I am trying to develop a single page application (SPA) that uses as endpoint a domain that is different from the one hosted in the SPA domain (ie: site.com and site-api.com or api.site.com).

Access Control headers are already set up in the back-end, Max-Age included, however it does not seem to work.

Here's an example of what happens if I perform the same call multiple times:

These are the server headers:

• Access-Control-Allow-Headers: AUTHORIZATION,CONTENT-TYPE
• Access-Control-Allow-Methods: PATCH
• Access-Control-Allow-Origin: http://tovertaal.test:3000
• Access-Control-Max-Age: 600

Shouldn't Max-Age 600 prevent every other OPTIONS request within 600 seconds from the first OPTIONS request?

The server endpoint is http://tovertaal-api.test.

I have finally discovered what was the issue. It seems like Chrome DevTools, when disable cache is active, also disables CORS Origin cache, so it keeps triggering OPTIONS request for stuff that should have been cached already.

Make sure to keep caching enabled if you want to test it!