cors

Access-Control-Max-Age

How long (in seconds) the browser may cache the preflight response, avoiding an OPTIONS round-trip before subsequent identical requests. Browsers cap this at their own maximum (Chrome ~7200s, Firefox ~86400s).

Access-Control-Max-Age: <delta-seconds>

Common directives / values

Directive Purpose
0 Do not cache the preflight; force OPTIONS before every request.
600 10 minutes — safe default while iterating.
86400 24 hours — capped by Firefox to this value.
7200 2 hours — Chrome's practical cap.

Examples

Access-Control-Max-Age: 86400

Cache preflight for a day — big latency win in production.

Access-Control-Max-Age: 0

Disable preflight caching — useful during CORS debugging.

Access-Control-Max-Age: 7200\nAccess-Control-Allow-Methods: GET, POST\nAccess-Control-Allow-Headers: Content-Type, Authorization

Chrome-friendly 2h cache of a JSON API preflight.

Access-Control-Max-Age: -1

Treated as invalid — browser will not cache; equivalent to 0.

Gotcha

Browsers impose their own upper limits — a value of 604800 (7 days) is silently clamped to ~7200 (Chrome) or 86400 (Firefox). Preflight cache is keyed on origin + URL + method + header set, so shape changes still force re-preflight.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors