It might also help avoid confusion for new developers that see an unused parameter in your code and could think it's unnecessary.

///

/// info

In this example we use invented custom headers `X-Key` and `X-Token`.

But in real cases, when implementing security, you would get more benefits from using the integrated [Security utilities (the next chapter)](../security/index.md){.internal-link target=_blank}.

///

///

## Add custom headers { #add-custom-headers }

There are some situations in where it's useful to be able to add custom headers to the HTTP error. For example, for some types of security.

You probably won't need to use it directly in your code.

But in case you needed it for an advanced scenario, you can add custom headers:

{* ../../docs_src/handling_errors/tutorial002_py39.py hl[14] *}

            final ExtractData data = new ExtractData(content != null ? content : StringUtil.EMPTY);
            final Enumeration<Header> headers = message.getAllHeaders();
            while (headers.hasMoreElements()) {
                final Header header = headers.nextElement();
                data.putValue(header.getName(), header.getValue());
            }
            putValue(data, "Content-ID", message.getContentID());

### Go 1.26

Go 1.26 added a new `httpcookiemaxnum` setting that controls the maximum number
of cookies that net/http will accept when parsing HTTP headers. If the number of
cookie in a header exceeds the number set in `httpcookiemaxnum`, cookie parsing
will fail early. The default value is `httpcookiemaxnum=3000`. Setting
`httpcookiemaxnum=0` will allow the cookie parsing to accept an indefinite

## Version 4.9.2

_2021-09-30_

 *  Fix: Don't include potentially-sensitive header values in `Headers.toString()` or exceptions.
    This applies to `Authorization`, `Cookie`, `Proxy-Authorization`, and `Set-Cookie` headers.
 *  Fix: Don't crash with an `InaccessibleObjectException` when running on JDK17+ with strong
    encapsulation enabled.

    *,
    settings: Settings,
    query: str,
    after: str | None = None,
) -> dict[str, Any]:
    headers = {"Authorization": f"token {settings.github_token.get_secret_value()}"}
    variables = {"after": after}
    response = httpx.post(
        github_graphql_url,
        headers=headers,
        timeout=settings.httpx_timeout,
        json={"query": query, "variables": variables, "operationName": "Q"},
    )

    ],
)
def test_hidden_header(path, headers, expected_status, expected_response):
    client = TestClient(app)
    response = client.get(path, headers=headers)
    assert response.status_code == expected_status
    assert response.json() == expected_response


def test_hidden_path():
    client = TestClient(app)
    response = client.get("/hidden_path/hidden_path")
    assert response.status_code == 200

                                "in": "header",
                                "required": True,
                                "schema": {"type": "string", "title": "Host"},
                            },
                            {
                                "name": "save_data",
                                "in": "header",
                                "required": True,

Pero por seguridad, como el server no sabe que está detrás de un proxy confiable, no interpretará esos headers.

/// note | Detalles Técnicos

Los headers del proxy son:

* <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For" class="external-link" target="_blank">X-Forwarded-For</a>

        try (ResponseBody responseBody = response.body()) {
          if (!response.isSuccessful()) throw new IOException("Unexpected code " + response);

          Headers responseHeaders = response.headers();
          for (int i = 0, size = responseHeaders.size(); i < size; i++) {
            System.out.println(responseHeaders.name(i) + ": " + responseHeaders.value(i));
          }