Querying the server for resource capabilities

OPTIONS Method

Preliminaries

This note provides supplementary information about the server's implementation of the standard HTTP OPTIONS method to query resource capabilities, and to implement cross-origin resource sharing exceptions.

The OPTIONS request was used historically as a programmatic way to query the server about which methods a resource is able to handle. This is still one of its roles.

With the advent of the cross-origin resource sharing protocol, the OPTIONS method has been pulled into the additional duty of providing a mechanism for browsers to determine if any exceptions to the same-origin policy have been granted by the server.

Request/response handlers

The server's request/response cycle for OPTIONS requests is fulfilled using this sequence of handlers:

Request Handler Optional Configurable
1 Server Name Indication no no
2 Hosts no yes
3 IP Access yes yes
4 Resource Masks yes yes
5 Raw Path no no
6 Cookies no no
7 Forbidden yes yes
8 Cross Origin yes yes
9 RBAC yes yes
10 Allow no no
Dynamic Handler Optional Configurable
11 Router yes yes
Response Handler Optional Configurable
12 Content Length no no
13 Status Codes no yes

Status codes

OPTIONS requests always return status code 200.

For reference purposes, refer to IETF RFC 7231 Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content section 4.3.7 for the basic protocol expected of HTTP OPTIONS requests.

Refer to the W3C publication Cross-Origin Resource Sharing, dated January 16, 2014, for how the CORS protocol works.

Querying the server for resource capabilities