request header field DNT not allowed by access-control-allow-headers

On the Mobile Safari browser you can come across the error ‘Request header field DNT is not allowed by access-control-allow-headers’ . We’ll explain how to fix this easily.

When you’re doing an AJAX call to a different server (eg. api.javablog.be) then where the original page was loaded (eg. www.javablog.be); you’re essentially doing a cross domain AJAX call. This is blocked by browser due to security reasons.

To support mashup style websites,  you can include a response header in the HTTP answer the server is sending:

Access-Control-Allow-Origin", "*"

The * means that any domain can send the AJAX call. It’s better to limit it to those domains which are allowed access.

Setting only this parameter is not enough to fix Request header field DNT is not allowed by access-control-allow-headers. 

You’ll also need to set the following headers on the server side HTTP response object:

Access-Control-Allow-Methods = GET, POST, OPTIONS, DELETE
Access-Control-Allow-Headers = DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type, Accept-Language, Origin, Accept-Encoding

How you should set the HTTP response parameters depends on your server side technology; here are some helpful links for PHP and JAVA

Leave a Reply

Your email address will not be published. Required fields are marked *