Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Last-Modified
Accept-Ranges
Cf-Request-Id
CF-Cache-Status
Link
ETag
CF-RAY
Pragma
Expect-CT
X-Powered-By
X-XSS-Protection
Via
X-Cache
Age
Content-Security-Policy
Report-To
NEL
Access-Control-Allow-Origin
Content-Language
Referrer-Policy
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-Cache-Hits
X-UA-Compatible
Alt-Svc
P3P
X-Xss-Protection
X-Served-By
X-Download-Options
X-Timer
Access-Control-Allow-Headers
X-Varnish
X-Request-Id
Access-Control-Allow-Methods
Access-Control-Allow-Credentials
X-Adblock-Key
X-Permitted-Cross-Domain-Policies
X-Runtime
X-AspNet-Version
Content-Security-Policy-Report-Only
X-Drupal-Cache
X-DNS-Prefetch-Control
CF-Ray
X-Cache-Status
X-Generator
X-Cacheable
X-Check
P3p
Timing-Allow-Origin
X-Request-ID
X-FRAME-OPTIONS
X-Iinfo
Feature-Policy
X-Content-Security-Policy
X-Envoy-Upstream-Service-Time
Content-Encoding
Status
X-Drupal-Dynamic-Cache
X-CONTENT-TYPE-OPTIONS
Access-Control-Expose-Headers
X-AspNetMvc-Version
X-CDN
Upgrade
X-Via
X-XSS-PROTECTION
Access-Control-Max-Age
X-Ws-Request-Id
Server-Timing
X-Cache-Group
X-Turbo-Charged-By
X-Dns-Prefetch-Control
X-Backend
Keep-Alive
Request-Context
EagleId
X-Akamai-Path-Stats
X-Age
X-Robots-Tag
X-Server
X-AH-Environment
X-Amz-Request-Id
Host-Header
X-UA-Device
X-Proxy-Cache
X-Amz-Id-2
X-Hacker
Grace
X-Rq
X-Server-Powered-By
X-Varnish-Cache
X-Swift-CacheTime
X-Swift-SaveTime
Ali-Swift-Global-Savetime
X-Vhost
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Dispatcher
X-Ua-Compatible
CONTENT-SECURITY-POLICY
Allow
EagleEye-TraceId
X-Nginx-Cache-Status
X-Pantheon-Styx-Hostname
X-Styx-Req-Id
X-Device
X-WebKit-CSP
X-OneAgent-JS-Injection
X-Cache-Spec
Cf-Railgun
X-Page-Speed
X-Host
X-Node
X-Server-Id
X-CST
X-Aws-Lambda-Call-Status
X-Pingback
Surrogate-Control
Request-Id
X-Backend-Server
Cf-Edge-Cache
X-Readtime
X-Akam-SW-Version
Accept-CH
X-Response-Time
X-Cache-Lookup
X-HW
X-Application-Context
Xkey
Content-Location
X-ASPNET-VERSION
Accept-CH-Lifetime
Rating
X-Cloud-Trace-Context
X-Url
X-EdgeConnect-Origin-MEX-Latency
X-EdgeConnect-MidMile-RTT
X-Trace
X-Country
Fastly-Restarts
Accept-Ch-Lifetime
Accept-Ch
X-MS-InvokeApp
X-Rack-Cache
X-Mod-Pagespeed
X-PC
X-TtlSet
X-Vname
X-Ruxit-JS-Agent
X-Clacks-Overhead
RTSS
X-Server-Name
Edge-Control
X-VARITI-CCR
X-ESI
X-B3-TraceId
X-Varnish-TTL
X-Amz-Server-Side-Encryption
Cache-Tag
X-Content-Type
X-Vcap-Request-Id
X-Dw-Request-Base-Id
Public-Key-Pins
X-Px
X-Amz-Rid
X-Cdn-Fetch
X-Kinja-Build
X-Kinja-Revision
X-Kinja-Server
X-Kinja
X-GoogleNews-Bot
X-Use-Magma
X-Exp-Id
X-Exp-Variant
