What triggers a CORS preflight request?
Non-simple requests: methods other than GET/POST/HEAD (PUT, DELETE, PATCH), custom headers (Authorization, X-Custom), or Content-Type application/json. Simple requests (GET, POST with form data) do not trigger a preflight.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in CORS Interview Questions
Cross-Origin Resource Sharing. A browser security mechanism that allows servers to opt-in to cross-origin requests by including Access-Control-Allow-Origin and related headers.
An OPTIONS request sent before non-simple requests (PUT, DELETE, PATCH, custom headers, application/json). The browser checks if the server allows the method, headers, and origin before sending the actual request.
Configure the server: Access-Control-Allow-Origin (your origin), Access-Control-Allow-Methods, Access-Control-Allow-Headers. Handle OPTIONS preflight with 204. Use the cors middleware in Express. Use a proxy in development.
Still have questions?
Browse all our FAQs or reach out to our support team
