HTTP Cross Origin and Access Control Server: responding to preflight requests


When a server receives a preflight request, it must check if it supports the requested method and headers, and send back a response that indicates its ability to support the request, as well as any other permitted data (such as credentials).

These are indicated in the Access-Control-Allow-* response headers. The server may also send back an Access-Control-Max-Age header, indicating how long the preflight response can be cached for.

This is what a request-response cycle for a preflight request might look like:

OPTIONS /cors HTTP/1.1
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: DNT

HTTP/1.1 200 OK
Access-Control-Allow-Methods: PUT
Access-Control-Allow-Headers: DNT
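
The server-side check described above, as an added example (not code from the original page): a framework-independent function that answers a preflight from an explicit allowlist instead of echoing whatever the client requested. The `POLICY` values, the `https://app.example` origin and the function name are assumptions made for illustration.

```python
# Constructed policy for illustration: every value here is an assumption.
POLICY = {
    "origins": {"https://app.example"},
    "methods": {"GET", "PUT"},
    "headers": {"dnt", "content-type"},  # header names, lowercased
    "credentials": True,
    "max_age": 600,  # seconds the browser may cache the preflight result
}

def preflight_response(method, headers, policy=POLICY):
    """Return (status, headers) for a preflight, or None if it is not one."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    want_method = h.get("access-control-request-method")
    if method != "OPTIONS" or origin is None or want_method is None:
        return None  # ordinary request: handle outside the preflight path
    raw = h.get("access-control-request-headers", "")
    want_headers = [x.strip().lower() for x in raw.split(",") if x.strip()]
    # The response depends on these request headers, so caches must key on them.
    resp = {"Vary": "Origin, Access-Control-Request-Method, "
                    "Access-Control-Request-Headers"}
    allowed = (origin in policy["origins"]
               and want_method in policy["methods"]
               and all(x in policy["headers"] for x in want_headers))
    if not allowed:
        # No Access-Control-Allow-* headers are sent, so the browser
        # blocks the actual request.
        return 403, resp
    resp["Access-Control-Allow-Origin"] = origin
    resp["Access-Control-Allow-Methods"] = want_method
    if want_headers:
        resp["Access-Control-Allow-Headers"] = ", ".join(want_headers)
    if policy["credentials"]:
        resp["Access-Control-Allow-Credentials"] = "true"
    resp["Access-Control-Max-Age"] = str(policy["max_age"])
    return 200, resp

if __name__ == "__main__":
    # Constructed request mirroring the exchange above, plus an Origin header.
    request = {"Origin": "https://app.example",
               "Access-Control-Request-Method": "PUT",
               "Access-Control-Request-Headers": "DNT"}
    status, out = preflight_response("OPTIONS", request)
    print(status)
    for name, value in out.items():
        print(f"{name}: {value}")
```

Because the allowed origin is echoed back only after an exact match against the allowlist, Access-Control-Allow-Credentials is never combined with an origin the policy does not name.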