CORS preflight is an OPTIONS request that the browser sends before a "complex" cross-origin request (non-standard headers, PUT/DELETE methods). The server must respond 200 with Access-Control-Allow-Methods / Headers. If preflight fails, the main request is not sent. Common cause of "CORS errors" in the browser console.
Free online tool — CORS checker: instant results, no signup.
CORS preflight is an OPTIONS request that the browser sends before a "complex" cross-origin request (non-standard headers, PUT/DELETE methods). The server must respond 200 with Access-Control-Allow-Methods / Headers. If preflight fails, the main request is not sent. Common cause of "CORS errors" in the browser console.
CORS (Cross-Origin Resource Sharing) preflight requests are an essential part of web security, ensuring that a web application can safely interact with resources from different origins. When a browser detects a request that may not be safe, such as those using HTTP methods other than GET or POST, or those that include custom headers, it performs a preflight request using the OPTIONS method.
The preflight request checks with the server to see if the actual request is safe to send. The server must respond with the appropriate Access-Control-Allow-Methods and Access-Control-Allow-Headers headers to indicate which methods and headers are permitted. If the server does not respond correctly, the browser will block the actual request and log a CORS error in the console.
For example, if a client attempts to send a PUT request to a different domain, the browser will first send an OPTIONS request to that domain to verify if the server allows PUT requests. If the server responds with:
Access-Control-Allow-Methods: GET, POST, PUTAccess-Control-Allow-Headers: Content-TypeThen the browser will proceed with the original PUT request. If not, it will terminate the request and display a CORS error.
Debugging CORS preflight errors can be challenging, especially when dealing with complex applications. Here are steps and tips to effectively identify and resolve these issues:
OPTIONS request and examine the response headers. Ensure that Access-Control-Allow-Origin is present and correctly configured.location /api/ {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Content-Type';
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Content-Type';
return 200;
}
} curl -X OPTIONS https://example.com/api/ -H 'Origin: https://yourdomain.com' -H 'Access-Control-Request-Method: POST' This command will return the server's response headers, allowing you to verify if they are set correctly. If you receive a response without the expected CORS headers, that’s a clear indication of misconfiguration.
Configuring CORS preflight requests correctly is crucial for maintaining application security and functionality. Here are best practices to follow:
*), specify allowed origins explicitly to restrict access. For example:add_header 'Access-Control-Allow-Origin' 'https://example.com'; add_header 'Access-Control-Allow-Methods' 'GET, POST'; Content-Type, configure it as follows:add_header 'Access-Control-Allow-Headers' 'Content-Type'; Access-Control-Max-Age header to cache preflight responses. This reduces the number of preflight requests:add_header 'Access-Control-Max-Age' '86400'; By adhering to these best practices, you can ensure that your CORS preflight requests are secure, efficient, and functional, minimizing the risk of errors and enhancing the overall user experience.
See the use-case section above. For a quick check, use our online form.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.