Glossary of Security Terms: Forbidden Header Name

A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

Modifying such headers is forbidden because the user agent retains full control over them. Names starting with

`Sec-`

XMLHttpRequest

Forbidden header names start with

Proxy-

Sec-

• Accept-Charset

• Accept-Encoding

• Access-Control-Request-Headers

• Access-Control-Request-Method

• Connection

• Content-Length

• Cookie

• Cookie2

• Date

• DNT

• Expect

• Feature-Policy

• Host

• Keep-Alive

• Origin

• Proxy-

• Sec-

• Referer

• TE

• Trailer

• Transfer-Encoding

• Upgrade

• Via

Note: The

User-Agent

header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch Headers object, or via XHR setRequestHeader(). However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).

View Previous Terms:

• Block cipher mode of operation
• Certificate authority
• Challenge-response authentication
• Cipher
• Cipher suite
• Ciphertext
• CORS
• CORS-safelisted request header
• CORS-safelisted response header
• Cross-site scripting
• Cryptanalysis
• Cryptographic hash function
• Cryptography
• CSP
• CSRF
• Decryption
• Digital certificate
• DTLS (Datagram Transport Layer Security)
• Encryption
• Forbidden response header name
• Hash
• HMAC
• HPKP
• HSTS
• HTTPS
• Key
• MitM
• OWASP
• Preflight request
• Public-key cryptography
• Reporting directive
• Robots.txt
• Same-origin policy
• Session Hijacking
• SQL Injection
• Symmetric-key cryptography
• TOFU
• Transport Layer Security (TLS)

Credits

• Source: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
• Published under Open CC Attribution ShareAlike 3.0 license