Forbidden header name

A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

Modifying such headers is forbidden because the user agent retains full control over them. Names starting with Sec- are reserved for creating new headers safe from APIs using the fetch algorithm that grant developers control over headers, such as XMLHttpRequest.

Forbidden header names start with Proxy- or Sec-, or are one of the following names:

Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
Cookie
Date
DNT
Expect
Host
Keep-Alive
Origin
Permissions-Policy
Proxy-
Sec-
Referer
TE
Trailer
Transfer-Encoding
Upgrade
Via

Note: The User-Agent header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch Headers object, or with the setRequestHeader() method of XMLHttpRequest. However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).