Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Cf-Request-Id
CF-RAY
CF-Cache-Status
Accept-Ranges
Link
Pragma
ETag
Expect-CT
X-Powered-By
X-XSS-Protection
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
P3P
X-UA-Compatible
Alt-Svc
X-Served-By
X-Xss-Protection
X-Timer
X-Download-Options
Access-Control-Allow-Headers
X-Varnish
Access-Control-Allow-Methods
X-Request-Id
Access-Control-Allow-Credentials
X-AspNet-Version
X-Runtime
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
Content-Security-Policy-Report-Only
X-Request-ID
X-Drupal-Cache
X-Check
X-Cache-Status
X-Generator
X-DNS-Prefetch-Control
X-Cacheable
Timing-Allow-Origin
P3p
X-Content-Security-Policy
X-FRAME-OPTIONS
X-Iinfo
Status
Content-Encoding
Feature-Policy
X-AspNetMvc-Version
X-CDN
Upgrade
Access-Control-Expose-Headers
X-Envoy-Upstream-Service-Time
X-Drupal-Dynamic-Cache
Access-Control-Max-Age
X-Via
Keep-Alive
X-Dns-Prefetch-Control
X-Robots-Tag
Server-Timing
Request-Context
X-Server
X-Ws-Request-Id
X-AH-Environment
X-Ua-Compatible
X-Age
X-Hacker
X-Turbo-Charged-By
X-Proxy-Cache
X-Server-Powered-By
X-Cache-Group
X-Backend
Host-Header
X-Nginx-Cache-Status
EagleId
X-Amz-Request-Id
X-Amz-Id-2
Report-To
X-Rq
X-UA-Device
X-Varnish-Cache
Grace
X-Page-Speed
X-LiteSpeed-Cache
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
X-Pingback
X-Device
EagleEye-TraceId
X-Vhost
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
Cf-Railgun
X-Server-Id
X-Amz-Version-Id
X-OneAgent-JS-Injection
X-Host
X-Dispatcher
NEL
X-CST
X-Node
Allow
Surrogate-Control
X-Cache-Spec
Request-Id
X-Backend-Server
X-WebKit-CSP
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Response-Time
X-Akam-SW-Version
X-Readtime
Xkey
Accept-CH
X-HW
X-Country
Content-Location
X-Ac
X-Application-Context
X-Language
Accept-Ch-Lifetime
X-Webkit-CSP
X-Template
Rating
MS-Author-Via
X-Ruxit-JS-Agent
X-Url
X-Cloud-Trace-Context
X-Cache-Lookup
X-Mod-Pagespeed
X-B3-TraceId
Edge-Control
X-Vname
X-TtlSet
X-PC
X-Clacks-Overhead
X-ESI
X-MS-InvokeApp
X-Trace
X-Varnish-TTL
X-GitHub-Request-Id
Fastly-Restarts
X-Content-Type
X-ASPNET-VERSION
Accept-Ch
Accept-CH-Lifetime
X-Cnection
X-Origin-Cache
X-Rack-Cache
X-Kinja
X-GoogleNews-Bot
X-Exp-Variant
X-Exp-Id
Arr-Disable-Session-Affinity
X-Cdn-Fetch
X-Kinja-Server
X-Use-Magma
X-Kinja-Build
X-Kinja-Revision
X-Country-Code
Verso
X-Goog-Hash
X-D2id
X-VARITI-CCR
X-Cached
X-Server-Name
X-Powered-By-Plesk
X-Vcap-Request-Id
