Explain Codes LogoExplain Codes Logo

Access Control Request Headers, is added to header in AJAX request with jQuery

javascript
cors
ajax
jquery
Alex KataevbyAlex Kataev·Jan 12, 2025
TLDR

To tackle AJAX request header problems, ensure your server's response has Access-Control-Allow-Origin:

Access-Control-Allow-Origin: http://yourdomain.com

For custom headers such as X-Custom-Header, have them declared by the server:

Access-Control-Allow-Headers: X-Custom-Header

Don't attempt to set Access-Control-Request-Headers in jQuery—it's handled by your browser. Use the following AJAX pattern instead:

$.ajax({
  url: "https://example.com/api",
  method: 'POST', // POSTing like a Reddit pro
  dataType: 'json', // data type: "json". This ain't no HTML party!
  headers: {
      'Content-Type': 'application/json' // we're talking JSON, baby!
  },
  data: JSON.stringify({ key: 'value' }), // JSONify all the things
  beforeSend: function(xhr) {
      xhr.setRequestHeader('X-Custom-Header', 'custom_value'); // rolling out the red (header) carpet
  },
  processData: false, // ain't nobody got time to process
  success: function(data) { console.log(data); }, // success! Log the data to the console
  error: function(err) { console.error(err); } // something went wrong... time to debug!
});

If after your AJAX setup is spot on but issues persist, tweak your server's CORS policy.

Understanding CORS and Custom Headers

Pre-flight Requests: The Handshake Before the High-Five

The pre-flight requests play a key role in CORS (Cross-Origin Resource Sharing). The browser executes these using the OPTIONS method to check if it's safe to send the actual request, especially when dealing with custom headers or when the requests are not considered simple requests.

Sending Custom Headers: The Right Way

In jQuery, you could be setting custom headers in one of two ways:

  1. Directly in the $.ajax call using the headers property.
  2. Using beforeSend to access xhr (XMLHttpRequest) and then calling setRequestHeader.

Server-side Configuration: CORS Edition

On the server side, ensure that the OPTIONS pre-flight request is handled correctly and that the necessary Access-Control-Allow headers are included in the response. This might require some tweaking in your server's settings if you're using something like Apache or nginx.

JSON and Content-Type: A Love Story

When it comes to sending JSON data, remember to set the correct Content-Type header and stringify the data. To prevent inadvertent data processing by jQuery, don't shy away from setting processData: false.

Debugging with FireBug: Your New Best Friend

Developer tools like FireBug or Chrome's Developer Tools are great for verifying custom headers in your AJAX request and debugging any issues with CORS.

Coping with CORS Issues: Alternatives and Workarounds

If you're still facing CORS issues, consider switching to the fetch API. For extremely challenging cases, you might need to implement server-side proxying.

Dealing with Real-world Scenarios

Dynamically Handling Domains

If your client may come from various domains, ensure there's a server-side check that dynamically sets Access-Control-Allow-Origin to the requesting domain or compares against a white-list.

Handling Credentials

When using credentials with cross-origin requests, set withCredentials: true and ensure the server returns Access-Control-Allow-Credentials: true.

Content-Type Headers: Knowing the Difference

Remember that setting Content-Type to anything other than application/x-www-form-urlencoded, multipart/form-data, or text/plain will trigger a pre-flight request.

Standby Proxies for Extreme Cases

For dire situations where CORS cannot be enabled on the server, consider using a proxy server that attaches the necessary CORS headers to the response.

explain-codes / Javascript / Access Control Request Headers, is added to header in AJAX request with jQuery
Linked

How does the 'Access-Control-Allow-Origin' header work?

How do I send a cross-domain POST request via JavaScript?

Use basic authentication with jQuery and Ajax

Response to preflight request doesn't pass access control check - No 'Access-Control-Allow-Origin' header

Trying to use fetch and pass in mode: no-cors

Allow Access-Control-Allow-Origin header using HTML5 fetch API

Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not?

Understanding CORS and Custom HeadersDealing with Real-world Scenarios
Linked

How does the 'Access-Control-Allow-Origin' header work?

How do I send a cross-domain POST request via JavaScript?

Use basic authentication with jQuery and Ajax

Response to preflight request doesn't pass access control check - No 'Access-Control-Allow-Origin' header

Trying to use fetch and pass in mode: no-cors

Allow Access-Control-Allow-Origin header using HTML5 fetch API

Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not?