Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


Modify default Access-Control-Allow-Headers headers #178

googletorp opened this Issue · 7 comments

6 participants


I might be staring myself blind here, but have been looking at this for a while.

By default the restify outputs

Access-Control-Allow-Headers: Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version

which is a goo default, but I would like it to output

Access-Control-Allow-Headers: My-Custom-Header, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version

The only way I've found it possible to do with, keeping the deault headers is to reimplement


By doing


which seems a bit overkill to just change the CORS headers a bit. I figure I must be overlooking something. I tried using what was described in #30 but that feature must have been replaced with the default header function. I also tried using the 'MethodNotAllowed' event and handle the OPTIONS call myself, setting the Access-Control-Allow-Headers but it seems that they were overwritten by the default header function.

So what should you do, if you just want to tweak the headers a bit?



You can listen for a header event from a restify response; that will be called synchronously right before headers are written to node. Although, I just looked at the source, and it appears it's wrong, as it's emitted right after the writeHead call, so I'll push a fix under this ticket for that.



hiya, was this issue closed? Curious about what the right way to set Access-Control-Allow-Headers is.


+1 on the best approach here? I had to fork the library for now to add an additional allowed header.


I need this too. I can't access my API from a client on another host because it is sending X-Requested-With header which is not included by default.


I resolved my issue. jQuery was adding the header automatically unless I set options.crossDomain = true.

$.ajaxPrefilter(function(options, originalOptions, jqXHR) {
    options.crossDomain = true;
    options.url = _self.baseURL + options.url;

+1, needed X-Requested-With


This is fully possible in restify 2.0, as it doesn't force you to use the built-ins anymore. Instead that's now a "plugin", which would enable you to easily write your own that does what you need instead of having restify force its presets on you.

@mcavage mcavage closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.