Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Cf-Request-Id
CF-Cache-Status
Accept-Ranges
Link
CF-RAY
ETag
Pragma
Expect-CT
X-Powered-By
X-XSS-Protection
Via
X-Cache
Age
Content-Security-Policy
Access-Control-Allow-Origin
Report-To
NEL
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
Alt-Svc
X-UA-Compatible
P3P
X-Served-By
X-Xss-Protection
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
X-Request-Id
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
X-Cache-Status
X-Generator
X-Cacheable
X-Check
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
Feature-Policy
X-Iinfo
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
P3p
Status
X-CONTENT-TYPE-OPTIONS
Access-Control-Expose-Headers
X-Drupal-Dynamic-Cache
X-AspNetMvc-Version
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
CF-Ray
X-Ws-Request-Id
Access-Control-Max-Age
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Backend
EagleId
Keep-Alive
Request-Context
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
X-UA-Device
Host-Header
X-Proxy-Cache
X-Amz-Request-Id
X-Amz-Id-2
X-Hacker
X-Dns-Prefetch-Control
Grace
X-Rq
X-Swift-SaveTime
X-Swift-CacheTime
X-Server-Powered-By
X-Varnish-Cache
Ali-Swift-Global-Savetime
X-Vhost
X-Ua-Compatible
CONTENT-SECURITY-POLICY
X-Amz-Version-Id
X-LiteSpeed-Cache
X-Dispatcher
X-Akamai-Path-Stats
EagleEye-TraceId
X-WebKit-CSP
X-Nginx-Cache-Status
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-OneAgent-JS-Injection
X-Cache-Spec
X-Device
Cf-Railgun
X-Page-Speed
Allow
X-Host
X-Node
X-Pingback
X-Server-Id
X-Aws-Lambda-Call-Status
X-CST
Surrogate-Control
X-Backend-Server
Request-Id
Accept-CH
X-Akam-SW-Version
X-Readtime
X-HW
X-Cache-Lookup
X-Response-Time
X-Application-Context
Xkey
Content-Location
X-ASPNET-VERSION
Accept-CH-Lifetime
X-Cloud-Trace-Context
Rating
X-Trace
Cf-Edge-Cache
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Url
Accept-Ch-Lifetime
X-Country
Fastly-Restarts
X-Ruxit-JS-Agent
X-Mod-Pagespeed
X-Vname
X-PC
X-TtlSet
X-MS-InvokeApp
X-Rack-Cache
X-Server-Name
X-Varnish-TTL
X-Clacks-Overhead
Edge-Control
RTSS
X-Content-Type
X-ESI
X-VARITI-CCR
X-B3-TraceId
Accept-Ch
X-Vcap-Request-Id
Cache-Tag
X-Px
X-Kinja-Revision
X-Cdn-Fetch
X-Kinja-Server
X-Use-Magma
X-Kinja-Build
X-Kinja
X-Exp-Variant
X-Exp-Id
X-GoogleNews-Bot
X-Amz-Rid
X-Ac
X-Cnection
X-Dw-Request-Base-Id
Public-Key-Pins
X-Element-Page-Cache
X-Amz-Server-Side-Encryption
X-D2id
Verso
X-Navigation-Version
X-Cache-TTL
X-RateLimit-Remaining
X-Abt-Application-Version
X-Client-IP
X-Powered-By-Plesk
Service-Worker-Allowed
X-FastCGI-Cache
X-Sol
