Access-Control-Allow-Headers

응답헤더 Access-Control-Allow-Headers 는  사전요청(preflight request)Access-Control-Request-Headers 가 포함 되어있을 때 사용됩니다.

실제 요청시 어떤 HTTP header들이 사용 가능한지에 대해서 알려줍니다.

 simple headers, Accept, Accept-Language, Content-Language, Content-Type (파싱된  MIME type(매개변수 무시)의 값이 application/x-www-form-urlencoded, multipart/form-data, text/plain중 하나일 경우에만), 이 헤더들은 항상 사용이 가능하여 리스트 할 필요가 없습니다. 

요청에 Access-Control-Request-Headers 헤더가 포함 되어 있으면 필수 적으로 추가해서 응답해 주어야 합니다.

Header type Response header
Forbidden header name no

Syntax(구문)

Access-Control-Allow-Headers: <header-name>[, <header-name>]*

Directives(지시자)

<header-name>
지원되는 해더 이름. 헤더 이름은 ','로 구분하여 복수로 나열 할 수 있습니다.

항상 허용 되는 해더 : Accept, Accept-Language, Content-Language, Content-Type (파싱된  MIME type(매개변수 무시)의 값이 application/x-www-form-urlencoded, multipart/form-data, text/plain중 하나일 경우에만 ). 이 헤더들은 simple headers(심플해더) 로 불리고, 나열할 필요 없습니다.

Examples(예제)

A custom header (사용자 정의 헤더)

Here's an example of what an Access-Control-Allow-Headers header might look like. It indicates that in addition to the "simple" headers, a custom header named X-Custom-Header is supported by CORS requests to the server.

Access-Control-Allow-Headers: X-Custom-Header

Multiple headers (복수개의 헤더)

This example shows Access-Control-Allow-Headers when it specifies support for multiple headers.

Access-Control-Allow-Headers: X-Custom-Header, Upgrade-Insecure-Requests

Example preflight request (사전요청 예)

사전 요청에서  Access-Control-Allow-Headers 이 사용된 경우의 예제를 보도록 합시다.

요청

첫째, 요청.  사전 요청은 OPTIONS 메소드와 세개의 사전 요청 헤더가 가 필요하다 :  Access-Control-Request-Method, Access-Control-Request-Headers, and Origin

아래는 사전 요청의 예

OPTIONS /resource/foo
Access-Control-Request-Method: DELETE
Access-Control-Request-Headers: origin, x-requested-with
Origin: https://foo.bar.org

응답

만약 서버가 DELETE 메소드에 대한 CORS 요청과 을 허락한다면,  Access-Control-Allow-Methods 에 DELETE와 지원되는 다른 메소드가 같이 나열되어 응답합니다.

HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Origin: https://foo.bar.org
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Max-Age: 86400

만약 응답을 

Specifications

Specification Status Comment
Fetch
The definition of 'Access-Control-Allow-Headers' in that specification.		 Living Standard Initial definition.

Browser compatibility

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
Access-Control-Allow-HeadersChrome Full support 4Edge Full support 12Firefox Full support 3.5IE Full support 10Opera Full support 12Safari Full support 4WebView Android Full support 2Chrome Android Full support YesFirefox Android Full support 4Opera Android Full support 12Safari iOS Full support 3.2Samsung Internet Android Full support Yes
Wildcard (*)Chrome Full support 63Edge No support NoFirefox Full support 69IE No support NoOpera Full support 50Safari No support NoWebView Android Full support 63Chrome Android Full support 63Firefox Android No support NoOpera Android Full support 46Safari iOS No support NoSamsung Internet Android Full support 8.2

Legend

Full support  
Full support
No support  
No support

Compatibility notes

See also

관련 주제
  1. HTTP
  2. 가이드:
  3. 리소스와 URIs
    1. 웹의 리소스 식별하기
    2. 데이터 URIs
    3. MIME 타입 소개
    4. MIME 타입의 전체 리스트
    5. www와 non-www URL 중에서 선택하기
  4. HTTP 가이드
    1. HTTP 기본
    2. HTTP 개요
    3. HTTP의 진화
    4. HTTP 메시지
    5. 전형적인 HTTP 세션
    6. HTTP/1.x의 연결 관리
    7. 프로토콜 업그레이드 메커니즘
  5. HTTP 보안
    1. Content Security Policy (CSP)
    2. HTTP Public Key Pinning (HPKP)
    3. HTTP Strict Transport Security (HSTS)
    4. Cookie security
    5. X-Content-Type-Options
    6. X-Frame-Options
    7. X-XSS-Protection
    8. Mozilla web security guidelines
    9. Mozilla Observatory
  6. HTTP 접근 제어(CORS)
  7. HTTP 인증
  8. HTTP 캐싱
  9. HTTP 압축
  10. HTTP 조건부 요청
  11. HTTP 컨텐츠 협상
  12. HTTP 쿠키
  13. HTTP range 요청
  14. HTTP 리다이렉트
  15. HTTP 명세
  16. Feature policy
  17. 레퍼런스:
  18. HTTP 헤더
    1. Accept
    2. Accept-Charset
    3. Accept-Encoding
    4. Accept-Language
    5. Accept-Patch [Translate]
    6. Accept-Ranges
    7. Access-Control-Allow-Credentials
    8. Access-Control-Allow-Headers
    9. Access-Control-Allow-Methods [Translate]
    10. Access-Control-Allow-Origin
    11. Access-Control-Expose-Headers [Translate]
    12. Access-Control-Max-Age [Translate]
    13. Access-Control-Request-Headers [Translate]
    14. Access-Control-Request-Method [Translate]
    15. Age
    16. Allow [Translate]
    17. Alt-Svc [Translate]
    18. Authorization
    19. Cache-Control
    20. Clear-Site-Data [Translate]
    21. Connection
    22. Content-Disposition [Translate]
    23. Content-Encoding
    24. Content-Language
    25. Content-Length
    26. Content-Location
    27. Content-Range
    28. Content-Security-Policy
    29. Content-Security-Policy-Report-Only [Translate]
    30. Content-Type
    31. Cookie
    32. Cookie2 [Translate]
    33. Cross-Origin-Resource-Policy [Translate]
    34. DNT
    35. Date
    36. Digest [Translate]
    37. ETag
    38. Early-Data [Translate]
    39. Expect
    40. Expect-CT [Translate]
    41. Expires
    42. Feature-Policy [Translate]
    43. Forwarded
    44. From
    45. Host
    46. If-Match [Translate]
    47. If-Modified-Since
    48. If-None-Match [Translate]
    49. If-Range
    50. If-Unmodified-Since [Translate]
    51. Index [Translate]
    52. Keep-Alive
    53. Large-Allocation [Translate]
    54. Last-Modified
    55. Link [Translate]
    56. Location [Translate]
    57. Origin [Translate]
    58. Pragma
    59. Proxy-Authenticate [Translate]
    60. Proxy-Authorization [Translate]
    61. Public-Key-Pins [Translate]
    62. Public-Key-Pins-Report-Only [Translate]
    63. Range
    64. Referer
    65. Referrer-Policy [Translate]
    66. Retry-After
    67. Save-Data [Translate]
    68. Sec-WebSocket-Accept [Translate]
    69. Server
    70. Server-Timing [Translate]
    71. Set-Cookie
    72. Set-Cookie2 [Translate]
    73. SourceMap [Translate]
    74. Strict-Transport-Security
    75. TE [Translate]
    76. Timing-Allow-Origin [Translate]
    77. Tk [Translate]
    78. Trailer [Translate]
    79. Transfer-Encoding
    80. Upgrade-Insecure-Requests [Translate]
    81. User-Agent [Translate]
    82. Vary
    83. Via [Translate]
    84. WWW-Authenticate [Translate]
    85. Want-Digest [Translate]
    86. Warning [Translate]
    87. X-Content-Type-Options [Translate]
    88. X-DNS-Prefetch-Control [Translate]
    89. X-Forwarded-For
    90. X-Forwarded-Host [Translate]
    91. X-Forwarded-Proto
    92. X-Frame-Options
    93. X-XSS-Protection
  19. HTTP 요청 메소드
    1. CONNECT
    2. DELETE
    3. GET
    4. HEAD
    5. OPTIONS
    6. PATCH [Translate]
    7. POST
    8. PUT
    9. TRACE [Translate]
  20. HTTP 응답 상태 코드
    1. 100 Continue
    2. 101 Switching Protocols
    3. 103 Early Hints [Translate]
    4. 200 OK
    5. 201 Created
    6. 202 Accepted [Translate]
    7. 203 Non-Authoritative Information [Translate]
    8. 204 No Content [Translate]
    9. 205 Reset Content [Translate]
    10. 206 Partial Content
    11. 300 Multiple Choices [Translate]
    12. 301 Moved Permanently
    13. 302 Found
    14. 303 See Other [Translate]
    15. 304 Not Modified
    16. 307 Temporary Redirect [Translate]
    17. 308 Permanent Redirect [Translate]
    18. 400 Bad Request
    19. 401 Unauthorized
    20. 402 Payment Required [Translate]
    21. 403 Forbidden
    22. 404 Not Found
    23. 405 Method Not Allowed
    24. 406 Not Acceptable [Translate]
    25. 407 Proxy Authentication Required [Translate]
    26. 408 Request Timeout [Translate]
    27. 409 Conflict
    28. 410 Gone [Translate]
    29. 411 Length Required
    30. 412 Precondition Failed [Translate]
    31. 413 Payload Too Large
    32. 414 URI Too Long [Translate]
    33. 415 Unsupported Media Type [Translate]
    34. 416 Range Not Satisfiable
    35. 417 Expectation Failed [Translate]
    36. 418 I'm a teapot
    37. 422 Unprocessable Entity
    38. 425 Too Early [Translate]
    39. 426 Upgrade Required [Translate]
    40. 428 Precondition Required [Translate]
    41. 429 Too Many Requests [Translate]
    42. 431 Request Header Fields Too Large [Translate]
    43. 451 Unavailable For Legal Reasons [Translate]
    44. 500 Internal Server Error
    45. 501 Not Implemented [Translate]
    46. 502 Bad Gateway [Translate]
    47. 503 Service Unavailable
    48. 504 Gateway Timeout [Translate]
    49. 505 HTTP Version Not Supported [Translate]
    50. 511 Network Authentication Required [Translate]
  21. CSP 지시문
    1. CSP: base-uri [Translate]
    2. CSP: block-all-mixed-content [Translate]
    3. CSP: child-src [Translate]
    4. CSP: connect-src [Translate]
    5. CSP: default-src
    6. CSP: font-src [Translate]
    7. CSP: form-action [Translate]
    8. CSP: frame-ancestors [Translate]
    9. CSP: frame-src [Translate]
    10. CSP: img-src
    11. CSP: manifest-src [Translate]
    12. CSP: media-src
    13. CSP: navigate-to [Translate]
    14. CSP: object-src [Translate]
    15. CSP: plugin-types [Translate]
    16. CSP: prefetch-src [Translate]
    17. CSP: referrer [Translate]
    18. report-to
    19. CSP: report-uri [Translate]
    20. CSP: require-sri-for [Translate]
    21. CSP: sandbox [Translate]
    22. CSP: script-src
    23. CSP: script-src-attr [Translate]
    24. CSP: script-src-elem [Translate]
    25. CSP: style-src [Translate]
    26. CSP: style-src-attr [Translate]
    27. CSP: style-src-elem [Translate]
    28. CSP: trusted-types [Translate]
    29. CSP: upgrade-insecure-requests [Translate]
    30. CSP: worker-src [Translate]
  22. CORS 에러
    1. Reason: CORS disabled [Translate]
    2. Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz' [Translate]
    3. Reason: CORS header 'Access-Control-Allow-Origin' missing [Translate]
    4. Reason: CORS header ‘Origin’ cannot be added [Translate]
    5. Reason: CORS preflight channel did not succeed [Translate]
    6. Reason: CORS request did not succeed
    7. Reason: CORS request external redirect not allowed [Translate]
    8. Reason: CORS request not HTTP [Translate]
    9. Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’ [Translate]
    10. Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’ [Translate]
    11. Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed [Translate]
    12. Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’ [Translate]
    13. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ [Translate]
    14. Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’ [Translate]
    15. Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel [Translate]
  23. Feature-Policy 지시문
    1. Feature-Policy: accelerometer [Translate]
    2. Feature-Policy: ambient-light-sensor [Translate]
    3. Feature-Policy: autoplay [Translate]
    4. Feature-Policy: camera [Translate]
    5. Feature-Policy: display-capture [Translate]
    6. Feature-Policy: document-domain [Translate]
    7. Feature-Policy: encrypted-media [Translate]
    8. Feature-Policy: fullscreen [Translate]
    9. Feature-Policy: geolocation [Translate]
    10. Feature-Policy: gyroscope [Translate]
    11. Feature-Policy: layout-animations [Translate]
    12. Feature-Policy: legacy-image-formats [Translate]
    13. Feature-Policy: magnetometer [Translate]
    14. Feature-Policy: microphone [Translate]
    15. Feature-Policy: midi [Translate]
    16. Feature-Policy: oversized-images [Translate]
    17. Feature-Policy: payment [Translate]
    18. Feature-Policy: picture-in-picture [Translate]
    19. Feature-Policy: speaker [Translate]
    20. Feature-Policy: sync-xhr [Translate]
    21. Feature-Policy: unoptimized-images [Translate]
    22. Feature-Policy: unsized-media [Translate]
    23. Feature-Policy: usb [Translate]
    24. Feature-Policy: vibrate [Translate]
    25. Feature-Policy: vr [Translate]
    26. Feature-Policy: wake-lock [Translate]
    27. Feature-Policy: webauthn [Translate]
    28. Feature-Policy: xr [Translate]