Access-Control-Allow-Methods Header
The Access-Control-Allow-Methods HTTP response header specifies the method or methods allowed when accessing a resource in response to a preflight request. It is used in CORS (Cross-Origin Resource Sharing) to control which HTTP methods are permitted from a client-side web application. It matters for security because it can prevent certain client-side applications from performing harmful actions on a server's resources.
Syntax
Access-Control-Allow-Methods: <method>, <method>, ...
Directives
- <method>: Method allowed for accessing the resource. This is specified as a comma-separated list. Examples of methods include GET, POST, DELETE, PUT, OPTIONS, etc.
Examples
To allow only GET and POST methods from a client-side application, your header would look something like this:
Access-Control-Allow-Methods: GET, POST
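To allow all methods (the * wildcard applies only to requests made without credentials; for credentialed requests it is treated as the literal method name "*"):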
Access-Control-Allow-Methods: *
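The browser-side check that this header feeds, as an added example that is not part of the original page: a simplified JavaScript model of how the Fetch standard evaluates the method list in a preflight response. The function names are hypothetical and the sample cases are constructed. It goes beyond the two headers above to show that GET, HEAD and POST are never restricted by this header and that method matching is case-sensitive.

```javascript
// Added example: simplified model of the method check a browser applies to a
// preflight response (per the Fetch standard). Helper names are hypothetical.
const SAFELISTED = new Set(["GET", "HEAD", "POST"]); // CORS-safelisted methods
const NORMALIZED = new Set(["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"]);
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // HTTP token characters

// fetch() upper-cases only these six methods; anything else (e.g. "patch")
// is sent exactly as written.
function normalizeMethod(method) {
  const upper = method.toUpperCase();
  return NORMALIZED.has(upper) ? upper : method;
}

// Parse the header value into a list of methods; null means it is malformed.
function parseAllowMethods(value) {
  const items = (value || "").split(",").map((s) => s.trim()).filter((s) => s !== "");
  return items.every((s) => TOKEN.test(s)) ? items : null;
}

// True when the preflight response permits the actual request's method.
function methodPermitted(allowMethodsHeader, requestMethod, credentialsInclude) {
  const methods = parseAllowMethods(allowMethodsHeader);
  if (methods === null) return false;          // malformed header: preflight fails
  const method = normalizeMethod(requestMethod);
  if (SAFELISTED.has(method)) return true;     // never restricted by this header
  if (methods.includes(method)) return true;   // exact, case-sensitive match
  // "*" acts as a wildcard only when the request carries no credentials
  return !credentialsInclude && methods.includes("*");
}

// Constructed sample cases: [header value, request method, credentials included]
const cases = [
  ["GET, POST", "DELETE", false],
  ["POST", "GET", false],
  ["*", "DELETE", false],
  ["*", "DELETE", true],
  ["PATCH", "patch", false],
  ["GET, PUT", "put", false],
];
for (const [header, method, creds] of cases) {
  console.log(`${header} | ${method} | credentials=${creds} ->`,
    methodPermitted(header, method, creds));
}
```

Because safelisted methods always pass this check, the header cannot be relied on to block cross-origin GET, HEAD or POST; the server still has to authorize those requests itself.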
Browser Compatibility
Browser | Compatibility |
---|---|
Chrome | Supported |
Firefox | Supported |
Safari | Supported |
Opera | Supported |
Edge | Supported |
How to modify Access-Control-Allow-Methods header
ModHeader is a Chrome extension that can be used to modify request headers. Let's consider a scenario in which we want to modify the Access-Control-Allow-Methods header to allow only POST methods.
- Install the ModHeader extension from the Chrome Web Store.
- Open ModHeader; you will see two box areas, one for 'Request Headers' and one for 'Filters'.
- In the 'Request Headers' section, enter 'Access-Control-Allow-Methods' in the 'Name' field.
- Enter 'POST' in the 'Value' field.
- All requests sent from this browser will now allow only the POST method.
ModHeader proves useful, for example, when debugging or testing CORS behaviours in a web app, because it allows header data to be modified on the fly.