Corsfix
Corsfix

CORS Headers Explained by Corsfix

Content licensed under CC-BY-SA-4.0

Source code

CORS Headers Explained

Access-Control-Request-Headers

The Access-Control-Request-Headers header is automatically sent by the browser during CORS preflight requests to indicate which headers will be included in the actual request.

This allows the server to approve or deny the use of those headers before the actual cross-origin request is made.

Syntax & Values 

Access-Control-Request-Headers: <header>, <header>, ...

The Access-Control-Request-Headers header is automatically set by the browser during preflight requests. It contains a comma-separated list of header names (e.g., content-type, x-custom-header) that will be included in the actual cross-origin request.

Examples

Preflight with custom headers

When a request includes custom headers like X-Custom-Header and X-API-Key, the browser automatically sends this header in the preflight request to inform the server which headers will be used.

Access-Control-Request-Headers: x-custom-header, x-api-key

Frequently Asked Questions

Do I need to set this header manually?

No, the browser automatically sends this header during preflight requests based on the headers in your actual request.

When is this header sent?

During preflight requests when your request includes custom headers or uses certain methods that require CORS preflight.