OPTIONS request method
Baseline
Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2015.
The
OPTIONS HTTP method requests permitted communication options for a given URL or server.
This can be used to test the allowed HTTP methods for a request, or to determine whether a request would succeed when making a CORS preflighted request.
A client can specify a URL with this method, or an asterisk (*) to refer to the entire server.| Request has body | May* |
|---|---|
| Successful response has body | May |
| Safe | Yes |
| Idempotent | Yes |
| Cacheable | No |
| Allowed in HTML forms | No |
* Although an
OPTIONS message with a request body is technically allowed, it has no defined semantics.
You may include a body in an OPTIONS message as long as you provide a valid Content-Type header, and when you know the server expects it, as behavior is implementation-specific.Syntax
The request target may be either in 'asterisk form'
* indicating the whole server, or a request target as is common with other methods:*-
Indicates that the client wishes to request
OPTIONSfor the server as a whole, as opposed to a specific named resource of that server. <request-target>-
Identifies the target resource of the request when combined with the information provided in the
Hostheader. This is an absolute path (e.g.,/path/to/file.html) in requests to an origin server, and an absolute URL in requests to proxies (e.g.,http://www.example.com/path/to/file.html). <query>Optional-
An optional query component preceded by a question-mark
?. Often used to carry identifying information in the form ofkey=valuepairs.
Examples
Identifying allowed request methods
To find out which request methods a server supports, one can use the
curl command-line program to issue an OPTIONS request:This creates the following HTTP request:
The response contains an
Allow header that holds the allowed methods:Preflighted requests in CORS
In CORS, a preflight request is sent with the
OPTIONS method so that the server can respond if it is acceptable to send the request. In this example, we will request permission for these parameters:- The
Access-Control-Request-Methodheader sent in the preflight request tells the server that when the actual request is sent, it will have aPOSTrequest method. - The
Access-Control-Request-Headersheader tells the server that when the actual request is sent, it will have theX-PINGOTHERandContent-Typeheaders.
The server now can respond if it will accept a request under these circumstances. In this example, the server response says that:
Access-Control-Allow-Origin-
The
https://foo.exampleorigin is permitted to request thebar.example/resources/post-here/URL via the following: Access-Control-Allow-MethodsAccess-Control-Allow-Headers-
X-PINGOTHERandContent-Typeare permitted request headers for the URL. Access-Control-Max-Age-
The above permissions may be cached for 86,400 seconds (1 day).
Note:
Both
200 OK and 204 No Content are permitted status codes (external), but some browsers incorrectly believe 204 No Content applies to the resource and do not send a subsequent request to fetch it.Specifications
| Specification |
|---|
| HTTP Semantics # OPTIONS (external) |
Browser compatibility
|
Chrome
|
Edge
|
Firefox
|
Opera
|
Safari
|
Chrome Android
|
Firefox for Android
|
Opera Android
|
Safari on iOS
|
Samsung Internet
|
WebView Android
|
WebView on iOS
|
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Legend
Tip: you can click/tap on a cell for more information.
Full support
