Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
X-Powered-By
Pragma
CF-Cache-Status
Link
ETag
Expect-CT
Via
Age
X-Cache
X-XSS-Protection
CF-RAY
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
X-Xss-Protection
X-Cache-Hits
P3P
X-Amz-Cf-Pop
CF-Ray
Referrer-Policy
X-Amz-Cf-Id
X-UA-Compatible
X-Served-By
X-Request-Id
Alt-Svc
X-Varnish
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-Drupal-Cache
X-Check
X-Adblock-Key
Content-Security-Policy-Report-Only
X-DNS-Prefetch-Control
X-Cacheable
X-Permitted-Cross-Domain-Policies
X-Cache-Status
X-Generator
Timing-Allow-Origin
X-Iinfo
P3p
X-Template
X-Language
X-AspNetMvc-Version
X-Ua-Compatible
Upgrade
Status
X-CDN
X-Content-Security-Policy
Content-Encoding
X-Buckets
Access-Control-Expose-Headers
Access-Control-Max-Age
X-Kinja-Server-Push
X-Via
Keep-Alive
X-Turbo-Charged-By
X-Drupal-Dynamic-Cache
X-Pass-Why
X-Cache-Group
X-Envoy-Upstream-Service-Time
X-AH-Environment
X-Server
X-Ws-Request-Id
X-Backend
X-Age
EagleId
X-Proxy-Cache
Xkey
X-Amz-Id-2
X-Amz-Request-Id
X-Robots-Tag
X-Page-Speed
X-Hacker
X-Pingback
X-Server-Powered-By
Server-Timing
X-Swift-CacheTime
X-Swift-SaveTime
Feature-Policy
Ali-Swift-Global-Savetime
X-Nginx-Cache-Status
Request-Context
X-Varnish-Cache
X-UA-Device
Grace
X-Request-ID
Cf-Railgun
X-Amz-Version-Id
Report-To
X-LiteSpeed-Cache
X-OneAgent-JS-Injection
X-Rq
X-Device
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-Origin-Cache
X-Server-Id
EagleEye-TraceId
X-Host
X-Backend-Server
X-Node
X-Vhost
X-Response-Time
X-Dispatcher
X-Cache-Lookup
X-Ac
X-WebKit-CSP
NEL
X-Readtime
Surrogate-Control
X-Origin-Upstream-Status
Content-Location
X-Ruxit-JS-Agent
Request-Id
X-Application-Context
Fusion-Source
Fusion-Content-Id
Fusion-Component-Id
Fusion-Template-Id
Fusion-Content-Source
X-HW
X-Cnection
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
X-Cloud-Trace-Context
X-Country
X-Mod-Pagespeed
X-Akam-SW-Version
X-DataDome
X-Rack-Cache
Rating
Edge-Control
X-Url
X-Clacks-Overhead
RTSS
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-FTR-Request-ID
X-Instart-Request-ID
X-TtlSet
X-Goog-Hash
X-Vname
X-PC
X-DynaTrace
Allow
X-Country-Code
Content-MD5
Verso
Service-Worker-Allowed
X-GitHub-Request-Id
X-Varnish-TTL
Pinterest-Generated-By
X-Server-Name
X-D2id
X-ESI
X-Cdn-Fetch
X-Exp-Variant
X-Exp-Id
X-GoogleNews-Bot
X-Kinja
X-Kinja-Build
X-Kinja-Revision
X-Use-Magma
X-Kinja-Server
X-Server-ID
X-MS-InvokeApp