Pagespeed
X-Middleton-Display
X-Ser
Display
X-Version
X-GitHub-Request-Id
X-Country-Code
Arr-Disable-Session-Affinity
X-Edge
X-TTL
X-Middleton-Response
Response
X-NF-Request-ID
Access-Control-Request-Method
X-Goog-Hash
X-Ruxit-Js-Agent
X-Correlation-Id
AR-ATIME
X-Upstream
AR-SID
AR-Request-ID
AR-PoweredBy
X-Kinsta-Cache
AR-CACHE
X-Webkit-Csp
X-Edge-Location-Klb
SPIisLatency
SPRequestDuration
X-Cached
X-LLID
X-NWS-LOG-UUID
X-Server-Lifecycle-Phase
X-Kraken-Loop-Name
X-Instrumentation
Nginx-Cache
X-Litespeed-Cache
X-Powered-CMS
Edge-Cache-Tag
X-RateLimit-Limit
MS-Author-Via
X-Cache-Key
X-Ttl
X-SharePointHealthScore
X-Forwarded-For
SPRequestGuid
MRF-Tech
Mrf-Cache-Status
X-MSEdge-Ref
TCN
Content-MD5
X-B3-TraceId-Primal
X-Shield-Request-Id
X-Id
X-T
X-Content-Security-Policy-Report-Only
X-Daa-Tunnel
X-Recruiting
S
X-Mg-S
X-Ua-Device
X-Content-Digest
X-TEC-API-ROOT
X-TEC-API-ORIGIN
X-TEC-API-VERSION
X-Protected-By
X-Jurisdiction
X-HP-Trace-Id
X-HP-Webp
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-HS-Cache-Config
X-HS-Hub-Id
X-HS-Content-Id
X-Ezoic-Cdn
X-Ua-Browser
MicrosoftSharePointTeamServices
X-Content
X-Ab
X-Yandex-Sdch-Disable
X-Request-Processing-Time
X-Request-Received
X-HS-Combine-CSS
X-Frontend
Front-End-Https
Server-Node
Filters
X-Grace
X-Accel-Expires
X-Server-ID
X-DataDome
X-ECACHE
X-ORACLE-DMS-ECID
X-ORACLE-DMS-RID
Fastcgi-Cache
X-Mid
X-Geo-Country
X-Hits
X-PressLabs-Stats
X-Origin-Server
X-Pinterest-Rid
Pinterest-Version
Pinterest-Generated-By
TP-L2-Cache
TP-Cache
X-Ratelimit-Reset
X-Distributor
X-Debug-Info
X-Amzn-Trace-Id
X-Tt-Trace-Tag
X-Tt-Trace-Host
Cleartype
Charset
X-Page-Id
Host
X-F-Cache
X-DIS-Request-ID
X-Git-Hash
X-DynaTrace
X-B3-Sampled
X-Www-Served-By
Cross-Origin-Opener-Policy
X-LB-Cache
X-Forwarded-Proto
ServerID
Cache-Tags
X-Cache-Age
Access-Control-Allow-Method
X-Seen-By
X-Aspnetmvc-Version
X-Request-Handler-Origin-Region
X-Microsite
X-Kong-Upstream-Latency
X-MCACHE
X-Kong-Proxy-Latency
X-Language
X-Cluster-Name
X-Activity-Id
X-AppVersion
X-Az
Server-Name
X-Varnish-Age
Realpath
Accept-Charset
X-WebKit-CSP-Report-Only
Cache-Status
X-Rid
Filterid
X-Type
X-Content-Options
X-Mobile-URL
X-App-Environment
X-XRDS-LOCATION
X-Upgrade-Enabled
X-Oracle-Dms-Ecid
X-Origin-Cache
X-User-Agent
X-FB-Debug
X-Via-JSL
X-Varnish-Grace
Country
X-Oracle-Dms-Rid
Viewport
Node
X-Wix-Request-Id
X-Tb
X-B-Cache
X-Signature
X-Flags
X-Aspnet-Duration-Ms
X-Whom
X-Route-Name
X-Drupal-Cache-Tags
Paypal-Debug-Id
X-Is-Crawler
DC
X-Providence-Cookie
X-Request-Guid
X-Nginx-Upstream-Cache-Status
Protected
X-TT
X-NWS-UUID-VERIFY
