References OPTIONS
OPTIONS
The HTTP OPTIONS method requests
permitted communication options for a
given URL or server. A client can specify a
URL with this method, or an asterisk ( * ) to
refer to the entire server.
Request has body No
Successful response has body Yes
Safe Yes
Idempotent Yes
Cacheable No
Allowed in HTML forms No
Syntax
HTTP
OPTIONS /index.html HTTP/1.1
OPTIONS * HTTP/1.1
Examples
Identifying allowed request
methods
To find out which request methods a server
supports, one can use the curl command-
line program to issue an OPTIONS request:
BASH
curl -X OPTIONS
https://example.org -i
The response then contains an Allow
header that holds the allowed methods:
HTTP
HTTP/1.1 204 No Content
Allow: OPTIONS, GET, HEAD, POST
Cache-Control: max-age=604800
Date: Thu, 13 Oct 2016 11:45:00
GMT
Server: EOS (lax004/2813)
Preflighted requests in CORS
In CORS, a preflight request is sent with the
OPTIONS method so that the server can
respond if it is acceptable to send the
request. In this example, we will request
permission for these parameters:
The Access-Control-Request-Method
header sent in the preflight request
tells the server that when the actual
request is sent, it will have a POST
request method.
The Access-Control-Request-Headers
header tells the server that when the
actual request is sent, it will have the
X-PINGOTHER and Content-Type
headers.
HTTP
OPTIONS /resources/post-here/
HTTP/1.1
Host: bar.example
Accept:
text/html,application/xhtml+xml,ap
plication/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Connection: keep-alive
Origin: https://foo.example
Access-Control-Request-Method:
POST
Access-Control-Request-Headers: X-
PINGOTHER, Content-Type
The server now can respond if it will accept
a request under these circumstances. In
this example, the server response says
that:
Access-Control-Allow-Origin
The https://foo.example origin is
permitted to request the
bar.example/resources/post-here/ URL
via the following:
Access-Control-Allow-Methods
POST , GET , and OPTIONS are permitted
methods for the URL. (This header is
similar to the Allow response header,
but used only for CORS.)
Access-Control-Allow-Headers
X-PINGOTHER and Content-Type are
permitted request headers for the URL.
Access-Control-Max-Age
The above permissions may be cached
for 86,400 seconds (1 day).
HTTP
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 01:15:39
GMT
Server: Apache/2.0.61 (Unix)
Access-Control-Allow-Origin:
https://foo.example
Access-Control-Allow-Methods:
POST, GET, OPTIONS
Access-Control-Allow-Headers: X-
PINGOTHER, Content-Type
Access-Control-Max-Age: 86400
Vary: Accept-Encoding, Origin
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Status Code
Both 200 OK and 204 No Content are
permitted status codes , but some
browsers incorrectly believe 204 No
Content applies to the resource and do not
send the subsequent request to fetch it.
Specifications
Specification
HTTP Semantics
# OPTIONS
Browser compatibility
Report problems with this compatibility
data on GitHub
Chrome
Firefox
Opera
Safari
Edge
OPTIONS Yes 12 Yes Yes Yes
Tip: you can click/tap on a cell for more information.
Full support
See also
Allow header
CORS
Found a content problem with
this page?
Edit the page on GitHub.
Report the content issue.
View the source on GitHub.
Want to get more involved? Learn how
to contribute.
This page was last modified on May 15,
2023 by MDN contributors.
Your blueprint for a
better internet.
MDN Support
About Product help
Blog Report an issue
Careers
Advertise with us
Our communities Developers
MDN Community Web Technologies
MDN Forum Learn Web Development
MDN Chat MDN Plus
Hacks Blog
Website Privacy Notice Cookies Legal
Community Participation Guidelines
Visit Mozilla Corporation’s not-for-profit parent, the Mozilla Foundation.
Portions of this content are ©1998–2023 by individual mozilla.org
contributors. Content available under a Creative Commons license.
