HTTP Cross Origin and Access Control Preflighting requests


A basic CORS request is allowed to use one of only two methods:

  • GET
  • POST

and only a few select headers. POST CORS requests can additionally choose from only three content types.

To go beyond these limits, requests that wish to use other methods, headers, or content types must first issue a preflight request, which is an OPTIONS request that includes the Access-Control-Request-Method and Access-Control-Request-Headers headers. For example, this preflight request checks whether the server will accept a PUT request that includes a DNT header:

OPTIONS /cors HTTP/1.1
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: DNT
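
The server side of that exchange, as an added example that is not part of the original page: a preflight is answered from an explicit allowlist instead of reflecting whatever the client asks for. The function names, the policy values and the https://app.example origin are assumptions made for illustration.

```javascript
// Added example: decide a CORS preflight against an explicit allowlist.
// POLICY contents are constructed; adjust to the API being protected.
const POLICY = {
  origins: new Set(["https://app.example"]),
  methods: new Set(["GET", "POST", "PUT"]), // method names are case-sensitive
  headers: new Set(["dnt", "content-type"]), // header names compared lowercase
  maxAgeSeconds: 600,
};

// Split a comma-separated header-name list into lowercase tokens.
function parseHeaderList(value) {
  return (value || "")
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// req: { method, headers } with lowercase header names.
// Returns null when the request is not a preflight, else { status, headers }.
function handlePreflight(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const wantMethod = req.headers["access-control-request-method"];
  // A preflight is an OPTIONS request carrying Origin and a requested method.
  if (req.method !== "OPTIONS" || !origin || !wantMethod) return null;

  // Denials carry no Access-Control-Allow-* headers, so the browser blocks.
  const deny = { status: 403, headers: { Vary: "Origin" } };
  if (!policy.origins.has(origin)) return deny;
  if (!policy.methods.has(wantMethod)) return deny;
  const wantHeaders = parseHeaderList(req.headers["access-control-request-headers"]);
  if (!wantHeaders.every((name) => policy.headers.has(name))) return deny;

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // echoed only after allowlist match
      "Access-Control-Allow-Methods": [...policy.methods].join(", "),
      "Access-Control-Allow-Headers": [...policy.headers].join(", "),
      "Access-Control-Max-Age": String(policy.maxAgeSeconds),
      Vary: "Origin",
    },
  };
}

// The preflight shown above, with a constructed Origin header added.
const pagePreflight = {
  method: "OPTIONS",
  headers: { origin: "https://app.example", "access-control-request-method": "PUT", "access-control-request-headers": "DNT" },
};
```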