When a client app initiates a cross-origin request, browsers make a preflight request before executing the actual request.
A preflight request is a CORS mechanism the browser uses to check whether the destination resource is willing to accept the real request. It works by sending a request with the HTTP OPTIONS method, carrying the Access-Control-Request-Method and Access-Control-Request-Headers headers, to tell the server what kind of request it wants to send. The response determines whether the actual request is allowed to be sent.
OPTIONS calls are additional calls and add to the time taken for a response. One OPTIONS call before every POST request can start contributing significantly to the latency of the application.
Example: Assume that example.com makes an authenticated POST request to a server api.service.com. The browser makes an additional OPTIONS request to api.service.com before making the actual request.
The POST request will be processed only if the response to the OPTIONS call has the headers:
access-control-allow-methods:POST
access-control-allow-origin:example.com
If these headers are not present, the POST call is aborted.
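The exchange described above, modelled from both sides as an added example (not code from the original article). It goes slightly further than the text by also checking Access-Control-Allow-Headers and the credentials flag that an authenticated request depends on. The function names, the `POLICY` allow-list and the `https://` scheme on the origin are assumptions.

```javascript
// Added example, not the article's code. POLICY is an assumed allow-list for
// the article's scenario: a page on example.com calling api.service.com.
const POLICY = {
  origins: ["https://example.com"],
  methods: ["POST"],
  headers: ["authorization", "content-type"],
};
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"]; // browsers accept these unlisted

// Split a comma-separated header value; header names compare case-insensitively.
const split = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);
const lower = (v) => split(v).map((s) => s.toLowerCase());

// Server side: answer the OPTIONS call. CORS headers go out only for an
// allow-listed origin, and the origin is echoed rather than "*", because
// browsers reject "*" for requests that carry credentials.
function answerPreflight(req, policy = POLICY) {
  const ok = policy.origins.includes(req.origin) &&
    policy.methods.includes(req["access-control-request-method"]) &&
    lower(req["access-control-request-headers"]).every((h) => policy.headers.includes(h));
  if (!ok) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": req.origin,
      "access-control-allow-methods": policy.methods.join(", "),
      "access-control-allow-headers": policy.headers.join(", "),
      "access-control-allow-credentials": "true",
      vary: "Origin", // keep caches from reusing one origin's answer for another
    },
  };
}

// Browser side, simplified from the Fetch standard for a credentialed request:
// returns true when the real request may be sent after this preflight response.
function browserAllows(req, res) {
  const h = res.headers;
  const method = req["access-control-request-method"];
  const allowedHeaders = lower(h["access-control-allow-headers"]);
  return res.status >= 200 && res.status <= 299 &&
    h["access-control-allow-origin"] === req.origin &&
    h["access-control-allow-credentials"] === "true" &&
    (SAFELISTED_METHODS.includes(method) ||
      split(h["access-control-allow-methods"]).includes(method)) &&
    lower(req["access-control-request-headers"]).every((x) => allowedHeaders.includes(x));
}
```

Each argument is a plain object with lower-cased header names as keys, for example `{ origin: "https://example.com", "access-control-request-method": "POST", "access-control-request-headers": "authorization, content-type" }`.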
Preflight requests make CORS (Cross-Origin Resource Sharing) secure, but at the same time they introduce noticeable latency to every REST API call.
This article explains how to avoid OPTIONS calls when you are using AWS CloudFront as your CDN and AWS API Gateway to manage your APIs.
Prerequisites
- AWS account.
- Web application hosted in AWS CloudFront.
- APIs managed by AWS API Gateway.