How can I identify a CORS preflight request?

Question

A CORS preflight request obviously uses the OPTIONS method and has an Origin header. However, a browser can decide for any HTTP request to add an Origin header. Also, O

Answer 1

Check for the existence of these essential information present in a preflight request:

1. The request's HTTP method is OPTIONS
2. It has an Origin header
3. It has an Access-Control-Request-Method header, indicating what's the actual method it's trying to use to consume your service/resource

Considerations

In theory you you could be a so clever and manually set those headers and try to make some fake-Preflight request for some reason.

However, your browser would complain with the following sample message: Refused to set unsafe header "Origin" (tested as an XHR request on Chrome) while other apps, such as Postman will set their own Origin as, say Origin: chrome://extension...

Answer 2

Check for the Access-Control-Request-Method header. It would not make much sense to send it in a request other than the preflight request.