Add limitations.md

docs/usage/limitations.md

@@ -0,0 +1,38 @@
+# Limitations
+
+### Forbidden header names
+
+Some header names cannot be controlled by web applications, due to security
+features built into web browsers.
+
+Forbidden headers include:
+
+> - Accept-Charset
+> - Accept-Encoding
+> - Access-Control-Request-Headers
+> - Access-Control-Request-Method
+> - Connection
+> - Content-Length
+> - Cookie
+> - Cookie2
+> - Date
+> - DNT
+> - Expect
+> - Host
+> - Keep-Alive
+> - Origin
+> - Proxy-*
+> - Sec-*
+> - Referer
+> - TE
+> - Trailer
+> - Transfer-Encoding
+> - Upgrade
+> - Via
+>
+> _[Forbidden header names (developer.mozilla.org)](https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name)_
+
+The biggest impact of this is that OpenAPI 3.0 Cookie parameters cannot be
+controlled when running Swagger-UI in a browser.
+
+_For more context, see [#3956](https://github.com/swagger-api/swagger-ui/issues/3956).