Access-Control-Allow-Headers Header
This header is part of the Cross-Origin Resource Sharing (CORS) mechanism that allows web applications running at one origin to access selected resources from a different origin. Specifically, the Access-Control-Allow-Headers header is used in response to a preflight request to indicate which HTTP headers can be used during the actual request.
Syntax
Access-Control-Allow-Headers: <header-name>[, <header-name>]*
Directives
The directives of the Access-Control-Allow-Headers header are the names of the supported HTTP request headers. The value of this header is a comma-separated list of HTTP headers that the server will allow the client to use in the actual request.
Examples
In a server response, you might see the Access-Control-Allow-Headers header used as follows:
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept, Origin
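As an added example (not part of the original page), the JavaScript below models in simplified form how a browser checks a request's headers against this value after the preflight. The function names are hypothetical, and the model ignores the value-based rules for safelisted headers, treating Content-Type as always needing approval.

```javascript
// Simplified model of the browser-side check against Access-Control-Allow-Headers.
// Assumption: only these names are treated as CORS-safelisted; the real rules
// also safelist Content-Type for three media types and constrain header values.
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);

// The header value from the Examples section above.
const PAGE_EXAMPLE = "X-Requested-With, Content-Type, Accept, Origin";

// Split the comma-separated value into a set of lower-cased header names.
function parseAllowHeaders(value) {
  return new Set(
    value.split(",").map((name) => name.trim().toLowerCase()).filter(Boolean)
  );
}

// Return the request header names that the server's value does NOT permit.
// An empty result means the actual request may be sent.
function blockedHeaders(allowValue, requestHeaderNames, { credentials = false } = {}) {
  const allowed = parseAllowHeaders(allowValue);
  // "*" acts as a wildcard only for requests without credentials;
  // with credentials it is just a literal header name "*".
  const wildcard = allowed.has("*") && !credentials;
  return requestHeaderNames
    .map((name) => name.toLowerCase()) // header names are case-insensitive
    .filter((name) => !SAFELISTED.has(name))
    .filter((name) => {
      if (allowed.has(name)) return false;
      // Authorization is never covered by the wildcard; it must be listed.
      if (wildcard && name !== "authorization") return false;
      return true;
    });
}

// Constructed sample requests, checked against the page's example value.
console.log(blockedHeaders(PAGE_EXAMPLE, ["Content-Type", "X-Requested-With"]));
console.log(blockedHeaders(PAGE_EXAMPLE, ["Authorization", "Content-Type"]));
console.log(blockedHeaders("*", ["X-Custom", "Authorization"]));
console.log(blockedHeaders("*", ["X-Custom"], { credentials: true }));
```

Listing only the headers an API actually needs, rather than `*`, keeps the set of headers a cross-origin page can send explicit and reviewable.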
Browser Compatibility
Browser | Compatibility |
---|---|
Chrome | Supported |
Firefox | Supported |
Safari | Supported |
Opera | Supported |
Edge | Supported |
How to modify Access-Control-Allow-Headers header
ModHeader is a Chrome extension that can be used to modify HTTP request headers. This can be useful, for instance, when testing the CORS behavior of a web application. After installing ModHeader, you would simply add a new header with the name "Access-Control-Allow-Headers" and enter the desired value. Note that since ModHeader modifies the headers of outgoing requests, the changes often will not have any effect because Access-Control-Allow-Headers is intended for server responses. However, it can still be a useful tool for understanding how different headers affect browser behavior.