My research shows that only the Host, Referer, and User-Agent headers can be spoofed.

Question

0

Asked: May 11, 20262026-05-11T09:53:56+00:00 2026-05-11T09:53:56+00:00

My research shows that only the Host, Referer, and User-Agent headers can be spoofed.

0

My research shows that only the Host, Referer, and User-Agent headers can be spoofed. (source)

Is this a correct assumption to make? The security of a site I am building may require that ‘x-requested-with’ cannot be faked. This is far from ideal but may be the only avenue I have.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

score 0 · Answer 1 · 2026-05-11T09:53:56+00:00

The security of a site I am building may require that ‘x-requested-with’ cannot be faked

Just about anything in HTTP can be spoofed. The level of ‘spoofability’ is hard to determine. It’s fairly trivial to craft a request with any header value I desire.

If it’s your only option, so be it, but I wouldn’t want to use a site that relied on it for anything important.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

My research shows that only the Host, Referer, and User-Agent headers can be spoofed.

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply