XHR().setRequestHeader is used to define a header in the list of request headers. When you call it this way:
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")
You are setting the content type of the content sent in a "post" or "put" method request, that is, the content passed in the first parameter of XHR().send. The content type "application/x-www-form-urlencoded" only indicates that the content is in URL parameter format, for example: "?param=1&etc=2"
Headers are always used in requests; there is never a security risk to the server.
Check out this page; it lists headers that can be defined in a request. Note: Not all headers can be defined programmatically with the XHR().setRequestHeader method.
There is no security risk in relation to the headers. There is no such thing as not sending headers, and moreover they cannot affect the server.
For more information, there is a specification here.
What can affect the server depends on your actions.
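
The following is an added example, not code from the original answer. It shows which header names a browser refuses to let setRequestHeader define, and what the "application/x-www-form-urlencoded" body passed to XHR().send looks like. The function names are hypothetical, and the forbidden-name list is an assumption taken from the Fetch Standard as known at the time of writing, so check the current specification.

```javascript
// Added example; isForbiddenRequestHeader, encodeForm and planRequest are
// hypothetical helper names, not part of the XMLHttpRequest API.

// Forbidden request-header names per the Fetch Standard (assumption: the list
// changes over time, verify against the current spec).
const FORBIDDEN = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

// True when the browser would silently ignore setRequestHeader(name, ...).
function isForbiddenRequestHeader(name) {
  const n = String(name).toLowerCase();
  return FORBIDDEN.has(n) || n.startsWith("proxy-") || n.startsWith("sec-");
}

// Build the string that goes into XHR().send for a urlencoded request.
// URLSearchParams percent-encodes reserved characters and turns spaces into "+".
function encodeForm(fields) {
  return new URLSearchParams(fields).toString();
}

// Split the wanted headers into those the script can set and those it cannot.
function planRequest(headers, fields) {
  const applied = {};
  const ignored = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeader(name)) ignored.push(name);
    else applied[name] = value;
  }
  return { applied, ignored, body: encodeForm(fields) };
}

// Constructed sample input.
const plan = planRequest(
  { "Content-Type": "application/x-www-form-urlencoded", "Host": "example.test",
    "Sec-Fetch-Site": "same-origin", "X-Requested-With": "XMLHttpRequest" },
  { param: "1", etc: "a b&c" }
);
console.log(plan);

// In a browser the plan would be used like this:
//   for (const [k, v] of Object.entries(plan.applied)) xhr.setRequestHeader(k, v);
//   xhr.send(plan.body);
```

Everything in the applied list is still chosen by the client, so the receiving server has to validate those values like any other request input.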