Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Pragma
X-Powered-By
ETag
Link
Expect-CT
X-XSS-Protection
Via
CF-RAY
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-UA-Compatible
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
P3P
X-Cache-Hits
Alt-Svc
X-Served-By
X-Xss-Protection
CF-Ray
X-Timer
X-Varnish
X-Download-Options
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-Check
X-Adblock-Key
X-Request-ID
X-Permitted-Cross-Domain-Policies
X-Cache-Status
X-Generator
X-Cacheable
X-Kinja-Server-Push
Timing-Allow-Origin
X-DNS-Prefetch-Control
P3p
X-Iinfo
X-Content-Security-Policy
Status
X-AspNetMvc-Version
Content-Encoding
Upgrade
X-CDN
X-Drupal-Dynamic-Cache
Access-Control-Max-Age
X-Envoy-Upstream-Service-Time
Access-Control-Expose-Headers
Keep-Alive
X-Template
X-Via
X-Language
X-Ws-Request-Id
Feature-Policy
X-Age
X-Dns-Prefetch-Control
X-Backend
X-Cache-Group
X-Hacker
X-Server
X-Amz-Request-Id
X-Robots-Tag
X-Amz-Id-2
X-AH-Environment
X-UA-Device
EagleId
X-Proxy-Cache
Request-Context
X-Turbo-Charged-By
X-Server-Powered-By
Server-Timing
X-Nginx-Cache-Status
Host-Header
Grace
X-Buckets
Report-To
Xkey
X-Page-Speed
X-Rq
X-OneAgent-JS-Injection
X-Varnish-Cache
X-Pingback
X-Swift-SaveTime
X-Swift-CacheTime
Cf-Railgun
Ali-Swift-Global-Savetime
X-LiteSpeed-Cache
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Vhost
X-Amz-Version-Id
Cf-Bgj
X-WebKit-CSP
X-Host
X-Dispatcher
X-Backend-Server
X-Device
NEL
X-Node
Surrogate-Control
X-Ruxit-JS-Agent
X-Cache-Lookup
X-Server-Id
Content-Location
X-Response-Time
Request-Id
X-Origin-Cache
X-Akam-SW-Version
Accept-CH-Lifetime
X-Ac
X-ASPNET-VERSION
EagleEye-TraceId
Accept-CH
X-Country
X-HW
X-Mod-Pagespeed
Rating
X-Readtime
X-Cloud-Trace-Context
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
X-Application-Context
Pinterest-Generated-By
Edge-Control
Allow
X-Country-Code
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Vname
X-TtlSet
X-PC
X-DataDome
X-Url
X-Varnish-TTL
X-Cnection
X-Origin-Upstream-Status
X-MS-InvokeApp
X-GitHub-Request-Id
Fusion-Component-Id
Fusion-Deployment-Id
Fusion-Content-Source
Fusion-Template-Id
Fusion-Source
Fusion-Content-Id
X-Content-Type
X-D2id
X-Clacks-Overhead
X-Trace
X-Abt-Application-Version
X-Server-Name
Response
Display
Pinterest-Version
X-Pinterest-Rid
Pagespeed
X-Middleton-Display
X-Middleton-Response
X-Sol
X-Vcap-Request-Id
X-ESI
X-Px
X-Navigation-Version
X-FTR-Request-ID
