Access-Control-Request-Method

The Access-Control-Request-Method header is part of the Cross-Origin Resource Sharing (CORS) mechanism. The browser sends it in a preflight request to inform the server about the HTTP method that will be used in the actual request.

What is Access-Control-Request-Method?

The Access-Control-Request-Method is an HTTP request header utilized in a preflight request to let the server know which HTTP method will be used when the actual request is made. The server then responds with whether it accepts requests with this method from the origin in question.

Basic Usage

The header follows the format:

Access-Control-Request-Method: <method>

The <method> is the HTTP method (such as GET, POST, DELETE, etc.) that will be used in the actual request.

For example, consider a preflight request with this header:

Access-Control-Request-Method: POST

Here, the client is indicating that it will make the actual request with the POST method.

Detailed Examples

Scenario 1: Requesting to Use the POST Method

Suppose your client needs to make a POST request to your server. The preflight request from the client would include:

Access-Control-Request-Method: POST

The server should then respond with an Access-Control-Allow-Methods header containing POST to indicate that this method is allowed:

Access-Control-Allow-Methods: POST

Scenario 2: Requesting to Use the PUT Method

If your client needs to make a PUT request to your server, the preflight request would include:

Access-Control-Request-Method: PUT

The server would then respond with:

Access-Control-Allow-Methods: PUT

Considerations and Caveats

When working with Access-Control-Request-Method, remember the following points:

  • Server Responsibility: It’s the server’s responsibility to decide whether to allow or disallow the method specified in Access-Control-Request-Method. If the server doesn’t respond with an Access-Control-Allow-Methods header that includes the requested method, the actual request will not be allowed.
  • Preflight Requests: Access-Control-Request-Method is used in preflight requests. These requests are sent automatically by the browser under certain conditions to check the server’s CORS policy before making the actual request.
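  • Simple Methods: Remember that for “simple” methods (GET, HEAD, POST), the method by itself does not make a preflight request necessary. The browser sends a preflight, and with it Access-Control-Request-Method, when the request uses a “non-simple” HTTP method or is non-simple for another reason such as a custom request header, which is why a preflight can name POST as in Scenario 1.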
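
One way a server can make the decision described under Server Responsibility, as an added example that is not from the original page: a function that takes the preflight's headers and a per-origin method allowlist and returns the response. The origins, the policy map and the name handlePreflight are assumptions made for illustration.

```javascript
// Added example. Origins and methods below are constructed sample policy.
const POLICY = new Map([
  ["https://app.example", ["GET", "POST", "PUT"]],
  ["https://reports.example", ["GET"]],
]);

function handlePreflight(reqHeaders, policy = POLICY) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [name, value] of Object.entries(reqHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const origin = h["origin"];
  const requested = h["access-control-request-method"];

  // A denial carries no Access-Control-Allow-* headers; the browser then
  // fails the preflight and never sends the actual request.
  const deny = (reason) => ({ status: 403, headers: { Vary: "Origin" }, reason });

  if (!origin || !requested) return deny("not a CORS preflight");
  const allowed = policy.get(origin);
  if (!allowed) return deny("origin not in policy");
  // Method names are case-sensitive: exact match only.
  if (!allowed.includes(requested)) return deny("method not allowed for origin");

  // Only a value that matched the allowlist is echoed; the raw request
  // header is never reflected into the response.
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": requested,
      Vary: "Origin",
    },
    reason: "ok",
  };
}

// Constructed preflight, as in Scenario 2.
console.log(handlePreflight({
  Origin: "https://app.example",
  "Access-Control-Request-Method": "PUT",
}));
```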

Summary

The Access-Control-Request-Method header is a critical part of the CORS mechanism, allowing clients to inform the server about the method they intend to use in the actual request. Correctly implementing and understanding this header will enhance cross-origin interactions, ensuring smoother operation and stronger security in your web applications.
