What is a CORS preflight request?

A preflight is an automatic OPTIONS request the browser sends before the real cross-origin request, to ask the server whether the actual method and headers are allowed. The server answers with Access-Control-Allow-* headers; only if they permit the request does the browser send it.

Which requests are simple and skip preflight?

A request is simple if its method is GET, HEAD or POST, it only uses CORS-safelisted headers (Accept, Accept-Language, Content-Language, Content-Type), and any Content-Type is one of application/x-www-form-urlencoded, multipart/form-data or text/plain. Anything else triggers a preflight.

Can I use a wildcard with credentials?

No. When the request sends credentials (cookies or HTTP auth), Access-Control-Allow-Origin MUST be the exact origin, not *, and Access-Control-Allow-Credentials must be true. A wildcard with credentials is rejected by the browser.

What does Access-Control-Max-Age do?

It tells the browser how many seconds it may cache the preflight result for the same method and headers, avoiding a repeated OPTIONS on every call. Browsers cap it (Chromium 7200s, Firefox 86400s).

Does this tool make network requests?

No. The analyzer and reference run entirely in your browser using the CORS rules. Nothing is sent to a server.

CORS Preflight Request Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

The CORS preflight flow

Before a cross-origin request that is not “simple”, the browser sends an automatic OPTIONS preflight asking the server which method and headers are allowed. This reference pairs every Access-Control-Request-* header with the Access-Control-Allow-* response the server must return, and an analyzer tells you whether a given request preflights.

How it works

The browser preflights when the request uses a non-safelisted method or header. The preflight is an OPTIONS carrying the intended method and headers:

OPTIONS /api/data HTTP/1.1
Origin: https://app.example
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: content-type, authorization

The server must answer with matching allow headers:

Access-Control-Allow-Origin: https://app.example
Access-Control-Allow-Methods: GET, PUT, DELETE
Access-Control-Allow-Headers: content-type, authorization
Access-Control-Max-Age: 600

A request that uses only GET/HEAD/POST, safelisted headers and a safelisted Content-Type is “simple” and skips the preflight entirely.

Tips and notes

With credentials, never use * — echo the exact Origin and set Allow-Credentials: true.
Access-Control-Max-Age caches the preflight; browsers cap the value.
List every custom request header in Access-Control-Allow-Headers.
Access-Control-Expose-Headers lets JS read non-safelisted response headers.