How to Fix: Refused to Set Unsafe Header
This article shows you how to fix the “Refused to set unsafe header” error in JavaScript. This error happens when your code tries to set a request header the browser considers forbidden, like Cookie, Host, or Origin.
Instant Fix for “Refused to Set Unsafe Header”
Use Corsfix to fix the “Refused to set unsafe header” error. Pass the header inside x-corsfix-headers, and Corsfix applies it server-side before forwarding the request to the target API.
const xhr = new XMLHttpRequest();
xhr.open("GET", "https://proxy.corsfix.com/?https://api.example.com/data");
xhr.setRequestHeader(
  "x-corsfix-headers",
  JSON.stringify({ Cookie: "session_id=abc123" })
);
xhr.onload = function () {
  console.log(JSON.parse(xhr.responseText));
};
xhr.send();

Your request goes to the proxy, the proxy sets the forbidden header on the outbound request, and forwards it to the target API. The response comes back to your browser with proper CORS headers attached.
For local development, this works instantly without registration. For live websites, set up your domain (takes 30 seconds).
Why This Error Happens
Browsers maintain a list of forbidden header names that JavaScript cannot set or modify. These headers are managed exclusively by the browser for security reasons.
The forbidden headers include:
- Cookie — the browser controls which cookies to send based on domain, path, and SameSite rules
- Host — set automatically from the request URL
- Origin — indicates where the request came from, used by servers for CORS validation
- Referer — the browser sets this to the page that initiated the request
- User-Agent — identifies the browser (Chrome still blocks overrides despite it being removed from the spec’s forbidden list)
- Connection, Content-Length, Transfer-Encoding — managed by the browser’s networking layer
- Any header starting with Sec- or Proxy-
When you try to set one of these using XMLHttpRequest.setRequestHeader(), the browser logs the “Refused to set unsafe header” warning and silently ignores the header.
const xhr = new XMLHttpRequest();
xhr.open("GET", "https://api.example.com/data");
xhr.setRequestHeader("Origin", "https://custom-origin.com");
// ⚠️ Refused to set unsafe header "Origin"
xhr.send();

This is not a CORS issue. It happens on same-origin requests too. The browser blocks these headers regardless of whether the request is cross-origin or same-origin, because the restriction exists to prevent scripts from impersonating or spoofing browser-level metadata.
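The following is an added example, not code from Corsfix or from this article, that ties the forbidden-header list above to the x-corsfix-headers technique from the first section: it flags header names the browser will refuse (the Fetch standard's forbidden request-header names plus User-Agent, with the Sec- and Proxy- prefixes) and moves only those into the x-corsfix-headers JSON, so you can see before sending which headers would have been dropped. The proxy base URL is assumed to be the https://proxy.corsfix.com/? form shown on this page.

```javascript
// Forbidden request-header names as listed by the Fetch standard (lowercased,
// since header names are case-insensitive). User-Agent is added because Chrome
// still refuses it, as the article notes. This list is assumed, not Corsfix's.
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
  "user-agent",
]);

// True when setRequestHeader() would log "Refused to set unsafe header".
function isForbiddenRequestHeader(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(n) || n.startsWith("sec-") || n.startsWith("proxy-");
}

// Split a header map: ordinary headers are passed through unchanged, forbidden
// ones are serialised into x-corsfix-headers for the proxy to apply server-side.
// Returns the proxied URL, the headers to send, and the forwarded subset.
function buildProxyRequest(targetUrl, headers, proxyBase = "https://proxy.corsfix.com/?") {
  const passThrough = {};
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeader(name)) {
      forwarded[name] = value;
    } else {
      passThrough[name] = value;
    }
  }
  if (Object.keys(forwarded).length > 0) {
    passThrough["x-corsfix-headers"] = JSON.stringify(forwarded);
  }
  return { url: proxyBase + targetUrl, headers: passThrough, forwarded };
}

// Constructed sample input: one forbidden header and one ordinary header.
const req = buildProxyRequest("https://api.example.com/data", {
  Cookie: "session_id=abc123",
  Accept: "application/json",
});
// In the browser this would be sent as: fetch(req.url, { headers: req.headers })
console.log(req);
```

Anything placed in x-corsfix-headers reaches the proxy as plaintext JSON, so forward only values you are willing to hand to that intermediary.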
Conclusion
Use a server-side proxy like Corsfix to fix “Refused to set unsafe header” in JavaScript. The browser will always block scripts from setting forbidden headers, and there is no client-side workaround or setting to change this behavior. Pass the headers you need inside x-corsfix-headers, and Corsfix sets them on the real request server-side, where the browser’s restrictions don’t apply.
Corsfix handles forbidden header overrides for you, so you don’t need to spin up your own backend just to set a header.