Sending Forbidden request headers with APIC

There are certain request headers which cannot be modified programmatically. Modifying such headers is forbidden because the user agent retains full control over them.

You can find more on these forbidden headers on the MDN website.

Even though these headers are forbidden, that doesn't mean we can't send them in a request for testing purposes. Here is how...

Using the web extension

The APIC web extension leverages the Declarative Net Request API to set the forbidden headers to the values you specify. This works out of the box for the web extension.

Native app for Windows, Linux & Mac

Since the native app for Windows, Linux or Mac doesn't run in a typical browser, it doesn't have the limitation on sending forbidden headers.

Web App

Since browsers don't allow sending these restricted headers, you can bypass that limitation by using APIC's Web Agent, which also bypasses the CORS limitation imposed by browsers. Learn more on how to use the Web Agent here.

List of Forbidden headers

Forbidden header names start with Proxy- or Sec-, or are one of the following names:
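The name rule above and the Declarative Net Request approach from the web extension section, combined in an added example (not APIC's own code): it separates the headers `fetch()` can set itself from those that need a rewrite rule, then builds that rule. The name list comes from the Fetch standard's forbidden request-header definition; the function names, rule id and `test.example` hosts are assumptions made for illustration.

```javascript
// Forbidden request-header names per the Fetch standard (lower-cased).
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade",
  "via",
]);

// Header names are case-insensitive, so compare in lower case.
function isForbiddenHeaderName(name) {
  const n = String(name).trim().toLowerCase();
  return n.startsWith("proxy-") || n.startsWith("sec-") || FORBIDDEN_NAMES.has(n);
}

// Split the headers a tester entered into those fetch() can set directly
// and those that must be applied by a header-rewriting rule.
function partitionHeaders(headers) {
  const direct = {}, viaRule = {};
  for (const [name, value] of Object.entries(headers)) {
    (isForbiddenHeaderName(name) ? viaRule : direct)[name] = value;
  }
  return { direct, viaRule };
}

// Build one declarativeNetRequest rule that sets the forbidden headers,
// scoped to a single URL filter and to XHR/fetch traffic only.
function buildHeaderRule(ruleId, urlFilter, viaRule) {
  const requestHeaders = Object.entries(viaRule).map(([header, value]) => ({
    header, operation: "set", value: String(value),
  }));
  if (requestHeaders.length === 0) return null; // nothing to rewrite
  return {
    id: ruleId,
    priority: 1,
    action: { type: "modifyHeaders", requestHeaders },
    condition: { urlFilter, resourceTypes: ["xmlhttprequest"] },
  };
}

// Constructed sample input: one ordinary header, two forbidden ones.
const sampleSplit = partitionHeaders({
  "Content-Type": "application/json",
  "Origin": "https://app.test.example",
  "Sec-Fetch-Site": "same-origin",
});
const sampleRule = buildHeaderRule(1, "||api.test.example/", sampleSplit.viaRule);
// Inside an extension (declarativeNetRequest permission plus host permissions):
//   chrome.declarativeNetRequest.updateSessionRules(
//     { removeRuleIds: [sampleRule.id], addRules: [sampleRule] });
```

Keeping `urlFilter` narrow and removing the rule once the test request has been sent stops the overridden values from being applied to unrelated browsing in the same profile.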
