Forbidden header names

Some header names cannot be controlled by web applications, due to security features built into web browsers.

Forbidden headers include:

Forbidden header names (developer.mozilla.org)

The biggest impact of this is that OpenAPI 3.0 Cookie parameters cannot be controlled when running Swagger UI in a browser.

For more context, see #3956.