The HTTP Access-Control-Allow-Methods response header is part of the CORS protocol to allow cross-origin sharing, and it is sent by the server to indicate to the client that specific HTTP methods are allowed when accessing a resource in response to a preflight request.
The Access-Control-Allow-Methods response header indicates what HTTP methods are allowed when accessing resources during a preflight request.
The asterisk is a wildcard for HTTP requests that do not have credentials. It tells the client to allow any supported HTTP method during a preflight request.
For HTTP requests that include credentials, the asterisk character
* is treated as a literal, rather than a wildcard character.
Specific HTTP methods can also be specified in a common-delimited fashion, as in the following example where the server indicates that the HTTP POST and HTTP GET methods are allowed.
Access-Control-Allow-Methods: POST, GET
The Access-Control-Allow-Methods response header is sent by a server to inform clients as to which HTTP methods they allow, if any, during a preflight request.