Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
CF-RAY
ETag
Pragma
Expect-CT
X-XSS-Protection
X-Powered-By
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Cacheable
X-Check
Timing-Allow-Origin
X-Request-ID
P3p
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CONTENT-TYPE-OPTIONS
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
Keep-Alive
Request-Context
EagleId
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
X-Amz-Request-Id
Host-Header
X-Proxy-Cache
X-Akamai-Path-Stats
X-Amz-Id-2
X-UA-Device
X-Hacker
Grace
X-Rq
X-Dns-Prefetch-Control
X-Server-Powered-By
X-Swift-CacheTime
X-Swift-SaveTime
X-Varnish-Cache
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
X-Ua-Compatible
CONTENT-SECURITY-POLICY
EagleEye-TraceId
Allow
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-WebKit-CSP
X-Nginx-Cache-Status
X-OneAgent-JS-Injection
X-Device
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-Server-Id
X-CST
X-Pingback
X-Aws-Lambda-Call-Status
Surrogate-Control
Request-Id
X-Backend-Server
Accept-CH
X-Akam-SW-Version
X-Readtime
Cf-Edge-Cache
X-Cache-Lookup
X-Response-Time
X-HW
Xkey
X-Application-Context
Content-Location
X-ASPNET-VERSION
Accept-CH-Lifetime
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Trace
Accept-Ch-Lifetime
Fastly-Restarts
X-Country
X-MS-InvokeApp
X-Mod-Pagespeed
X-Rack-Cache
X-Vname
X-PC
X-TtlSet
X-Clacks-Overhead
X-Ruxit-JS-Agent
X-Server-Name
RTSS
Edge-Control
X-Varnish-TTL
X-VARITI-CCR
X-ESI
X-B3-TraceId
Cache-Tag
X-Content-Type
X-Vcap-Request-Id
Accept-Ch
X-Amz-Server-Side-Encryption
X-GoogleNews-Bot
X-Kinja-Server
X-Cdn-Fetch
X-Use-Magma
X-Kinja
X-Kinja-Revision
X-Exp-Variant
X-Exp-Id
X-Kinja-Build
X-Amz-Rid
X-Dw-Request-Base-Id
Public-Key-Pins
X-Px
X-Cnection
X-Ac
X-RateLimit-Remaining
X-D2id
X-Element-Page-Cache
X-Navigation-Version
Verso
X-Edge
X-Abt-Application-Version
X-Client-IP
X-Powered-By-Plesk
Pagespeed
Display
X-Sol
X-Middleton-Display
X-Cache-TTL
X-Ser
X-FastCGI-Cache
X-Version
Service-Worker-Allowed
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
X-Country-Code
X-Ruxit-Js-Agent
X-Middleton-Response
Response
X-NF-Request-ID
X-Correlation-Id
Access-Control-Request-Method
X-Goog-Hash
X-Ttl
SPIisLatency
SPRequestDuration
X-Kinsta-Cache
X-Edge-Location-Klb
AR-PoweredBy
AR-Request-ID
AR-ATIME
AR-SID
AR-CACHE
X-Cached
X-Upstream
X-Webkit-Csp
X-RateLimit-Limit
X-TTL
X-LLID
X-Server-Lifecycle-Phase
X-Instrumentation
X-NWS-LOG-UUID
X-Kraken-Loop-Name
X-Content-Security-Policy-Report-Only
