From 0fe17539e16d32eeb68d291567653df2a0b2a0ea Mon Sep 17 00:00:00 2001 From: Kyle Shockey Date: Mon, 4 Dec 2017 20:58:53 -0800 Subject: [PATCH] Add limitations.md --- docs/usage/limitations.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 docs/usage/limitations.md diff --git a/docs/usage/limitations.md b/docs/usage/limitations.md new file mode 100644 index 00000000..03cf1f4f --- /dev/null +++ b/docs/usage/limitations.md @@ -0,0 +1,38 @@ +# Limitations + +### Forbidden header names + +Some header names cannot be controlled by web applications, due to security +features built into web browsers. + +Forbidden headers include: + +> - Accept-Charset +> - Accept-Encoding +> - Access-Control-Request-Headers +> - Access-Control-Request-Method +> - Connection +> - Content-Length +> - Cookie +> - Cookie2 +> - Date +> - DNT +> - Expect +> - Host +> - Keep-Alive +> - Origin +> - Proxy-* +> - Sec-* +> - Referer +> - TE +> - Trailer +> - Transfer-Encoding +> - Upgrade +> - Via +> +> _[Forbidden header names (developer.mozilla.org)](https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name)_ + +The biggest impact of this is that OpenAPI 3.0 Cookie parameters cannot be +controlled when running Swagger-UI in a browser. + +_For more context, see [#3956](https://github.com/swagger-api/swagger-ui/issues/3956).
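Review bot: the closing line of the new file opens an italic span with `_For more context, see [#3956](...).` but never closes it, so the trailing sentence will render with a stray underscore; add the closing `_` after the period. Two smaller doc points in the same hunk: the heading levels jump from `# Limitations` straight to `### Forbidden header names` (an `##` would keep the outline consistent with the rest of the docs), and the intro sentence could say explicitly that the restriction is enforced by the browser's fetch/XHR layer rather than by Swagger-UI, which is why the Cookie-parameter limitation cannot be worked around in Swagger-UI itself and only affects browser use, a point the final paragraph already implies but does not state. The quoted MDN list and its attribution link are fine as they are.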