Forbidden header name
A forbidden header name is the name of an HTTP request header that cannot be modified programmatically by script (in contrast with a forbidden response header name). Modifying such headers is forbidden because the user agent retains full control over them: the browser, not the page, decides what they contain, so a script cannot spoof values that servers rely on.
For example, Date is a forbidden header name, so the following code cannot set the message's Date field. No error is thrown; the entry is ignored:
fetch("https://httpbin.org/get", {
  headers: {
    Date: new Date().toUTCString(), // Date is a forbidden request header: ignored, not sent
  },
});
Names starting with Sec- are reserved for creating new headers that are safe from APIs that grant developers control over headers, such as fetch(). This is what lets a server trust headers such as Sec-Fetch-Site: a page cannot forge them.
Forbidden header names start with Proxy- or Sec-, or are one of the following names:
- Accept-Encoding
- Access-Control-Request-Headers
- Access-Control-Request-Method
- Connection
- Content-Length
- Cookie
- Date
- DNT
- Expect
- Host
- Keep-Alive
- Origin
- Permissions-Policy
- Proxy-* headers
- Sec-* headers
- Referer
- TE
- Trailer
- Transfer-Encoding
- Upgrade
- Via
Note: The User-Agent header is no longer forbidden, as per the spec's forbidden header name list (implemented in Firefox 43). It can now be set in a Fetch Headers object, or with the setRequestHeader() method of XMLHttpRequest. However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).
Note: While the Referer header is listed as a forbidden header in the spec, the user agent does not retain full control over it and the header can be programmatically modified. For example, when using fetch(), the Referer header can be set via the referrer option rather than through headers.
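As an added example (not code from this page or the Fetch spec), the following helper applies the rule described above, the forbidden-name list, the Proxy- and Sec- prefixes, and the Referer special case, on the client side before calling fetch(), so that a header the browser would silently drop is reported instead of vanishing. The function names isForbiddenRequestHeader and buildFetchInit, and the sample header map at the bottom, are assumptions for illustration.

```javascript
// Added example: enforce the forbidden-request-header rule before fetch().
// Names are compared case-insensitively, as the spec requires.
const FORBIDDEN_REQUEST_HEADERS = new Set([
  "accept-encoding", "access-control-request-headers", "access-control-request-method",
  "connection", "content-length", "cookie", "date", "dnt", "expect", "host",
  "keep-alive", "origin", "permissions-policy", "referer", "te", "trailer",
  "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// True if a browser would refuse to let script set this request header.
function isForbiddenRequestHeader(name) {
  const n = String(name).toLowerCase();
  return FORBIDDEN_REQUEST_HEADERS.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Build a fetch() init object from a desired header map (assumed shape: { name: value }).
// Allowed names go into `headers`; Referer is routed to the `referrer` init option,
// which is the supported way to influence it; every other forbidden name is reported
// in `rejected` so the caller learns about the drop instead of debugging a missing header.
function buildFetchInit(desiredHeaders, init = {}) {
  const headers = new Headers(init.headers);
  const rejected = [];
  const result = { ...init };
  for (const [name, value] of Object.entries(desiredHeaders)) {
    if (name.toLowerCase() === "referer") {
      result.referrer = value;
    } else if (isForbiddenRequestHeader(name)) {
      rejected.push(name);
    } else {
      headers.set(name, value);
    }
  }
  result.headers = headers;
  return { init: result, rejected };
}

// Constructed sample input: a mix of allowed, forbidden and Referer entries.
const sampleHeaders = {
  "X-Request-Id": "abc123",
  "Sec-Fetch-Mode": "cors",          // forbidden: Sec- prefix
  Referer: "https://example.com/page", // routed to init.referrer
  "Content-Length": "0",             // forbidden: fixed list
};
const { init, rejected } = buildFetchInit(sampleHeaders);
console.log("rejected:", rejected, "referrer:", init.referrer);
// Pass `init` to fetch(url, init) in a browser; no request is made here.
```

The referrer option is still subject to the request's referrer policy, and the spec only honours a referrer URL whose origin is the same as the calling script's; a cross-origin value is replaced with the default ("client"), so the helper's routing makes the header settable, not freely forgeable.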
See also
- Related glossary terms: