Access-Control-Request-Headers
Request header CORS

Overview

Access-Control-Request-Headers is a request header the browser automatically adds to a CORS preflight to tell the server which custom or non-safelisted request headers the upcoming actual request will send. The server replies with Access-Control-Allow-Headers to grant them.

Details

Using only CORS-safelisted request headers (Accept, Accept-Language, Content-Language, and a restricted-value Content-Type) avoids a preflight. Adding others (e.g. Authorization, X-Request-Id, or a Content-Type of application/json) makes the request non-simple, so the browser issues a preflight and lists the names it will actually send, lowercased and sorted, in this header.

The server approves by naming those headers (or *) in Access-Control-Allow-Headers on the preflight response. If any requested header is not in the allow list, the browser blocks the actual request. Like its sibling, this is a browser-managed forbidden header name that script cannot manipulate.

The value carries header names only, never their values. Authorization is not always covered by the * wildcard (in credentialed contexts), so the server should list it explicitly in Access-Control-Allow-Headers to be safe.

Syntax

Access-Control-Request-Headers: <header-name>[, <header-name>]*

e.g. Access-Control-Request-Headers: Content-Type, X-Request-Id

Notes

Related headers

Related status codes

Specification