X-Vcache
X-Powered-By-Plesk
SPRequestGuid
X-Navigation-Version
X-Cached
X-Abt-Application-Version
Accept-Ch
X-Amz-Server-Side-Encryption
X-Debug
X-Forwarded-Proto
X-Webkit-Csp
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-TEC-API-ROOT
X-Amz-Rid
X-MSEdge-Ref
X-Trace
X-Fastly-Request-ID
Nginx-Cache
Public-Key-Pins
X-Vcap-Request-Id
X-SharePointHealthScore
X-B3-TraceId
X-VARITI-CCR
MS-Author-Via
TCN
Charset
Arr-Disable-Session-Affinity
Accept-Ch-Lifetime
Edge-Cache-Tag
X-Px
X-Cache-TTL
X-Accel-Expires
X-NF-Request-ID
X-Fastcgi-Cache
X-Middleton-Display
Response
Display
Pagespeed
X-Middleton-Response
Realpath
X-Sol
SPRequestDuration
SPIisLatency
X-Content-Type
X-Version
X-Ser
X-Client-IP
AR-PoweredBy
Cache-Tag
AR-Request-ID
AR-ATIME
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-DynaTrace-JS-Agent
Front-End-Https
X-Powered-CMS
Fusion-Deployment-Id
X-Pinterest-Rid
Pinterest-Version
AR-CACHE
Ar-Sid
X-TTL
X-Mrf-Item-Lastmod
MRF-Tech
Mrf-Cache-Status
X-Dns-Prefetch-Control
X-Mrf-Section-Lastmod
X-B3-TraceId-Primal
X-Ttl
X-Id
Access-Control-Request-Method
Accept-CH
X-Jurisdiction
X-Hp-Webp
X-Upstream
X-Grace
NR-ENABLED
X-Forwarded-For
X-Content-Digest
X-T
X-Element-Page-Cache
X-Hits
DynaTrace
X-Amz-Meta-S3cmd-Attrs
S
X-Dw-Request-Base-Id
X-Aspnet-Version
Fastcgi-Cache
Accept-CH-Lifetime
ServerID
X-Amzn-Trace-Id
X-Mobile-URL
X-Node-Name
X-FTR-DC
X-FTR-Backend-Server
X-FTR-Backend
X-FTR-Realm
PB-PID
PB-RID
X-FTR-Cache-Status
X-FTR-Balancer
X-Country-Code-Real
X-Recruiting
X-Ezoic-Cdn
X-Shard
X-Goog-Generation
X-HS-Content-Id
X-Goog-Stored-Content-Length
Server-Node
X-GUploader-UploadID
Arc-Version
X-Goog-Stored-Content-Encoding
X-Goog-Storage-Class
X-HS-Cache-Config
X-Goog-Metageneration
X-HS-Hub-Id
X-Mobile-Rewrite
X-Frontend
Powered
X-FTR-Expires
TP-Cache
TP-L2-Cache
X-Cache-Hit
X-DIS-Request-ID
Fastly-Restarts
X-NWS-LOG-UUID
Upgrade-Insecure-Requests
X-HS-Combine-CSS
X-Shield-Request-Id
X-Logged-In
AMP-Access-Control-Allow-Source-Origin
Alternate-Protocol
X-Varnish-Age
X-Request-Processing-Time
X-Request-Received
Refresh
X-XRDS-LOCATION
X-Correlation-Id
X-Microsite
X-Request-Handler-Origin-Region
X-ATS-Timestamp
X-FTR-Cache-Host
Backend-Timing
MicrosoftSharePointTeamServices
WPE-Backend
Server-Name
X-LB-Cache
X-Page-Id
X-Content-Security-Policy-Report-Only
X-F-Cache
X-Akamai-Edgescape
X-B
X-Rid
X-User-Agent
X-Via-JSL
X-Geo-Country
Cache-Status
X-Zen-Fury
X-N
X-XRDS-Location
