What is the HTTP OPTIONS request used for?
The HTTP OPTIONS method is used to describe communication options for the target resource. Browsers send an HTTP OPTIONS request to find out the supported HTTP methods and other options supported for the target resource before sending the actual request. HTTP OPTIONS requests allow clients to obtain parameters and requirements for specific resources and server capabilities without taking action on the resource or requesting the resource.
The server response can include an Allow header indicating the allowed HTTP methods for this resource or various CORS (Cross-Origin Resource Sharing) headers. The HTTP OPTIONS method is both secure and idempotent and is only intended to provide information on how to interact with a resource. If you want to change data on the server, use POST, PUT, PATCH, or DELETE methods.
For security reasons, when you send data to a different domain (cross-domain requests), browsers usually send a 'preflight' HTTP OPTIONS request to the target server before sending the data there.
HTTP OPTIONS key features
- If the request URI is an asterisk ("*"), the HTTP OPTIONS request is intended to be applied to the server as a whole and not to a specific resource.
- If the Request-URI is not an asterisk ("*"), the OPTIONS request MUST only be applied to the specified resource.
- Requests using the HTTP OPTIONS method should only retrieve data (the server should not change its state).
- The HTTP OPTIONS method is defined as idempotent, which means that multiple identical OPTIONS requests must have the same effect as a single request.
- The HTTP OPTIONS responses are not cacheable.
HTTP OPTIONS Example
The following example demonstrates sending an HTTP OPTIONS request to the ReqBin echo URL:
And the server response:
The Allow response header contains a list of HTTP methods that may be used on the target resource. Additional Cross-Origin Resource Sharing (CORS) headers may present in the server response if your target resource is located on another domain.
What is CORS?
CORS (Cross-Origin Resource Sharing) is an HTTP header-based mechanism that allows the server to specify any other source from which the browser should obtain resources or send data. These sources can differ from the current by the hostname, HTTP scheme, or port number.
CORS relies on a mechanism to send a "preflight" request to another server hosting the desired resource to see if that server will allow the actual request. In this preflight request, the browser sends CORS headers that indicate the required HTTP method and other headers to be used in the actual request.
CORS was implemented due to the limitations of the single-origin policy. The same-origin policy restricts resources to interact only with resources located in the same domain. For example, the same-origin policy prevents the browser from sending AJAX requests to another website without prior permission, as this could potentially compromise the security of that site.
However, in some cases, it may be necessary to allow resource sharing between different websites, for example, if the same service provider owns both websites or if the website provides resources through a JavaScript API.
What is the Allow header?
The Allow header in the server response lists the set of HTTP methods supported by the target URI. For example, if the server responds with a 405 Method Not Allowed status code, then the Allow header indicates which request methods can be used for this URI.
How to determine the allowed request methods?
To find out which request methods the target URL supports, you need to send an HTTP OPTIONS request to this URL:
The server response contains the Allow header, which lists the allowed methods:
What is the Preflight request?
A preflight request is a "light" request sent by the browser before the actual request. The preflight request is an HTTP OPTIONS request without a body and contains information about which HTTP method will be used and whether any additional custom HTTP headers will be present. A preflight request gives the server the chance to check what the actual request will look like before it is made and decide whether to allow or deny it.
The browser's preflight requests are automatically issued when the request qualifies as "to be preflighted" and omitted for simple requests. For example, AJAX POST requests to another domain are always accompanied by a preflight request.
Conclusion
HTTP OPTIONS requests are called preflight requests in CORS. They are required when you submit requests across different origins. The browser performs the preflight request as a security measure to ensure that the server understands the method and headers sent on the request and that the server knows and trusts the source of the request.
