Cache
X-Accel-Expires-Debug
X-WP-CF-Super-Cache-Cache-Control
X-Tb-Optimization-Total-Bytes-Saved
X-ZONE
Sever-Int
X-GeoIP-Region-Code
X-SIPLIST1
X-Via-Ucdn
X-GeoIP-Country-Code
X-Akamai-Transformed
X-Refresh
Pics-Label
X-VC
Env
IsBot
X-Scale
Server-Ext
Server-Hostname
X-CS
Memory
X-Tt-Logid
Time
X-Mvc-Supplant-OutputCached
X-Edge-Pop
X-Ah-Environment
Servername
X-LB-NoCache
Ms-Author-Via
X-Newrelic-Synthetics
X-Udemy-Cache-App-Namespace
X-Wikidot-Backend
X-Wikidot-Static-Cache
X-Cache-Debug
Ohc-File-Size
X-API-Version
X-IPLB-Request-ID
Fusion-Content-Id
Fusion-Deployment-Id
Fusion-Content-Source
Fusion-Template-Id
Fusion-Source
Fusion-Component-Id
X-CACHE-KEY
Candidate-Md5Url
GeoIp-Country-Code
Cache-Key
Datacenter
X-Amz-Meta-Cb-Modifiedtime
X-Generated-In
Geo-Info
X-Ad-Defer-Variation
CacheControlHeader
X-BCube-Filmed-By
X-Servedbyhost
X-SplitTest
XM
X-TH-Server
X-S-Maxage
X-Action
True-Client-Country-4JS
VNS-Age
X-Via-Popn
X-Via-Poph
X-Cache-ASPX
X-Contensis-Viewer-Groups
CPC-Age
CPC-Cache
X-Via-Popv
VNS-Cache
X-HA-Backend
X-Backend-TTL
X-Varnish-Authentication
X-WA-Info
ITXSESSIONID
Fastly-Backend-Name
Geoip-Latitude
X-RateLimit-Reset
X-Vc
X-Micro-Cache
Path
X-VCL-Version
X-Presslabs-Stats
X-Cs
X-Cache-Status-Check
Client
FSS-Cache
X-Zone
X-Dynatrace
X-AIR-PT
Server-ID
X-Varnish-Beresp-TTL
X-Provided-By
Edge-Cache
X-Req
X-VHOST
Hostname
Cache-Host
X-DC
X-Trace-ID
My-App
Ngx.Var.Host
Lb
True-Client-IP
X-Origin-Upstream-Status
Ohc-Cache-HIT
X-Pass-Why
X-FireWall-Port
NtCoent-Length
X-Fpc
X-TX-ID
X-Up
DataCenter
X-Proxy-CacheRZ
X-Webkit-Csp-Report-Only
X-Api-Version
XkeyRZ
X-LB-ID
X-Clientip
X-NGINX-Cache
X-Varnish-Beresp-Ttl
X-FPC
X-B3-Spanid
Powered-By
X-PX
X-CSRF-TOKEN
X-LI-UUID
Test
X-Li-Pop
X-Traceid
OT-Force-Account-Verify
X-Li-Fabric
X-Cdn-Request-ID
Cf-Int-Pingora-Origin-Digest
X-ND-Cache
X-UnsetCookies
X-Correlation-ID
X-Beluga-Trace
X-Beluga-Status
Server-Id
X-Beluga-Response-Time
X-MSEdge-Features
WZWS-RAY
X-Dmc
X-Beluga-Record
X-MSEdge-Flight
X-Time-Microsecs
X-CUA
X-Webkit-CSP-Report-Only
X-Beluga-Cache-Status
User-Agent
X-Vcl-Version
X-Beluga-Node
Cf-Device-Type
X-Ha-Backend
X-Via-PopV
X-Via-PopN
X-Via-PopH
X-RAMCache
X-INCAP-ABP
Target-Params
X-Fragments
Tracecode
Uri
Proxy-Connection
X-Render-Time
X-Azure-Ref-OriginShield
X-CLOUD-TRACE-CONTEXT
Lfy
Resin-Trace
X-HS-Status
X-URL
X-ATG-Version
X-Platform-Cluster
X-ServedByHost
C-Via
X-Fastly-Backend
Rip
X-Var-Ttl
Srvid
X-Sucuri-Cache
X-Sucuri-ID
X-Platform-Router
X-Platform-Processor
X-FC-Vary-Parameters
X-Geo
X-Akamai-Pragma-Client-IP
X-Check-Cacheable
Tube-Return
Tube-Got-Results
X-Gateway-Skip-Cache
X-Gateway-Request-Id
GeoIP-Country-Code
X-Gateway-Cache-Key
Click-Count-Error
X-Service
X-Gateway-Cache-Status
Click-Count-Action-Start
GeoIP-Latitude
Tube-Get-Contents
Sid
Tube-Got-Eval
MIME-Version
X-NU-AKA-ACS-Version
X-Cdn-Forward
X-DynaTrace-JS-Agent
X-LI-Proto
X-CCDN-Origin-Time
X-M-Log
X-Varnish-Beresp-Status
X-M-Reqid
X-Qnm-Cache
X-Alfa-Service
X-Li-Proto
HIT
X-CCDN-CacheTTL
Epwk-X-Cache
Esi-Enabled
X-Fetch-By
X-Proxy-Cache-Hk
X-Hcs-Proxy-Type
X-TRACE-ID
Fastly-Drupal-HTML
X-Backend-Host
On-Server
X-Fastly-Backend-Reqs
Srv
ENV
Section-Io-Id
Magicmarker
X-Backend-State
Section-Io-Origin-Status
Section-Origin-Responded
Section-Io-Origin-Time-Seconds
Cdn
X-Esi
X-ID
X-Cache-CFC
ServerName
X-Edge-POP
XServer
PICS-Label
X-App
X-Lb-Nocache
X-Cache-Expires
X-Request-Start
X-B3-Traceid-Primal
X-MG-S
X-Srcache-Store-Status
X-LiteSpeed-Cache-Control
X-Srcache-Fetch-Status
X-Newrelic-App-Data
X-APP
X-Thanos
CF-Cached-On
X-Bip
X-Yottaa-OS
Server-Ttl
X-ElasticPress-Query
Tcn
D-Url-Rewrites
X-BBC-Origin-Response-Status
Wpo-Cache-Status
X-Acquia-Application-Trace
X-Vcache
Cf-Ipcountry
X-Serial
Wpo-Cache-Message
Inserted-Into-Cache-At
X-Iplb-Request-Id
X-Iplb-Instance
X-Acquia-Application-UUID
X-Acquia-Purge-Tags
X-Nc
X-Acquia-Site
Servedby
X-HostName
Warning
Fastcgi-Cache-Ttl
X-Request-URL
X-Fastly-Cache-Hits
X-Wp-Cf-Super-Cache
X-Wp-Cf-Super-Cache-Cache-Control
Content-Script-Type
X-Litespeed-Cache-Control
Cneonction
X-IN-APIGATEWAYSSL
X-IN-APIGATEWAY
X-B3-Parentspanid
Ngx
X-Release
X-Request-Url
M-TraceId
X-Dist-Code
X-Snapshot-Date
X-Cache-Config
X-Akamai-ERRuleID
X-Th-Server
X-Shopify-Generated-Cart-Token
X-LiteSpeed-Tag
X-Storefront-Renderer-Verified
X-CF-Powered-By
X-Back
Content-Style-Type
CountryCode
X-Akamai-ERPolicy
X-Dw-Trace-Id
X-Swift-Error
X-Akamai-Request-ID