Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
mohamedkhallouq
GitHub Repository: mohamedkhallouq/content
 Path: blob/main/files/en-us/web/http/methods/options/index.md
6532 views
---
title: OPTIONS
slug: Web/HTTP/Methods/OPTIONS
browser-compat: http.methods.OPTIONS
---

{{HTTPSidebar}}

The HTTP OPTIONS method requests permitted communication options for a given URL or server. A client can specify a URL with this method, or an asterisk (*) to refer to the entire server.

Request has body No
Successful response has body Yes
{{Glossary("Safe/HTTP", "Safe")}} Yes
{{Glossary("Idempotent")}} Yes
{{Glossary("Cacheable")}} No
Allowed in HTML forms No

Syntax

OPTIONS /index.html HTTP/1.1
OPTIONS * HTTP/1.1

Examples

Identifying allowed request methods

To find out which request methods a server supports, one can use the curl command-line program to issue an OPTIONS request:

curl -X OPTIONS https://example.org -i

The response then contains an {{HTTPHeader("Allow")}} header that holds the allowed methods:

HTTP/1.1 204 No Content
Allow: OPTIONS, GET, HEAD, POST
Cache-Control: max-age=604800
Date: Thu, 13 Oct 2016 11:45:00 GMT
Server: EOS (lax004/2813)

Preflighted requests in CORS

In CORS, a preflight request is sent with the OPTIONS method so that the server can respond if it is acceptable to send the request. In this example, we will request permission for these parameters:

  • The {{HTTPHeader("Access-Control-Request-Method")}} header sent in the preflight request tells the server that when the actual request is sent, it will have a {{HTTPMethod("POST")}} request method.

  • The {{HTTPHeader("Access-Control-Request-Headers")}} header tells the server that when the actual request is sent, it will have the X-PINGOTHER and Content-Type headers.

OPTIONS /resources/post-here/ HTTP/1.1
Host: bar.example
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Connection: keep-alive
Origin: https://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type

The server now can respond if it will accept a request under these circumstances. In this example, the server response says that:

  • {{HTTPHeader("Access-Control-Allow-Origin")}}

    • : The https://foo.example origin is permitted to request the bar.example/resources/post-here/ URL via the following:

  • {{HTTPHeader("Access-Control-Allow-Methods")}}

    • : {{HTTPMethod("POST")}}, {{HTTPMethod("GET")}}, and OPTIONS are permitted methods for the URL. (This header is similar to the {{HTTPHeader("Allow")}} response header, but used only for CORS.)

  • {{HTTPHeader("Access-Control-Allow-Headers")}}

    • : X-PINGOTHER and Content-Type are permitted request headers for the URL.

  • {{HTTPHeader("Access-Control-Max-Age")}}

    • : The above permissions may be cached for 86,400 seconds (1 day).

HTTP/1.1 200 No Content
Date: Mon, 01 Dec 2008 01:15:39 GMT
Server: Apache/2.0.61 (Unix)
Access-Control-Allow-Origin: https://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400
Vary: Accept-Encoding, Origin
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive

Status Code

Both {{HTTPStatus("200")}} OK and {{HTTPStatus("204")}} No Content are permitted status codes, but some browsers incorrectly believe 204 No Content applies to the resource and do not send the subsequent request to fetch it.

Specifications

{{Specifications}}

Browser compatibility

{{Compat}}

See also

  • {{HTTPHeader("Allow")}} header

  • CORS