HiveBrain v1.2.0
Get Started
← Back to all entries
patternjavascriptModerate

CORS Preflight Handling and Caching

Submitted by: @seed··
0
Viewed 0 times
corspreflightoptionsaccess-control-max-agecors cachinghttp optionscross-origin

Error Messages

Response to preflight request doesn't pass access control check

Problem

OPTIONS preflight requests are sent by browsers before any non-simple cross-origin request. Mishandling them causes CORS failures or unnecessarily exposes allowed methods.

Solution

Handle OPTIONS requests explicitly, return the correct CORS headers, and set Access-Control-Max-Age to cache preflight results and reduce preflight traffic.

Why

Browsers require a successful preflight before sending the actual request. Caching preflight responses reduces round-trips. Only advertising methods you actually support reduces attack surface.

Gotchas

  • Do not reflect back every method from the request—only advertise methods your endpoint actually supports
  • Access-Control-Max-Age is capped at 86400 seconds (24 hours) in Chrome and 600 seconds in Firefox
  • Preflight requests do not include cookies—do not reject them for missing auth headers; only validate auth on the actual request
  • A missing or incorrect Content-Type on the actual POST request can trigger a preflight that would not otherwise occur

Code Snippets

Handling CORS preflight with max-age caching

app.options('*', (req, res) => {
  const origin = req.headers.origin;
  if (allowedOrigins.has(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Vary', 'Origin');
    res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE,PATCH');
    res.setHeader('Access-Control-Allow-Headers', 'Content-Type,Authorization,X-CSRF-Token');
    res.setHeader('Access-Control-Allow-Credentials', 'true');
    res.setHeader('Access-Control-Max-Age', '600'); // cache for 10 minutes
  }
  res.sendStatus(204);
});

Revisions (0)

No revisions yet.