Forbidden request header
A forbidden request header is an HTTP header name-value pair that cannot be set or modified programmatically in a request. For headers forbidden to be modified in responses, see forbidden response header name.
Modifying such headers is forbidden because the user agent retains full control over them. For example, the Date header is a forbidden request header, so this code cannot set the message Date field:
    fetch("https://httpbin.org/get", {
      headers: {
        Date: new Date().toUTCString(),
      },
    });

Names starting with Sec- are reserved for creating new headers safe from APIs that grant developers control over headers, such as fetch(). Forbidden headers are one of the following:
- Accept-Charset
- Accept-Encoding
- Access-Control-Request-Headers
- Access-Control-Request-Method
- Connection
- Content-Length
- Cookie
- Date
- DNT
- Expect
- Host
- Keep-Alive
- Origin
- Proxy- headers
- Sec- headers
- Referer
- Set-Cookie
- TE
- Trailer
- Transfer-Encoding
- Upgrade
- Via
- X-HTTP-Method, but only when it contains a forbidden method name (CONNECT, TRACE, TRACK)
- X-HTTP-Method-Override, but only when it contains a forbidden method name
- X-Method-Override, but only when it contains a forbidden method name
Note: The User-Agent header used to be forbidden, but no longer is. However, Chrome still silently drops the header from Fetch requests (see Chromium bug 571722).
Note: While the Referer header is listed as a forbidden header in the spec, the user agent does not retain full control over it and the header can be programmatically modified. For example, when using fetch(), the Referer header can be programmatically modified via the referrer option.
Note: Chrome also forbids Access-Control-Request-Private-Network.
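The rules above, implemented as a server-side check (an added example, not MDN's code): it mirrors the header list, the Proxy-/Sec- prefix rule and the method-name condition on the X-HTTP-Method* headers, so a gateway or proxy can refuse header overrides that a browser would never let page script send. The header names and values in SAMPLE_HEADERS are constructed.

```javascript
// Forbidden request header check, modelled on the list on this page.
// Plain names are matched case-insensitively after lowercasing.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length",
  "cookie", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding",
  "upgrade", "via",
]);
// Whole prefixes that are reserved outright.
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];
// Method-override headers are forbidden only when the value names a forbidden method.
const METHOD_OVERRIDE_NAMES = new Set([
  "x-http-method", "x-http-method-override", "x-method-override",
]);
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

function isForbiddenRequestHeader(name, value = "") {
  const lower = name.toLowerCase();
  if (FORBIDDEN_NAMES.has(lower)) return true;
  if (FORBIDDEN_PREFIXES.some((p) => lower.startsWith(p))) return true;
  if (METHOD_OVERRIDE_NAMES.has(lower)) {
    // The value may be a comma-separated list; one forbidden method taints it.
    return value
      .split(",")
      .map((m) => m.trim().toUpperCase())
      .some((m) => FORBIDDEN_METHODS.has(m));
  }
  return false;
}

// Split a plain header object into the entries a gateway may forward
// and the ones it should drop (and log), preserving insertion order.
function sanitizeHeaders(headers) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeader(name, value)) dropped.push(name);
    else kept[name] = value;
  }
  return { kept, dropped };
}

// Constructed sample: headers a script might attempt to attach to a request.
const SAMPLE_HEADERS = {
  "Content-Type": "application/json",
  "Date": "Tue, 01 Jan 2030 00:00:00 GMT",
  "Sec-Custom-Token": "abc",
  "X-HTTP-Method-Override": "trace",
  "X-Method-Override": "PATCH",
};
```

Running sanitizeHeaders(SAMPLE_HEADERS) keeps Content-Type and the PATCH override and drops Date, Sec-Custom-Token and the TRACE override.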