swagger-ui/docs/usage/limitations.md
kyy f464ba2d31
Update swagger-ui
2025-06-24 13:40:26 +09:00


# Limitations

## Forbidden header names

Some request header names cannot be set by web applications. The Fetch standard designates them forbidden request headers: a browser silently ignores any value that page JavaScript (via `fetch` or `XMLHttpRequest`) supplies for them and sends its own value instead. The restriction exists so that a script cannot forge request metadata that servers and the browser's own security mechanisms depend on, such as the origin, the cookies for a site, or the CORS preflight fields.

Forbidden headers include:

  • Accept-Charset
  • Accept-Encoding
  • Access-Control-Request-Headers
  • Access-Control-Request-Method
  • Connection
  • Content-Length
  • Cookie
  • Cookie2
  • Date
  • DNT
  • Expect
  • Host
  • Keep-Alive
  • Origin
  • Proxy-*
  • Sec-*
  • Referer
  • TE
  • Trailer
  • Transfer-Encoding
  • Upgrade
  • Via

[Forbidden header names (developer.mozilla.org)](https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name)

The biggest impact of this on Swagger UI is that OpenAPI 3.0 parameters with `in: cookie` cannot be controlled when Swagger UI runs in a browser: the `Cookie` header that Swagger UI builds from the parameter value is discarded, and the request carries only the cookies the browser already stores for the API's origin, and only when the browser is allowed to attach them to that request.
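The following is an added example, not code from Swagger UI or from this page, that makes the silent drop described above visible. It classifies header names the way a browser does (case-insensitively, with the `Proxy-` and `Sec-` prefixes treated as wildcards), mirroring the list above, and wraps the check in a `requestInterceptor`, which is a real Swagger UI configuration option. The `droppedHeaders` field it sets on the request, the `log` callback, and the sample request are assumptions introduced for illustration; the Fetch living standard may forbid names beyond those listed on this page.

```javascript
// Added example, not part of Swagger UI. Classifies request headers the way a
// browser's Fetch implementation does, so a deployment can warn when an OpenAPI
// `in: cookie` (or other) parameter maps onto a header the browser will drop.
// The name list mirrors the list on this page; the Fetch living standard may add names.
const FORBIDDEN_EXACT = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin", "referer",
  "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// Header names are case-insensitive: `Cookie`, `cookie` and `COOKIE` are all forbidden.
function isForbiddenHeaderName(name) {
  const n = String(name).trim().toLowerCase();
  return FORBIDDEN_EXACT.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Split a header map into what the browser will send and what it will silently drop.
function partitionHeaders(headers) {
  const sent = {};
  const dropped = {};
  for (const [name, value] of Object.entries(headers)) {
    (isForbiddenHeaderName(name) ? dropped : sent)[name] = value;
  }
  return { sent, dropped };
}

// Interceptor for SwaggerUIBundle({ requestInterceptor }) (a real Swagger UI option).
// It cannot lift the limitation (no page JavaScript can); it only turns a silent
// drop into a logged one. `droppedHeaders` is a hypothetical field added for callers.
function makeForbiddenHeaderInterceptor(log = console.warn) {
  return (req) => {
    const { dropped } = partitionHeaders(req.headers || {});
    for (const name of Object.keys(dropped)) {
      log(`Swagger UI: header "${name}" will be discarded by the browser (forbidden header name)`);
    }
    req.droppedHeaders = Object.keys(dropped);
    return req;
  };
}

// Constructed sample: roughly what Swagger UI would build for an OpenAPI 3.0 operation
// that declares a cookie parameter `session` and a `Proxy-Authorization` header parameter.
const sampleRequest = {
  url: "https://api.example.test/v1/pets",
  method: "GET",
  credentials: "same-origin",
  headers: {
    Accept: "application/json",
    Cookie: "session=abc123",
    "Proxy-Authorization": "Basic dXNlcjpwYXNz",
    "X-Request-Id": "42",
  },
};
```

Running `makeForbiddenHeaderInterceptor()(sampleRequest)` logs two warnings (for `Cookie` and `Proxy-Authorization`) and leaves `Accept` and `X-Request-Id` untouched. Note that Node's own `fetch` does not enforce forbidden header names, so the classification has to be done explicitly as above rather than by probing a `Headers` object.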

For more context, see #3956.