$http({
  method: 'POST',
  url: $scope.update_url,
  // `params` would be appended to the URL as a query string; `data` sends the ids in the request body
  data: { selected_ids: userIds }
});
Because of the URL length limit, this request cannot be a 'GET' request (http://support.microsoft.com/kb/208427).
But for a 'POST' request we need a CSRF authenticity token in the header.
How do we set the CSRF token in the POST request header?
You can set it globally:
$httpProvider.defaults.headers.post['My-Header'] = 'value'; (or) $http.defaults.headers.post['My-Header'] = 'value';
or for a single request:
$http({ headers: { 'My-Header': 'value' } });
Here is an important quotation from Angular:
Cross Site Request Forgery (XSRF) Protection

XSRF is a technique by which an unauthorized site can gain your user's private data. Angular provides the following mechanism to counter XSRF. When performing XHR requests, the $http service reads a token from a cookie called XSRF-TOKEN and sets it as the HTTP header X-XSRF-TOKEN. Since only JavaScript that runs on your domain could read the cookie, your server can be assured that the XHR came from JavaScript running on your domain.

To take advantage of this, your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on the first HTTP GET request. On subsequent non-GET requests the server can verify that the cookie matches the X-XSRF-TOKEN HTTP header, and therefore be sure that only JavaScript running on your domain could have read the token. The token must be unique for each user and must be verifiable by the server (to prevent the JavaScript making up its own tokens). We recommend that the token is a digest of your site's authentication cookie with salt for added security.