X-Ua-Device
SPRequestGuid
X-SharePointHealthScore
X-Powered-CMS
Edge-Cache-Tag
Nginx-Cache
X-Forwarded-For
X-Cache-Key
X-Litespeed-Cache
TCN
Content-MD5
X-MSEdge-Ref
Mrf-Cache-Status
MRF-Tech
X-Shield-Request-Id
X-Daa-Tunnel
X-B3-TraceId-Primal
X-Id
X-T
X-Recruiting
MS-Author-Via
S
X-Content-Digest
X-Mg-S
X-ECACHE
X-TEC-API-ROOT
X-TEC-API-VERSION
X-TEC-API-ORIGIN
X-Protected-By
X-HP-Trace-Id
X-HP-Webp
X-Jurisdiction
MicrosoftSharePointTeamServices
X-Ezoic-Cdn
X-DataDome
X-Accel-Expires
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Frontend
X-HS-Cache-Config
X-HS-Combine-CSS
X-HS-Hub-Id
X-HS-Content-Id
X-Content
X-Ua-Browser
X-Ab
X-Grace
X-Request-Received
X-Request-Processing-Time
Front-End-Https
X-Yandex-Sdch-Disable
Server-Node
Filters
X-Mid
X-DynaTrace
X-Server-ID
Fastcgi-Cache
TP-L2-Cache
TP-Cache
X-Hits
X-Origin-Server
X-Geo-Country
X-Distributor
X-WebKit-CSP-Report-Only
X-PressLabs-Stats
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
X-Ratelimit-Reset
X-Request-Handler-Origin-Region
X-Debug-Info
X-Microsite
X-Amzn-Trace-Id
X-Tt-Trace-Tag
Cleartype
X-Tt-Trace-Host
Charset
X-Git-Hash
X-Page-Id
Host
X-DIS-Request-ID
X-F-Cache
X-LB-Cache
X-B3-Sampled
Cross-Origin-Opener-Policy
X-Pinterest-Rid
Pinterest-Version
Pinterest-Generated-By
X-Forwarded-Proto
X-Www-Served-By
X-Cache-Age
ServerID
Access-Control-Allow-Method
X-Seen-By
Cache-Status
X-AppVersion
X-Activity-Id
Realpath
X-MCACHE
X-Az
Cache-Tags
X-Cluster-Name
X-Varnish-Age
Accept-Charset
Filterid
X-Rid
X-Aspnetmvc-Version
X-Language
X-Kong-Upstream-Latency
X-Oracle-Dms-Ecid
X-Kong-Proxy-Latency
X-Oracle-Dms-Rid
Server-Name
X-Nginx-Upstream-Cache-Status
X-Content-Options
X-Type
X-App-Environment
Retry-After
X-Upgrade-Enabled
X-Origin-Cache
Country
X-Varnish-Grace
Viewport
X-Tb
Node
X-XRDS-LOCATION
X-Request-Guid
X-Providence-Cookie
X-User-Agent
X-Mobile-URL
X-Whom
X-Route-Name
X-Wix-Request-Id
X-FB-Debug
X-Aspnet-Duration-Ms
X-Signature
Paypal-Debug-Id
DC
X-NWS-UUID-VERIFY
X-B-Cache
X-Flags
X-Is-Crawler
X-Drupal-Cache-Tags
X-Varnish-Backend
X-TT
X-Goog-Metageneration
X-Goog-Storage-Class
X-Goog-Generation
X-Goog-Stored-Content-Encoding
X-VCache
X-Fastly-Request-Id
X-Goog-Stored-Content-Length
X-GUploader-UploadID
Protected
Fastcgi-Useragent
X-N
X-B
X-Via-JSL
X-Debug
X-Amz-Replication-Status
X-Cache-NGX
Payment
X-Logged-In
X-Fastly-Request-ID
X-Contextid
X-Load-Cache
WPO-Cache-Message
X-Fastcgi-Cache
WPO-Cache-Status
Surrogate-Key
X-Mcache
X-Amz-Meta-S3cmd-Attrs
