Understanding Simple and Preflight Requests in CORS
The article explains why CORS distinguishes between simple requests—limited to GET, HEAD, POST with specific headers and content types—and preflighted requests, describing the server‑side rationale, the mechanics of preflight, and why avoiding preflight for simple requests simplifies cross‑origin interactions.
CORS (Cross‑Origin Resource Sharing) is a browser mechanism that controls how resources from different origins can be accessed. Simple requests are those that can be made by a plain HTML form without scripts, limited to the HTTP methods GET, HEAD, or POST, specific safe headers (Accept, Accept‑Language, Content‑Language, Content‑Type), and content types of text/plain, multipart/form-data, or application/x‑www‑form‑urlencoded.
Non‑simple requests include methods like PUT, custom headers, or other content encodings that a standard form cannot produce, requiring the browser to perform a preflight request.
From the server’s perspective, many servers were never intended to serve cross‑origin requests, so the safe default is to deny them. If a server sends no CORS response headers, the browser will not expose the response to the calling script, but a request that already reached the server may still have caused side effects (for example, a state‑changing PUT); a default deny policy, enforced before the actual request is sent, is therefore the safer choice.
Preflight requests allow the browser to ask the server once (via an OPTIONS request) whether a particular cross‑origin request is permitted, so that subsequent actual requests do not have to repeat the check. This mechanism applies only to non‑simple requests; simple requests are not preflighted because browsers must keep allowing traditional form submissions, which have always been sent without any such check.
Issuing a preflight for a simple request adds unnecessary overhead without providing additional security benefits, and it complicates server implementation. Therefore, simple requests are intentionally exempt from preflight to keep cross‑origin interactions lightweight and compatible with existing server behavior.
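As an added example (not code from the original article), the following JavaScript applies the classification rules above to decide whether a request is simple or needs a preflight, and shows a server-side preflight handler that treats anything outside an explicit allow-list as denied. The origin, methods and headers in `POLICY` are constructed sample values.

```javascript
// Added example: classify a cross-origin request as "simple" or "preflighted"
// using the rules the text lists, and answer the OPTIONS preflight with a
// default-deny allow-list. POLICY values are constructed for illustration.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "text/plain", "multipart/form-data", "application/x-www-form-urlencoded",
]);

// Returns true when the browser would send the request without a preflight.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) return false; // e.g. Authorization, X-Requested-With
    if (lower === "content-type") {
      // Parameters such as "; charset=utf-8" do not change the media type.
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) return false;
    }
  }
  return true;
}

// Server side: explicit allow-list. Anything not listed gets no CORS headers,
// so the browser never sends the actual (possibly side-effecting) request.
const POLICY = {
  origins: new Set(["https://app.example"]),
  methods: new Set(["GET", "POST", "PUT"]),
  headers: new Set(["content-type", "authorization"]),
  maxAgeSeconds: 600, // how long the browser may cache this preflight answer
};

function handlePreflight(origin, requestedMethod, requestedHeaders, policy = POLICY) {
  const wanted = requestedHeaders.split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
  const allowed = policy.origins.has(origin)
    && policy.methods.has(requestedMethod.toUpperCase())
    && wanted.every(h => policy.headers.has(h));
  if (!allowed) return { status: 403, headers: {} }; // default deny
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // echo only an allow-listed origin
      "Access-Control-Allow-Methods": requestedMethod.toUpperCase(),
      "Access-Control-Allow-Headers": wanted.join(", "),
      "Access-Control-Max-Age": String(policy.maxAgeSeconds),
      "Vary": "Origin", // keep caches from serving one origin's answer to another
    },
  };
}
```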
360 Tech Engineering