cors
Access-Control-Allow-Headers
Preflight response listing which request headers the actual request is allowed to send. Required whenever the client sends any non-CORS-safelisted header such as Authorization or a custom X-* header.
Access-Control-Allow-Headers: <header-name>[, <header-name>...] | * (response to preflight) Common directives / values
| Directive | Purpose |
|---|---|
| Content-Type | Required when sending JSON or any non-safelisted Content-Type. |
| Authorization | Required for Bearer/JWT/Basic auth on cross-origin fetches. |
| X-Requested-With | Common for XHR-flavored APIs to declare AJAX intent. |
| * | Wildcard allow — ignored for credentialed requests; Authorization must still be listed explicitly. |
Examples
Access-Control-Allow-Headers: Content-Type, Authorization Typical JSON API with token auth.
Access-Control-Allow-Headers: * Non-credentialed permissive API; note Authorization still requires explicit listing.
Access-Control-Allow-Headers: Content-Type, X-CSRF-Token, X-Request-Id Allow custom app headers used for CSRF and tracing.
Access-Control-Allow-Headers: *, Authorization Wildcard plus explicit Authorization — needed because * doesn't cover it.
Gotcha
The wildcard * in Allow-Headers does NOT include Authorization — it must always be listed by name. Also, header matching is case-insensitive, but always echo the header names the client actually sent.
Related headers
Access-Control-Allow-Methods
Sent in the preflight (OPTIONS) response to list which HTTP methods the actual cross-origin request may use. Cached by the browser according to Access-Control-Max-Age.
Access-Control-Allow-Origin
The core CORS response header: names the single origin (or *) permitted to read this response from client-side JavaScript. If missing or non-matching, the browser blocks the response from the calling script.
Access-Control-Expose-Headers
Lists response headers that the browser will expose to client JavaScript across origins. By default only a small CORS-safelisted set (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) is readable.
Access-Control-Max-Age
How long (in seconds) the browser may cache the preflight response, avoiding an OPTIONS round-trip before subsequent identical requests. Browsers cap this at their own maximum (Chrome ~7200s, Firefox ~86400s).
Access-Control-Allow-Credentials
Signals that the response may be shared with the requesting origin even when the request was made with credentials (cookies, HTTP auth, or client TLS certs). The only legal value is the literal string 'true'.