OPTIONS
The OPTIONS requests communication options about the target URI.
OPTIONS is not often implemented as intended, and is not well defined. Typically resources options are communicated through HTTP headers, eliminating the need for an additional OPTIONS request. Additionally, no media type has been defined for OPTIONS responses, making automated use of the method difficult.
"Communication options" is not well defined, but could include things like content negotiation configuration, media types, metadata, alternate versions of a resource, supported encodings, required permissions, and so forth.
The most common use of an OPTIONS request in the wild is a "CORS pre-flight request," typically by Web browsers when a webpage wants to make an HTTP request to another origin.
Writing requests (clients)
There isn't currently a well-known use for OPTIONS as it is defined. Clients will typically only make an OPTIONS request when there is a specific application that requires it.
Web browsers may make an OPTIONS request to fill CORS requirements. However, this is a workaround to protect a user's Web browser from making malicious requests to HTTP servers inside their private network; it does not secure HTTP servers in general, and its use is only applicable to HTTP requests made from scripts written by untrusted parties.
Reading requests (intermediaries)
If the request headers contain Max-Forwards: 0
, then handle the request as the origin; in this case, the representation options will be information describing the message handling configuration of this server.
Otherwise the HTTP message should be forwarded as usual.
Reading requests (servers)
CORS requests
Servers will typically want to add CORS headers to OPTIONS responses, so that information is made available to resources in other origins. (This information would normally be available through use of a CORS proxy, adding CORS headers removes the need for a proxy.) For information, see Enable CORS. At the very least, servers will want to add:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Other requests
Servers that wish to implement OPTIONS as intended may wish to return a document containing a list of resources that could be negotiated, and their negotiating metadata. For example:
<http://www.example.com/index.txt>;type="text/plain" <http://www.example.com/index.html>;type="application/xhtml+xml" <http://www.example.com/index.json>;type="application/json"
Usage in the wild
This list is incomplete, you can suggest additions.
Usage by CORS (Cross-Origin Resource Sharing)
CORS is a procedure used by Web browsers to determine if webpages from one origin may make HTTP requests to another origin. The request that determines this is called a "pre-flight request" and is made over OPTIONS. This usage somewhat overloads the intended use of OPTIONS.
Overview table
- Name
- OPTIONS
- Description
- Requests requests communication options about the resource.
- Specification
- RFC 5789: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. 4.3.7. OPTIONS