OPTIONS asks which methods and capabilities the target resource supports. In practice the most common use is the CORS preflight the browser sends before a cross-origin request.
Before a cross-origin request that uses `PUT`/`DELETE` or custom headers, the browser first sends OPTIONS to ask the server 'do you allow this origin, method, and headers?'. The server answers with `Access-Control-Allow-Origin`/`-Methods`/`-Headers`, usually returning 204.
If the preflight fails, the real request is never sent and a CORS error appears in the browser console. Send `Access-Control-Max-Age` to cache the response and cut round-trips.
OPTIONS /api/users HTTP/1.1
Host: api.example.com
Origin: https://app.example.com
Access-Control-Request-Method: POSTHTTP/1.1 204 No Content
Allow: GET, POST, OPTIONS
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, OPTIONScurl -X OPTIONS https://api.example.com/api/users \
-H 'Origin: https://app.example.com' \
-H 'Access-Control-Request-Method: POST' -i