X-Cnection
X-D2id
X-RateLimit-Remaining
X-Ac
X-Edge
X-Navigation-Version
X-Element-Page-Cache
Verso
X-FastCGI-Cache
Pagespeed
X-Middleton-Display
X-Ser
X-Sol
Display
X-Client-IP
X-Powered-By-Plesk
X-Abt-Application-Version
X-Cache-TTL
X-Version
Arr-Disable-Session-Affinity
X-GitHub-Request-Id
Service-Worker-Allowed
X-Country-Code
Response
X-Middleton-Response
X-NF-Request-ID
X-Correlation-Id
Access-Control-Request-Method
X-Goog-Hash
X-Ruxit-Js-Agent
X-Content-Security-Policy-Report-Only
SPIisLatency
X-Ttl
SPRequestDuration
X-Kinsta-Cache
X-Cached
X-Edge-Location-Klb
AR-SID
AR-Request-ID
AR-ATIME
AR-CACHE
AR-PoweredBy
SPRequestGuid
X-SharePointHealthScore
X-Upstream
X-Powered-CMS
X-TTL
X-LLID
Edge-Cache-Tag
X-RateLimit-Limit
X-NWS-LOG-UUID
X-Webkit-Csp
X-Server-Lifecycle-Phase
X-Kraken-Loop-Name
X-Instrumentation
X-Forwarded-For
Nginx-Cache
X-Cache-Key
X-Litespeed-Cache
Content-MD5
X-Id
X-MSEdge-Ref
Mrf-Cache-Status
MRF-Tech
X-Shield-Request-Id
X-T
X-B3-TraceId-Primal
X-Daa-Tunnel
S
X-Recruiting
TCN
X-Content-Digest
X-ECACHE
X-DataDome
X-Mg-S
X-Jurisdiction
X-HP-Webp
X-HP-Trace-Id
X-Ua-Device
X-TEC-API-ROOT
X-TEC-API-VERSION
MS-Author-Via
X-TEC-API-ORIGIN
X-SRCache-Store-Status
X-SRCache-Fetch-Status
X-Accel-Expires
X-WebKit-CSP-Report-Only
X-Ezoic-Cdn
X-Protected-By
X-HS-Cache-Config
X-HS-Content-Id
X-HS-Hub-Id
X-HS-Combine-CSS
X-Ua-Browser
X-Ab
X-Content
MicrosoftSharePointTeamServices
X-Grace
X-Request-Received
X-Request-Processing-Time
X-Frontend
Server-Node
Filters
Front-End-Https
TP-L2-Cache
TP-Cache
X-DynaTrace
X-PressLabs-Stats
X-Yandex-Sdch-Disable
X-Server-ID
X-Origin-Server
X-Distributor
X-ORACLE-DMS-ECID
Fastcgi-Cache
X-Mid
X-ORACLE-DMS-RID
X-Hits
X-Geo-Country
X-Request-Handler-Origin-Region
X-Microsite
X-Tt-Trace-Host
X-Amzn-Trace-Id
X-Tt-Trace-Tag
Charset
X-LB-Cache
Host
Cleartype
X-Ratelimit-Reset
X-Debug-Info
X-Page-Id
X-F-Cache
X-Git-Hash
X-B3-Sampled
X-Forwarded-Proto
Cross-Origin-Opener-Policy
X-Cache-Age
X-Www-Served-By
X-DIS-Request-ID
X-Seen-By
Realpath
X-Pinterest-Rid
Pinterest-Version
Access-Control-Allow-Method
Pinterest-Generated-By
X-Az
Cache-Status
X-AppVersion
ServerID
X-Activity-Id
X-Fastly-Request-Id
Accept-Charset
Filterid
Cache-Tags
X-MCACHE
X-XRDS-LOCATION
X-Varnish-Age
X-Cluster-Name
X-Aspnetmvc-Version
X-Nginx-Upstream-Cache-Status
X-Language
X-Content-Options
X-Type
X-Rid
X-Kong-Proxy-Latency
X-Kong-Upstream-Latency
X-App-Environment
Country
Retry-After
Server-Name
X-Upgrade-Enabled
Viewport
X-Origin-Cache
X-FB-Debug
Node
X-Varnish-Grace
DC
Paypal-Debug-Id
X-User-Agent
X-Varnish-Backend
X-Drupal-Cache-Tags
X-Signature
X-B-Cache
X-Goog-Metageneration
X-Whom
X-Goog-Stored-Content-Length
X-Oracle-Dms-Ecid
X-Wix-Request-Id
X-Tb
X-Goog-Stored-Content-Encoding
X-Mobile-URL
X-GUploader-UploadID
X-Goog-Storage-Class
X-Goog-Generation
X-Is-Crawler
X-Providence-Cookie
X-Request-Guid
X-Route-Name
X-Flags
X-Oracle-Dms-Rid
X-VCache
X-TT
X-Aspnet-Duration-Ms
X-B
Protected
X-Mcache
X-NWS-UUID-VERIFY
X-Oneagent-Js-Injection
Fastcgi-Useragent
Permissions-Policy
X-Debug
X-Logged-In
WPO-Cache-Status
WPO-Cache-Message
X-Amz-Replication-Status
X-Via-JSL
X-N
Payment
X-Cache-NGX
X-Amz-Meta-S3cmd-Attrs
X-Load-Cache
X-Contextid
Surrogate-Key
X-Cache-Control
X-Node-Name
X-Template
Count-Hit
Healthy
X-Webkit-CSP
X-FW-Server
X-FW-Dynamic
X-FW-Static
X-FW-Hash
X-FW-Serve
X-Mobile
X-FW-Type
X-Response-Served-From
X-Original-Request-Id
SD-X-WS
Refresh
X-Proxy
X-Erf-Bev-Bev-Is-Generated
X-Trace-Id
Content-Disposition
Akamai-GRN
X-Erf-Bev-Bev
X-Browser-Type
X-XRDS-Location
X-Revision
X-Cache-TTL-Remaining
Amp-Access-Control-Allow-Source-Origin
X-Jobs
X-Cache-Time
X-Zen-Fury
X-Akamai-Request-ID2
X-UUID
X-Real-IP
Alternate-Protocol
X-Fastcgi-Cache
NGB
X-Is-Bot
X-Framework
X-G
X-Device-Type
VIX-Pulpo-Upstream-Status
X-Restarts
X-Rendered-As
X-NGENIX-Cache
Uber-Trace-Id
X-Hostname
VIX-Pulpo-Node
Url
X-Proxy-Cache-Status
X-Drupal-Cache-Contexts
X-Page-View
X-Cacheable-TTL
X-Instance
X-Http-Reason
Access-Control-Request-Headers
X-Yottaa-Metrics
X-Adobe-Content
X-Adobe-Loc
X-Yottaa-Optimizations
X-Debug-IsPreview
X-Debug-IsConnected
X-Fastly-Request-ID
X-Servername
X-IPLB-Instance
X-Cache-Grace
X-Varnish-Server
X-EdgeConnect-Cache-Status
X-L-Path
X-Mg-Request-UUID
X-Environment-Context
Version
X-Source
X-ECache
Accept-Language
X-B3-Traceid
X-HTML-Minification-Powered-By
X-Midtier
X-RTag
Countrycode
Ms-Operation-Id
MS-CV
Frame-Options
X-Cache-Rule
X-Cache-Hit
X-Cache-Expired-At
X-Vgn-Hpd-Reason
Liferay-Portal
Referer-Policy
From-Origin
X-NYM-Debug-Backend
X-App-Server
Cross-Origin-Window-Policy
X-Tumblr-Pixel
X-Tumblr-Pixel-1
X-Tumblr-User
X-Tumblr-Pixel-0
Backend
X-Nginx-Cache
X-Parallel-Accel
X-IPS-LoggedIn
X-COUNTRY
X-FW-Version
Content-Secure-Policy
X-Datadome
X-Hosted-By
Meta-Geo
X-RN-RSRV
X-UPSTREAM-Address
Upgrade-Insecure-Requests
X-Cache-Server
X-Unique-Id
X-No-Session
X-PCL
X-OCL
X-Generation-Time
X-Ua
X-Redis-Cache
X-Content-Age
Section-Io-Cache
X-Via-Fastly
X-Format
X-Cluster-Node
X-Varnish-Cache-Hits
X-Origin-Hint
X-Request-Time
X-Section
X-Access
X-PHP-Backend
X-Uri
X-Server-W
Webcakes-Region
Azure-SlotName
Azure-Version
Mn-Server-Ip
Azure-SiteName
Azure-RegionName
