Preflight Request

Security

Overview

A preflight request is a CORS pre-check in which the browser, before sending a 'complex' cross-origin request, uses the OPTIONS method to ask the server whether that request is allowed.

If the server responds with permission, the real request proceeds; if not, the real request is never sent at all.

Details

Not every cross-origin request triggers a preflight. It's triggered when the request falls outside the 'simple request' criteria (GET/HEAD/POST + a limited set of headers + a content type of `application/x-www-form-urlencoded`, `multipart/form-data`, or `text/plain`). For example, sending a PUT with `Content-Type: application/json` or adding custom headers (`X-…`) triggers it.

The preflight OPTIONS carries `Access-Control-Request-Method` and `Access-Control-Request-Headers`, and the server answers with `Access-Control-Allow-Methods`, `Allow-Headers`, and `Allow-Origin`. If the server sends `Access-Control-Max-Age`, the browser caches this permission for a while to avoid repeated OPTIONS calls. Since two round trips per API call add latency, caching via Max-Age and shaping requests to meet the simple criteria both help performance.

Related types