Forbidden request header
A forbidden request header is an HTTP header name-value pair that cannot be set or modified programmatically in a request. For headers that must not be modified in responses, see forbidden response header name.
Modifying such headers is forbidden because the user agent retains full control over them.
For example, the Date header is a forbidden request header, so this code cannot set the message Date field:
```js
// The Date header is forbidden, so the user agent silently ignores this
// entry and sends the request without a developer-supplied Date field.
fetch("https://httpbin.org/get", {
  headers: {
    Date: new Date().toUTCString(),
  },
});
```
Names starting with Sec- are reserved for creating new headers that are safe from APIs that grant developers control over headers, such as fetch().
Forbidden headers are one of the following:
- Accept-Charset
- Accept-Encoding
- Access-Control-Request-Headers
- Access-Control-Request-Method
- Connection
- Content-Length
- Cookie
- Date
- DNT
- Expect
- Host
- Keep-Alive
- Origin
- Permissions-Policy
- Proxy-* headers (any header name beginning with Proxy-)
- Sec-* headers (any header name beginning with Sec-)
- Referer
- TE
- Trailer
- Transfer-Encoding
- Upgrade
- Via
- X-HTTP-Method, but only when it contains a forbidden method name (CONNECT, TRACE, TRACK)
- X-HTTP-Method-Override, but only when it contains a forbidden method name
- X-Method-Override, but only when it contains a forbidden method name
Note: The User-Agent header used to be forbidden, but no longer is. However, Chrome still silently drops the header from Fetch requests (see Chromium bug 571722).
Note: While the Referer header is listed as a forbidden header in the spec, the user agent does not retain full control over it and the header can be programmatically modified. For example, when using fetch(), the Referer header can be programmatically modified via the referrer option.
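The list above, including the Proxy-/Sec- prefix rules and the three method-override headers that are forbidden only for CONNECT, TRACE and TRACK, can be expressed as a small checker. This is an added example, not code from the MDN page or from any browser; it is useful for spotting, in review or in a build-time lint, headers a user agent will silently discard. Header names are compared case-insensitively, and the method-override value is treated as a comma-separated list, as the spec does.

```javascript
// Added example: implements the forbidden request header rule from the list above.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "date", "dnt", "expect", "host", "keep-alive", "origin", "permissions-policy",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
// Any header whose name starts with one of these prefixes is forbidden.
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];
// These are forbidden only when their value names a forbidden method.
const METHOD_OVERRIDE_HEADERS = new Set([
  "x-http-method", "x-http-method-override", "x-method-override",
]);
const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

// Returns true when a user agent would refuse to let script set this header.
function isForbiddenRequestHeader(name, value = "") {
  const lower = name.toLowerCase();
  if (FORBIDDEN_NAMES.has(lower)) return true;
  if (FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix))) return true;
  if (METHOD_OVERRIDE_HEADERS.has(lower)) {
    // Value is a comma-separated method list; one forbidden entry taints it.
    return value
      .split(",")
      .map((method) => method.trim().toUpperCase())
      .some((method) => FORBIDDEN_METHODS.has(method));
  }
  return false;
}

// Filters a plain header object down to the entries a user agent would honour,
// mirroring what happens silently inside fetch() for the forbidden ones.
function dropForbiddenHeaders(headers) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!isForbiddenRequestHeader(name, value)) kept[name] = value;
  }
  return kept;
}

// Constructed sample: only X-Custom survives; Date, Sec-Fetch-Site and the
// TRACK override are all forbidden.
const sampleHeaders = {
  Date: new Date().toUTCString(),
  "Sec-Fetch-Site": "same-origin",
  "X-HTTP-Method-Override": "put, TRACK",
  "X-Custom": "1",
};
console.log(dropForbiddenHeaders(sampleHeaders));
```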
See also
- Related glossary terms: