In HTTP logs I am seeing OPTIONS, GET, OPTIONS, POST why?

Question

I am currently reviewing some proxy logs and seeing:

200 OPTIONS   /api/bob/
200 GET       /api/bob/
200 OPTIONS   /api/jim/
200 PUT       /api/jim/

I am wondering a couple of things, why is it doing the OPTIONS call before each request? And, my main question is: what are the benefits of doing so?

I would have thought this would add latency and an unnecessary overhead.

Answer 1

This might be CORS requests being made. See this MDN page on explanation how CORS works.

Basically, before making an actual request, client would make a OPTIONS request to kind of ask for permission to make an actual request. This is called a "preflight request".

One thing though - CORS doesn't require client to make an OPTIONS request before HTTP GET. So the client might be misbehaving.

You can verify whether the OPTIONS are caused by CORS by investigating their headers - if they do have Access-Control-Request-Method and Access-Control-Request-Headers headers, this is a preflight request and it's CORS.

---

Why preflight request is needed?

CORS is enforced by the browsers. By default most contemporary browsers wouldn't allow web JS code to make an AJAX request to the different server than this page is hosted on. This is a security measure.

CORS is a way for the browser (not the page itself!) to ask server whether it's safe to make an actual request.

For methods which could modify the resource on the server - for instance most POST's and all PUT methods - browser has to first ask whether it's okay to make this modifications. Server that supports CORS, will include special headers in the preflight response.

Without the preflight request: let's assume the browser makes the request to the server which does not support CORS. In that case making the request would probably modify the resource. And we don't want this!

For GET requests, which shouldn't change resource state, preflight request isn't necessary.