Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
Link
CF-Cache-Status
X-Powered-By
Pragma
ETag
CF-RAY
Expect-CT
X-XSS-Protection
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
P3P
Referrer-Policy
X-Cache-Hits
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-UA-Compatible
X-Xss-Protection
X-Served-By
Alt-Svc
X-Varnish
X-Timer
X-Request-Id
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
X-Check
X-Drupal-Cache
X-Adblock-Key
Content-Security-Policy-Report-Only
X-Permitted-Cross-Domain-Policies
X-Generator
X-Cache-Status
CF-Ray
X-Cacheable
X-Kinja-Server-Push
X-DNS-Prefetch-Control
Timing-Allow-Origin
X-Template
X-Language
X-FRAME-OPTIONS
X-AspNetMvc-Version
X-Iinfo
X-Buckets
X-Ua-Compatible
Status
X-Request-ID
X-Content-Security-Policy
Content-Encoding
Access-Control-Expose-Headers
Upgrade
X-CDN
X-Envoy-Upstream-Service-Time
Access-Control-Max-Age
Keep-Alive
X-Via
X-Drupal-Dynamic-Cache
X-Ws-Request-Id
X-AH-Environment
X-Backend
X-Server
X-Age
X-Turbo-Charged-By
X-Cache-Group
X-Robots-Tag
Feature-Policy
Request-Context
X-Proxy-Cache
Xkey
X-Amz-Id-2
X-Amz-Request-Id
EagleId
X-Hacker
X-Page-Speed
X-Server-Powered-By
X-UA-Device
X-Nginx-Cache-Status
Grace
X-Pingback
Server-Timing
X-Varnish-Cache
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
Report-To
X-LiteSpeed-Cache
P3p
X-Amz-Version-Id
Cf-Railgun
X-Dns-Prefetch-Control
X-Server-Id
X-Rq
X-WebKit-CSP
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-OneAgent-JS-Injection
X-Origin-Cache
EagleEye-TraceId
X-Host
Surrogate-Control
X-Device
X-Response-Time
X-Vhost
X-Ac
X-Readtime
X-Cache-Lookup
X-Backend-Server
X-Node
NEL
X-Dispatcher
X-Origin-Upstream-Status
X-HW
Content-Location
Fusion-Template-Id
Fusion-Source
Fusion-Content-Source
Fusion-Component-Id
Fusion-Content-Id
X-Mod-Pagespeed
Request-Id
X-DataDome
X-Application-Context
X-ORACLE-DMS-ECID
X-Akam-SW-Version
Fusion-Deployment-Id
X-Ruxit-JS-Agent
X-ORACLE-DMS-RID
X-Country
Allow
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Cloud-Trace-Context
Rating
X-Country-Code
X-Cnection
Edge-Control
Accept-CH
X-Url
X-Rack-Cache
RTSS
X-Clacks-Overhead
X-Px
MS-Author-Via
Accept-CH-Lifetime
X-Cdn
X-FTR-Request-ID
X-PC
X-TtlSet
X-Vname
X-Goog-Hash
Verso
X-Powered-By-Plesk
X-Varnish-TTL
Service-Worker-Allowed
X-B3-TraceId
Host-Header
X-Exp-Variant
X-Kinja
X-Cdn-Fetch
X-Kinja-Build
X-Exp-Id
X-GoogleNews-Bot
X-Use-Magma
X-Kinja-Revision
X-Kinja-Server
Public-Key-Pins
X-GitHub-Request-Id
X-MS-InvokeApp
Arr-Disable-Session-Affinity
X-Amz-Server-Side-Encryption
X-Forwarded-Proto
Pagespeed
X-Middleton-Response
X-Middleton-Display
X-Sol
Response
Display
X-Cache-TTL
X-DynaTrace
X-Content-Type
X-D2id
X-Amz-Rid
X-NF-Request-ID
TCN
X-Vcap-Request-Id
X-Abt-Application-Version
X-CST
X-Cached
X-VARITI-CCR
Pinterest-Generated-By
X-Ttl
AR-Request-ID
AR-PoweredBy
AR-ATIME
AR-CACHE
Ar-Sid
X-ESI
X-Navigation-Version
X-Version
X-Fastly-Request-ID
X-Powered-CMS
X-Upstream
Cache-Tag
X-Server-Name
X-Pass-Why
Accept-Ch
X-Grace
X-Debug
X-Instart-Request-ID
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-TEC-API-VERSION
Access-Control-Request-Method
X-XRDS-Location
Charset
X-MSEdge-Ref
Nginx-Cache
Content-MD5
X-Accel-Expires
X-Element-Page-Cache
X-B3-TraceId-Primal
Mrf-Cache-Status
X-Mrf-Item-Lastmod
MRF-Tech
X-Mrf-Section-Lastmod
Accept-Ch-Lifetime
Realpath
SPIisLatency
SPRequestDuration
X-Ezoic-Cdn
X-DynaTrace-JS-Agent
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-SharePointHealthScore
SPRequestGuid
X-Shield-Request-Id
S
Pinterest-Version
X-Pinterest-Rid
X-Jurisdiction
X-Hp-Webp
X-Amz-Meta-S3cmd-Attrs
X-Dw-Request-Base-Id
X-Id
X-Recruiting
X-Kinsta-Cache
X-Trace
X-T
X-TTL
X-Client-IP
Fastcgi-Cache
X-Content-Digest
X-Node-Name
X-Cache-Key
X-Logged-In
X-Server-ID
X-NWS-LOG-UUID
X-Mobile-URL
TP-Cache
TP-L2-Cache
X-Cache-Hit
X-FastCGI-Cache
X-Frontend
X-Request-Processing-Time
X-Hostname
Server-Node
X-Request-Received
ServerID
X-Cache-Age
X-Oneagent-Js-Injection
X-Amzn-Trace-Id
Front-End-Https
Fastly-Restarts
X-Country-Code-Real
X-FTR-DC
X-FTR-Backend
X-FTR-Cache-Status
X-FTR-Realm
X-FTR-Backend-Server
X-FTR-Balancer
X-Forwarded-For
Edge-Cache-Tag
X-FTR-Expires
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-GUploader-UploadID
X-Goog-Metageneration
X-Goog-Generation
X-Goog-Storage-Class
X-Yandex-Sdch-Disable
Server-Name
Powered
PB-RID
PB-PID
Arc-Version
X-Request-Handler-Origin-Region
X-Microsite
X-Content-Security-Policy-Report-Only
X-Revision
X-User-Agent
X-Hits
X-Page-Id
X-DIS-Request-ID
Filters
X-LB-Cache
X-F-Cache
X-Jobs
X-Zen-Fury
X-Akamai-Edgescape
DynaTrace
X-Correlation-Id
X-Fastcgi-Cache
X-Kong-Upstream-Latency
X-ORACLE-APMCS-TAG
X-Kong-Proxy-Latency
X-ORACLE-APMCS-REQUEST-ID
X-Mobile-Rewrite
X-Erf-Bev-Bev
X-Erf-Bev-Bev-Is-Generated
X-HS-Hub-Id
X-HS-Combine-CSS
