Skip to main content

Understanding CORS Preflight Requests

·3 mins
A plane taking off
A plane taking off


Cross-Origin Resource Sharing (CORS) is a fundamental concept in web development, crucial for enabling secure and controlled access to resources across different domains.

At the heart of this mechanism is the CORS preflight request, an essential process that browsers perform to ensure that a client-side web application can safely request resources from a server hosted on a different origin.

Understanding this process is key for developers, especially when faced with the common ‘blocked by CORS policy’ error, which indicates a misconfiguration in CORS settings.

Understanding CORS Preflight Requests

A CORS preflight request is a small request sent by the browser to the server hosting the cross-origin resource before the actual request, in order to check if the actual request is safe to send. Check the diagram below for a visual representation of this process.

sequenceDiagram Browser->>+Server: preflight request Server->>-Browser: preflight response alt request is not allowed note over Browser: actual request is not sent else request is allowed Browser->>+Server: actual request Server->>-Browser: response end

Preflight requests use the HTTP OPTIONS method, and they include headers that specify the HTTP method and headers that the actual request will use. When a server receives a preflight request, it responds with the appropriate CORS headers to indicate whether or not the actual request is allowed.

How CORS Preflight Requests are Triggered

CORS preflight requests are triggered automatically by the browser under certain conditions. These conditions include:

  • HTTP methods other than GET, HEAD, or POST.
  • POST requests with content types other than application/x-www-form-urlencoded, multipart/form-data, or text/plain.
  • Requests that set custom headers.

For example, a client application making a POST request with JSON data to a server on a different domain will trigger a preflight request. This is because the content type application/json is not one of the simple types, and thus the browser needs to confirm that the server accepts requests of this nature.

Best Practices when dealing with CORS Preflight Requests

To effectively manage CORS preflight requests, developers should:

  • Ensure that the server is correctly configured to respond to preflight (OPTIONS) requests with the appropriate Access-Control-Allow-* headers.
  • Clearly define which origins, methods, and headers are acceptable.
  • Regularly review and update CORS policies to align with changes in the application.

Refer to our CORS debugger to make sure your server is correctly configured to handle CORS preflight requests.

By following these best practices, developers can prevent the ‘blocked by CORS policy’ error and ensure a smooth cross-origin resource sharing experience.

If you'd like to hear about new tools and features we release, sign up for our newsletter. Zero spam.