Apigw-Requestid
Azure-InstanceId
Property-Id
S-Rt
TWC-Privacy
Webcakes-App-Name
Webcakes-App-Version
TWC-Locale-Group
TWC-GeoIP-LatLong
TWC-Connection-Speed
TWC-GeoIP-Country
WP-Super-Cache
TWC-Device-Class
X-RemovedCookies
X-ProcessESI
X-Mode
X-Shopify-Stage
X-Sorting-Hat-PodId
X-Sorting-Hat-ShopId
X-ShopId
X-ShardId
X-UA-Device-Type
X-Be
X-Cache-Host
X-BYPASS-REASON
X-Urbn-Site-Id
Fastly-SSL
X-FB-TRIP-ID
Locale
X-Cache-Enabled
Eomportal-Instance
X-Region
X-Debug-Cache
X-ApacheServer
X-Xfnlog-Site
Cache-Tv-Group
X-Urbn-Context-Path
X-Alternate-Cache-Key
X-Site-Version
X-Sql-Duration-Ms
X-Cache-Action
X-PERF
X-Status
CF-IPCountry
X-ProxyCache-Status
X-ProxyCache-Key
X-Sql-Count
X-Human
X-Locale
X-Extlb
X-Nginx-Cache-Key
X-ServerID
X-Zipkin-Id
Ec-Rule-Version
X-Routing-Service
X-Proxied
X-Origin-Date
X-SaId
X-Akamai-Edgescape
X-APP-VERSION
X-AOL-HN
X-Varnishpool
X-Backend-Name
X-Storage
X-Cache-Type
X-Tid
X-Detected-As
X-Content-Powered-By
X-JoinUs
X-Hl-Ver
X-SayCDN-TTL
X-Labrador-Cache-Channel
X-AWS-Id
X-LJ-Flow-ID
X-PHP-Host
X-Say-Cacheable
X-Generated-By
X-Handled-By
X-Say-TTL
X-Cms-Context
X-VWS-Id
X-Forwarded-Host
Selected-Fe
X-GG-Cache-Date
X-NewRelic-App-Data
X-Platform-Server
X-Cache-Tags
X-Adobe-Source
X-Timing-Wait
X-Ratelimit-Remaining
X-Proxy-Build
X-App-Version
X-Dc
ServedBy
X-TT-LOGID
X-VC-Cache
X-Storefront-Renderer-Rendered
X-Web-Node
CDN-Uid
CDN-Cache
X-Edge-Location
Load-Balancing
CDN-CachedAt
CDN-EdgeStorageId
CDN-RequestId
CDN-RequestCountryCode
CDN-PullZone
X-Hyper-Cache
X-Rule
SRV
X-CDN-Forward
X-Proto
Web-Mar-Node
X-Cache-Operation
X-LSADC-Cache
Onion-Location
Webserver
SID
X-Cached-By
X-Rewrite-Enabled
X-Cache-Remote
X-Soup
X-GeoCountry
X-GeoCode
Mime-Version
X-TA-CDN-Provider
Fastly-Drupal-Html
X-Varnish-Hostname
Cache-Hits
Xserver
X-Accel-Buffering
X-Cdn
X-Pubstack
X-Cluster
X-Varnish-Ttl
X-Reqid
X-GEO
Country-Code
X-SRV
X-Varnish-Hits
X-Envoy-Decorator-Operation
Xet-Cookie
LB
X-Air-Trace-Id
X-Air-Source
X-Air-Hostname
X-Buckets
X-Origin-TTL
X-Origin-CC
X-Microcachable
X-MP-GENERATED-AT
Server-Info
X-Tumblr-Pixel-2
X-Tumblr-Pixel-3
X-Ratelimit-Limit
X-CSRF-Token
Decoy-Debug-Status
Decoy-Debug-TTL
Decoy-Debug-Key
X-IPLB-Request-ID
X-Magnolia-Registration
DB-Nickname
X-Time
X-Newrelic-Synthetics
X-Ms-Version
X-Ms-Request-Id
X-B3-SpanId
X-Amzn-RequestId
X-Amz-Apigw-Id
X-Request-Host
Cache
X-Endurance-Cache-Level
X-Session-Fingerprint
Meta-Geo-Continent
X-Cache-NE
X-Shop-Environment
X-VG-WebCache
NM-Fastcgi-Cache
X-Vdms-Version
Mobile-Detection-Method
X-SD-PageType
Surrogated-Key
MD5-Digest
X-S-Cookie
X-ScT
