Not a developer? Go to



This is documentation about a configuration directive, which can be placed within Movable Type’s core configuration file, mt-config.cgi, to customize the behavior of the system.

DataAPICORSAllowHeaders is used to specify the Access-Control-Allow-Headers response value sent by the Data API.

When preparing to retrieve data from a site powered by the Movable Type Data API using Javascript’s XMLHTTPRequest Level 2 with a web browser or a client application, header requests are subject to a number of different Cross Origin Resource Sharing (CORS) security restrictions.

In order to determine what information your client application is allowed to request from the Data API, a preflight request can be sent to the server where the Data API is operating. If the request is made from a site that is permitted to use the Data API, the header field names that can be requested are placed in the Access-Control-Allow-Headers header attribute and returned as part of the REST query response.

If a preflight request is made from a site not permitted to use the Data API, the Access-Control-Allow-Headers header will not be sent.

Specifications can be made, both for receiving Data API requests from external sites and for sending header requests to external sites.


DataAPICORSAllowHeaders  X-MT-Next-Phase-URL, X-Some-Response-Value

Default Value