X-Content-Options
Host
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-ORACLE-APMCS-REQUEST-ID
X-Origin-Server
X-ORACLE-APMCS-TAG
X-Varnish-Grace
X-Amz-Apigw-Id
Host-Header
X-Revision
X-Kinsta-Cache
X-B3-Sampled
X-Type
X-Content-Powered-By
X-Instance
X-AOL-HN
X-TT
X-ATG-Version
X-Cache-Action
X-FB-Debug
X-Amz-Replication-Status
X-WebKit-CSP-Report-Only
X-Signature
X-Tumblr-User
X-Tumblr-Pixel-0
X-Tumblr-Pixel
X-Git-Hash
X-Debug-Info
Access-Control-Allow-Method
Paypal-Debug-Id
Actual-Object-TTL
X-B-Cache
X-App-Environment
X-Request-Guid
X-Jobs
X-Varnish-Backend
Liferay-Portal
Fastcgi-Useragent
X-Whom
Frame-Options
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Cached-By
Healthy
X-Srv
Section-Io-Cache
X-Hostname
X-Cluster
X-PHP-Backend
X-CST
X-Framework
X-Cache-Key
X-Daa-Tunnel
X-Seen-By
X-Activity-Id
X-Az
X-AppVersion
X-Cache-Rule
X-Erf-Bev-Bev-Is-Generated
X-Erf-Bev-Bev
X-Cache-Operation
X-FireWall-Port
X-WA-Info
X-Mobile
Retry-After
X-Endurance-Cache-Level
Tracecode
X-Cache-Age
X-Contextid
Xserver
X-IPLB-Instance
X-Host-Name
X-Accel-Buffering
NGB
X-Upgrade-Enabled
Source
X-Response-Served-From
Accept-Charset
X-Presslabs-Stats
X-RemovedCookies
X-ProcessESI
Surrogate-Key
X-Cache-NE
DC
X-Region
Srv
Eomportal-Instance
Payment
X-Origin-Response-Time
X-Edge-O15-RID
X-Varnish-Server
X-FW-Serve
X-FW-Static
X-Handled-By
X-FW-Type
X-Varnish-Hostname
X-FW-Server
X-Cacheable-TTL
X-Rendered-As
X-Adobe-Content
X-Is-Bot
X-Adobe-Loc
X-Tumblr-Pixel-1
X-GeoIP
Filters
X-Tumblr-Pixel-2
X-FW-Hash
X-FastCGI-Cache
X-Environment-Context
X-L-Path
Trailer
X-UUID
X-RequestSource
Server-Info
X-Cache-2
X-EdgeConnect-Cache-Status
X-Amzn-Requestid
X-UA-Device-Type
X-B3-Traceid
X-RateLimit-Remaining
X-Backend-Name
Cache-Tv-Group
X-Cache-TTL-Remaining
Nel
From-Origin
X-Time-Microsecs
X-Proxy
X-Wix-Request-Id
X-Cache-Server
MS-CV
X-Oss-Server-Time
X-Oss-Request-Id
X-Oss-Object-Type
X-Oss-Storage-Class
X-Oss-Hash-Crc64ecma
X-APP-VERSION
X-Cache-Enabled
X-Akamai-Transformed
VIX-Pulpo-Upstream-Status
VIX-Pulpo-Node
X-NGENIX-Cache
Version
X-Amzn-RequestId
X-Status
Datacenter
X-IPS-LoggedIn
Filterid
X-Dc
X-SS-Set-Cookie
X-Yottaa-Metrics
X-Unique-Id
X-Yottaa-Optimizations
S-Cnection
X-Pad
X-Cache-Var
X-CCM
X-Cache-Var-Map
X-NewRelic-App-Data
X-Path-Route
Meta-Geo
X-RN-RSRV
X-Mode
X-ES-SERVER
X-Section
X-Forwarded-Host
X-TX-ID
X-Access
X-Format
X-Tb
ServedBy
X-Origin
X-Ua-Device
Decoy-Debug-TTL
Country
X-Redis-Cache
GEO-INFO
Decoy-Debug-Status
Decoy-Debug-Key
X-R9-Blue-Green-Version
X-Akamai-Request-ID
Akamai-GRN
X-PERF
X-Hl-Ver
X-Cache-Status-Check
X-ApacheServer
Cleartype
X-Via-Fastly
X-NYM-Debug-Backend
Cache-Tags
X-ShardId
X-Goog-Meta-Goog-Reserved-File-Mtime
DB-Nickname
Content-Disposition
Cache-Key
X-Say-Cacheable
X-Say-TTL
X-SayCDN-TTL
Origin-Cache-Control
X-Cache-Config
X-BYPASS-REASON
X-ProxyCache-Key
X-Amzn-Remapped-Content-Length
X-Proxy-Cache-Status
X-FC-Vary-Parameters
X-Device-Type
X-Proto
X-Human
X-EIG-Tracking-Id
X-Alternate-Cache-Key
X-Akamai-Request-ID2
X-Debug-Cache
Now
NGX
X-Generated-By
Origin-Edge-Control
OT-Force-Account-Verify
X-ProxyCache-Status
X-Hosted-By
X-Pubstack
X-Request-Time
X-ServerID
X-Sorting-Hat-PodId
X-Vgn-Hpd-Reason
X-Varnish-Hits
X-Shopify-Stage
X-Web-Node
X-Sorting-Hat-ShopId
X-Shopify-Generated-Cart-Token
X-Cache-Remote
X-ShopId
X-Soup
X-Esi
X-Www-Served-By
X-AWS-Id
X-Timing-Wait
X-TNCMS
X-BCube-Filmed-By
S-Rt
Mn-Server-Ip
X-FB-TRIP-ID
X-Locale
X-JoinUs
X-Loop
X-MP-GENERATED-AT
X-NCache
X-IP
X-Generated
X-Proxy-Build
X-Detected-As
X-SaId
X-Viewer-Country
X-PressLabs-Stats
Selected-Fe
X-LJ-Flow-ID
X-Cache-Time
Azure-InstanceId
Azure-Version
Azure-SlotName
Azure-RegionName
Azure-SiteName
Ec-Rule-Version
X-VWS-Id
X-FW-Dynamic
X-Site-Version
Cross-Origin-Window-Policy
TWC-Locale-Group
Node
Webcakes-App-Name
X-Content-Age
Property-Id
Webcakes-Region
TWC-Device-Class
Webcakes-App-Version
TWC-GeoIP-Country
X-Cache-Control
X-Origin-Hint
TWC-Connection-Speed
TWC-Privacy
TWC-GeoIP-LatLong
Webserver
X-Xfnlog-Site
X-TIME
X-Routing-Service
Access-Control-Request-Headers
X-HTML-Minification-Powered-By
X-RCS-CacheZone
X-Zipkin-Id
X-App-Server
X-Proxied
FilterID
X-Real-IP
X-Geo
X-Drupal-Cache-Tags
Cache-Hits
X-Time
X-EC-Lua
X-Uri
Accept-Language
Section-Io-Origin-Time-Seconds
Section-Io-Id
Section-Origin-Responded
Section-Io-Origin-Status
X-CACHE-KEY
X-Microcachable
X-No-Session
X-Varnish-Ttl
X-PCL
X-Varnish-Cache-Hits
X-OCL
X-Qloud-Router
X-Source
X-Adobe-Source
Cf-Ipcountry
Odigeo-Trace-Id
X-UA
X-Rule
Ms-Operation-Id
X-RTag
X-NWS-UUID-VERIFY
X-Hyper-Cache
User-Agent
X-Azure-Ref
Time
X-From
X-Load-Cache
X-Storage
X-PHP-Host
X-Info
X-Labrador-Cache-Channel
Proxy-Connection
X-RateLimit-Limit
X-Backend-TTL
X-Cluster-Node
X-Nginx-Cache
Powered-By-ChinaCache
X-TA-CDN-Provider
X-Cache-NGX
X-Nc
X-UnsetCookies
X-Newrelic-Synthetics
X-Magnolia-Registration
X-Request-URI
X-Trv-Group
X-VG-WebServer
Apple-News-Services-Handled
X-Transaction
X-Session-Fingerprint
X-SRCache-Key
Apple-News-Services-Parsed-Url
X-Twitter-Response-Tags
X-Vdms-Version
X-VG-TLSProxy
X-Old-Content-Length
X-Region-Sid
X-ScT
X-VG-WebCache
X-Edge-Location
Content-Style-Type
Fastcgi-X-Cache-Version
X-Request-UUID
X-Rewrite-Enabled
Apple-News-Services-Request-Url
X-Processor
X-PAYTM-SRV-ID
Arc-Country
X-Drupal-Cache-Contexts
X-Rojux
Content-Script-Type
A
X-S
Apple-News-Services-Host
AsisCache
BehaviorPad-Version
X-S-Cookie
X-GeoIP-Country-Code
X-A-Ccd
X-A
VivaBuild
Viewtype
X-A-Dam
X-A-Dcw
X-Accel-Expires-Debug
X-A-Wwc
X-A-Dgt
True-Client-Country-4JS
T-Server
Meta-Geo-Continent
Machine
MD5-Digest
Mobile-Detection-Method
Rendered-Blocks
Xc-Version
Request-EU
Request-Country
X-Aed
X-Application
X-G
X-External-Request-Id
X-DPWN-IS-SECURE
GEO-REGION-INFO
X-ND-Cache
X-Vtex-Remote-Cache
X-OVcl-Cache
X-OVcl
X-Developer
X-Destination
X-Cdn-Srv
X-B-Cookie
X-ARC
X-CF-Lambda-Fn
X-CF-Lambda-Version
X-Date
X-D
X-Connection-Hash
X-Vtex-Processado-Em
Rt-Fastcgi-Cache
X-GoCache-CacheStatus
X-Varnish-Beresp-Status
X-Ah-Environment
X-Varnish-Beresp-Grace
Mime-Version
Geo-Info
X-Cluster-Name
X-Backend-State
ServerName
X-CF-Powered-By
X-Agile-Id
X-C
X-Cache-Expired-At
X-Core-Value
X-CGP
X-Cdn-Origin
X-Cache-Grace
X-Agile-Age
X-Agile
PFcat
Locid
L5d-Success-Class
HA-Ipaddr
Server-Host
Thinkindot-CacheControl
W
Viewport
Thinkindot-Control
Thinkindot-CacheControl-Type
X-Wikidot-Backend
X-Developers
X-Rocket-Nginx-Bypass
X-Thinkindot-L3
X-Rocket-Build-Number
X-Trafficlayer-App-Name
X-Trafficlayer-App-Scope
X-Served-From
X-Sn-Servicetimems
X-Sigma-Backend
X-Sigma
X-ServiceProvider
X-Service
X-Trafficlayer-App-Version
X-Reboot
X-Geo-Header
X-Generated-On
X-Eu-Site
X-Distil-CS
X-GeoIP-City
X-IN-APIGATEWAY
X-TT-TIMESTAMP
X-Matched-Rule
X-Level-Front-Cache
X-IN-APIGATEWAYSSL
Ha-Gx-Prefs
X-Wikidot-Static-Cache
Cache-Name
HitType
CDCHOST
Uber-Trace-Id
X-Epic-Correlation-Id
X-Fastly-Cache
X-Fetched-On
X-Distributor
X-Dispatch
X-Dispatcher-Server
X-VC-Cache
X-VServer
X-Varnish-Authentication
X-Varnish-Beresp-Ttl
X-Variation
X-Has-Esi
X-Generation-Time
X-Generated-In
X-DevSite-Last-Modified
X-Gamma-Serve
X-Gen-Mode
X-FW-Version
X-We-Are-Hiring
X-Contensis-Viewer-Groups
Cache-Host
X-CS
X-Cms-Context
X-Clientip
X-Cache-Info
X-Cache-Tags
X-Clara-WADP
X-CUA
X-Webstats-RespID
X-Debug-Log
