cors
Access-Control-Max-Age
How long (in seconds) the browser may cache the preflight response, avoiding an OPTIONS round-trip before subsequent identical requests. Browsers cap this at their own maximum (Chrome ~7200s, Firefox ~86400s).
Access-Control-Max-Age: <delta-seconds> Common directives / values
| Directive | Purpose |
|---|---|
| 0 | Do not cache the preflight; force OPTIONS before every request. |
| 600 | 10 minutes — safe default while iterating. |
| 86400 | 24 hours — capped by Firefox to this value. |
| 7200 | 2 hours — Chrome's practical cap. |
Examples
Access-Control-Max-Age: 86400 Cache preflight for a day — big latency win in production.
Access-Control-Max-Age: 0 Disable preflight caching — useful during CORS debugging.
Access-Control-Max-Age: 7200\nAccess-Control-Allow-Methods: GET, POST\nAccess-Control-Allow-Headers: Content-Type, Authorization Chrome-friendly 2h cache of a JSON API preflight.
Access-Control-Max-Age: -1 Treated as invalid — browser will not cache; equivalent to 0.
Gotcha
Browsers impose their own upper limits — a value of 604800 (7 days) is silently clamped to ~7200 (Chrome) or 86400 (Firefox). Preflight cache is keyed on origin + URL + method + header set, so shape changes still force re-preflight.
Related headers
Access-Control-Allow-Methods
Sent in the preflight (OPTIONS) response to list which HTTP methods the actual cross-origin request may use. Cached by the browser according to Access-Control-Max-Age.
Access-Control-Allow-Headers
Preflight response listing which request headers the actual request is allowed to send. Required whenever the client sends any non-CORS-safelisted header such as Authorization or a custom X-* header.
Access-Control-Allow-Origin
The core CORS response header: names the single origin (or *) permitted to read this response from client-side JavaScript. If missing or non-matching, the browser blocks the response from the calling script.
Cache-Control
Directs caching behavior in both requests and responses per RFC 9111, controlling freshness, revalidation, and where the response may be stored. Directives can be combined and are respected by browsers, CDNs, and intermediate proxies.
Access-Control-Allow-Credentials
Signals that the response may be shared with the requesting origin even when the request was made with credentials (cookies, HTTP auth, or client TLS certs). The only legal value is the literal string 'true'.