X-Goog-Stored-Content-Length
X-GUploader-UploadID
X-Goog-Metageneration
X-VCache
X-Goog-Generation
X-Goog-Storage-Class
X-Goog-Stored-Content-Encoding
Retry-After
Fastcgi-Useragent
X-Varnish-Backend
X-Fastly-Request-Id
X-Fastly-Request-ID
X-Contextid
X-Cache-NGX
X-Fastcgi-Cache
X-B
X-Amz-Replication-Status
Payment
X-Debug
X-Template
X-Logged-In
X-N
X-FW-Server
WPO-Cache-Message
X-FW-Hash
X-FW-Dynamic
WPO-Cache-Status
X-FW-Type
X-FW-Serve
X-FW-Static
X-Load-Cache
Surrogate-Key
X-Cache-Control
X-Node-Name
X-Parallel-Accel
X-XRDS-Location
X-Erf-Bev-Bev-Is-Generated
Amp-Access-Control-Allow-Source-Origin
X-Erf-Bev-Bev
X-Browser-Type
SD-X-WS
X-Original-Request-Id
Count-Hit
X-Response-Served-From
X-Hostname
X-Trace-Id
Akamai-GRN
X-Proxy
Refresh
Healthy
X-Revision
X-UUID
X-Rendered-As
X-Real-IP
X-Cache-Time
X-Zen-Fury
X-Jobs
X-Akamai-Request-ID2
X-Is-Bot
X-G
X-Mobile
X-Amz-Meta-S3cmd-Attrs
X-Http-Reason
X-Cache-TTL-Remaining
X-Page-View
Uber-Trace-Id
X-Framework
X-Cacheable-TTL
X-Debug-IsPreview
X-Drupal-Cache-Contexts
Content-Disposition
X-Proxy-Cache-Status
X-Device-Type
VIX-Pulpo-Node
Alternate-Protocol
X-Instance
X-Debug-IsConnected
VIX-Pulpo-Upstream-Status
NGB
X-Cache-Rule
X-Adobe-Content
Access-Control-Request-Headers
X-Adobe-Loc
X-Yottaa-Optimizations
X-Yottaa-Metrics
From-Origin
X-IPLB-Instance
X-Vgn-Hpd-Reason
Url
X-Source
X-Servername
X-B3-Traceid
Version
X-Cache-Grace
X-Cache-Expired-At
X-Oneagent-Js-Injection
X-Cache-Hit
Permissions-Policy
Accept-Language
X-Varnish-Server
X-Mcache
X-Environment-Context
X-L-Path
Referer-Policy
X-Mg-Request-UUID
X-Ratelimit-Remaining
X-EdgeConnect-Cache-Status
X-FW-Version
Countrycode
X-App-Server
X-Restarts
X-RTag
Ms-Operation-Id
MS-CV
X-Cache-Action
X-NGENIX-Cache
Cross-Origin-Window-Policy
X-ECache
X-Tumblr-Pixel-1
X-Tumblr-Pixel-0
X-Tumblr-User
X-Tumblr-Pixel
X-IPS-LoggedIn
Backend
X-COUNTRY
X-NYM-Debug-Backend
Liferay-Portal
X-ProcessESI
X-RemovedCookies
CF-IPCountry
X-Hyper-Cache
X-Nginx-Cache
Content-Secure-Policy
X-HTML-Minification-Powered-By
Frame-Options
X-Datadome
X-Rule
Upgrade-Insecure-Requests
Section-Io-Cache
X-RN-RSRV
X-Redis-Cache
WP-Super-Cache
X-Cache-Server
Meta-Geo
X-UPSTREAM-Address
Ec-Rule-Version
X-No-Session
X-PCL
X-Ua
X-OCL
Cache-Tv-Group
X-FB-TRIP-ID
X-Detected-As
X-Content-Age
X-Generation-Time
X-Cache-Enabled
Azure-RegionName
Azure-InstanceId
X-Section
X-Urbn-Site-Id
Apigw-Requestid
X-Region
X-Origin-Date
X-Sql-Count
X-Say-Cacheable
X-Server-W
X-SayCDN-TTL
X-Say-TTL
X-Request-Time
X-Site-Version
X-UA-Device-Type
X-Sql-Duration-Ms
Azure-SiteName
X-PHP-Backend