Count-Hit
X-Template
X-Cache-Control
Permissions-Policy
X-FW-Static
X-FW-Server
X-FW-Serve
X-FW-Hash
X-FW-Dynamic
X-FW-Type
X-Trace-Id
X-Node-Name
Healthy
X-Browser-Type
Amp-Access-Control-Allow-Source-Origin
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-Response-Served-From
SD-X-WS
X-Original-Request-Id
X-G
X-Proxy
Akamai-GRN
Content-Disposition
Refresh
X-Cache-Time
X-Jobs
X-Mobile
X-Hostname
X-Real-IP
X-Cacheable-TTL
X-Zen-Fury
X-Rendered-As
X-Revision
X-Akamai-Request-ID2
X-XRDS-Location
X-UUID
Uber-Trace-Id
X-Framework
X-Is-Bot
X-Page-View
X-Http-Reason
X-Adobe-Content
X-Proxy-Cache-Status
X-Cache-TTL-Remaining
X-Adobe-Loc
Alternate-Protocol
NGB
VIX-Pulpo-Node
X-Instance
X-Debug-IsPreview
X-Drupal-Cache-Contexts
X-Device-Type
X-Debug-IsConnected
VIX-Pulpo-Upstream-Status
Access-Control-Request-Headers
X-Yottaa-Optimizations
Url
X-Yottaa-Metrics
X-Servername
X-IPLB-Instance
X-Cache-Grace
X-COUNTRY
X-Source
Version
X-NGENIX-Cache
X-Restarts
X-Varnish-Server
X-Mg-Request-UUID
X-ECache
X-L-Path
X-Environment-Context
X-B3-Traceid
From-Origin
X-Cache-Rule
Accept-Language
X-Cache-Hit
X-Vgn-Hpd-Reason
X-EdgeConnect-Cache-Status
X-Parallel-Accel
Countrycode
X-Oneagent-Js-Injection
X-Cache-Expired-At
MS-CV
X-RTag
Ms-Operation-Id
X-HTML-Minification-Powered-By
Referer-Policy
X-App-Server
Frame-Options
X-Datadome
X-NYM-Debug-Backend
Liferay-Portal
X-FW-Version
X-Tumblr-Pixel-1
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
Cross-Origin-Window-Policy
Backend
X-IPS-LoggedIn
X-APP-VERSION
X-ProcessESI
Content-Secure-Policy
X-RemovedCookies
WP-Super-Cache
X-Midtier
Section-Io-Cache
X-Cache-Action
X-Nginx-Cache
CF-IPCountry
Cache-Tv-Group
X-Redis-Cache
X-Cache-Server
Meta-Geo
X-Hosted-By
X-UPSTREAM-Address
X-RN-RSRV
Upgrade-Insecure-Requests
X-Region
X-No-Session
X-Web-Node
X-Detected-As
X-Generation-Time
X-Cache-Enabled
X-PCL
X-Ua
X-OCL
X-Content-Age
X-UA-Device-Type
X-FB-TRIP-ID
X-Cluster-Node
X-Access
TWC-Locale-Group
Locale
Azure-Version
Azure-SlotName
Azure-RegionName
Azure-SiteName
Property-Id
Fastly-SSL
TWC-Device-Class
TWC-GeoIP-Country
TWC-GeoIP-LatLong
TWC-Connection-Speed
S-Rt
Ec-Rule-Version
Azure-InstanceId
Apigw-Requestid
Webcakes-App-Version
X-ShardId
X-Alternate-Cache-Key
Webcakes-Region
X-AOL-HN
X-Akamai-Edgescape
X-ShopId
X-Shopify-Stage
X-Unique-Id
TWC-Privacy
Webcakes-App-Name
X-Sorting-Hat-ShopId
X-Sorting-Hat-PodId
X-Be
X-Sql-Count
X-Server-W
X-Site-Version
X-Section
X-SayCDN-TTL
X-Request-Time
X-Say-TTL
Mn-Server-Ip