X-Rack-Cache
Verso
X-B3-TraceId
X-DynaTrace
X-Cached
Service-Worker-Allowed
X-Webkit-CSP
MS-Author-Via
X-Fastly-Request-ID
X-Element-Page-Cache
X-Client-IP
Arr-Disable-Session-Affinity
X-Cache-TTL
X-Dw-Request-Base-Id
X-TTL
X-Powered-By-Plesk
X-Upstream
Content-MD5
X-Version
SPRequestGuid
AR-Request-ID
AR-CACHE
AR-ATIME
X-SharePointHealthScore
AR-PoweredBy
Ar-Sid
X-FastCGI-Cache
Fastly-Restarts
X-NF-Request-ID
X-Forwarded-Proto
X-Debug
X-CST
X-VARITI-CCR
X-Cdn-Fetch
X-Kinja
X-Exp-Variant
X-Exp-Id
X-Kinja-Build
Accept-Ch
X-Use-Magma
X-Kinja-Server
X-Kinja-Revision
X-GoogleNews-Bot
X-T
X-Goog-Hash
X-Jurisdiction
X-XRDS-Location
Access-Control-Request-Method
X-Powered-CMS
X-MSEdge-Ref
TP-L2-Cache
TP-Cache
X-Release
X-Content-Digest
X-Edge
SPIisLatency
SPRequestDuration
S
TCN
X-Amz-Rid
X-Ttl
X-Pinterest-Direct
RTSS
X-NWS-LOG-UUID
Cache-Tag
X-Server-ID
Public-Key-Pins
X-Node-Name
X-Ezoic-Cdn
Fastcgi-Cache
X-Yandex-Sdch-Disable
X-PressLabs-Stats
X-Request-Received
X-Request-Processing-Time
X-Mid
X-MCACHE
X-Cache-Key
Server-Node
X-Accel-Expires
Front-End-Https
X-Amzn-Trace-Id
X-Ratelimit-Remaining
X-Logged-In
X-Ser
X-Recruiting
X-Kinsta-Cache
X-Microsite
X-Cache-Hit
X-Request-Handler-Origin-Region
ServerID
X-Origin-Server
Accept-Charset
X-Page-Id
X-B3-TraceId-Primal
Mrf-Cache-Status
MRF-Tech
X-SRCache-Fetch-Status
X-SRCache-Store-Status
Host
X-Mg-S
Alternate-Protocol
X-B
Accept-Ch-Lifetime
X-Varnish-Age
X-ECACHE
X-Mobile-URL
X-Grace
X-Content-Security-Policy-Report-Only
X-Hostname
X-Amz-Server-Side-Encryption
X-DIS-Request-ID
Nginx-Cache
X-Shield-Request-Id
X-Ratelimit-Limit
Edge-Cache-Tag
Filterid
X-FTR-Realm
X-FTR-Balancer
X-FTR-DC
X-FTR-Backend-Server
X-FTR-Backend
X-Country-Code-Real
X-FTR-Cache-Status
X-FireWall-Port
X-FTR-Expires
Realpath
X-HP-Webp
X-Forwarded-For
X-Content-Options
X-Seen-By
X-Load-Cache
X-Hits
X-Git-Hash
X-F-Cache
X-LB-Cache
X-AppVersion
X-Az
X-Activity-Id
X-Jobs
X-N
X-App-Environment
X-Request-Guid
X-Type
MicrosoftSharePointTeamServices
X-Varnish-Backend
X-Varnish-Grace
Fastcgi-Useragent
Paypal-Debug-Id
X-Rid
X-Daa-Tunnel
Cache-Tags
X-Zen-Fury
DynaTrace
X-Proxy
X-WebKit-CSP-Report-Only
Cleartype
X-Upgrade-Enabled
Access-Control-Allow-Method
X-TEC-API-VERSION
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-Litespeed-Cache
X-Cached-By
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-FB-Debug
X-Akamai-Edgescape
X-App-Server
X-Id
X-Cache-Age
X-Amz-Meta-S3cmd-Attrs
Powered-By-ChinaCache
X-Geo-Country
DC
X-Cache-Rule
X-Cache-Operation
Content-Disposition
X-Host-Name
X-Correlation-ID
X-Goog-Generation
X-HS-Hub-Id
X-HS-Cache-Config
X-Respond-Thread
X-Content-Powered-By
X-GUploader-UploadID
X-Goog-Stored-Content-Length
X-Goog-Storage-Class
X-Goog-Stored-Content-Encoding
X-Goog-Metageneration
X-HS-Content-Id
X-HS-Combine-CSS
X-IPLB-Instance
X-User-Agent
X-B3-Sampled
X-Signature
X-Response-Served-From
X-Accel-Buffering
X-AOL-HN
X-Wix-Request-Id
X-Original-Request-Id
X-B-Cache
Healthy
X-Debug-Info
X-Whom
X-Region
MS-CV
AMP-Access-Control-Allow-Source-Origin
Akamai-Age-Ms
X-HTML-Minification-Powered-By
Payment
X-UUID
X-VCache
X-Rendered-As
X-Ua
X-FW-Type
X-Is-Bot
X-Frontend
X-FW-Hash
X-FW-Server
X-FW-Serve
X-FW-Static
X-FW-Dynamic
X-Cacheable-TTL
X-Distributor
X-Mobile
X-Rule
X-Cache-Time
X-Endurance-Cache-Level
X-Instance
Datacenter
Refresh
NGB
X-Amz-Apigw-Id
X-Tumblr-Pixel-2
X-Tumblr-Pixel-1
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Tumblr-User
X-Amzn-RequestId
Surrogate-Key
X-Via-JSL
Countrycode
X-App-Version
X-XRDS-LOCATION
Nel
S-Cnection
X-Acc-Debug-Context
X-Protected-By
Liferay-Portal
Viewport
PB-RID
Filters
PB-PID
Arc-Version
Charset
X-Varnish-Server
X-Ah-Environment
X-Backend-Name
X-Oneagent-Js-Injection
X-Hyper-Cache
X-Tec-Api-Origin
X-Tec-Api-Root
X-Tec-Api-Version
X-PHP-Backend
X-Cache-Expired-At
X-Cache-Server
X-Azure-Ref
X-Amz-Replication-Status
X-NewRelic-App-Data
Section-Io-Cache
Retry-After
X-Cache-Action
Referer-Policy
X-Fastcgi-Cache
X-Proxy-Cache-Status
X-Source
X-WA-Info
X-Sucuri-ID
X-EdgeConnect-Cache-Status
X-Cache-Control
Version
GEO-INFO
Eomportal-Instance
Powered
X-RemovedCookies
X-Environment-Context
X-L-Path
X-ProcessESI
X-Yottaa-Optimizations
X-Real-IP
X-DynaTrace-JS-Agent
Meta-Geo
X-Yottaa-Metrics
X-Cache-Var-Map
X-Framework
X-ES-SERVER
X-Cache-Var
X-RN-RSRV
X-From
Ms-Operation-Id
X-RTag
X-Revision
Frame-Options
X-GeoIP
X-Air-Hostname
X-Unique-Id
X-Time
X-Mode
Uber-Trace-Id
X-Cache-TTL-Remaining
X-R9-Blue-Green-Version
X-Qloud-Router
X-Xfnlog-Site
X-Correlation-Id
X-Cache-Host
X-Time-Microsecs
X-Labrador-Cache-Channel
Ec-Rule-Version
DB-Nickname
X-Human
X-Hosted-By
X-FW-Version
X-VWS-Id
Mn-Server-Ip
Cross-Origin-Window-Policy
X-ProxyCache-Status
X-PHP-Host
X-PCL
X-OCL
X-Hp-Webp
X-ProxyCache-Key
X-LJ-Flow-ID
X-Loop
Cache-Tv-Group
X-TNCMS
Server-Name
X-Cluster
X-Debug-Cache
X-Server-W
X-BYPASS-REASON
X-AWS-Id
X-FB-TRIP-ID
X-Origin-Hint
TWC-GeoIP-LatLong
X-Zipkin-Id
X-Amzn-Remapped-Content-Length
X-Locale
Webcakes-App-Name
X-Proxy-Build
X-Proxied
X-Status
X-Redis-Cache
X-NYM-Debug-Backend
TWC-Locale-Group
X-Routing-Service
X-Site-Version
TWC-Privacy
X-Timing-Wait
Selected-Fe
Webcakes-Region
TWC-Device-Class
TWC-Connection-Speed
X-Detected-As
X-CSRF-Token
X-Handled-By
TWC-GeoIP-Country
Property-Id
Webcakes-App-Version
X-Proto
X-Format
X-Ratelimit-Reset
X-ServerID
X-Via-Fastly
X-Section
X-Generated-By
X-Access
X-BCube-Filmed-By
X-Drupal-Cache-Contexts
X-Be
X-Device-Type
FSS-Cache
Cache
X-Sucuri-Cache
X-Cache-PHP
X-No-Session
X-JoinUs
X-SaId
X-ATG-Version
X-Hl-Ver
X-FTR-Cache-Host
X-Drupal-Cache-Tags
X-Contextid
Webserver
X-Varnish-Cache-Hits
From-Origin
X-CDN-Forward
X-Esi
X-URL
X-NCache
CF-Cached-On
X-Origin
X-NWS-UUID-VERIFY
OT-Force-Account-Verify
X-Adobe-Loc
X-Adobe-Content
X-NC
X-Oss-Server-Time
X-Oss-Storage-Class
X-AIR-PT
CACHE
X-Oss-Object-Type
X-Oss-Hash-Crc64ecma
X-Oss-Request-Id
X-GoCache-CacheStatus
X-TA-CDN-Provider
Azure-Version
X-Tt-Trace-Tag
X-TT
Azure-SlotName
X-Tt-Trace-Host
X-IPS-LoggedIn
Azure-SiteName
Azure-InstanceId
Azure-RegionName
VIX-Pulpo-Node
X-EIG-Tracking-Id
VIX-Pulpo-Upstream-Status
X-Akamai-Transformed
X-Bc-Bl
X-IP
X-EC-Lua
X-TIME
X-Cache-Enabled
X-CCM
X-Adobe-Source
X-APP-VERSION
SD-X-WS
X-ECache
Access-Control-Request-Headers
X-Backend-Host
X-Cache-2
X-Ruxit-Js-Agent
X-ShardId
X-Alternate-Cache-Key
X-Cache-Backend
X-ShopId
X-Tumblr-Pixel-3
Upgrade-Insecure-Requests
X-Storefront-Renderer-Rendered
X-Sorting-Hat-ShopId
X-Shopify-Stage
X-Sorting-Hat-PodId
X-Cdn
X-Backend-TTL
X-ApacheServer
X-Vgn-Hpd-Cached
X-Vgn-Hpd-Variations-Key
X-PERF
X-Soup
X-Cache-Grace
X-Viewer-Country
Node
X-Forwarded-Host
X-Pubstack
X-A-Dcw
DCR-Decision-By
X-A-Dgt
X-A-Dam
X-Aed
Apple-News-Services-Parsed-Url
Apple-News-Services-Request-Url
X-G
X-A-Wwc
Meta-Geo-Continent
Rendered-Blocks
Machine
MD5-Digest
Mobile-Detection-Method
Host-ID
X-A
X-A-Ccd
Apple-News-Services-Host
Fastcgi-X-Cache-Version
DCR-Processing-Time-Ms
X-ARC
Fastly-SSL
X-Storage
Decoy-Debug-TTL
Decoy-Debug-Status
X-CF-Lambda-Version
X-CF-Lambda-Fn
X-Say-Cacheable
X-Say-TTL
X-SayCDN-TTL
X-Cache-NE
Decoy-Debug-Key
X-Destination
X-B-Cookie
X-Application
X-D
X-Web-Node
Cache-Status
X-Connection-Hash
X-Varnishpool
Apple-News-Services-Handled
X-External-Request-Id
X-Worker
X-S
X-S-Cookie
X-ScT
X-Aspnet-Duration-Ms
Xc-Version
X-Rojux
X-PBS-Appsvrname
X-Processor
X-RCS-CacheZone
X-Request-UUID
X-Flags
X-Is-Crawler
X-VG-WebCache
X-Vdms-Version
X-VG-WebServer
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
X-Vdms-Path
X-Twitter-Response-Tags
X-Providence-Cookie
X-Transaction
X-Route-Name
X-Trv-Group
X-PAYTM-SRV-ID
X-Rewrite-Enabled
X-Cluster-Name
CDN-RequestCountryCode
X-Rebelmouse-Cache-Control
X-Rebelmouse-Surrogate-Control
CDN-PullZone
X-Fmm-Version
X-Fastly-Cache
X-Micro-Cache
CloudFront-Viewer-Country
CDN-Uid
CDN-RequestId
CDN-EdgeStorageId
CDN-CachedAt
Adler-Geo
X-Servername
X-TX-ID
X-Cache-Bucket
X-Generation-Time
X-LAGOON
CDN-Cache
X-Accel-Expires-Debug
X-Variation
X-VG-TLSProxy
X-Clara-WADP
Is-Eu
X-DPWN-IS-SECURE
Surrogated-Key
X-Envoy-Decorator-Operation
X-Ms-Version
X-Ms-Request-Id
Platform
X-Date
X-WADP-Cache
Fastly-SWR
Fastly-SIE
Country
Time
X-Cache-Config
Backend
X-Varnish-Beresp-Status
X-UA
X-Varnish-Beresp-Grace
X-NGENIX-Cache
X-Varnish-Beresp-Ttl
X-Hash
X-Webstats-RespID
X-Auto-Login
NM-Fastcgi-Cache
X-Li-Pop
X-Bip
X-Backend-State
Country-Code
Origin
Akamai-GRN
L
X-Wikidot-Backend
Rt-Fastcgi-Cache
Wxu-Next-Commit
Wxu-Next-Hostname
Wxu-Next-Region
X-Li-Fabric
Fastly-Drupal-HTML
X-LI-UUID
X-HS-Content-Campaign-Id
C-Via
X-Varnish-Cacheable
X-Up
X-SN
X-Owner
X-OVcl-Cache
X-Core-Mission
X-Cms-Context
X-Fastly-Backend
X-Req
X-Render-Time
X-Wikidot-Static-Cache
X-Core-Value
X-OVcl
X-Esi-Check
X-Minions-Version
X-Microcachable
X-Old-Content-Length
X-Dispatcher-Server
X-CUA
X-Varnish-Ttl
X-Request-Host
X-Clientip
X-Gzip
X-Platform-Server
X-Skip-Cache
X-Slack-Backend
X-Cache-Id
X-Thanos
X-Cache-NGX
X-UPSTREAM-Address
X-Method
Now
X-DefElseHash
X-Eu-Site
X-Developers
X-Edge-Location
We-Hiring
Ufe-Result
X-Amz-Meta-Cb-Modifiedtime
X-Varnish-CookieHashed-On
X-Varnish-Remaining-TTL
X-Cache-Date
X-Level-Front-Cache
PFcat
X-DefHash
X-Reqid
X-Has-Esi
X-VarnishDD-TTL
X-Gamma-Serve
X-Irp-Debug
X-Platform
X-Policy
X-CGP
X-Cache-URL
X-HN
X-Generated-On
X-Varnish-CookieINHashed-On
X-Csrf-Jwt
X-JWT-State
X-Request-Start
X-Content-Age
X-Is-Gdpr
X-Cdn-Srv
X-Cache-Tags
Fastly-Backend-Name
Group
HA-Ipaddr
AKAMAI
L5d-Success-Class
X-CS
Gh-Request-Id
Memcached
Mail-Subject
CacheControlHeader
Ha-Gx-Prefs
X-CACHE-AGE
FSS-Proxy
X-Mvc-Supplant-Cachable
X-Location
X-Geo-Header
X-Proxy-Upstream
X-Aicache-OS
X-Wa
Pagetype
UCS
X-Pinterest-Sli-Response-Type