X-HS-Content-Id
X-HS-Cache-Config
Alternate-Protocol
X-Geo-Country
X-Content-Powered-By
X-Origin-Server
Accept-Charset
AMP-Access-Control-Allow-Source-Origin
X-Varnish-Age
X-FTR-Cache-Host
X-N
X-Daa-Tunnel
X-B
Cache-Tags
X-Varnish-Backend
X-RateLimit-Remaining
X-Litespeed-Cache
X-Ruxit-Js-Agent
X-Rid
X-Type
X-Amz-Replication-Status
X-WebKit-CSP-Report-Only
X-Varnish-Grace
Retry-After
X-Git-Hash
Section-Io-Cache
Surrogate-Key
DC
X-Whom
X-Signature
X-TT
Host
X-App-Environment
X-FB-Debug
X-B-Cache
X-Request-Guid
Paypal-Debug-Id
X-Content-Options
MicrosoftSharePointTeamServices
X-Via-JSL
X-ATS-Timestamp
Backend-Timing
X-Activity-Id
X-AppVersion
X-Az
X-Esi
X-Status
X-Edge
X-Debug-Info
Frame-Options
Fastcgi-Useragent
Actual-Object-TTL
X-Ser
X-ATG-Version
X-IPLB-Instance
Healthy
X-Endurance-Cache-Level
X-App-Server
X-HTML-Minification-Powered-By
X-Webkit-CSP
Srv
X-Contextid
X-AOL-HN
Nel
X-Amzn-RequestId
X-Cache-Action
X-Seen-By
X-ECACHE
X-B3-Sampled
Refresh
X-Pinterest-Direct
From-Origin
Access-Control-Allow-Method
X-Amz-Apigw-Id
X-Upgrade-Enabled
X-Host-Name
X-Response-Served-From
X-Cache-Rule
X-Protected-By
X-Tumblr-Pixel
X-Tumblr-Pixel-0
X-Accel-Buffering
X-Tumblr-User
X-Instance
X-Cache-Operation
X-RemovedCookies
X-ProcessESI
X-Drupal-Cache-Tags
VIX-Pulpo-Node
X-Is-Bot
VIX-Pulpo-Upstream-Status
X-Cacheable-TTL
Content-Disposition
Odigeo-Trace-Id
X-MCACHE
X-Rendered-As
X-Region
X-Mid
X-Environment-Context
Payment
Datacenter
X-WA-Info
X-L-Path
X-UUID
X-Time
X-Varnish-Server
Eomportal-Instance
X-Rule
X-FW-Type
X-FW-Static
X-FW-Serve
X-FW-Server
X-FW-Dynamic
X-FW-Hash
Countrycode
X-Release
X-Cache-Time
X-Adobe-Loc
X-Adobe-Content
MS-CV
Source
Uber-Trace-Id
X-Proxy
Xserver
X-Cached-By
X-Cache-Server
X-EdgeConnect-Cache-Status
X-Akamai-Request-ID2
X-Load-Cache
X-Cache-Control
X-PressLabs-Stats
X-UnsetCookies
X-Mobile
X-GeoIP
X-PHP-Backend
Cache-Status
X-Akamai-Transformed
X-NewRelic-App-Data
X-Azure-Ref
Access-Control-Request-Headers
X-Yottaa-Metrics
X-Yottaa-Optimizations
X-Tt-Trace-Tag
X-Origin-Response-Time
X-Tt-Trace-Host
X-VCache
X-Air-Hostname
X-SERVER-NAME
Version
X-Wix-Request-Id
Accept-Language
X-Handled-By
X-Mode
X-NGENIX-Cache
X-Cache-NGX
Liferay-Portal
X-Backend-Name
X-Cluster
X-NWS-UUID-VERIFY
Cache
X-IPS-LoggedIn
X-Framework
X-Ua
X-Ua-Device
X-CSRF-Token
X-Correlation-ID
X-Tumblr-Pixel-2
NGB
X-Tumblr-Pixel-1
X-PERF
X-Path-Route
X-Proxied
X-FireWall-Port
X-RateLimit-Limit
X-Cache-Remote
X-LJ-Flow-ID
X-Routing-Service
X-UA-Device-Type
X-UPSTREAM-Address
Filterid
X-AWS-Id
X-Zipkin-Id
X-URL
X-ES-SERVER
Cross-Origin-Window-Policy
X-Locale
X-RN-RSRV
Load-Balancing
Meta-Geo
X-ApacheServer
X-CCM
X-Cache-Var-Map
X-Via-Fastly
X-Adobe-Source
X-VWS-Id
X-Cache-Var
Server-Info
DSUID
Cache-Hits
Mn-Server-Ip
X-MP-GENERATED-AT
X-TX-ID
X-Cache-Status-Check
X-Detected-As
X-Site-Version
ServedBy
X-Www-Served-By
X-Qloud-Router
X-Real-IP
X-Viewer-Country
X-Say-TTL
X-Redis-Cache
X-Say-Cacheable
X-R9-Blue-Green-Version
X-Storage
Cache-Name
Akamai-GRN
X-Web-Node
Cache-Tv-Group
X-Section
Cleartype
X-SayCDN-TTL
Decoy-Debug-Key
X-Access
X-Cache-Config
X-Format
Now
Section-Io-Id
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
X-Human
X-Info
Section-Io-Origin-Status
X-PCL
Decoy-Debug-Status
X-OCL
X-IP
X-NCache
X-Pubstack
Decoy-Debug-TTL
X-Alternate-Cache-Key
X-Geo
Webserver
X-Bc-Bl
X-BYPASS-REASON
X-CS
X-Cache-Enabled
Webcakes-Region
Webcakes-App-Version
TWC-GeoIP-Country
TWC-Device-Class
TWC-GeoIP-LatLong
TWC-Locale-Group
Webcakes-App-Name
TWC-Privacy
X-Device-Type
X-EIG-Tracking-Id
X-ShopId
X-ShardId
X-Shopify-Stage
X-Sorting-Hat-PodId
X-Varnish-Cache-Hits
X-Sorting-Hat-ShopId
X-ProxyCache-Status
X-ProxyCache-Key
X-FW-Version
X-FC-Vary-Parameters
X-Hosted-By
X-Labrador-Cache-Channel
X-PHP-Host
X-Origin-Hint
TWC-Connection-Speed
X-ServerID
Fastly-SSL
S-Rt
Property-Id
X-SaId
X-BCube-Filmed-By
X-JoinUs
X-Proxy-Build
X-No-Session
X-NYM-Debug-Backend
X-Origin
X-Loop
X-Hl-Ver
X-From
Selected-Fe
X-Cache-Host
X-FB-TRIP-ID
X-Content-Age
X-Generated
X-TNCMS
X-Time-Microsecs
X-Timing-Wait
X-Amzn-Remapped-Content-Length
DB-Nickname
X-Hyper-Cache
Ms-Operation-Id
X-RTag
Origin-Cache-Control
Azure-RegionName
Ec-Rule-Version
Azure-InstanceId
X-APP-VERSION
Azure-SiteName
Azure-SlotName
Azure-Version
X-Cache-2
X-Cache-TTL-Remaining
X-Drupal-Cache-Contexts
X-Xfnlog-Site
X-XRDS-LOCATION
Origin-Edge-Control
X-Unique-Id
Time
Locale
Apigw-Requestid
X-Urbn-Context-Path
X-Urbn-Site-Id
Geo-Info
X-Goog-Meta-Goog-Reserved-File-Mtime
SD-X-WS
X-RequestSource
Country
X-Pad
X-Vcache
X-Presslabs-Stats
X-Old-Content-Length
X-Source
X-Varnish-Hostname
User-Agent
X-Cluster-Node
X-App-Version
X-EC-Lua
X-Debug-Cache
X-Cache-NE
Upgrade-Insecure-Requests
X-Soup
FilterID
X-Akamai-Request-ID
X-DC
X-RCS-CacheZone
X-Proto
X-Cache-Backend
X-CDN-Forward
X-Parent-Response-Time
X-Tb
Proxy-Connection
X-Backend-TTL
X-Cache-PHP
X-Cache-Grace
X-Storefront-Renderer-Rendered
X-SRV
X-Proxy-Cache-Status
X-App
X-Forwarded-Host
Cache-Key
LB
X-Uri
X-Method
AsisCache
VivaBuild
Fastcgi-X-Cache-Version
X-Newrelic-Synthetics
X-A-Ccd
UCS
GEO-REGION-INFO
FNAC-ModuleRouting
X-A-Dam
BehaviorPad-Version
X-Geo-Header
Viewtype
True-Client-Country-4JS
X-External-Request-Id
X-DevSite-Last-Modified
Who
X-CF-Lambda-Version
Content-Script-Type
X-Developer
X-SRCache-Key
X-Date
X-Destination
X-Vtex-Processado-Em
X-SIPLIST1
X-CF-Lambda-Fn
X-G
X-A
X-D
Content-Style-Type
X-Vtex-Remote-Cache
X-Dispatch
X-Twitter-Response-Tags
Mobile-Detection-Method
X-Trv-Group
X-Vdms-Version
X-Rojux
X-S
X-S-Cookie
Meta-Geo-Continent
X-Vdms-Path
X-Response-By
X-Rewrite-Enabled
Xc-Version
Machine
X-A-Dgt
X-Transaction
X-Scheme
X-Trace-Id
X-ScT
Rendered-Blocks
MD5-Digest
X-VG-WebCache
X-Aed
X-A-Wwc
N-Cache
M-TraceId
X-A-Dcw
X-NodeID
X-Session-Fingerprint
T-Server
X-PAYTM-SRV-ID
X-Accel-Expires-Debug
X-SD-PageType
X-Nginx-Cache-Key
Arc-Country
X-Tumblr-Pixel-3
X-VG-WebServer
IsBot
X-ARC
X-Application
X-Swa-Ws
X-Region-Sid
X-FORWARDED-FOR
X-Processor
ServerName
X-Connection-Hash
X-B-Cookie
X-Magnolia-Registration
X-Nc
X-Origin-CC
X-Srv
User-Cache-Control
X-Origin-TTL
Server-Host
Server-Hostname
Sever-Int
RNT-Time
Pagetype
Release
RNT-Machine
Thinkindot-CacheControl
Server-Ext
Thinkindot-Control
We-Hiring
Wxu-Next-Hostname
Wxu-Next-Commit
Wxu-Next-Region
Vix-Hermes-Req-Id
Thinkindot-CacheControl-Type
V-Age
Viewport
On-Server
X-Generated-In
X-VC-Cache
X-Policy
NM-Fastcgi-Cache
X-RateLimit-Limit-Second
X-RateLimit-Remaining-Second
X-Varnish-Cacheable
X-User
X-Matched-Rule
X-Micro-Cache
X-Node-Id
X-Owner
X-Req
X-Reqid
X-Thanos
X-WADP-Cache
X-Skip-Cache
X-SN
X-ServiceProvider
X-Thinkindot-L3
X-Worker
X-Wikidot-Static-Cache
X-Wikidot-Backend
X-Servername
X-Logging-Id
X-Loc
X-Cache-Info
X-Cache-FS-Status
X-Cache-URL
X-Clara-WADP
X-Cms-Context
X-Cache-Bucket
X-Block-Status
X-Agile-Age
X-Agile-Id
X-Backend-State
X-Bip
X-Compress-Hint
X-Developers
X-Hash
X-Hnp-Log
X-LAGOON
X-Level-Front-Cache
X-Generation-Time
X-Generated-On
X-Device-Os
X-Dispatcher-Server
X-Fmm-Version
X-Gen-Mode
X-Agile
Web-Mar-Node
Cache-Cookie-Set-Idcheck
Cache-Cookie-Set-Lfrom
CacheControlHeader
CDCHOST
Cache-Cookie-Set-From
Apple-News-Services-Request-Url
AKAMAI
