About
A forbidden request header is an HTTP header name-value pair that cannot be set or modified programmatically in a request [1]. Modifying such headers is forbidden because the user agent retains full control over them. For example, Date is a forbidden request header, so the following code cannot set the message's Date field:
```js
// Date is a forbidden request header: the browser drops this entry
// silently (no error is thrown) and the request goes out without it.
fetch("https://httpbin.org/get", {
  headers: {
    Date: new Date().toUTCString(),
  },
});
```
Names starting with Sec- are reserved for creating new headers that are safe from APIs that grant developers control over headers, such as fetch().
Types of forbidden headers
A forbidden header is one of the following:
- Accept-Charset
- Accept-Encoding
- Access-Control-Request-Headers
- Access-Control-Request-Method
- Connection
- Content-Length
- Cookie
- Date
- Do Not Track (DNT) header (deprecated)
- Expect
- Host
- Keep-Alive
- Origin
- Permissions-Policy
- Proxy-* headers
- Sec-* headers
- Referer
- TE
- Trailer
- Transfer-Encoding
- Upgrade
- Via
- X-HTTP-Method, but only when it contains a forbidden method name (CONNECT, TRACE, TRACK)
- X-HTTP-Method-Override, but only when it contains a forbidden method name
- X-Method-Override, but only when it contains a forbidden method name
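The list above is exactly what a browser consults before letting a script set a request header. As an added example (not code from the MDN page or from the author of this note), the following stand-alone function applies the same rules to a plain header map, which is useful for auditing a client library or a request-rewriting proxy outside the browser, where fetch() does not enforce them. The names and the `proxy-`/`sec-` prefixes come from the list; the handling of the method-override headers assumes, as the Fetch specification does, that the value is split on commas and each part compared case-insensitively against CONNECT, TRACE and TRACK. The sample header map is constructed for the demonstration.

```javascript
// Added example: reference implementation of the forbidden request header
// rules listed on this page. Browsers apply these inside fetch() and
// XMLHttpRequest; this version lets you check a header map anywhere.

// Header names that are always forbidden (matched case-insensitively).
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "date", "dnt", "expect", "host", "keep-alive", "origin", "permissions-policy",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

// Names that are forbidden only when the value names a forbidden method.
const METHOD_OVERRIDE_HEADERS = new Set([
  "x-http-method", "x-http-method-override", "x-method-override",
]);
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

// Returns true when a browser would refuse to let a script set this header.
function isForbiddenRequestHeader(name, value = "") {
  const lower = String(name).toLowerCase();
  if (FORBIDDEN_HEADER_NAMES.has(lower)) return true;
  if (lower.startsWith("proxy-") || lower.startsWith("sec-")) return true;
  if (METHOD_OVERRIDE_HEADERS.has(lower)) {
    // Assumption (from the Fetch spec): the value may list several methods
    // separated by commas; any forbidden one makes the header forbidden.
    return String(value)
      .split(",")
      .map((method) => method.trim().toUpperCase())
      .some((method) => FORBIDDEN_METHODS.has(method));
  }
  return false;
}

// Splits a header map into the entries a browser would send and the
// names it would silently drop, preserving the original order.
function filterRequestHeaders(headers) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeader(name, value)) {
      dropped.push(name);
    } else {
      kept[name] = value;
    }
  }
  return { kept, dropped };
}

// Constructed sample: the Date header from the snippet above plus a few
// others covering the prefix rule and the method-override rule.
const sampleHeaders = {
  "Content-Type": "application/json",
  Date: new Date().toUTCString(),
  "Sec-Fetch-Site": "cross-site",
  "X-HTTP-Method-Override": "TRACE",
  "X-Custom-Header": "ok",
};

console.log(filterRequestHeaders(sampleHeaders));
// dropped: Date, Sec-Fetch-Site, X-HTTP-Method-Override
```

Running the block prints the two kept headers (Content-Type and X-Custom-Header) and the three dropped names. Note that X-HTTP-Method-Override with a value such as PATCH is allowed; only the three forbidden method names trigger the rule, so a server that honours override headers should still validate the method it is asked to switch to.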
Anki
Links
References
[1] MDN, "Forbidden request header". Available at: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_request_header (Accessed: ).