Login/Register
In HTTP logs I am seeing OPTIONS, GET, OPTIONS, POST why?
Asked Answered
Solved httpgethttp-options-method
B

2

5

I am currently reviewing some proxy logs and seeing:

200 OPTIONS   /api/bob/
200 GET       /api/bob/
200 OPTIONS   /api/jim/
200 PUT       /api/jim/

I am wondering a couple of things, why is it doing the OPTIONS call before each request? And, my main question is: what are the benefits of doing so?

I would have thought this would add latency and an unnecessary overhead.

Bea answered 15/8, 2014 at 9:47 Comment(2)
What is the benefit of doing the pref-light check over doing it on the actual request? Why would I do this for every request over just make half the number of requests and waiting for 4xx response?Bea
See my modified answer. I've added an explanation for the reasoning for preflight request.Finery
F
5

This might be CORS requests being made. See this MDN page on explanation how CORS works.

Basically, before making an actual request, client would make a OPTIONS request to kind of ask for permission to make an actual request. This is called a "preflight request".

One thing though - CORS doesn't require client to make an OPTIONS request before HTTP GET. So the client might be misbehaving.

You can verify whether the OPTIONS are caused by CORS by investigating their headers - if they do have Access-Control-Request-Method and Access-Control-Request-Headers headers, this is a preflight request and it's CORS.

Why preflight request is needed?

CORS is enforced by the browsers. By default most contemporary browsers wouldn't allow web JS code to make an AJAX request to the different server than this page is hosted on. This is a security measure.

CORS is a way for the browser (not the page itself!) to ask server whether it's safe to make an actual request.

For methods which could modify the resource on the server - for instance most POST's and all PUT methods - browser has to first ask whether it's okay to make this modifications. Server that supports CORS, will include special headers in the preflight response.

Without the preflight request: let's assume the browser makes the request to the server which does not support CORS. In that case making the request would probably modify the resource. And we don't want this!

For GET requests, which shouldn't change resource state, preflight request isn't necessary.

Finery answered 15/8, 2014 at 9:50 Comment(0)
T
2

OPTIONS requests are performed as a preflight to CORS requests, to ensure the origin is allowed.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests

Tiffanietiffanle answered 15/8, 2014 at 9:51 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.