OPTIONS

The HTTP OPTIONS method requests the communication options available for a given resource or an entire server.

Table of Contents

Usage
- CORS preflight
- Properties
Example
Takeaway
See also

Usage

An OPTIONS request retrieves the allowed methods and capabilities of a target resource without performing an action on the resource. The server responds with an Allow header listing the supported methods.

When an asterisk (*) is used as the request target, the request applies to the server as a whole rather than a specific resource.

OPTIONS * HTTP/1.1
Host: api.example.re

CORS preflight

The most common real-world use of OPTIONS is the CORS preflight request. Before sending a cross-origin request with a method outside the CORS-safelisted set, custom headers, or a Content-Type outside the safelisted set (application/x-www-form-urlencoded, multipart/form-data, text/plain), the browser automatically sends an OPTIONS request to the target server. The preflight checks whether the server permits the actual request.

The preflight request includes Origin, Access-Control-Request-Method, and optionally Access-Control-Request-Headers. The server responds with Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers to signal approval.

Properties

Property	Value
Safe	Yes
Idempotent	Yes
Cacheable	No

Example

Resource capabilities

A client queries the allowed methods for a specific resource. The server responds with 204 No Content and an Allow header.

Request

OPTIONS /articles HTTP/1.1
Host: api.example.re

Response

HTTP/1.1 204 No Content
Allow: OPTIONS, GET, HEAD, POST, DELETE

Server-wide query

Using * as the target reveals the methods the server supports in general, independent of any specific resource.

Request

OPTIONS * HTTP/1.1
Host: api.example.re

Response

HTTP/1.1 204 No Content
Allow: OPTIONS, GET, HEAD

CORS preflight

A browser prepares a cross-origin PUT request with a custom X-Request-ID header. Before sending the actual request, the browser issues a preflight OPTIONS request to confirm the server allows the method and header from the requesting origin.

Preflight request

OPTIONS /api/data HTTP/1.1
Host: api.example.re
Origin: https://app.example.re
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: X-Request-ID

Preflight response

HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.re
Access-Control-Allow-Methods: GET, PUT, DELETE
Access-Control-Allow-Headers: X-Request-ID
Access-Control-Max-Age: 86400

The Access-Control-Max-Age value tells the browser to cache the preflight result for 86,400 seconds (one day), avoiding repeated preflight requests for the same endpoint.

Takeaway

The HTTP OPTIONS method retrieves the communication options for a resource or server. In practice, browsers send OPTIONS most frequently as an automatic CORS preflight request before cross-origin calls with non-safelisted methods or custom headers.

OPTIONS

Usage

CORS preflight

Properties

Example

Resource capabilities

Server-wide query

CORS preflight

Takeaway

See also