# Limitations

## Headers

### Restricted headers

The following headers are not accessible within a Function. Avoid developing any code that depends on these headers or their variants.

| Header Name                             |
| --------------------------------------- |
| Connection, Proxy-Connection            |
| Expect                                  |
| Host                                    |
| Proxy-Authorization, Proxy-Authenticate |
| Referer                                 |
| Trailer                                 |
| Transfer-Encoding                       |
| Upgrade                                 |
| Via                                     |
| X-Accel-\*                              |
| X-Forwarded-\*, X-Real-IP               |

### The OPTIONS request

You cannot interact with the [pre-flight OPTIONS request](https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request) that is sent by browsers. The Runtime client will automatically respond to `OPTIONS` requests with `Access-Control-Allow-Headers: *`, and pass along all included request headers to the targeted Function (unless they are in the restricted headers list above). In addition, the Runtime client allows all origins by returning `Access-Control-Allow-Origin: *`, so CORS cannot be used to restrict which sites may call a Function.

### Maximum header size

Headers and cookies in both incoming requests and outgoing responses are subject to these limits:

* Max header size: **15kb** (including cookies)
* Max header count: **90** (including cookies)

If either of these limits is exceeded, your Function will throw a `431` error. The error will include the message `Request headers or cookies too long` if the limits are exceeded by a request, or `Response headers or cookies too long` if you've constructed a response that exceeds these limits.

This will also generate a [Twilio Error 82008](/docs/api/errors/82008).

## Cookies

* Runtime automatically adds the `HttpOnly` and `Secure` attributes to your cookies by default, unless you manually set those values.
* You cannot manually set the value of the `Domain` attribute on a cookie. The value will be removed and set to the domain of the Function creating the response.
* If you do not set a `Max-Age` or `Expires` on a cookie, it will be considered a [Session cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie).
* If you set both `Max-Age` and `Expires` on a cookie, `Max-Age` takes precedence.
* If you set the `Max-Age` or `Expires` of a cookie to greater than 24 hours, your Function will return a `400` error with the message `Cookies max-age cannot be greater than a day`.
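
A check for the header and cookie limits above that can run before a response is returned, written as an added example (not Twilio's code). It assumes `15kb` means 15 * 1024 bytes, that size is the UTF-8 length of each `name: value` line, and that each `Set-Cookie` counts as one header; `lintResponse` and `parseSetCookie` are hypothetical names.

```javascript
// Added example, not Twilio code. Assumptions: "15kb" is read as 15 * 1024 bytes,
// size is the UTF-8 byte length of every "name: value" line, cookies included,
// and each Set-Cookie line counts as one header toward the limit of 90.
const MAX_HEADER_BYTES = 15 * 1024;
const MAX_HEADER_COUNT = 90;
const MAX_COOKIE_AGE_S = 24 * 60 * 60;

// Split a Set-Cookie string into its name and a map of lowercased attributes.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const i = part.indexOf('=');
    attrs[(i === -1 ? part : part.slice(0, i)).toLowerCase()] =
      i === -1 ? true : part.slice(i + 1);
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// headers: { name: value }; setCookies: Set-Cookie strings; now: epoch milliseconds.
// Returns a list of findings; an empty list means no documented limit is hit.
function lintResponse(headers, setCookies, now = Date.now()) {
  const findings = [];
  const lines = Object.entries(headers).map(([k, v]) => `${k}: ${v}`)
    .concat(setCookies.map((c) => `Set-Cookie: ${c}`));
  const bytes = lines.reduce((n, l) => n + Buffer.byteLength(l, 'utf8'), 0);
  if (lines.length > MAX_HEADER_COUNT) findings.push('header-count'); // 431
  if (bytes > MAX_HEADER_BYTES) findings.push('header-size'); // 431
  for (const { name, attrs } of setCookies.map(parseSetCookie)) {
    // Either attribute above 24 hours is flagged, per the page's 400 rule.
    const ages = [];
    if (attrs['max-age'] !== undefined) ages.push(Number(attrs['max-age']));
    if (attrs.expires !== undefined) ages.push((Date.parse(attrs.expires) - now) / 1000);
    if (ages.some((a) => a > MAX_COOKIE_AGE_S)) findings.push(`cookie-lifetime:${name}`); // 400
    // Domain is not rejected; the runtime replaces it with the Function's domain.
    if (attrs.domain !== undefined) findings.push(`domain-overridden:${name}`);
  }
  return findings;
}

// Constructed sample response for illustration.
console.log(lintResponse(
  { 'Content-Type': 'application/json' },
  ['sid=abc; Max-Age=172800', 'pref=dark; Domain=example.com; Max-Age=3600'],
));
```

A `domain-overridden` finding is informational: the response still succeeds, but the cookie is scoped to the Function's own domain and not the one requested.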
