High number of requests turning into 4xx due to unsupported HTTP method OPTIONS

Question

Some of our APIs(REST) getting a high number of requests with HTTP method OPTIONS. While these APIs only supports GET method. Since OPTIONS is not supported, All these requests turn into 4xx.

Observations: These requests coming

• From different client IPs
• With blank referer
• With valid user-agent. I checked randomly, request are from mobile browsers.

What do I do with these requests? How do I ensure that these requests are valid? Should I enable OPTIONS along with GET?

Please note that some of the pages have an AMP version of it. Could this be related?

Answer 1

Just a guess:

Many frontends (frameworks like Angular) send so called "preflight requests".

A CORS preflight request is a CORS request that checks to see if the CORS protocol is understood.

It is an OPTIONS request, using three HTTP request headers: Access-Control-Request-Method, Access-Control-Request-Headers, and the Origin header.

A preflight request is automatically issued by a browser, when needed. In normal cases, front-end developers don't need to craft such requests themselves.

https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

So if it's legit for your API to have different frontends using it, I'd say you should accept these headers.