Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: HTTP Header Usage Statistics HTTP Header Usage Statistics


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

This is a continuation of work started by Brough Davis as part of his software security project for his Masters in Information Security Engineering. The main goal of this project is to find how many sites use security relevant headers, like for example the X-XSS-Protection or X-Frame-Options headers.

Below you will find a table/histogram showing how many times we found each header (security relevant or not). We access the index page of each site using a "head" request. The list of sites is derived from Alexa's Top 1 Million sites. We try to poll as many sites as possible each day.

As we collect more data, we will plot changes over time.



All Headers Active In The Past Month
Header Popularity
Set-Cookie
Content-Type
Date
Connection
Server
Cache-Control
Vary
Expires
X-Frame-Options
Content-Length
Strict-Transport-Security
X-Content-Type-Options
Accept-Ranges
Last-Modified
Link
CF-Cache-Status
X-Powered-By
Pragma
ETag
CF-RAY
Expect-CT
X-XSS-Protection
Via
Age
X-Cache
Content-Security-Policy
Access-Control-Allow-Origin
Content-Language
P3P
Referrer-Policy
X-Cache-Hits
X-Amz-Cf-Pop
X-Amz-Cf-Id
X-UA-Compatible
X-Xss-Protection
X-Served-By
Alt-Svc
X-Varnish
X-Request-Id
X-Timer
Access-Control-Allow-Headers
Access-Control-Allow-Methods
X-Download-Options
X-AspNet-Version
Access-Control-Allow-Credentials
X-Runtime
CF-Ray
X-Adblock-Key
X-Check
X-Drupal-Cache
Content-Security-Policy-Report-Only
X-Permitted-Cross-Domain-Policies
X-Generator
X-Cache-Status
X-Cacheable
X-Kinja-Server-Push
X-DNS-Prefetch-Control
Timing-Allow-Origin
X-Template
X-Language
X-FRAME-OPTIONS
X-AspNetMvc-Version
X-Iinfo
X-Buckets
X-Ua-Compatible
Status
X-Content-Security-Policy
Content-Encoding
Access-Control-Expose-Headers
X-CDN
Upgrade
X-Request-ID
X-Envoy-Upstream-Service-Time
Access-Control-Max-Age
Keep-Alive
X-Via
X-Drupal-Dynamic-Cache
X-Ws-Request-Id
X-Backend
X-AH-Environment
X-Age
X-Server
X-Turbo-Charged-By
P3p
X-Cache-Group
X-Robots-Tag
Feature-Policy
Request-Context
X-Proxy-Cache
Xkey
X-Amz-Request-Id
X-Amz-Id-2
EagleId
X-Page-Speed
X-Hacker
X-Server-Powered-By
X-UA-Device
X-Nginx-Cache-Status
Grace
X-Pingback
Server-Timing
X-Varnish-Cache
X-Swift-SaveTime
X-Swift-CacheTime
Ali-Swift-Global-Savetime
Report-To
X-LiteSpeed-Cache
X-Amz-Version-Id
X-Server-Id
X-Dns-Prefetch-Control
Cf-Railgun
X-Rq
X-Styx-Req-Id
X-Pantheon-Styx-Hostname
X-WebKit-CSP
X-OneAgent-JS-Injection
EagleEye-TraceId
X-Origin-Cache
X-Host
Surrogate-Control
X-Device
X-Response-Time
X-Vhost
X-Readtime
X-Ac
X-Cache-Lookup
X-Node
X-Backend-Server
NEL
X-Dispatcher
X-Origin-Upstream-Status
Content-Location
X-HW
Fusion-Source
Fusion-Template-Id
Fusion-Component-Id
Fusion-Content-Id
Fusion-Content-Source
X-Mod-Pagespeed
Request-Id
X-DataDome
X-Application-Context
X-ORACLE-DMS-ECID
X-Akam-SW-Version
X-Ruxit-JS-Agent
Fusion-Deployment-Id
X-ORACLE-DMS-RID
X-Country
Allow
X-EdgeConnect-MidMile-RTT
X-EdgeConnect-Origin-MEX-Latency
X-Cloud-Trace-Context
Rating
X-Country-Code
X-Cnection
Accept-CH
X-Rack-Cache
X-Url
Edge-Control
RTSS
X-Clacks-Overhead
MS-Author-Via
X-Px
Accept-CH-Lifetime
X-FTR-Request-ID
Host-Header
X-Vname
X-TtlSet
X-PC
X-Goog-Hash
Verso
X-Powered-By-Plesk
X-Varnish-TTL
Service-Worker-Allowed
X-B3-TraceId
X-Exp-Id
X-Cdn-Fetch
X-Exp-Variant
X-Kinja-Build
X-Use-Magma
X-Kinja-Server
X-Kinja-Revision
X-Kinja
X-GoogleNews-Bot
Public-Key-Pins
X-GitHub-Request-Id
Arr-Disable-Session-Affinity
X-MS-InvokeApp
X-Forwarded-Proto
X-Amz-Server-Side-Encryption
X-Sol
X-Middleton-Display
Display
Pagespeed
Response
X-Middleton-Response
X-Cache-TTL
X-DynaTrace
X-Content-Type
X-D2id
X-Amz-Rid
X-NF-Request-ID
TCN
X-Vcap-Request-Id
X-Abt-Application-Version
X-CST
Pinterest-Generated-By
X-Cdn
X-VARITI-CCR
X-Cached
AR-Request-ID
X-Ttl
AR-ATIME
AR-PoweredBy
Ar-Sid
AR-CACHE
X-ESI
X-Navigation-Version
X-Version
X-Powered-CMS
X-Upstream
X-Fastly-Request-ID
Cache-Tag
X-Server-Name
Accept-Ch
X-Grace
X-Debug
X-Instart-Request-ID
X-XRDS-Location
X-TEC-API-ROOT
Access-Control-Request-Method
X-TEC-API-ORIGIN
X-TEC-API-VERSION
Charset
X-MSEdge-Ref
Nginx-Cache
Accept-Ch-Lifetime
Content-MD5
X-Element-Page-Cache
MRF-Tech
X-Mrf-Item-Lastmod
X-Mrf-Section-Lastmod
X-B3-TraceId-Primal
Mrf-Cache-Status
Realpath
X-Accel-Expires
X-Ezoic-Cdn
X-DynaTrace-JS-Agent
SPIisLatency
SPRequestDuration
X-SRCache-Fetch-Status
X-SRCache-Store-Status
X-Shield-Request-Id
SPRequestGuid
X-SharePointHealthScore
Pinterest-Version
X-Pinterest-Rid
S
X-Jurisdiction
X-Hp-Webp
X-Amz-Meta-S3cmd-Attrs
X-Pass-Why
X-Dw-Request-Base-Id
X-Recruiting
X-Id
X-Kinsta-Cache
X-Trace
X-TTL
X-T
Fastcgi-Cache
X-Cache-Key
X-Content-Digest
X-Logged-In
X-Node-Name
X-Client-IP
TP-Cache
X-NWS-LOG-UUID
TP-L2-Cache
X-Mobile-URL
X-Hostname
Server-Node
X-Request-Processing-Time
X-Frontend
X-Cache-Hit
X-Request-Received
ServerID
Fastly-Restarts
X-Cache-Age
X-Oneagent-Js-Injection
X-Amzn-Trace-Id
Front-End-Https
X-FastCGI-Cache
X-FTR-Backend-Server
X-FTR-Backend
