Forbidden header name

A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

Modifying such headers is forbidden because the user agent retains full control over them. For example, the Date header is a forbidden header name, so this code cannot set the message Date field:

js
fetch("https://httpbin.org/get", {
  headers: {
    Date: new Date().toUTCString(),
  },
});

Names starting with Sec- are reserved for creating new headers safe from APIs that grant developers control over headers, such as fetch(). Forbidden header names start with Proxy- or Sec-, or are one of the following names:

Note: The User-Agent header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch Headers object, or with the setRequestHeader() method of XMLHttpRequest. However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).

Note: While the Referer header is listed as a forbidden header in the spec, the user agent does not retain full control over it and the header can be programmatically modified. For example, when using fetch(), the Referer header can be programmatically modified via the referrer option.

See also