The HTTP Access-Control-Allow-Methods response header is part of the CORS protocol to allow cross-origin sharing, and it is sent by the server to indicate to the client that specific HTTP methods are allowed when accessing a resource in response to a preflight request.


The Access-Control-Allow-Methods response header indicates what HTTP methods are allowed when accessing resources during a preflight request.

Access-Control-Allow-Methods: *

The asterisk is a wildcard for HTTP requests that do not have credentials. It tells the client to allow any supported HTTP method during a preflight request.


For HTTP requests that include credentials, the asterisk character * is treated as a literal, rather than a wildcard character.


Specific HTTP methods can also be specified in a common-delimited fashion, as in the following example where the server indicates that the HTTP POST and HTTP GET methods are allowed.


Access-Control-Allow-Methods: POST, GET


The Access-Control-Allow-Methods response header is sent by a server to inform clients as to which HTTP methods they allow, if any, during a preflight request.

See also

Last updated: June 2, 2022