Access-Control-Allow-Methods
Response header CORS

Overview

Access-Control-Allow-Methods is the header in a CORS preflight (OPTIONS) response that tells the browser which HTTP methods a cross-origin request may actually use. Sending a real request with a method not listed here is blocked by the browser.

The value lists allowed methods separated by commas, and for non-credentialed requests the wildcard * is also allowed.

Details

For methods beyond GET/HEAD/POST (like PUT, DELETE, PATCH) or requests meeting certain conditions, the browser first sends a preflight OPTIONS to check server permission. The preflight announces the intended method via Access-Control-Request-Method, and the server answers with Access-Control-Allow-Methods.

This header rides on the preflight (OPTIONS) response, not the actual response. The browser caches the preflight result for the duration of Access-Control-Max-Age, skipping the preflight for later requests of the same kind.

* allows all methods but is invalid in credentials mode (with cookies), where methods must be listed explicitly.

Syntax

Access-Control-Allow-Methods: <method>[, <method>]* | *

e.g. Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS

Notes

Related headers

Related status codes

Specification