cors

Access-Control-Allow-Headers

Preflight response listing which request headers the actual request is allowed to send. Required whenever the client sends any non-CORS-safelisted header such as Authorization or a custom X-* header.

Access-Control-Allow-Headers: <header-name>[, <header-name>...]  |  *  (response to preflight)

Common directives / values

Directive Purpose
Content-Type Required when sending JSON or any non-safelisted Content-Type.
Authorization Required for Bearer/JWT/Basic auth on cross-origin fetches.
X-Requested-With Common for XHR-flavored APIs to declare AJAX intent.
* Wildcard allow — ignored for credentialed requests; Authorization must still be listed explicitly.

Examples

Access-Control-Allow-Headers: Content-Type, Authorization

Typical JSON API with token auth.

Access-Control-Allow-Headers: *

Non-credentialed permissive API; note Authorization still requires explicit listing.

Access-Control-Allow-Headers: Content-Type, X-CSRF-Token, X-Request-Id

Allow custom app headers used for CSRF and tracing.

Access-Control-Allow-Headers: *, Authorization

Wildcard plus explicit Authorization — needed because * doesn't cover it.

Gotcha

The wildcard * in Allow-Headers does NOT include Authorization — it must always be listed by name. Also, header matching is case-insensitive, but always echo the header names the client actually sent.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors