Access-Control-Allow-Headers Header


This header is part of the Cross-Origin Resource Sharing (CORS) mechanism that allows web applications running at one origin to access selected resources from a different origin. Specifically, the Access-Control-Allow-Headers header is used in response to a preflight request to indicate which HTTP headers can be used during the actual request.

Syntax

Access-Control-Allow-Headers: <header-name>[, <header-name>]*

Directives

The directives of the Access-Control-Allow-Headers header are the names of the supported HTTP request headers. The value is a comma-separated list of the HTTP headers that the server will allow the client to use in the actual request.

Examples

In a server response, you might see the Access-Control-Allow-Headers header used as follows:

Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept, Origin
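
The sketch below is an added example, not code from this page or from any particular server framework. It shows a preflight handler building the Access-Control-Allow-Headers value from a fixed allowlist instead of echoing back whatever the browser lists in Access-Control-Request-Headers. The allowlist reuses the headers from the example above; the function names, the 403 status for a rejected preflight and the sample requests (including the header name x-internal-admin) are assumptions made for illustration, and Access-Control-Allow-Origin and Access-Control-Allow-Methods are left out.

```javascript
// Added example: function names, status codes and sample input are assumptions.
const ALLOWED_HEADERS = ["X-Requested-With", "Content-Type", "Accept", "Origin"];

// Parse a comma-separated header list into trimmed, lower-cased names.
// Header names are case-insensitive, so comparison is done in lower case.
function parseHeaderList(value) {
  return (value || "")
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// Decide how to answer a preflight (OPTIONS) request.
// requestHeaders: object keyed by lower-cased header name (the shape Node's
// http module uses for req.headers).
function preflightResponse(requestHeaders, allowed = ALLOWED_HEADERS) {
  const requested = parseHeaderList(requestHeaders["access-control-request-headers"]);
  const allowedLower = new Set(allowed.map((h) => h.toLowerCase()));
  const rejected = requested.filter((name) => !allowedLower.has(name));

  if (rejected.length > 0) {
    // Never reflect the requested list. Without Access-Control-Allow-Headers
    // in the response, the browser will not send the actual request.
    return { status: 403, headers: {}, rejected };
  }
  return {
    status: 204,
    headers: { "Access-Control-Allow-Headers": allowed.join(", ") },
    rejected: [],
  };
}

// Constructed sample preflights: one within the allowlist, one outside it.
const ok = preflightResponse({
  "access-control-request-headers": "content-type, X-Requested-With",
});
const blocked = preflightResponse({
  "access-control-request-headers": "content-type, x-internal-admin",
});

console.log(ok.status, ok.headers);
console.log(blocked.status, blocked.rejected);
```

Logging the rejected list gives a cheap signal for clients probing which request headers the server will accept cross-origin.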

Browser Compatibility

Browser    Compatibility
Chrome     Supported
Firefox    Supported
Safari     Supported
Opera      Supported
Edge       Supported

How to modify Access-Control-Allow-Headers header

ModHeader is a Chrome extension that can be used to modify HTTP request headers, which can be useful when testing the CORS behavior of a web application. After installing ModHeader, add a new header with the name "Access-Control-Allow-Headers" and enter the desired value. Note that because ModHeader modifies the headers of outgoing requests, the change often will not have any effect: Access-Control-Allow-Headers is intended for server responses. It can still be a useful tool for understanding how different headers affect browser behavior.