Access-Control-Allow-Headers
The HTTP Access-Control-Allow-Headers response header specifies which HTTP headers are permitted in a cross-origin request. Servers return this header as part of a CORS preflight response.
Usage
When a browser issues a preflight OPTIONS request, the Access-Control-Request-Headers header lists the non-safelisted headers the client intends to send. The server replies with Access-Control-Allow-Headers to confirm which of those headers are accepted.
CORS-safelisted headers are always permitted and do not need to appear in this list. The safelisted set includes Accept, Accept-Language, Content-Language, Content-Type (with restrictions on media type and value length), and Range (with restrictions on the format). Listing a safelisted header explicitly removes the extra restrictions on the value.
Multiple header names appear as a comma-separated list.
Directives
Header name list
A comma-separated set of header names the server accepts in the actual request.
Access-Control-Allow-Headers: Content-Type, Authorization
* (wildcard)
The asterisk acts as a wildcard for requests without credentials, permitting any header name.
Access-Control-Allow-Headers: *
Note
For credentialed requests the wildcard * is treated as a literal string, not as a wildcard. Each allowed header must be listed explicitly when credentials are present. The Authorization header is never covered by the wildcard and must always be named explicitly.
Example
A preflight request asks whether Content-Type and a custom X-Request-ID header are allowed. The server confirms both.
Request
OPTIONS /api/data HTTP/1.1
Origin: https://app.example.re
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type, X-Request-ID
Response
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.re
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: Content-Type, X-Request-ID
Access-Control-Max-Age: 86400
A server using the wildcard for non-credentialed requests responds with a single character.
Access-Control-Allow-Headers: *
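As an added illustration that is not part of this reference page, the following Python models the browser-side check the Fetch Standard applies to Access-Control-Allow-Headers during a preflight: which request headers end up in Access-Control-Request-Headers, the credentialed and non-credentialed wildcard rules from the Note above, and the Authorization exception. The safelist value rules are simplified (an assumption: only the Content-Type media type and a 128-byte length limit are checked; the Accept, Accept-Language, Content-Language and Range byte rules are omitted).

```python
# Added example, not from the page: a simplified model of the Fetch Standard's
# CORS preflight check for Access-Control-Allow-Headers.
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SAFELISTED_NAMES = {"accept", "accept-language", "content-language", "content-type", "range"}


def is_cors_safelisted(name, value):
    """Simplified CORS-safelisted request-header test (assumption: only the
    Content-Type media type and the 128-byte value limit are enforced)."""
    name = name.lower()
    if name not in SAFELISTED_NAMES or len(value) > 128:
        return False
    if name == "content-type":
        media_type = value.split(";", 1)[0].strip().lower()
        return media_type in SAFELISTED_CONTENT_TYPES
    return True


def unsafe_request_headers(headers):
    """Names a browser would place in Access-Control-Request-Headers."""
    return sorted({n.lower() for n, v in headers.items() if not is_cors_safelisted(n, v)})


def parse_header_list(value):
    """Split a comma-separated header list into lowercase names (names are case-insensitive)."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}


def preflight_headers_ok(headers, allow_headers, credentials):
    """Return (ok, rejected_names) for the actual request's headers given the
    Access-Control-Allow-Headers value (None if absent) and whether the request
    carries credentials. '*' is a wildcard only without credentials; with
    credentials it is a literal name. Authorization is never covered by '*'."""
    allowed = parse_header_list(allow_headers)
    wildcard = "*" in allowed and not credentials
    rejected = []
    for name in unsafe_request_headers(headers):
        if name == "authorization":
            if "authorization" not in allowed:
                rejected.append(name)
        elif not (wildcard or name in allowed):
            rejected.append(name)
    return (not rejected, rejected)
```

Run against the preflight above, the constructed request headers {"Content-Type": "application/json", "X-Request-ID": "abc"} pass with "Content-Type, X-Request-ID", but the same request with credentials fails against a bare "*".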
Takeaway
The Access-Control-Allow-Headers header tells browsers which non-safelisted request headers a server accepts in a cross-origin request, preventing the browser from blocking the actual request after the preflight check.
See also
- Fetch Standard: HTTP Access-Control-Allow-Headers
- Access-Control-Request-Headers
- Access-Control-Allow-Methods
- Access-Control-Allow-Credentials
- CORS
- HTTP headers