The HTTP Access-Control-Allow-Headers header is a response-type header that is used to indicate the HTTP headers. It can be used during a request and is used in response to a CORS preflight request, that checks to see if the CORS protocol is understood and a server is aware using specific methods and headers, which includes the Access-Control-Request-Headers HTTP header.
Syntax:
Access-Control-Allow-Headers: <header-name>
Note:Multiple headers can be used.
Directives: This header accepts two directives described below:
- <header-name>: It specifies the supported request header. If there are multiple headers in use we separate them using commas.
- *(wildcard): It is used for requests without HTTP cookies or HTTP authentication information. It should be noted that the Authorization header cannot be wild-carded and needs explicit mentioning.
Examples:
Access-Control-Allow-Headers: Proxy-Authorization
Access-Control-Allow-Headers: Proxy-Authorization, Max-Forwards
To check the Access-Control-Allow-Headers header, go to Inspect Element -> Network. Check the response header like below Access-Control-Allow-Headers is highlighted
Supported Browsers: The browsers are compatible with HTTP Access-Control-Allow-Headers header are listed below:
- Google Chrome 4.0
- Internet Explorer 12.0
- Firefox 3.5
- Opera 12.0
- Safari 4.0
Note: *(wildcard) directive may not supported on Safari and Internet Explorer.