X-FTR-Balancer
X-Country-Code-Real
X-FTR-Realm
X-Forwarded-For
X-FTR-DC
X-FTR-Cache-Status
Edge-Cache-Tag
X-FTR-Expires
X-Yandex-Sdch-Disable
X-GUploader-UploadID
X-Goog-Metageneration
X-Goog-Stored-Content-Length
X-Goog-Storage-Class
X-Goog-Generation
X-Goog-Stored-Content-Encoding
Powered
Server-Name
PB-PID
PB-RID
Arc-Version
X-Request-Handler-Origin-Region
X-Server-ID
X-Microsite
X-User-Agent
X-Content-Security-Policy-Report-Only
X-Page-Id
X-DIS-Request-ID
X-Hits
X-F-Cache
X-Jobs
Filters
X-Revision
X-Akamai-Edgescape
X-LB-Cache
X-Fastcgi-Cache
X-Erf-Bev-Bev-Is-Generated
X-Erf-Bev-Bev
X-Kong-Upstream-Latency
X-Kong-Proxy-Latency
X-Zen-Fury
DynaTrace
X-ORACLE-APMCS-TAG
X-ORACLE-APMCS-REQUEST-ID
X-Mobile-Rewrite
Alternate-Protocol
X-Origin-Server
X-Content-Powered-By
X-HS-Hub-Id
X-HS-Combine-CSS
X-HS-Content-Id
X-HS-Cache-Config
X-Geo-Country
X-Correlation-Id
Accept-Charset
AMP-Access-Control-Allow-Source-Origin
X-Varnish-Age
X-N
X-FTR-Cache-Host
X-Daa-Tunnel
X-B
X-RateLimit-Remaining
Cache-Tags
X-Varnish-Backend
X-Litespeed-Cache
X-Ruxit-Js-Agent
X-Rid
X-WebKit-CSP-Report-Only
X-Type
Retry-After
X-Varnish-Grace
X-Amz-Replication-Status
Section-Io-Cache
X-Content-Options
X-Git-Hash
X-Whom
Surrogate-Key
DC
Host
Paypal-Debug-Id
X-B-Cache
X-TT
X-Signature
X-Request-Guid
X-FB-Debug
X-Edge
X-App-Environment
X-Via-JSL
X-Activity-Id
X-AppVersion
X-Az
X-Ser
X-Esi
MicrosoftSharePointTeamServices
X-Debug-Info
X-Status
Fastcgi-Useragent
Frame-Options
Actual-Object-TTL
X-IPLB-Instance
X-ATS-Timestamp
Backend-Timing
X-ATG-Version
Healthy
X-Endurance-Cache-Level
X-App-Server
X-Webkit-CSP
X-HTML-Minification-Powered-By
Srv
X-AOL-HN
Nel
X-Contextid
X-Cache-Action
X-Seen-By
X-Amzn-RequestId
X-ECACHE
X-B3-Sampled
Refresh
X-Pinterest-Direct
From-Origin
X-Amz-Apigw-Id
Access-Control-Allow-Method
Content-Disposition
X-Upgrade-Enabled
X-Protected-By
X-Cache-Rule
X-Accel-Buffering
X-Response-Served-From
X-Tumblr-Pixel-0
X-Cache-Operation
X-Tumblr-Pixel
X-RemovedCookies
X-Release
X-ProcessESI
X-Tumblr-User
X-Instance
X-Host-Name
VIX-Pulpo-Node
X-Is-Bot
X-Mid
X-Region
X-Rendered-As
X-Cacheable-TTL
VIX-Pulpo-Upstream-Status
X-MCACHE
Odigeo-Trace-Id
X-Drupal-Cache-Tags
X-L-Path
X-WA-Info
Datacenter
Payment
X-Environment-Context
X-UUID
X-Varnish-Server
X-FW-Server
X-FW-Dynamic
X-FW-Hash
X-FW-Serve
X-FW-Static
X-FW-Type
Eomportal-Instance
X-Adobe-Loc
MS-CV
X-Cache-Time
X-Time
X-Rule
Countrycode
X-Adobe-Content
X-Proxy
Uber-Trace-Id
Source
X-Cached-By
Xserver
X-Load-Cache
X-Akamai-Request-ID2
X-EdgeConnect-Cache-Status
X-Cache-Server