X-Urbn-Context-Path
X-Varnish-Cache-Hits
Webcakes-App-Name
TWC-Privacy
TWC-Device-Class
TWC-Connection-Speed
Property-Id
TWC-Locale-Group
X-Human
X-Cluster-Node
TWC-GeoIP-Country
X-Generated-By
TWC-GeoIP-LatLong
X-Hosted-By
X-Akamai-Edgescape
S-Rt
X-AOL-HN
X-Format
X-Origin-Hint
Azure-Version
Azure-SlotName
Locale
X-Via-Fastly
Webcakes-App-Version
Mn-Server-Ip
Webcakes-Region
X-Access
X-Web-Node
X-Uri
X-Be
X-Mode
X-TT-LOGID
CDN-EdgeStorageId
CDN-PullZone
CDN-RequestCountryCode
CDN-CachedAt
CDN-Cache
X-Nginx-Cache-Key
X-Forwarded-Host
X-Debug-Cache
CDN-RequestId
CDN-Uid
Eomportal-Instance
Fastly-SSL
Webserver
X-BYPASS-REASON
X-Cache-Host
X-Content-Powered-By
X-Cache-Type
X-Cache-Tags
X-Unique-Id
X-Platform-Server
X-Storage
X-Xfnlog-Site
X-PERF
X-Status
X-Webkit-CSP
X-ProxyCache-Key
X-ApacheServer
X-ProxyCache-Status
X-Tid
X-Zipkin-Id
X-Alternate-Cache-Key
X-Backend-Name
X-Varnishpool
X-Sorting-Hat-PodId
X-SaId
X-Routing-Service
X-Hl-Ver
X-JoinUs
X-ServerID
X-ShardId
X-Proxied
X-Shopify-Stage
X-ShopId
X-Sorting-Hat-ShopId
X-Extlb
X-Accel-Buffering
X-Adobe-Source
X-Cache-Operation
X-Timing-Wait
X-Handled-By
X-Proxy-Build
Selected-Fe
ServedBy
X-Cache-Remote
X-Locale
X-Labrador-Cache-Channel
X-Ratelimit-Limit
X-PHP-Host
X-GG-Cache-Date
X-NewRelic-App-Data
X-Rewrite-Enabled
X-APP-VERSION
X-Dc
X-LSADC-Cache
X-VWS-Id
X-LJ-Flow-ID
SID
X-AWS-Id
Xserver
X-VC-Cache
X-App-Version
X-Soup
X-Buckets
SRV
X-Cached-By
X-Pubstack
Fastly-Drupal-Html
Mime-Version
Web-Mar-Node
X-Edge-Location
X-CDN-Forward
X-Proto
Country-Code
X-Cdn
X-Storefront-Renderer-Rendered
X-Request-Host
LB
X-Reqid
X-GEO
X-Microcachable
Onion-Location
X-TA-CDN-Provider
Decoy-Debug-Status
Decoy-Debug-Key
Decoy-Debug-TTL
X-Cms-Context
X-Origin-TTL
X-Varnish-Hostname
Server-Info
X-Origin-CC
X-Ms-Version
X-Ms-Request-Id
Xet-Cookie
Cache-Hits
X-Tumblr-Pixel-3
X-NCache
X-MP-GENERATED-AT
X-Tumblr-Pixel-2
X-Cluster
X-CSRF-Token
X-GeoCode
Load-Balancing
X-B3-SpanId
X-GeoCountry
X-SRV
X-Bc-Bl
X-Varnish-Hits
DynaTrace
X-Air-Hostname
X-Air-Source
X-Air-Trace-Id
X-Midtier
X-Amzn-RequestId
X-Amz-Apigw-Id
X-Varnish-Beresp-Grace
X-R9-Blue-Green-Version
Cache-Name
X-Origin-Response-Time
X-Envoy-Decorator-Operation
X-RCS-CacheZone
X-Azure-Ref
X-Endurance-Cache-Level
Mobile-Detection-Method
BehaviorPad-Version
Meta-Geo-Continent
NM-Fastcgi-Cache
Rendered-Blocks
Cdncip
Sslversion
Odigeo-Trace-Id
Pramga
Cdnsip
DB-Nickname
DCR-Decision-By
Fastcgi-X-Cache-Version
DCR-Processing-Time-Ms
Host-ID
Cmstype
Expiry
Cmsid
Lang
A
X-Epic-Correlation-Id
X-Processor
X-PBS-Appsvrname
X-Rojux
X-S
X-ScT
X-S-Cookie
X-PAYTM-SRV-ID
