Access-Control-Allow-Methods header
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2015.
The HTTPAccess-Control-Allow-Methodsresponse header specifies one or moreHTTP request methods allowed when accessing a resource in response to apreflight request.
| Header type | Response header |
|---|
Syntax
http
Access-Control-Allow-Methods: <method>, <method>, …Access-Control-Allow-Methods: *Directives
<method>A comma-separated list of the allowed request methods.
GET,HEAD, andPOSTare always allowed, regardless of whether they are specified in this header, as they are defined asCORS-safelisted methods.*(wildcard)All HTTP methods.It has this meaning only for requests without credentials (requests withoutHTTP cookies or HTTP authentication information). In requests with credentials, it istreated as the literal method name
*without special semantics.
Examples
http
Access-Control-Allow-Methods: PUT, DELETEAccess-Control-Allow-Methods: *Specifications
| Specification |
|---|
| Fetch # http-access-control-allow-methods |