Access-Control-Allow-Headers header
The HTTP Access-Control-Allow-Headers response header is used in response to a preflight request to indicate the HTTP headers that can be used during the actual request. This header is required if the preflight request contains Access-Control-Request-Headers.
Note: The CORS-safelisted request headers are always allowed and usually aren't listed in Access-Control-Allow-Headers unless there is a need to circumvent the additional safelist restrictions.
| Header type | Response header |
|---|---|
Syntax
```http
Access-Control-Allow-Headers: <header-name>
Access-Control-Allow-Headers: <header-name>, <header-name>
Access-Control-Allow-Headers: *
```
Directives
<header-name>
The name of a supported request header. The header may list any number of headers, separated by commas.
* (wildcard)
Any header. The value * only counts as a special wildcard value for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal header name * without special semantics. The Authorization header doesn't accept wildcard and always needs to be listed explicitly.
Examples
Implementing a custom header
Below is an example of an Access-Control-Allow-Headers header. It indicates that a custom header named X-Custom-Header is supported by CORS requests to the server, in addition to the CORS-safelisted request headers.
```http
Access-Control-Allow-Headers: X-Custom-Header
```
Supporting multiple headers
This example shows Access-Control-Allow-Headers when it specifies support for multiple headers.
```http
Access-Control-Allow-Headers: X-Custom-Header, Upgrade-Insecure-Requests
```
Bypassing additional restrictions on CORS-safelisted headers
Although CORS-safelisted request headers are always allowed and don't usually need to be listed in Access-Control-Allow-Headers, listing them anyway will circumvent the additional restrictions that apply.
```http
Access-Control-Allow-Headers: Accept
```
Handling preflight requests
Let's look at an example of a preflight request involving Access-Control-Allow-Headers.
Request
First, the preflight request is an OPTIONS request that includes some combination of the three preflight request headers: Access-Control-Request-Method, Access-Control-Request-Headers, and Origin.
The preflight request below tells the server that we want to send a CORS GET request with the headers listed in Access-Control-Request-Headers (Content-Type and X-Requested-With).
```http
OPTIONS /resource/foo
Access-Control-Request-Method: GET
Access-Control-Request-Headers: content-type,x-requested-with
Origin: https://www.example.com
```
Response
If the CORS request indicated by the preflight request is authorized, the server will respond to the preflight request with a message that indicates the allowed origin, methods, and headers. Below, we see that Access-Control-Allow-Headers includes the headers that were requested.
```http
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Origin: https://www.example.com
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Allow-Headers: Content-Type, x-requested-with
Access-Control-Max-Age: 86400
```
If the requested method isn't supported, the server will respond with an error.
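The matching rules from the Directives section, applied to a preflight exchange like the one above, can be checked with a small model of the browser's comparison. This is an added example, not part of the original page; the function names `parseHeaderList` and `blockedHeaders` are hypothetical, and the header values passed to them are constructed samples.

```javascript
// Added example: models how Access-Control-Allow-Headers is matched against
// Access-Control-Request-Headers. Function names are hypothetical.

// Split a comma-separated header value into lowercase header names.
function parseHeaderList(value) {
  return (value || "")
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter(Boolean);
}

// Return the requested header names that the preflight response does not cover.
//   allowValue:   Access-Control-Allow-Headers from the preflight response
//   requestValue: Access-Control-Request-Headers from the preflight request
//   credentialed: true if the actual request carries cookies or HTTP auth
function blockedHeaders(allowValue, requestValue, credentialed) {
  const allowed = new Set(parseHeaderList(allowValue));
  // "*" is a wildcard only for requests without credentials; with
  // credentials it is just the literal header name "*".
  const wildcard = allowed.has("*") && !credentialed;
  return parseHeaderList(requestValue).filter((name) => {
    if (allowed.has(name)) return false;       // listed explicitly
    if (name === "authorization") return true; // never covered by "*"
    return !wildcard;
  });
}
```

An empty result means every requested header is covered; any name returned is one the browser would refuse to send on the actual request.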
Specifications
| Specification |
|---|
| Fetch # http-access-control-allow-headers |