
Some of our (REST) APIs are getting a high number of requests with the HTTP method OPTIONS, while these APIs only support the GET method. Since OPTIONS is not supported, all these requests turn into 4xx.

Observations: These requests are coming

  • From different client IPs
  • With blank referer
  • With valid user-agent. I checked randomly; the requests are from mobile browsers.

What do I do with these requests? How do I ensure that these requests are valid? Should I enable OPTIONS along with GET?

Please note that some of the pages have an AMP version of it. Could this be related?

Vadim Kotov
ssharma

1 Answer


Just a guess:

Many frontends (frameworks like Angular) send so-called "preflight requests".

A CORS preflight request is a CORS request that checks to see if the CORS protocol is understood.

It is an OPTIONS request, using three HTTP request headers: Access-Control-Request-Method, Access-Control-Request-Headers, and the Origin header.

A preflight request is automatically issued by a browser, when needed. In normal cases, front-end developers don't need to craft such requests themselves.

https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

So if it's legit for your API to have different frontends using it, I'd say you should accept these headers.

maio290
  • In our case, I don't think there is a need for a preflight request, as there is no chance of a cross-domain request. The only possible case could be AMP – ssharma Sep 17 '18 at 12:24
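
One way to tell the preflight requests described in the answer apart from other OPTIONS traffic, and to answer them for a GET-only API, is sketched below. This is an added example, not code from the question or the answer; the origin allowlist, the allowed header list and the sample requests are constructed assumptions.

```python
ALLOWED_ORIGINS = {"https://www.example.com"}  # assumption: your trusted front ends
ALLOWED_METHODS = {"GET"}                       # the API in the question is GET-only
ALLOWED_HEADERS = {"authorization"}             # assumption: extra headers clients may send


def _lower(headers):
    """Header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def classify_options(headers):
    """Label an OPTIONS request by the headers a browser preflight carries."""
    h = _lower(headers)
    if "origin" in h and "access-control-request-method" in h:
        # Access-Control-Request-Headers is optional: browsers add it only when
        # the real request would carry non-safelisted headers.
        return "cors-preflight"
    if "origin" in h:
        return "cross-origin-options"  # has Origin but is not a preflight
    return "plain-options"             # no CORS headers at all


def answer_options(headers):
    """Return (status, response_headers) for one OPTIONS request."""
    h = _lower(headers)
    if classify_options(headers) != "cors-preflight":
        return 405, {"Allow": "GET"}
    wanted = {x.strip().lower() for x in
              h.get("access-control-request-headers", "").split(",") if x.strip()}
    if (h["origin"] not in ALLOWED_ORIGINS
            or h["access-control-request-method"] not in ALLOWED_METHODS
            or not wanted <= ALLOWED_HEADERS):
        return 403, {}  # no Access-Control-Allow-* headers, so the browser blocks the call
    resp = {"Access-Control-Allow-Origin": h["origin"],  # echo the vetted origin
            "Access-Control-Allow-Methods": "GET",
            "Access-Control-Max-Age": "600",             # let browsers cache the answer
            "Vary": "Origin"}                            # keep caches from mixing origins
    if wanted:
        resp["Access-Control-Allow-Headers"] = ", ".join(sorted(wanted))
    return 204, resp


SAMPLE = [  # constructed requests, not taken from the question's logs
    {"Origin": "https://www.example.com", "Access-Control-Request-Method": "GET",
     "Access-Control-Request-Headers": "Authorization"},
    {"Origin": "https://other.example", "Access-Control-Request-Method": "GET"},
    {"User-Agent": "Mozilla/5.0 (Linux; Android 9)"},
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(classify_options(req), answer_options(req)[0])
```

Running `classify_options` over the logged OPTIONS requests shows how many carry `Origin` and `Access-Control-Request-Method`, and which origins they name, before any decision to enable OPTIONS is made.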