A forbidden header name is an HTTP header name that cannot be modified programmatically; specifically, an HTTP request header name.
Contrast with Forbidden response header name.
These are forbidden, so the user agent retains full control over them. Names starting with `Sec-
` are reserved for creating new headers safe from APIs using Fetch that grant developers control over headers, such as XMLHttpRequest
.
Forbidden headers names start with Proxy-
or Sec-
, or consists of one of these:
Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
Cookie
Cookie2
Date
DNT
Expect
Host
Keep-Alive
Origin
Proxy-
Sec-
Referer
TE
Trailer
Transfer-Encoding
Upgrade
Via
Note: The User-Agent
header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43,) so can now be set in a Fetch Headers object, via XHR setRequestHeader(), etc.