X-Sql-Duration-Ms
X-Varnish-Cache-Hits
X-Via-Fastly
X-Uri
X-Urbn-Site-Id
X-Storage
X-Urbn-Context-Path
X-PHP-Backend
X-Say-Cacheable
X-Nginx-Cache-Key
X-Human
X-Origin-Date
X-Generated-By
X-Format
X-Origin-Hint
X-Mode
CDN-PullZone
CDN-RequestCountryCode
CDN-EdgeStorageId
X-Debug-Cache
CDN-Cache
X-Content-Powered-By
X-Status
X-Cache-Tags
X-NewRelic-App-Data
CDN-CachedAt
CDN-Uid
X-Xfnlog-Site
CDN-RequestId
X-BYPASS-REASON
X-Cache-Host
Eomportal-Instance
X-PERF
X-ApacheServer
X-Forwarded-Host
X-Adobe-Source
X-ProxyCache-Status
X-ProxyCache-Key
X-Platform-Server
X-Extlb
X-Varnishpool
X-Zipkin-Id
X-Handled-By
X-Hyper-Cache
X-Routing-Service
X-Backend-Name
X-Proxied
X-JoinUs
X-SaId
X-Cache-Type
X-Hl-Ver
X-ServerID
X-Tid
X-Locale
X-Labrador-Cache-Channel
X-PHP-Host
X-TT-LOGID
X-Dc
X-Proxy-Build
X-Ratelimit-Remaining
X-Timing-Wait
Selected-Fe
X-VWS-Id
X-AWS-Id
X-LJ-Flow-ID
ServedBy
X-Webkit-CSP
X-Rule
X-VC-Cache
X-GG-Cache-Date
X-Cache-Operation
X-Edge-Location
X-Storefront-Renderer-Rendered
X-LSADC-Cache
X-Cms-Context
Webserver
SID
X-Accel-Buffering
X-Proto
SRV
Web-Mar-Node
X-Rewrite-Enabled
X-CDN-Forward
X-Cached-By
Fastly-Drupal-Html
Mime-Version
X-Soup
X-Cache-Remote
Load-Balancing
Onion-Location
Xserver
X-GeoCountry
X-GeoCode
X-Varnish-Hostname
X-Pubstack
X-App-Version
X-GEO
Cache-Hits
X-Reqid
X-TA-CDN-Provider
Country-Code
X-Buckets
X-Cdn
X-Request-Host
X-Cluster
X-Origin-TTL
X-Origin-CC
X-Varnish-Hits
X-Microcachable
Decoy-Debug-Status
Decoy-Debug-TTL
Decoy-Debug-Key
Server-Info
X-SRV
X-Envoy-Decorator-Operation
X-Tumblr-Pixel-2
X-Tumblr-Pixel-3
LB
X-Ratelimit-Limit
X-MP-GENERATED-AT
X-Ms-Version
X-Magnolia-Registration
X-Ms-Request-Id
X-Air-Hostname
X-Air-Trace-Id
X-Air-Source
X-B3-SpanId
X-CSRF-Token
X-Amzn-RequestId
X-NCache
X-Amz-Apigw-Id
DB-Nickname
Cache
Xet-Cookie
X-Time
X-Endurance-Cache-Level
X-RCS-CacheZone
X-Tec-Api-Version
X-Tec-Api-Origin
X-Tec-Api-Root
X-Bc-Bl
DynaTrace
Odigeo-Trace-Id
Pramga
X-A-Ccd
DCR-Decision-By
T-Server
X-A
Surrogated-Key
Sslversion
Rendered-Blocks
X-A-Dam
A
Cdnsip
BehaviorPad-Version
Lang
Fastcgi-X-Cache-Version
Host-ID
Expiry
MD5-Digest
Mobile-Detection-Method
NM-Fastcgi-Cache
Meta-Geo-Continent
Cdncip
Cmsid
Cmstype
DCR-Processing-Time-Ms
X-D
X-Rojux
X-Processor
X-S
X-S-Cookie
X-SD-PageType
X-ScT
X-PBS-Appsvrname
X-PAYTM-SRV-ID
X-Ig-Push-State
X-HS-Content-Campaign-Id
X-NAPM-TraceId
X-Node-Id
X-Orig-Expires
X-Session-Fingerprint
X-Shop-Environment
X-Vdms-Version
X-Vdms-Path
X-VG-WebCache
X-Vtex-Processado-Em
