Chapter 4. Handling preflight requests


This chapter covers

  • What a CORS preflight is
  • How to respond to a CORS preflight
  • How the preflight cache works

The previous chapter showed how to respond to CORS requests by using the Access-Control-Allow-Origin header. While this header is required on all valid CORS responses, there are some cases where the Access-Control-Allow-Origin header alone isn’t enough. Certain types of requests, such as DELETE or PUT, need to go a step further and ask for the server’s permission before making the actual request.

The browser asks for permission by using what is called a preflight request. A preflight request is a small request that the browser sends before the actual request. It contains information such as which HTTP method is used and whether any custom HTTP headers are present. The preflight gives the server a chance to examine what the actual request will look like before it's made. The server can then indicate whether the browser should send the actual request or instead return an error to the client without sending it.

This chapter will examine what a preflight request is and when it’s used. Next it will introduce headers the server can use to respond to a preflight. It will then introduce the preflight cache, which is a browser optimization that helps limit the number of preflight requests that are made.
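The server side of the exchange described above, as an added example in JavaScript (not code from the book): a preflight is checked against an allow-list, and the response either grants the request, with a cache lifetime, or withholds permission. The policy values and the function names isPreflight and handlePreflight are assumptions made for illustration; the header names are the standard CORS ones, passed in lowercase as Node's http module exposes them.

```javascript
// Added example: server-side preflight decision. The policy values below
// and the function names are constructed for illustration.
const POLICY = {
  origins: new Set(['https://app.example']),
  methods: new Set(['GET', 'POST', 'PUT', 'DELETE']),
  headers: new Set(['content-type', 'x-requested-with']), // compared lowercase
  maxAgeSeconds: 600, // how long the browser may cache the preflight result
};

// A preflight is an OPTIONS request that carries both Origin and
// Access-Control-Request-Method.
function isPreflight(method, headers) {
  return method === 'OPTIONS' &&
    Boolean(headers['origin']) &&
    Boolean(headers['access-control-request-method']);
}

// Returns { status, headers } for a preflight, or null when the request is
// not a preflight and should go to normal routing.
function handlePreflight(method, headers, policy = POLICY) {
  if (!isPreflight(method, headers)) return null;

  const wantedHeaders = (headers['access-control-request-headers'] || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  const allowed = policy.origins.has(headers['origin']) &&
    policy.methods.has(headers['access-control-request-method']) &&
    wantedHeaders.every((h) => policy.headers.has(h));

  // Denial: no Access-Control-Allow-* headers are returned, so the
  // browser fails the preflight and never sends the actual request.
  if (!allowed) return { status: 403, headers: { Vary: 'Origin' } };

  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': headers['origin'], // allow-listed only
      'Access-Control-Allow-Methods': [...policy.methods].join(', '),
      'Access-Control-Allow-Headers': [...policy.headers].join(', '),
      'Access-Control-Max-Age': String(policy.maxAgeSeconds),
      Vary: 'Origin',
    },
  };
}
```

Returning the full allowed method and header lists, rather than only what was asked for, lets one cached preflight result cover later requests to the same URL.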

4.1. What is a preflight request?

4.2. Triggering a preflight request

4.3. Identifying a preflight request

4.4. Responding to a preflight request

4.5. Recapping preflights

4.6. Preflight result cache

4.7. Summary