T-Server
X-Vtex-Processado-Em
X-Vtex-Remote-Cache
BehaviorPad-Version
X-A
X-Application
X-A-Dgt
X-ARC
Pramga
Rendered-Blocks
X-A-Wwc
Source
X-Aed
X-B-Cookie
X-A-Dcw
X-Cache-Id
X-TIM-N
X-Tenant
X-A-Ccd
X-A-Dam
X-User
X-TrackingId
X-Vdms-Path
X-Cdn-Srv
X-Hash
X-HS-Content-Campaign-Id
X-Ec-Fail
X-Gzip
X-Geo-Header
A
X-Bc-Bl
DCR-Decision-By
Sslversion
X-Destination
X-Via-NSCOPI
Cmstype
Cmsid
X-Epic-Correlation-Id
X-External-Request-Id
X-Esi-Check
X-RCS-CacheZone
X-Ec-GeoHdr
X-Forwarded-Path
X-NCache
X-Tec-Api-Version
X-Tec-Api-Root
X-Tec-Api-Origin
X-Ig-Push-State
X-D
X-Processor
X-Connection-Hash
X-PAYTM-SRV-ID
Lang
X-Rojux
X-S
X-CF-Lambda-Fn
X-CF-Lambda-Version
Host-ID
X-PBS-Appsvrname
X-NAPM-TraceId
DCR-Processing-Time-Ms
Expiry
X-Conf
Fastcgi-X-Cache-Version
X-Orig-Expires
X-Origin-Response-Time
Server-Host
Memcached
Odigeo-Trace-Id
Mail-Subject
X-WADP-Cache
Xc-Version
Environment
Machine
Fastly-GeoIP-CountryCode
Cdnsip
Cdncip
X-Cache-Info
X-Nyt-Route
X-NodeID
X-Mvc-Supplant-Cachable
X-Clara-WADP
X-Origin
X-Rocket-Build-Number
X-Origin-Time
X-Irp-Debug
X-Core-Value
X-Fmm-Version
X-Fastly-Cache
X-Ftr-Request-Id
X-Gdpr
X-Developer
X-Developers
X-Ckpd-Fst-Backend
X-SB
X-V-Cache
X-AK-Request-ID
X-Amzn-Remapped-Content-Length
X-Via-Ucdn
Wxu-Next-Region
We-Hiring
Wxu-Next-Commit
X-Cache-Backend
X-Cache-Bucket
X-Scheme
X-CacheTTL
X-Server-IP
X-Sigma
X-SRCache-Key
X-Sigma-Backend
State
Wxu-Next-Hostname
X-Varnish-Beresp-Grace
AKAMAI
X-ZONE
HostName
X-Azure-Ref
Cache-Name
X-R9-Blue-Green-Version
X-Skip-Cache
X-Gen-Mode
X-Gamma-Serve
X-Device-Os
X-Has-Esi
X-Datadog-Trace-Id
X-Dispatcher-Number
X-Forwarded-Site
X-Datadog-Sampling-Priority
X-Generated-On
X-Ec-Custom-Error
X-Fetched-On
X-Eu-Site
X-Core-Mission
CDN
X-Auto-Login
Web-Mar-Region
Vix-Hermes-Req-Id
User-Cache-Control
V-Age
X-BBC-Edge-Cache-Status
X-Block-Status
X-HN
X-Csrf-Jwt
X-CGP
X-Tx-Id
X-Branch-Name
X-Datadog-Parent-Id
X-JWT-State
X-Rocket-Nginx-Serving-Static
X-Slack-Backend
X-Request-URI
X-Region-Sid
X-Proxy-Upstream
X-RateLimit-Limit-Second
X-SVT-ORM-RULES
X-SVT-ORM-VERSION
X-Wix-Viewer-Type
X-Worker
X-Viewer-Country
X-VG-TLSProxy
X-TNCMS
X-VarnishDD-TTL
X-Pool
X-Policy
X-Loop
X-Minions-Version
X-Level-Front-Cache
X-LAGOON
X-Is-Gdpr
Svr
X-Node-Id
AMP-Access-Control-Allow-Source-Origin
X-Platform
X-Pod-Name
X-Planisys-CDN-TTL
X-Planisys-CDN-Rules
X-Planisys-CDN-Cache
X-Hnp-Log
X-RateLimit-Remaining-Second
Fastcgi-Cache-TTL
Gh-Request-Id
Ha-Gx-Prefs
Apple-News-Services-Handled
Cluster
Apple-News-Services-Parsed-Url
Req-Svc-Chain
HA-Ipaddr
Kp-EeAlive
PFcat
Redirect-Candidate
Origin
N-Cache
