This response header is helpful as a response to a preflight request by indicating which HTTP headers can be actually used during the actual request.This header is required if the request has an Access-Control-Request-Headers header.
This header shows up just for preflight requests. Any preflight request would respond to “OPTIONS” header and should have headers, “Access-Control-Allow-Methods” along with “Access-Control-Allow-Headers” if by chance there is any presence of author request headers preflight-request. When there isn’t either a method or header match on any of the author request header then preflight would fail and we would not be able to see Access-Control-Allow-Headers.
This header is a comma-delimited list of all the supported possible request headers. It can list down all headers that are supported by server and not just the headers which are requested in preflight request.
Enablement in Apache:
The below mentioned syntax is added as a part of configuration file.
Header always set Access-Control-Allow-Headers “x-requested-with, Content-Type, origin, authorization, accept, client-security-token”
Enablement in Nginx:
The syntax given below is added in “nginx.conf” file.
add_header ‘Access-Control-Allow-Headers’ ‘Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With’ always;