A CORS-safelisted request header is one of the following HTTP headers:
- Accept
- Accept-Language
- Content-Language
- Content-Type
When a request contains only these headers (with values that meet the additional requirements laid out below), it doesn't need to send a preflight request in the context of CORS.
You can safelist more headers using the Access-Control-Allow-Headers response header, and you can also list the above headers there to lift the additional restrictions described next.
Additional restrictions
CORS-safelisted headers must also fulfill the following requirements in order to be a CORS-safelisted request header:
- For Accept-Language and Content-Language: can only have values consisting of 0-9, A-Z, a-z, space or *,-.;=.
- For Accept and Content-Type: can't contain a CORS-unsafe request header byte: "():<>?@[\]{}, Delete (0x7F), and the control characters 0x00 to 0x1F other than Tab (0x09), which the Fetch specification exempts.
- For Content-Type: needs to have a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain.
- For any header: the value's length can't be greater than 128 bytes.
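The rules above, implemented as a checker that reports which request headers would fall outside the safelist and therefore force a preflight. This is an added example written for this page, not browser or MDN code; the header names and values at the bottom are constructed inputs, and the exemption of Tab from the unsafe bytes follows the Fetch specification rather than a browser's actual behaviour being tested here.

```javascript
// Added example: classify request headers against the CORS-safelisted
// request header rules. Not browser code; sample requests are constructed.

const SAFE_MIME_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Punctuation bytes that make an Accept or Content-Type value unsafe: "():<>?@[\]{}
const UNSAFE_PUNCTUATION = new Set([...'"():<>?@[\\]{}'].map(c => c.charCodeAt(0)));

// CORS-unsafe request header byte: control bytes below 0x20 except Tab (0x09),
// DEL (0x7F), or one of the punctuation bytes above.
function isCorsUnsafeRequestHeaderByte(b) {
  if (b < 0x20) return b !== 0x09;
  return b === 0x7f || UNSAFE_PUNCTUATION.has(b);
}

// Accept-Language / Content-Language may only contain 0-9, A-Z, a-z, space, *,-.;=
function isLanguageValueSafe(bytes) {
  return bytes.every(b =>
    (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5a) || (b >= 0x61 && b <= 0x7a) ||
    b === 0x20 || '*,-.;='.includes(String.fromCharCode(b)));
}

// MIME type of a Content-Type value ignoring parameters,
// e.g. "text/plain;charset=UTF-8" -> "text/plain"
function mimeEssence(value) {
  return value.split(';')[0].trim().toLowerCase();
}

function isCorsSafelistedRequestHeader(name, value) {
  const bytes = Array.from(new TextEncoder().encode(value));
  if (bytes.length > 128) return false;            // applies to every header
  switch (name.toLowerCase()) {
    case 'accept':
      return !bytes.some(isCorsUnsafeRequestHeaderByte);
    case 'accept-language':
    case 'content-language':
      return isLanguageValueSafe(bytes);
    case 'content-type':
      return !bytes.some(isCorsUnsafeRequestHeaderByte) &&
             SAFE_MIME_TYPES.has(mimeEssence(value));
    default:
      return false; // anything else (Authorization, X-Requested-With, ...) is not safelisted
  }
}

// Names of the headers that are not safelisted. An empty array means the headers
// alone would not trigger a preflight (the method and other factors still apply).
function headersNeedingPreflight(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isCorsSafelistedRequestHeader(name, value))
    .map(([name]) => name);
}

// Constructed sample requests
const formPost = { 'Content-Type': 'application/x-www-form-urlencoded', 'Accept-Language': 'en-US,en;q=0.9' };
const jsonPost = { 'Content-Type': 'application/json', Accept: '*/*' };
const tokenGet = { Authorization: 'Bearer abc', Accept: 'text/html' };

console.log(headersNeedingPreflight(formPost)); // []
console.log(headersNeedingPreflight(jsonPost)); // ['Content-Type']
console.log(headersNeedingPreflight(tokenGet)); // ['Authorization']
```

The Content-Type rule is the security-relevant one: a cross-origin POST with a form-encoded, multipart or text/plain body reaches the server with no preflight at all, exactly like a classic HTML form submission, whereas application/json forces one. A server must therefore not treat "the browser would have preflighted this" as a CSRF defence for any endpoint that accepts those three content types.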
Credits
- Source: https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_request_header
- Published under Open CC Attribution ShareAlike 3.0 license