Allowed Request Headers by XHR

Lists which request headers XHR allows a script to set on a same-domain request.

By: Anonymous 1 | Seen 929 times
Tags: xhr headers

Results


Tested on: Chrome - 66 - Windows 7
HTTP Header | Is Allowed?
X-CUSTOM-HEADER | Allowed
X-CSRF | Allowed
Accept-Charset | Not Allowed
Access-Control-Request-Headers | Not Allowed
Access-Control-Request-Method | Not Allowed
Cookie2 | Not Allowed
Date | Not Allowed
DNT | Not Allowed
Expect | Not Allowed
Keep-Alive | Not Allowed
TE | Not Allowed
Trailer | Not Allowed
Upgrade | Not Allowed
Via | Allowed
PORT | Allowed
IP | Allowed
X-Forwarded-For | Allowed
Authorization | Allowed
Content-Length | Not Allowed
Content-Type | Allowed

Tested on: Firefox - 52 - Linux
HTTP Header | Is Allowed?
X-CUSTOM-HEADER | Allowed
X-CSRF | Allowed
Accept-Charset | Not Allowed
Access-Control-Request-Headers | Not Allowed
Access-Control-Request-Method | Not Allowed
Cookie2 | Not Allowed
Date | Not Allowed
DNT | Not Allowed
Expect | Not Allowed
Keep-Alive | Not Allowed
TE | Not Allowed
Trailer | Not Allowed
Upgrade | Not Allowed
Via | Allowed
PORT | Allowed
IP | Allowed
X-Forwarded-For | Allowed
Authorization | Allowed
Content-Length | Not Allowed
Content-Type | Allowed

Tested on: Unknown Browser - Unknown Version - Unknown OS
HTTP Header | Is Allowed?
X-CUSTOM-HEADER | Allowed
X-CSRF | Not Allowed
Accept-Charset | Not Allowed
Access-Control-Request-Headers | Not Allowed
Access-Control-Request-Method | Not Allowed
Cookie2 | Not Allowed
Date | Not Allowed
DNT | Not Allowed
Expect | Not Allowed
Keep-Alive | Not Allowed
TE | Not Allowed
Trailer | Not Allowed
Upgrade | Not Allowed
Via | Not Allowed
PORT | Not Allowed
IP | Not Allowed
X-Forwarded-For | Allowed

Tested on: Googlebot - 2.1 - undefined
HTTP Header | Is Allowed?
X-CUSTOM-HEADER | Probably Not. Some Error Occured
X-CSRF | Probably Not. Some Error Occured
Accept-Charset | Probably Not. Some Error Occured
Access-Control-Request-Headers | Probably Not. Some Error Occured
Access-Control-Request-Method | Probably Not. Some Error Occured
Cookie2 | Probably Not. Some Error Occured
Date | Probably Not. Some Error Occured
DNT | Probably Not. Some Error Occured
Expect | Probably Not. Some Error Occured
Keep-Alive | Probably Not. Some Error Occured
TE | Probably Not. Some Error Occured
Trailer | Probably Not. Some Error Occured
Upgrade | Probably Not. Some Error Occured
Via | Probably Not. Some Error Occured
PORT | Probably Not. Some Error Occured
IP | Probably Not. Some Error Occured
X-Forwarded-For | Probably Not. Some Error Occured
Authorization | Probably Not. Some Error Occured
Content-Length | Probably Not. Some Error Occured
Content-Type | Probably Not. Some Error Occured

Tested on: Mobile Safari - 7 - iOS
HTTP Header | Is Allowed?
X-CUSTOM-HEADER | Allowed
X-CSRF | Allowed
Accept-Charset | Not Allowed
Access-Control-Request-Headers | Not Allowed
Access-Control-Request-Method | Not Allowed
Cookie2 | Not Allowed
Date | Not Allowed
DNT | Allowed
Expect | Not Allowed
Keep-Alive | Not Allowed
TE | Not Allowed
Trailer | Not Allowed
Upgrade | Not Allowed
Via | Not Allowed
PORT | Allowed
IP | Allowed
X-Forwarded-For | Allowed

Tested on: Safari - 8 - Mac OS X
HTTP Header | Is Allowed?
X-CUSTOM-HEADER | Allowed
X-CSRF | Allowed
Accept-Charset | Not Allowed
Access-Control-Request-Headers | Not Allowed
Access-Control-Request-Method | Not Allowed
Cookie2 | Not Allowed
Date | Not Allowed
DNT | Allowed
Expect | Not Allowed
Keep-Alive | Not Allowed
TE | Not Allowed
Trailer | Not Allowed
Upgrade | Not Allowed
Via | Not Allowed
PORT | Allowed
IP | Allowed
X-Forwarded-For | Allowed

Tested on: Chrome Mobile - 41 - Android
HTTP Header | Is Allowed?
X-CUSTOM-HEADER | Probably Not. Some Error Occured
X-CSRF | Probably Not. Some Error Occured
Accept-Charset | Probably Not. Some Error Occured
Access-Control-Request-Headers | Probably Not. Some Error Occured
Access-Control-Request-Method | Probably Not. Some Error Occured
Cookie2 | Probably Not. Some Error Occured
Date | Probably Not. Some Error Occured
DNT | Probably Not. Some Error Occured
Expect | Probably Not. Some Error Occured
Keep-Alive | Probably Not. Some Error Occured
TE | Probably Not. Some Error Occured
Trailer | Probably Not. Some Error Occured
Upgrade | Probably Not. Some Error Occured
Via | Probably Not. Some Error Occured
PORT | Probably Not. Some Error Occured
IP | Probably Not. Some Error Occured
X-Forwarded-For | Probably Not. Some Error Occured
Authorization | Probably Not. Some Error Occured
Content-Length | Probably Not. Some Error Occured
Content-Type | Probably Not. Some Error Occured

Tested on: IE - 11 - Windows 10
HTTP Header | Is Allowed?
X-CUSTOM-HEADER | Not Allowed
X-CSRF | Not Allowed
Accept-Charset | Not Allowed
Access-Control-Request-Headers | Not Allowed
Access-Control-Request-Method | Not Allowed
Cookie2 | Not Allowed
Date | Not Allowed
DNT | Allowed
Expect | Not Allowed
Keep-Alive | Not Allowed
TE | Not Allowed
Trailer | Not Allowed
Upgrade | Not Allowed
Via | Not Allowed
PORT | Not Allowed
IP | Not Allowed
X-Forwarded-For | Allowed
Authorization | Not Allowed
Content-Length | Not Allowed
Content-Type | Not Allowed

Tested on: Opera - 43 - Windows 7
HTTP Header | Is Allowed?
X-CUSTOM-HEADER | Allowed
X-CSRF | Allowed
Accept-Charset | Not Allowed
Access-Control-Request-Headers | Not Allowed
Access-Control-Request-Method | Not Allowed
Cookie2 | Not Allowed
Date | Not Allowed
DNT | Allowed
Expect | Not Allowed
Keep-Alive | Not Allowed
TE | Not Allowed
Trailer | Not Allowed
Upgrade | Not Allowed
Via | Not Allowed
PORT | Allowed
IP | Allowed
X-Forwarded-For | Allowed
Authorization | Allowed
Content-Length | Not Allowed
Content-Type | Allowed

Tested on: Edge - 17.17134 - Windows 10
HTTP Header | Is Allowed?
X-CUSTOM-HEADER | Allowed
X-CSRF | Allowed
Accept-Charset | Not Allowed
Access-Control-Request-Headers | Not Allowed
Access-Control-Request-Method | Not Allowed
Cookie2 | Not Allowed
Date | Not Allowed
DNT | Not Allowed
Expect | Not Allowed
Keep-Alive | Not Allowed
TE | Not Allowed
Trailer | Not Allowed
Upgrade | Not Allowed
Via | Allowed
PORT | Allowed
IP | Allowed
X-Forwarded-For | Allowed
Authorization | Allowed
Content-Length | Not Allowed
Content-Type | Allowed

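User Script (ENUM_FUNCTION)

// http://domstorm.skepticfx.com/request/headers - Returns all the HTTP request headers of the given request.

function test(data) {
    // Each header name from the enum data is tested in its own request.
    try {
        var xhr = new XMLHttpRequest();
        xhr.open('GET', '/helper/headers', false); // Synchronous same-domain request
        xhr.setRequestHeader(data, 'someValue');
        xhr.send();
        // The helper echoes back the request headers it received as JSON.
        var headers = JSON.parse(xhr.responseText);
        // Only the header's presence is checked, not its value, so a header that the
        // browser or an intermediary adds on its own is also reported as Allowed.
        if (headers.hasOwnProperty(data.toLowerCase())) {
            addInfo(data, 'Allowed');
        } else {
            addError(data, 'Not Allowed');
        }
    } catch (err) {
        // setRequestHeader(), send() or JSON.parse() threw.
        addError(data, 'Probably Not. Some Error Occured');
    }
}
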

Enum Data (ENUM_FUNCTION)

// Author Request Headers - http://www.w3.org/TR/XMLHttpRequest/#author-request-headers
// 4.6.2 The setRequestHeader() method
// http://www.w3.org/TR/XMLHttpRequest/#dom-xmlhttprequest-setrequestheader

// This does not include the headers that are already sent by default, for example Cookie or Accept-Charset.

var data = [
    'X-CUSTOM-HEADER', 'X-CSRF', 'Accept-Charset', 'Access-Control-Request-Headers',
    'Access-Control-Request-Method', 'Cookie2', 'Date', 'DNT', 'Expect',
    'Keep-Alive', 'TE', 'Trailer', 'Upgrade', 'Via', 'PORT', 'IP',
    'X-Forwarded-For', 'Authorization', 'Content-Length', 'Content-Type'
];