L
L5d-Success-Class
CDCHOST
Apple-News-Services-Host
Apple-News-Services-Request-Url
Ssr
DynaTrace
X-Varnish-Remaining-TTL
X-Optimistic-Header
X-Varnish-CookieHashed-On
X-Wikidot-Backend
X-Varnish-CookieINHashed-On
X-Wikidot-Static-Cache
Candidate-Md5Url
Release
Cache-Key
Origin-EX
X-Variation
Origin-CC
X-From
X-GeoIP
X-DefElseHash
X-DefHash
Producers
X-Webstats-RespID
Is-Eu
Adler-Geo
CloudFront-Viewer-Country
X-Thinkindot-L3
X-Tt-Logid
Platform
X-Scale
X-Served-From
X-DPWN-IS-SECURE
X-Origin-Expires
X-Owner
Server-Ext
X-Cache-Date
TDXMobile
Traceparent
Thinkindot-Control
Thinkindot-CacheControl
Thinkindot-CacheControl-Type
Sever-Int
Server-Hostname
Datacenter
X-CS
X-VC
X-Cache-Status-Check
X-Rebelmouse-Cache-Control
X-SIPLIST1
X-Rebelmouse-Surrogate-Control
X-Sn-Servicetimems
X-VServer
DSUID
GEO-INFO
XM
X-SplitTest
X-Qloud-Router
X-Httpd
X-Aicache-OS
VNS-Cache
IsBot
Fastly-SWR
VNS-Age
X-Cdn-Origin
X-Loc
Fastly-SIE
X-Refresh
X-Location
X-Proxy-Cache-Info
X-GeoIP-City
Pics-Label
Ohc-File-Size
CPC-Cache
NGX
CPC-Age
X-BCube-Filmed-By
X-WP-CF-Super-Cache
X-NC
X-WP-CF-Super-Cache-Cache-Control
X-Ad-Defer-Variation
X-Parent-Response-Time
X-WA-Info
Fastly-Backend-Name
X-CACHE-KEY
X-Men
X-Cache-ASPX
Servername
X-LB-NoCache
X-Edge-Pop
X-Contensis-Viewer-Groups
Arc-Country
X-Ah-Environment
X-Micro-Cache
Locid
X-AIR-PT
Ms-Author-Via
X-Tb-Optimization-Total-Bytes-Saved
X-EC-Lua
X-Varnish-Authentication
X-Old-Content-Length
Time
Memory
Env
X-Srv
X-Response-By
X-Generated-In
X-RPM
X-RSL
X-TraceId
X-Udemy-Cache-App-Namespace
X-RPS
X-Mvc-Supplant-OutputCached
X-DI
X-Via-Popv
X-Via-Popn
X-Amz-Meta-Cb-Modifiedtime
X-Via-Poph
X-DW
X-DSS
X-DB
X-Xrds-Location
Lb
X-Api-Version
X-TIME
Ngx.Var.Host
X-HA-Backend
GeoIp-Country-Code
X-Date
X-Accel-Expires-Debug
X-Akamai-Transformed
Path
Cache-Host
X-Servedbyhost
ITXSESSIONID
X-GeoIP-Region-Code
X-Varnish-Beresp-TTL
X-GeoIP-Country-Code
X-Proxy-CacheRZ
XkeyRZ
X-RateLimit-Reset
Ohc-Cache-HIT
FSS-Cache
Client
X-Cache-Debug
Geoip-Latitude
X-S-Maxage
X-API-Version
X-Vc
X-Clientip
Server-ID
X-VCL-Version
True-Client-IP
Fusion-Deployment-Id
Fusion-Source
Fusion-Template-Id
X-Cs
Fusion-Content-Id
Fusion-Component-Id
X-VHOST
Fusion-Content-Source
CacheControlHeader
X-DC
X-Trace-ID
X-TX-ID
X-TH-Server
X-FireWall-Port
Hostname
X-Action
X-Presslabs-Stats
True-Client-Country-4JS
X-Dmc
Tcn
X-Backend-TTL
X-Fpc
X-Zone
Geo-Info
X-Webkit-Csp-Report-Only
Powered-By
X-Render-Time
X-MSEdge-Features
X-MSEdge-Flight
Edge-Cache
NtCoent-Length
X-B3-Spanid
X-DynaTrace-JS-Agent
X-PX
X-Traceid
X-Req
My-App
X-Gateway-Skip-Cache
X-Service
