A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a forbidden response header name).
Modifying such headers is forbidden because the user agent retains full control over them. Names starting with Sec- are reserved for creating new headers that are safe from APIs that grant developers control over headers, such as fetch().
Forbidden header names start with Proxy- or Sec-, or are one of the following names:
Note: The User-Agent header is no longer forbidden, as per the spec (see the forbidden header name list; this was implemented in Firefox 43). It can now be set in a Fetch Headers object, or with the setRequestHeader() method of XMLHttpRequest. However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).
Note: While the Referer header is listed as a forbidden header in the spec, the user agent does not retain full control over it and the header can be programmatically modified. For example, when using fetch(), the Referer header can be programmatically modified via the referrer option.
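The practical consequence of the notes above is that neither Headers nor fetch() throws when handed a forbidden name: the header is dropped silently, so the only dependable check is to set it and read it back. The following is an added example, not code from the MDN page or from any browser vendor. It assumes a runtime with the global Headers and Request classes (modern browsers, Node 18 and later); the names X-Custom, Sec-Probe and the example.com URLs are made up for the demonstration, and the spec's fixed list of individually forbidden names is deliberately not reproduced, only the Proxy-/Sec- prefix rule stated on this page.

```javascript
// Added example (not from the MDN page): probing forbidden request header
// names at runtime. Forbidden names are dropped silently rather than
// rejected, so set-then-read-back is the only reliable test.

// Prefix rule from this page: any name beginning with Proxy- or Sec- is
// forbidden. Header names compare case-insensitively. The spec also has a
// fixed list of individual forbidden names, which is not reproduced here.
const FORBIDDEN_PREFIXES = ['proxy-', 'sec-'];

function hasForbiddenPrefix(name) {
  const lower = String(name).toLowerCase();
  return FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Set a header on a fresh Headers object and read it back.
// Returns true only if this runtime kept the header.
function headerSurvives(name, value) {
  const headers = new Headers();
  headers.set(name, value);
  return headers.get(name) === value;
}

// Probe a batch of candidate names. In a browser, forbidden names come back
// false. Node does not implement the forbidden-name filter, so there every
// well-formed name comes back true; run the probe where the request will
// actually be sent.
function probeHeaders(names) {
  return Object.fromEntries(names.map((n) => [n, headerSurvives(n, 'probe')]));
}

// Referer is forbidden as a header name, but it can still be influenced
// through the fetch()/Request referrer option (assumed URLs). The browser
// derives the header that goes on the wire from this value, subject to the
// referrer policy in effect.
function requestWithReferrer(url, referrerUrl) {
  return new Request(url, { referrer: referrerUrl });
}

// Stand-alone run: compare the output in a browser console with Node.
console.log(probeHeaders([
  'X-Custom', 'Sec-Probe', 'Proxy-Authorization', 'Cookie', 'User-Agent',
]));
console.log(hasForbiddenPrefix('Sec-Probe'), hasForbiddenPrefix('X-Custom'));
console.log(requestWithReferrer(
  'https://example.com/api', 'https://example.com/page').referrer);
```

Pasting the block into a browser devtools console is the informative run: Sec-Probe and Proxy-Authorization report false, while X-Custom reports true and User-Agent reports true or false depending on the browser, which is exactly the cross-browser divergence the note about Chromium bug 571722 describes. Treat a false result as "the user agent owns this header", not as an error condition you can work around.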