Introduction
The OPTIONS method is an essential HTTP request used to determine the communication options supported by a server or a specific resource. It does not manipulate data but is used for discovery, especially related to CORS (Cross-Origin Resource Sharing).
OPTIONS plays a crucial role in browser security, API integrations, and cross-domain communication. Modern web applications rely heavily on OPTIONS for preflight checks before sensitive requests are sent.
What Is an OPTIONS Request?
An OPTIONS request asks the server:
“What can I do with this resource?”
It reveals:
- Which HTTP methods are supported
- Which headers are allowed
- Whether the request can be sent cross-origin
- Which origins are permitted
- Whether credentials can be included
Key Characteristics
- Safe
- Does not change server data
- Returns metadata only
- Commonly used for preflight CORS checks
- Works for both resources and entire servers
Where Is OPTIONS Used?
OPTIONS is used for:
- Browser CORS preflight requests
- API method discovery
- Server capability testing
- Debugging backend rules
- Determining allowed custom headers
- Checking authentication requirements
Preflight Requests (Very Important)
When a browser detects:
- A custom header
- A method like PUT, DELETE, PATCH
- A non-simple Content-Type (e.g., JSON)
…it sends an OPTIONS preflight request automatically before the main request.
Example preflight request:
OPTIONS /api/user/101 HTTP/1.1
Origin: https://example-client.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: Content-Type
The server responds with headers such as:
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://example-client.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type
If these match the client’s request, the browser proceeds.
How OPTIONS Works Internally
- Client/browser sends OPTIONS
- Server returns supported methods, headers, and CORS rules
- Browser validates if the next request is allowed
- If OK → browser sends actual request
- If not allowed → browser blocks request
Example 1: Using OPTIONS with JavaScript (Fetch API)
fetch("https://api.example.com/data", {
method: "OPTIONS"
})
.then(res => {
console.log("Allowed Methods:", res.headers.get("Allow"));
console.log("CORS Origin:", res.headers.get("Access-Control-Allow-Origin"));
});
Explanation
Allowheader returns available methods- Useful for debugging API endpoints
Example 2: Using OPTIONS with cURL
curl -X OPTIONS -i https://example.com/api/users
Expected Output
HTTP/1.1 204 No Content
Allow: GET, POST, PUT, DELETE, OPTIONS
Allow is the key header.
Example 3: Implementing OPTIONS in Express.js (Node.js)
app.options("/api/user/:id", (req, res) => {
res.set({
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE",
"Access-Control-Allow-Headers": "Content-Type, Authorization"
});
res.sendStatus(204);
});
Explanation
- Enables cross-origin requests
- Defines methods supported by the server
- Returns 204 because body is not required
Important Headers in OPTIONS Responses
1. Allow
Specifies which HTTP methods are supported.
Allow: GET, POST, PUT, PATCH, DELETE, OPTIONS
2. Access-Control-Allow-Origin
Specifies which external origins can access the resource.
3. Access-Control-Allow-Methods
Specifies which methods are allowed for the resource.
4. Access-Control-Allow-Headers
Specifies which custom headers can be sent.
5. Access-Control-Max-Age
Defines how long the preflight result is cached.
OPTIONS vs HEAD vs GET
| Feature | OPTIONS | HEAD | GET |
|---|---|---|---|
| Returns Body | No | No | Yes |
| Purpose | Check methods/CORS | Get headers | Get resource |
| Used Before Actual Request | Yes (Preflight) | No | No |
| Used by Browser | Yes | Yes | Yes |
Common Response Codes for OPTIONS
| Code | Meaning |
|---|---|
| 200 OK | Metadata returned successfully |
| 204 No Content | No body, but headers returned |
| 403 Forbidden | Server refuses to provide options |
| 405 Method Not Allowed | OPTIONS is disabled for this resource |
Advantages of OPTIONS
- Critical for CORS and cross-origin apps
- Protects servers from unsafe requests
- Efficient for determining capabilities
- Useful for debugging and API testing
Disadvantages of OPTIONS
- Some servers misconfigure CORS
- Browser may block requests automatically
- Adds extra network round trips (preflight = slower)
- Needs secure configuration to avoid vulnerabilities
Real-World Use Cases
1. Cross-Origin AJAX Requests
Single-page applications (React, Angular, Vue) rely on OPTIONS to safely call backend APIs.
2. API Discovery
Developers can check available methods without documentation.
3. Security Enforcement
Servers decide which origins and headers to allow.
4. Debugging Integration Issues
OPTIONS reveals misconfigured CORS policies instantly.