X-Orig-Expires
X-Hash
X-Gzip
X-HS-Content-Campaign-Id
X-Ig-Push-State
X-NAPM-TraceId
X-Men
X-SD-PageType
X-Session-Fingerprint
X-VG-WebCache
X-Vdms-Version
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
Xc-Version
X-Webstats-RespID
X-Vdms-Path
X-User
X-SRCache-Key
X-Shop-Environment
X-Tenant
X-TIM-N
X-TrackingId
X-Geo-Header
X-Ftr-Request-Id
X-AK-Request-ID
X-Aed
X-Application
X-B-Cookie
X-Cache-Id
X-Cache-Bucket
X-A-Wwc
X-A-Dgt
X-A
T-Server
X-A-Ccd
X-A-Dam
X-A-Dcw
X-Cache-NE
X-Cdn-Srv
X-Ec-GeoHdr
X-Ec-Fail
X-Esi-Check
X-External-Request-Id
X-From
X-Forwarded-Path
X-Developer
X-Destination
X-CF-Lambda-Version
X-CF-Lambda-Fn
X-Conf
X-Connection-Hash
X-D
Surrogated-Key
X-ARC
X-Magnolia-Registration
X-Via-NSCOPI
X-Fmm-Version
X-Gdpr
X-Fetched-On
X-Fastly-Cache
X-DPWN-IS-SECURE
X-Gen-Mode
X-Device-Os
X-Has-Esi
X-LAGOON
X-Location
X-JWT-State
X-Is-Gdpr
X-Hnp-Log
X-Irp-Debug
X-DefHash
X-DefElseHash
User-Cache-Control
We-Hiring
Web-Mar-Region
State
Server-Host
Platform
Producers
X-Amzn-Remapped-Content-Length
X-Block-Status
X-Core-Mission
X-Core-Value
X-Clara-WADP
X-Ckpd-Fst-Backend
X-Cache-Backend
X-Cache-Info
X-Loop
X-Mvc-Supplant-Cachable
X-Variation
X-Varnish-CookieHashed-On
X-Varnish-CookieINHashed-On
X-V-Cache
X-TNCMS
X-SVT-ORM-RULES
X-SVT-ORM-VERSION
X-Varnish-Remaining-TTL
X-WADP-Cache
Wxu-Next-Region
X-Developers
Wxu-Next-Hostname
Wxu-Next-Commit
X-Wix-Viewer-Type
X-Worker
X-Slack-Backend
X-Sigma-Backend
X-Origin-Expires
X-Origin-Time
X-Origin
X-Old-Content-Length
X-NodeID
X-Nyt-Route
X-Planisys-CDN-Cache
X-Planisys-CDN-Rules
X-Server-IP
X-Sigma
X-Scheme
X-SB
X-Planisys-CDN-TTL
X-Rocket-Build-Number
X-Node-Id
X-GeoIP
Fastly-GeoIP-CountryCode
Is-Eu
Machine
Environment
Memcached
Adler-Geo
AKAMAI
Mail-Subject
X-Tx-Id
CDN
Source
X-Cdn-Origin
X-VarnishDD-TTL
X-Cache-Date
HA-Ipaddr
X-Gamma-Serve
Gh-Request-Id
X-Rebelmouse-Cache-Control
Ha-Gx-Prefs
X-CGP
X-Thinkindot-L3
X-VG-TLSProxy
X-VServer
X-Proxy-Cache-Info
X-GeoIP-City
X-Rocket-Nginx-Serving-Static
Apple-News-Services-Handled
X-Proxy-Upstream
X-BBC-Edge-Cache-Status
X-Sn-Servicetimems
X-Qloud-Router
X-Branch-Name
X-Generated-On
X-Viewer-Country
X-Rebelmouse-Surrogate-Control
X-Response-By
X-Request-URI
X-DW
X-DSS
X-RSL
X-RPS
Fastcgi-Cache-TTL
HostName
X-RPM
X-Eu-Site
X-DI
Fastly-SIE
X-Datadog-Parent-Id
X-Forwarded-Site
X-Csrf-Jwt
X-Skip-Cache
X-Datadog-Sampling-Priority
X-Datadog-Trace-Id
X-Served-From
Fastly-SWR
X-Region-Sid
X-DB
Apple-News-Services-Host
X-Auto-Login
Cache
Svr
X-Level-Front-Cache
Ssr
Origin-CC
Arc-Country
TDXMobile
X-Time
Thinkindot-Control
