Access-Control-Allow-Methods
The HTTP Access-Control-Allow-Methods response header specifies which HTTP methods are permitted when accessing a resource in a cross-origin request. Servers return this header as part of a CORS preflight response.
Usage
Before sending a cross-origin request with a non-simple method, the browser issues a preflight OPTIONS request. The Access-Control-Request-Method header in the preflight indicates which method the client plans to use. The server replies with Access-Control-Allow-Methods to confirm which methods are accepted for the target resource.
Simple methods (GET, HEAD, and POST) are always permitted by the CORS protocol and do not strictly require listing here. Listing them explicitly is common practice and makes server policy visible at a glance.
Multiple methods appear as a comma-separated list.
Directives
Method name list
A comma-separated set of HTTP method names the server accepts for cross-origin access.
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
* (wildcard)
The asterisk acts as a wildcard for requests without credentials, permitting any method.
Access-Control-Allow-Methods: *
Note
For credentialed requests the wildcard * is treated as a literal string, not as a wildcard. Each allowed method must be listed explicitly when credentials are present.
Example
A preflight request asks whether the PUT method is allowed. The server confirms several methods.
Request
OPTIONS /api/resource/42 HTTP/1.1
Origin: https://app.example.re
Access-Control-Request-Method: PUT
Response
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.re
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Max-Age: 7200
A more restrictive server permits only GET and POST.
Access-Control-Allow-Methods: GET, POST
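The method check described above can be sketched in code. This is an added example, not code from the Fetch Standard or from any browser; the function names preflightAllowsMethod and auditPolicy are hypothetical. It evaluates an Access-Control-Allow-Methods value for a requested method, including the safelisted methods and the credentialed-wildcard rule.

```javascript
// Methods the CORS protocol accepts without being listed in the header.
const SAFELISTED = new Set(["GET", "HEAD", "POST"]);

// Split an Access-Control-Allow-Methods value into method tokens.
function parseAllowMethods(headerValue) {
  if (!headerValue) return [];
  return headerValue
    .split(",")
    .map((token) => token.trim())
    .filter((token) => token.length > 0);
}

// Decide whether a preflight response permits the requested method.
//   requestMethod   - value the client sent in Access-Control-Request-Method
//   allowMethods    - raw Access-Control-Allow-Methods value, or null if absent
//   withCredentials - true when the actual request carries credentials
function preflightAllowsMethod(requestMethod, allowMethods, withCredentials) {
  if (SAFELISTED.has(requestMethod)) return true;
  const methods = parseAllowMethods(allowMethods);
  // HTTP method names are case-sensitive, so tokens are compared exactly.
  if (methods.includes(requestMethod)) return true;
  // "*" only acts as a wildcard when no credentials are present;
  // with credentials it is an ordinary (literal) token.
  return !withCredentials && methods.includes("*");
}

// Review helper: which candidate methods does a policy expose,
// without credentials and with credentials?
function auditPolicy(allowMethods, candidates = ["GET", "POST", "PUT", "PATCH", "DELETE"]) {
  return {
    anonymous: candidates.filter((m) => preflightAllowsMethod(m, allowMethods, false)),
    credentialed: candidates.filter((m) => preflightAllowsMethod(m, allowMethods, true)),
  };
}

// Constructed sample policies, taken from the header values shown on this page.
console.log(auditPolicy("GET, POST, PUT, DELETE"));
console.log(auditPolicy("GET, POST"));
console.log(auditPolicy("*"));
```

Running auditPolicy over a server's configured header values shows at a glance whether a wildcard or an over-long list exposes state-changing methods such as PUT or DELETE to cross-origin callers.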
Takeaway
The Access-Control-Allow-Methods header tells browsers which HTTP methods a server accepts for cross-origin requests, enabling the browser to proceed with the actual request after a successful preflight.
See also
- Fetch Standard: HTTP Access-Control-Allow-Methods
- Access-Control-Request-Method
- Access-Control-Allow-Headers
- Access-Control-Allow-Origin
- CORS
- HTTP headers