The HTTP Access-Control-Allow-Headers response header indicates which HTTP headers can be used during the actual HTTP request.


The Access-Control-Allow-Headers response is part of the CORS protocol to allow cross-origin sharing, and it is returned in response to a preflight request. It specifies which HTTP headers are allowed during the subsequent HTTP request, over and above what is whitelisted by the CORS protocol.

Access-Control-Allow-Headers: *

The asterisk is a wildcard for requests that do not have credentials. It tells the client to allow any supported HTTP header during a preflight request.


For HTTP requests that include credentials, the asterisk character * is treated as a literal, rather than a wildcard character.

HTTP headers that have been whitelisted by CORS are always allowed and are not typically included in the HTTP Access-Control-Allow-Headers header. These include: Accept, Accept-Language, Content-Language, and Content-Type. There are some additional restrictions, including that the length of each value is restricted to 128 bytes in length. However, the additional restrictions are ignored if the safe HTTP headers are explicitly listed.


In this example, the server responds to a preflight request that was made by the client. As part of it, the Access-Control-Allow-Headers response header is included to signal which HTTP headers are allowed during the HTTP request itself. The HTTP Accept header is included so that it will have no restrictions, and the X-User-Addr is a custom HTTP header that includes data understood between client and server.


Access-Control-Allow-Headers: Accept, X-User-Addr


The Access-Control-Allow-Headers response header is sent in response to a preflight request and is used to inform the client as to which HTTP headers are allowed during the HTTP request.

See also

Last updated: June 2, 2022