The HTTP OPTIONS
method requests permitted communication options for a given URL or server. A client can specify a URL with this method, or an asterisk (*
) to refer to the entire server.
Request has body | No |
---|---|
Successful response has body | Yes |
Safe | Yes |
Idempotent | Yes |
Cacheable | No |
Allowed in HTML forms | No |
Syntax
OPTIONS /index.html HTTP/1.1 OPTIONS * HTTP/1.1
Examples
Identifying allowed request methods
To find out which request methods a server supports, one can use the curl
command-line program to issue an OPTIONS
request:
curl -X OPTIONS https://example.org -i
The response then contains an Allow
header that holds the allowed methods:
HTTP/1.1 204 No Content Allow: OPTIONS, GET, HEAD, POST Cache-Control: max-age=604800 Date: Thu, 13 Oct 2016 11:45:00 GMT Server: EOS (lax004/2813)
Preflighted requests in CORS
In CORS, a preflight request is sent with the OPTIONS
method so that the server can respond if it is acceptable to send the request. In this example, we will request permission for these parameters:
- The
Access-Control-Request-Method
header sent in the preflight request tells the server that when the actual request is sent, it will have aPOST
request method. - The
Access-Control-Request-Headers
header tells the server that when the actual request is sent, it will have theX-PINGOTHER
andContent-Type
headers.
OPTIONS /resources/post-here/ HTTP/1.1 Host: bar.example Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Connection: keep-alive Origin: https://foo.example Access-Control-Request-Method: POST Access-Control-Request-Headers: X-PINGOTHER, Content-Type
The server now can respond if it will accept a request under these circumstances. In this example, the server response says that:
Access-Control-Allow-Origin
- The
https://foo.example
origin is permitted to request thebar.example/resources/post-here/
URL via the following: Access-Control-Allow-Methods
POST
,GET
, andOPTIONS
are permitted methods for the URL. (This header is similar to theAllow
response header, but used only for CORS.)Access-Control-Allow-Headers
- Any script inspecting the response is permitted to read the values of the
X-PINGOTHER
andContent-Type
headers. Access-Control-Max-Age
- The above permissions may be cached for 86,400 seconds (1 day).
HTTP/1.1 204 No Content Date: Mon, 01 Dec 2008 01:15:39 GMT Server: Apache/2.0.61 (Unix) Access-Control-Allow-Origin: https://foo.example Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-PINGOTHER, Content-Type Access-Control-Max-Age: 86400 Vary: Accept-Encoding, Origin Keep-Alive: timeout=2, max=100 Connection: Keep-Alive
Specifications
Specification | Title |
---|---|
RFC 7231, section 4.3.7: OPTIONS | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
Browser compatibility
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
Desktop | Mobile | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
OPTIONS | Chrome Full support Yes | Edge Full support 12 | Firefox Full support Yes | IE Full support Yes | Opera Full support Yes | Safari Full support Yes | WebView Android Full support Yes | Chrome Android Full support Yes | Firefox Android Full support Yes | Opera Android Full support Yes | Safari iOS Full support Yes | Samsung Internet Android Full support Yes |
Legend
- Full support
- Full support