Xc-Version
X-Vtex-Remote-Cache
X-User
X-TrackingId
X-SVT-ORM-RULES
X-SRCache-Key
X-SVT-ORM-VERSION
X-Tenant
X-TIM-N
X-Hash
X-Gzip
X-Cache-Id
X-Cache-Bucket
X-Cdn-Srv
X-CF-Lambda-Fn
X-Conf
X-CF-Lambda-Version
X-B-Cookie
X-ARC
X-A-Wwc
X-A-Dgt
X-Aed
X-AK-Request-ID
X-Application
X-Connection-Hash
X-Core-Mission
X-Fetched-On
X-External-Request-Id
X-Forwarded-Path
X-Ftr-Request-Id
X-Geo-Header
X-Esi-Check
X-Epic-Correlation-Id
X-Developer
X-Destination
X-Device-Os
X-Ec-Fail
X-Ec-GeoHdr
X-A-Dcw
X-Cache-NE
X-Varnish-Beresp-Grace
Source
Cache-Name
CDN
X-Tx-Id
X-R9-Blue-Green-Version
X-Planisys-CDN-TTL
Web-Mar-Region
Wxu-Next-Region
Wxu-Next-Hostname
Wxu-Next-Commit
X-TNCMS
X-Thinkindot-L3
X-Planisys-CDN-Cache
X-Block-Status
X-Worker
X-Wix-Viewer-Type
X-Amzn-Remapped-Content-Length
X-Planisys-CDN-Rules
User-Cache-Control
X-Webstats-RespID
Platform
Producers
Origin-EX
Origin-CC
Memcached
X-Rocket-Build-Number
Release
Server-Host
Thinkindot-Control
X-Azure-Ref
Thinkindot-CacheControl-Type
Thinkindot-CacheControl
State
TDXMobile
Traceparent
X-Origin-Response-Time
X-Gen-Mode
X-GeoIP
X-Mvc-Supplant-Cachable
X-Gdpr
X-From
X-Fastly-Cache
X-Fmm-Version
X-Has-Esi
X-Hnp-Log
X-Loop
X-Location
X-LAGOON
X-JWT-State
X-Irp-Debug
X-Is-Gdpr
X-NodeID
X-Nyt-Route
X-CacheTTL
X-Origin
X-Ckpd-Fst-Backend
X-Cache-Info
X-Origin-Expires
X-Origin-Time
Mail-Subject
X-Clara-WADP
X-Core-Value
X-DPWN-IS-SECURE
X-Ec-Custom-Error
X-Dispatcher-Number
X-Developers
X-DefElseHash
X-DefHash
X-Cache-Date
We-Hiring
X-Varnish-CookieHashed-On
X-WADP-Cache
AKAMAI
CloudFront-Viewer-Country
X-SB
Fastly-GeoIP-CountryCode
X-Variation
Environment
Adler-Geo
X-Varnish-CookieINHashed-On
X-Skip-Cache
X-Slack-Backend
X-IPLB-Request-ID
X-Sigma-Backend
X-VServer
X-Varnish-Remaining-TTL
X-Server-IP
X-Sigma
Is-Eu
X-Scheme
Machine
X-V-Cache
X-ZONE
X-Varnish-Ttl
X-Cdn-Origin
X-Via-Ucdn
CDCHOST
Redirect-Candidate
Apple-News-Services-Parsed-Url
X-CGP
X-Cache-Backend
Apple-News-Services-Request-Url
X-Branch-Name
X-Auto-Login
DSUID
X-Sn-Servicetimems
X-Aicache-OS
PFcat
Cluster
X-Region-Sid
X-BBC-Edge-Cache-Status
X-Level-Front-Cache
Apple-News-Services-Host
X-Csrf-Jwt
X-VG-TLSProxy
X-Viewer-Country
X-Gamma-Serve
X-Rocket-Nginx-Serving-Static
X-Generated-On
X-GeoIP-City
X-Httpd
X-Minions-Version
X-HN
X-SIPLIST1
X-Forwarded-Site
N-Cache
X-Datadog-Trace-Id
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
X-Platform
Origin
X-Request-URI
X-Eu-Site
NGX
X-VarnishDD-TTL
Apple-News-Services-Handled
