Access-Control-Allow-Methods
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2015.
The HTTP Access-Control-Allow-Methods
response header specifies one or more HTTP request methods allowed when accessing a resource in response to a preflight request.
Header type | Response header |
---|---|
Forbidden header name | No |
Syntax
Access-Control-Allow-Methods: <method>, <method>, …
Access-Control-Allow-Methods: *
Directives
<method>
-
A comma-separated list of the allowed request methods.
GET
,HEAD
, andPOST
are always allowed, regardless of whether they are specified in this header, as they are defined as CORS-safelisted methods. *
(wildcard)-
All HTTP methods. It has this meaning only for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal method name
*
without special semantics.
Examples
Access-Control-Allow-Methods: PUT, DELETE
Access-Control-Allow-Methods: *
Specifications
Specification |
---|
Fetch # http-access-control-allow-methods |
Browser compatibility
Report problems with this compatibility data on GitHubdesktop | mobile | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
Access-Control-Allow-Methods | ||||||||||||
Wildcard ( * ) |
Legend
Tip: you can click/tap on a cell for more information.
- Full support
- Full support