
Glossary of Security Terms: Forbidden Header Name

@mozilla (Mozilla Contributors)

Mozilla (stylized as moz://a) is a free software community founded in 1998 by members of Netscape.

A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

Modifying such headers is forbidden because the user agent retains full control over them. Names starting with `Sec-` are reserved for creating new headers that stay safe from APIs using Fetch that grant developers control over headers, such as `XMLHttpRequest`.

Forbidden header names start with `Proxy-` or `Sec-`, or are one of the following names:

  • Accept-Charset
  • Accept-Encoding
  • Access-Control-Request-Headers
  • Access-Control-Request-Method
  • Connection
  • Content-Length
  • Cookie
  • Cookie2
  • Date
  • DNT
  • Expect
  • Feature-Policy
  • Host
  • Keep-Alive
  • Origin
  • Proxy-
  • Sec-
  • Referer
  • TE
  • Trailer
  • Transfer-Encoding
  • Upgrade
  • Via
Note: The `User-Agent` header is no longer forbidden, as per spec (see the forbidden header name list; this was implemented in Firefox 43). It can now be set in a Fetch `Headers` object, or via XHR `setRequestHeader()`. However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).
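As an added example (not code from the MDN or Hacker Noon entry), here is a JavaScript implementation of the check this entry describes, with the same list as above, `User-Agent` left out as the note explains, and the Fetch "request guard" behaviour of silently dropping a forbidden name. The function names and the header values are constructed for this illustration.

```javascript
// Added example: a reference implementation of the forbidden request header
// name check described in this entry, not taken from any browser's source.
// Header names are case-insensitive, so comparisons use the lower-cased name.
const FORBIDDEN_REQUEST_HEADER_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'feature-policy', 'host', 'keep-alive',
  'origin', 'referer', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);

// True when page script must not be allowed to set this request header:
// either the name is in the list or it carries a Proxy- or Sec- prefix.
function isForbiddenRequestHeaderName(name) {
  const lower = String(name).toLowerCase();
  return lower.startsWith('proxy-') || lower.startsWith('sec-') ||
    FORBIDDEN_REQUEST_HEADER_NAMES.has(lower);
}

// Mirrors the Fetch "request" header guard: a forbidden name is dropped
// silently rather than throwing. The dropped names are returned too, so a
// developer debugging a request can see why a header never left the browser.
function buildRequestHeaders(wanted) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(wanted)) {
    if (isForbiddenRequestHeaderName(name)) {
      dropped.push(name);
    } else {
      kept[name.toLowerCase()] = value;
    }
  }
  return { kept, dropped };
}

// Constructed input: headers a script might try to send with fetch().
const attempted = {
  'Content-Type': 'application/json',
  'X-Request-Id': 'abc123',
  'Cookie': 'session=abc',              // forbidden: the UA owns the cookie jar
  'Origin': 'https://trusted.example',  // forbidden: the UA sets it truthfully
  'Sec-Fetch-Mode': 'navigate',         // forbidden: Sec- prefix
  'User-Agent': 'custom/1.0',           // allowed per spec (Chrome still drops it)
};

console.log(buildRequestHeaders(attempted));
```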
