Forbidden Header Name

April 27, 2023

When transmitting data over the internet, HTTP (Hypertext Transfer Protocol) is the standard protocol used by web servers to communicate with web clients such as browsers. HTTP headers are a crucial part of this communication process as they provide additional information about the data being transmitted. They consist of key-value pairs, where the key specifies the type of information being transmitted and the value provides the actual information.

However, not all header names can be used in HTTP headers, and some are considered forbidden. A forbidden header name is a specific header name that is not allowed to be used in an HTTP header due to security concerns or potential conflicts with other headers.


The list of forbidden header names is defined by the HTTP specification, and its purpose is to prevent security vulnerabilities or conflicts that could occur when using certain header names. The forbidden header names are not allowed to be set by developers because they are either reserved by the browser or have the potential to be misused.

For example, the “Set-Cookie” header is a forbidden header name because it can be used to set cookies, which are small pieces of data that are stored on a user’s computer by a web server. Malicious actors could use this header to set cookies without the user’s consent, which could lead to security breaches or privacy violations.

Another example of a forbidden header name is the “Authorization” header, which is used to send authentication credentials to a server. This header is forbidden because it could be used to transmit sensitive information such as usernames and passwords, which could be intercepted by attackers.


When building web applications, developers need to be aware of the forbidden header names and ensure they are not used in their code. If a forbidden header name is used, the browser will not allow it to be set and will instead throw an error.

Some common forbidden header names include:

  • Accept-Charset
  • Accept-Encoding
  • Access-Control-Request-Headers
  • Access-Control-Request-Method
  • Connection
  • Content-Length
  • Cookie
  • Cookie2
  • Date
  • DNT
  • Expect
  • Host
  • Keep-Alive
  • Origin
  • Referer
  • TE
  • Trailer
  • Transfer-Encoding
  • Upgrade
  • Via

It is important to note that although these headers are forbidden, there are often alternative ways to achieve the desired functionality. For example, instead of using the “Cookie” header, developers can use the “Set-Cookie” header to set cookies on the client-side.


Forbidden header names are an important aspect of web development that developers need to be aware of when building web applications. The use of forbidden header names can lead to security vulnerabilities and potential conflicts with other headers. By following the HTTP specification and avoiding the use of forbidden header names, developers can ensure that their web applications are secure and function correctly.