
Glossary of Security Terms: Preflight Request

by Mozilla Contributors, September 8th, 2020

Too Long; Didn't Read

A CORS preflight request is a CORS request that checks whether the CORS protocol is understood and the server is aware of it, using specific methods and headers. Preflight requests are issued automatically by the browser, and in normal cases front-end developers don't need to craft such requests themselves. A preflight appears when a request qualifies as "to be preflighted" and is omitted for simple requests. The preflight response can optionally be cached for requests made to the same URL using the Access-Control-Max-Age header.


A CORS preflight request is a CORS request that checks whether the CORS protocol is understood and the server is aware of it, using specific methods and headers.

It is an OPTIONS request, using three HTTP request headers: Access-Control-Request-Method, Access-Control-Request-Headers, and the Origin header.

A preflight request is issued automatically by the browser, and in normal cases front-end developers don't need to craft such requests themselves. It appears when a request qualifies as "to be preflighted" and is omitted for simple requests.

For example, a client might be asking a server if it would allow a DELETE request, before sending a DELETE request, by using a preflight request:

OPTIONS /resource/foo 
Access-Control-Request-Method: DELETE 
Access-Control-Request-Headers: origin, x-requested-with
Origin: https://foo.bar.org

If the server allows it, then it will respond to the preflight request with an Access-Control-Allow-Methods response header, which lists DELETE:

HTTP/1.1 204 No Content
Connection: keep-alive
Access-Control-Allow-Origin: https://foo.bar.org
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Max-Age: 86400

The preflight response can optionally be cached for requests made to the same URL using the Access-Control-Max-Age header, as in the above example.
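The following JavaScript is an added example, not part of the original glossary entry or any Mozilla code: it shows how a server could check the preflight request above against an allowlist and build the 204 response. The POLICY values, the handlePreflight and SAMPLE_PREFLIGHT names, and the choice of a 403 status for denied preflights are assumptions made for illustration.

```javascript
// Added example: the allowlist values below are assumptions modelled on the page's sample.
const POLICY = {
  origins: new Set(["https://foo.bar.org"]),
  methods: ["POST", "GET", "OPTIONS", "DELETE"],
  headers: ["origin", "x-requested-with"], // stored lower-case
  maxAge: 86400, // seconds the browser may cache the preflight result
};

// Constructed input: the preflight request from the text above.
const SAMPLE_PREFLIGHT = {
  method: "OPTIONS",
  headers: {
    "Access-Control-Request-Method": "DELETE",
    "Access-Control-Request-Headers": "origin, x-requested-with",
    Origin: "https://foo.bar.org",
  },
};

// Returns { status, headers }, or null when the request is not a preflight.
function handlePreflight(req, policy = POLICY) {
  const h = {}; // header names are case-insensitive, so index them lower-cased
  for (const [k, v] of Object.entries(req.headers)) h[k.toLowerCase()] = String(v).trim();
  const origin = h["origin"];
  const wantedMethod = h["access-control-request-method"];
  if (req.method !== "OPTIONS" || !origin || !wantedMethod) return null;

  const wantedHeaders = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowed =
    policy.origins.has(origin) && // exact match, never a substring or prefix test
    policy.methods.includes(wantedMethod) && // method names are case-sensitive
    wantedHeaders.every((name) => policy.headers.includes(name));

  // Denied: send no Access-Control-* headers, so the browser never issues the real request.
  if (!allowed) return { status: 403, headers: { Vary: "Origin" } };
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // echoed only after the allowlist check
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      "Access-Control-Max-Age": String(policy.maxAge),
      Vary: "Origin", // shared caches must not reuse one origin's answer for another
    },
  };
}

console.log(handlePreflight(SAMPLE_PREFLIGHT));
```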


Source: https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

Published under Open CC Attribution ShareAlike 3.0 license