References HTTP Reference Headers Access-Control-Allow-Methods
Collection
Language

Access-Control-Allow-Methods

The HTTP Access-Control-Allow-Methods response header specifies one or more HTTP request methods allowed when accessing a resource in response to a preflight request.

Header type Response header
Forbidden request header No

Syntax

http
Access-Control-Allow-Methods: <method>, <method>, …
Access-Control-Allow-Methods: *

Directives

<method>

A comma-separated list of the allowed request methods. GET, HEAD, and POST are always allowed, regardless of whether they are specified in this header, as they are defined as CORS-safelisted methods.

* (wildcard)

All HTTP methods. It has this meaning only for requests without credentials (requests without HTTP cookies or HTTP authentication information). In requests with credentials, it is treated as the literal method name * without special semantics.

Examples

http
Access-Control-Allow-Methods: PUT, DELETE
Access-Control-Allow-Methods: *

Specifications

Browser compatibility

See also

In this article

Your blueprint for a better internet.

MDN
Support
Our communities
Developers

Visit Mozilla Corporation’s not-for-profit parent, the Mozilla Foundation.
Portions of this content are ©1998–2024 by individual mozilla.org contributors. Content available under a Creative Commons license.