X-Hash
X-WADP-Cache
Group
X-Debug-Cache-Store
X-WebServer
X-Debug-Cache-Expiry
X-Debug-Cache-Fetch
X-Device-Os
X-Hnp-Log
X-Platform-Server
X-Proxy-Upstream
X-RateLimit-Limit-Second
X-Owner
X-Tumblr-Pixel-3
X-NX-Host
X-Origin-Date
X-Origin-Expires
X-RateLimit-Remaining-Second
X-Rebelmouse-Cache-Control
X-Swa-Ws
X-Servername
X-Slack-Backend
X-Thanos
X-Trace-Id
X-Rebelmouse-Surrogate-Control
X-Request-Host
X-TrackingId
X-NodeID
X-Ms-Version
X-Irp-Debug
X-Is-Gdpr
X-JWT-State
X-Instart-Isnd
Adler-Geo
X-Hit
X-Cache-FS-Status
AKAMAI
X-Urbn-Site-Id
X-LAGOON
X-Logging-Id
X-Micro-Cache
X-Ms-Request-Id
X-Urbn-Context-Path
X-LI-UUID
X-Li-Fabric
X-Li-Pop
X-LI-Proto
X-Var-Ttl
X-Debug-Cookies
User-Cache-Control
V-Age
Fastly-SIE
Server-Surrogate-Control
Server-ID
Fastly-Drupal-HTML
We-Hiring
Countrycode
Environment
X-App-Name
Web-Mar-Node
Server-Cache-Control
X-Varnish-Cacheable
Kp-EeAlive
Locale
Is-Eu
Heartbleed
Gh-Request-Id
Mail-Subject
Memcached
Pramga
Platform
On-Server
N-Cache
Country-Code
Fastly-SWR
X-BBXSRF
X-Auto-Login
X-Bip
X-Skip-Cache
X-Cache-ASPX
X-Block-Status
X-Cache-Bucket
X-NC
Hostname
Cloudfront-Viewer-Country
X-Core-Mission
X-SIPLIST1
X-Lb-Id
IsBot
X-Cache-URL
RNT-Machine
X-Nginx-Cache-Key
X-Server-W
X-Bc-Bl
RNT-Time
X-Sucuri-ID
X-S-Maxage
X-Node-Id
X-VHOST
X-Response-By
X-Req
X-RESPONSE-TIME
Wxu-Next-Hostname
Wxu-Next-Commit
FNAC-ModuleRouting
Wxu-Next-Region
X-Backend-Host
Cache-Cookie-Set-Lfrom
X-Ratelimit-Remaining
Cache-Cookie-Set-From
X-Refresh
X-Parent-Response-Time
X-Origin-CC
X-CLOUD-TRACE-CONTEXT
X-BACKEND-TTL
Cache-Cookie-Set-Idcheck
X-Origin-TTL
X-Fmm-Version
X-Up
X-App-Version
X-B3-Spanid
X-VCT
X-Cdn-Forward
X-CSRF-Token
X-VCache
X-Scheme
X-Pjax-Url
Fastly-Backend-Name
X-Server-Time
Cache
X-CDN-Forward
Cdn-Request-Time
X-Edge-Server
X-Varnish-URL
Cdn-Host
Pragrma
X-MSEdge-Features
X-MSEdge-Flight
X-TT-LOGID
X-FPC
X-SN
SD-X-WS
X-Instart-Info
X-Correlation-ID
PICS-Label
Origin
X-APP
Geoip-Latitude
Proxy-Firewall
X-Cache-Host
X-AK-Request-ID
Cdnsip
Geoip-City
Cdncip
Ohc-File-Size
X-MCACHE
X-CSRF-TOKEN
X-Edge
X-SVT-ORM-RULES
X-Wa
X-Cache-PHP
X-SVT-ORM-VERSION
Request-Time
GeoIp-Country-Code
M-TraceId
CACHE
Vix-Hermes-Req-Id
X-Air-Hostname
X-NU-AKA-ACS-Version
X-Vcl-Version
X-ECACHE
TTL
NtCoent-Length
NM-Fastcgi-Cache
X-Vdms-Path
Cdn
X-Ua
X-Wix-Viewer-Type
X-HS-Status
X-URL
X-Pf-Uncompressing
X-Cache-Debug
X-Myra-Origin2
RequestId
Resin-Trace
X-Ratelimit-Limit
