cors
Access-Control-Allow-Methods
Sent in the preflight (OPTIONS) response to list which HTTP methods the actual cross-origin request may use. Cached by the browser according to Access-Control-Max-Age.
Access-Control-Allow-Methods: <method>[, <method>...] | * (response to preflight) Common directives / values
| Directive | Purpose |
|---|---|
| GET, POST, PUT, PATCH, DELETE | Typical REST allow-list. |
| * | Wildcard — allowed only for requests without credentials. |
| OPTIONS | Rarely needed explicitly; preflight itself is exempt. |
Examples
Access-Control-Allow-Methods: GET, POST, DELETE Standard REST API preflight response.
Access-Control-Allow-Methods: * Public non-credentialed API — allow any method.
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE\nAccess-Control-Max-Age: 86400 Cache the preflight decision for 24h to avoid a preflight before every request.
Access-Control-Allow-Methods: POST\nAccess-Control-Allow-Headers: Content-Type, Authorization Preflight response for a JSON API call with Bearer auth.
Gotcha
Simple methods (GET, HEAD, POST with simple Content-Type) don't trigger a preflight, so this header only affects methods that do. Wildcard * is ignored when the request is credentialed.
Related headers
Access-Control-Allow-Origin
The core CORS response header: names the single origin (or *) permitted to read this response from client-side JavaScript. If missing or non-matching, the browser blocks the response from the calling script.
Access-Control-Allow-Headers
Preflight response listing which request headers the actual request is allowed to send. Required whenever the client sends any non-CORS-safelisted header such as Authorization or a custom X-* header.
Access-Control-Max-Age
How long (in seconds) the browser may cache the preflight response, avoiding an OPTIONS round-trip before subsequent identical requests. Browsers cap this at their own maximum (Chrome ~7200s, Firefox ~86400s).
Access-Control-Allow-Credentials
Signals that the response may be shared with the requesting origin even when the request was made with credentials (cookies, HTTP auth, or client TLS certs). The only legal value is the literal string 'true'.
Access-Control-Expose-Headers
Lists response headers that the browser will expose to client JavaScript across origins. By default only a small CORS-safelisted set (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) is readable.