The Access-Control-Request-Method header is automatically sent by the browser during CORS preflight requests to indicate which HTTP method will be used in the actual request.
This allows the server to approve or deny the use of that method before the actual cross-origin request is made.
Syntax & Values
Access-Control-Request-Method: <method>
The Access-Control-Request-Method header is automatically set by the browser during preflight requests. It contains the HTTP method (e.g., PUT or DELETE) that will be used in the actual cross-origin request.
Examples
Preflight for PUT request
When a request uses the PUT method, the browser automatically sends this header in the preflight request to inform the server which method will be used.
Access-Control-Request-Method: PUT
Preflight for DELETE request
When a request uses the DELETE method, the browser automatically sends this header in the preflight request.
Access-Control-Request-Method: DELETE
Frequently Asked Questions
Do I need to set this header manually?
No, the browser automatically sends this header during preflight requests based on the method in your actual request.
When is this header sent?
During preflight requests when your request uses a non-simple method (anything other than GET, HEAD, or POST) or meets other CORS preflight conditions.