The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request.

The simple headers, Accept, Accept-Language, Content-Language, Content-Type (but only with a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain), are always available and don't need to be listed by this header.

This header is required if the request has an Access-Control-Request-Headers header.

Header type Response header
Forbidden header name no

Syntax

Access-Control-Allow-Headers: <header-name>[, <header-name>]*

Directives

<header-name>
The name of a supported request header. The header may list any number of headers, separated by commas.

Note that certain headers are always allowed: Accept, Accept-Language, Content-Language, Content-Type (but only with a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain). These are called the simple headers, and you don't need to specify them explicitly.

Examples

A custom header

Here's an example of what an Access-Control-Allow-Headers header might look like. It indicates that in addition to the "simple" headers, a custom header named X-Custom-Header is supported by CORS requests to the server.

Access-Control-Allow-Headers: X-Custom-Header

Multiple headers

This example shows Access-Control-Allow-Headers when it specifies support for multiple headers.

Access-Control-Allow-Headers: X-Custom-Header, Upgrade-Insecure-Requests

Example preflight request

Let's look at an example of a preflight request involving Access-Control-Allow-Headers.

Request

First, the request.  The preflight request is an OPTIONS request which includes some combination of the three preflight request headers: Access-Control-Request-Method, Access-Control-Request-Headers, and Origin, such as:

OPTIONS /resource/foo
Access-Control-Request-Method: DELETE
Access-Control-Request-Headers: origin, x-requested-with
Origin: https://foo.bar.org

Response

If the server allows CORS requests to use the DELETE method, it responds with an Access-Control-Allow-Methods response header, which lists DELETE along with the other methods it supports:

HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Origin: https://foo.bar.org
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Max-Age: 86400

If the requested method isn't supported, the server will respond with an error.

Specifications

Specification Status Comment
Fetch
The definition of 'Access-Control-Allow-Headers' in that specification.
Living Standard Initial definition.

Browser compatibility

FeatureChromeEdgeFirefoxInternet ExplorerOperaSafari
Basic support4123.510124
FeatureAndroid webviewChrome for AndroidEdge mobileFirefox for AndroidOpera AndroidiOS SafariSamsung Internet
Basic support2.1 Yes Yes4123.2 Yes

Compatibility notes

See also

Document Tags and Contributors

Contributors to this page: mfuji09, Sheppy, othree, smaximov, fscholz, teoli
Last updated by: mfuji09,