/ HTTP Headers


The Access-Control-Request-Headers is a crucial element of the HTTP headers that constitute the Cross-Origin Resource Sharing (CORS) mechanism. This header is used when a browser is making a preflight request to inform the server of the HTTP headers that will be used when the actual request is made.

What is Access-Control-Request-Headers?

The Access-Control-Request-Headers is an HTTP request header. It is used by a client (a Web API in a browser) during a preflight request to let the server know which HTTP headers will be used when the actual request is made. It’s the server’s responsibility to indicate whether these headers are acceptable.

Basic Usage

The header follows the format:

Access-Control-Request-Headers: <field-name>[, <field-name>]*

The <field-name> is the name of the header that the client plans to use in the actual request.

For instance, consider a preflight request with this header:

Access-Control-Request-Headers: X-My-Custom-Header

Here, the client indicates that it will use the X-My-Custom-Header in the actual request.

Detailed Examples

Scenario 1: Requesting a Single Custom Header

Suppose your client needs to make a request to your server with a custom header X-My-Custom-Header. The preflight request from the client would include:

Access-Control-Request-Headers: X-My-Custom-Header

The server should then respond with an Access-Control-Allow-Headers header containing X-My-Custom-Header to indicate that this header is allowed:

Access-Control-Allow-Headers: X-My-Custom-Header

Scenario 2: Requesting Multiple Custom Headers

In many situations, you might need to make a request with multiple custom headers. To do this, include each header name in the Access-Control-Request-Headers header, separated by commas:

Access-Control-Request-Headers: X-My-Custom-Header, X-Another-Custom-Header

The server would then respond with:

Access-Control-Allow-Headers: X-My-Custom-Header, X-Another-Custom-Header

Considerations and Caveats

When working with Access-Control-Request-Headers, there are a few key points to bear in mind:

  • Header Sensitivity: Ensure that any custom headers you use don’t unintentionally leak sensitive information.
  • Server Responsibility: It’s up to the server to decide whether to allow or disallow the headers specified in Access-Control-Request-Headers. If the server does not respond with an Access-Control-Allow-Headers header that includes the requested headers, the actual request will not be allowed.
  • Preflight Requests: Access-Control-Request-Headers is used in preflight requests, which are sent automatically by the browser under certain conditions (i.e., for “non-simple” requests) to check the server’s CORS policy.


The Access-Control-Request-Headers header plays a vital role in the CORS mechanism, enabling clients to inform the server about the headers they intend to use in the actual request. A proper understanding and implementation of this header can ensure smoother and more secure cross-origin interactions in your web applications.

Was this helpful?

Thanks for your feedback!