The HTTP OPTIONS method requests permitted communication options for a given URL or server. A client can specify a URL with this method, or an asterisk (*) to refer to the entire server.

OPTIONS /index.html HTTP/1.1
OPTIONS * HTTP/1.1

To find out which request methods a server supports, one can use the curl command-line program to issue an OPTIONS request:

curl -X OPTIONS https://example.org -i

The response then contains an Allow header that holds the allowed methods:
In CORS, a preflight request is sent with the OPTIONS method so that the server can respond if it is acceptable to send the request. In this example, we will request permission for these parameters:

OPTIONS /resources/post-here/ HTTP/1.1

The server now can respond if it will accept a request under these circumstances. In this example, the server response says that:
Access-Control-Allow-Origin - The https://foo.example origin is permitted to request the bar.example/resources/post-here/ URL via the following:
Access-Control-Allow-Methods - POST, GET, and OPTIONS are permitted methods for the URL. (This header is similar to the Allow response header, but used only for CORS.)
- X-PINGOTHER and Content-Type are permitted request headers for the URL.
Access-Control-Max-Age - The above permissions may be cached for 86,400 seconds (1 day).
Both 200 OK and 204 No Content are permitted status codes, but some browsers incorrectly believe 204 No Content applies to the resource and do not send the subsequent request to fetch it.
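
The two uses of OPTIONS described above, seen from the server side, as an added example that is not part of the original page: a plain OPTIONS request gets an Allow header, and a CORS preflight gets Access-Control-* headers only when the origin, method and headers are all on an allowlist. The names handleOptions and POLICY, the lowercase-header request shape, and the 403 for a refused preflight are assumptions of this example; the policy values are the ones from the response described above.

```javascript
// Constructed policy, using the values from the response described above.
const POLICY = {
  origins: ["https://foo.example"],
  methods: ["POST", "GET", "OPTIONS"],
  headers: ["x-pingother", "content-type"], // header names compare case-insensitively
  maxAge: 86400, // seconds (1 day)
};

// req: { method, headers } with lowercase header names (assumed request shape).
// Returns { status, headers } for an OPTIONS request, or null for anything else.
function handleOptions(req, policy = POLICY) {
  if (req.method !== "OPTIONS") return null;
  const origin = req.headers["origin"];
  const wantMethod = req.headers["access-control-request-method"];

  // Plain OPTIONS (not a preflight): advertise the supported methods.
  if (!origin || !wantMethod) {
    return { status: 200, headers: { Allow: policy.methods.join(", ") } };
  }

  // Preflight: origin, method and every requested header must be allowlisted.
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed =
    policy.origins.includes(origin) &&
    policy.methods.includes(wantMethod) &&
    wantHeaders.every((h) => policy.headers.includes(h));

  // Refusal carries no Access-Control-* header, so the browser blocks the request.
  if (!allowed) return { status: 403, headers: { Vary: "Origin" } };

  return {
    status: 200, // 200 rather than 204, given the browser behaviour noted above
    headers: {
      "Access-Control-Allow-Origin": origin, // echo the matched origin, not "*"
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      "Access-Control-Max-Age": String(policy.maxAge),
      Vary: "Origin", // caches must key the response on the Origin header
    },
  };
}
```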