Too Long; Didn't Read
A forbidden header name is the name of any HTTP header that cannot be modified programmatically. Modifying such headers is forbidden because the user agent retains full control over them. Names starting with 'Sec-` are reserved for creating new headers safe from APIs using Fetch that grant developers control over headers, such as XMLHttpRequest. The User-Agent header is no longer forbidden, as per spec. Chrome will silently drop the header from Fetch requests (see Chromium bug 571722)