The Access-Control-Allow-Methods header specifies which HTTP methods are allowed for cross-origin requests to a resource.
When a cross-origin request uses a non-simple method (other than GET, POST, or HEAD), the browser sends a preflight request to check if the method is allowed. The server must respond with this header listing the permitted methods for the actual request to proceed.
Syntax & Values
Access-Control-Allow-Methods: <method> Access-Control-Allow-Methods: <method>, <method>, ... Access-Control-Allow-Methods: *
The Access-Control-Allow-Methods header accepts one or more HTTP methods (e.g., GET or GET, POST, PUT, DELETE) to specify which methods are allowed for the cross-origin request. Additionally, the wildcard * can be used to allow all methods.
Examples
Allowing a single method
Permits only GET requests for this cross-origin resource.
Access-Control-Allow-Methods: GET
Allowing multiple methods
Permits multiple HTTP methods such as GET, POST, PUT, and DELETE. Methods are comma-separated.
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Allowing all methods
Permits any HTTP method to be used for this cross-origin resource.
Access-Control-Allow-Methods: *
Common Errors & Fixes
Did not find method in CORS header Access-Control-Allow-Methods
Add the method to the Access-Control-Allow-Methods header on your server.
Frequently Asked Questions
Can I have multiple methods in Access-Control-Allow-Methods?
Yes, you can list multiple methods, separated by commas. For example: Access-Control-Allow-Methods: GET, POST, PUT.
Do I need to explicitly allow the OPTIONS method in Access-Control-Allow-Methods?
No, the OPTIONS method is implicitly handled by the browser during the preflight request. You don't need to list it in Access-Control-Allow-Methods.
Can I allow all methods?
Yes, you can use an asterisk (*) to allow all methods. For example: Access-Control-Allow-Methods: *.