Access-Control-Allow-Headers: Syntax, Directive, Examples

The Access-Control-Allow-Headers is an HTTP response header that specifies which HTTP headers are supported by the response’s URL for the CORS (Cross-Origin Resource Sharing) protocol. A Cross-Origin Resource Sharing (CORS) is an HTTP-header-based method that enables a web server to determine any other origin or domain than its own from which a web browser allows origins to share resources amongst each other. A CORS-safe listed response header is an HTTP header in a CORS(Cross-Origin Resource Sharing) response that is considered secure to display to client scripts. Only safe listed response headers are made available to web pages. Additional headers can be added to the safelist using Access-Control-Expose-Headers. The web server lists the available headers using an Access-Control-Expose-Headers HTTP header, allowing clients to access them.

The Access-Control-Allow-Headers HTTP response header is applied as a response to a preflight request to determine which HTTP headers can be used during the actual request. A preflight request allows the webserver to check how the actual request appears before being created. The web server may indicate whether the web browser should send the actual request, or send an error to the client without returning the request. The Access-Control-Allow-Headers HTTP response header includes the Access-Control-Request-Headers. The Access-Control-Allow-Headers HTTP response header is needed if the request has an Access-Control-Request-Headers. The Access-Control-Request-Headers request header is used by web browsers for issuing a preflight request to allow the webserver to distinguish which HTTP headers the client will send when the actual request is created. 

What is Access-Control-Allow-Headers?

The Access-Control-Allow-Headers is a response-type header that is used to determine the required and supported HTTP headers. The Access-Control-Allow-Headers are also used during a request and applied in response to the CORS (Cross-origin Resource Sharing) preflight request. A CORS preflight request reviews to examine if the CORS (Cross-origin Resource Sharing) protocol is followed and ensures the webserver is aware of using specific mechanisms and HTTP headers, such as the Access-Control-Request

-Headers and Access-Control-Allow-Headers.

What is the Syntax of Access-Control-Allow-Headers?

The syntax for the Access-Control-Allow-Headers HTTP response header consists of the supported HTTP headers separated by commas and the wildcard value “*” if the requests do not require credentials. The syntax is shown below.

Access-Control-Allow-Headers: [<header-name>[, <header-name>]*]
Access-Control-Allow-Headers: *

An example of the syntax given below shows how the preflight request notifies the webserver that we need to send a “CORS GET” request with the HTTP headers enumerated in Access-Control-Request-Headers (Content-Type and x-requested-with).

OPTIONS /resource/my
Access-Control-Request-Method: GET
Access-Control-Request-Headers: Content-Type, x-requested-with

What is the Directive of Access-Control-Allow-Headers?

The directives of the Access-Control-Allow-Headers HTTP response header are below.

  • <header-name> The name of a supported request header. The header may list any number of headers, separated by commas.
  • <*> called as a wildcard. The value “*” only counts as a special wildcard value for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal header name “*” without special semantics. Note that the Authorization header can’t be wildcarded and always needs to be listed explicitly.

How to use Access-Control-Allow-Headers?

The usage of Access-Control-Allow-Headers HTTP response header is for determining which HTTP headers are needed and supported by a specific URL for CORS (Cross-origin Resource Sharing). With the help of CORS (Cross-origin Resource Sharing), web browsers allow origins to share resources amongst each other for a better user experience. If the CORS (Cross-origin Resource Sharing) request specified by the preflight request is approved, the web server will respond to the preflight request with a message that shows the authorized origin, mechanism, and headers. The Access-Control-Allow-Headers below show how we can include the headers that were requested.

HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Allow-Headers: Content-Type, x-requested-with
Access-Control-Max-Age: 85200

Examples of Access-Control-Allow-Headers Use

An example of Access-Control-Allow-Headers HTTP response header is when we have an origin my_sample ( and I desire to obtain resources from origin your_sample( To defend your security, the web browser will not allow me to access resources from and will block my request. As a requirement for origin to access your resources, your origin will need to allow the browser to know that it is approved for me to obtain resources from your origin( The format syntax of the example given is below.

Access-Control-Allow-Origin : * : Allows any origin.
Access-Control-Allow-Origin : : Allow requests only from

What are the Specification Documents for Access-Control-Allow-Headers?

The specification documents for the Access-Control-Allow-Headers HTTP response header are RFC7231 and RFC7230. The definition of the specification documents is below.

  • RFC7231: The RFC7231 or Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content, this document defines HTTP/1.1 request and response semantics based on the structure.
  • RFC7230: The RFC7230 is a request/response protocol with extensible semantics and self-explained message payloads.

What are the similar HTTP Headers to the Access-Control-Allow-Headers?

The related headers for the Access-Control-Allow-Headers HTTP response header are the Access-Control-Allow-Credentials HTTP response header and the Access-Control-Request-Headers. The definition of the similar headers for the Access-Control-Allow-Headers HTTP response header is below.

  • The Access-Control-Allow-Headers HTTP response header is included in a preflight request, which contains the Access-Control-Request-Headers, to determine which HTTP headers will be applied to the requests. 
  • The Access-Control-Allow-Credentials HTTP response header is used to provide the confirmation of the request’s credentials, defined in the Access-Control-Allow-Headers HTTP response header.
Koray Tuğberk GÜBÜR

Leave a Comment