Allowed Request Headers by XHR

Lists which request headers a script can set on a same-origin XMLHttpRequest with setRequestHeader(). For every name in the enum data below, the user script sets the header to a fixed value, sends a synchronous GET to /helper/headers (which echoes back the request headers it received), and reports Allowed if the name appears in the echo and Not Allowed otherwise. Browsers silently drop the names on the forbidden request-header list of the XMLHttpRequest/Fetch standards (Accept-Charset, Cookie2, Date, DNT, Expect, Keep-Alive, TE, Trailer, Upgrade, Via, Content-Length and the Access-Control-Request-* pair, among others), so those are expected to come back Not Allowed, while author headers such as X-CUSTOM-HEADER, X-CSRF, Authorization and Content-Type are expected to come back Allowed.

Reading the results: the script checks only that the header name is present in the echo, not that it carries the value the script set. Headers that reach the helper by another route therefore show as Allowed even where the browser discarded the script's copy: X-Forwarded-For and Via are added by proxies and load balancers between the browser and the helper, and DNT is sent by any browser with Do Not Track switched on. The IE 11 run makes this visible, reporting X-CUSTOM-HEADER as Not Allowed yet X-Forwarded-For as Allowed. Treat Allowed for those three names as unproven. Three runs (Unknown Browser, Googlebot, Chrome Mobile 89) also report X-CSRF, PORT and IP as Not Allowed while X-CUSTOM-HEADER is Allowed; setRequestHeader() does not distinguish between such author header names, so something on the path stripped them, and those rows should not be read as browser behaviour either. The Unknown Browser, Mobile Safari 7 and Safari 8 runs have 17 rows instead of 20 because Authorization, Content-Length and Content-Type were evidently not yet in the enum list when they were recorded.

By: Anonymous 1
Seen: 2091 times
Tags: xhr, headers

Results


Tested on: Chrome 91 (OS reported as undefined)

This run did not probe header names: the strings it passed to setRequestHeader() are version numbers, not the names of any HTTP header, and every one of them came back Not Allowed. It says nothing about Chrome 91's header handling, and the enum data below is not what it ran against. Strings tested, all reported Not Allowed:

2.0.3, 2.0.2, 2.0.1, 2.0.0, 1.10.2, 1.10.1, 1.10.0, 1.9.1, 1.9.0, 1.8.3, 1.8.2, 1.8.1, 1.8.0, 1.7.2, 1.7.1, 1.7.0, 1.6.4, 1.6.3, 1.6.2, 1.6.1, 1.6.0, 1.5.2, 1.5.1, 1.5.0, 1.4.4, 1.4.3, 1.4.2, 1.4.1, 1.4.0, 1.3.2, 1.3.1, 1.3.0, 1.2.6, 1.2.3

Tested on: Firefox 75, Windows 10

HTTP Header                     Is Allowed?
------------------------------  -----------
X-CUSTOM-HEADER                 Allowed
X-CSRF                          Allowed
Accept-Charset                  Not Allowed
Access-Control-Request-Headers  Not Allowed
Access-Control-Request-Method   Not Allowed
Cookie2                         Not Allowed
Date                            Not Allowed
DNT                             Not Allowed
Expect                          Not Allowed
Keep-Alive                      Not Allowed
TE                              Not Allowed
Trailer                         Not Allowed
Upgrade                         Not Allowed
Via                             Allowed
PORT                            Allowed
IP                              Allowed
X-Forwarded-For                 Allowed
Authorization                   Allowed
Content-Length                  Not Allowed
Content-Type                    Allowed

Tested on: Unknown Browser, unknown version, unknown OS

HTTP Header                     Is Allowed?
------------------------------  -----------
X-CUSTOM-HEADER                 Allowed
X-CSRF                          Not Allowed
Accept-Charset                  Not Allowed
Access-Control-Request-Headers  Not Allowed
Access-Control-Request-Method   Not Allowed
Cookie2                         Not Allowed
Date                            Not Allowed
DNT                             Not Allowed
Expect                          Not Allowed
Keep-Alive                      Not Allowed
TE                              Not Allowed
Trailer                         Not Allowed
Upgrade                         Not Allowed
Via                             Not Allowed
PORT                            Not Allowed
IP                              Not Allowed
X-Forwarded-For                 Allowed

Tested on: Googlebot 2.1 (OS reported as undefined)

HTTP Header                     Is Allowed?
------------------------------  -----------
X-CUSTOM-HEADER                 Allowed
X-CSRF                          Not Allowed
Accept-Charset                  Not Allowed
Access-Control-Request-Headers  Not Allowed
Access-Control-Request-Method   Not Allowed
Cookie2                         Not Allowed
Date                            Not Allowed
DNT                             Not Allowed
Expect                          Not Allowed
Keep-Alive                      Not Allowed
TE                              Not Allowed
Trailer                         Not Allowed
Upgrade                         Not Allowed
Via                             Allowed
PORT                            Not Allowed
IP                              Not Allowed
X-Forwarded-For                 Allowed
Authorization                   Not Allowed
Content-Length                  Not Allowed
Content-Type                    Not Allowed

Tested on: Mobile Safari 7, iOS

HTTP Header                     Is Allowed?
------------------------------  -----------
X-CUSTOM-HEADER                 Allowed
X-CSRF                          Allowed
Accept-Charset                  Not Allowed
Access-Control-Request-Headers  Not Allowed
Access-Control-Request-Method   Not Allowed
Cookie2                         Not Allowed
Date                            Not Allowed
DNT                             Allowed
Expect                          Not Allowed
Keep-Alive                      Not Allowed
TE                              Not Allowed
Trailer                         Not Allowed
Upgrade                         Not Allowed
Via                             Not Allowed
PORT                            Allowed
IP                              Allowed
X-Forwarded-For                 Allowed

Tested on: Safari 8, Mac OS X

HTTP Header                     Is Allowed?
------------------------------  -----------
X-CUSTOM-HEADER                 Allowed
X-CSRF                          Allowed
Accept-Charset                  Not Allowed
Access-Control-Request-Headers  Not Allowed
Access-Control-Request-Method   Not Allowed
Cookie2                         Not Allowed
Date                            Not Allowed
DNT                             Allowed
Expect                          Not Allowed
Keep-Alive                      Not Allowed
TE                              Not Allowed
Trailer                         Not Allowed
Upgrade                         Not Allowed
Via                             Not Allowed
PORT                            Allowed
IP                              Allowed
X-Forwarded-For                 Allowed

Tested on: Chrome Mobile 89, Android

HTTP Header                     Is Allowed?
------------------------------  -----------
X-CUSTOM-HEADER                 Allowed
X-CSRF                          Not Allowed
Accept-Charset                  Not Allowed
Access-Control-Request-Headers  Not Allowed
Access-Control-Request-Method   Not Allowed
Cookie2                         Not Allowed
Date                            Not Allowed
DNT                             Not Allowed
Expect                          Not Allowed
Keep-Alive                      Not Allowed
TE                              Not Allowed
Trailer                         Not Allowed
Upgrade                         Not Allowed
Via                             Allowed
PORT                            Not Allowed
IP                              Not Allowed
X-Forwarded-For                 Allowed
Authorization                   Not Allowed
Content-Length                  Not Allowed
Content-Type                    Not Allowed

Tested on: IE 11, Windows 10

HTTP Header                     Is Allowed?
------------------------------  -----------
X-CUSTOM-HEADER                 Not Allowed
X-CSRF                          Not Allowed
Accept-Charset                  Not Allowed
Access-Control-Request-Headers  Not Allowed
Access-Control-Request-Method   Not Allowed
Cookie2                         Not Allowed
Date                            Not Allowed
DNT                             Allowed
Expect                          Not Allowed
Keep-Alive                      Not Allowed
TE                              Not Allowed
Trailer                         Not Allowed
Upgrade                         Not Allowed
Via                             Not Allowed
PORT                            Not Allowed
IP                              Not Allowed
X-Forwarded-For                 Allowed
Authorization                   Not Allowed
Content-Length                  Not Allowed
Content-Type                    Not Allowed

Tested on: Opera 43, Windows 7

HTTP Header                     Is Allowed?
------------------------------  -----------
X-CUSTOM-HEADER                 Allowed
X-CSRF                          Allowed
Accept-Charset                  Not Allowed
Access-Control-Request-Headers  Not Allowed
Access-Control-Request-Method   Not Allowed
Cookie2                         Not Allowed
Date                            Not Allowed
DNT                             Allowed
Expect                          Not Allowed
Keep-Alive                      Not Allowed
TE                              Not Allowed
Trailer                         Not Allowed
Upgrade                         Not Allowed
Via                             Not Allowed
PORT                            Allowed
IP                              Allowed
X-Forwarded-For                 Allowed
Authorization                   Allowed
Content-Length                  Not Allowed
Content-Type                    Allowed

Tested on: Edge 17.17134, Windows 10

HTTP Header                     Is Allowed?
------------------------------  -----------
X-CUSTOM-HEADER                 Allowed
X-CSRF                          Allowed
Accept-Charset                  Not Allowed
Access-Control-Request-Headers  Not Allowed
Access-Control-Request-Method   Not Allowed
Cookie2                         Not Allowed
Date                            Not Allowed
DNT                             Not Allowed
Expect                          Not Allowed
Keep-Alive                      Not Allowed
TE                              Not Allowed
Trailer                         Not Allowed
Upgrade                         Not Allowed
Via                             Allowed
PORT                            Allowed
IP                              Allowed
X-Forwarded-For                 Allowed
Authorization                   Allowed
Content-Length                  Not Allowed
Content-Type                    Allowed

User Script (ENUM_FUNCTION)

// http://domstorm.skepticfx.com/request/headers - Gives all the HTTP Request Headers in the given request.
//
// Called once per entry of the enum data below. Sets the candidate header on a
// synchronous same-origin GET to /helper/headers, which echoes the request
// headers it received as a JSON object keyed by lower-cased header name, and
// reports Allowed if the name is present in that echo.
//
// Caveat: this is a presence check only. A header that a proxy in front of the
// helper adds (X-Forwarded-For, Via) or that the browser sends on its own (DNT
// with Do Not Track switched on) is reported as Allowed even when
// setRequestHeader() was silently ignored. Comparing the echoed value with
// 'someValue' would tell the two cases apart.

function test(data){
    // We need to separate properties and access one by one.
    try {
        var xhr = new XMLHttpRequest();
        xhr.open('GET', '/helper/headers', false); // Same Domain Request
        xhr.setRequestHeader(data, 'someValue');   // ignored for forbidden names; throws SyntaxError for an invalid token
        xhr.send();
        var headers = JSON.parse(xhr.responseText);
        if (headers.hasOwnProperty(data.toLowerCase())) {
            addInfo(data, 'Allowed');
        } else {
            addError(data, 'Not Allowed');
        }
    } catch (err) {
        // Reached when setRequestHeader() throws or the request itself fails.
        addError(data, 'Probably Not. Some Error Occurred');
    }
}


Enum Data (ENUM_FUNCTION)

// Author Request Headers - http://www.w3.org/TR/XMLHttpRequest/#author-request-headers
// 4.6.2 The setRequestHeader() method
// http://www.w3.org/TR/XMLHttpRequest/#dom-xmlhttprequest-setrequestheader
//
// Headers the browser already sends on its own (for example Cookie) are deliberately
// left out: the helper would echo them whether or not setRequestHeader() had any
// effect, so the presence check above could not tell. Accept-Charset is kept in the
// list even though some older browsers sent it by default.
// X-CUSTOM-HEADER, X-CSRF, PORT and IP are not registered header names; they check
// that arbitrary author headers go through.

var data = ['X-CUSTOM-HEADER', 'X-CSRF', 'Accept-Charset', 'Access-Control-Request-Headers',
            'Access-Control-Request-Method', 'Cookie2', 'Date', 'DNT', 'Expect', 'Keep-Alive',
            'TE', 'Trailer', 'Upgrade', 'Via', 'PORT', 'IP', 'X-Forwarded-For', 'Authorization',
            'Content-Length', 'Content-Type'];
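The results above show why presence alone is a weak signal: X-Forwarded-For is Allowed in every run, Via in several, and the user script never looks at the echoed value. What follows is an added example written for this page, not code from DOM Storm. It keeps the same probing approach (set one header, read back what the helper received) but judges each probe by the value that came back, and it also classifies the Proxy-* and Sec-* prefixes that the Fetch standard forbids, which the enum list does not cover. It assumes, as the user script does, that /helper/headers returns a JSON object of received request headers keyed in lower case. The simulated browser/proxy (simulatedEcho), the nonce format, the 203.0.113.7 address and the edge-proxy Via token are constructed for the offline demo.

```javascript
'use strict';

// Added example, not part of the DOM Storm test. It keeps the test's approach
// (set one header, read back what /helper/headers received) but judges each probe
// by the VALUE that came back, using a per-probe nonce, so a header that a proxy
// injected (X-Forwarded-For, Via) or that the browser sends on its own (DNT) is
// not reported as a successful setRequestHeader().

// Forbidden request-header names from the Fetch standard: a compliant browser
// silently ignores setRequestHeader() for these, and for any Proxy-* or Sec-*
// name. The standard's list has grown since these runs; check the current text.
const FORBIDDEN_HEADER_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'cookie2', 'date', 'dnt', 'expect', 'host', 'keep-alive', 'origin', 'referer',
  'te', 'trailer', 'transfer-encoding', 'upgrade', 'via',
]);

function isForbiddenRequestHeader(name) {
  const n = String(name).toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(n) || n.startsWith('proxy-') || n.startsWith('sec-');
}

// The page's own rule, kept for comparison: present in the echo means Allowed.
function presenceOnlyVerdict(name, echoed) {
  return Object.prototype.hasOwnProperty.call(echoed, name.toLowerCase()) ? 'Allowed' : 'Not Allowed';
}

// Value-aware verdict. `echoed` maps lower-cased header names to the values the
// helper saw; `nonce` is the value this probe set. Containment rather than
// equality, because intermediaries append to list-valued headers such as
// X-Forwarded-For ("<nonce>, 203.0.113.7") instead of replacing them.
function classifyProbe(name, nonce, echoed) {
  const key = name.toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(echoed, key)) return 'not-sent';
  if (String(echoed[key]).includes(nonce)) return 'set-by-script';
  return 'present-but-not-ours';
}

// Probe every name through `echo(name, nonce)`, which returns the helper's header
// map. The nonce is unique per probe, so a coincidental match is not possible.
function probeAll(names, echo) {
  const results = {};
  names.forEach((name, i) => {
    const nonce = 'probe-' + i + '-' + name.toLowerCase();
    try {
      const echoed = echo(name, nonce);
      results[name] = { page: presenceOnlyVerdict(name, echoed), value: classifyProbe(name, nonce, echoed) };
    } catch (err) {
      // setRequestHeader() throws a SyntaxError for a name that is not a valid
      // token (one containing a space, say). The page folds this into
      // Not Allowed; keeping it apart tells a rejected name from a dropped one.
      results[name] = { page: 'Not Allowed', value: 'rejected:' + (err && err.name ? err.name : 'Error') };
    }
  });
  return results;
}

// Real echo for use in a browser: the same synchronous same-origin request the
// page's script makes. Assumes, as that script does, that /helper/headers returns
// a JSON object of the received request headers keyed in lower case.
function xhrEcho(name, nonce) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', '/helper/headers', false);
  xhr.setRequestHeader(name, nonce);
  xhr.send();
  return JSON.parse(xhr.responseText);
}

// Constructed stand-in for browser + proxy + helper so the logic runs offline:
// the browser drops forbidden names and always sends DNT: 1 (Do Not Track on),
// and a proxy in front of the helper appends X-Forwarded-For and Via.
function simulatedEcho(name, nonce) {
  const sent = { 'user-agent': 'constructed/1.0', dnt: '1' };
  if (!isForbiddenRequestHeader(name)) sent[name.toLowerCase()] = nonce;
  sent['x-forwarded-for'] = sent['x-forwarded-for'] ? sent['x-forwarded-for'] + ', 203.0.113.7' : '203.0.113.7';
  sent.via = sent.via ? sent.via + ', 1.1 edge-proxy' : '1.1 edge-proxy';
  return sent;
}

const SAMPLE_NAMES = ['X-CUSTOM-HEADER', 'X-CSRF', 'Via', 'DNT', 'X-Forwarded-For', 'Cookie2', 'Authorization'];

// Offline demo (Node): prints both verdicts side by side. In a browser, call
// probeAll(SAMPLE_NAMES, xhrEcho) from a page served by the same origin as the helper.
if (typeof XMLHttpRequest === 'undefined') {
  const verdicts = probeAll(SAMPLE_NAMES, simulatedEcho);
  for (const name of SAMPLE_NAMES) {
    console.log(name.padEnd(16), 'page:', verdicts[name].page.padEnd(12), 'value:', verdicts[name].value);
  }
}
```

A row reading page: Allowed, value: present-but-not-ours is exactly the X-Forwarded-For, Via and DNT case in the tables above; only set-by-script means the browser actually honoured setRequestHeader(). Run in a browser against the real helper, probeAll(SAMPLE_NAMES, xhrEcho) separates the two for the full enum list.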