apply_filters( 'rest_allowed_cors_headers', string[] $allow_headers, WP_REST_Request $request )

Filters the list of request headers that are allowed for REST API CORS requests.

Description

The allowed headers are passed to the browser to specify which headers can be passed to the REST API. By default, we allow the Content-* headers needed to upload files to the media endpoints, as well as the Authorization and Nonce headers needed for authentication.

Parameters

$allow_headers string[]
The list of request headers to allow.
$request WP_REST_Request
The request in context.
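
The following is an added example, not code from WordPress core or from this page's contributors. It uses the `$request` parameter to allow one extra header on a single REST namespace only, so the CORS allow-list is not widened site-wide. The route prefix `/wpdocs-example/v1/`, the header `X-WPDocs-Client-Version` and the function name are hypothetical.

```php
<?php
/**
 * Added example: allow one extra request header for CORS requests,
 * but only on one REST namespace. Route prefix and header name are
 * hypothetical placeholders.
 */
add_filter( 'rest_allowed_cors_headers', 'wpdocs_scope_cors_headers', 10, 2 );

function wpdocs_scope_cors_headers( $allow_headers, $request = null ) {
	// Hypothetical values for illustration; replace with your own.
	$route_prefix = '/wpdocs-example/v1/';
	$extra_header = 'X-WPDocs-Client-Version';

	// An earlier callback may have returned something other than an array.
	if ( ! is_array( $allow_headers ) ) {
		$allow_headers = array();
	}

	// $request is only passed since 6.3.0; without it, change nothing.
	if ( ! $request instanceof WP_REST_Request ) {
		return $allow_headers;
	}

	// Only widen the list for the namespace that needs the header.
	if ( 0 !== strpos( $request->get_route(), $route_prefix ) ) {
		return $allow_headers;
	}

	// Header names are case-insensitive: do not add a duplicate.
	foreach ( $allow_headers as $header ) {
		if ( is_string( $header ) && 0 === strcasecmp( $header, $extra_header ) ) {
			return $allow_headers;
		}
	}

	$allow_headers[] = $extra_header;

	return $allow_headers;
}
```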

Source

$allow_headers = apply_filters( 'rest_allowed_cors_headers', $allow_headers, $request );

Changelog

Version  Description
6.3.0    The $request parameter was added.
5.5.0    Introduced.

User Contributed Notes

  1. You can remove specific headers using a snippet like the one below:

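    add_filter( 'rest_allowed_cors_headers', 'wpdocs_block_specific_headers', 10, 2 );
    
    function wpdocs_block_specific_headers( $allow_headers, $request ) {
    	// Check for a specific header item in the list
    	$key = array_search( 'Content-Type', $allow_headers, true );
    	if ( false !== $key ) {
    		// unset() needs the array element, not the header name
    		unset( $allow_headers[ $key ] );
    	}
    	
    	// Re-index so the list stays a sequential array
    	return array_values( $allow_headers );
    }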