Ohc-Cache-HIT
CF-Cached-On
X-Be
X-Mid
Sever-Int
Memory
Server-Hostname
X-Zone
Server-Ext
X-Bc
X-ServedByHost
X-TH-Server
Pagetype
X-Cache-Metadata
Tcn
X-Method
Magicmarker
Cteonnt-Length
IBM-Web2-Location
X-ECache
SRV
X-Dynatrace-Js-Agent
HostName
X-Oneagent-Js-Injection
X-Servedbyhost
Release
X-Worker
X-FORWARDED-FOR
X-GEO
Server-Int
X-Via-PopV
X-Ocache
X-Via-PopH
Load-Balancing
X-ZONE
Dnion-Transfer-Encoding
X-BC
X-DC
X-Unique-ID
X-NGINX-Cache
X-Swift-Error
X-Newrelic-App-Data
XServer
X-Protected-By
Lb
X-Referer
X-Envoy-Upstream-Healthchecked-Cluster
Powered-By
X-Branch-Name
X-Tb-Optimization-Total-Bytes-Saved
Dt-Cache-Category
X-Azure-Ref-OriginShield
X-Request-Start
X-Tec-Api-Root
X-Tec-Api-Origin
X-VCL-Version
X-Esi-Check
X-Cache-Id
Ttl
X-Tec-Api-Version
Fastly-Soc-X-Request-Id
X-SRV
X-Configured-By
X-AIR-PT
X-Policy
X-Ruxit-Js-Agent
Esi-Enabled
X-WA
X-B3-SpanId
X-Gzip
X-Datadome
X-Node-ID
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-Planisys-CDN-Cache
X-Fastly-Country-Code
GeoIP-Country-Code
X-Action
X-COUNTRY
Pics-Label
Fastly-SSL
GeoIP-City
X-DSS
X-RPM
GeoIP-Latitude
X-Flog
X-RPS
X-RSL
X-DW
X-Hello
X-ABtesting
X-Reqid
X-DI
X-DB
X-C-Zone
MIME-Version
X-C-Key
Who
X-Via-Ucdn
Host-ID
X-Fpc
X-VarnishDD-TTL
X-HostName
X-Cache-Backend
X-SERVER-NAME
X-Via-CDN
ProcessTime
X-PF-Uncompressing
X-Svr
X-Render-Time
X-Powered-Y
LB
Amp-Access-Control-Allow-Source-Origin
X-PJAX-URL
X-Amzn-Remapped-Connection
Lfy
X-Amzn-Remapped-Date
UCS
X-Fastly-Backend-Reqs
X-Country-IP
X-Varnish-Url
X-UPSTREAM-Address
X-User
X-Fastly-Request-Id
Product
X-MID
FSS-Proxy
Sid
X-SD-PageType
X-Beluga-Node
X-Beluga-Cache-Status
FSS-Cache
X-Beluga-Response-Time
X-Beluga-Record
X-Key
X-Varnish-Beresp-TTL
X-Beluga-Trace
X-Beluga-Status
X-Sucuri-Cache
X-Flow-Id
X-WPE-Loopback-Upstream-Addr
X-Page-Impression-Id
X-Internal-Host
Xet-Cookie
X-B3-Parentspanid
SN
X-Zalando-Child-Request-Id
X-LiteSpeed-Cache-Control
Requestid
X-BE
X-Agile-Brick-Ok
X-RAMCache
CF-IPCountry
X-Pinterest-Direct
X-Aicache-OS
X-Apw-Hits
X-Apw-Access-Token
X-Apw-Access-Object
X-Apw-Access-Action
X-Request-Url
X-Server-IP
X-Location
WebServer
CDN
X-Debug-Controller
X-Debug-Revision
L
X-Compress-Hint
WZWS-RAY
X-Check-Cacheable
X-Tid
Servername
X-Sucuri-Id
X-Litespeed-Cache-Control
X-MiniProfiler-Ids
X-LB-ID
X-App
X-Fastly-Cache-Hits
X-Nananana
X-Dw-Trace-Id
X-Request-URL
Cneonction
DataCenter
X-ElasticPress-Search
CloudFront-Viewer-Country