OPTIONS Method and CORS Preflight Requests

Learn how the OPTIONS method works for CORS preflight requests, discovering allowed methods, and checking server capabilities.

Detailed Explanation

OPTIONS and CORS

The OPTIONS method describes the communication options available for the target resource. Its most important role in modern web development is the CORS preflight request.

What Triggers a Preflight?

Browsers automatically send an OPTIONS request before the actual request when the request is cross-origin (different protocol, domain, or port) and at least one of the following is true:

  • The HTTP method is not GET, HEAD, or POST
  • The request includes custom headers (e.g., Authorization, X-Custom-Header)
  • The Content-Type is not application/x-www-form-urlencoded, multipart/form-data, or text/plain

Preflight Request Example

OPTIONS /api/users HTTP/1.1
Host: api.example.com
Origin: https://app.example.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: Content-Type, Authorization

Preflight Response Example

HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400

Key Response Headers

Header                          Purpose
Access-Control-Allow-Origin     Which origins can access the resource
Access-Control-Allow-Methods    Which HTTP methods are permitted
Access-Control-Allow-Headers    Which request headers are allowed
Access-Control-Max-Age          How long (seconds) the preflight result can be cached
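
One way a server could build the preflight response shown above from an exact-match origin allowlist. This is an added example, not code from the original page. The names handleOptions, normalize and POLICY are hypothetical, and answering a rejected preflight with 403 is an assumed design choice.

```javascript
// Added example; POLICY values are assumptions mirroring the sample response.
const POLICY = {
  origins: new Set(["https://app.example.com"]),
  methods: ["GET", "POST", "PUT", "DELETE"],
  headers: ["Content-Type", "Authorization"],
  maxAge: 86400,
};

// Lower-case header names: HTTP header names are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Builds { status, headers } for an OPTIONS request (hypothetical helper).
function handleOptions(rawHeaders, policy = POLICY) {
  const req = normalize(rawHeaders);
  const origin = req["origin"];
  const wantedMethod = req["access-control-request-method"];
  // Without Origin and Access-Control-Request-Method this is a plain OPTIONS.
  if (!origin || !wantedMethod) {
    return { status: 200, headers: { Allow: [...policy.methods, "OPTIONS"].join(", ") } };
  }
  // Vary: Origin stops caches from reusing one origin's answer for another.
  const deny = { status: 403, headers: { Vary: "Origin" } };

  // Exact-match allowlist: an unlisted Origin is never echoed back.
  if (!policy.origins.has(origin)) return deny;
  if (!policy.methods.includes(wantedMethod)) return deny;

  const allowed = new Set(policy.headers.map((h) => h.toLowerCase()));
  const wanted = (req["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!wanted.every((h) => allowed.has(h))) return deny;

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      "Access-Control-Max-Age": String(policy.maxAge),
      Vary: "Origin",
    },
  };
}
```

A denied preflight carries no Access-Control-Allow-Origin header, so the browser does not send the actual request.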

Without CORS Context

OPTIONS can also be used independently to discover which methods a server supports:

OPTIONS /api/users HTTP/1.1
Host: api.example.com

HTTP/1.1 200 OK
Allow: GET, POST, PUT, DELETE, OPTIONS

The Allow header lists the supported methods for that endpoint.

Use Case

A single-page application hosted on app.example.com needs to call api.example.com. The browser automatically sends an OPTIONS preflight before the PUT request, and the server responds with the allowed origins and methods. Without proper CORS headers, the browser blocks the actual request.