X-Cache-Control
X-UnsetCookies
X-Mobile
X-PHP-Backend
X-NewRelic-App-Data
Access-Control-Request-Headers
X-GeoIP
X-Azure-Ref
X-Akamai-Transformed
X-Yottaa-Optimizations
X-PressLabs-Stats
Accept-Language
X-Yottaa-Metrics
X-Air-Hostname
Cache-Status
X-Correlation-ID
X-Tt-Trace-Tag
X-Tt-Trace-Host
X-Origin-Response-Time
X-SERVER-NAME
Version
Filterid
X-NGENIX-Cache
X-Mode
X-Wix-Request-Id
Liferay-Portal
X-Cache-NGX
X-Handled-By
X-Backend-Name
X-NWS-UUID-VERIFY
X-Framework
X-Cluster
X-CSRF-Token
Server-Info
X-VCache
X-IPS-LoggedIn
X-RateLimit-Limit
X-Ua
X-Ua-Device
X-Tumblr-Pixel-1
X-ApacheServer
X-Tumblr-Pixel-2
X-Routing-Service
X-UA-Device-Type
X-AWS-Id
X-RN-RSRV
X-LJ-Flow-ID
X-Via-Fastly
Load-Balancing
X-VWS-Id
X-Path-Route
Meta-Geo
X-UPSTREAM-Address
X-Proxied
X-PERF
Cache
X-Locale
X-Cache-Var-Map
X-FireWall-Port
X-CCM
X-Adobe-Source
X-Cache-Var
X-URL
Cross-Origin-Window-Policy
X-ES-SERVER
X-Zipkin-Id
X-Detected-As
Cache-Hits
DSUID
X-MP-GENERATED-AT
ServedBy
X-Viewer-Country
Mn-Server-Ip
X-Site-Version
NGB
X-Cache-Status-Check
X-Www-Served-By
X-Qloud-Router
X-TX-ID
X-Cache-Remote
X-Real-IP
X-Cache-Config
X-Access
Now
Section-Io-Origin-Status
Section-Io-Id
Section-Io-Origin-Time-Seconds
Section-Origin-Responded
Cache-Name
Cache-Tv-Group
Cleartype
Akamai-GRN
X-Section
X-Redis-Cache
X-NCache
X-PCL
X-R9-Blue-Green-Version
X-Human
X-Web-Node
X-IP
X-Pubstack
X-SayCDN-TTL
X-OCL
X-Storage
X-Say-TTL
X-Say-Cacheable
X-Format
TWC-GeoIP-LatLong
TWC-GeoIP-Country
X-ShopId
TWC-Locale-Group
X-Sorting-Hat-ShopId
X-Sorting-Hat-PodId
X-Shopify-Stage
X-ProxyCache-Key
TWC-Connection-Speed
X-Origin-Hint
TWC-Device-Class
X-Varnish-Cache-Hits
X-PHP-Host
TWC-Privacy
Webcakes-Region
X-ServerID
X-FW-Version
X-Bc-Bl
X-FC-Vary-Parameters
X-EIG-Tracking-Id
X-BYPASS-REASON
X-CS
X-Device-Type
X-ShardId
X-Hosted-By
Webcakes-App-Version
Webcakes-App-Name
X-Labrador-Cache-Channel
X-Cache-Host
Webserver
S-Rt
X-Alternate-Cache-Key
X-Info
X-ProxyCache-Status
Decoy-Debug-Status
Decoy-Debug-Key
Decoy-Debug-TTL
Fastly-SSL
Property-Id
X-Proxy-Build
X-JoinUs
X-Time-Microsecs
X-Cache-Enabled
X-Loop
X-NYM-Debug-Backend
X-SaId
X-Timing-Wait
Origin-Cache-Control
X-Origin
X-TNCMS
X-Hl-Ver
X-FB-TRIP-ID
X-From
X-BCube-Filmed-By
X-Content-Age
Selected-Fe
X-Amzn-Remapped-Content-Length
X-RTag
Ms-Operation-Id
X-Hyper-Cache
DB-Nickname
X-No-Session
X-Unique-Id
X-Generated
X-Geo
Azure-InstanceId
Azure-SlotName
X-APP-VERSION
Ec-Rule-Version
Azure-SiteName
Azure-Version
Azure-RegionName
Apigw-Requestid
X-Cache-2
X-Vcache
X-Cache-TTL-Remaining
