Welcome to Vigges Developer Community - Open, Learning, Share
Welcome To Ask or Share your Answers For Others

security - Can the "x-requested-with" http header be spoofed?

My research shows that only the Host, Referer, and User-Agent headers can be spoofed. (source)

Is this a correct assumption to make? The security of a site I am building may require that "x-requested-with" cannot be faked. This is far from ideal but may be the only avenue I have.


1 Answer


> The security of a site I am building may require that "x-requested-with" cannot be faked

Just about anything in HTTP can be spoofed. The level of 'spoofability' is hard to determine. It's fairly trivial to craft a request with any header value I desire.

If it's your only option, so be it, but I wouldn't want to use a site that relied on it for anything important.
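An added example, not part of the original answer: a loopback-only server that gates on `X-Requested-With` and a plain script client, showing that the server cannot tell who wrote the header. The handler name `HeaderGatedHandler` and the endpoint are hypothetical.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class HeaderGatedHandler(BaseHTTPRequestHandler):
    """Hypothetical endpoint that treats X-Requested-With as proof of origin."""

    def do_GET(self):
        # The server only sees bytes the client chose to send. It has no way
        # to tell a browser's XMLHttpRequest from a script that typed the header.
        if self.headers.get("X-Requested-With") == "XMLHttpRequest":
            status, body = 200, b"accepted\n"
        else:
            status, body = 403, b"rejected\n"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def fetch_status(port, headers):
    """Send one GET to the local demo server and return the status code."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def run_demo():
    """Return (status without the header, status with the header)."""
    server = HTTPServer(("127.0.0.1", 0), HeaderGatedHandler)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        without_header = fetch_status(server.server_port, {})
        with_header = fetch_status(
            server.server_port, {"X-Requested-With": "XMLHttpRequest"})
    finally:
        server.shutdown()
        server.server_close()
    return without_header, with_header


if __name__ == "__main__":
    print(run_demo())
```

The check passes for a non-browser client, so the header can only serve as a hint, not as authentication of the caller.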

