Some of our APIs(REST) getting a high number of requests with HTTP method OPTIONS. While these APIs only supports GET method. Since OPTIONS is not supported, All these requests turn into 4xx.
Observations: These requests coming
- From different client IPs
- With blank referer
- With valid user-agent. I checked randomly, request are from mobile browsers.
What do I do with these requests? How do I ensure that these requests are valid? Should I enable OPTIONS along with GET?
Please note that some of the pages have an AMP version of it. Could this be related?
Just a guess:
Many frontends (frameworks like Angular) send so called "preflight requests".
https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
So if it's legit for your API to have different frontends using it, I'd say you should accept these headers.