Some header names cannot be controlled by web applications, due to security features built into web browsers.
Forbidden headers include:
- Accept-Charset
- Accept-Encoding
- Access-Control-Request-Headers
- Access-Control-Request-Method
- Connection
- Content-Length
- Cookie
- Cookie2
- Date
- DNT
- Expect
- Host
- Keep-Alive
- Origin
- Proxy-*
- Sec-*
- Referer
- TE
- Trailer
- Transfer-Encoding
- Upgrade
- Via
The biggest impact of this is that OpenAPI 3.0 Cookie parameters cannot be controlled when running Swagger UI in a browser.
For more context, see #3956.