Access-Control-Max-Age

The HTTP Access-Control-Max-Age response header specifies how long, in seconds, the results of a CORS preflight request are cached by the browser.

Usage

A preflight OPTIONS request adds latency to every cross-origin call. The Access-Control-Max-Age header reduces this cost by telling the browser to reuse the preflight result for a given number of seconds. During the cache window, the browser skips the preflight step and sends the actual request directly.

The cached entry is keyed on the request URL, the Origin, and the combination of Access-Control-Request-Method and Access-Control-Request-Headers values. A change in any of these triggers a fresh preflight.

When the header is absent, browsers apply a short default of five seconds. Each browser enforces an upper limit on the value, capping preflight cache duration regardless of what the server sends.

Values

Seconds

A non-negative integer representing the number of seconds the preflight result remains valid.

Access-Control-Max-Age: 86400

-1

A value of -1 disables caching entirely, forcing a preflight request before every cross-origin call. This is useful during development or when server policy changes frequently.

Access-Control-Max-Age: -1

Example

A server returns a preflight response allowing PUT and DELETE methods with a 24-hour cache window. The browser reuses this result for subsequent requests to the same endpoint from the same origin.

HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.re
Access-Control-Allow-Methods: GET, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
Vary: Origin

A shorter cache window of 10 minutes suits APIs where permissions change more often.

Access-Control-Max-Age: 600
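The caching rules described above (cache key, five-second default, -1, and a browser-side cap), modelled as an added example; it is not code from this page or from any browser. The function and class names, the api.example.re URL and the 7200-second cap are assumptions made up for the illustration. It shows a 24-hour value being capped and a withdrawn DELETE permission still skipping preflight until the cached entry expires.

```javascript
// Added illustration: a simplified model of a browser preflight cache.
const DEFAULT_MAX_AGE = 5; // seconds used when the header is absent (per the page)

// Turn the header value into a cache lifetime. browserCap is an assumed limit.
function effectiveMaxAge(headerValue, browserCap) {
  if (headerValue === undefined || headerValue === null) return DEFAULT_MAX_AGE;
  const text = String(headerValue).trim();
  if (text === "-1") return 0; // caching disabled: preflight before every call
  // Assumption: an unparsable value is treated like an absent header.
  if (!/^\d+$/.test(text)) return DEFAULT_MAX_AGE;
  return Math.min(Number(text), browserCap);
}

class PreflightCache {
  constructor(browserCap, now) {
    this.browserCap = browserCap;
    this.now = now; // injected clock, in seconds
    this.entries = new Map(); // cache key -> expiry time
  }
  // Key on URL, Origin, requested method and requested headers.
  static key(req) {
    const headers = req.headers.map((h) => h.toLowerCase()).sort();
    return JSON.stringify([req.url, req.origin, req.method, headers]);
  }
  store(req, maxAgeHeader) {
    const ttl = effectiveMaxAge(maxAgeHeader, this.browserCap);
    if (ttl > 0) this.entries.set(PreflightCache.key(req), this.now() + ttl);
    return ttl;
  }
  needsPreflight(req) {
    const expires = this.entries.get(PreflightCache.key(req));
    return expires === undefined || this.now() >= expires;
  }
}

// Constructed scenario: the server withdraws DELETE one hour after the preflight.
function staleWindowDemo() {
  let clock = 0;
  const cache = new PreflightCache(7200, () => clock); // 7200 s cap is assumed
  const del = { url: "https://api.example.re/items/1", method: "DELETE",
    origin: "https://app.example.re", headers: ["Authorization"] };
  const ttl = cache.store(del, "86400"); // server asked for 24 hours
  clock = 3600; // policy changes on the server; the cached entry is unaffected
  const skippedAfterRevocation = !cache.needsPreflight(del);
  clock = 7200; // capped lifetime has elapsed
  const recheckedAtExpiry = cache.needsPreflight(del);
  const otherMethod = cache.needsPreflight({ ...del, method: "PUT" });
  return { ttl, skippedAfterRevocation, recheckedAtExpiry, otherMethod };
}
```

The cached entry only decides whether the browser asks again; the server still has to reject the actual DELETE request once its policy changes.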

Takeaway

The Access-Control-Max-Age header reduces preflight overhead by allowing browsers to cache the result of a CORS preflight OPTIONS exchange for a specified number of seconds.

Last updated: March 5, 2026