Skip to contentSkip to navigationSkip to topbar
Rate this page:
On this page



headers page anchor

Restricted headers

restricted-headers page anchor

The following headers are not accessible within a Function. Avoid developing any code that depends on these headers or their variants.

Header Name
Connection Proxy-Connection
Proxy-Authorization Proxy-Authenticate
X-Forwarded-* X-Real-IP

You cannot interact with the pre-flight OPTIONS request(link takes you to an external page) that is sent by browsers. The Runtime client will automatically respond to OPTIONS requests with Access-Control-Allow-Headers: *, and pass along all included request headers to the targeted Function (unless they are in the exclusions list above). In addition, the Runtime client allows all origins by returning Access-Control-Allow-Origin: *.

Headers and cookies in both incoming requests and outgoing responses are subject to these limits:

  • Max header size: 15kb (including cookies)
  • Max header count: 90 (including cookies)

If either of these limits is exceeded, your Function will throw a 431 error. The error will include the message Request headers or cookies too long if the limits are exceeded by a request, or Response headers or cookies too long if you've constructed a response that exceeds these limits.

This will also generate a Twilio Error 82008.

  • Runtime automatically adds the HttpOnly and Secure attributes to your cookies by default, unless you manually set those values.
  • You cannot manually set the value of the Domain attribute on a cookie. The value will be removed and set to the domain of the Function creating the response.
  • If you do not set a Max-Age or Expires on a cookie, it will be considered a Session cookie(link takes you to an external page) .
  • If you set both Max-Age and Expires on a cookie, Max-Age takes precedence.
  • If you set the Max-Age or Expires of a cookie to greater than 24 hours, your Function will return a 400 error with the message Cookies max-age cannot be greater than a day .

Rate this page: