Access-Control-Request-HeadersAccess-Control-Request-Headers is a request header the browser automatically adds to a CORS preflight to tell the server which custom or non-safelisted request headers the upcoming actual request will send. The server replies with Access-Control-Allow-Headers to grant them.
Using only CORS-safelisted request headers (Accept, Accept-Language, Content-Language, and a restricted-value Content-Type) avoids a preflight. Adding others (e.g. Authorization, X-Request-Id, or a Content-Type of application/json) makes the request non-simple, so the browser issues a preflight and lists the names it will actually send, lowercased and sorted, in this header.
The server approves by naming those headers (or *) in Access-Control-Allow-Headers on the preflight response. If any requested header is not in the allow list, the browser blocks the actual request. Like its sibling, this is a browser-managed forbidden header name that script cannot manipulate.
The value carries header names only, never their values. Authorization is not always covered by the * wildcard (in credentialed contexts), so the server should list it explicitly in Access-Control-Allow-Headers to be safe.
Access-Control-Request-Headers: <header-name>[, <header-name>]*e.g. Access-Control-Request-Headers: Content-Type, X-Request-Id