A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).
Modifying such headers is forbidden because the user agent retains full control over them. Names starting with
`Sec-`XMLHttpRequestForbidden header names start with
Proxy-Sec-Accept-CharsetAccept-EncodingAccess-Control-Request-HeadersAccess-Control-Request-MethodConnectionContent-LengthCookieCookie2DateDNTExpectFeature-PolicyHostKeep-AliveOriginProxy-Sec-RefererTETrailerTransfer-EncodingUpgradeVia
Note: Theheader is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch Headers object, or via XHR setRequestHeader(). However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).User-Agent
View Previous Terms:
- Block cipher mode of operation
- Certificate authority
- Challenge-response authentication
- Cipher
- Cipher suite
- Ciphertext
- CORS
- CORS-safelisted request header
- CORS-safelisted response header
- Cross-site scripting
- Cryptanalysis
- Cryptographic hash function
- Cryptography
- CSP
- CSRF
- Decryption
- Digital certificate
- DTLS (Datagram Transport Layer Security)
- Encryption
- Forbidden response header name
- Hash
- HMAC
- HPKP
- HSTS
- HTTPS
- Key
- MitM
- OWASP
- Preflight request
- Public-key cryptography
- Reporting directive
- Robots.txt
- Same-origin policy
- Session Hijacking
- SQL Injection
- Symmetric-key cryptography
- TOFU
- Transport Layer Security (TLS)
Credits
- Source: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name
- Published under Open CC Attribution ShareAlike 3.0 license