Specifically *which* headers are off-limits?

[tryoxiss]

The FAQ mentions you can't set "transport" headers such as Content-Length and Transfer-Encoding, but what is the actual list that is off-limits? Transfer headers is basically every HTTP header, a lot of which you may want to manually set. Here are just a few that seem simillar that make sense to be able to manaully set:

• Content-Language
• Content-Encoding for if you are sending other file types, such as PNG
• Via to blank out sources (idk why but people do it)
• X-Powered-By is often blanked to avoid exposing server software in use, thus doing some work to mitigate automatic attack adapatation or expose what vulnerabilities you may be open to.

[the10thWiz]

"Transport" headers are defined by the HTTP spec. These are headers that indicate how the body of a request is transferred. Content-Length and Transfer-Encoding are set by Rocket, to indicate how Rocket converted the raw bytes of the body into the response stream.