OPTIONS

HTTP OPTIONS

SafeYes
IdempotentYes
CacheableNo
Request bodyNo
Response bodyYes

Overview

OPTIONS asks which methods and capabilities the target resource supports. In practice the most common use is the CORS preflight the browser sends before a cross-origin request.

Details

Before a cross-origin request that uses `PUT`/`DELETE` or custom headers, the browser first sends OPTIONS to ask the server 'do you allow this origin, method, and headers?'. The server answers with `Access-Control-Allow-Origin`/`-Methods`/`-Headers`, usually returning 204.

If the preflight fails, the real request is never sent and a CORS error appears in the browser console. Send `Access-Control-Max-Age` to cache the response and cut round-trips.

Request / Response example

Request
OPTIONS /api/users HTTP/1.1
Host: api.example.com
Origin: https://app.example.com
Access-Control-Request-Method: POST
Response
HTTP/1.1 204 No Content
Allow: GET, POST, OPTIONS
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, OPTIONS

In code

curl -X OPTIONS https://api.example.com/api/users \
  -H 'Origin: https://app.example.com' \
  -H 'Access-Control-Request-Method: POST' -i

Common mistakes

Typical status codes

Related methods

Related headers