Glossary of Security Terms: Forbidden Header Name

A forbidden header name is the name of any HTTP header that cannot be modified programmatically. Modifying such headers is forbidden because the user agent retains full control over them. Names starting with `Sec-` are reserved for creating new headers safe from APIs using Fetch that grant developers control over headers, such as XMLHttpRequest. The User-Agent header is no longer forbidden, as per spec. Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).

@mozilla Mozilla Contributors

Mozilla (stylized as moz://a) is a free software community founded in 1998 by members of Netscape.

A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

Modifying such headers is forbidden because the user agent retains full control over them. Names starting with `Sec-` are reserved for creating new headers safe from APIs using Fetch that grant developers control over headers, such as `XMLHttpRequest`.

Forbidden header names start with `Proxy-` or `Sec-`, or are one of the following names:

  • Accept-Charset
  • Accept-Encoding
  • Access-Control-Request-Headers
  • Access-Control-Request-Method
  • Connection
  • Content-Length
  • Cookie
  • Cookie2
  • Date
  • DNT
  • Expect
  • Feature-Policy
  • Host
  • Keep-Alive
  • Origin
  • Proxy-
  • Sec-
  • Referer
  • TE
  • Trailer
  • Transfer-Encoding
  • Upgrade
  • Via

Note: The `User-Agent` header is no longer forbidden, as per spec (see forbidden header name list; this was implemented in Firefox 43). It can now be set in a Fetch Headers object, or via XHR setRequestHeader(). However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).
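
As an added example (not part of the original glossary entry), the following JavaScript checks a set of request headers against the list above before they are handed to Fetch or `XMLHttpRequest`, so that headers the user agent will not let script set are caught in review or CI. `auditRequestHeaders` and the sample values are hypothetical; the `unreliable` bucket reflects the Chrome behaviour for `User-Agent` described in the note.

```javascript
// Added example: classify request headers against the list on this page.
// The names are copied from the page; the current spec list may differ.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "feature-policy", "host", "keep-alive",
  "origin", "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// Header names are case-insensitive, so compare in lower case.
function isForbiddenHeaderName(name) {
  const n = String(name).trim().toLowerCase();
  return FORBIDDEN_NAMES.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Hypothetical helper: accepts a plain object or an array of [name, value]
// pairs and reports what page script can expect to control.
function auditRequestHeaders(init) {
  const pairs = Array.isArray(init) ? init : Object.entries(init);
  const report = { settable: [], forbidden: [], unreliable: [] };
  for (const [name] of pairs) {
    if (isForbiddenHeaderName(name)) {
      report.forbidden.push(name);   // the user agent keeps control of these
    } else if (String(name).trim().toLowerCase() === "user-agent") {
      report.unreliable.push(name);  // allowed by spec, dropped by Chrome (per the page)
    } else {
      report.settable.push(name);
    }
  }
  return report;
}

// Constructed sample input: headers a client-side script tries to set.
const sample = {
  "Content-Type": "application/json",
  "X-Request-Id": "constructed-1234",
  "cookie": "session=constructed",
  "Sec-Fetch-Site": "same-origin",
  "Proxy-Authorization": "Basic constructed",
  "User-Agent": "constructed-client/1.0",
  "Secret-Token": "constructed", // starts with "Sec" but not "Sec-"
};
console.log(auditRequestHeaders(sample));
```

Because the match is on the full `Sec-` and `Proxy-` prefixes, a name such as `Secret-Token` is reported as settable, while `Sec-Fetch-Site` is not.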
