The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request.

Header type Response header
Forbidden header name no


Access-Control-Allow-Methods: <method>, <method>, ...
Access-Control-Allow-Methods: *


Comma-delimited list of the allowed HTTP request methods.
* (wildcard)
The value "*" only counts as a special wildcard value for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal method name "*" without special semantics.


Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Methods: *


Specification Status Comment
The definition of 'Access-Control-Allow-Methods' in that specification.
Living Standard Initial definition

Browser compatibility

ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
Access-Control-Allow-MethodsChrome Full support 4Edge Full support 12Firefox Full support 3.5IE Full support 10Opera Full support 12Safari Full support 4WebView Android Full support 2Chrome Android Full support YesFirefox Android Full support 4Opera Android Full support 12Safari iOS Full support 3.2Samsung Internet Android Full support Yes
Wildcard (*)Chrome Full support 63Edge Full support 79Firefox Full support 69IE No support NoOpera Full support 50Safari No support NoWebView Android Full support 63Chrome Android Full support 63Firefox Android No support NoOpera Android Full support 46Safari iOS No support NoSamsung Internet Android Full support 8.2


Full support
Full support
No support
No support

See also