X-Gateway-Request-Id
Test
X-Pass-Why
X-Gateway-Cache-Key
X-Gateway-Cache-Status
X-INCAP-ABP
X-M-Reqid
X-NGINX-Cache
HIT
X-M-Log
Rip
C-Via
X-FPC
X-Qnm-Cache
X-CSRF-TOKEN
Esi-Enabled
X-Vcl-Version
X-Cdn-Request-ID
X-Correlation-ID
X-Origin-Upstream-Status
X-Provided-By
X-Beluga-Status
X-Beluga-Cache-Status
Tube-Get-Contents
User-Agent
X-Up
Server-Id
Tube-Return
X-Beluga-Node
Click-Count-Action-Start
X-Webkit-CSP-Report-Only
Click-Count-Error
Tube-Got-Eval
X-Beluga-Response-Time
OT-Force-Account-Verify
X-Beluga-Trace
X-Beluga-Record
X-Alfa-Service
Tube-Got-Results
On-Server
X-HS-Status
X-Varnish-Beresp-Ttl
X-LB-ID
Cf-Int-Pingora-Origin-Digest
X-Geo
X-TRACE-ID
Srvid
X-URL
X-APP
Uri
X-Ha-Backend
X-Via-PopH
Resin-Trace
X-Via-PopN
Proxy-Connection
MIME-Version
X-Via-PopV
X-Proxy-Cache-Hk
X-Check-Cacheable
X-CLOUD-TRACE-CONTEXT
GeoIP-Latitude
Sid
X-Li-Pop
X-LI-UUID
X-UnsetCookies
WebServer
GeoIP-Country-Code
X-RAMCache
X-Li-Fabric
DataCenter
X-Akamai-Pragma-Client-IP
Fastly-Drupal-HTML
X-CCDN-Origin-Time
X-ServedByHost
Epwk-X-Cache
X-Hcs-Proxy-Type
X-CCDN-CacheTTL
Srv
X-ND-Cache
WZWS-RAY
X-Edge-Origin-Shield-Bytes
X-Fetch-By
X-LI-Proto
ENV
Cdn
X-Time-Microsecs
X-Edge-Origin-Shield-Region
X-Cdn-Forward
X-Backend-Host
Server-Ttl
M-TraceId
X-CUA
X-Fastly-Backend-Reqs
X-Esi
Warning
X-Fragments
X-ATG-Version
X-Platform-Router
X-Lb-Nocache
X-Platform-Processor
ServerName
X-Request-Url
Tracecode
X-Dynatrace
Target-Params
X-B3-Traceid-Primal
X-Platform-Cluster
Cf-Device-Type
X-Edge-POP
XServer
X-HostName
X-MG-S
PICS-Label
X-Fastly-Backend
Section-Io-Origin-Status
Section-Io-Origin-Time-Seconds
Cdn-Pullzone
Section-Origin-Responded
Lfy
X-ElasticPress-Query
Cdn-Cache
Cdn-Cachedat
X-FC-Vary-Parameters
Cdn-Edgestorageid
Section-Io-Id
X-HITS
X-Azure-Ref-OriginShield
Cdn-Requestid
X-Sucuri-Cache
Cdn-Uid
X-Yottaa-OS
CF-Cached-On
Inserted-Into-Cache-At
X-Sucuri-ID
X-App
X-Newrelic-App-Data
Cdn-Requestcountrycode
X-Var-Ttl
Cf-Ipcountry
X-Nc
X-Bip
Dt-Hot-News
X-Thanos
X-LiteSpeed-Cache-Control
X-Cache-Expires
X-CF-Powered-By
X-Dw-Trace-Id
X-Serial
X-Iplb-Instance
X-Vcache
X-Iplb-Request-Id
X-Varnish-Beresp-Status
D-Url-Rewrites
Servedby
Wp-Super-Cache
DT-Hot-News
X-Fastly-Cache-Hits
X-Wp-Cf-Super-Cache
True-Client-Ip
X-Vercel-Id
X-Wp-Cf-Super-Cache-Cache-Control
X-Vercel-Cache
X-Akamai-Request-ID
X-Th-Server
Cneonction
X-BBC-Origin-Response-Status
X-Release
X-Dist-Code
Ngx
X-Snapshot-Date
X-NU-AKA-ACS-Version
CountryCode
Content-Script-Type
Magicmarker
X-Request-URL
X-Backend-State
X-Storefront-Renderer-Verified
X-Li-Proto
Content-Style-Type
X-Back
Fastcgi-Cache-Ttl