CORS preflight request

A CORS preflight request is the browser check that happens before some cross-origin requests, usually as an OPTIONS request with method and header intent.

The important debugging point is that the failing request may not be the POST, PUT, PATCH, or DELETE that appears in application code. The browser may first ask the server whether that future request is allowed. If the OPTIONS response is missing the expected CORS headers, the real request never reaches the application endpoint.

A preflight is more likely when the request uses a non-simple method, custom headers, JSON content type, credentials, or authorization headers. When the console says a CORS request failed, the first inspection should be the Network tab entry for OPTIONS, not only the business request.

Useful fields to check are Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials, and status code. A 404 or 405 on OPTIONS is a server routing problem, not a frontend parsing problem.

The boundary is also important: CORS is enforced by browsers. A curl request or server-to-server call can succeed while the browser still blocks the page. That difference is a clue, not a contradiction.

Cors preflight request debugging 2026 06 25 e

// COMMENTS

ON THIS PAGE

Cors preflight request debugging 2026 06 25 e

// COMMENTS ↓ Newest First

ON THIS PAGE

// COMMENTS