I know that X- was historically used as a convention for non-standard headers, which is now recommended against. These days I'm seeing more and more headers which start with Sec-, such as Sec-WebSocket-*, Sec-CH-UA, Sec-Fetch-*, and now Sec-GPC. However, I can't find any RFC which specifically discusses this convention. So, where did this convention come from, what does it stand for (Secure?), and what is its purpose?
Sec- headers are so-called "forbidden response-header names" as defined in Fetch Metadata Request Headers - 4.2. The Sec- Prefix:

4.2. The Sec- Prefix

Each of the headers defined in this document is prefixed with Sec-, which makes them all forbidden response-header names, and therefore unmodifiable from JavaScript. This will prevent malicious websites from convincing user agents to send forged metadata along with requests, which should give sites a bit more confidence in their ability to respond reasonably to the advertised information.
Also see Forbidden header name:

A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name).

Modifying such headers is forbidden because the user agent retains full control over them. Names starting with Sec- are reserved for creating new headers safe from APIs that grant developers control over headers, such as fetch().
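The point of the prefix is that a server can act on Sec-Fetch-* values precisely because page scripts cannot set them. The following is an added example (not code from the question, the answer, or any specification): a forbidden-name check mirroring the Fetch Standard's rule that any request header name beginning with Sec- (or Proxy-) is off limits to scripts, followed by a server-side resource-isolation decision driven by Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest. The fixed list of forbidden names is only a representative subset of the Fetch Standard's full list, the policy rules are this example's own, and the `headers` object with lower-case keys and the sample requests are constructed for illustration.

```javascript
// Added example, not part of the original question or answer.

// Mirrors the Fetch Standard's rule that request header names starting with
// "Sec-" or "Proxy-" are forbidden for page scripts. The fixed names below are
// a representative subset of that standard's list, not the whole of it.
const FORBIDDEN_REQUEST_HEADER_NAMES = new Set([
  'host', 'cookie', 'origin', 'referer', 'content-length', 'connection',
]);

function isForbiddenRequestHeaderName(name) {
  const lower = String(name).toLowerCase();
  if (lower.startsWith('sec-') || lower.startsWith('proxy-')) return true;
  return FORBIDDEN_REQUEST_HEADER_NAMES.has(lower);
}

// Decide whether to serve a request based on Fetch Metadata headers.
// `headers` is assumed to be a plain object with lower-case keys, as a server
// framework would typically hand it over. The rules are this example's own.
function resourceIsolationDecision(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Browsers that predate Fetch Metadata send no Sec-Fetch-Site at all;
  // refusing them would break legitimate clients, so defer to other defences.
  if (site === undefined) return { allow: true, reason: 'no-metadata' };

  // Requests from our own origin/site, or user-initiated (address bar, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: `site=${site}` };
  }

  // Cross-site top-level GET navigations are how users arrive via links;
  // allow them unless the destination is an embedding context.
  if (mode === 'navigate' && method.toUpperCase() === 'GET' &&
      dest !== 'object' && dest !== 'embed') {
    return { allow: true, reason: 'cross-site-navigation' };
  }

  // Anything else is a cross-site sub-resource or non-GET request: block it.
  const detail = `cross-site ${mode || 'unknown-mode'} ${dest || ''}`.trim();
  return { allow: false, reason: detail };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { label: 'legacy browser, no metadata', method: 'GET', headers: {} },
  { label: 'same-origin XHR', method: 'POST',
    headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  { label: 'link click from another site', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { label: 'cross-site form POST', method: 'POST',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { label: 'cross-site image load', method: 'GET',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' } },
];

// Evaluate every sample and return the decisions for inspection.
function evaluateSamples() {
  return SAMPLE_REQUESTS.map(r => ({ label: r.label, ...resourceIsolationDecision(r.method, r.headers) }));
}

for (const d of evaluateSamples()) {
  console.log(`${d.allow ? 'ALLOW' : 'BLOCK'}  ${d.label} (${d.reason})`);
}
```

The decision function trusts the Sec-Fetch-* values only because the browser, not the page, fills them in; a script calling fetch() with a forged Sec-Fetch-Site is rejected by the forbidden-name rule before the request leaves the browser, which is what lets the server distinguish a cross-site form POST from a same-origin one.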