How do you avoid CORS preflight requests?
Use only GET/POST/HEAD with safe Content-Types and no custom headers. In practice, this is rarely possible for modern APIs (JSON + Authorization). Instead, configure the server to handle preflight correctly with Access-Control-Max-Age to cache the result.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in CORS: Simple vs Non-Simple Requests
GET, POST, or HEAD with a safe Content-Type (form-urlencoded, multipart, text/plain) and no custom headers. The browser sends it directly without a preflight and checks the response headers.
PUT, DELETE, PATCH, or any request with application/json Content-Type or custom headers (Authorization, X-Custom). These trigger a preflight OPTIONS request before the actual request.
Yes. application/json is not a 'safe' Content-Type. The browser sends an OPTIONS preflight first. Only form-urlencoded, multipart/form-data, and text/plain are safe.
Still have questions?
Browse all our FAQs or reach out to our support team
