The Access-Control-Allow-Headers header is part of the Cross-Origin Resource Sharing (CORS) mechanism, which allows web applications running at one origin to access selected resources from a different origin. Specifically, it is used in the response to a preflight request to indicate which HTTP headers can be used during the actual request.
Access-Control-Allow-Headers: <header-name>[, <header-name>]*
For the Access-Control-Allow-Headers header, the directives are the names of supported HTTP request headers. The value of this header is a comma-separated list of HTTP headers that the server will allow the client to use in the actual request.
In a server response, you might see the Access-Control-Allow-Headers header used as follows:
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept, Origin
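As an added example (not part of the original page), the following Node.js sketch shows a server answering a preflight from a fixed allowlist instead of echoing back the Access-Control-Request-Headers value sent by the browser. The allowlist contents and the names parseHeaderList and answerPreflight are assumptions chosen for illustration.

```javascript
// Added example: answer a CORS preflight from a fixed allowlist instead of
// echoing back whatever Access-Control-Request-Headers asks for.
// ALLOWED_HEADERS and both function names are assumptions for illustration.
const ALLOWED_HEADERS = ["X-Requested-With", "Content-Type", "Accept", "Origin"];

// RFC 7230 "token": the characters that are legal in an HTTP header name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Split a comma-separated header list into unique, lowercased names.
// Returns [] for an absent/empty value and null if any entry is malformed.
function parseHeaderList(value) {
  if (value === undefined || value.trim() === "") return [];
  const names = value.split(",").map((n) => n.trim().toLowerCase());
  return names.every((n) => TOKEN.test(n)) ? [...new Set(names)] : null;
}

// Decide the preflight answer for one Access-Control-Request-Headers value.
function answerPreflight(requestHeadersValue, allowlist = ALLOWED_HEADERS) {
  const requested = parseHeaderList(requestHeadersValue);
  if (requested === null) {
    // Malformed list: send no Access-Control-Allow-Headers at all.
    return { ok: false, rejected: [], allowHeaders: null };
  }
  // Header names compare case-insensitively.
  const allowed = new Set(allowlist.map((n) => n.toLowerCase()));
  const rejected = requested.filter((n) => !allowed.has(n));
  return {
    ok: rejected.length === 0,
    rejected, // names the browser asked for that are not on the allowlist
    // Always advertise the fixed list, never the caller's input.
    allowHeaders: allowlist.join(", "),
  };
}

// Constructed sample input: one allowed header, one that is not on the list.
console.log(answerPreflight("Content-Type, X-Api-Key"));
```

When rejected is non-empty, the browser's preflight check fails and the actual request is never sent; logging those names server-side shows which clients are asking for headers outside the allowlist.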
How to modify Access-Control-Allow-Headers header
ModHeader is a Chrome extension that can be used to modify HTTP request headers. This can be useful, for instance, when testing the CORS behavior of a web application. After installing ModHeader, you would simply add a new header with the name "Access-Control-Allow-Headers" and enter the desired value. Note that since ModHeader modifies the headers of outgoing requests, the changes often will not have any effect because Access-Control-Allow-Headers is intended for server responses. However, it can still be a useful tool for understanding how different headers affect browser behavior.