From 0e4e497ce48f44dd44b3b3c9f0fae2ac1a5a8982 Mon Sep 17 00:00:00 2001
From: Matt Sutton
Date: Fri, 6 Mar 2026 10:32:15 -0500
Subject: [PATCH] Remove DNT and X-Mx-ReqToken from default allowed headers

DNT (Do Not Track) is a browser-set header, not something a client application would send in a cross-origin request, so including it in Access-Control-Allow-Headers serves no purpose. X-Mx-ReqToken was specific to the Mendix platform and is not a general-purpose header that belongs in a CORS library's defaults.
---
 lib/cors_plug.ex | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lib/cors_plug.ex b/lib/cors_plug.ex
index 3842a6a..2e80821 100644
--- a/lib/cors_plug.ex
+++ b/lib/cors_plug.ex
@@ -12,9 +12,7 @@ defmodule CORSPlug do
 "Accept",
 "Origin",
 "User-Agent",
- "DNT",
 "Cache-Control",
- "X-Mx-ReqToken",
 "Keep-Alive",
 "X-Requested-With",
 "If-Modified-Since",