Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to respond to an HTTP OPTIONS request?

Tags:

http

The HTTP OPTIONS method is supposedly used to determine what other methods the server supports on a given resource. Given that, I have two questions:

  • What does this response look like? I have seen examples with CSV lists in Public, Allow, and even Access-Control-Allow-Methods headers. Are they all needed? What's the difference? RFC 2616 doesn't seem to be very helpful here.

  • Would it be appropriate to use this to list the actions that a resource supports in a non-REST-API environment? For example, if my ConversionController supports the action convert, would a response like this make sense:

Request:

OPTIONS /conversion HTTP/1.1

Response:

HTTP/1.1 200 OK ... Allow: CONVERT ...
like image 405
FtDRbwLXw6 Avatar asked Aug 13 '12 00:08

FtDRbwLXw6

People also ask

How do I use HTTP options method?

The HTTP OPTIONS method requests permitted communication options for a given URL or server. A client can specify a URL with this method, or an asterisk ( * ) to refer to the entire server.

What should Options Call Return?

The expected return on a call option equals: (expected price of the asset at the expiration date - the strike price) the quantity of the asset the option allows you to buy, minus the price you paid for the option.

What is Options HTTP used for?

The HTTP OPTIONS method is used to describe the communication options for the target resource. This method allows the client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval.

2 Answers

RFC 2616 defines "Allow" (http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.7). "Public" is not in use anymore. "Access-Control-Allow-Methods" is defined in the CORS specification (see http://www.w3.org/TR/cors/).

like image 92
Julian Reschke Avatar answered Sep 22 '22 14:09

Julian Reschke

What is an HTTP OPTIONS request?

It is a request from the client to know what HTTP methods the server will allow, like GET, POST, etc.

Request

The request might look like this when asking about the options for a particular resource:

OPTIONS /index.html HTTP/1.1

or like this when asking about the server in general:

OPTIONS * HTTP/1.1

Response

The response would contain an Allow header with the allowed methods:

Allow: OPTIONS, GET, HEAD, POST

Why is the server receiving an HTTP OPTIONS request?

  • Some REST APIs need it (but if you are defining the API, you'd know that)
  • Browsers send it to servers as "preflighted" requests to see if the server understands CORS
  • Attackers send it to get more information about the API

How to respond to an HTTP OPTIONS request?

  • You could respond with an Allowed header and even document your API in the body.
  • You could respond with additional CORS defined Access-Control-Request-* headers.
  • You could respond with 405 Method Not Allowed or 501 Not Implemented.

How do I stop getting HTTP OPTIONS requests?

  • If it's coming from a browser then update your API so that it isn't doing anything "dangerous" (like PUT or DELETE, or POST with application/json). Only perform simple requests.

See also

  • RFC 2616 Section 9: Method definitions
  • MDN Web docs: OPTIONS
  • MDN Web docs: Cross-Origin Resource Sharing (CORS)
  • CORS - What is the motivation behind introducing preflight requests?
  • How to exploit HTTP Methods
like image 31
Suragch Avatar answered Sep 23 '22 14:09

Suragch
Sign in to Comment

Related questions

HTTP status code for temporarily unavailable pages
Basic static file server in NodeJS
Parsing Query String in node.js
Spring MVC How take the parameter value of a GET HTTP Request in my controller method?
Disabling browser caching for all browsers from ASP.NET
Are query string keys case sensitive?
Is a response-body allowed for a HTTP-DELETE-request?
Console errors. Failed to load resource: net::ERR_INSECURE_RESPONSE
Place API key in Headers or URL
Examples of HTTP API Rate Limiting HTTP Response headers
How can I programmatically remove the 2 connection limit in WebClient
node.js http 'get' request with query string parameters
Should a 502 HTTP status code be used if a proxy receives no response at all?
Save a large file using the Python requests library [duplicate]
Can I use tcpdump to get HTTP requests, response header and response body?
Are JSON web services vulnerable to CSRF attacks?
What encoding should I use for HTTP Basic Authentication?
Max value for cache control header in HTTP
Node js Error: Protocol "https:" not supported. Expected "http:"
How to solve SocketException: Failed host lookup: 'www.xyz.com' (OS Error: No address associated with hostname, errno = 7)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!