My research shows that only the Host, Referer, and User-Agent headers can be spoofed. (source)
Is this a correct assumption to make? The security of a site I am bui
It can be spoofed by somebody using curl or a browser extension.
However, if it is used as an anti-CSRF measure (see here), then it cannot be easily spoofed, as the attacker is not the one with the browser. To spoof it you will need a Flash exploit, as explained in the answer, or CORS being set up with lax permissions on the target server.
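For the anti-CSRF use of these headers that the answer describes, here is an added example (not part of the question or the answer) of a server-side source-origin check; the allowlist, header dictionary shape and function names are assumptions made for the illustration:

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins the application accepts (assumption, not from the post).
ALLOWED_ORIGINS = {"https://app.example.com"}


def _origin_of(url):
    """Reduce a URL (an Origin or Referer value) to scheme://host[:port], or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(headers):
    """Return (allowed, reason) for a state-changing request, judged by Origin/Referer.

    A client that sends the request itself (curl, a browser extension) can put any
    value in these headers, so the check says nothing about that client's intent.
    Against classic CSRF it holds because a cross-site page cannot choose the
    Origin or Referer that the victim's browser attaches; the Flash / lax-CORS
    cases from the answer are the known ways around that.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        referer = lowered.get("referer")
        if referer is None:
            # Neither header present: fail closed rather than assume same-origin.
            return False, "no Origin or Referer header"
        origin = _origin_of(referer)
        if origin is None:
            return False, "unparseable Referer"
    elif origin.strip().lower() == "null":
        # Opaque origin (sandboxed frame, data: URL, some redirects): treat as cross-site.
        return False, "opaque (null) Origin"
    else:
        origin = _origin_of(origin)
        if origin is None:
            return False, "unparseable Origin"
    if origin in ALLOWED_ORIGINS:
        return True, "source origin allowed"
    return False, f"source origin {origin} not allowed"
```

Origin is preferred because browsers attach it on cross-site POSTs even when Referer is suppressed; the Referer branch only covers same-origin requests from older or privacy-configured browsers.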