API Pricing RU Sign In

Site Analysis

HTTP Headers Advanced Health Score PageSpeed Security Redirect Chain Broken Links HTTP/2 & HTTP/3

Domain & DNS

DNS DNS Propagation WHOIS SSL CMS Detector

Network

Ping Traceroute IP ASN Lookup IP/CIDR Calculator

Security

Spam Lists RKN Check IP Abuse Check DKIM Generator Email Deliverability Mixed Content SEO Audit Schema Checker Site Comparison

SEO & AI

Robots.txt AI Readiness llms.txt Keywords

Utilities

Formatter Cron Tester JWT Decoder TTL Calculator Batch Heartbeat Status Pages

Information

API Documentation Articles Pricing Help Contact

RU Sign In Sign Up

Home / HTTP Headers / Access-Control-Allow-Headers

← All HTTP Headers

CORS

Access-Control-Allow-Headers

Specifies which HTTP headers can be used in the actual request following a CORS preflight.

Syntax

Access-Control-Allow-Headers: &lt;header-name&gt;, &lt;header-name&gt;

Example

Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With

Description

Access-Control-Allow-Headers indicates which headers can be included in cross-origin requests.

Simple headers (Accept, Accept-Language, Content-Language, simple Content-Type) are always allowed. Custom headers like Authorization need explicit permission.

* allows any headers but does not work with credentials.

Check if your website sends this header correctly

Check your headers →

HTTP Methods Explained: GET, POST, PUT, DELETE and Beyond

A comprehensive guide to HTTP methods — GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS. Learn semantics, use cases, and best practices for REST APIs.

CORS Explained: Cross-Origin Resource Sharing Guide

Understand CORS — how cross-origin requests work, preflight checks, headers, common errors, and how to configure CORS correctly for your web application.

Analyzing Server Response Headers: What They Reveal About a Website

A detailed guide to HTTP headers: Cache-Control, ETag, Server, CORS, and security headers. How to read and optimize response headers.

Related Headers

Access-Control-Allow-Credentials

Indicates whether the response to a credentialed cross-origin request can be exposed to JavaScript.

Access-Control-Allow-Methods

Specifies which HTTP methods are allowed in a CORS preflight response.

Access-Control-Allow-Origin

Specifies which origins are permitted to read the response, the fundamental CORS header.

Access-Control-Max-Age

Specifies how long the results of a CORS preflight request can be cached.

Start monitoring for free

Create Account API Documentation

⚡

enterno.io

Website monitoring and analysis tools

Site Analysis HTTP Headers Advanced Health Score PageSpeed Security Redirect Chain Broken Links HTTP/2 & HTTP/3

Domain & DNS & Network DNS Lookup DNS Propagation WHOIS SSL Check CMS Detector Ping & Ports Traceroute IP Geolocation ASN Lookup IP/CIDR Calculator

Security Spam Lists RKN Check IP Abuse Check DKIM Generator Email Deliverability Mixed Content

SEO & AI & Utilities Robots.txt AI Readiness llms.txt Keywords SEO Audit Schema Checker Site Comparison Formatter Cron Tester JWT Decoder TTL Calculator Batch Check

Service API Documentation Pricing Help Compare Articles HTTP Headers Reference HTTP Status Codes Contact Privacy Policy Terms of Service Heartbeat Status Pages

PHP 8.4 · Hosting: Russia