Glossary of Security Terms: Forbidden Header Name

A forbidden header name is the name of any that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a ).

Modifying such headers is forbidden because the user agent retains full control over them. Names starting with

`Sec-`

Forbidden header names start with

Proxy-

Sec-

• Accept-Charset

• Accept-Encoding

• Access-Control-Request-Headers

• Access-Control-Request-Method

• Connection

• Content-Length

• Cookie

• Cookie2

• Date

• DNT

• Expect

• Feature-Policy

• Host

• Keep-Alive

• Origin

• Proxy-

• Sec-

• Referer

• TE

• Trailer

• Transfer-Encoding

• Upgrade

• Via

Note: The

User-Agent

header is no longer forbidden, — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch object, or via XHR . However, Chrome will silently drop the header from Fetch requests (see ).

View Previous Terms:

• Block cipher mode of operation
• Certificate authority
• Challenge-response authentication
• Cipher
• Cipher suite
• Ciphertext
• CORS
• CORS-safelisted request header
• CORS-safelisted response header
• Cross-site scripting
• Cryptanalysis
• Cryptographic hash function
• Cryptography
• CSP
• CSRF
• Decryption
• Digital certificate
• DTLS (Datagram Transport Layer Security)
• Encryption
• Forbidden response header name
• Hash
• HMAC
• HPKP
• HSTS
• HTTPS
• Key
• MitM
• OWASP
• Preflight request
• Public-key cryptography
• Reporting directive
• Robots.txt
• Same-origin policy
• Session Hijacking
• SQL Injection
• Symmetric-key cryptography
• TOFU
• Transport Layer Security (TLS)

Credits

• Source:
• Published under Open CC Attribution ShareAlike 3.0 license