Cache-Tag
X-Client-IP
X-Navigation-Version
X-Amz-Rid
X-Abt-Application-Version
X-Fastly-Request-ID
X-Buckets
Service-Worker-Allowed
X-FastCGI-Cache
X-Middleton-Display
Response
X-Middleton-Response
Display
Pagespeed
X-Sol
X-ORACLE-DMS-ECID
RTSS
X-Ttl
Access-Control-Request-Method
X-Element-Page-Cache
X-MSEdge-Ref
X-Powered-CMS
X-NF-Request-ID
X-Cache-TTL
Public-Key-Pins
X-Upstream
X-Dw-Request-Base-Id
X-Litespeed-Cache
X-Version
X-SRCache-Store-Status
X-SRCache-Fetch-Status
S
X-Edge
X-LLID
X-Kinsta-Cache
X-B3-TraceId-Primal
MRF-Tech
Mrf-Cache-Status
X-Ruxit-Js-Agent
SPIisLatency
Realpath
SPRequestDuration
X-Oneagent-Js-Injection
X-Accel-Expires
SPRequestGuid
X-SharePointHealthScore
X-Px
X-Jurisdiction
X-HP-Webp
X-ECACHE
X-T
X-TTL
X-Forwarded-Proto
X-Correlation-Id
X-Release
X-MCACHE
X-Mid
X-Edge-Location-Klb
X-Mg-S
Charset
X-Content-Security-Policy-Report-Only
X-PressLabs-Stats
X-Recruiting
X-Shield-Request-Id
TP-Cache
TP-L2-Cache
X-Ezoic-Cdn
Edge-Cache-Tag
Pinterest-Generated-By
X-Pinterest-Rid
Pinterest-Version
Fastcgi-Cache
X-DynaTrace
X-Amz-Server-Side-Encryption
X-ORACLE-DMS-RID
X-Id
X-Server-Lifecycle-Phase
X-Kraken-Loop-Name
X-Instrumentation
X-Kraken-Routeconfig-Destination
X-Content-Digest
X-Request-Processing-Time
X-Request-Received
Cache-Tags
Filters
Content-MD5
Alternate-Protocol
Server-Node
X-Logged-In
Front-End-Https
X-Forwarded-For
Nginx-Cache
Server-Name
X-Origin-Upstream-Status
X-Cache-Key
X-WebKit-CSP-Report-Only
X-Amzn-Trace-Id
Fusion-Content-Id
Fusion-Source
Fusion-Content-Source
X-Fastcgi-Cache
Fusion-Component-Id
Fusion-Template-Id
Fusion-Deployment-Id
X-Origin-Server
TCN
AR-Request-ID
AR-PoweredBy
AR-CACHE
AR-ATIME
Ar-Sid
X-XRDS-LOCATION
X-Grace
X-Contextid
X-F-Cache
X-Geo-Country
X-Rid
X-Amz-Replication-Status
X-Goog-Generation
X-Goog-Stored-Content-Length
X-Goog-Stored-Content-Encoding
X-GUploader-UploadID
X-Goog-Storage-Class
X-Goog-Metageneration
X-HS-Hub-Id
Host
X-HS-Content-Id
X-HS-Cache-Config
Cleartype
X-HS-Combine-CSS
X-AppVersion
X-Az
X-Activity-Id
X-Frontend
X-Server-ID
X-Protected-By
X-Hostname
X-Www-Served-By
X-RateLimit-Remaining
Section-Io-Cache
X-LB-Cache
X-Debug-Info
X-XRDS-Location
X-Ser
MicrosoftSharePointTeamServices
X-Erf-Bev-Bev-Is-Generated
X-Browser-Type
X-Erf-Bev-Bev
X-Aspnetmvc-Version
X-Request-Handler-Origin-Region
X-Microsite
X-Page-Id
X-Git-Hash
X-Cache-Age
Accept-Charset
X-Varnish-Age
X-Hits
X-Respond-Thread
X-Source
Nel
ServerID
X-Upgrade-Enabled
X-VCache
X-Mobile-URL
X-DIS-Request-ID
X-Tec-Api-Origin
Paypal-Debug-Id
X-Tec-Api-Root
X-Tec-Api-Version
X-CACHE-GROUP
X-B-Cache
X-Content-Options
X-Varnish-Backend
X-Signature
X-NWS-LOG-UUID
X-Route-Name
X-Providence-Cookie
X-Is-Crawler
X-Varnish-Grace
X-Flags
X-Aspnet-Duration-Ms
X-Request-Guid
Payment
Access-Control-Allow-Method
X-Whom
X-TT
Healthy
X-App-Environment
X-Cache-Action
X-FB-Debug
X-B3-Sampled
X-Kong-Upstream-Latency
X-N
X-Kong-Proxy-Latency
Node
Viewport
X-Seen-By
X-AOL-HN
X-Type
X-Daa-Tunnel
X-Load-Cache
Fastcgi-Useragent
Version
MS-CV
X-Mobile
DC
X-Cache-Expired-At
X-Webkit-Csp
Filterid
X-HTML-Minification-Powered-By
X-IPLB-Instance
X-Distributor
DynaTrace
X-Cache-Control
SRV
X-Yandex-Sdch-Disable
X-FireWall-Port
X-Original-Request-Id
X-Response-Served-From
X-Debug
X-Instance
X-Ab
Retry-After
NGB
X-Jobs
X-Real-IP
X-Proxy-Cache-Status
X-Accel-Buffering
X-Tt-Trace-Host
X-Tt-Trace-Tag
X-UUID
X-Tumblr-Pixel
X-Page-View
X-Tumblr-Pixel-0
X-Tumblr-User
X-IPS-LoggedIn
X-Varnish-Server
X-Tumblr-Pixel-1
X-Device-Type
Frame-Options
Cache
X-B
X-Cacheable-TTL
VIX-Pulpo-Node
X-Debug-IsPreview
X-Debug-IsConnected
X-Content-Powered-By
X-Framework
VIX-Pulpo-Upstream-Status
X-Region
X-Cluster-Name
Access-Control-Request-Headers
X-Cache-Time
Refresh
X-Adobe-Loc
Uber-Trace-Id
Ms-Operation-Id
X-RTag
X-Adobe-Content
X-ProcessESI
X-RemovedCookies
X-G
X-Wix-Request-Id
X-User-Agent
X-Proxy
X-FW-Serve
X-FW-Static
X-FW-Server
X-FW-Hash
X-Zen-Fury
X-FW-Dynamic
X-FW-Type
Countrycode
Section-Origin-Responded
Section-Io-Id
Section-Io-Origin-Time-Seconds
Section-Io-Origin-Status
X-Cache-Hit
X-App-Version
X-Time
X-Vgn-Hpd-Reason
Cache-Status
Surrogate-Key
X-RateLimit-Limit
X-Nginx-Cache
X-Drupal-Cache-Tags
X-NGENIX-Cache
X-Is-Bot
Country
X-Rendered-As
Eomportal-Instance
X-TA-CDN-Provider
X-Azure-Ref
X-App-Server
X-EdgeConnect-Cache-Status
X-Mg-Request-UUID
S-Cnection
X-Oracle-Dms-Rid
X-Ms-Request-Id
X-Rule
X-Ms-Version
CF-IPCountry
X-Drupal-Cache-Contexts
X-CDN-Forward
X-Cache-Rule
AMP-Access-Control-Allow-Source-Origin
Liferay-Portal
Meta-Geo
X-UPSTREAM-Address
X-JoinUs
Selected-Fe
X-ES-SERVER
SD-X-WS
X-RN-RSRV
X-SaId
X-Proxy-Build
Referer-Policy
X-Timing-Wait
X-Xfnlog-Site
ServedBy
X-Cache-TTL-Remaining
X-Yottaa-Metrics
X-Varnishpool
X-Backend-Host
X-Alternate-Cache-Key
From-Origin
X-Yottaa-Optimizations
X-Storefront-Renderer-Rendered
X-TNCMS
X-Handled-By
X-Shopify-Stage
X-ShardId
X-Sorting-Hat-PodId
X-Tumblr-Pixel-2
X-ShopId
X-Sorting-Hat-ShopId
X-Pubstack
Country-Code
Protected
X-Loop
TWC-Locale-Group
X-R9-Blue-Green-Version
Webcakes-App-Name
Azure-InstanceId
Xserver
TWC-Privacy
X-SayCDN-TTL
X-Node-Name
X-VWS-Id
TWC-Device-Class
TWC-Connection-Speed
TWC-GeoIP-Country
TWC-GeoIP-LatLong
X-Say-TTL
Azure-RegionName
X-Server-W
X-Say-Cacheable
Webcakes-Region
X-NYM-Debug-Backend
X-L-Path
X-Cache-PHP
X-Environment-Context
X-Request-Time
X-Endurance-Cache-Level
X-LAGOON
X-LJ-Flow-ID
X-No-Session
X-Human
Property-Id
Azure-Version
Webcakes-App-Version
Azure-SlotName
X-Proto
X-PHP-Backend
X-AWS-Id
Azure-SiteName
X-Origin-Hint
Fastly-SSL
X-Status
X-Origin-Date
X-OCL
X-PCL
X-PHP-Host
X-RCS-CacheZone
X-Sql-Count
X-Labrador-Cache-Channel
Decoy-Debug-TTL
X-Be
X-Format
X-Sql-Duration-Ms
X-Hyper-Cache
X-Backend-Name
Apigw-Requestid
X-ProxyCache-Key
X-BYPASS-REASON
X-ProxyCache-Status
X-S-Maxage
X-Varnish-Hostname
Decoy-Debug-Status
Akamai-GRN
X-Cache-Operation
Cache-Name
Decoy-Debug-Key
Cache-Tv-Group
X-Access
X-Hosted-By
X-Akamai-Edgescape
X-FB-TRIP-ID
Mn-Server-Ip
X-UA-Device-Type
X-Cache-Server
X-GG-Cache-Date
X-Hl-Ver
X-Via-Fastly
X-Section
X-Cached-By
X-Varnish-Beresp-Grace
X-Adobe-Source
X-Uri
X-Redis-Cache
X-PERF
X-ApacheServer
X-Web-Node
X-Content-Age
X-Trace-Id
X-WA-Info
X-Ua-Device
X-Dc
Amp-Access-Control-Allow-Source-Origin
X-ATG-Version
X-MP-GENERATED-AT
X-FW-Version
X-B3-SpanId
X-Cache-Enabled
X-Revision
X-Soup
X-CSRF-Token
X-SRV
X-Edge-Location
Backend
X-ServerID
X-Time-Microsecs
X-Mode
X-Info
X-Cache-Type
X-Tumblr-Pixel-3
X-CACHE-KEY
Who
X-Bc-Bl
X-CS
X-Varnish-Beresp-Status
X-Cache-NGX
X-TT-LOGID
X-Akamai-Transformed
X-Detected-As
X-Debug-Cache
X-Microcachable
X-Proxied
X-Platform
X-Routing-Service
X-Storage
X-Zipkin-Id
X-Datadome
X-Aws-Lambda-Call-Status
X-Azure-Ref-OriginShield
X-Cache-Host
Web-Mar-Node
X-Varnish-Cache-Hits
X-Generation-Time
X-Via-JSL
X-APP-VERSION
X-Amzn-RequestId
X-Amz-Apigw-Id
X-Amzn-Remapped-Content-Length
X-B3-Traceid
Server-Info
DataCenter
X-Extlb
X-Cluster-Node
X-Unique-ID
X-DataDome
X-Varnish-Beresp-Ttl
X-Varnish-Hits
OT-Force-Account-Verify
Cross-Origin-Opener-Policy
GEO-INFO
X-Origin-TTL
Count-Hit
X-Origin-CC
X-Locale
Rendered-Blocks
X-Ratelimit-Reset
Surrogated-Key
Mobile-Detection-Method
X-Processor
X-Proxy-Upstream
Meta-Geo-Continent
X-A-Dgt
Odigeo-Trace-Id
X-Magnolia-Registration
X-A-Dam
X-A-Ccd
X-Rojux
X-S