X-Served-From
V-Age
Fastly-SWR
X-Proxy-Cache-Info
Vix-Hermes-Req-Id
Svr
Server-Hostname
Fastly-SIE
Gh-Request-Id
Sever-Int
L
X-Proxy-Upstream
X-Qloud-Router
Ssr
HA-Ipaddr
X-Loc
Ha-Gx-Prefs
IsBot
X-RateLimit-Limit-Second
X-RateLimit-Remaining-Second
L5d-Success-Class
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
Kp-EeAlive
Req-Svc-Chain
X-Policy
X-Pod-Name
Server-Ext
Fastcgi-Cache-TTL
X-Pool
HostName
X-WP-CF-Super-Cache
X-Via-NSCOPI
Ohc-File-Size
X-Optimistic-Header
X-Xrds-Location
X-Scale
X-WP-CF-Super-Cache-Cache-Control
X-CS
X-Newrelic-Synthetics
X-NC
X-EC-Lua
X-Tb-Optimization-Total-Bytes-Saved
Locid
X-Owner
X-Refresh
AMP-Access-Control-Allow-Source-Origin
X-Men
X-TraceId
Pics-Label
Arc-Country
X-Ad-Defer-Variation
X-VC
Cache-Key
X-Old-Content-Length
Candidate-Md5Url
Datacenter
X-Parent-Response-Time
X-Srv
X-Response-By
X-Wikidot-Static-Cache
X-BCube-Filmed-By
X-Wikidot-Backend
X-CACHE-KEY
CPC-Age
X-DB
X-Tt-Logid
X-Mvc-Supplant-OutputCached
X-LB-NoCache
X-RPM
X-Ah-Environment
X-RPS
GEO-INFO
X-RSL
CPC-Cache
X-DW
X-DI
VNS-Age
Env
VNS-Cache
X-SplitTest
X-DSS
Servername
XM
X-Edge-Pop
Ms-Author-Via
X-TIME
X-Cache-Status-Check
X-Udemy-Cache-App-Namespace
X-WA-Info
X-Date
Time
X-Cache-ASPX
X-Accel-Expires-Debug
X-Generated-In
X-Contensis-Viewer-Groups
Fastly-Backend-Name
Memory
X-Akamai-Transformed
X-Via-Poph
X-Micro-Cache
X-Amz-Meta-Cb-Modifiedtime
GeoIp-Country-Code
X-Varnish-Authentication
X-Via-Popn
X-GeoIP-Region-Code
X-Via-Popv
X-GeoIP-Country-Code
Lb
X-Servedbyhost
X-S-Maxage
X-AIR-PT
X-Cache-Debug
Path
Ohc-Cache-HIT
ITXSESSIONID
X-HA-Backend
Geoip-Latitude
X-API-Version
X-Presslabs-Stats
Fusion-Template-Id
X-RateLimit-Reset
Fusion-Source
Fusion-Deployment-Id
Fusion-Content-Id
Fusion-Content-Source
Geo-Info
Fusion-Component-Id
X-Vc
Client
True-Client-IP
Cache-Host
FSS-Cache
X-VCL-Version
CacheControlHeader
Ngx.Var.Host
X-Api-Version
True-Client-Country-4JS
Server-ID
X-Action
X-TH-Server
X-VHOST
Hostname
XkeyRZ
X-Cs
X-Proxy-CacheRZ
X-Varnish-Beresp-TTL
X-Backend-TTL
X-Trace-ID
X-Clientip
X-DC
X-FireWall-Port
X-Fpc
Edge-Cache
X-Zone
X-Req
X-TX-ID
X-Webkit-Csp-Report-Only
Powered-By
My-App
NtCoent-Length
X-NGINX-Cache
X-Provided-By
X-B3-Spanid
X-PX
X-Varnish-Beresp-Ttl
X-FPC
X-Pass-Why
X-Dmc
X-Origin-Upstream-Status
X-CSRF-TOKEN
X-Traceid
X-INCAP-ABP
X-MSEdge-Features
X-Up
X-Render-Time
X-MSEdge-Flight
Test
Cf-Int-Pingora-Origin-Digest
X-LB-ID
X-HS-Status
C-Via
X-Cdn-Request-ID
X-Correlation-ID
DataCenter
X-Vcl-Version
X-Webkit-CSP-Report-Only
