Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
In PHP the code would be:
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: X-Requested-With');
If you are using a single script that contains both the API and the regular page (even with includes), the headers must be sent before the script determines whether the request is an API call or not. This is due to a 'pre-flight request' the browser makes to test that the impending AJAX call is approved and above board. Once it receives the OK, it makes a second call with the full AJAX credentials.
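The ordering described above, as an added example that is not the original author's code: one script that sends the CORS headers first, answers the pre-flight, and only then routes. The `ALLOWED_ORIGINS` list, the `api` query parameter and the response bodies are assumptions; the page itself sends `*`, and this variant instead echoes back only origins on an allow-list.

```php
<?php
// Added example. ALLOWED_ORIGINS, the "api" query parameter and the
// response bodies are assumptions made for illustration.
const ALLOWED_ORIGINS = ['https://app.example.com']; // constructed value

// Build the CORS headers for the request's Origin header.
// The page sends "*"; this variant echoes back only allow-listed origins.
function cors_headers(?string $origin): array
{
    // Vary: Origin is always sent so a cache never reuses a response
    // generated for one origin when answering another.
    $headers = ['Vary: Origin'];
    if ($origin !== null && in_array($origin, ALLOWED_ORIGINS, true)) {
        $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
        $headers[] = 'Access-Control-Allow-Headers: X-Requested-With';
    }
    // Unknown origin: no Allow-* headers, so the browser blocks the read.
    return $headers;
}

// 1. CORS headers go out first, before any routing decision.
foreach (cors_headers($_SERVER['HTTP_ORIGIN'] ?? null) as $line) {
    header($line);
}

// 2. The pre-flight arrives as an OPTIONS request: answer it and stop,
//    so neither the API nor the page logic runs for it.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
    http_response_code(204);
    exit;
}

// 3. Only now decide whether this is an API call or the regular page.
if (isset($_GET['api'])) {
    header('Content-Type: application/json');
    echo json_encode(['status' => 'ok']);
    exit;
}

echo '<!doctype html><title>Regular page</title><p>Regular page</p>';
```

If the headers were sent inside the API branch instead, the pre-flight would fall through to the regular page without them and the browser would never make the second call.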