When a server receives a preflight request, it must check if it supports the requested method and headers, and send back a response that indicates its ability to support the request, as well as any other permitted data (such as credentials).
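These are indicated in the Access-Control-Allow-* response headers (Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers and Access-Control-Allow-Credentials). The server may also send back an Access-Control-Max-Age header, indicating how long the preflight response can be cached.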
This is what a request-response cycle for a preflight request might look like:
OPTIONS /cors HTTP/1.1
Host: example.com
Origin: example.org
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: DNT

HTTP/1.1 200 OK
Access-Control-Allow-Origin: example.org
Access-Control-Allow-Methods: PUT
Access-Control-Allow-Headers: DNT
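
The server-side check described above, as an added example (not code from the original page or any framework): `POLICY`, `handlePreflight` and the sample request are hypothetical names and constructed values. The sample origin carries a scheme, since browsers send the Origin header as scheme plus host, and header names are assumed to arrive lower-cased as Node's http module provides them.

```javascript
// Added example: hypothetical policy and helper names, not from any framework.
const POLICY = {
  origins: new Set(["https://example.org"]), // exact-match allowlist (assumed)
  methods: new Set(["GET", "PUT"]),
  headers: new Set(["dnt", "content-type"]), // stored lower-case
  allowCredentials: true,
  maxAgeSeconds: 600,
};

// req: { method, headers } with lower-cased header names.
// Returns { status, headers } for a preflight, or null if req is not a preflight.
function handlePreflight(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const wantMethod = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || !origin || !wantMethod) return null;

  // No Access-Control-Allow-* headers on denial, so the browser blocks the real request.
  const deny = { status: 403, headers: { Vary: "Origin" } };
  if (!policy.origins.has(origin)) return deny;
  if (!policy.methods.has(wantMethod)) return deny; // method names are case-sensitive

  // Header names are case-insensitive: normalise before comparing.
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!wantHeaders.every((h) => policy.headers.has(h))) return deny;

  const headers = {
    "Access-Control-Allow-Origin": origin, // echoed only after the allowlist check
    "Access-Control-Allow-Methods": wantMethod,
    "Access-Control-Max-Age": String(policy.maxAgeSeconds),
    Vary: "Origin", // caches must key the response on the requesting origin
  };
  if (wantHeaders.length) headers["Access-Control-Allow-Headers"] = wantHeaders.join(", ");
  // Credentials require a specific origin in Allow-Origin, never "*".
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return { status: 200, headers };
}

// Constructed sample mirroring the exchange above.
const sample = {
  method: "OPTIONS",
  headers: {
    host: "example.com",
    origin: "https://example.org",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "DNT",
  },
};
console.log(handlePreflight(sample));
```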