Tube-Got-Results
Tube-Got-Eval
Tube-Get-Contents
Rip
Tube-Return
X-Gateway-Cache-Key
X-Service
X-Gateway-Skip-Cache
X-Gateway-Request-Id
X-Gateway-Cache-Status
Click-Count-Action-Start
Click-Count-Error
X-Beluga-Record
Server-Id
X-Beluga-Node
X-Beluga-Cache-Status
User-Agent
X-Beluga-Status
X-Beluga-Response-Time
X-Beluga-Trace
X-DynaTrace-JS-Agent
X-M-Reqid
Esi-Enabled
HIT
Proxy-Connection
X-Qnm-Cache
X-M-Log
X-Ha-Backend
X-Li-Fabric
X-UnsetCookies
Tcn
X-Li-Pop
OT-Force-Account-Verify
X-LI-UUID
X-Alfa-Service
X-ND-Cache
WZWS-RAY
Uri
X-Via-PopN
Srvid
On-Server
X-URL
X-Via-PopV
X-RAMCache
X-Via-PopH
Resin-Trace
X-Time-Microsecs
X-ServedByHost
X-Dynatrace
X-Geo
X-CLOUD-TRACE-CONTEXT
GeoIP-Country-Code
GeoIP-Latitude
X-CUA
Sid
X-Check-Cacheable
MIME-Version
X-Akamai-Pragma-Client-IP
X-Proxy-Cache-Hk
Tracecode
X-Hcs-Proxy-Type
Epwk-X-Cache
X-CCDN-CacheTTL
X-CCDN-Origin-Time
X-ATG-Version
X-LI-Proto
X-Platform-Router
Cf-Device-Type
X-Fetch-By
X-APP
Srv
X-Platform-Processor
Target-Params
WebServer
X-Platform-Cluster
X-Fragments
X-TRACE-ID
X-Cdn-Forward
Fastly-Drupal-HTML
X-Var-Ttl
X-Backend-Host
X-Sucuri-ID
X-FC-Vary-Parameters
Lfy
X-Fastly-Backend
X-Fastly-Backend-Reqs
X-Sucuri-Cache
ENV
X-ID
X-Esi
X-Azure-Ref-OriginShield
Cdn
X-Edge-Origin-Shield-Bytes
X-B3-Traceid-Primal
X-Cache-Expires
Section-Io-Origin-Status
XServer
ServerName
X-App
X-Varnish-Beresp-Status
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
X-Lb-Nocache
X-Edge-POP
Section-Io-Id
X-HostName
X-LiteSpeed-Cache-Control
X-Edge-Origin-Shield-Region
X-Srcache-Fetch-Status
X-MG-S
X-Srcache-Store-Status
X-NU-AKA-ACS-Version
X-Li-Proto
X-Backend-State
Inserted-Into-Cache-At
X-Newrelic-App-Data
M-TraceId
PICS-Label
CF-Cached-On
X-ElasticPress-Query
Magicmarker
X-Yottaa-OS
Dt-Hot-News
X-Nc
Cf-Ipcountry
X-CF-Powered-By
D-Url-Rewrites
X-Serial
X-Acquia-Application-UUID
X-Acquia-Purge-Tags
X-Iplb-Instance
X-Acquia-Site
Wpo-Cache-Message
X-Acquia-Application-Trace
X-Vcache
Server-Ttl
X-Iplb-Request-Id
X-Dw-Trace-Id
Wpo-Cache-Status
Servedby
Warning
Ngx
X-Wp-Cf-Super-Cache
X-Vercel-Cache
X-Vercel-Id
X-Wp-Cf-Super-Cache-Cache-Control
X-Fastly-Cache-Hits
Fastcgi-Cache-Ttl
Cneonction
X-Th-Server
X-IN-APIGATEWAY
X-Cache-CFC
X-IN-APIGATEWAYSSL
X-Request-Url
X-Release
X-Dist-Code
X-BBC-Origin-Response-Status
X-B3-Parentspanid
CountryCode
X-Storefront-Renderer-Verified
X-Request-URL
X-Snapshot-Date
X-Litespeed-Cache-Control
X-Back
Content-Script-Type
Content-Style-Type
X-Request-Start