ravishi

Reputation: 3579

Recommended CORS Allow and Expose Headers

enable-cors.org's nginx config suggests using the below values for Access-Control-Allow-Headers and Access-Control-Expose-Headers. But there isn't much explanation of why these are recommended except "Custom headers and headers various browsers *should* be OK with but aren't." I'd rather not inflate the payload for every API request if some of these are not needed for my application.

I know I could remove them and wait for something to break but I'm hoping for some background on why/how they were selected so I can make a more educated decision on whether they are necessary for my application. i.e. were they recommended to support a browser that my application doesn't need to support?

Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range

Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range

For the Allow-Headers, I can understand for most of them why a client would want to send them. X-CustomHeader stands out as an oddball, though. Also, I tested on Chrome that even if User-Agent isn't explicitly allowed, Chrome still sends it. This implies that these options were added for browser compatibility that my app might not need.

For the Expose-Headers, it seems like it would be very application specific on which headers a client needs to read. Why would a client need to read User-Agent, DNT, or X-Requested-With? They contain info meant for the server to consume, not the client. Additionally, Cache-Control and Content-Range are already enabled by default so they seem redundant here.

Upvotes: 3

Views: 3710

Answers (1)

ravishi

Reputation: 3579

I ended up going through each header and determining if it was necessary. I compiled a list of changes:

  • Changes for both Allow and Expose
    • Removed from both since they are non-standard headers
      • X-CustomHeader
    • Removed from both since they are non-standard and semi-deprecated
      • Keep-Alive
  • Changes for Allow:
    • Removed since they are response-specific headers (used only for servers to inform client)
      • Content-Range
    • Kept even though they are enabled by default but only for certain types of requests (as per MDN):
      • Content-Type
  • Changes for Expose:
    • Removed since they are already enabled by default (as per MDN)
      • Cache-Control
      • Content-Type
    • Removed since they are request-specific headers (used only for clients to inform server)
      • DNT
      • User-Agent
      • X-Requested-With
      • If-Modified-Since
      • Range
    • Added since they seem useful
      • Content-Length

This leaves me with the following:

Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range

Access-Control-Expose-Headers: Content-Length,Content-Range

Any comments or corrections would be greatly appreciated.

Upvotes: 5
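The reasoning in the answer (which request headers actually need allowlisting, which response headers are readable without Expose-Headers, why User-Agent got sent regardless) maps onto a few rules from the Fetch standard. The following is an added example, not code from the question or answer, that models those rules so you can check a proposed Allow/Expose list against the headers your application really uses. The safelists are the ones the Fetch standard defines; the forbidden-header list is an illustrative subset (the browser sets those headers itself, so a script cannot add them and they never need allowlisting); byte-level value checks on Accept and Content-Type are omitted, and the newer safelisting of a simple Range header is not modelled.

```javascript
// Added example (not from the original post): model the Fetch-standard rules that decide
// which request headers must appear in Access-Control-Allow-Headers and which response
// headers JS can read without Access-Control-Expose-Headers.

// Request headers a browser will send without a preflight, subject to value checks below.
const SAFELISTED_REQUEST = new Set(["accept", "accept-language", "content-language", "content-type"]);
// Content-Type values that keep a request "simple"; anything else (e.g. application/json)
// triggers a preflight and must be allowlisted.
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
// Illustrative subset of Fetch "forbidden header names": page scripts cannot set these, the
// browser does. They never need to be in Allow-Headers, which is why a server that does not
// allow DNT or Keep-Alive loses nothing.
const FORBIDDEN_REQUEST = new Set(["cookie", "host", "origin", "referer", "dnt", "keep-alive", "connection", "content-length"]);
// Response headers readable cross-origin with no Expose-Headers at all (CORS-safelisted
// response headers per the Fetch standard; Content-Range is notably absent).
const SAFELISTED_RESPONSE = new Set(["cache-control", "content-language", "content-length", "content-type", "expires", "last-modified", "pragma"]);

function parseHeaderList(value) {
  return new Set((value || "").split(",").map(h => h.trim().toLowerCase()).filter(Boolean));
}

function isSafelistedRequestHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_REQUEST.has(n)) return false;
  if (value.length > 128) return false; // per-value length limit in the standard
  if (n === "content-type") {
    const essence = value.split(";")[0].trim().toLowerCase(); // drop "; charset=..." parameters
    return SAFE_CONTENT_TYPES.has(essence);
  }
  return true;
}

// Header names (lower-cased) that Access-Control-Allow-Headers must cover for this request.
function headersNeedingAllow(requestHeaders) {
  return Object.entries(requestHeaders)
    .filter(([name, value]) => !isSafelistedRequestHeader(name, value))
    .filter(([name]) => !FORBIDDEN_REQUEST.has(name.toLowerCase()))
    .map(([name]) => name.toLowerCase());
}

// Would a preflight succeed given the server's Access-Control-Allow-Headers value?
// "*" is a wildcard only for non-credentialed requests, and never covers Authorization.
function preflightAllows(allowHeadersValue, requestHeaders, { credentials = false } = {}) {
  const allowed = parseHeaderList(allowHeadersValue);
  const wildcard = allowed.has("*") && !credentials;
  const missing = headersNeedingAllow(requestHeaders)
    .filter(name => !allowed.has(name) && !(wildcard && name !== "authorization"));
  return { ok: missing.length === 0, missing };
}

// Which of the response's headers can fetch()'s response.headers.get() see?
// Same wildcard rule: "*" is literal (not a wildcard) on credentialed requests.
function readableResponseHeaders(exposeHeadersValue, responseHeaders, { credentials = false } = {}) {
  const exposed = parseHeaderList(exposeHeadersValue);
  const wildcard = exposed.has("*") && !credentials;
  return Object.keys(responseHeaders)
    .map(h => h.toLowerCase())
    .filter(h => SAFELISTED_RESPONSE.has(h) || exposed.has(h) || wildcard)
    .sort();
}

// Constructed sample request/response, checked against the answer's final header lists.
const ANSWER_ALLOW = "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range";
const ANSWER_EXPOSE = "Content-Length,Content-Range";
const sampleRequest = { "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest", "Accept": "*/*", "DNT": "1" };
const sampleResponse = { "Content-Type": "application/json", "Content-Range": "bytes 0-9/100", "X-Request-Id": "abc", "Cache-Control": "no-store" };

console.log(headersNeedingAllow(sampleRequest));                       // content-type, x-requested-with
console.log(preflightAllows(ANSWER_ALLOW, sampleRequest));             // ok: true
console.log(readableResponseHeaders(ANSWER_EXPOSE, sampleResponse));   // cache-control, content-range, content-type
```

The practical check is `preflightAllows` with the exact headers your client code sets: if `missing` is empty for every call site, the rest of the Allow list is dead weight. Note that a wildcard Allow-Headers does not extend to Authorization, and that neither wildcard applies once the request carries credentials, so credentialed APIs have to enumerate names explicitly.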