X-DC
X-Pinterest-Sli-Latency-Threshold
X-Pinterest-Sli-Endpoint-Name
X-Branch-Name
X-Session-Fingerprint
X-Refresh
X-Cache-Debug
X-NODE
X-Via-Popn
X-LB-ID
X-PF-Uncompressing
X-Via-Poph
X-Agile-Age
X-Agile
X-Agile-Id
X-Page-View
X-BC
X-ZONE
X-B3-Traceid
X-B3-Spanid
X-RateLimit-Remaining
HostName
X-GEO
X-Servedbyhost
X-Debug-Cache-Store
X-LI-Proto
SRV
NGX
M-TraceId
X-Debug-Cache-Fetch
X-Ftr-Cache-Host
X-Datadome
X-Mvc-Supplant-OutputCached
X-Ua-Device
Hostname
X-Nginx-Cache
X-Dc
X-Via-CDN
X-Instart-Request-ID
Arc-Country
X-SERVER
X-Cdn-Forward
Xserver
X-Request-Time
Cdn-Host
VivaBuild
X-Edge-Server
X-Check-Cacheable
Cdn-Request-Time
Viewtype
X-Varnish-Hostname
X-SERVER-NAME
X-Via-Ucdn
X-VCL-Version
X-Sql-Count
X-Zone
X-NU-AKA-ACS-Version
X-Sql-Duration-Ms
X-Bc
X-FPC
X-RunCloud-Cache
Srv
X-SRV
Memory
X-COUNTRY
WebServer
X-Cluster-Node
X-Action
X-APP
X-UnsetCookies
X-LiteSpeed-Cache-Control
X-HS-Status
X-CF-Powered-By
X-RPS
X-Cache-Remote
X-RSL
X-Via-Edge
X-FORWARDED-FOR
X-ID
X-Dynatrace-Js-Agent
X-Via-Popv
X-Vgn-Hpd-Ssi
WWW-Authenticate
Edge-Copy-Time
X-DW
X-Via-SSL
X-DI
X-DB
X-RPM
X-DSS
X-Cs
X-NGINX-Cache
SID
X-Www-Served-By
X-Srv
XServer
X-MP-GENERATED-AT
X-LLID
X-ORACLE-APMCS-REQUEST-ID
X-CSRF-TOKEN
GeoIp-Country-Code
On-Server
X-Svr
X-Oss-Cdn-Auth
Geoip-Latitude
NtCoent-Length
ProcessTime
Actual-Object-TTL
X-Vcache
ServedBy
Cache-Hits
X-S-Maxage
X-Geo
X-Presslabs-Stats
X-We-Are-Hiring
Apigw-Requestid
Geo-Info
User-Agent
X-Unique-ID
X-Hit
GeoIP-Latitude
Sid
GeoIP-Country-Code
Server-Info
Processtime
X-Akamai-Request-ID2
W
Amp-Access-Control-Allow-Source-Origin
T-Server
Ohc-File-Size
X-Pass-Why
LB
X-MSEdge-Flight
X-Epic-Correlation-Id
X-MSEdge-Features
X-HOST
CF-IPCountry
N-Cache
Server-Host
X-Envoy-Upstream-Healthchecked-Cluster
Pics-Label
X-Tb
S-Rt
X-FC-Vary-Parameters
X-HITS
X-Varnish-Hits
X-Fpc
WZWS-RAY
Accept-Language
X-Vcl-Version
Cdn
X-Mobile-Rewrite
Magicmarker
X-VC
X-SB
X-Cache-Hm
X-Pjax-Url
X-Cache-Hfrom
Protected
X-Webkit-CSP-Report-Only
X-Nc
CDN
X-Info
Cteonnt-Length
X-Fastly-Country-Code
X-Erf-Stays-Bingo-Pdp-Web
X-Key
A
Esi-Enabled
X-CACHE-KEY
X-Uri
Ohc-Cache-HIT
X-Erf-Bev-Bev
Origin-Edge-Control
Lb
X-Erf-Bev-Bev-Is-Generated
Origin-Cache-Control
X-Newrelic-App-Data
X-Newrelic-Synthetics
X-Amzn-Remapped-Connection
X-Amzn-Remapped-Date
Proxy-Firewall
X-Via-NSCOPI
User-Cache-Control
Tracecode
X-Dispatch
X-TT-LOGID
X-Instart-Info
X-Acc-Rdl
X-StackifyID
Section-Origin-Responded
Section-Io-Id
Section-Io-Origin-Status
Odigeo-Trace-Id
DSUID
X-Li-Proto
Section-Io-Origin-Time-Seconds
X-Provided-By
X-Geo-Region
Ssr
X-B3-SpanId
Powered-By
X-ServedByHost
Cache-Name
X-Dynatrace
X-UA-Device-Type
X-TH-Server
Server-Ttl
Cache-Key
X-Served-From
X-Akamai-Pragma-Client-IP
HitType
X-RAMCache
X-Origin-Date
X-Cache-Tag
Lfy
D-Cc-Upstream
X-GeoIP-City
V-Age
X-Gen-Mode
X-Cc-Via
X-Cc-Req-Id
X-Origin-CC
X-Goog-Meta-Goog-Reserved-File-Mtime
X-Hnp-Log
X-Generated
X-Node-Id
Vix-Hermes-Req-Id
X-Nginx-Cache-Key
X-Matched-Rule
X-Loc
X-Men
X-Nyt-Route
X-Gdpr
X-Developer
Release
Thinkindot-CacheControl-Type
Server-Ext
Server-Hostname
SR-User-Adfree
Sever-Int
Server-ID
Path
MIME-Version
CDCHOST
True-Client-Country-4JS
X-Origin-Expires
FNAC-ModuleRouting
Instruction
Locid
Thinkindot-Control
IsBot
X-Scheme
X-Origin-TTL
X-Cache-ASPX
X-Traceid
X-User
X-Magnolia-Registration
Fastcgi-Cache-TTL
X-Block-Status
X-Thinkindot-L3
BehaviorPad-Version
X-Cache-Expires
X-Varnish-Authentication
X-Via-PopV
X-Via-PopN
X-Via-PopH
X-VServer
X-Lb-Id
X-Varnish-Url
X-Cache-Info
X-SVT-ORM-VERSION
X-SVT-ORM-RULES
X-Response-By
X-Rocket-Build-Number
X-TrackingId
X-Request-URI
X-Contensis-Viewer-Groups
Thinkindot-CacheControl
Web-Mar-Node
X-API-Version
X-SD-PageType
X-Server-IP
X-SIPLIST1
X-BBXSRF
X-SRCache-Key
X-Origin-Time
X-Sigma-Backend
X-BBC-Edge-Cache-Status
X-Sigma
Cache-Provider
X-No-Cache
X-NodeID
X-Sn-Servicetimems
X-ServiceProvider
X-Swa-Ws
X-Trace-Id
X-VC-Cache
X-Var-Ttl
X-RateLimit-Remaining-Second
X-RateLimit-Limit-Second
X-Fetched-On
X-ElasticPress-Query
X-Generated-In
X-Cdn-Origin
X-Parent-Response-Time
X-Device-Os
Pramga
X-Agile-Brick-Ok
X-Azure-Ref-OriginShield
X-Tt-Logid
X-App
Xet-Cookie
X-Batcache
X-LiteSpeed-Tag
CountryCode
X-WA
Cache-Host
Kp-EeAlive
X-Cache-Spec
Tcn
Dnion-Transfer-Encoding
X-Varnish-Beresp-TTL
X-RateLimit-Limit
X-PJAX-URL
X-Pf-Uncompressing
Cf-Alt-Svc
Req-Svc-Chain
Inserted-Into-Cache-At
X-Yottaa-OS
Who
X-HostName
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-Planisys-CDN-Cache
X-Path-Route
X-Selected-Scheme
X-Selected-Name
X-Selected-Host-Header
X-BBC-Origin-Response-Status
Resin-Trace
Cf-Device-Type
X-B3-Parentspanid
X-Apw-Access-Action
X-Apw-Access-Object
X-Vgn-Hpd-Reason
Mime-Version
X-Dw-Trace-Id
X-C
X-MiniProfiler-Ids
Source
X-Snapshot-Date
X-Apw-Hits
PICS-Label
X-Request-URL
X-Proxy-Cachei7
Pragrma
X-Apw-Access-Token
Vha6-Origin