What does the HTTP header name prefix Sec- mean/stand for?


I know that X- was historically used as a convention for non-standard headers, which is now recommended against. These days I'm seeing more and more headers which start with Sec-, such as Sec-WebSocket-*, Sec-CH-UA, Sec-Fetch-*, and now Sec-GPC. However, I can't find any RFC which specifically discusses this convention. So, where did this convention come from, what does it stand for (Secure?), and what is its purpose?


Solution

  • Sec- headers are so-called "forbidden response-header names" as defined in Fetch Metadata Request Headers - 4.2. The Sec- Prefix

    4.2. The Sec- Prefix

    Each of the headers defined in this document is prefixed with Sec-, which makes them all forbidden response-header names, and therefore unmodifiable from JavaScript. This will prevent malicious websites from convincing user agents to send forged metadata along with requests, which should give sites a bit more confidence in their ability to respond reasonably to the advertised information.

    Also see Forbidden header name:

    A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

    Modifying such headers is forbidden because the user agent retains full control over them. Names starting with Sec- are reserved for creating new headers safe from APIs that grant developers control over headers, such as fetch().