
CORS Safelisted Request Header

A CORS-safelisted request header is one of the following HTTP headers:


A request that contains only these headers (with values that meet the additional requirements laid out below) doesn't need to send a preflight request in the context of CORS.

A server can safelist more headers using the Access-Control-Allow-Headers response header. Listing the above headers there as well circumvents the following additional restrictions.

Additional restrictions

A header from the list above counts as a CORS-safelisted request header only if it also fulfills the following requirements:

  • Accept-Language and Content-Language can only have values consisting of 0-9, A-Z, a-z, space or *,-.;=
  • Accept and Content-Type can't contain a CORS-unsafe request header byte: 0x00-0x1F (except for 0x09 (HT), which is allowed), "():<>?@[\]{} and 0x7F (DEL).
  • Content-Type needs to have a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain.
  • Range needs to have a value of a single byte range in the form of bytes=[0-9]+-[0-9]*. See the Range header documentation for more details.
  • For any header: the value's length can't be greater than 128.


Updated on April 20, 2024 by Datarist.