paint-brush
Glossary of Security Terms: Forbidden Header Nameby@mozilla
792 reads
792 reads

Glossary of Security Terms: Forbidden Header Name

by Mozilla ContributorsAugust 31st, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

A forbidden header name is the name of any HTTP header that cannot be modified programmatically. Modifying such headers is forbidden because the user agent retains full control over them. Names starting with 'Sec-` are reserved for creating new headers safe from APIs using Fetch that grant developers control over headers, such as XMLHttpRequest. The User-Agent header is no longer forbidden, as per spec. Chrome will silently drop the header from Fetch requests (see Chromium bug 571722)

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Glossary of Security Terms: Forbidden Header Name
Mozilla Contributors HackerNoon profile picture

A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

Modifying such headers is forbidden because the user agent retains full control over them. Names starting with

`Sec-`
are reserved for creating new headers safe from APIs using Fetch that grant developers control over headers, such as
XMLHttpRequest
.

Forbidden header names start with

Proxy-
or
Sec-
, or are one of the following names:

  • Accept-Charset
  • Accept-Encoding
  • Access-Control-Request-Headers
  • Access-Control-Request-Method
  • Connection
  • Content-Length
  • Cookie
  • Cookie2
  • Date
  • DNT
  • Expect
  • Feature-Policy
  • Host
  • Keep-Alive
  • Origin
  • Proxy-
  • Sec-
  • Referer
  • TE
  • Trailer
  • Transfer-Encoding
  • Upgrade
  • Via
Note: The
User-Agent
header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch Headers object, or via XHR setRequestHeader(). However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).

View Previous Terms: