It’s not there for business logic.
It’s there so clients, browsers, and proxies can ask:
“What are you willing to do here?”
When a valid OPTIONS request returns 400 Bad Request, the API isn’t being strict.
It’s being non-compliant.
This usually shows up as:
- broken CORS preflight requests
- clients guessing allowed methods
- inconsistent gateway or proxy behavior
Nothing is “hacked”.
Things just quietly stop working.
If your API speaks HTTP and calls itself REST-ish, OPTIONS handling is not optional.
You don’t need business logic — just correct capability responses:
200 OK or 204 No Content with an Allow header.
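One way to produce those capability responses, as an added example that is not part of the original post: a handler that derives `Allow` from a route table and answers CORS preflights only for allowlisted origins. `ROUTES`, `ALLOWED_ORIGINS`, the paths and the origin are hypothetical names constructed for the example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical route table and origin allowlist (constructed for this example).
ROUTES = {"/orders": {"GET", "POST"}, "/orders/42": {"GET", "DELETE"}}
ALLOWED_ORIGINS = {"https://app.example.test"}


def options_response(path, request_headers):
    """Return (status, headers) for an OPTIONS request; no business logic runs."""
    methods = ROUTES.get(path.split("?", 1)[0])  # ignore any query string
    if methods is None:
        return 404, {}
    allow = ", ".join(sorted(methods | {"OPTIONS"}))
    headers = {"Allow": allow}
    origin = request_headers.get("Origin")
    wanted = request_headers.get("Access-Control-Request-Method")
    # A CORS preflight is an OPTIONS request carrying both of these headers.
    if origin and wanted:
        headers["Vary"] = "Origin"
        # Only allowlisted origins get CORS headers; never reflect arbitrary ones.
        if origin in ALLOWED_ORIGINS and wanted in methods:
            headers["Access-Control-Allow-Origin"] = origin
            headers["Access-Control-Allow-Methods"] = allow
    return 204, headers


class Handler(BaseHTTPRequestHandler):
    def do_OPTIONS(self):
        # Answer from the route table instead of falling through to a 400.
        status, headers = options_response(self.path, self.headers)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Local demo: curl -i -X OPTIONS http://127.0.0.1:8080/orders
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

A preflight from an origin outside the allowlist still gets `204` and `Allow`, just without the `Access-Control-*` headers, so the browser blocks the cross-origin call while non-browser clients can still discover the methods.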
Full write-up here:
https://rentgen.io/api-stories/options-method-handling.html