cors

Access-Control-Allow-Methods

Sent in the preflight (OPTIONS) response to list which HTTP methods the actual cross-origin request may use. Cached by the browser according to Access-Control-Max-Age.

Access-Control-Allow-Methods: <method>[, <method>...]  |  *  (response to preflight)

Common directives / values

Directive Purpose
GET, POST, PUT, PATCH, DELETE Typical REST allow-list.
* Wildcard — allowed only for requests without credentials.
OPTIONS Rarely needed explicitly; preflight itself is exempt.

Examples

Access-Control-Allow-Methods: GET, POST, DELETE

Standard REST API preflight response.

Access-Control-Allow-Methods: *

Public non-credentialed API — allow any method.

Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE\nAccess-Control-Max-Age: 86400

Cache the preflight decision for 24h to avoid a preflight before every request.

Access-Control-Allow-Methods: POST\nAccess-Control-Allow-Headers: Content-Type, Authorization

Preflight response for a JSON API call with Bearer auth.

Gotcha

Simple methods (GET, HEAD, POST with simple Content-Type) don't trigger a preflight, so this header only affects methods that do. Wildcard * is ignored when the request is credentialed.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors