Modify default Access-Control-Allow-Headers headers #178

googletorp opened this Issue Jul 21, 2012 · 7 comments




I might be staring myself blind here, but have been looking at this for a while.

By default restify outputs

Access-Control-Allow-Headers: Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version

which is a good default, but I would like it to output

Access-Control-Allow-Headers: My-Custom-Header, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version

The only way I've found it possible to do, keeping the default headers, is to reimplement


By doing


which seems a bit overkill to just change the CORS headers a bit. I figure I must be overlooking something. I tried using what was described in #30 but that feature must have been replaced with the default header function. I also tried using the 'MethodNotAllowed' event and handling the OPTIONS call myself, setting the Access-Control-Allow-Headers, but it seems that they were overwritten by the default header function.

So what should you do, if you just want to tweak the headers a bit?

mcavage commented Jul 30, 2012


You can listen for a header event from a restify response; that will be called synchronously right before headers are written to node. Although, I just looked at the source, and it appears it's wrong, as it's emitted right after the writeHead call, so I'll push a fix under this ticket for that.


mypark commented Sep 27, 2012

hiya, was this issue closed? Curious about what the right way to set Access-Control-Allow-Headers is.

+1 on the best approach here? I had to fork the library for now to add an additional allowed header.

I need this too. I can't access my API from a client on another host because it is sending X-Requested-With header which is not included by default.

I resolved my issue. jQuery was adding the header automatically unless I set options.crossDomain = true.

$.ajaxPrefilter(function(options, originalOptions, jqXHR) {
    options.crossDomain = true;
    options.url = _self.baseURL + options.url;
});

joenivl commented Dec 21, 2012

+1, needed X-Requested-With

mcavage commented Dec 26, 2012

This is fully possible in restify 2.0, as it doesn't force you to use the built-ins anymore. Instead that's now a "plugin", which would enable you to easily write your own that does what you need instead of having restify force its presets on you.

mcavage closed this Dec 26, 2012
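
An added example, not code from this thread or from restify: a framework-independent preflight responder that prepends extra headers to the default list quoted in the issue and answers only allow-listed origins, methods and headers instead of reflecting whatever the client requests. `makePreflight`, the sample origin and the status codes used for refusals are assumptions made for illustration.

```javascript
'use strict';

// Default list exactly as quoted in the issue above.
const DEFAULT_ALLOW_HEADERS = [
  'Accept', 'Accept-Version', 'Content-Length', 'Content-MD5',
  'Content-Type', 'Date', 'X-Api-Version'
];

// Hypothetical helper: builds a preflight responder from explicit allow-lists.
function makePreflight({ origins, extraHeaders = [], methods = ['GET', 'POST'] }) {
  const allowHeaders = [...extraHeaders, ...DEFAULT_ALLOW_HEADERS];
  // Header names are case-insensitive, so compare in lower case.
  const allowed = new Set(allowHeaders.map((h) => h.toLowerCase()));

  // reqHeaders: object with lower-cased keys, as Node's http module provides.
  return function preflight(reqHeaders) {
    const origin = reqHeaders['origin'];
    if (!origin || !origins.includes(origin)) {
      return { status: 403, headers: {} }; // unknown origin: no CORS headers at all
    }
    const method = reqHeaders['access-control-request-method'];
    if (!method || !methods.includes(method)) {
      return { status: 405, headers: { Vary: 'Origin' } };
    }
    const requested = (reqHeaders['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const refused = requested.filter((h) => !allowed.has(h));
    if (refused.length > 0) {
      return { status: 403, headers: { Vary: 'Origin' }, refused };
    }
    return {
      status: 204,
      headers: {
        'Access-Control-Allow-Origin': origin, // echo only an allow-listed origin
        'Access-Control-Allow-Methods': methods.join(', '),
        'Access-Control-Allow-Headers': allowHeaders.join(', '),
        Vary: 'Origin' // response differs per origin, so caches must key on it
      }
    };
  };
}

// Constructed sample configuration: one trusted origin, two extra headers.
const preflight = makePreflight({
  origins: ['https://app.example.com'],
  extraHeaders: ['My-Custom-Header', 'X-Requested-With']
});
```
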