Let's look at an example of a preflight request involving Access-Control-Allow-Headers.
Request
First, the request. The preflight request is an OPTIONS request that includes some combination of the three preflight request headers: Access-Control-Request-Method, Access-Control-Request-Headers, and Origin.
The preflight request below tells the server that we want to send a CORS GET request with the headers listed in Access-Control-Request-Headers (Content-Type and x-requested-with).
OPTIONS /resource/foo
Access-Control-Request-Method: GET
Access-Control-Request-Headers: Content-Type, x-requested-with
Origin: https://foo.bar.org
Response
If the CORS request indicated by the preflight request is authorized, the server will respond to the preflight request with a message that indicates the allowed origin, methods, and headers. Below we see that Access-Control-Allow-Headers includes the headers that were requested.
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Origin: https://foo.bar.org
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Allow-Headers: Content-Type, x-requested-with
Access-Control-Max-Age: 86400
If the requested method isn't supported, the server will respond with an error.
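The server-side decision behind the exchange above can be written as an allowlist check. This is an added example, not code from the original page: the POLICY object, the handlePreflight function and the specific error status codes (400, 403, 405) are assumptions chosen for illustration, and the policy values mirror the sample response.

```javascript
// Added example: allowlist-based preflight evaluation (policy values are constructed).
const POLICY = {
  origins: new Set(["https://foo.bar.org"]),
  methods: ["POST", "GET", "OPTIONS", "DELETE"],
  headers: ["content-type", "x-requested-with"], // header names are case-insensitive
  maxAge: 86400,
};

// Split a comma-separated header value into trimmed, lower-cased tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// req: { method, headers } where header names are already lower-cased.
// Returns { status, headers } for the preflight response.
function handlePreflight(req, policy = POLICY) {
  const h = req.headers || {};
  const origin = h["origin"];
  const wantedMethod = (h["access-control-request-method"] || "").toUpperCase();
  if (req.method !== "OPTIONS" || !origin || !wantedMethod) {
    return { status: 400, headers: {} }; // not a CORS preflight
  }
  // Exact-match the origin against the allowlist; never echo an unchecked Origin.
  if (!policy.origins.has(origin)) return { status: 403, headers: {} };
  if (!policy.methods.includes(wantedMethod)) {
    return { status: 405, headers: { Allow: policy.methods.join(", ") } };
  }
  // Every requested header must be allowlisted, otherwise refuse the preflight.
  const wanted = tokens(h["access-control-request-headers"]);
  if (wanted.some((name) => !policy.headers.includes(name))) {
    return { status: 403, headers: {} };
  }
  const out = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": policy.methods.join(", "),
    "Access-Control-Max-Age": String(policy.maxAge),
    Vary: "Origin", // the response depends on Origin, so caches must key on it
    "Content-Length": "0",
  };
  if (wanted.length > 0) out["Access-Control-Allow-Headers"] = wanted.join(", ");
  return { status: 200, headers: out };
}
```

Refused preflights carry no Access-Control-Allow-* headers, so the browser blocks the actual request regardless of the status code chosen.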