Apple-News-Services-Handled
Apple-News-Services-Host
Apple-News-Services-Parsed-Url
Kp-EeAlive
OT-Force-Account-Verify
X-NC
X-AIR-PT
Mail-Subject
NGX
Magicmarker
X-Cluster-Name
X-Hit
Referer-Policy
X-Epic-Correlation-Id
X-BBXSRF
X-Esi-Check
Node
X-Distributor
X-Auto-Login
X-SVT-ORM-RULES
X-Has-Esi
X-Variation
X-Envoy-Decorator-Operation
X-TH-Server
X-Gzip
X-We-Are-Hiring
X-Clientip
X-Var-Ttl
X-CGP
X-Eu-Site
X-Request-Host
X-Core-Mission
X-VG-TLSProxy
X-Fastly-Cache
X-VServer
X-Cache-Id
X-Core-Value
X-Webstats-RespID
X-Cache-Tags
X-TrackingId
X-Irp-Debug
Sid
X-Be
Adler-Geo
Is-Eu
X-Mvc-Supplant-Cachable
X-NU-AKA-ACS-Version
X-Location
HA-Ipaddr
X-Is-Gdpr
X-Slack-Backend
Ha-Gx-Prefs
X-Origin-Date
L5d-Success-Class
X-Rebelmouse-Surrogate-Control
Platform
X-Request-UUID
X-Rebelmouse-Cache-Control
Rt-Fastcgi-Cache
X-Origin-Expires
X-Server-W
Fastly-SWR
Gh-Request-Id
Fastly-SIE
X-JWT-State
C-Via
X-Distil-CS
W
X-SVT-ORM-VERSION
Fastly-Drupal-HTML
X-GoCache-CacheStatus
X-Backend-Host
X-TA-CDN-Provider
X-LI-UUID
Memcached
X-LI-Proto
X-Contensis-Viewer-Groups
X-Edge-Location
X-Cache-ASPX
X-Key
X-Li-Fabric
X-Reboot
X-Li-Pop
X-Varnish-Authentication
Cf-Ipcountry
X-Varnish-Beresp-Ttl
X-Varnish-Beresp-Grace
S-Cnection
X-Varnish-Beresp-Status
X-Configured-By
X-Cache-Debug
X-Branch-Name
Pragrma
X-Wa
MIME-Version
HostName
X-Cdn-Forward
NR-ENABLED
WPE-Backend
X-Instart-Info
X-Varnish-URL
X-Refresh
X-Microcachable
X-BC
X-ZONE
X-Dc
X-Via-CDN
GEO-INFO
X-Servedbyhost
X-Platform-Server
X-Up
Fastly-Backend-Name
X-Via-PopH
X-Via-PopV
X-Envoy-Upstream-Healthchecked-Cluster
X-Batcache
X-Ms-Version
X-Ms-Request-Id
X-Mvc-Supplant-OutputCached
X-TT-TIMESTAMP
X-Nginx-Cache
X-Minions-Version
Memory
X-Vgn-Hpd-Reason
X-MSEdge-Features
X-ElasticPress-Query
X-MSEdge-Flight
X-B3-Traceid
X-UA
X-VCL-Version
X-Aicache-OS
Esi-Enabled
NtCoent-Length
X-Bc
X-Sucuri-ID
X-Zone
Server-ID
L
X-Pjax-Url
X-ND-Cache
X-App-Name
X-BACKEND-TTL
X-TIME
X-Unique-ID
CACHE
X-Debug-Panamera-Host
DCR-Processing-Time-Ms
DCR-Decision-By
X-Debug-Panamera-Sitecode
X-Server-IP
GeoIP-Country-Code
Cache-Host
X-CF-Powered-By
Ohc-File-Size
Pramga
Powered-By-ChinaCache
X-Fastly-Cache-Status
X-Svr
X-PF-Uncompressing
Tracecode
X-COUNTRY
X-Cdn-Srv
GeoIP-Latitude
X-Client-Ip
FSS-Cache
X-Oss-Request-Id
X-Oss-Object-Type
X-Oss-Hash-Crc64ecma
X-Oss-Server-Time
X-Generated-By
X-Oss-Storage-Class
HitType
Server-Cache-Control
