My research shows that only the Host, Referer, and User-Agent headers can be spoofed. (source)
Is this a correct assumption to make? The security of a site I am building may require that "x-requested-with" cannot be faked. This is far from ideal but may be the only avenue I have.
The security of a site I am building may require that "x-requested-with" cannot be faked
Just about anything in HTTP can be spoofed. The level of 'spoofability' is hard to determine. It's fairly trivial to craft a request with any header value I desire.
If it's your only option, so be it, but I wouldn't want to use a site that relied on it for anything important.
Every header can be spoofed. Any header that starts with x- is non-standard.
Just came across this question, looking for something else, here is my answer:
A general security principle to bear in mind: any data can be altered.
Now from a practical standpoint here is what happens: The further down you operate on the stack (transport, network, link...) the more difficult it gets to alter the data because the tools needed are more likely to be unavailable to you in the first place and require system modifications (e.g. you can recompile a linux kernel to mess up with ethernet/IP stack if you're interested).
Talking about HTTP, that's application layer and it becomes dead easy to do whatever you want. You'll find tons of tools which will allow you to generate any custom HTTP requests from very basic network tools (nc, telnet...) to more advanced ones (cUrl,Fiddler...).
So NO the mere presence of the x-requested-with header can't be considered as proper security.
While it may be useful for low security level situations it will definitely not stop an attacker willing to go past it. Remember the first principle in security: no system in impenetrable, it just has to be secure enough to make breaking attempts unworthy.
It can be spoofed by somebody using curl or a browser extension.
However, if it is used as an anti CSRF measure (see here), then it cannot be easily spoofed as the attacker is not the one with the browser. To spoof it you will need a Flash exploit as explained in the answer, or CORS being setup with lax permissions on the target server.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 三岁会撩人 的文章《Can the “x-requested-with” http header be spoofed?》','https://www.manongdao.com/article-264680.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}