Access-Control-Request-Headers Header
Table of Content
- Syntax
- Directives
- Examples
- Browser Compatibility
- How to modify Access-Control-Request-Headers header
The Access-Control-Request-Headers header is used when issuing a preflight request to let the server know what HTTP headers will be used when an actual request is made. This is part of the Cross-Origin Resource Sharing (CORS) mechanism that web browsers implement to assure security on the web. CORS controls the interactions between a web browser and a web server in a secure way if they do not originate from the same domain.
Syntax
Access-Control-Request-Headers: <field-name>[, <field-name>]*Directives
<field-name>: A case-insensitive list of HTTP header field names separated by commas,.
Examples
Assuming a client application needs to set Content-Type and Accept-Language in its request, the preflight request would include:
Access-Control-Request-Headers: Content-Type, Accept-LanguageBrowser Compatibility
| Browser | Compatibility |
|---|---|
| Chrome | Supported |
| Firefox | Supported |
| Safari | Supported |
| Opera | Supported |
| Edge | Supported |
How to modify Access-Control-Request-Headers header
ModHeader is a Chrome extension that allows you to add, modify, and remove request headers in Chrome. This can be particularly useful for testing APIs by setting different headers. To modify the Access-Control-Request-Headers header:
- Install and click on the ModHeader icon in the Chrome toolbar.
- In the pop-up window, under "Request Headers", click on the "+" button.
- Enter "Access-Control-Request-Headers" in "Name" and the header you want to use in "Value" (e.g., "Content-Type, Accept-Language").
ModHeader will now add the Access-Control-Request-Headers to all requests made from your browser until you turn it off. This becomes extremely useful when testing CORS-enabled applications or APIs by manipulating the headers.