Http protocol: Under what circumstances does an options request occur?

background:

A new colleague asked me that there were many options requests in my project, and the background services were down, and I didn’t know how to deal with it;

[[343640]]

http protocol

In fact, the most commonly used HTTP methods are: GET, POST; they can be used as data exchange between the front-end and the back-end;

Under what circumstances do options appear

• Cross-domain calls, for example: when debugging, many situations are debugged in cross-domain mode;
• Custom Header
• The content-type parameter of the request header: formats other than application/x-www-form-urlencoded, multipart/form-data, and text/plain

When the above three situations occur, options requests will appear. To put it simply, it is for server security. For example, the same-origin policy triggers this rule;

Options are usually initiated automatically by the browser, and their purpose is to check whether the next method (GET, POST, PUT, delete) is supported by the server;

How to deal with the server

Check the following

A: Method

• Is the source allowed?
• Whether the custom header is included (this depends on your project)

If your project is considered safe, just return a 200 status code.

B: Method

• Is the source allowed?
• Whether the custom header is included (this depends on your project)
• Check if the content-type is what you expect

If your project is considered safe, just return a 200 status code.

If not allowed you can put back status code 400 or something;

Options requests affect service performance, how to optimize

Originally, one request was enough to complete the task, but the frequent addition of many options inevitably caused pressure on the service;

It is possible to cache options requests. For example, options requests will appear in the http://www.**.com/api/getUser interface. We cache options once when options are returned, and inform the front-end not to send options when requesting this interface in the future. When the server responds, the Access-Control-Max-Age time can be set, which is 10 minutes by default.

Further understanding of options

Functions of key fields related to options

• Access-Control-Request-Method: tells the server that the next request will use a method, such as POST
• Access-Control-Request-Headers: Tells the server which custom request header fields will be carried in the next request

MDN's description of OPTIONS

The HTTP OPTIONS method is used to obtain the communication options supported by the target resource. The client can use the OPTIONS method for a specific URL or for the entire site (by setting the URL to "*").