A CORS preflight request obviously uses the OPTIONS method and has an Origin header. However, a browser can decide for any HTTP request to add an Origin header. Also, O
Check for the existence of these essential information present in a preflight request:
OPTIONS
Origin
headerAccess-Control-Request-Method
header, indicating what's the actual method it's trying to use to consume your service/resourceConsiderations
In theory you you could be a so clever and manually set those headers and try to make some fake-Preflight request for some reason.
However, your browser would complain with the following sample message:
Refused to set unsafe header "Origin"
(tested as an XHR request on Chrome)
while other apps, such as Postman will set their own Origin
as, say Origin: chrome://extension...