Chapter 4. Handling preflight requests
This chapter covers
- What a CORS preflight is
- How to respond to a CORS preflight
- How the preflight cache works
The previous chapter showed how to respond to CORS requests by using the Access-Control-Allow-Origin header. While this header is required on all valid CORS responses, there are some cases where the Access-Control-Allow-Origin header alone isn’t enough. Certain types of requests, such as DELETE or PUT, need to go a step further and ask for the server’s permission before making the actual request.
The browser asks for permissions by using what is called a preflight request. A preflight request is a small request that is sent by the browser before the actual request. It contains information ...