X-Urbn-Site-Id
X-Urbn-Context-Path
Locale
X-Presslabs-Stats
X-XRDS-LOCATION
X-Drupal-Cache-Contexts
Origin-Edge-Control
X-Xfnlog-Site
Time
X-EC-Lua
SD-X-WS
X-Goog-Meta-Goog-Reserved-File-Mtime
Country
Geo-Info
X-App-Version
X-Pad
X-RequestSource
X-Source
X-Old-Content-Length
X-Debug-Cache
X-Varnish-Hostname
X-Cluster-Node
Upgrade-Insecure-Requests
X-Soup
X-CDN-Forward
User-Agent
X-Cache-NE
X-Akamai-Request-ID
X-TA-CDN-Provider
X-Backend-TTL
X-Proto
X-Tb
X-RCS-CacheZone
X-SRV
X-Parent-Response-Time
X-Storefront-Renderer-Rendered
X-Cache-Backend
X-Cache-PHP
Proxy-Connection
X-DC
X-App
LB
Cache-Key
X-Cache-Grace
X-NC
X-Proxy-Cache-Status
FilterID
X-Forwarded-Host
X-Origin-CC
X-Origin-TTL
X-CF-Lambda-Fn
X-B-Cookie
X-Dispatch
X-DevSite-Last-Modified
Meta-Geo-Continent
X-CF-Lambda-Version
X-Date
X-External-Request-Id
X-ARC
X-Destination
X-Developer
X-Connection-Hash
X-D
X-Accel-Expires-Debug
MD5-Digest
Machine
Fastcgi-X-Cache-Version
Content-Style-Type
Viewtype
Content-Script-Type
UCS
True-Client-Country-4JS
IsBot
Rendered-Blocks
ServerName
T-Server
FNAC-ModuleRouting
GEO-REGION-INFO
VivaBuild
Who
X-A-Wwc
X-A-Dgt
M-TraceId
X-Aed
X-Magnolia-Registration
N-Cache
X-A-Dcw
X-A-Dam
AsisCache
BehaviorPad-Version
Arc-Country
X-A
X-Geo-Header
X-A-Ccd
X-Application
X-G
X-VG-WebCache
X-Processor
Xc-Version
Mobile-Detection-Method
X-Uri
X-VG-WebServer
X-S
X-PAYTM-SRV-ID
X-SRCache-Key
X-Transaction
X-Response-By
X-FORWARDED-FOR
X-Swa-Ws
X-Rewrite-Enabled
X-Trace-Id
X-Rojux
X-Region-Sid
X-Vtex-Processado-Em
X-NodeID
X-Vtex-Remote-Cache
X-Vdms-Path
X-SD-PageType
X-Trv-Group
X-SIPLIST1
X-Twitter-Response-Tags
X-Scheme
X-ScT
X-Method
X-S-Cookie
X-Nginx-Cache-Key
X-Vdms-Version
Referer-Policy
User-Cache-Control
X-Tumblr-Pixel-3
Web-Mar-Node
X-SN
We-Hiring
V-Age
X-Skip-Cache
Vix-Hermes-Req-Id
Viewport
Sever-Int
X-VC-Cache
Pagetype
Release
On-Server
NM-Fastcgi-Cache
X-User
NGX
X-Varnish-Cacheable
RNT-Machine
RNT-Time
Thinkindot-CacheControl-Type
X-Thinkindot-L3
Thinkindot-Control
Thinkindot-CacheControl
Wxu-Next-Commit
Server-Ext
Server-Host
Server-Hostname
X-Thanos
X-Wikidot-Static-Cache
X-Matched-Rule
X-Logging-Id
X-Loc
X-Device-Os
X-Node-Id
X-Policy
X-Owner
X-Developers
X-Level-Front-Cache
X-SVT-ORM-VERSION
X-Gen-Mode
X-Generated-In
X-Generated-On
X-Hash
X-Hnp-Log
X-SVT-ORM-RULES
X-Dispatcher-Server
X-LAGOON
X-RateLimit-Limit-Second
X-Compress-Hint
X-Generation-Time
X-Agile
X-Agile-Age
X-Wikidot-Backend
X-Servername
Wxu-Next-Region
X-Session-Fingerprint
X-ServiceProvider
X-Worker
X-Reqid
X-Cache-FS-Status
X-RateLimit-Remaining-Second
