Allowed Request Headers by XHR

Lists all the request headers that a script is allowed to set via XHR (XMLHttpRequest) on a same-domain request.

By: Anonymous
Seen 750 times
Tags: xhr, headers

Results


Tested on: Chrome - 66 - Windows 7

HTTP Header                       Is Allowed?
X-CUSTOM-HEADER                   Allowed
X-CSRF                            Allowed
Accept-Charset                    Not Allowed
Access-Control-Request-Headers    Not Allowed
Access-Control-Request-Method     Not Allowed
Cookie2                           Not Allowed
Date                              Not Allowed
DNT                               Not Allowed
Expect                            Not Allowed
Keep-Alive                        Not Allowed
TE                                Not Allowed
Trailer                           Not Allowed
Upgrade                           Not Allowed
Via                               Allowed
PORT                              Allowed
IP                                Allowed
X-Forwarded-For                   Allowed
Authorization                     Allowed
Content-Length                    Not Allowed
Content-Type                      Allowed

Tested on: Firefox - 52 - Linux

HTTP Header                       Is Allowed?
X-CUSTOM-HEADER                   Allowed
X-CSRF                            Allowed
Accept-Charset                    Not Allowed
Access-Control-Request-Headers    Not Allowed
Access-Control-Request-Method     Not Allowed
Cookie2                           Not Allowed
Date                              Not Allowed
DNT                               Not Allowed
Expect                            Not Allowed
Keep-Alive                        Not Allowed
TE                                Not Allowed
Trailer                           Not Allowed
Upgrade                           Not Allowed
Via                               Allowed
PORT                              Allowed
IP                                Allowed
X-Forwarded-For                   Allowed
Authorization                     Allowed
Content-Length                    Not Allowed
Content-Type                      Allowed

Tested on: Unknown Browser - Unknown Version - Unknown OS

HTTP Header                       Is Allowed?
X-CUSTOM-HEADER                   Allowed
X-CSRF                            Not Allowed
Accept-Charset                    Not Allowed
Access-Control-Request-Headers    Not Allowed
Access-Control-Request-Method     Not Allowed
Cookie2                           Not Allowed
Date                              Not Allowed
DNT                               Not Allowed
Expect                            Not Allowed
Keep-Alive                        Not Allowed
TE                                Not Allowed
Trailer                           Not Allowed
Upgrade                           Not Allowed
Via                               Not Allowed
PORT                              Not Allowed
IP                                Not Allowed
X-Forwarded-For                   Allowed

Tested on: Googlebot - 2.1 - undefined

HTTP Header                       Is Allowed?
X-CUSTOM-HEADER                   Probably Not. Some Error Occurred
X-CSRF                            Probably Not. Some Error Occurred
Accept-Charset                    Not Allowed
Access-Control-Request-Headers    Not Allowed
Access-Control-Request-Method     Not Allowed
Cookie2                           Not Allowed
Date                              Not Allowed
DNT                               Not Allowed
Expect                            Not Allowed
Keep-Alive                        Not Allowed
TE                                Not Allowed
Trailer                           Not Allowed
Upgrade                           Not Allowed
Via                               Allowed
PORT                              Not Allowed
IP                                Not Allowed
X-Forwarded-For                   Allowed
Authorization                     Not Allowed
Content-Length                    Not Allowed
Content-Type                      Not Allowed

Tested on: Mobile Safari - 7 - iOS

HTTP Header                       Is Allowed?
X-CUSTOM-HEADER                   Allowed
X-CSRF                            Allowed
Accept-Charset                    Not Allowed
Access-Control-Request-Headers    Not Allowed
Access-Control-Request-Method     Not Allowed
Cookie2                           Not Allowed
Date                              Not Allowed
DNT                               Allowed
Expect                            Not Allowed
Keep-Alive                        Not Allowed
TE                                Not Allowed
Trailer                           Not Allowed
Upgrade                           Not Allowed
Via                               Not Allowed
PORT                              Allowed
IP                                Allowed
X-Forwarded-For                   Allowed

Tested on: Safari - 8 - Mac OS X

HTTP Header                       Is Allowed?
X-CUSTOM-HEADER                   Allowed
X-CSRF                            Allowed
Accept-Charset                    Not Allowed
Access-Control-Request-Headers    Not Allowed
Access-Control-Request-Method     Not Allowed
Cookie2                           Not Allowed
Date                              Not Allowed
DNT                               Allowed
Expect                            Not Allowed
Keep-Alive                        Not Allowed
TE                                Not Allowed
Trailer                           Not Allowed
Upgrade                           Not Allowed
Via                               Not Allowed
PORT                              Allowed
IP                                Allowed
X-Forwarded-For                   Allowed

Tested on: Chrome Mobile - 41 - Android

HTTP Header                       Is Allowed?
X-CUSTOM-HEADER                   Allowed
X-CSRF                            Not Allowed
Accept-Charset                    Not Allowed
Access-Control-Request-Headers    Not Allowed
Access-Control-Request-Method     Not Allowed
Cookie2                           Not Allowed
Date                              Not Allowed
DNT                               Not Allowed
Expect                            Not Allowed
Keep-Alive                        Not Allowed
TE                                Not Allowed
Trailer                           Not Allowed
Upgrade                           Not Allowed
Via                               Allowed
PORT                              Not Allowed
IP                                Not Allowed
X-Forwarded-For                   Allowed
Authorization                     Not Allowed
Content-Length                    Not Allowed
Content-Type                      Not Allowed

Tested on: IE - 11 - Windows 10

HTTP Header                       Is Allowed?
X-CUSTOM-HEADER                   Not Allowed
X-CSRF                            Not Allowed
Accept-Charset                    Not Allowed
Access-Control-Request-Headers    Not Allowed
Access-Control-Request-Method     Not Allowed
Cookie2                           Not Allowed
Date                              Not Allowed
DNT                               Allowed
Expect                            Not Allowed
Keep-Alive                        Not Allowed
TE                                Not Allowed
Trailer                           Not Allowed
Upgrade                           Not Allowed
Via                               Not Allowed
PORT                              Not Allowed
IP                                Not Allowed
X-Forwarded-For                   Allowed
Authorization                     Not Allowed
Content-Length                    Not Allowed
Content-Type                      Not Allowed

Tested on: Opera - 43 - Windows 7

HTTP Header                       Is Allowed?
X-CUSTOM-HEADER                   Allowed
X-CSRF                            Allowed
Accept-Charset                    Not Allowed
Access-Control-Request-Headers    Not Allowed
Access-Control-Request-Method     Not Allowed
Cookie2                           Not Allowed
Date                              Not Allowed
DNT                               Allowed
Expect                            Not Allowed
Keep-Alive                        Not Allowed
TE                                Not Allowed
Trailer                           Not Allowed
Upgrade                           Not Allowed
Via                               Not Allowed
PORT                              Allowed
IP                                Allowed
X-Forwarded-For                   Allowed
Authorization                     Allowed
Content-Length                    Not Allowed
Content-Type                      Allowed

Tested on: Edge - 17.17134 - Windows 10

HTTP Header                       Is Allowed?
X-CUSTOM-HEADER                   Allowed
X-CSRF                            Allowed
Accept-Charset                    Not Allowed
Access-Control-Request-Headers    Not Allowed
Access-Control-Request-Method     Not Allowed
Cookie2                           Not Allowed
Date                              Not Allowed
DNT                               Not Allowed
Expect                            Not Allowed
Keep-Alive                        Not Allowed
TE                                Not Allowed
Trailer                           Not Allowed
Upgrade                           Not Allowed
Via                               Allowed
PORT                              Allowed
IP                                Allowed
X-Forwarded-For                   Allowed
Authorization                     Allowed
Content-Length                    Not Allowed
Content-Type                      Allowed

User Script (ENUM_FUNCTION)

					
// http://domstorm.skepticfx.com/request/headers - Gives all the HTTP Request Headers in the given request.

function test(data) {
    // Each header name is tested one at a time: set it on a synchronous
    // same-domain XHR, then ask the helper endpoint which request headers
    // it actually received.
    try {
        var xhr = new XMLHttpRequest();
        xhr.open('GET', '/helper/headers', false); // Same Domain Request (synchronous)
        xhr.setRequestHeader(data, 'someValue');
        xhr.send();
        var headers = JSON.parse(xhr.responseText);
        // Presence check only (the helper is expected to key the JSON by
        // lower-cased header name). A header of the same name added by an
        // intermediary on the way to the helper would also count as "Allowed".
        if (headers.hasOwnProperty(data.toLowerCase())) {
            addInfo(data, 'Allowed');
        } else {
            addError(data, 'Not Allowed');
        }
    } catch (err) {
        // Forbidden header names are dropped silently, so they end up as
        // "Not Allowed" above; this branch catches setRequestHeader() throwing
        // on an invalid name, a failed send(), or an unparseable response.
        addError(data, 'Probably Not. Some Error Occurred');
    }
}

					
				

Enum Data (ENUM_FUNCTION)

					
// Author Request Headers - http://www.w3.org/TR/XMLHttpRequest/#author-request-headers
// 4.6.2 The setRequestHeader() method
// http://www.w3.org/TR/XMLHttpRequest/#dom-xmlhttprequest-setrequestheader

// This does not include the set of headers that are already sent by default, for example Cookie or Accept-Charset.

var data = [
    'X-CUSTOM-HEADER', 'X-CSRF', 'Accept-Charset', 'Access-Control-Request-Headers',
    'Access-Control-Request-Method', 'Cookie2', 'Date', 'DNT', 'Expect', 'Keep-Alive',
    'TE', 'Trailer', 'Upgrade', 'Via', 'PORT', 'IP', 'X-Forwarded-For',
    'Authorization', 'Content-Length', 'Content-Type'
];
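The user script above records what each browser did; the piece it leaves out is what the specification says should happen, which is what separates spec-mandated "Not Allowed" rows from browser quirks. The block below is an added example, not DOMStorm's code and not part of the original test: it encodes the WHATWG Fetch standard's forbidden request-header rule (name list, the Proxy-/Sec- prefixes, and the value-dependent rule for method-override headers) as I know it from the current standard, runs it over the page's own enum list with the test's 'someValue', and compares the verdict with the Chrome 66 and Safari 8 rows copied from the tables above. The forbidden list exists so that script cannot spoof the headers servers and intermediaries rely on (Host, Origin, Referer, Cookie and the like); the flip side, visible in the tables, is that anything not on the list, such as X-Forwarded-For, Authorization or any X- header, is freely settable by a same-origin script and must not be treated by server-side code as evidence of where a browser request came from. That same property is what makes a custom header like X-CSRF a usable CSRF defence: only same-origin script, or a cross-origin caller that passed a CORS preflight, can set it.

```javascript
// Added example (not DOMStorm's code). Encodes the Fetch standard's forbidden
// request-header rule as I know it and compares it with results copied from the
// page's tables. Older browsers in those tables predate parts of the list.

// Header names a script may never set on an XHR or fetch() request
// (matched case-insensitively).
const FORBIDDEN_REQUEST_HEADER_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin', 'referer',
  'set-cookie', 'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);

// Any name starting with one of these prefixes is forbidden as well.
const FORBIDDEN_PREFIXES = ['proxy-', 'sec-'];

// Method-override headers are forbidden only when one of their comma-separated
// values names a method that scripts must never send.
const METHOD_OVERRIDE_HEADERS = new Set([
  'x-http-method', 'x-http-method-override', 'x-method-override',
]);
const FORBIDDEN_METHODS = new Set(['CONNECT', 'TRACE', 'TRACK']);

// Returns true when the Fetch standard says setRequestHeader(name, value)
// must silently drop the header.
function isForbiddenRequestHeader(name, value = '') {
  const n = String(name).toLowerCase();
  if (FORBIDDEN_REQUEST_HEADER_NAMES.has(n)) return true;
  if (FORBIDDEN_PREFIXES.some((prefix) => n.startsWith(prefix))) return true;
  if (METHOD_OVERRIDE_HEADERS.has(n)) {
    return String(value)
      .split(',')
      .some((method) => FORBIDDEN_METHODS.has(method.trim().toUpperCase()));
  }
  return false;
}

// The page's own enum list, unchanged.
const TESTED_HEADERS = [
  'X-CUSTOM-HEADER', 'X-CSRF', 'Accept-Charset', 'Access-Control-Request-Headers',
  'Access-Control-Request-Method', 'Cookie2', 'Date', 'DNT', 'Expect', 'Keep-Alive',
  'TE', 'Trailer', 'Upgrade', 'Via', 'PORT', 'IP', 'X-Forwarded-For',
  'Authorization', 'Content-Length', 'Content-Type',
];

// Results copied from the page's tables (true = "Allowed", false = "Not Allowed").
const OBSERVED_CHROME_66 = {
  'X-CUSTOM-HEADER': true, 'X-CSRF': true, 'Accept-Charset': false,
  'Access-Control-Request-Headers': false, 'Access-Control-Request-Method': false,
  'Cookie2': false, 'Date': false, 'DNT': false, 'Expect': false, 'Keep-Alive': false,
  'TE': false, 'Trailer': false, 'Upgrade': false, 'Via': true, 'PORT': true,
  'IP': true, 'X-Forwarded-For': true, 'Authorization': true,
  'Content-Length': false, 'Content-Type': true,
};
const OBSERVED_SAFARI_8 = {
  'X-CUSTOM-HEADER': true, 'X-CSRF': true, 'Accept-Charset': false,
  'Access-Control-Request-Headers': false, 'Access-Control-Request-Method': false,
  'Cookie2': false, 'Date': false, 'DNT': true, 'Expect': false, 'Keep-Alive': false,
  'TE': false, 'Trailer': false, 'Upgrade': false, 'Via': false, 'PORT': true,
  'IP': true, 'X-Forwarded-For': true,
};

// One row per tested header: the spec's verdict, the recorded result, and
// whether they agree. Headers a table did not test are skipped.
function compareWithSpec(observed) {
  return TESTED_HEADERS
    .filter((h) => Object.prototype.hasOwnProperty.call(observed, h))
    .map((h) => {
      const specAllows = !isForbiddenRequestHeader(h, 'someValue');
      return { header: h, specAllows, observed: observed[h], agrees: specAllows === observed[h] };
    });
}

// Names where the recorded result differs from the spec's verdict.
function deviations(observed) {
  return compareWithSpec(observed).filter((row) => !row.agrees).map((row) => row.header);
}

// Stand-alone run: report the deviations for both copied tables.
for (const [label, observed] of [['Chrome 66', OBSERVED_CHROME_66], ['Safari 8', OBSERVED_SAFARI_8]]) {
  console.log(`${label}: deviations from the Fetch list -> ${deviations(observed).join(', ') || 'none'}`);
}
```

Two caveats apply when reading the tables against this list. The user script reports a header as Allowed whenever the helper endpoint sees a header of that name; it never checks that the value is the script's 'someValue', so a header that a proxy or CDN adds on the way to the helper shows up as Allowed too, which is one reading of X-Forwarded-For being Allowed even in the IE 11 and Googlebot rows where every custom header was Not Allowed. And the forbidden list has changed over time: DNT, which the Chrome, Firefox and Edge rows drop but the Safari, IE and Opera rows accept, is the visible example, so an older browser that accepts a name now on the list is not necessarily deviating from the specification it implemented.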