Apple-News-Services-Parsed-Url
Thinkindot-CacheControl
CDCHOST
N-Cache
Origin
X-Minions-Version
PFcat
Origin-EX
CloudFront-Viewer-Country
Redirect-Candidate
X-Loc
Req-Svc-Chain
Cluster
Release
Traceparent
Thinkindot-CacheControl-Type
X-HN
X-Pool
L5d-Success-Class
X-Pod-Name
X-Httpd
X-Aicache-OS
X-Ec-Custom-Error
Locid
L
Vix-Hermes-Req-Id
X-Policy
X-Platform
V-Age
Kp-EeAlive
Apple-News-Services-Request-Url
X-TraceId
X-Tec-Api-Version
X-CS
X-Tec-Api-Origin
X-Tec-Api-Root
DSUID
AMP-Access-Control-Allow-Source-Origin
X-EC-Lua
NGX
MD5-Digest
X-RateLimit-Remaining-Second
X-RateLimit-Limit-Second
X-Date
X-Accel-Expires-Debug
X-Optimistic-Header
X-TIME
X-ZONE
X-Parent-Response-Time
X-GeoIP-Region-Code
GEO-INFO
X-Akamai-Transformed
X-WP-CF-Super-Cache
X-VC
X-WP-CF-Super-Cache-Cache-Control
X-Owner
X-CacheTTL
X-NC
X-Srv
Pics-Label
X-GeoIP-Country-Code
X-Dispatcher-Number
IsBot
X-Scale
X-Refresh
Server-Ext
X-Ah-Environment
Sever-Int
X-SIPLIST1
X-Via-Ucdn
Server-Hostname
X-Tb-Optimization-Total-Bytes-Saved
X-Udemy-Cache-App-Namespace
Ms-Author-Via
Servername
X-LB-NoCache
X-Cache-Debug
X-Mvc-Supplant-OutputCached
Env
Memory
X-API-Version
Time
X-Edge-Pop
Fusion-Content-Source
Fusion-Content-Id
Fusion-Component-Id
Fusion-Source
Fusion-Template-Id
Fusion-Deployment-Id
X-Newrelic-Synthetics
X-Wikidot-Static-Cache
Ohc-File-Size
X-Wikidot-Backend
CacheControlHeader
Geo-Info
X-Generated-In
X-CACHE-KEY
X-Tt-Logid
X-Varnish-Ttl
X-Xrds-Location
Cache-Key
X-Via-Poph
X-TH-Server
GeoIp-Country-Code
X-Amz-Meta-Cb-Modifiedtime
X-Via-Popn
X-Via-Popv
True-Client-Country-4JS
X-Ad-Defer-Variation
Candidate-Md5Url
X-Action
X-BCube-Filmed-By
X-IPLB-Request-ID
Datacenter
CPC-Cache
CPC-Age
X-Contensis-Viewer-Groups
VNS-Cache
XM
X-Backend-TTL
X-S-Maxage
X-Cache-ASPX
X-SplitTest
VNS-Age
X-Servedbyhost
X-HA-Backend
X-RateLimit-Reset
Fastly-Backend-Name
Client
FSS-Cache
Geoip-Latitude
X-Presslabs-Stats
X-Varnish-Authentication
X-WA-Info
X-Micro-Cache
X-Varnish-Beresp-TTL
X-VCL-Version
X-Dynatrace
X-Vc
ITXSESSIONID
Path
Edge-Cache
X-Req
X-Provided-By
X-VHOST
X-Cache-Status-Check
My-App
X-DC
X-Trace-ID
X-AIR-PT
Server-ID
X-Zone
X-Cs
Cache-Host
Hostname
Ohc-Cache-HIT
X-Origin-Upstream-Status
Lb
X-Pass-Why
X-TX-ID
Ngx.Var.Host
X-Up
True-Client-IP
DataCenter
X-LB-ID
X-FireWall-Port
NtCoent-Length
X-Webkit-Csp-Report-Only
X-Fpc
X-Proxy-CacheRZ
X-Clientip
X-FPC
XkeyRZ
X-Api-Version
X-Varnish-Beresp-Ttl
X-Traceid
OT-Force-Account-Verify
Powered-By
X-Li-Pop
X-LI-UUID
X-Li-Fabric
Test
Cf-Int-Pingora-Origin-Digest
X-NGINX-Cache
X-B3-Spanid
X-UnsetCookies
X-Cdn-Request-ID
X-ND-Cache