X-Cms-Context
X-Block-Status
X-Bip
X-Req
X-Backend-State
Wxu-Next-Hostname
X-Agile-Id
Apple-News-Services-Request-Url
Apple-News-Services-Parsed-Url
Apple-News-Services-Host
Apple-News-Services-Handled
Cache-Cookie-Set-From
Cache-Cookie-Set-Idcheck
X-AIR-PT
CDCHOST
CacheControlHeader
Cache-Cookie-Set-Lfrom
Kp-EeAlive
AKAMAI
Magicmarker
Mail-Subject
OT-Force-Account-Verify
X-Hit
X-Ah-Environment
Node
X-Clara-WADP
X-Envoy-Decorator-Operation
X-Cache-Bucket
X-Cluster-Name
X-Distributor
X-Distil-CS
X-Core-Value
X-Cache-Id
X-Core-Mission
X-Cache-Info
X-Clientip
X-Cache-URL
X-CGP
X-Cache-Tags
X-Eu-Site
X-Slack-Backend
X-TH-Server
X-Server-W
X-Request-UUID
X-Rebelmouse-Surrogate-Control
X-TrackingId
X-Var-Ttl
X-WADP-Cache
X-Edge-Location
X-VServer
X-VG-TLSProxy
X-Variation
X-Rebelmouse-Cache-Control
X-Origin-Expires
X-Gzip
X-Has-Esi
X-Fmm-Version
X-BBXSRF
X-Esi-Check
X-Irp-Debug
X-Is-Gdpr
X-NU-AKA-ACS-Version
X-Origin-Date
X-Micro-Cache
X-Location
X-JWT-State
X-Epic-Correlation-Id
X-Request-Host
Fastly-SIE
Rt-Fastcgi-Cache
Fastly-Drupal-HTML
W
C-Via
Platform
Gh-Request-Id
Is-Eu
HA-Ipaddr
Ha-Gx-Prefs
L5d-Success-Class
Adler-Geo
Fastly-SWR
X-Auto-Login
X-Varnish-Beresp-Ttl
X-Srv
Sid
X-Varnish-Beresp-Status
X-Varnish-Beresp-Grace
X-Nc
X-Varnish-Authentication
X-GoCache-CacheStatus
X-Webstats-RespID
X-Fastly-Cache
X-We-Are-Hiring
X-Cache-ASPX
X-Key
Pragrma
X-LI-Proto
X-Contensis-Viewer-Groups
X-Reboot
X-LI-UUID
X-Mvc-Supplant-Cachable
X-Li-Fabric
X-Li-Pop
X-Backend-Host
X-Be
X-ZONE
X-Newrelic-Synthetics
X-BC
X-Wa
Memcached
MIME-Version
GEO-INFO
Cf-Ipcountry
X-Dc
X-Branch-Name
S-Cnection
X-Cache-Debug
X-Configured-By
X-Varnish-URL
Fastly-Backend-Name
HostName
X-Refresh
X-Up
X-Via-CDN
X-Minions-Version
X-Instart-Info
X-Servedbyhost
X-Cdn-Forward
X-Microcachable
X-Nginx-Cache
X-Via-PopH
X-Via-PopV
X-Envoy-Upstream-Healthchecked-Cluster
X-Batcache
X-ElasticPress-Query
X-Platform-Server
X-Client-Ip
X-TT-TIMESTAMP
X-Ms-Request-Id
CACHE
X-Aicache-OS
X-Ms-Version
X-UA
X-B3-Traceid
X-Mvc-Supplant-OutputCached
Memory
X-MSEdge-Flight
X-Sucuri-ID
X-MSEdge-Features
DCR-Decision-By
X-ND-Cache
DCR-Processing-Time-Ms
X-Pjax-Url
X-VCL-Version
NR-ENABLED
Esi-Enabled
WPE-Backend
X-Vgn-Hpd-Reason
X-TIME
NtCoent-Length
X-Debug-Panamera-Host
X-Fastly-Cache-Status
L
X-App-Name
X-PF-Uncompressing
GeoIP-Country-Code
Pramga
Server-ID
X-Debug-Panamera-Sitecode
Powered-By-ChinaCache
HitType
Location
X-Server-IP
X-BACKEND-TTL
Hostname
X-Ratelimit-Reset
X-BE
GeoIP-Latitude
X-COUNTRY
Cache-Host
X-Varnishpool
X-Unique-ID
X-Bc
