A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a {{Glossary("Forbidden response header name")}}).
Modifying such headers is forbidden because the user agent retains full control over them. Names starting with `Sec-` are reserved for creating new headers safe from {{glossary("API","APIs")}} using Fetch that grant developers control over headers, such as {{domxref("XMLHttpRequest")}}.
Forbidden header names start with Proxy- or Sec-, or are one of the following names:
Accept-CharsetAccept-EncodingAccess-Control-Request-HeadersAccess-Control-Request-MethodConnectionContent-LengthCookieCookie2DateDNTExpectFeature-PolicyHostKeep-AliveOriginProxy-Sec-RefererTETrailerTransfer-EncodingUpgradeViaNote: The User-Agent header is no longer forbidden, as per spec — see forbidden header name list (this was implemented in Firefox 43) — it can now be set in a Fetch Headers object, or via XHR setRequestHeader(). However, Chrome will silently drop the header from Fetch requests (see Chromium bug 571722).