I've been working on a classic SPA where the front end app lives on app.example.com while the API lives on api.example.com, hence requiring the use of CORS requests. I have set up the server to return the CORS header, and it works fine.

Whenever an AJAX request is not simple, the browser makes an extra OPTIONS request to the server to determine if it can make the call with the payload (see Simple Requests on MDN).

The question is: What are the actual benefits of doing the OPTIONS request, especially in regards to security?

Some users of my app have significant geographical latency and since the preflight cache doesn't last long, the preflight requests cause latencies to be multiplied.

I'm hoping to make POST requests simple, but just embedding the Content-Type of application/json negates that. One potential solution is to "hack" it by using text/plain or encoding in the URL. Hence, I hope to leave with a full understanding of what CORS preflight requests do for web security. Thanks.
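Added example, not part of the question or any answer: a server-side CORS decision function showing what the preflight actually gates (origin, method and header allowlists), how Access-Control-Max-Age is the safe lever against preflight latency, and why the text/plain workaround should be refused on the API side. The origin and header allowlists, the max-age value and the plain-object request shape are assumptions for the demo.

```javascript
// Added example (not from the question): a CORS policy decision for an API on
// api.example.com that serves only the SPA on app.example.com. The origin
// allowlist, header allowlist, max-age and the `req` shape are assumptions.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];
// How long the browser may reuse one preflight answer. Browsers cap it
// (Chromium: 2 hours, Firefox: 24 hours); this is the safe lever against
// preflight latency, as opposed to making requests "simple".
const MAX_AGE_SECONDS = 600;

// `req` is {method, headers} with lowercase header names; returns {status, headers}.
function corsDecision(req) {
  const origin = req.headers['origin'];
  const base = { Vary: 'Origin' }; // shared caches must key on Origin
  if (!origin) return { status: 200, headers: base }; // same-origin or non-browser
  // Unknown origin: refuse before any side effect, and send no ACAO header.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: base };
  const allow = {
    ...base,
    'Access-Control-Allow-Origin': origin, // echo the allowlisted origin, never '*'
    'Access-Control-Allow-Credentials': 'true',
  };

  // Preflight: the browser asks whether the real request may be sent at all.
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    const wantMethod = req.headers['access-control-request-method'].toUpperCase();
    const wantHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(wantMethod) ||
        !wantHeaders.every((h) => ALLOWED_HEADERS.includes(h))) {
      return { status: 403, headers: base };
    }
    return { status: 204, headers: { ...allow,
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
      'Access-Control-Max-Age': String(MAX_AGE_SECONDS) } };
  }

  // Actual request: a JSON body sent as text/plain is a "simple" request any
  // page can fire without preflight, so require application/json on
  // state-changing methods rather than sniffing the body.
  if (['POST', 'PUT', 'PATCH'].includes(req.method)) {
    const ct = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
    if (ct !== 'application/json') return { status: 415, headers: allow };
  }
  return { status: 200, headers: allow };
}
```

The 415 branch is what makes the preflight meaningful: if the API accepted JSON under text/plain, the OPTIONS round trip would gate nothing, since the "simple" request form bypasses it entirely.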