Modifying such headers is forbidden because the user agent retains full control over them. Names starting with `Sec-` are reserved for creating new headers that are safe from APIs that grant developers control over headers, such as `fetch()`.

Forbidden header names start with `Proxy-` or `Sec-`, or are one of the following names:
- `Accept-Charset`
- `Accept-Encoding`
- `Access-Control-Request-Headers`
- `Access-Control-Request-Method`
- `Connection`
- `Content-Length`
- `Cookie`
- `Date`
- `DNT`
- `Expect`
- `Host`
- `Keep-Alive`
- `Origin`
- `Permissions-Policy`
- `Proxy-`
- `Sec-`
- `Referer`
- `TE`
- `Trailer`
- `Transfer-Encoding`
- `Upgrade`
- `Via`
**Note:** The `User-Agent` header is no longer forbidden, as per the spec's forbidden header name list (this was implemented in Firefox 43). It can now be set in a Fetch `Headers` object, or with the `setRequestHeader()` method of `XMLHttpRequest`. However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).
**Note:** While the `Referer` header is listed as a forbidden header in the spec, the user agent does not retain full control over it and the header can be programmatically modified. For example, when using `fetch()`, the `Referer` header can be programmatically modified via the `referrer` option.
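The following is an added example, not code from MDN or from any browser: a JavaScript function that applies the forbidden request-header rule described above (the `Proxy-`/`Sec-` prefix rules plus the fixed list, matched case-insensitively) and partitions a headers object the way a user agent would before sending a `fetch()` request. The sample headers and the function names are constructed for illustration.

```javascript
// Added example mirroring the forbidden request-header rule above.
// Names from the list, lower-cased because header names are case-insensitive.
const FORBIDDEN_REQUEST_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "date", "dnt", "expect", "host", "keep-alive", "origin", "permissions-policy",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

// True when a user agent would refuse to let script set this header:
// either a reserved prefix (Proxy-, Sec-) or one of the fixed names.
function isForbiddenRequestHeader(name) {
  const n = String(name).trim().toLowerCase();
  return n.startsWith("proxy-") || n.startsWith("sec-") ||
    FORBIDDEN_REQUEST_HEADER_NAMES.has(n);
}

// Split a plain headers object (as passed in a fetch() init) into the
// entries a browser keeps and the entries it silently drops.
function partitionRequestHeaders(headers) {
  const kept = {};
  const dropped = {};
  for (const [name, value] of Object.entries(headers)) {
    (isForbiddenRequestHeader(name) ? dropped : kept)[name] = value;
  }
  return { kept, dropped };
}

// Constructed sample: headers a script might try to attach to a request.
const attempted = {
  "Content-Type": "application/json",
  "User-Agent": "example-client/1.0", // no longer forbidden per spec
  Cookie: "session=abc",              // forbidden: the user agent owns it
  "Sec-Fetch-Mode": "navigate",       // forbidden: Sec- prefix
  "Proxy-Authorization": "placeholder", // forbidden: Proxy- prefix
  Referer: "https://example.com/",    // forbidden as a header; use the
                                      // fetch() `referrer` option instead
};
const result = partitionRequestHeaders(attempted);
console.log("kept:", Object.keys(result.kept).join(", "));
console.log("dropped:", Object.keys(result.dropped).join(", "));
```
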
See also

- Forbidden response header name (Glossary)