Access-Control-Max-Age
Response header CORS

Overview

Access-Control-Max-Age is a response header specifying, in seconds, how long the browser may cache the result of a CORS preflight (OPTIONS) — the allowed methods and headers. While cached, matching requests skip the preflight, cutting a round trip.

Details

A non-simple cross-origin request first sends an OPTIONS preflight so the server can confirm the method and headers are allowed. Repeating a preflight on every request doubles the round trips, so when the server sets Access-Control-Max-Age the browser omits the preflight for the same URL/method/header combination for that duration.

The result is stored in a per-browser preflight cache keyed by origin, URL, request method, and request headers. Browsers cap the value: Chromium clamps it to at most 7200 seconds (2 hours) and Firefox to at most 86400 seconds (24 hours); larger values are truncated to these ceilings.

The value -1 means do not cache, forcing a preflight on every request. A short value (or near zero) is handy while iterating on the allow policy in development, whereas a stable production service benefits from a value near the ceiling to minimize preflight frequency.

Syntax

Access-Control-Max-Age: <delta-seconds>

e.g. Access-Control-Max-Age: 600

Directives / values

<delta-seconds>Seconds to cache the preflight result. -1 disables caching.

Notes

Related headers

Related status codes

Specification