Used after preflight request response to restrict the headers that will be used during the actual request.
Multiple header values can be passed to a single header definition.
Access-Control-Allow-Headers: X-Custom-Header, Upgrade-Insecure-Requests
Like allowed-origin, the * (wildcard) definition can only be used for requests without credentials.