Access-Control-Max-Age Header

Table of Content

  • Syntax
  • Directives
  • Examples
  • Browser Compatibility
  • How to modify Access-Control-Max-Age header The Access-Control-Max-Age header is an HTTP header that is part of the Cross-Origin Resource Sharing (CORS) specification. Its function is to define the amount of time, in seconds, that the results of a preflight request can be cached by a client browser. Through this, it significantly reduces the amount of requests made to the server, particularly in situations where multiple CORS requests are made to the same server.


The Access-Control-Max-Age Header follows a very simple syntax:

Access-Control-Max-Age: <delta-seconds>

Where <delta-seconds> is the amount of time the preflight request results can be cached, in seconds.


The Access-Control-Max-Age header has only one directive, which is <delta-seconds>. This represents the duration of time in seconds that the preflight request can be cached.


For instance, setting the Access-Control-Max-Age header to 86400 seconds (24 hours) would look like this:

Access-Control-Max-Age: 86400

This indicates that the results of a preflight request can be cached by the client for 24 hours before it needs another full preflight request.

Browser Compatibility

Browser Compatibility
Chrome Supported
Firefox Supported
Safari Supported
Opera Supported
Edge Supported

How to modify Access-Control-Max-Age header

ModHeader is a Chrome extension that allows you to add, modify, and remove HTTP request headers. This tool can be particularly useful when debugging and testing CORS.

Here is an example of how to modify the Access-Control-Max-Age header using ModHeader:

  1. Add ModHeader to your Chrome browser.
  2. Click on the ModHeader icon on your Chrome toolbar to open it.
  3. You will see an 'Add' button in the Response headers section. Click it to add a new header.
  4. Type 'Access-Control-Max-Age' in the 'Name' field.
  5. Fill in the 'Value' field with the number of seconds you want to set. For example, '600'.
  6. Now you can browse as normal, but the Access-Control-Max-Age header is set to the value you've given.

This allows developers to test how their applications handle different Access-Control-Max-Age values without having to modify server-side code.