My research shows that only the Host, Referer, and User-Agent headers can be spoofed. (source)
Is this a correct assumption to make? The security of a site I am building may require that "x-requested-with" cannot be faked. This is far from ideal but may be the only avenue I have.
See Question&Answers more detail:os