Access-Control-Allow-Methods Header

The Access-Control-Allow-Methods HTTP response header specifies the method or methods allowed when accessing a resource, in response to a preflight request. It is used in CORS (Cross-Origin Resource Sharing) to control which HTTP methods a client-side web application on another origin is permitted to use. It matters for security because it lets a server prevent cross-origin client-side applications from performing harmful actions on its resources.

Syntax

Access-Control-Allow-Methods: <method>, <method>, ...

Directives

  • <method>: A method allowed for accessing the resource. Several methods are given as a comma-separated list; examples include GET, POST, DELETE, PUT and OPTIONS.

Examples

To allow only the GET and POST methods from a client-side application, the header looks like this:

Access-Control-Allow-Methods: GET, POST

To allow all methods:

Access-Control-Allow-Methods: *
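The preflight exchange this header takes part in, as an added example that is not part of the original page. The header is sent by the server in its response to the browser's OPTIONS request and is enforced by the browser, so it restricts browser-based cross-origin callers only; a copy of the header placed in a request has no effect. The server function, the browser model, and the origins and methods used are assumptions chosen for illustration. The browser model follows the Fetch standard's rule that a '*' in the list is a literal value, not a wildcard, when the request includes credentials, which is why the 'allow all' form above should not be combined with credentialed requests.

```python
# Added example (not from the original page): the preflight exchange that
# Access-Control-Allow-Methods takes part in, modelled on both sides.
# preflight_response answers an OPTIONS preflight from a server allowlist;
# browser_allows_method is a simplified model of the method check in the
# Fetch standard.  Origins, methods and function names are assumptions.

# Methods the browser treats as CORS-safelisted: they never fail the
# preflight method check on their own (headers may still trigger a preflight).
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}


def preflight_response(request_headers, allowed_origins, allowed_methods):
    """Server side: answer a preflight (OPTIONS) request.

    request_headers  -- headers of the OPTIONS request (any key case)
    allowed_origins  -- set of origins the resource may be shared with
    allowed_methods  -- list of methods the server exposes cross-origin
    Returns (status, response_headers).  An unknown origin gets no CORS
    headers at all, so the browser fails the fetch before the method check.
    """
    lowered = {k.lower(): v for k, v in request_headers.items()}
    origin = lowered.get("origin")
    if origin not in allowed_origins:
        return 403, {}
    return 204, {
        # Echo the specific origin rather than '*'; Vary keeps caches honest.
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": ", ".join(allowed_methods),
        "Access-Control-Max-Age": "600",
    }


def browser_allows_method(method, response_headers, credentials_include=False):
    """Browser side: simplified model of the Fetch preflight method check.

    The requested method passes if it is listed in
    Access-Control-Allow-Methods, or is CORS-safelisted, or the list
    contains '*' and the request carries no credentials.  With credentials
    ('include' mode) a '*' is just a literal value, not a wildcard.
    Real browsers compare method names case-sensitively; this model
    uppercases for simplicity.
    """
    lowered = {k.lower(): v for k, v in response_headers.items()}
    raw = lowered.get("access-control-allow-methods", "")
    listed = [m.strip().upper() for m in raw.split(",") if m.strip()]
    wanted = method.upper()
    if wanted in listed or wanted in SAFELISTED_METHODS:
        return True
    return "*" in listed and not credentials_include


# Constructed server policy for the walk-through (assumed values).
ALLOWED_ORIGINS = {"https://app.example"}
ALLOWED_METHODS = ["GET", "POST"]


def run_exchange(origin, method, credentials_include=False):
    """Play one preflight: browser sends OPTIONS, server answers, browser decides."""
    preflight = {
        "Origin": origin,
        "Access-Control-Request-Method": method,
    }
    status, response = preflight_response(preflight, ALLOWED_ORIGINS, ALLOWED_METHODS)
    if status != 204:
        return False  # no CORS headers came back: the browser blocks the request
    return browser_allows_method(method, response, credentials_include)


if __name__ == "__main__":
    for origin, method, creds in [
        ("https://app.example", "POST", False),
        ("https://app.example", "DELETE", False),
        ("https://other.example", "POST", False),
    ]:
        verdict = "allowed" if run_exchange(origin, method, creds) else "blocked"
        print(f"{method:6} from {origin}: {verdict}")
```

Running the script prints one verdict per constructed exchange: POST from the allowed origin is allowed, DELETE from the same origin is blocked because it is not in the server's list, and POST from an unknown origin is blocked because the server returned no CORS headers at all.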

Browser Compatibility

Chrome   Supported
Firefox  Supported
Safari   Supported
Opera    Supported
Edge     Supported

How to modify Access-Control-Allow-Methods header

ModHeader is a Chrome extension that can be used to modify request headers. Let's consider a scenario in which we want to modify the Access-Control-Allow-Methods header to allow only the POST method.

  1. Install the ModHeader extension from the Chrome Web Store.
  2. Open ModHeader; you will see two areas, one for 'Request Headers' and one for 'Filters'.
  3. In the 'Request Headers' section, enter 'Access-Control-Allow-Methods' in the 'Name' field.
  4. Enter 'POST' in the 'Value' field.
  5. All requests now sent from this browser will allow only the POST method.

ModHeader is useful, for example, when debugging or testing CORS behaviour in a web app, because it lets you modify header data on the fly.