verifier for Access-Control-Allow-Origin Specifies either a single origin, which tells browsers to allow that origin to access the resource; or else — for requests without credentials — the "*" wildcard, to tell browsers to allow any origin to access the resource.

Values for Access-Control-Allow-Methods. Specifies the method or methods allowed when accessing the resource. This is used in response to a preflight request.

Values for Access-Control-Allow-Headers. Is used in response to a preflight request to indicate which HTTP headers can be used when making the actual request. This header is the server side response to the browser's Access-Control-Request-Headers header

Values for Access-Control-Expose-Headers. Lets a server whitelist headers that Javascript (such as getResponseHeader()) in browsers are allowed to access.

Value for Access-Control-Allow-Credentials. Indicates whether or not the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note that simple GET requests are not preflighted, and so if a request is made for a resource with credentials, if this header is not returned with the resource, the response is ignored by the browser and not returned to web content.

Values for Access-Control-Max-Age. Indicates how long the results of a preflight request can be cached.