Override Forbidden Request Headers

Set headers like Origin, Referer, and User-Agent that browsers normally block. Corsfix overrides them server-side so your requests reach the API exactly how you need.

GET /data HTTP/1.1
Host: remote-api.com
Origin: https://yourdomain.com
Referer: https://yourdomain.com/
User-Agent: Mozilla/5.0
Referer: https://remote-api.com/
User-Agent: GoogleBot/1.0
Accept: application/json

Set any request header from your frontend

Pass the headers you need as a JSON object. Corsfix applies them server-side, bypassing browser restrictions. Find more usage details in our header override documentation.

// Override forbidden headers with Corsfix
fetch("https://proxy.corsfix.com/?https://api.example.com/data", {
  headers: {
    "x-corsfix-headers": JSON.stringify({
      "Origin": "https://example.com",
      "Referer": "https://example.com/",
      "User-Agent": "MyApp/1.0"
    })
  }
});
// Corsfix applies these headers server-side
// The target API receives exactly what you specified

Honestly, working with Corsfix has been incredible, the level of support is top-notch, and using Corsfix has improved the entire user experience for our Figma plugin.

Kyle Conrad

Lead Product Designer at Taco Bell

I've loved the way you're really trying to satisfy users' requests to make Corsfix an outstanding product. This is the aptitude I really like to see around me and my team.

Emanuele Luchetti

Co-founder and CTO at tuOtempO

I've tried a couple more proxy services but they didn't work as I was expecting, or at all. With that said I was quite surprised at how easy it was to use Corsfix and how well it's documented.

Prem Daryanani

Web Developer

Frequently Asked Questions

What are forbidden request headers?

Forbidden request headers (also called forbidden header names) are HTTP headers that cannot be set or modified programmatically in the browser. The browser controls these headers exclusively to maintain security and integrity of the request. Examples include Origin, Referer, User-Agent, Host, and any header starting with Sec- or Proxy-.

Why can't I set the Origin or Referer header in JavaScript?

Browsers restrict these headers to prevent websites from spoofing their identity. If JavaScript could freely set the Origin or Referer header, a malicious site could impersonate another domain to bypass access controls. This is a browser-enforced security measure defined in the Fetch specification.

How do I override forbidden headers with Corsfix?

Add the x-corsfix-headers header to your request with a JSON-stringified object containing the headers you want to override. Corsfix will apply those headers server-side before forwarding your request to the target API. For example, you can set Origin, Referer, or User-Agent to any value you need.

What is the full list of forbidden header names?

The forbidden header names include: Accept-Charset, Accept-Encoding, Access-Control-Request-Headers, Access-Control-Request-Method, Connection, Content-Length, Cookie, Date, DNT, Expect, Host, Keep-Alive, Origin, Referer, TE, Trailer, Transfer-Encoding, Upgrade, Via, User-Agent, and any header starting with Sec- or Proxy-. See the MDN Web Docs for the complete reference.

When would I need to override request headers?

Common scenarios include: APIs that validate the Origin or Referer header and reject requests from unknown domains, web scraping where the target server checks the User-Agent string, and accessing APIs that require specific header values that browsers won't let you set from frontend code.

Can I override multiple headers at once?

Yes. The x-corsfix-headers value is a JSON object, so you can include as many headers as you need in a single request. For example, you can override both Origin and Referer at the same time.

Is overriding request headers safe?

Corsfix applies the header overrides server-side, so the browser's security restrictions are not bypassed on the client. Your frontend code sends the override instructions to Corsfix, and Corsfix sets the actual headers when forwarding the request. This keeps your requests compliant while giving you full control over what the target API receives.
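For API owners, the practical consequence of server-side overrides is that Origin, Referer and User-Agent describe a request but do not authenticate it. The sketch below is an added example, not Corsfix code or code from this page; the origins, cookie name, session token and function names are all constructed. It compares an Origin-only allowlist with a check that requires a server-issued session and keeps Origin only as a CSRF test.

```javascript
// Added example: every name and value here is constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const SESSIONS = new Map([["s3ss10n-constructed", { user: "alice" }]]);

// Header names are case-insensitive, so normalise before lookup.
function header(req, name) {
  const key = Object.keys(req.headers)
    .find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? req.headers[key] : undefined;
}

// Weak: treats the Origin header as proof of who is calling.
function authorizeOriginOnly(req) {
  return ALLOWED_ORIGINS.has(header(req, "origin"));
}

// Hardened: a server-issued credential identifies the caller. Origin is
// still checked, but only as a CSRF test on state-changing browser requests
// that carry that credential.
function authorizeHardened(req) {
  const cookie = header(req, "cookie") || "";
  const match = /(?:^|;\s*)sid=([^;]+)/.exec(cookie);
  const session = match && SESSIONS.get(match[1]);
  if (!session) return { ok: false, reason: "no valid session" };
  if (!ALLOWED_ORIGINS.has(header(req, "origin"))) {
    return { ok: false, reason: "origin not allowed" };
  }
  return { ok: true, user: session.user };
}

// Constructed POST requests, as the API would see them.
// 1. Relayed by a server-side proxy: headers look right, no user credential.
const viaRelay = { method: "POST", headers: {
  Origin: "https://app.example.com",
  Referer: "https://app.example.com/",
  "User-Agent": "MyApp/1.0" } };
// 2. Sent by the real app in a logged-in user's browser.
const fromApp = { method: "POST", headers: {
  Origin: "https://app.example.com",
  Cookie: "theme=dark; sid=s3ss10n-constructed" } };
// 3. Sent cross-site from another page in that same browser.
const crossSite = { method: "POST", headers: {
  Origin: "https://other.example",
  Cookie: "sid=s3ss10n-constructed" } };

console.log(authorizeOriginOnly(viaRelay), authorizeHardened(viaRelay));
console.log(authorizeHardened(fromApp), authorizeHardened(crossSite));
```

The Origin-only check accepts the relayed request, while the hardened check rejects it for lacking a session and still rejects the cross-site browser request on Origin.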