X-A-Dcw
X-A
X-Request-URI
Geo-Info
X-S-Cookie
X-Air-Trace-Id
X-Air-Source
X-Air-Hostname
T-Server
X-NAPM-TraceId
CDCHOST
CDN-Cache
DCR-Decision-By
DCR-Processing-Time-Ms
BehaviorPad-Version
CDN-CachedAt
CDN-EdgeStorageId
CDN-Uid
CDN-RequestId
CDN-RequestCountryCode
CDN-PullZone
Expiry
Fastcgi-X-Cache-Version
Host-ID
X-PBS-Appsvrname
X-Parallel-Accel
X-A-Wwc
M-TraceId
X-PAYTM-SRV-ID
A
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
Apple-News-Services-Host
Apple-News-Services-Handled
MD5-Digest
X-Rewrite-Enabled
X-CF-Lambda-Fn
X-EC-Lua
X-CF-Lambda-Version
X-VG-WebServer
X-From
X-SRCache-Key
X-Varnish-Url
X-Cache-NE
X-VG-WebCache
X-Thanos
X-D
X-Developer
X-Destination
X-External-Request-Id
X-Connection-Hash
X-Vdms-Version
X-Vdms-Path
X-Cache-Bucket
X-AIR-PT
X-Geo-Header
X-B-Cookie
X-Vtex-Processado-Em
X-Application
X-Vtex-Remote-Cache
X-ScT
X-Aed
X-BCube-Filmed-By
X-ARC
X-Bip
X-Session-Fingerprint
User-Cache-Control
X-Tb
X-Site-Version
X-Pass-Why
X-Envoy-Decorator-Operation
Content-Disposition
Fastly-SWR
Req-Svc-Chain
Fastly-SIE
X-Origin
X-Fmm-Version
Esi-Enabled
X-Fastly-Cache
X-Generated-On
X-Forwarded-Site
X-GoCache-CacheStatus
X-Men
X-Branch-Name
X-Cache-Debug
X-Cache-Info
Pics-Label
UCS
X-Backend-State
Cache-Host
X-Level-Front-Cache
X-Aicache-OS
Cmstype
Path
X-Location
X-Core-Value
X-Date
X-Hash
Gh-Request-Id
My-App
X-Micro-Cache
X-Clara-WADP
X-Clientip
X-Accel-Expires-Debug
X-Cms-Context
X-NU-AKA-ACS-Version
Fastly-Backend-Name
X-Sucuri-ID
X-Epic-Correlation-Id
X-Service
X-Platform-Server
X-Req
X-Var-Ttl
X-TrackingId
X-Varnish-Ttl
X-TEC-API-ORIGIN
X-TEC-API-ROOT
X-Rebelmouse-Surrogate-Control
Cmsid
X-Request-Host
X-Rebelmouse-Cache-Control
X-Request-UUID
X-TEC-API-VERSION
X-Served-From
X-Amz-Meta-S3cmd-Attrs
State
X-Cache-Ttl
X-WADP-Cache
X-Cluster
CacheControlHeader
X-VG-TLSProxy
Ec-Rule-Version
Upgrade-Insecure-Requests
X-Servername
X-Sigma
X-Scheme
X-Wikidot-Backend
X-Viewer-Country
X-Is-Gdpr
X-JWT-State
X-Wikidot-Static-Cache
We-Hiring
X-Generated-By
Vix-Hermes-Req-Id
Fastly-Drupal-HTML
Wxu-Next-Commit
Wxu-Next-Hostname
X-Gzip
X-Gamma-Serve
Wxu-Next-Region
X-Gen-Mode
X-Rocket-Build-Number
X-Sigma-Backend
X-SVT-ORM-VERSION
X-CGP
X-SVT-ORM-RULES
X-DPWN-IS-SECURE
X-Has-Esi
X-Hnp-Log
X-Variation
X-Device-Os
X-HN
X-Csrf-Jwt
X-Cache-Tags
X-Minions-Version
X-Slack-Backend
X-Block-Status
X-TX-ID
X-Developers
X-Fastly-Backend
X-Eu-Site
X-VarnishDD-TTL
X-Esi-Check
X-Cache-Id
