Remove DNT and X-Mx-ReqToken from default allowed headers #102

Open
mhsdef wants to merge 1 commit into mschae:main from mhsdef:remove-obsolete-default-headers

@mhsdef mhsdef commented Mar 6, 2026

Summary

  • DNT (Do Not Track) is a browser-controlled header sent automatically on navigation and subresource requests. It is never sent by application code in cross-origin XHR/fetch calls, so listing it in Access-Control-Allow-Headers has no effect.
  • X-Mx-ReqToken is a header specific to the Mendix platform. It's not a general-purpose header and doesn't belong in a CORS library's defaults.

Removing both keeps the default list focused on headers that are actually relevant to typical cross-origin API usage.

This is a backwards-compatible change — anyone who explicitly needs these headers can still add them via the :headers option.

DNT (Do Not Track) is a browser-set header, not something a client
application would send in a cross-origin request, so including it in
Access-Control-Allow-Headers serves no purpose.

X-Mx-ReqToken was specific to the Mendix platform and is not a
general-purpose header that belongs in a CORS library's defaults.
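
The check a browser applies to a preflight response, as an added example that is not part of this pull request or the library's code: it flags allow-list entries that are forbidden request-header names in the Fetch standard (such as DNT, which scripts cannot set) and reports which requested headers an allow-list does not cover. The allow-list strings and the preflight value are constructed samples, not the library's real defaults, and wildcard (`*`) handling is left out.

```javascript
// Forbidden request-header names from the Fetch standard. Scripts cannot set
// these, so they never appear in Access-Control-Request-Headers.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade",
  "via",
]);

// Split a comma-separated header-name list into trimmed, lowercase names
// (header names compare case-insensitively).
function parseNames(value) {
  return value.split(",").map((n) => n.trim().toLowerCase()).filter(Boolean);
}

function isForbidden(name) {
  return FORBIDDEN_NAMES.has(name) ||
    name.startsWith("proxy-") || name.startsWith("sec-");
}

// Allow-list entries that can never match a preflight request.
function inertEntries(allowHeaders) {
  return parseNames(allowHeaders).filter(isForbidden);
}

// Names in Access-Control-Request-Headers that the allow-list does not cover.
// Assumes an explicit allow-list with no "*" entry.
function rejectedHeaders(requestHeaders, allowHeaders) {
  const allowed = new Set(parseNames(allowHeaders));
  return parseNames(requestHeaders).filter((n) => !allowed.has(n));
}

// Constructed samples: an allow-list with both headers, one without them,
// and the preflight value for a client that sets X-Mx-ReqToken.
const WITH_BOTH = "Authorization, Content-Type, DNT, X-Mx-ReqToken";
const WITHOUT = "Authorization, Content-Type";
const SAMPLE_PREFLIGHT = "content-type, x-mx-reqtoken";

console.log(inertEntries(WITH_BOTH));
console.log(rejectedHeaders(SAMPLE_PREFLIGHT, WITHOUT));
console.log(rejectedHeaders(SAMPLE_PREFLIGHT, WITHOUT + ", X-Mx-ReqToken"));
```

Running `rejectedHeaders` over the `Access-Control-Request-Headers` values seen in server logs shows which names need to be passed explicitly through the headers option.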