Method DELETE is not allowed by Access-Control-Allow-Methods in preflight response

Question

I am trying to make a DELETE ajax request but I can't seem to make it work. When I make it using POSTMAN it works. Here's my code:

This is my request, made with jQuery's .ajax() method:

$.ajax({
    url: imageUrl,
    type: 'DELETE',
    crossDomain: true
});

On the server, a different app built with node.js + express, I have:

app.use(function(req, res, next) {
    res.header("Access-Control-Allow-Origin", "*");
    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
    next();
});

---

And finally, these are my Request, Request Headers and Response Headers:

Request

Request URL:http://original/request/url
Request Method:OPTIONS
Status Code:200 OK
Remote Address:75.126.137.93:80 

Request Headers

Accept:*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4,es;q=0.2,gl;q=0.2
Access-Control-Request-Headers:
Access-Control-Request-Method:DELETE
Connection:keep-alive
Host:fs.bvodola.webfactional.com
Origin:http://localhost:3000
Referer:http://localhost:3000/landing/admin/add-page
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Response Headers

Access-Control-Allow-Headers:Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin:*
Allow:GET,HEAD,DELETE
Connection:keep-alive
Content-Length:15
Content-Type:text/html; charset=utf-8
Date:Sat, 03 Sep 2016 23:34:17 GMT
ETag:W/"f-W+bYAIA7Bs2GwQecFLp1SA"
Server:nginx
X-Powered-By:Express

And in the Console i get the following:

XMLHttpRequest cannot load http://original/request/url. Method DELETE is not allowed by Access-Control-Allow-Methods in preflight response.

How can I solve this? On some StackOverflow questions I read that Access-Control-Allow-Headers must the same as Access-Control-Request-Headers. But when I try to set it on the jQuery request, I get the following on the console:

Refused to set unsafe header "Access-Control-Request-Headers"

Any ideas of what might be wrong? Thanks!

---

I have looked at the following StackOverflow questions but couldn't find the answer:

• DELETE is not allowed by Access-Control-Allow-Methods
• Always got Method DELETE is not allowed by Access-Control-Allow-Methods in preflight response
• Access-Control-Allow-Origin in preflight response doesn't enable cross-domain access
• Request header field Access-Control-Allow-Headers is not allowed by Access-Control-Allow-Headers

Answer 1

Add Access-Control-Allow-Methods as well in the response headers with the methods you would like to allow as comma separated: 'GET, POST,DELETE...'