Modifying such headers is forbidden because the user agent retains full control over them. Names starting with
Sec- are reserved for creating new headers safe from APIs that grant developers control over headers, such as
Forbidden header names start with
Sec-, or are one of the following names:
The User-Agent header is no longer forbidden, as per spec (see the forbidden header name list; this was implemented in Firefox 43). It can now be set in a Fetch Headers object, or with the setRequestHeader() method of
XMLHttpRequest. However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).
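The guard described above, modelled as an added JavaScript example (not code from the original page or from any browser): names are compared case-insensitively, forbidden names are dropped without an exception, and User-Agent passes as the spec now allows. The names SAMPLE_FORBIDDEN_NAMES, isForbiddenRequestHeader and applyRequestGuard are hypothetical, and the exact-name set is a partial sample from the Fetch specification's list, not the complete list.

```javascript
// Added illustration: a model of the user agent's guard on script-set request headers.
// Assumption: a partial sample of exact names from the Fetch specification's
// forbidden list; the complete list is not reproduced here.
const SAMPLE_FORBIDDEN_NAMES = new Set([
  "cookie", "host", "origin", "referer", "content-length",
]);

// Header names are case-insensitive, so normalise before comparing.
// Only the literal "sec-" prefix is reserved; "Security-Token" is not affected.
function isForbiddenRequestHeader(name) {
  const n = String(name).trim().toLowerCase();
  return n.startsWith("sec-") || SAMPLE_FORBIDDEN_NAMES.has(n);
}

// Mimics what happens when page script supplies headers: forbidden names are
// ignored without an error, so the only way to notice is to compare the
// requested headers with the effective ones.
function applyRequestGuard(requested) {
  const sent = {};
  const dropped = [];
  for (const [name, value] of Object.entries(requested)) {
    if (isForbiddenRequestHeader(name)) {
      dropped.push(name);
    } else {
      sent[name.toLowerCase()] = value;
    }
  }
  return { sent, dropped };
}

// Constructed input: headers a page script asks to send.
const result = applyRequestGuard({
  "X-Request-Id": "abc123",
  "SEC-Fetch-Site": "same-origin", // reserved prefix, any letter case
  "Cookie": "session=forged",      // exact-name match
  "User-Agent": "custom-client/1.0", // allowed by the spec
  "Security-Token": "t0k3n",       // not a Sec- name
});
console.log(result);
```

Because script cannot set Sec- names, a server can treat a Sec- request header from a browser as set by the user agent rather than by page code; non-browser clients are not bound by this guard.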
Forbidden response header name (Glossary)