Reputation: 122
HTTP Headers: Access-Control-Allow-Methods VS Allow
What is the main difference between these two headers?
Access-Control-Allow-Methods is located in headers collection of the request while Allow can be found inside of Content.Headers collection.
Which one I should care about while handling OPTIONS requests?
Upvotes: 1
Views: 944
Answers (1)
Reputation: 943207
Allow is a basic HTTP header which is used to describe which HTTP methods may be used to request a resource. This is in general and not specifically for JS. The header predates the existence of JS.
Access-Control-Allow-Headers is a CORS extension to HTTP which describes which HTTP methods may be used by client-side code to make cross-origin requests to a resource.
You must include an Allow header if you are making a 405 response. You may always include it.
You need to include Access-Control-Allow-Headers if you are making a response to a preflight OPTIONS request (unless you don't want to use it to grant the follow-up request any permissions).
Upvotes: 2
Related Questions
- 403 Forbidden vs 401 Unauthorized HTTP responses
- Should Access-Control-Allow-Methods include OPTIONS
- How do I know which access-control-allow-headers to allow for CORS?
- In the HTTP CORS spec, what's the difference between Allow-Headers and Expose-Headers?
- Access-Control-Max-Age vs Cache-Control
- Where should the security headers be? Response headers or Request headers?
- http accept and content-type headers confusion
- CORS - When to return `Access-Control-Expose-Headers`
- Should a HTTP Allow header contain "OPTIONS"?
- Difference between 'Allow' and 'Access-Control-Allow-Methods' in HTTP response header?