Facebook Pixel

Does adding an Authorization header trigger a preflight?

Yes. Authorization is a custom header (not in the CORS-safe list). Any request with an Authorization header triggers a preflight, even a GET.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in CORS: Simple vs Non-Simple Requests

GET, POST, or HEAD with a safe Content-Type (form-urlencoded, multipart, text/plain) and no custom headers. The browser sends it directly without a preflight and checks the response headers.

PUT, DELETE, PATCH, or any request with application/json Content-Type or custom headers (Authorization, X-Custom). These trigger a preflight OPTIONS request before the actual request.

Yes. application/json is not a 'safe' Content-Type. The browser sends an OPTIONS preflight first. Only form-urlencoded, multipart/form-data, and text/plain are safe.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.