Custom Headers and Allowed Methods
When a browser sends a cross-origin request, the server can control which headers and HTTP methods are permitted by using the Access-Control-Allow-Headers and Access-Control-Allow-Methods response headers. These headers play a key role in defining the boundaries of what is allowed in cross-origin interactions, helping you protect your backend from unwanted or potentially dangerous requests.
The Access-Control-Allow-Headers header tells the browser which request headers, beyond the small set the browser already treats as safe, may be included in the actual request. For example, if your frontend sends a header like X-Auth-Token, the backend must explicitly allow it, and the browser checks this in the response to its preflight (OPTIONS) request before sending the real one. Similarly, Access-Control-Allow-Methods specifies which HTTP methods—such as GET, POST, or PUT—the server will accept from cross-origin requests. By listing only the headers and methods you trust, you can prevent browser-based clients from sending unexpected data or using unsafe operations.
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://trusted.example.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: X-Auth-Token, Content-Type
In this example, the server's preflight response allows requests from https://trusted.example.com to use only the GET and POST methods. It also permits only the X-Auth-Token and Content-Type headers in the request. By restricting both the allowed methods and headers, you reduce the risk of exposing sensitive operations or accepting harmful input. This approach minimizes the attack surface, making it harder for attackers to reach your API from a web page with unexpected methods or custom headers. Keep in mind that CORS is enforced by browsers only: a non-browser client can send any method or header it likes, so these headers complement, rather than replace, authentication and authorization on the server.
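As an added example (not code from the original page), the following JavaScript shows what the server has to decide when a preflight arrives: it reads the Origin, Access-Control-Request-Method and Access-Control-Request-Headers values a browser sends, compares them against an explicit allowlist that mirrors the response above, and either builds the Access-Control-* response headers or refuses the preflight. The policy object, function names and the constructed sample requests are assumptions of this example, not part of any framework.

```javascript
// Added example: a framework-independent CORS preflight evaluator.
// The allowlist below mirrors the response headers discussed on the page
// (assumed values; adjust to your own deployment).
const CORS_POLICY = {
  allowedOrigins: ["https://trusted.example.com"],
  allowedMethods: ["GET", "POST"],
  // Canonical spelling is echoed back; matching is case-insensitive.
  allowedHeaders: ["X-Auth-Token", "Content-Type"],
};

// Access-Control-Request-Headers is a comma-separated list; header names
// are case-insensitive, so normalise to lower case before comparing.
function parseHeaderList(value) {
  if (!value) return [];
  return value
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
}

// Decide the outcome of a preflight. `reqHeaders` is a plain object keyed by
// lower-cased request header name (what most Node servers hand you).
function evaluatePreflight(reqHeaders, policy = CORS_POLICY) {
  const origin = reqHeaders["origin"];
  const method = (reqHeaders["access-control-request-method"] || "").toUpperCase();
  const requested = parseHeaderList(reqHeaders["access-control-request-headers"]);

  const allowedHeaderSet = new Set(policy.allowedHeaders.map((h) => h.toLowerCase()));
  const deny = (reason) => ({ allowed: false, status: 403, reason, headers: {} });

  // 1. Origin must be on the allowlist (never reflect arbitrary origins).
  if (!origin || !policy.allowedOrigins.includes(origin)) {
    return deny("origin not allowed");
  }
  // 2. The method the page wants to use must be allowed.
  if (!policy.allowedMethods.includes(method)) {
    return deny(`method ${method || "(missing)"} not allowed`);
  }
  // 3. Every non-safelisted header the page wants to send must be allowed.
  //    The browser decides what ends up in Access-Control-Request-Headers
  //    (e.g. Content-Type: application/json is listed, form types are not),
  //    so the server simply checks whatever is requested.
  const denied = requested.filter((h) => !allowedHeaderSet.has(h));
  if (denied.length > 0) {
    return deny(`headers not allowed: ${denied.join(", ")}`);
  }

  // Preflight passes: emit only the values from the policy, plus Vary so a
  // shared cache does not serve one origin's answer to another.
  return {
    allowed: true,
    status: 204,
    reason: "ok",
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": policy.allowedMethods.join(", "),
      "Access-Control-Allow-Headers": policy.allowedHeaders.join(", "),
      "Access-Control-Max-Age": "600",
      Vary: "Origin",
    },
  };
}

// Constructed sample preflights (not captured traffic).
const SAMPLE_OK = {
  origin: "https://trusted.example.com",
  "access-control-request-method": "POST",
  "access-control-request-headers": "X-Auth-Token, Content-Type",
};
const SAMPLE_BAD_METHOD = {
  origin: "https://trusted.example.com",
  "access-control-request-method": "DELETE",
};
const SAMPLE_BAD_HEADER = {
  origin: "https://trusted.example.com",
  "access-control-request-method": "GET",
  "access-control-request-headers": "X-Auth-Token, X-Admin-Override",
};

console.log(evaluatePreflight(SAMPLE_OK));
console.log(evaluatePreflight(SAMPLE_BAD_METHOD).reason);
console.log(evaluatePreflight(SAMPLE_BAD_HEADER).reason);
```

On a denied preflight the function returns no Access-Control-* headers at all, which is what makes the browser block the real request; a 403 status is not required for that, but it makes the refusal visible in server logs. Because a non-browser client never sends a preflight, the actual handlers still need their own authentication and authorization checks regardless of what this function returns.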