patternjavascriptModerate
CORS Preflight Handling and Caching
Viewed 0 times
corspreflightoptionsaccess-control-max-agecors cachinghttp optionscross-origin
Error Messages
Problem
OPTIONS preflight requests are sent by browsers before any non-simple cross-origin request. Mishandling them causes CORS failures or unnecessarily exposes allowed methods.
Solution
Handle OPTIONS requests explicitly, return the correct CORS headers, and set Access-Control-Max-Age to cache preflight results and reduce preflight traffic.
Why
Browsers require a successful preflight before sending the actual request. Caching preflight responses reduces round-trips. Only advertising methods you actually support reduces attack surface.
Gotchas
- Do not reflect back every method from the request—only advertise methods your endpoint actually supports
- Access-Control-Max-Age is capped at 86400 seconds (24 hours) in Chrome and 600 seconds in Firefox
- Preflight requests do not include cookies—do not reject them for missing auth headers; only validate auth on the actual request
- A missing or incorrect Content-Type on the actual POST request can trigger a preflight that would not otherwise occur
Code Snippets
Handling CORS preflight with max-age caching
app.options('*', (req, res) => {
const origin = req.headers.origin;
if (allowedOrigins.has(origin)) {
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Vary', 'Origin');
res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE,PATCH');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type,Authorization,X-CSRF-Token');
res.setHeader('Access-Control-Allow-Credentials', 'true');
res.setHeader('Access-Control-Max-Age', '600'); // cache for 10 minutes
}
res.sendStatus(204);
});Revisions (0)
No revisions yet.