Support for wildcards in the Access-Control-Allow-Headers
header was added to the living standard only in May 2016, so it may not be supported by all browsers. On browser which don’t implement this yet, it must be an exact match: https://www.w3.org/TR/2014/REC-cors-20140116/#access-control-allow-headers-response-header
If you expect a large number of headers, you can read in the value of the Access-Control-Request-Headers
header and echo that value back in the Access-Control-Allow-Headers
header.