allow-header

The allow-header entry specifies which headers are presented in preflight responses to clients as acceptable to use when making cross-origin requests to resources which this policy is applicable to.

allow-header = <origin>

Description

A header which is permitted when making cross-origin requests to the resources protected by this policy. This configuration entry may be specified multiple times to indicate multiple allowable headers. A value of '*' can be specified to indicate that any header is acceptable, in this case the reverse proxy responds with any header(s) presented by the client in the Access-Control-Request-Headers header. When configured with a header or list of headers, this configuration entry adds the following header to pre-flight responses:

Access-Control-Allow-Headers = <any values given in this policy> 

When configured with '*', this configuration entry adds the following header to pre-flight responses:

Access-Control-Allow-Header = <any value presented by the client in the Access-Control-Request-Headers>

The following simple headers are always considered allowed and are never returned in the Access-Control-Allow-Headers header:

Accept
Accept-Language
Content-Language
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data
Content-Type: text/plain

This entry only affects only pre-flight requests.

Options

header

This entry should either be '*' or a header name.

Usage: We can specify multiple entries if needed. The header matching performed is not case sensitive.

If an '*' entry is specified, all other allow-header entries for this policy are ignored.

Default value: None.

Example:

allow-header = X-IBM-VERSION
allow-header = X-IBM-ROUTE

Parent topic: [cors-policy:policy-name] stanza