ContextQMD
Back to Content

Access-Control-Allow-Methods header

files/en-us/web/http/reference/headers/access-control-allow-methods/index.md

latest1.5 KB
Original Source

The HTTP Access-Control-Allow-Methods {{Glossary("response header")}} specifies one or more HTTP request methods allowed when accessing a resource in response to a {{glossary("preflight request")}}.

<table class="properties"> <tbody> <tr> <th scope="row">Header type</th> <td>{{Glossary("Response header")}}</td> </tr> </tbody> </table>

Syntax

http
Access-Control-Allow-Methods: <method>, <method>, …
Access-Control-Allow-Methods: *

Directives

  • <method>
    • : A comma-separated list of the allowed request methods. GET, HEAD, and POST are always allowed, regardless of whether they are specified in this header, as they are defined as CORS-safelisted methods.
  • * (wildcard)
    • : All HTTP methods. It has this meaning only for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal method name * without special semantics.

Examples

http
Access-Control-Allow-Methods: PUT, DELETE
Access-Control-Allow-Methods: *

Specifications

{{Specifications}}

Browser compatibility

{{Compat}}

See also

  • {{HTTPHeader("Access-Control-Allow-Origin")}}
  • {{HTTPHeader("Access-Control-Expose-Headers")}}
  • {{HTTPHeader("Access-Control-Allow-Headers")}}
  • {{HTTPHeader("Access-Control-Request-Method")}}
  • HTTP request methods