apply_filters( ‘rest_allowed_cors_headers’, string[] $allow_headers, WP_REST_Request $request )

Filters the list of request headers that are allowed for REST API CORS requests.


The allowed headers are passed to the browser to specify which headers can be passed to the REST API. By default, we allow the Content-* headers needed to upload files to the media endpoints.
As well as the Authorization and Nonce headers for allowing authentication.


The list of request headers to allow.
The request in context.


$allow_headers = apply_filters( 'rest_allowed_cors_headers', $allow_headers, $request );


6.3.0The $request parameter was added.

User Contributed Notes

  1. Skip to note 2 content

    You can remove specific headers using a snippet like the one below

    add_filter( 'rest_allowed_cors_headers', 'wpdocs_block_specific_headers');
    function wpse213123_block_specific_headers( $allow_headers, $request ) {
    	// Check for a specific header item in the list
    	if ( in_array( 'Content-Type', $allow_headers ) ) {
    		unset( 'Content-Type' );
    	return $allow_headers;

You must log in before being able to contribute a note or feedback.