Web browsers send a CORS preflight to check whether a server understands the CORS protocol for specific methods and headers. The preflight uses the OPTIONS HTTP method, and the browser reads what the server returns for that request.
An example preflight response, including the Access-Control-Allow-Methods response header:

HTTP/1.1 204 No Content
Connection: keep-alive
Access-Control-Allow-Origin: https://foo.bar.org
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
Access-Control-Allow-Headers: Origin, X-Requested-With
Access-Control-Max-Age: 86400

Access-Control-Max-Age
Pre-flighted requests require the browser to first make a request to the server using the OPTIONS HTTP method. Only after this can the main request be made if it is deemed safe. However, making the OPTIONS call for each pre-flighted request can be expensive. To prevent this, the server can respond with the Access-Control-Max-Age header, allowing the browser to cache the result of pre-flighted requests for a certain amount of time.
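
The preflight exchange described above, seen from the server side, as an added example that is not part of the original page: a handler that produces the sample response only for an allowlisted origin, method and header set. `POLICY`, `handlePreflight` and the request shape (a method plus lower-cased header names) are hypothetical, and answering 403 to a rejected preflight is a design choice made here.

```javascript
// Policy values mirror the sample preflight response on this page.
const POLICY = {
  origins: new Set(["https://foo.bar.org"]),
  methods: ["POST", "GET", "OPTIONS", "DELETE"],
  headers: ["Origin", "X-Requested-With"],
  maxAge: 86400, // seconds the browser may cache the preflight result
};

// Returns { status, headers } for a preflight, or null when the request
// is not a preflight and should go to the normal route handlers.
function handlePreflight(req, policy = POLICY) {
  const h = req.headers;
  const wantMethod = h["access-control-request-method"];
  if (req.method !== "OPTIONS" || !h.origin || !wantMethod) return null;

  // Responses differ per Origin, so shared caches must key on it.
  const deny = { status: 403, headers: { Vary: "Origin" } };

  // Exact-match allowlist: never echo an arbitrary Origin back.
  if (!policy.origins.has(h.origin)) return deny;
  if (!policy.methods.includes(wantMethod)) return deny;

  // Header names are case-insensitive; compare in lower case.
  const allowed = policy.headers.map((n) => n.toLowerCase());
  const wantHeaders = (h["access-control-request-headers"] || "")
    .split(",")
    .map((n) => n.trim().toLowerCase())
    .filter(Boolean);
  if (!wantHeaders.every((n) => allowed.includes(n))) return deny;

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": h.origin,
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      "Access-Control-Max-Age": String(policy.maxAge),
      Vary: "Origin",
    },
  };
}
```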