Hi,    Would you be able to provide a little more detail in what you are trying to do?     Is it that your JavaScript is adding Access-Control-Request-Headers to an OPTIONS request and you want vTM to add an Access-Control-Allow-Headers containing that header to it's response?  i.e.   Browser--> OPTIONS (w/ header Access-Control-Request-Headers: X-Dummy) -->  vTM vTM --> RESPONSE  Access-Control-Allow-Headers:  X-Dummy   Not sure if that's what you had in mind but I tested doing the above and using the OPTIONS method on a VTM.  I was able to get vTM to take the value of the Access-Control-Request-Headers in a request and insert that into an Access-Control-Allow-Headers header in the response.  I used 2 rules to accomplish this, one Request rule and one Response rule:   Request rule:  check_CORS_header $cors_header = http.getHeader ( "Access-Control-Request-Headers" ); if ( $cors_header != "" ) { connection.data.set ( "CORS_Header_Exists" , $cors_header ); } ​ Reponse rule:  add_CORS_header $cors_header_to_add = connection.data.get ("CORS_Header_Exists"); if ( $cors_header_to_add != "" ){ http.setResponseHeader( "Access-Control-Allow-Headers", $cors_header_to_add ); } ​ I tested this using the Advanced Rest Client Chrome app and it seems to work, even when using the OPTIONS method:     Again, not sure if this is what you had in mind.  FYI the interesting piece is how you can use connection.data.set and connection.data.get to send information from a request rule to a response rule.   Cheers, Joe   ... View more