A CORS preflight request obviously uses the OPTIONS method and has an Origin header. However, a browser can decide for any HTTP request to add an Origin header. Also, OPTIONS may be used for other functionality than CORS. (How) Can I identify exactly (without false positives or negatives) whether a request is a CORS preflight request?
Check for the Access-Control-Request-Method header. It would not make much sense to send it in a request other than the preflight request.
Check for the existence of these essential information present in a preflight request:
- The request's HTTP method is
OPTIONS - It has an
Originheader - It has an
Access-Control-Request-Methodheader, indicating what's the actual method it's trying to use to consume your service/resource
Considerations
In theory you you could be a so clever and manually set those headers and try to make some fake-Preflight request for some reason.
However, your browser would complain with the following sample message:
Refused to set unsafe header "Origin" (tested as an XHR request on Chrome)
while other apps, such as Postman will set their own Origin as, say Origin: chrome://extension...
来源:https://stackoverflow.com/questions/32331737/how-can-i-identify-a-cors-preflight-request