X-Cache-Grace
X-Irp-Debug
X-Li-Fabric
X-Generated-In
X-Policy
Memcached
Mail-Subject
NGX
NM-Fastcgi-Cache
PB-RID
PB-PID
X-RateLimit-Limit-Second
Arc-Version
AKAMAI
Adler-Geo
Ha-Gx-Prefs
L5d-Success-Class
Is-Eu
HA-Ipaddr
X-Owner
X-Mvc-Supplant-Cachable
Origin
True-Client-Country-4JS
Location
PFcat
Pagetype
C-Via
X-Old-Content-Length
Server-Host
DSUID
Cache-Key
Kp-EeAlive
X-Origin-Expires
X-Li-Pop
L
X-LI-UUID
X-RateLimit-Remaining-Second
Platform
Webserver
Source
X-Varnish-Remaining-TTL
X-DefElseHash
CPC-Age
X-Forwarded-Host
X-Varnish-CookieINHashed-On
X-Nginx-Cache-Key
X-DefHash
Cf-Device-Type
X-VServer
X-FC-Vary-Parameters
Arc-Country
X-Via-NSCOPI
X-GeoIP-City
X-GeoIP
X-VC-Cache
X-Fetched-On
CPC-Cache
Locid
X-Loc
Release
SID
X-Varnish-CookieHashed-On
X-Qloud-Router
Server-Ext
Server-Hostname
Thinkindot-CacheControl
Thinkindot-CacheControl-Type
TDXMobile
Svr
Sever-Int
X-SIPLIST1
VNS-Cache
Fastcgi-Cache-TTL
X-User
X-HS-Content-Campaign-Id
IsBot
V-Age
VNS-Age
X-Thinkindot-L3
X-Ratelimit-Limit
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-Planisys-CDN-Cache
Thinkindot-Control
Tcn
X-NWS-UUID-VERIFY
X-PF-Uncompressing
X-Mvc-Supplant-OutputCached
X-Skip-Cache
Url
X-Unique-Id
X-Goog-Meta-Goog-Reserved-File-Mtime
X-CLOUD-TRACE-CONTEXT
X-Orig-Expires
Powered-By-ChinaCache
X-Forwarded-Path
S-Rt
X-OVcl
X-OVcl-Cache
X-Tenant
X-Shop-Environment
NtCoent-Length
X-Via-Poph
X-Via-Popn
X-Via-Popv
X-TraceId
X-PJAX-URL
X-Refresh
Cf-Bgj
X-Vc
DB-Nickname
X-Ratelimit-Remaining
Cache-Hits
Cross-Origin-Window-Policy
MIME-Version
X-Ua
XServer
X-Backend-TTL
X-NC
Magicmarker
X-Ftr-Request-Id
X-ZONE
X-ID
X-Zone
X-Internal-Host
X-GEO
X-LB-ID
X-Conf
X-Geo
Content-Secure-Policy
WebServer
X-Dispatcher-Server
Time
GeoIp-Country-Code
Memory
X-BBC-Edge-Cache-Status
Geoip-Latitude
X-Method
HostName
X-NCache
X-Servedbyhost
X-HP-Trace-Id
X-Srv
X-Ckpd-Fst-Backend
Server-ID
X-TIME
X-Worker
X-IP
X-Auto-Login
X-NewRelic-App-Data
X-DC
Hostname
X-V-Cache
Ssr
X-Render-Time
X-Qnm-Cache
X-LSADC-Cache
X-Li-Proto
LB
X-M-Log
X-M-Reqid
X-Newrelic-Synthetics
X-Wa
X-Platform-Processor
X-Tb-Optimization-Total-Bytes-Saved
X-Platform-Cluster
X-Platform-Router
X-Rocket-Nginx-Serving-Static
X-Trv-Group
X-Nc
X-Traceid
X-Tx-Id
Resin-Trace
X-SD-PageType
X-Vcl-Version
X-App
X-Cache-Remote
X-Node-Id
Ohc-File-Size
X-Dynatrace
X-MSEdge-Features
Environment
X-CACHE-AGE
Env
X-MSEdge-Flight
X-Datadog-Sampling-Priority
X-Datadog-Parent-Id
X-APP
X-Via-CDN
X-VCL-Version
X-Origin-Response-Time
X-Datadog-Trace-Id
X-HITS
X-VHOST
X-NodeID
X-HostName
X-Reqid
X-FTR-Request-ID
X-BBC-Origin-Response-Status
Datacenter
X-Via-Ucdn
Sid
X-ServerName
X-Cache-Config
X-Nyt-Route
X-Varnish-Beresp-TTL
X-Gdpr
X-Origin-Time
X-WA
X-Server-IP
CF-Cached-On
Cluster
X-API-Version
X-Pod-Name
X-DynaTrace-JS-Agent
X-Correlation-ID
X-LI-Proto
X-Wix-Viewer-Type
X-Edge-Pop
Cf-Ipcountry
X-ND-Cache
VivaBuild
Candidate-Md5Url
X-ElasticPress-Query
Rt-Fastcgi-Cache
Viewtype
X-Cdn-Forward
Web-Mar-Region
Machine
X-HS-Status
X-Cache-Var-Map
X-Cache-Var
X-Akamai-Pragma-Client-IP
X-Dynatrace-Js-Agent
N-Cache
X-Cs
Server-Id
On-Server
CDN
FSS-Cache
X-ServedByHost
Proxy-Connection
GeoIP-Country-Code
X-NGINX-Cache
GeoIP-Latitude
X-Webkit-CSP-Report-Only
X-Pjax-Url
X-Lb-Id
WZWS-RAY
Servername
X-Check-Cacheable
X-CCM
X-Oss-Request-Id
X-Oss-Object-Type
X-Oss-Server-Time
X-Oss-Storage-Class
Xc-Version
X-FTR-Realm
X-FTR-DC
X-FTR-Backend
X-Country-Code-Real
X-FTR-Backend-Server
X-FTR-Balancer
X-FTR-Cache-Status
X-Swa-Ws
X-Oss-Hash-Crc64ecma
X-URL
Ohc-Cache-HIT
X-Esi
X-CSRF-TOKEN
X-Xrds-Location
WWW-Authenticate
X-Varnish-Cacheable
X-Via-PopN
X-Cache-Backend
X-EIG-Tracking-Id
X-VC
X-Fastly-Backend-Reqs
Tracecode
X-Via-PopH
X-IN-APIGATEWAY
X-Via-PopV
Cdn
X-IN-APIGATEWAYSSL
X-Fastly-Request-Id
CountryCode
X-CUA
Cteonnt-Length
Onion-Location
X-Swift-Error
X-SN
Mime-Version
URI
Instruction
SR-User-Adfree
X-Contensis-Viewer-Groups
X-Fpc
X-FORWARDED-FOR
X-Air-Pt
X-Region-Sid
X-FTR-Expires
X-Cache-ASPX
X-Presslabs-Stats
CACHE
X-Varnish-Authentication
WP-Super-Cache
X-Fastly-Cache-Hits
Ohc-Response-Time
Shield-Pop
X-DSS
X-Yottaa-OS
X-Dw-Trace-Id
X-RSL
X-UnsetCookies
X-ElasticPress-Search
Redirect-Candidate
X-StackifyID
Warning
X-Snapshot-Date
X-TIM-N
X-Tid
X-Pf-Uncompressing
Server-Ttl
X-DB
X-SB
X-Action
X-Webstats-RespID
X-DI
X-LiteSpeed-Cache-Control
X-Depends-On
X-RPS
X-DW
X-RPM
X-Provided-By
Xet-Cookie
X-Request-Start
X-Up
X-UA
Vha6-Origin
X-Edge-POP
W
X-Apw-Access-Action
X-Apw-Access-Object
X-Cache-Expires
X-C
X-TH-Server
X-Apw-Access-Token
X-Apw-Hits
X-Hcs-Proxy-Type
X-Mg-Request-Id
X-CCDN-Origin-Time
X-CCDN-CacheTTL
X-Cache-Status-Check
X-Matched-Rule
X-Core-Mission
Content-Script-Type
Content-Style-Type
CloudFront-Viewer-Country
X-Pad
X-Tt-Logid
Lfy
X-Acquia-Application-Trace
X-Acquia-Site
X-MiniProfiler-Ids
X-Acquia-Purge-Tags
X-Acquia-Application-UUID
ServerName