The Access-Control-Allow-Headers response header is used in response to a preflight request to indicate which HTTP headers can be used during the actual request.

The simple headers, Accept, Accept-Language, Content-Language, Content-Type (but only with a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain), are always available and don't need to be listed by this header.

This header is required if the request has an Access-Control-Request-Headers header.

Header type Response header
Forbidden header name no


Access-Control-Allow-Headers: <header-name>, <header-name>, ...


Comma-delimited list of the supported request headers.


Access-Control-Allow-Headers: X-Custom-Header


Specification Status Comment
The definition of 'Access-Control-Allow-Headers' in that specification.
Living Standard Initial definition.

Browser compatibility

FeatureChromeEdgeFirefoxInternet ExplorerOperaSafari
Basic support4123.510124
FeatureAndroid webviewChrome for AndroidEdge mobileFirefox for AndroidOpera AndroidiOS SafariSamsung Internet
Basic support2.1 Yes Yes4123.2 ?

Compatibility notes

See also

Document Tags and Contributors

 Contributors to this page: smaximov, fscholz, teoli
 Last updated by: smaximov,