Glossary of Security Terms: Forbidden Header Name | Hacker Noon

Author profile picture

@mozillaMozilla Contributors

Mozilla (stylized as moz://a) is a free software community founded in 1998 by members of Netscape.

A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

Modifying such headers is forbidden because the user agent retains full control over them. Names starting with

`Sec-`

are reserved for creating new headers safe from APIs using Fetch that grant developers control over headers, such as

XMLHttpRequest

.

Forbidden header names start with

Proxy-

or

Sec-

, or are one of the following names:

Note: The

User-Agent

header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch Headers object, or via XHR setRequestHeader(). However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).

Credits

Author profile picture

Read my stories

Mozilla (stylized as moz://a) is a free software community founded in 1998 by members of Netscape.

Tags

The Noonification banner

Subscribe to get your daily round-up of top tech stories!

read original article here