The Access-Control-Max-Age header specifies how long (in seconds) the browser can cache the results of a CORS preflight request.
Caching preflight responses improves performance by allowing subsequent identical cross-origin requests to skip the preflight check for the specified duration, reducing latency and server load.
Syntax & Values
Access-Control-Max-Age: <seconds>
The Access-Control-Max-Age header accepts a numeric value: the number of seconds (e.g., 86400 for one day) for which the browser can cache the preflight response. During that period, subsequent identical CORS requests do not trigger a new preflight request.
Examples
Caching preflight for 1 hour
The browser can cache the preflight response for 3600 seconds (1 hour), reducing the number of preflight requests.
Access-Control-Max-Age: 3600
Caching preflight for 1 day
The browser can cache the preflight response for 86400 seconds (1 day), subject to the browser's own upper limit, significantly improving performance for frequently accessed resources.
Access-Control-Max-Age: 86400
Common Errors & Fixes
Preflight requests still being sent for every request despite setting this header
Ensure the header is sent in the OPTIONS (preflight) response, not in the response to the actual request. Check that your value doesn't exceed browser limits (7200 for Chrome, 86400 for Firefox). Verify that the requests being made are identical, and check the Network tab to confirm the header is present in OPTIONS responses.
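The checks above can be run over captured responses. The following is an added example, not part of the original page: it flags a misplaced, missing or malformed Access-Control-Max-Age and computes the lifetime each browser would honour using the limits quoted here. The function name and the shape of the `exchange` object are assumptions made for illustration.

```javascript
// Browser caps in seconds as quoted on this page; confirm against current browser docs.
const BROWSER_CAPS = { chrome: 7200, firefox: 86400 };

// `exchange` is a hypothetical shape for one captured request/response pair:
// { method: "OPTIONS", responseHeaders: { "Header-Name": "value" } }
function auditPreflightMaxAge(exchange) {
  const result = { requested: null, effective: {}, findings: [] };
  const headers = {};
  for (const [name, value] of Object.entries(exchange.responseHeaders || {})) {
    headers[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const raw = headers["access-control-max-age"];

  if (String(exchange.method).toUpperCase() !== "OPTIONS") {
    if (raw !== undefined) {
      result.findings.push("header is on a non-OPTIONS response; it only affects preflight responses");
    }
    return result;
  }
  if (raw === undefined) {
    result.findings.push("preflight response has no Access-Control-Max-Age header");
    return result;
  }
  if (!/^\d+$/.test(raw)) {
    result.findings.push(`value "${raw}" is not a whole number of seconds`);
    return result;
  }
  result.requested = Number(raw);
  for (const [browser, cap] of Object.entries(BROWSER_CAPS)) {
    result.effective[browser] = Math.min(result.requested, cap);
    if (result.requested > cap) {
      result.findings.push(`${browser} caps ${result.requested}s at ${cap}s`);
    }
  }
  return result;
}

// Constructed sample exchanges (not captured from a real site).
const samples = [
  { method: "OPTIONS", responseHeaders: { "Access-Control-Max-Age": "86400" } },
  { method: "GET", responseHeaders: { "access-control-max-age": "3600" } },
  { method: "OPTIONS", responseHeaders: { "Access-Control-Max-Age": "1h" } },
];
for (const s of samples) console.log(s.method, JSON.stringify(auditPreflightMaxAge(s)));
```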
Frequently Asked Questions
What is the maximum value I can have for Access-Control-Max-Age?
While the specification doesn't define a strict maximum, browsers impose their own limits. It's best to check current browser documentation for the most up-to-date limits.