How do I cache preflight responses?

Add Access-Control-Max-Age: 86400 (seconds) to the preflight response. This tells the browser to cache the preflight result for 24 hours, avoiding repeated OPTIONS requests for the same origin/method/headers combination.

Why does my API work from Postman but not the browser?

Postman is not a browser and does not enforce CORS or send preflight requests. CORS is a browser security feature. If your API works from Postman but not the browser, the issue is missing CORS headers on your server responses.

CORS Preflight Request Failed — OPTIONS Request Blocked or Missing Headers

Errorgeneral

Overview

Fix CORS preflight failures where the browser's OPTIONS request is blocked, returns wrong headers, or the server does not handle preflight correctly.

Key Details

CORS preflight is an OPTIONS request sent before cross-origin requests that use custom headers or non-simple methods
The preflight checks if the server allows the actual request method, headers, and origin
Preflight is triggered by: custom headers, methods other than GET/POST/HEAD, non-simple content types
The server must respond to OPTIONS with Access-Control-Allow-Origin, -Methods, and -Headers
Preflight responses can be cached using Access-Control-Max-Age header to reduce overhead

Common Causes

Server does not handle OPTIONS method — returns 404, 405, or 500 instead of 200/204
Access-Control-Allow-Headers missing the custom header used in the actual request
Access-Control-Allow-Methods does not include the HTTP method of the actual request (PUT, DELETE, PATCH)
Server-side authentication middleware rejecting the OPTIONS request that has no credentials

Steps

1Check the preflight response: DevTools > Network > filter by the request > find the OPTIONS request
2Ensure the server handles OPTIONS explicitly: return 204 No Content with the correct CORS headers
3Add all custom headers to Access-Control-Allow-Headers: Authorization, Content-Type, X-Custom-Header
4Add all needed methods to Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
5Exclude OPTIONS requests from authentication middleware — preflight requests never include credentials

Related Items

browser-mixed-content-blocked-https

More in General

printer-offlinePrinter Offline Error

Warning

driver-unavailablePrinter Driver Is Unavailable

Warning

spooler-errorPrint Spooler Error

Warning

pcl-xl-errorPCL XL Error — Subsystem Kernel

Warning

printer-duplex-printing-errorsPrinter Duplex (Double-Sided) Printing Errors — Jams, Alignment & Blank Pages

Warning

printer-usb-connection-errorsUSB Printer Errors — Not Detected, Driver Issues, and Connection Troubleshooting

Warning

Frequently Asked Questions

For cross-origin requests that use: non-simple methods (PUT, DELETE, PATCH), custom headers (Authorization, X-*), or content types other than application/x-www-form-urlencoded, multipart/form-data, or text/plain.

CORS Preflight Request Failed — OPTIONS Request Blocked or Missing Headers

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in General

Frequently Asked Questions