Access Control Request Headers

Nikhil Anilkumar
Published on
11 Dec 2022
2 min read
HTTP headers

What is access control request headers?

Access-Control-Request-Headers is a request-type header used by browsers that carries information about the various HTTP headers that the client will send in the subsequent request.

The browser determines if a CORS preflight is required whenever a client sends a request to a server.

If a CORS preflight request is required, the browser sends a request with numerous headers attached conveying information about the ensuing request using the HTTP Options method.

One of these characteristics is the variety of headers that the request may contain. This data is stored in the preflight request’s Access-Control-Request-Headers header.

Syntax of access control request headers


Access-Control-Request-Headers: header-name-1, header-name-2, …

Directives of access control request headers

The Access-Control-Request-Headers header accepts a header-name directive. The header-name directive is a comma-separated list of header names that will be attached to the ensuing request.

Access control request headers example

Let us consider an example where the browser sends an XHR request. The following code sends

        const req= new XMLHttpRequest(); 
       'POST', 'https://examplepostroute/'); 

        req.setRequestHeader('X-PINGOTHER', 'pingpong'); 



        req.onreadystatechange = handler; 



The request will include the HTTP headers Content-Type and X-PINGOTHER. Before sending the POST request, the browser will perform a CORS preflight request. The CORS preflight request will include the following header. In this way, the server is made aware of any headers in the client request that follows.

Access-Control-Request-Headers: X-PINGOTHER, Content-Type

Browser compatibility

ChromeVersion 4 and upwards
EdgeVersion 12 and upwards
FirefoxVersion 3.5 and upwards
OperaVersion 12 and upwards
SafariVersion 4 and upwards
Chrome AndroidAll versions supported
Firefox for AndroidVersion 4 and upwards
Opera AndroidVersion 12 and upwards
Safari on iOSVersion 3.2 and upwards
Samsung InternetAll versions supported
WebView AndroidVersion 2 and upwards
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Nikhil Anilkumar
Nikhil Anilkumar
DevSecOps Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.