Forbidden request header
A forbidden request header is an HTTP header name-value pair that cannot be set or modified programmatically in a request. For headers forbidden to be modified in responses, see forbidden response header name.
Modifying such headers is forbidden because the user agent retains full control over them.
For example, the Date header is a forbidden request header, so this code cannot set the message Date field:
fetch("https://httpbin.org/get", {
  headers: {
    Date: new Date().toUTCString(),
  },
});
Names starting with Sec- are reserved for creating new headers safe from APIs that grant developers control over headers, such as fetch().
Forbidden headers are one of the following:
- Accept-Charset
- Accept-Encoding
- Access-Control-Request-Headers
- Access-Control-Request-Method
- Connection
- Content-Length
- Cookie
- Date
- DNT
- Expect
- Host
- Keep-Alive
- Origin
- Permissions-Policy
- Any header whose name starts with Proxy-
- Any header whose name starts with Sec-
- Referer
- TE
- Trailer
- Transfer-Encoding
- Upgrade
- Via
- X-HTTP-Method, but only when it contains a forbidden method name (CONNECT, TRACE, TRACK)
- X-HTTP-Method-Override, but only when it contains a forbidden method name
- X-Method-Override, but only when it contains a forbidden method name
Note:
The User-Agent header used to be forbidden, but no longer is. However, Chrome still silently drops the header from Fetch requests (see Chromium bug 571722).
Note:
While the Referer header is listed as a forbidden header in the spec, the user agent does not retain full control over it and the header can be programmatically modified. For example, when using fetch(), the Referer header can be programmatically modified via the referrer option.
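The rules above, as an added example that is not part of the original page: a checker that applies the forbidden request header list (exact names, the Proxy-/Sec- prefixes, and the method-override headers that are only forbidden when they carry CONNECT, TRACE or TRACK), as a server-side proxy or a fetch() polyfill might do before forwarding caller-supplied headers. The header names and values it is fed are constructed for the example.

```javascript
// Exact forbidden request header names, compared case-insensitively.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "date", "dnt", "expect", "host", "keep-alive", "origin", "permissions-policy",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
// Any header starting with one of these prefixes is forbidden.
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];
// These are forbidden only when their value names a forbidden method.
const METHOD_OVERRIDE_NAMES = new Set([
  "x-http-method", "x-http-method-override", "x-method-override",
]);
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

// Returns true when a request header with this name/value may not be set
// programmatically. The value is split on commas because an override header
// can carry a list of method tokens.
function isForbiddenRequestHeader(name, value = "") {
  const n = String(name).toLowerCase();
  if (FORBIDDEN_NAMES.has(n)) return true;
  if (FORBIDDEN_PREFIXES.some((p) => n.startsWith(p))) return true;
  if (METHOD_OVERRIDE_NAMES.has(n)) {
    return String(value)
      .split(",")
      .map((token) => token.trim().toUpperCase())
      .some((method) => FORBIDDEN_METHODS.has(method));
  }
  return false;
}

// Splits a plain header object into the headers that may be forwarded and
// the names that were dropped, so the drop can be logged rather than silent.
function sanitizeRequestHeaders(headers) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeader(name, value)) dropped.push(name);
    else kept[name] = value;
  }
  return { kept, dropped };
}

// Constructed sample input: a mix of allowed and forbidden headers.
const sample = {
  "Content-Type": "application/json",
  "User-Agent": "example-client/1.0", // no longer forbidden
  "Date": "Tue, 01 Jan 2030 00:00:00 GMT", // forbidden: user agent owns it
  "Sec-Fetch-Mode": "cors", // forbidden by the Sec- prefix rule
  "X-HTTP-Method-Override": "PATCH", // allowed: PATCH is not a forbidden method
  "X-Method-Override": "get, trace", // forbidden: TRACE in the list
};
console.log(sanitizeRequestHeaders(sample));
```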