Limitations

Forbidden header names

Some header names cannot be controlled by web applications, due to security features built into web browsers.

Forbidden headers include:

Accept-Charset

Accept-Encoding

Access-Control-Request-Headers

Access-Control-Request-Method

Connection

Content-Length

Cookie

Cookie2

Date

DNT

Expect

Host

Keep-Alive

Origin

Proxy-*

Sec-*

Referer

TE

Trailer

Transfer-Encoding

Upgrade

Via

Forbidden header names (developer.mozilla.org)

The biggest impact of this is that OpenAPI 3.0 Cookie parameters cannot be controlled when running Swagger UI in a browser.

For more context, see #3956.

845 B Raw Blame History

Limitations

Forbidden header names

845 B

Raw Blame History