Access-Control-Request-Headers

The HTTP Access-Control-Request-Headers request header is sent by the browser during a CORS preflight to list which non-safelisted headers the subsequent request will include.

Usage

When front-end JavaScript sends a cross-origin request containing headers outside the CORS-safelisted set, the browser first issues a preflight OPTIONS request. The Access-Control-Request-Headers header in the preflight lists every non-safelisted header the actual request intends to send.

The server inspects this list and responds with Access-Control-Allow-Headers to confirm which headers are permitted. If the server omits a requested header from the allow list, the browser cancels the actual request.

CORS-safelisted request headers (Accept, Accept-Language, Content-Language, and, when their values meet the safelist conditions, Content-Type and Range) do not appear in this header because the browser permits them without preflight approval.

The header value is a comma-separated list of header names, all lowercased and sorted lexicographically by the browser.

Example

A client-side application needs to send a POST with a JSON body and a custom X-Request-ID header. The browser generates a preflight listing both Content-Type (which requires preflight when the media type is application/json) and the custom header.

Request

OPTIONS /api/orders HTTP/1.1
Host: api.example.re
Origin: https://shop.example.re
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type, x-request-id

Response

HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://shop.example.re
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: Content-Type, X-Request-ID
Access-Control-Max-Age: 3600

A preflight for a request carrying an Authorization token and a custom tracing header.

Request

OPTIONS /api/account HTTP/1.1
Host: api.example.re
Origin: https://dashboard.example.re
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization, x-trace-id
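
Server-side handling of the two preflights above, as an added example that is not part of the original page: the server parses Access-Control-Request-Headers and answers from a per-origin allowlist instead of echoing the requested names back. The names POLICY, parseRequestHeaders and evaluatePreflight are hypothetical, and the policy for dashboard.example.re is constructed so that Authorization is refused.

```javascript
// Added example: preflight decision against an explicit per-origin allowlist.
// POLICY values are constructed for illustration; header names are stored lowercase.
const POLICY = new Map([
  ["https://shop.example.re", { methods: ["POST"], headers: ["content-type", "x-request-id"] }],
  // Constructed: this origin is deliberately not allowed to send Authorization.
  ["https://dashboard.example.re", { methods: ["GET"], headers: ["x-trace-id"] }],
]);

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9a-z]+$/; // HTTP field-name token, lowercase only

// Split the comma-separated value into lowercased names; null if any name is malformed.
function parseRequestHeaders(value) {
  if (value === undefined || value.trim() === "") return [];
  const names = value.split(",").map((n) => n.trim().toLowerCase());
  return names.every((n) => TOKEN.test(n)) ? names : null;
}

// `req` holds the preflight's request headers keyed by lowercase name.
function evaluatePreflight(req) {
  // A denial carries no CORS headers, so the browser fails the preflight.
  const deny = (reason) => ({ status: 403, headers: {}, reason });
  const policy = POLICY.get(req.origin);
  if (!policy) return deny("origin not allowed");
  if (!policy.methods.includes(req["access-control-request-method"])) {
    return deny("method not allowed");
  }
  const requested = parseRequestHeaders(req["access-control-request-headers"]);
  if (requested === null) return deny("malformed header list");
  const refused = requested.filter((n) => !policy.headers.includes(n));
  if (refused.length > 0) return deny("header not allowed: " + refused.join(", "));
  return {
    status: 204,
    reason: "ok",
    headers: {
      "Access-Control-Allow-Origin": req.origin,
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      // Answer from the allowlist, never by reflecting the request value.
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      // Keep caches from reusing this answer for another origin or header list.
      Vary: "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
    },
  };
}
```

With this constructed policy, the first preflight is approved and the second is refused because authorization is not on the allowlist for its origin.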

Takeaway

The Access-Control-Request-Headers header informs the server which non-safelisted headers the browser plans to include, enabling the server to approve or deny each one through Access-Control-Allow-Headers.

Last updated: March 11, 2026