Access-Control-Max-AgeAccess-Control-Max-Age is a response header specifying, in seconds, how long the browser may cache the result of a CORS preflight (OPTIONS) — the allowed methods and headers. While cached, matching requests skip the preflight, cutting a round trip.
A non-simple cross-origin request first sends an OPTIONS preflight so the server can confirm the method and headers are allowed. Repeating a preflight on every request doubles the round trips, so when the server sets Access-Control-Max-Age the browser omits the preflight for the same URL/method/header combination for that duration.
The result is stored in a per-browser preflight cache keyed by origin, URL, request method, and request headers. Browsers cap the value: Chromium clamps it to at most 7200 seconds (2 hours) and Firefox to at most 86400 seconds (24 hours); larger values are truncated to these ceilings.
The value -1 means do not cache, forcing a preflight on every request. A short value (or near zero) is handy while iterating on the allow policy in development, whereas a stable production service benefits from a value near the ceiling to minimize preflight frequency.
Access-Control-Max-Age: <delta-seconds>e.g. Access-Control-Max-Age: 600
<delta-seconds> | Seconds to cache the preflight result. -1 disables caching. |