Access-Control-Max-Age is one of the HTTP response headers that make up the Cross-Origin Resource Sharing (CORS) mechanism. It tells the browser how long it may cache the result of a preflight request for a particular resource, so that it does not have to repeat the preflight before every cross-origin request.
What is Access-Control-Max-Age?
The Access-Control-Max-Age response header states, in seconds, how long the browser may cache the result of a preflight request. A preflight is the CORS mechanism's way of asking the server, before the actual request is sent, whether the method and headers of that request are permitted for the calling origin. The browser sends it with the HTTP OPTIONS method, and what it caches is the server's answer: the Access-Control-Allow-Methods and Access-Control-Allow-Headers returned in the preflight response, keyed by the requesting origin and the target URL.
By setting a sensible Access-Control-Max-Age you avoid excessive preflight requests; each one is an extra round trip before the real request, which adds latency to your application.
The header has the form Access-Control-Max-Age: <delta-seconds>, where <delta-seconds> is the maximum time, in seconds, for which the preflight result may be cached.
For instance, a preflight response carrying Access-Control-Max-Age: 600 tells the browser that the result may be cached for up to 600 seconds (10 minutes).
Scenario 1: Cache Preflight Response for One Hour
Suppose your server handles CORS preflight requests and you want the preflight result cached for one hour to reduce the number of OPTIONS requests. Your response to the preflight request would include Access-Control-Max-Age: 3600.
In this case the browser will not send a new preflight for the same origin, resource, method and request headers for the next hour (subject to the browser's own upper limit, discussed under the caveats below).
Scenario 2: No Preflight Response Caching
If you do not want the preflight result cached at all, set Access-Control-Max-Age: 0 (MDN also documents -1 for this purpose; browsers treat any non-positive value as "do not cache").
A new preflight request will then be sent before every non-simple request to the resource.
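The two scenarios above, as an added example that is not part of the original article: a pure preflight handler of the kind a Node.js server would call from its request callback. It validates the Origin against an explicit allowlist instead of echoing it back, checks the requested method and headers against the policy, and emits Access-Control-Max-Age from the policy. The policy object, the function name and the sample request are assumptions made for the example.

```javascript
// Added example, not the article's own code. The policy shape, the
// function name and the sample preflight below are assumptions.

// Assumed server-side CORS policy for one resource.
const POLICY = {
  allowedOrigins: ["https://app.example.com"], // explicit allowlist, never "*" with credentials
  allowedMethods: ["GET", "POST", "PUT", "DELETE"],
  allowedHeaders: ["content-type", "authorization"], // compared lower-cased
  maxAgeSeconds: 3600, // Scenario 1: cache the preflight result for one hour
};

// Build the response to a CORS preflight (OPTIONS) request.
// `reqHeaders` is a lower-cased name -> value map, as Node's req.headers is.
// Returns { status, headers }, or null when the request is not a preflight.
function buildPreflightResponse(method, reqHeaders, policy) {
  const origin = reqHeaders["origin"];
  const reqMethod = reqHeaders["access-control-request-method"];
  if (method !== "OPTIONS" || !origin || !reqMethod) {
    return null; // an ordinary OPTIONS request, not a CORS preflight
  }
  // Unknown origin: send no CORS headers at all. The browser then fails the
  // preflight and, because failures are never cached, nothing is remembered.
  if (!policy.allowedOrigins.includes(origin)) {
    return { status: 403, headers: {} };
  }
  const requestedHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  const methodOk = policy.allowedMethods.includes(reqMethod.toUpperCase());
  const headersOk = requestedHeaders.every((h) => policy.allowedHeaders.includes(h));
  if (!methodOk || !headersOk) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": policy.allowedMethods.join(", "),
      "Access-Control-Allow-Headers": policy.allowedHeaders.join(", "),
      "Access-Control-Max-Age": String(policy.maxAgeSeconds),
      // The allow-origin value depends on the request's Origin, so shared
      // HTTP caches must key on it too.
      "Vary": "Origin",
    },
  };
}

// Constructed sample preflight from the allowed origin (not a real capture).
const samplePreflight = {
  "origin": "https://app.example.com",
  "access-control-request-method": "PUT",
  "access-control-request-headers": "Content-Type, Authorization",
};

// Scenario 1: result cacheable for one hour.
const scenario1 = buildPreflightResponse("OPTIONS", samplePreflight, POLICY);
// Scenario 2: same policy, but the preflight result must not be cached.
const scenario2 = buildPreflightResponse("OPTIONS", samplePreflight, { ...POLICY, maxAgeSeconds: 0 });

console.log(scenario1.headers["Access-Control-Max-Age"]); // 3600
console.log(scenario2.headers["Access-Control-Max-Age"]); // 0
```

In a real server the returned status and headers are written to the response and the handler returns before any application logic runs; the important property is that the 403 branches carry no Access-Control-* headers, so a rejected preflight cannot be turned into a cached allow.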
Considerations and Caveats
When setting Access-Control-Max-Age, there are a few things to keep in mind:
- Performance vs. Freshness: A longer Access-Control-Max-Age means fewer preflight requests, which improves performance. It also means that changes to your CORS policy do not take effect immediately for clients that still hold a cached preflight result. Only successful preflights are cached, so loosening a policy is visible at once; tightening it is what lags. A stale cached result does not bypass the server, though: the actual request still reaches the server, which can refuse it, and the browser still checks the Access-Control-Allow-Origin header on the actual response.
- Browser Limits: Browsers impose an upper limit on Access-Control-Max-Age. A value above the limit is not ignored; it is clamped down to the limit. Firefox caps the value at 86400 seconds (24 hours) and Chromium at 7200 seconds (2 hours; before Chrome 76 the cap was 600 seconds, which is where the often-quoted "10 minutes" comes from). If the header is absent or unparseable, the Fetch specification's default of 5 seconds applies.
- Preflight Requests: Remember, Access-Control-Max-Age only matters for requests that need a preflight. "Simple" requests are sent without one: the method is GET, HEAD or POST, and the only request headers set by the script are the CORS-safelisted ones (Accept, Accept-Language, Content-Language, and Content-Type restricted to application/x-www-form-urlencoded, multipart/form-data or text/plain). Anything else, such as a PUT or DELETE, an Authorization header, or a JSON body with Content-Type: application/json, triggers a preflight.
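The last two caveats, as an added example that is not code from the original article: one function decides whether a request is "simple" or needs a preflight, the other computes how long a given browser will actually honour an Access-Control-Max-Age value. The browser caps (Chromium 7200 s, Firefox 86400 s) and the 5-second default are the values described above; the function names and the simplifications noted in the comments are this example's own assumptions.

```javascript
// Added example, not the article's own code. Function names are assumptions;
// the caps are the Firefox and Chromium limits at the time of writing.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Returns the first reason a preflight is required, or null for a simple request.
// Simplification (assumption): the Fetch spec's extra rules for Range, the
// 128-byte header value limit and streaming bodies are not modelled here.
function preflightReason(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) {
    return `method ${method.toUpperCase()} is not CORS-safelisted`;
  }
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) {
      return `header ${name} is not CORS-safelisted`;
    }
    if (lname === "content-type") {
      // Only the media type "essence" matters; parameters such as charset do not.
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) {
        return `Content-Type ${essence} requires a preflight`;
      }
    }
  }
  return null;
}

// Upper limits browsers impose on Access-Control-Max-Age (seconds).
const BROWSER_MAX_AGE_CAP = { chromium: 7200, firefox: 86400 };

// Effective lifetime, in seconds, of a cached preflight result in one browser.
// A missing or non-integer header falls back to the spec default of 5 seconds;
// a non-positive value disables caching; larger values are clamped, not ignored.
function effectiveMaxAge(headerValue, browser) {
  const cap = BROWSER_MAX_AGE_CAP[browser];
  if (cap === undefined) {
    throw new Error(`unknown browser: ${browser}`);
  }
  if (headerValue === undefined || headerValue === null || !/^-?\d+$/.test(String(headerValue).trim())) {
    return 5;
  }
  const requested = parseInt(String(headerValue).trim(), 10);
  if (requested <= 0) {
    return 0; // 0 or -1: do not cache
  }
  return Math.min(requested, cap);
}

// Constructed sample requests (not captured traffic).
console.log(preflightReason("POST", { "Content-Type": "text/plain; charset=utf-8" })); // null (simple)
console.log(preflightReason("POST", { "Content-Type": "application/json" }));          // needs preflight
console.log(preflightReason("GET", { "Authorization": "Bearer token" }));               // needs preflight
console.log(effectiveMaxAge("86400", "chromium")); // 7200: clamped, not ignored
console.log(effectiveMaxAge("86400", "firefox"));  // 86400
console.log(effectiveMaxAge(undefined, "firefox")); // 5: spec default
```

The practical reading: if you set a Max-Age of a day, Firefox users will go a day between preflights while Chromium users will go two hours, so any policy change should be planned around the longest cap your user base actually sees, not the value you sent.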
The Access-Control-Max-Age header lets a server control how long the browser may reuse a preflight result. That is a trade-off between performance (fewer OPTIONS round trips) and how quickly a changed CORS policy reaches clients, bounded in practice by each browser's own cap. It is not a security boundary in itself: what a cross-origin caller is allowed to do is decided by the Access-Control-Allow-* headers and by the server's handling of the actual request, and a short Max-Age does not make a permissive allow-origin policy any safer. Like all aspects of CORS, set it thoughtfully, together with the rest of the policy, to get both the functionality and the security your web application needs.