CORS preflight request

A CORS preflight is an OPTIONS request asking whether a cross-origin method and request fields are permitted.

  • cors
  • preflight
  • browsers

Definition

A CORS preflight is an OPTIONS request generated by the browser before certain cross-origin requests. It advertises the intended method and non-safelisted field names so the server can grant or deny them.

OPTIONS /records HTTP/1.1
Origin: https://app.example.invalid
Access-Control-Request-Method: QUERY
Access-Control-Request-Headers: content-type

Expected result: the actual request proceeds only if the preflight response supplies the required CORS permissions. Passing preflight does not replace the origin grant on the actual response.

Why it matters

The application script normally does not send preflight itself. Diagnose the OPTIONS exchange and the intended request as two related but separate HTTP transactions.

Primary sources