X-CSRF-TOKEN
X-Correlation-ID
X-Beluga-Cache-Status
X-Beluga-Record
X-Beluga-Node
X-Time-Microsecs
X-Beluga-Trace
X-Webkit-CSP-Report-Only
X-Beluga-Status
X-Vcl-Version
Server-Id
X-Beluga-Response-Time
User-Agent
X-CUA
Target-Params
Tracecode
X-Fragments
X-MSEdge-Features
X-RAMCache
WZWS-RAY
X-MSEdge-Flight
X-Dmc
Cf-Device-Type
Proxy-Connection
X-CLOUD-TRACE-CONTEXT
X-Azure-Ref-OriginShield
X-HS-Status
X-Via-PopN
Lfy
X-Fastly-Backend
X-FC-Vary-Parameters
X-Via-PopH
Uri
X-ATG-Version
X-Var-Ttl
X-Sucuri-ID
X-INCAP-ABP
X-Via-PopV
X-ServedByHost
X-Sucuri-Cache
X-Ha-Backend
Resin-Trace
X-Render-Time
X-Platform-Processor
X-URL
X-Platform-Cluster
X-Platform-Router
X-Geo
Tcn
C-Via
GeoIP-Country-Code
Sid
Rip
GeoIP-Latitude
Srvid
X-Check-Cacheable
X-Akamai-Pragma-Client-IP
MIME-Version
X-PX
X-LI-Proto
X-M-Reqid
X-Alfa-Service
Click-Count-Error
Click-Count-Action-Start
X-Hcs-Proxy-Type
X-Proxy-Cache-Hk
Tube-Get-Contents
X-CCDN-Origin-Time
X-CCDN-CacheTTL
Tube-Return
Tube-Got-Eval
X-Qnm-Cache
Tube-Got-Results
Epwk-X-Cache
X-M-Log
X-NU-AKA-ACS-Version
X-Gateway-Skip-Cache
X-Service
X-Varnish-Beresp-Status
X-Li-Proto
X-Gateway-Request-Id
X-Gateway-Cache-Key
X-Gateway-Cache-Status
X-DynaTrace-JS-Agent
X-Fetch-By
Fastly-Drupal-HTML
X-Cdn-Forward
X-TRACE-ID
Magicmarker
X-Backend-State
HIT
ENV
X-Backend-Host
Esi-Enabled
X-Fastly-Backend-Reqs
X-Esi
Cdn
X-Lb-Nocache
X-Cache-Expires
X-Request-Start
X-B3-Traceid-Primal
XServer
X-Edge-POP
Section-Io-Origin-Status
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
Section-Io-Id
ServerName
On-Server
X-Cache-CFC
X-Newrelic-App-Data
X-Srcache-Store-Status
X-Srcache-Fetch-Status
X-LiteSpeed-Cache-Control
Srv
X-HostName
X-MG-S
CF-Cached-On
X-Yottaa-OS
PICS-Label
X-ElasticPress-Query
Server-Ttl
X-Thanos
X-Bip
X-App
X-APP
D-Url-Rewrites
X-Iplb-Request-Id
X-Acquia-Application-UUID
X-Acquia-Application-Trace
X-Acquia-Purge-Tags
X-Acquia-Site
X-Nc
Inserted-Into-Cache-At
X-Serial
X-BBC-Origin-Response-Status
X-Iplb-Instance
Wpo-Cache-Status
Cf-Ipcountry
X-Vcache
Wpo-Cache-Message
Warning
Servedby
X-Request-URL
X-Wp-Cf-Super-Cache
Fastcgi-Cache-Ttl
X-Fastly-Cache-Hits
X-Wp-Cf-Super-Cache-Cache-Control
X-Cache-Config
X-B3-Parentspanid
X-Swift-Error
X-IN-APIGATEWAY
X-IN-APIGATEWAYSSL
X-Litespeed-Cache-Control
X-Shopify-Generated-Cart-Token
X-LiteSpeed-Tag
M-TraceId
X-Akamai-ERPolicy
X-Akamai-ERRuleID
X-Akamai-Request-ID
Cneonction
Ngx
Content-Style-Type
Content-Script-Type
X-Back
X-Th-Server
X-Storefront-Renderer-Verified
X-Dw-Trace-Id
CountryCode
X-Snapshot-Date
X-Request-Url
X-Dist-Code
X-Release
X-CF-Powered-By