OPTIONS method is used to describe the communication options for the target resource. The client can specify a URL for the OPTIONS method, or an asterisk (*) to refer to the entire server.
|Request has body||No|
|Successful response has body||Yes|
|Allowed in HTML forms||No|
OPTIONS /index.html HTTP/1.1 OPTIONS * HTTP/1.1
Identifying allowed request methods
To find out which request methods a server supports, one can use curl and issue an OPTIONS request:
curl -X OPTIONS http://example.org -i
The response then contains an
Allow header with the allowed methods:
HTTP/1.1 204 No Content Allow: OPTIONS, GET, HEAD, POST Cache-Control: max-age=604800 Date: Thu, 13 Oct 2016 11:45:00 GMT Expires: Thu, 20 Oct 2016 11:45:00 GMT Server: EOS (lax004/2813) x-ec-custom-error: 1
Preflighted requests in CORS
In CORS, a preflight request with the
OPTIONS method is sent, so that the server can respond whether it is acceptable to send the request with these parameters. The
Access-Control-Request-Method header notifies the server as part of a preflight request that when the actual request is sent, it will be sent with a
POST request method. The
Access-Control-Request-Headers header notifies the server that when the actual request is sent, it will be sent with a
Content-Type custom headers. The server now has an opportunity to determine whether it wishes to accept a request under these circumstances.
OPTIONS /resources/post-here/ HTTP/1.1 Host: bar.other Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: keep-alive Origin: http://foo.example Access-Control-Request-Method: POST Access-Control-Request-Headers: X-PINGOTHER, Content-Type
The server responds with
Access-Control-Allow-Methods and says that
OPTIONS are viable methods to query the resource in question. This header is similar to the
Allow response header, but used strictly within the context of CORS.
HTTP/1.1 204 No Content Date: Mon, 01 Dec 2008 01:15:39 GMT Server: Apache/2.0.61 (Unix) Access-Control-Allow-Origin: http://foo.example Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-PINGOTHER, Content-Type Access-Control-Max-Age: 86400 Vary: Accept-Encoding, Origin Keep-Alive: timeout=2, max=100 Connection: Keep-Alive
|RFC 7231, section 4.3.7: OPTIONS||Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content|
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
|Chrome Full support Yes||Edge Full support Yes||Firefox Full support Yes||IE Full support Yes||Opera Full support Yes||Safari Full support Yes||WebView Android Full support Yes||Chrome Android Full support Yes||Firefox Android Full support Yes||Opera Android Full support Yes||Safari iOS Full support Yes||Samsung Internet Android Full support Yes|
- Full support
- Full support