FSS-Cache
X-Zone
X-GEO
X-FPC
X-Oss-Object-Type
X-LB-ID
Ohc-File-Size
X-Sucuri-Cache
X-Cdn-Srv
X-Oss-Storage-Class
X-Oss-Request-Id
X-CF-Powered-By
X-Svr
X-Oss-Server-Time
X-Oss-Hash-Crc64ecma
Server-Cache-Control
X-Original-Request-Id
X-Generated-By
Server-Surrogate-Control
X-Azure-Ref-OriginShield
X-S-Maxage
X-Check-Cacheable
PFcat
Resin-Trace
Tracecode
Ohc-Response-Time
X-OVcl-Cache
X-OVcl
X-VarnishDD-TTL
X-Vgn-Hpd-Ssi
X-Vgn-Hpd-Cached
X-Instart-Isnd
X-Rocket-Nginx-Bypass
X-Varnish-Ttl
X-Vgn-Hpd-Variations-Key
X-Fastly-Backend-Reqs
X-VCT
Cteonnt-Length
X-Render-Time
X-Platform
X-Fpc
X-Edge-Server
Request-Country
Request-EU
Cdn-Request-Time
Cdn-Host
Heartbleed
X-Fastly-Country-Code
Locid
X-Varnish-Hits
X-VHOST
X-Request-URI
X-CUA
X-PJAX-URL
X-Cache-Expired-At
X-Newrelic-App-Data
X-HS-Status
X-CSRF-TOKEN
CF-Cached-On
GeoIp-Country-Code
Epwk-X-Cache
Lfy
Pics-Label
Geoip-Latitude
SRV
Amp-Access-Control-Allow-Source-Origin
X-Vcl-Version
X-Pf-Uncompressing
X-Gamma-Serve
X-Ratelimit-Remaining
SN
Backend
X-CACHE-AGE
X-CLOUD-TRACE-CONTEXT
Backend-Name
X-RunCloud-Cache
X-Oracle-Dms-Rid
X-Shopify-Generated-Cart-Token
X-Csrf-Jwt
X-ECache
X-CACHE-KEY
X-NGINX-Cache
X-WebServer
X-Via-Popv
X-Via-Poph
WWW-Authenticate
X-Proxy-Upstream
X-Varnish-Url
X-StackifyID
X-ServedByHost
WZWS-RAY
URI
XServer
X-Ratelimit-Limit
X-Amzn-Remapped-Date
X-Amzn-Remapped-Connection
Product
X-Ftr-Cache-Host
CloudFront-Viewer-Country
X-Tec-Api-Origin
X-Sigma-Backend
X-Oss-Cdn-Auth
X-Sigma
X-Rocket-Build-Number
X-Tec-Api-Root
X-Request-Time
My-App
X-Cdn-Origin
X-Fetched-On
X-Nananana
X-Sn-Servicetimems
X-Tec-Api-Version
Mime-Version
X-Debug-Cache-Store
X-GeoIP-Country-Code
X-Debug-Cache-Fetch
A
Host-ID
Lb
X-Cache-Tag
PICS-Label
X-Debug-Cache-Status
X-B3-Spanid
X-Debug-Cache-Bypass
X-Debug-Cache-String
Ohc-Cache-HIT
Dnion-Transfer-Encoding
X-DPWN-IS-SECURE
CF-IPCountry
X-B3-SpanId
Dt-Cache-Category
SID
X-Tb-Optimization-Total-Bytes-Saved
Cloudfront-Viewer-Country
Server-Ttl
X-LiteSpeed-Cache-Control
X-Debug-Ysi-Auth
X-Debug-Xas-Auth
X-Debug-Do-Not-Cache-Uri
X-Cache-Version
X-Apw-Access-Object
X-Acquia-Purge-Tags
X-Acquia-Site
X-Varnish-Beresp-TTL
Cneonction
X-Apw-Hits
X-Acquia-Application-UUID
X-Apw-Access-Token
X-Acquia-Application-Trace
X-Apw-Access-Action
X-IN-APIGATEWAYSSL
Proxy-Firewall
X-IN-APIGATEWAY
Country-Code
X-WA
X-Request-Start
X-SB
Group
X-Dw-Trace-Id
X-VC
FSS-Proxy
X-Swift-Error
X-Html-Edge-Cache
X-ElasticPress-Search
X-Request-URL
X-WR-MODIFICATION
Cdn
Cf-Alt-Svc
Warning
Inserted-Into-Cache-At
X-Served-From
X-Snapshot-Date