Access-Control-Request-Method
Request header CORS

Overview

Access-Control-Request-Method is a request header the browser automatically adds to a CORS preflight (OPTIONS) to tell the server which HTTP method the upcoming actual request will use. The server decides whether to allow it and answers with Access-Control-Allow-Methods.

Details

This is a browser-managed 'forbidden header name', so application JavaScript cannot set or override it. Requests using a method other than GET/HEAD/POST (such as PUT, DELETE, PATCH) or carrying custom headers are classified as non-simple, triggering a preflight in which the browser inserts this header.

In the preflight response the server approves by placing the requested method (or *) in Access-Control-Allow-Methods if the value in Access-Control-Request-Method is in its allowed set. If it is not approved, the browser never sends the actual request and fails it as a CORS error.

A preflight normally has no body, and servers conventionally answer briefly with 204 No Content or 200. This header appears only on the preflight and is never present on the actual request.

Syntax

Access-Control-Request-Method: <method>

e.g. Access-Control-Request-Method: DELETE

Notes

Related headers

Related status codes

Specification