Location
Server-Surrogate-Control
X-FPC
X-S-Maxage
Hostname
X-BE
X-Ratelimit-Reset
X-Varnishpool
X-LB-ID
X-Azure-Ref-OriginShield
X-GEO
Ohc-Response-Time
Resin-Trace
X-Sucuri-Cache
X-Check-Cacheable
X-Rocket-Nginx-Bypass
X-VCT
X-VarnishDD-TTL
X-Original-Request-Id
X-OVcl-Cache
X-Varnish-Ttl
X-OVcl
PFcat
Cteonnt-Length
X-Instart-Isnd
X-Fastly-Country-Code
Locid
Request-Country
Request-EU
X-Fpc
X-Fastly-Backend-Reqs
Heartbleed
X-Varnish-Hits
X-Request-URI
X-HS-Status
X-Render-Time
X-Platform
Cdn-Host
X-Vgn-Hpd-Variations-Key
X-Vgn-Hpd-Cached
X-Edge-Server
X-Vgn-Hpd-Ssi
X-Cache-Expired-At
Cdn-Request-Time
X-VHOST
X-PJAX-URL
Lfy
X-Newrelic-App-Data
CF-Cached-On
X-CSRF-TOKEN
Geoip-Latitude
GeoIp-Country-Code
X-Gamma-Serve
X-CUA
SRV
Amp-Access-Control-Allow-Source-Origin
X-Ratelimit-Remaining
X-Vcl-Version
SN
X-Pf-Uncompressing
Epwk-X-Cache
Pics-Label
X-Shopify-Generated-Cart-Token
X-Oracle-Dms-Rid
X-WebServer
X-CACHE-AGE
X-CLOUD-TRACE-CONTEXT
WZWS-RAY
Backend-Name
X-Proxy-Upstream
X-NGINX-Cache
WWW-Authenticate
X-CACHE-KEY
X-StackifyID
X-ECache
X-RunCloud-Cache
Backend
Product
Mime-Version
X-Fetched-On
X-Varnish-Url
My-App
X-Via-Popv
X-Sn-Servicetimems
X-Ratelimit-Limit
X-Via-Poph
X-Csrf-Jwt
X-ServedByHost
XServer
X-Cdn-Origin
URI
X-Amzn-Remapped-Connection
X-Amzn-Remapped-Date
X-Ftr-Cache-Host
X-Oss-Cdn-Auth
X-Tec-Api-Root
CloudFront-Viewer-Country
X-Tec-Api-Origin
A
X-Tec-Api-Version
X-GeoIP-Country-Code
Ohc-Cache-HIT
X-Debug-Cache-Store
X-Sigma
X-Rocket-Build-Number
X-Request-Time
X-Debug-Cache-Fetch
Dt-Cache-Category
X-B3-SpanId
X-Sigma-Backend
Lb
Cloudfront-Viewer-Country
Server-Ttl
PICS-Label
X-Cache-Tag
X-Debug-Cache-Bypass
X-Debug-Do-Not-Cache-Uri
X-Debug-Xas-Auth
X-Debug-Ysi-Auth
X-LiteSpeed-Cache-Control
X-Debug-Cache-Status
X-Request-Start
SID
X-Tb-Optimization-Total-Bytes-Saved
X-B3-Spanid
X-Nananana
X-Debug-Cache-String
Host-ID
X-Cache-Version
X-Swift-Error
Group
X-Apw-Hits
X-Acquia-Application-Trace
Cdn
X-Served-From
X-DPWN-IS-SECURE
X-Varnish-Beresp-TTL
X-WA
CF-IPCountry
X-Apw-Access-Token
X-Acquia-Site
X-Acquia-Purge-Tags
X-Acquia-Application-UUID
X-Apw-Access-Action
Cneonction
X-Apw-Access-Object
Proxy-Firewall
X-Snapshot-Date
FSS-Proxy
Inserted-Into-Cache-At
Warning
Dnion-Transfer-Encoding
X-Request-URL
X-ElasticPress-Search
X-Cache-Hfrom
X-Cache-Hm
X-Varnish-ID
X-WR-MODIFICATION
X-Html-Edge-Cache
X-SB
X-Dw-Trace-Id
Cf-Alt-Svc
X-VC