A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

Modifying such headers is forbidden because the user agent retains full control over them. Names starting with `Sec-` are reserved for creating new headers that are safe from the APIs that grant developers control over headers, such as Fetch and XMLHttpRequest.

Forbidden header names start with `Proxy-` or `Sec-`, or are one of the following names:

- Accept-Charset
- Accept-Encoding
- Access-Control-Request-Headers
- Access-Control-Request-Method
- Connection
- Content-Length
- Cookie
- Cookie2
- Date
- DNT
- Expect
- Feature-Policy
- Host
- Keep-Alive
- Origin
- Referer
- TE
- Trailer
- Transfer-Encoding
- Upgrade
- Via

Note: The User-Agent header is no longer forbidden, as per spec (see the forbidden header name list; this was implemented in Firefox 43). It can now be set in a Fetch Headers object, or via XHR setRequestHeader(). However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).

Credits: Source: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name, published under the Open CC Attribution ShareAlike 3.0 license.
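The practical consequence of this list is that page script cannot forge headers such as Origin or Cookie, which is what lets a server trust them in CORS and CSRF checks. The following added example (not MDN's code, and not how any browser implements it) models the browser-side filter using exactly the names on this page: forbidden names are dropped silently rather than rejected, matching is case-insensitive, and the Chrome User-Agent quirk from the note is an opt-in flag. The `chromeFetchQuirk` option and the sample header set are constructed for illustration.

```javascript
// Forbidden header names as listed on this page (may lag the current Fetch spec).
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "feature-policy", "host", "keep-alive",
  "origin", "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

// HTTP header names are case-insensitive, so normalise before matching.
function isForbiddenHeaderName(name) {
  const n = String(name).trim().toLowerCase();
  return FORBIDDEN_PREFIXES.some((p) => n.startsWith(p)) || FORBIDDEN_NAMES.has(n);
}

// Models what a browser does with the headers a script asks Fetch/XHR to send:
// forbidden names are silently dropped (no exception), everything else goes out.
// Returns { sent, dropped } so the caller can see what the user agent kept control of.
// `chromeFetchQuirk` is a constructed option modelling the Chromium bug 571722 note.
function applyForbiddenHeaderFilter(headers, { chromeFetchQuirk = false } = {}) {
  const sent = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    // User-Agent is not forbidden per spec, but Chrome drops it from Fetch requests.
    const chromeDrop = chromeFetchQuirk && lower === "user-agent";
    if (isForbiddenHeaderName(name) || chromeDrop) dropped.push(name);
    else sent[lower] = value;
  }
  return { sent, dropped };
}

// Constructed sample: headers a page script might try to attach to a request.
const attempted = {
  "Origin": "https://trusted.example",   // UA-controlled: cannot be spoofed by script
  "Cookie": "session=abc",               // UA-controlled: credentials are not scriptable
  "Sec-Fetch-Mode": "navigate",          // Sec- prefix is reserved for the UA
  "X-Requested-With": "XMLHttpRequest",  // ordinary custom header: sent as given
  "User-Agent": "custom/1.0",            // allowed per spec; dropped only by Chrome Fetch
};

const result = applyForbiddenHeaderFilter(attempted);
console.log("sent:", Object.keys(result.sent), "dropped:", result.dropped);
```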