🎉 Requestly joins BrowserStack to build the future of application testing. Read more

HTTP Headers

Access Control Allow Methods

HTTP Header

The HTTP Access-Control-Allow-Methods response header defines the set of HTTP request methods that are permitted when accessing a resource. This header is included in the response to a preflight request to inform the client about the allowed methods.

Syntax

http
Access-Control-Allow-Methods: <method>, <method>, …
Access-Control-Allow-Methods: *

The Access-Control-Allow-Methods header specifies the HTTP methods that are permitted for cross-origin requests. When implementing CORS (Cross-Origin Resource Sharing), you can define which methods are allowed.

Directives

<method>

A list of allowed request methods separated by commas.
Methods such as GET, HEAD, and POST are always permitted, irrespective of their inclusion in this header, as they are classified as CORS-safelisted methods.

* (wildcard)

This symbol indicates all HTTP methods.
It applies only to requests that do not carry credentials (i.e., without HTTP cookies or authentication details).
In requests with credentials, it is interpreted literally as the method name * without any special meaning.

Example

http
Access-Control-Allow-Methods: PUT, DELETE
Access-Control-Allow-Methods: *

How to Modify Header using Requestly

Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the Access-Control-Allow-Methods header. This is particularly helpful when testing how your server responds to different HTTP methods or to simulate CORS policy changes during development or debugging. Steps to Modify the Access-Control-Allow-Methods Header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter Access-Control-Allow-Methods.
    • In the “Header Value” field, enter the HTTP methods you want to allow (e.g., GET, POST, PUT).
  4. Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-api.com/*).
  5. Save the rule.

Once set up, Requestly will inject the specified Access-Control-Allow-Methods header into all matching responses, enabling you to test cross-origin requests and ensure your API handles the allowed HTTP methods properly.