Preflight
Web browsers send a CORS preflight request to check whether a server understands the CORS protocol and accepts the specific methods and headers the main request will use.
The preflight is sent with the OPTIONS HTTP method, and the browser reads what the server returns for it.
- The server answers this request with an Access-Control-Allow-Methods response header.
    HTTP/1.1 204 No Content
    Connection: keep-alive
    Access-Control-Allow-Origin: https://foo.bar.org
    Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
    Access-Control-Allow-Headers: Origin, X-Requested-With
    Access-Control-Max-Age: 86400
Access-Control-Max-Age
Pre-flighted requests require the browser to first make a request to the server using the OPTIONS HTTP method.
Only after this can the main request be made if it is deemed safe.
However, making the OPTIONS call for each pre-flighted request can be expensive.
To prevent this, the server can respond with the Access-Control-Max-Age header, allowing the browser to cache the result of pre-flighted requests for a certain amount of time.
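An added example, not part of the original page: a server-side preflight check built from the sample response above, plus a simplified model of the browser's preflight cache that shows how Access-Control-Max-Age reduces the number of OPTIONS requests. The function names, the 403 rejection status, the Vary header and the capSec parameter are assumptions of this example.

```javascript
// Policy values taken from the sample response on this page.
const POLICY = {
  origins: ["https://foo.bar.org"],
  methods: ["POST", "GET", "OPTIONS", "DELETE"],
  headers: ["Origin", "X-Requested-With"],
  maxAge: 86400, // seconds the browser may cache the preflight result
};

// Server side: answer an OPTIONS preflight. `req` maps lower-cased header
// names to values (the shape Node's http module exposes as req.headers).
function answerPreflight(req, policy = POLICY) {
  const allowed = policy.headers.map((h) => h.toLowerCase());
  const wanted = (req["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = policy.origins.includes(req["origin"]) &&
    policy.methods.includes(req["access-control-request-method"]) &&
    wanted.every((h) => allowed.includes(h));
  // Rejected preflight: no CORS headers, so the browser never sends the main request.
  if (!ok) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": req["origin"], // only ever an allow-listed origin
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      "Access-Control-Max-Age": String(policy.maxAge),
      "Vary": "Origin", // the response differs per origin, so shared caches must key on it
    },
  };
}

// Browser side (simplified model, an assumption of this example): count how many
// OPTIONS requests are sent for main requests issued at the given times (seconds).
// `capSec` models the browser's own upper limit on Max-Age.
function countPreflights(times, req, policy = POLICY, capSec = Infinity) {
  let expiry = -1, sent = 0;
  for (const t of times) {
    if (expiry > t) continue; // cached preflight result still valid
    sent++;
    const res = answerPreflight(req, policy);
    const maxAge = Math.min(Number(res.headers["Access-Control-Max-Age"] || 0), capSec);
    expiry = res.status === 204 && maxAge > 0 ? t + maxAge : -1;
  }
  return sent;
}
```

A long Max-Age also delays the effect of tightening the policy: a browser holding a cached preflight result keeps using it until the entry expires.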