Access Control Allow Methods
The HTTP Access-Control-Allow-Methods response header defines the set of HTTP request methods that are permitted when accessing a resource. This header is included in the response to a preflight request to inform the client about the allowed methods.
Syntax
Access-Control-Allow-Methods: <method>, <method>, …
Access-Control-Allow-Methods: *
The Access-Control-Allow-Methods header specifies the HTTP methods that are permitted for cross-origin requests. When implementing CORS (Cross-Origin Resource Sharing), you can define which methods are allowed.
Directives
<method>
A list of allowed request methods separated by commas. Methods such as GET, HEAD, and POST are always permitted, irrespective of their inclusion in this header, as they are classified as CORS-safelisted methods.
* (wildcard)
This symbol indicates all HTTP methods. It applies only to requests that do not carry credentials (i.e., without HTTP cookies or authentication details). In requests with credentials, it is interpreted literally as the method name * without any special meaning.
Example
Access-Control-Allow-Methods: PUT, DELETE
Access-Control-Allow-Methods: *
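The directive rules on this page (safelisted methods always pass, * is a wildcard only without credentials, and is a literal method name with them) can be modelled as a small check. This is an added JavaScript example, not code from the original page or from Requestly; the function names parseAllowMethods, methodAllowed and reviewPolicy are assumptions chosen for illustration.

```javascript
// Added example: models how a client evaluates Access-Control-Allow-Methods
// from a preflight response, following the directive rules on this page.
const SAFELISTED = new Set(["GET", "HEAD", "POST"]); // CORS-safelisted methods

// Split the header value into its comma-separated method tokens.
function parseAllowMethods(headerValue) {
  return (headerValue || "")
    .split(",")
    .map((token) => token.trim())
    .filter((token) => token.length > 0);
}

// Returns true when `method` passes the preflight method check.
// `withCredentials` is true for requests that carry cookies or HTTP auth.
function methodAllowed(headerValue, method, withCredentials) {
  if (SAFELISTED.has(method)) return true; // permitted even if not listed
  const methods = parseAllowMethods(headerValue);
  if (methods.includes(method)) return true; // listed explicitly (exact match)
  // "*" means "all methods" only when no credentials are attached; with
  // credentials it is just a method literally named "*".
  return !withCredentials && methods.includes("*");
}

// Hypothetical review helper: flags header values that do not do what the
// operator probably intended. `allowCredentials` says whether the same
// endpoint is meant to serve credentialed cross-origin requests.
function reviewPolicy(headerValue, allowCredentials) {
  const methods = parseAllowMethods(headerValue);
  const findings = [];
  if (methods.includes("*") && allowCredentials) {
    findings.push("'*' is not a wildcard for credentialed requests; list the methods explicitly");
  }
  for (const m of methods) {
    if (SAFELISTED.has(m)) {
      findings.push(`${m} is CORS-safelisted; listing it is redundant`);
    }
  }
  return findings;
}

// Constructed sample values, not taken from a real server.
console.log(methodAllowed("PUT, DELETE", "DELETE", true)); // explicit entry
console.log(methodAllowed("*", "PATCH", false));           // wildcard, no credentials
console.log(methodAllowed("*", "PATCH", true));            // literal "*", credentials
console.log(reviewPolicy("*", true));
```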
How to Modify Header using Requestly
Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the Access-Control-Allow-Methods header. This is particularly helpful when testing how your server responds to different HTTP methods or to simulate CORS policy changes during development or debugging.
Steps to Modify the Access-Control-Allow-Methods Header:
- Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
- Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
- Add a new header modification:
  - Under “Action”, select “Add” or “Override”.
  - In the “Header Name” field, enter Access-Control-Allow-Methods.
  - In the “Header Value” field, enter the HTTP methods you want to allow (e.g., GET, POST, PUT).
- Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-api.com/*).
- Save the rule.
Once set up, Requestly will inject the specified Access-Control-Allow-Methods header into all matching responses, enabling you to test cross-origin requests and ensure your API handles the allowed HTTP methods properly.