Merged
1 change: 1 addition & 0 deletions files/en-us/_redirects.txt
Expand Up @@ -3566,6 +3566,7 @@
/en-US/docs/Glossary/Empty_element /en-US/docs/Glossary/Void_element
/en-US/docs/Glossary/Error /en-US/docs/Glossary/Exception
/en-US/docs/Glossary/First_interactive /en-US/docs/Glossary/First_CPU_idle
/en-US/docs/Glossary/Forbidden_header_name /en-US/docs/Glossary/Forbidden_request_header
/en-US/docs/Glossary/GZip /en-US/docs/Glossary/gzip_compression
/en-US/docs/Glossary/Global_attribute /en-US/docs/Web/HTML/Global_attributes
/en-US/docs/Glossary/Grid_Rows /en-US/docs/Glossary/Grid_Row
2 changes: 1 addition & 1 deletion files/en-us/_wikihistory.json
Expand Up @@ -2367,7 +2367,7 @@
"rachelandrew"
]
},
"Glossary/Forbidden_header_name": {
"Glossary/Forbidden_request_header": {
"modified": "2020-06-17T22:05:57.083Z",
"contributors": [
"s.zeid",
Expand Up @@ -33,5 +33,5 @@ CORS-safelisted headers must also fulfill the following requirements in order to

- Related glossary terms:
- {{Glossary("CORS-safelisted response header")}}
- {{Glossary("Forbidden header name")}}
- {{Glossary("Forbidden request header")}}
- {{Glossary("Request header")}}
Expand Up @@ -40,5 +40,5 @@ Access-Control-Expose-Headers: X-Custom-Header, Content-Encoding
- Related glossary terms:
- {{Glossary("CORS")}}
- {{Glossary("CORS-safelisted_request_header", "CORS-safelisted request header")}}
- {{Glossary("Forbidden header name")}}
- {{Glossary("Forbidden request header")}}
- {{Glossary("Request header")}}
Expand Up @@ -10,7 +10,7 @@ A **fetch metadata request header** is an {{Glossary("Request header", "HTTP req

With this information a server can implement a resource isolation policy, allowing external sites to request only those resources that are intended for sharing, and that are used appropriately. This approach can help mitigate common cross-site web vulnerabilities such as {{Glossary("CSRF")}}, Cross-site Script Inclusion (XSSI), timing attacks, and cross-origin information leaks.

These headers are prefixed with `Sec-`, and hence have {{Glossary("Forbidden header name", "forbidden header names")}}. As such, they cannot be modified from JavaScript.
These headers are prefixed with `Sec-`, and hence are {{Glossary("Forbidden request header", "forbidden request headers")}}. As such, they cannot be modified from JavaScript.

The fetch metadata request headers are:

@@ -1,15 +1,15 @@
---
title: Forbidden header name
slug: Glossary/Forbidden_header_name
title: Forbidden request header
slug: Glossary/Forbidden_request_header
page-type: glossary-definition
---

{{GlossarySidebar}}

A **forbidden header name** is the name of any [HTTP header](/en-US/docs/Web/HTTP/Headers) that cannot be modified programmatically; specifically, an HTTP **request** header name (in contrast with a {{Glossary("Forbidden response header name")}}).
A **forbidden request header** is an [HTTP header](/en-US/docs/Web/HTTP/Headers) name-value pair that cannot be set of modified programmatically in a request. For headers forbidden to be modified in responses, see {{Glossary("forbidden response header name")}}.

Modifying such headers is forbidden because the user agent retains full control over them.
For example, the {{HTTPHeader("Date")}} header is a forbidden header name, so this code cannot set the message `Date` field:
For example, the {{HTTPHeader("Date")}} header is a forbidden request header, so this code cannot set the message `Date` field:

```js example-bad
fetch("https://httpbin.org/get", {
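Review bot: typo in the new definition line: "cannot be set of modified programmatically" should read "cannot be set or modified programmatically". While touching that line, "an HTTP header name-value pair" is slightly misleading, because a request header is forbidden by its name alone except for the `X-HTTP-Method*` entries added further down, where the value decides; "an HTTP header that cannot be set or modified programmatically in a request" is simpler and still covers both cases. The macro argument in `{{Glossary("forbidden response header name")}}` is lowercase here while every other `Glossary` call in this PR title-cases the term; keep it consistent.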
Expand All @@ -20,8 +20,9 @@ fetch("https://httpbin.org/get", {
```

Names starting with `Sec-` are reserved for creating new headers safe from {{glossary("API","APIs")}} that grant developers control over headers, such as {{domxref("Window/fetch", "fetch()")}}.
Forbidden header names start with `Proxy-` or `Sec-`, or are one of the following names:
Forbidden headers are one of the following:

- {{HTTPHeader("Accept-Charset")}}
- {{HTTPHeader("Accept-Encoding")}}
- {{HTTPHeader("Access-Control-Request-Headers")}}
- {{HTTPHeader("Access-Control-Request-Method")}}
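Review bot: the replacement line "Forbidden headers are one of the following:" drops the `Proxy-` / `Sec-` prefix rule that the removed line carried, and the sentence just above it still says that `Sec-` names are reserved for exactly this purpose. Unless the two prefixes were re-added as entries in the collapsed part of the list, the page no longer states that any request header whose name starts with `Proxy-` or `Sec-` is forbidden. Suggest: "Forbidden request headers are those whose name starts with `Proxy-` or `Sec-`, or that are one of the following:", which also uses the page's new term instead of the bare "Forbidden headers".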
Expand All @@ -43,9 +44,12 @@ Forbidden header names start with `Proxy-` or `Sec-`, or are one of the followin
- {{HTTPHeader("Transfer-Encoding")}}
- {{HTTPHeader("Upgrade")}}
- {{HTTPHeader("Via")}}
- `X-HTTP-Method`, but only when it contains a forbidden method name ({{HTTPMethod("CONNECT")}}, {{HTTPMethod("TRACE")}}, {{HTTPMethod("TRACK")}})
- `X-HTTP-Method-Override`, but only when it contains a forbidden method name
- `X-Method-Override`, but only when it contains a forbidden method name

> [!NOTE]
> The {{HTTPHeader("User-Agent")}} header is no longer forbidden, [as per spec](https://fetch.spec.whatwg.org/#terminology-headers) — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch [Headers](/en-US/docs/Web/API/Headers) object, or with the [setRequestHeader()](/en-US/docs/Web/API/XMLHttpRequest/setRequestHeader) method of `XMLHttpRequest`. However, Chrome will silently drop the header from Fetch requests (see [Chromium bug 571722](https://crbug.com/571722)).
> The {{HTTPHeader("User-Agent")}} header used to be forbidden, but no longer is. However, Chrome still silently drops the header from Fetch requests (see [Chromium bug 571722](https://crbug.com/571722)).

> [!NOTE]
> While the {{HTTPHeader("Referer")}} header is listed as a forbidden header [in the spec](https://fetch.spec.whatwg.org/#forbidden-request-header), the user agent does not retain full control over it and the header can be programmatically modified. For example, when using [`fetch()`](/en-US/docs/Web/API/Window/fetch), the {{HTTPHeader("Referer")}} header can be programmatically modified via the [`referrer` option](/en-US/docs/Web/API/RequestInit#referrer).
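Review bot: `{{HTTPMethod("TRACK")}}` in the new `X-HTTP-Method` entry will render as a dead link, since MDN has no reference page for TRACK (a non-standard legacy method, unlike CONNECT and TRACE); write it as plain `TRACK` and keep the macros for the other two. The set of forbidden methods itself (CONNECT, TRACE, TRACK) is correct. Separately, the rewritten `User-Agent` note is shorter but no longer links to the spec's header terminology nor says where the header can now be set (a Fetch `Headers` object or `XMLHttpRequest.setRequestHeader()`); the Firefox 43 release note in this PR still carries that detail, so at minimum keep the spec link here.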
Expand Up @@ -12,4 +12,4 @@ A _forbidden response header name_ is an [HTTP header](/en-US/docs/Web/HTTP/Head

- [Fetch specification: forbidden response-header name](https://fetch.spec.whatwg.org/#forbidden-response-header-name)
- Related glossary terms:
- {{Glossary("Forbidden header name")}}
- {{Glossary("Forbidden request header")}}
2 changes: 1 addition & 1 deletion files/en-us/glossary/http_header/index.md
Expand Up @@ -62,7 +62,7 @@ X-Cache-Info: cached
- {{Glossary("Response header")}}
- {{Glossary("Representation header")}}
- {{Glossary("Fetch metadata request header")}}
- {{Glossary("Forbidden header name")}}
- {{Glossary("Forbidden request header")}}
- {{Glossary("Forbidden response header name")}}
- {{Glossary("CORS-safelisted request header")}}
- {{Glossary("CORS-safelisted response header")}}
Expand Up @@ -35,7 +35,7 @@ This article explains how to create a new reference page for an HTTP header.
- Make sure you have these sections:

- Introductory text where the first sentence mentions the header name (bold) and summarizes its purpose.
- Information box containing at least the header type and if the header is a {{Glossary("Forbidden header name")}}.
- Information box containing at least the header type and if the header is a {{Glossary("Forbidden request header")}}.
- A syntax box containing all possible directives/parameters/values of the HTTP header.
- A section that explains these directives/values.
- An example section that contains a practical use case for this header or shows where and how it occurs usually.
Expand Up @@ -93,7 +93,7 @@ Two or three paragraphs in this section is appropriate, and if there are substan
</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<th scope="row">{{Glossary("Forbidden request header")}}</th>
<td>"Yes" or "No"</td>
</tr>
<tr>
2 changes: 1 addition & 1 deletion files/en-us/mozilla/firefox/releases/43/index.md
Expand Up @@ -75,7 +75,7 @@ _No change._
#### Miscellaneous

- The [Battery Status API](/en-US/docs/Web/API/Battery_Status_API) now uses the new promise syntax for {{domxref("Navigator.getBattery()")}}, as specified in the recent evolution of the specification ([Firefox bug 1050749](https://bugzil.la/1050749)).
- The `User-Agent` header is no longer in the list of {{Glossary("Forbidden_header_name", "forbidden header names")}} so it can now be set in a [Fetch](/en-US/docs/Web/API/Fetch_API) {{domxref("Headers")}} object, via XHR {{domxref("XMLHttpRequest.setRequestHeader()")}},… ([Firefox bug 1188932](https://bugzil.la/1188932)).
- The `User-Agent` header is no longer in the list of {{Glossary("Forbidden_request_header", "forbidden request headers")}} so it can now be set in a [Fetch](/en-US/docs/Web/API/Fetch_API) {{domxref("Headers")}} object, via XHR {{domxref("XMLHttpRequest.setRequestHeader()")}},… ([Firefox bug 1188932](https://bugzil.la/1188932)).
- The {{domxref("MediaRecorder.MediaRecorder", "MediaRecorder()")}} constructor can now accept an options dictionary as a parameter, which allows you to set custom bitrates for the audio/video to be recorded ([Firefox bug 1161276](https://bugzil.la/1161276)).
- The {{domxref("PerformanceObserver")}} interface, belonging to the [Performance APIs](/en-US/docs/Web/API/Performance_API) has been implemented ([Firefox bug 1165796](https://bugzil.la/1165796)).
- The Frame Timing API has been added: the `PerformanceRenderTiming` and `PerformanceCompositeTiming` interfaces are now available ([Firefox bug 1191178](https://bugzil.la/1191178)).
2 changes: 1 addition & 1 deletion files/en-us/web/api/fetch_api/using_fetch/index.md
Expand Up @@ -174,7 +174,7 @@ const response = await fetch("https://example.org/post", {
});
```

Compared to using plain objects, the `Headers` object provides some additional input sanitization. For example, it normalizes header names to lowercase, strips leading and trailing whitespace from header values, and prevents certain headers from being set. Many headers are set automatically by the browser and can't be set by a script: these are called {{glossary("Forbidden header name", "Forbidden header names")}}. If the {{domxref("Request.mode", "mode")}} option is set to `no-cors`, then the set of permitted headers is further restricted.
Compared to using plain objects, the `Headers` object provides some additional input sanitization. For example, it normalizes header names to lowercase, strips leading and trailing whitespace from header values, and prevents certain headers from being set. Many headers are set automatically by the browser and can't be set by a script: these are called {{glossary("Forbidden request header", "Forbidden request headers")}}. If the {{domxref("Request.mode", "mode")}} option is set to `no-cors`, then the set of permitted headers is further restricted.

### Sending data in a GET request

2 changes: 1 addition & 1 deletion files/en-us/web/api/headers/append/index.md
Expand Up @@ -18,7 +18,7 @@ that if the specified header already exists and accepts multiple values,
`append()` will append the new value onto the end of the set of values.

For security reasons, some headers can only be controlled by the user agent. These
headers include the {{Glossary("Forbidden_header_name", "forbidden header names")}}
headers include the {{Glossary("Forbidden_request_header", "forbidden request headers")}}
and {{Glossary("Forbidden_response_header_name", "forbidden response header names")}}.

## Syntax
2 changes: 1 addition & 1 deletion files/en-us/web/api/headers/delete/index.md
Expand Up @@ -12,7 +12,7 @@ The **`delete()`** method of the {{domxref("Headers")}}
interface deletes a header from the current `Headers` object.

For security reasons, some headers can only be controlled by the user agent. These
headers include the {{Glossary("Forbidden_header_name", "forbidden header names")}}
headers include the {{Glossary("Forbidden_request_header", "forbidden request headers")}}
and {{Glossary("Forbidden_response_header_name", "forbidden response header names")}}.

## Syntax
2 changes: 1 addition & 1 deletion files/en-us/web/api/headers/get/index.md
Expand Up @@ -14,7 +14,7 @@ with a given name. If the requested header doesn't exist in the `Headers`
object, it returns `null`.

For security reasons, some headers can only be controlled by the user agent. These
headers include the {{Glossary("Forbidden_header_name", "forbidden header names")}}
headers include the {{Glossary("Forbidden_request_header", "forbidden request headers")}}
and {{Glossary("Forbidden_response_header_name", "forbidden response header names")}}.

## Syntax
2 changes: 1 addition & 1 deletion files/en-us/web/api/headers/has/index.md
Expand Up @@ -13,7 +13,7 @@ returns a boolean stating whether a `Headers` object contains a certain
header.

For security reasons, some headers can only be controlled by the user agent. These
headers include the {{Glossary("Forbidden_header_name", "forbidden header names")}}
headers include the {{Glossary("Forbidden_request_header", "forbidden request headers")}}
and {{Glossary("Forbidden_response_header_name", "forbidden response header names")}}.

## Syntax
2 changes: 1 addition & 1 deletion files/en-us/web/api/headers/index.md
Expand Up @@ -27,7 +27,7 @@ Some `Headers` objects have restrictions on whether the {{domxref("Headers.set",
- For headers created with {{domxref("Headers.Headers","Headers()")}} constructor, there are no modification restrictions.
- For headers of {{domxref("Request")}} objects:
- If the request's {{domxref("Request.mode","mode")}} is `no-cors`, you can modify any {{Glossary("CORS-safelisted request header")}} name/value.
- Otherwise, you can modify any {{Glossary("forbidden header name", "non-forbidden header")}} name/value.
- Otherwise, you can modify any {{Glossary("forbidden request header", "non-forbidden request header")}} name/value.
- For headers of {{domxref("Response")}} objects:
- If the response is created using {{domxref("Response.error_static", "Response.error()")}} or {{domxref("Response.redirect_static", "Response.redirect()")}}, or received from a {{domxref("Window/fetch", "fetch()")}} call, the headers are immutable and cannot be modified.
- Otherwise, if the response is created using {{domxref("Response.Response","Response()")}} or {{domxref("Response.json_static","Response.json()")}}, you can modify any {{Glossary("forbidden response header name", "non-forbidden response header")}} name/value.
2 changes: 1 addition & 1 deletion files/en-us/web/api/headers/set/index.md
Expand Up @@ -18,7 +18,7 @@ overwrites the existing value with the new one, whereas {{domxref("Headers.appen
appends the new value to the end of the set of values.

For security reasons, some headers can only be controlled by the user agent. These
headers include the {{Glossary("Forbidden_header_name", "forbidden header names")}}
headers include the {{Glossary("Forbidden_request_header", "forbidden request headers")}}
and {{Glossary("Forbidden_response_header_name", "forbidden response header names")}}.

## Syntax
2 changes: 1 addition & 1 deletion files/en-us/web/api/requestinit/index.md
Expand Up @@ -109,7 +109,7 @@ You can also construct a `Request` with a `RequestInit`, and pass the `Request`
- : Any headers you want to add to your request, contained
within a {{domxref("Headers")}} object or an object literal whose keys are the names of headers and whose values are the header values.

Many headers are set automatically by the browser and can't be set by a script: these are called {{glossary("Forbidden header name", "Forbidden header names")}}.
Many headers are set automatically by the browser and can't be set by a script: these are called {{glossary("Forbidden request headers", "Forbidden request headers")}}.

If the `mode` option is set to `no-cors`, you can only set {{glossary("CORS-safelisted request header", "CORS-safelisted request headers")}}.

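Review bot: the first argument of `{{glossary("Forbidden request headers", "Forbidden request headers")}}` is the glossary term the macro turns into the link target, so the plural form will point at a page that does not exist; every other call in this PR (for example the `using_fetch` change) passes the singular "Forbidden request header" as the first argument and uses the plural only as display text. Change this to `{{glossary("Forbidden request header", "Forbidden request headers")}}`.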
Expand Up @@ -16,7 +16,7 @@ Each time you call `setRequestHeader()` after the first time you call it, the sp

If no {{HTTPHeader("Accept")}} header has been set using this, an `Accept` header with the type `"*/*"` is sent with the request when {{domxref("XMLHttpRequest.send", "send()")}} is called.

For security reasons, there are several {{Glossary("Forbidden_header_name", "forbidden header names")}} whose values are controlled by the user agent. Any attempt to set a value for one of those headers from frontend JavaScript code will be ignored without warning or error.
For security reasons, there are several {{Glossary("Forbidden_request_header", "forbidden request headers")}} whose values are controlled by the user agent. Any attempt to set a value for one of those headers from frontend JavaScript code will be ignored without warning or error.

In addition, the [`Authorization`](/en-US/docs/Web/HTTP/Headers/Authorization) HTTP header may be added to a request, but will be removed if the request is redirected cross-origin.

2 changes: 1 addition & 1 deletion files/en-us/web/http/cors/index.md
Expand Up @@ -55,7 +55,7 @@ A _simple request_ is one that **meets all the following conditions**:
- {{HTTPMethod("HEAD")}}
- {{HTTPMethod("POST")}}

- Apart from the headers automatically set by the user agent (for example, {{HTTPHeader("Connection")}}, {{HTTPHeader("User-Agent")}}, or [the other headers defined in the Fetch spec as a _forbidden header name_](https://fetch.spec.whatwg.org/#forbidden-header-name)), the only headers which are allowed to be manually set are [those which the Fetch spec defines as a CORS-safelisted request-header](https://fetch.spec.whatwg.org/#cors-safelisted-request-header), which are:
- Apart from the headers automatically set by the user agent (for example, {{HTTPHeader("Connection")}}, {{HTTPHeader("User-Agent")}}, or the {{glossary("Forbidden request header", "forbidden request headers")}}), the only headers which are allowed to be manually set are the [CORS-safelisted request-headers](/en-US/docs/Glossary/CORS-safelisted_request_header), which are:

- {{HTTPHeader("Accept")}}
- {{HTTPHeader("Accept-Language")}}
2 changes: 1 addition & 1 deletion files/en-us/web/http/headers/accept-ch/index.md
Expand Up @@ -17,7 +17,7 @@ To ensure client hints are sent reliably, the `Accept-CH` header should be persi
<td>{{Glossary("Response header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<th scope="row">{{Glossary("Forbidden request header")}}</th>
<td>No</td>
</tr>
<tr>
2 changes: 1 addition & 1 deletion files/en-us/web/http/headers/accept-encoding/index.md
Expand Up @@ -32,7 +32,7 @@ As long as the `identity;q=0` or `*;q=0` directives do not explicitly forbid the
<td>{{Glossary("Request header")}}, {{Glossary("Response header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<th scope="row">{{Glossary("Forbidden request header")}}</th>
<td>Yes</td>
</tr>
</tbody>
2 changes: 1 addition & 1 deletion files/en-us/web/http/headers/accept-language/index.md
Expand Up @@ -28,7 +28,7 @@ Servers often ignore the `Accept-Language` header in such cases and send a succe
<td>{{Glossary("Request header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<th scope="row">{{Glossary("Forbidden request header")}}</th>
<td>No</td>
</tr>
<tr>
2 changes: 1 addition & 1 deletion files/en-us/web/http/headers/accept-patch/index.md
Expand Up @@ -24,7 +24,7 @@ An `Accept-Patch` header in a response to any request method implicitly means th
<td>{{Glossary("Response header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<th scope="row">{{Glossary("Forbidden request header")}}</th>
<td>Yes</td>
</tr>
</tbody>
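Review bot: with the row label now reading "Forbidden request header", the "Yes" here contradicts the "Response header" type shown in the row above, and `Accept-Patch` does not appear among the forbidden request headers visible on the glossary page this PR rewrites (`Accept-Charset`, `Accept-Encoding`, the `Access-Control-Request-*` pair, `Transfer-Encoding`, `Upgrade`, `Via` and the `X-HTTP-Method*` names). This looks like a pre-existing wrong value that the rename makes more visible; it should be "No", as it is for the other response-only headers touched in this PR such as `Accept-CH` and `Accept-Ranges`.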
2 changes: 1 addition & 1 deletion files/en-us/web/http/headers/accept-post/index.md
Expand Up @@ -24,7 +24,7 @@ An `Accept-Post` header in a response to any request method implicitly means tha
<td>{{Glossary("Response header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<th scope="row">{{Glossary("Forbidden request header")}}</th>
<td>Yes</td>
</tr>
</tbody>
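Review bot: same issue as `Accept-Patch`: the row above marks `Accept-Post` as a response header, and it is not among the forbidden request headers visible on the rewritten glossary page, so "Yes" under the renamed "Forbidden request header" label is wrong and should be "No".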
2 changes: 1 addition & 1 deletion files/en-us/web/http/headers/accept-ranges/index.md
Expand Up @@ -19,7 +19,7 @@ For example, a response with an `Accept-Ranges` header indicates that the server
<td>{{Glossary("Response header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<th scope="row">{{Glossary("Forbidden request header")}}</th>
<td>No</td>
</tr>
</tbody>
2 changes: 1 addition & 1 deletion files/en-us/web/http/headers/accept/index.md
Expand Up @@ -22,7 +22,7 @@ For example, a browser uses different values in a request when fetching a CSS st
{{Glossary("Response header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<th scope="row">{{Glossary("Forbidden request header")}}</th>
<td>No</td>
</tr>
<tr>
Expand Up @@ -31,7 +31,7 @@ When credentials are included:
<td>{{Glossary("Response header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<th scope="row">{{Glossary("Forbidden request header")}}</th>
<td>No</td>
</tr>
</tbody>
Expand Up @@ -20,7 +20,7 @@ This header is required if the preflight request contains {{HTTPHeader("Access-C
<td>{{Glossary("Response header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<th scope="row">{{Glossary("Forbidden request header")}}</th>
<td>No</td>
</tr>
</tbody>
Expand Up @@ -16,7 +16,7 @@ The HTTP **`Access-Control-Allow-Methods`** {{Glossary("response header")}} spec
<td>{{Glossary("Response header")}}</td>
</tr>
<tr>
<th scope="row">{{Glossary("Forbidden header name")}}</th>
<th scope="row">{{Glossary("Forbidden request header")}}</th>
<td>No</td>
</tr>
</tbody>