CORS preflight: when the browser sends an OPTIONS request

GET and HEAD with safe headers, or POST with limited content types, may be treated as simple and skip the OPTIONS probe.

Adding custom headers like Authorization or Content-Type: application/json usually upgrades the request to preflighted.

The browser asks the server whether the origin, method, and headers are allowed before sending the real request.

Caching directives like Access-Control-Max-Age help browsers reuse preflight results and cut latency on subsequent calls.