I'm currently working on an OAuth 2.0 code authorization grant with PKCE in an SSR page (working with React in the front and Express in the back).
Where should I store the code_verifier when the client requests a code from the authorization server (when the authorization server creates the code_challenge and code_verifier to verify later)? I have the authorization server running in an independent stack/infrastructure.
Should I store the code_verifier in req.headers? (see Draft Campbell OAuth TBPKCE-00)
We are following RFC 6749.
from Where I should store code_verifier (oauth 2.0 code authorization flow with PKCE)
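An added example, not part of the original post: in RFC 7636 the client creates the code_verifier, so a server-rendered app can keep it in server-side state keyed by `state` and send only the code_challenge through the browser. The `Map` standing in for a session store, the function names, and the URLs and client id used with them are assumptions for illustration.

```javascript
// Added example: PKCE (RFC 7636) handled entirely on the back end. Names are hypothetical.
const crypto = require("node:crypto");

const base64url = (buf) => buf.toString("base64url");

// S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function challengeFor(verifier) {
  return base64url(crypto.createHash("sha256").update(verifier, "ascii").digest());
}

// Stand-in for a server-side session store (assumption); entries are keyed by `state`.
const pending = new Map();

// Step 1: build the redirect to the authorization endpoint.
function beginAuthorization(authorizeUrl, clientId, redirectUri) {
  const state = base64url(crypto.randomBytes(16));
  const verifier = base64url(crypto.randomBytes(32)); // 43 characters, RFC 7636 minimum
  pending.set(state, { verifier, createdAt: Date.now() });
  const url = new URL(authorizeUrl);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    code_challenge: challengeFor(verifier),
    code_challenge_method: "S256",
  }).toString();
  return url.toString(); // the verifier itself never reaches the browser
}

// Step 2: on the redirect back, look up the verifier and build the token request body.
function completeAuthorization(query, clientId, redirectUri, maxAgeMs = 10 * 60 * 1000) {
  const entry = pending.get(query.state);
  pending.delete(query.state); // single use: a replayed callback finds nothing
  if (!entry || Date.now() - entry.createdAt > maxAgeMs) {
    throw new Error("unknown or expired state");
  }
  return new URLSearchParams({
    grant_type: "authorization_code",
    code: query.code,
    redirect_uri: redirectUri,
    client_id: clientId,
    code_verifier: entry.verifier,
  });
}
```

In an Express back end the two functions would sit behind the login route and the redirect_uri route, with the `Map` replaced by the app's session storage.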