TheOPTIONS HTTP method requests permitted communication options for a given URL or server.This can be used to test the allowed HTTP methods for a request, or to determine whether a request would succeed when making a CORS preflighted request.A client can specify a URL with this method, or an asterisk (*) to refer to the entire server.

* Although anOPTIONS message with a request body is technically allowed, it has no defined semantics.You may include a body in anOPTIONS message as long as you provide a validContent-Type header, and when you know the server expects it, as behavior is implementation-specific.

Syntax

OPTIONS *|<request-target>["?"<query>] HTTP/1.1

The request target may be either in 'asterisk form'* indicating the whole server, or a request target as is common with other methods:

*

Indicates that the client wishes to requestOPTIONS for the server as a whole, as opposed to a specific named resource of that server.

<request-target>

Identifies the target resource of the request when combined with the information provided in theHost header.This is an absolute path (e.g.,/path/to/file.html) in requests to an origin server, and an absolute URL in requests to proxies (e.g.,http://www.example.com/path/to/file.html).

<query>Optional

An optional query component preceded by a question-mark?.Often used to carry identifying information in the form ofkey=value pairs.

Examples

Identifying allowed request methods

To find out which request methods a server supports, one can use thecurl command-line program to issue anOPTIONS request:

curl -X OPTIONS https://example.org -i

This creates the following HTTP request:

OPTIONS / HTTP/2Host: example.orgUser-Agent: curl/8.7.1Accept: */*

The response contains anAllow header that holds the allowed methods:

HTTP/1.1 204 No ContentAllow: OPTIONS, GET, HEAD, POSTCache-Control: max-age=604800Date: Thu, 13 Oct 2016 11:45:00 GMTServer: EOS (lax004/2813)

Preflighted requests in CORS

InCORS, apreflight request is sent with theOPTIONS method so that the server can respond if it is acceptable to send the request. In this example, we will request permission for these parameters:

• TheAccess-Control-Request-Method header sent in the preflight request tells the server that when the actual request is sent, it will have aPOST request method.
• TheAccess-Control-Request-Headers header tells the server that when the actual request is sent, it will have theX-PINGOTHER andContent-Type headers.

OPTIONS /resources/post-here/ HTTP/1.1Host: bar.exampleAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateConnection: keep-aliveOrigin: https://foo.exampleAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-type,x-pingother

The server now can respond if it will accept a request under these circumstances. In this example, the server response says that:

Access-Control-Allow-Origin

Thehttps://foo.example origin is permitted to request thebar.example/resources/post-here/ URL via the following:

Access-Control-Allow-Methods

POST,GET, andOPTIONS are permitted methods for the URL. (This header is similar to theAllow response header, but used only forCORS.)

Access-Control-Allow-Headers

X-PINGOTHER andContent-Type are permitted request headers for the URL.

Access-Control-Max-Age

The above permissions may be cached for 86,400 seconds (1 day).

HTTP/1.1 200 OKDate: Mon, 01 Dec 2008 01:15:39 GMTServer: Apache/2.0.61 (Unix)Access-Control-Allow-Origin: https://foo.exampleAccess-Control-Allow-Methods: POST, GET, OPTIONSAccess-Control-Allow-Headers: X-PINGOTHER, Content-TypeAccess-Control-Max-Age: 86400Vary: Accept-Encoding, OriginKeep-Alive: timeout=2, max=100Connection: Keep-Alive

Specifications

Browser compatibility

See also

• HTTP request methods
• HTTP response status codes
• HTTP headers
• Allow header
• CORS