Missing `Access-Control-Max-Age` Header in HTTP Responses Causes Performance Issues
Opened this issue · 1 comments
Description:
Version Information:
- Version: 0.24.32
- Commit SHA: a57ad4a
- Build Date: 2025-09-09
Problem:
The current HTTP API responses include the following headers for Cross-Origin Resource Sharing (CORS):
access-control-allow-headers: *access-control-allow-methods: *access-control-allow-origin: *
However, the Access-Control-Max-Age header is missing. This header is crucial for performance as it tells browsers how long they can cache the results of a CORS preflight request.
Without this header, the browser is forced to send a preflight OPTIONS request before every actual HTTP request to check if the CORS protocol is understood and the request is safe to send. This results in unnecessary, repetitive preflight requests, which significantly degrades the performance of front-end applications.
Suggestion:
It is recommended to add the Access-Control-Max-Age header to the HTTP responses. A suggested value is 86400 seconds (24 hours), which is the maximum value supported by Firefox.
Example:
Access-Control-Max-Age: 86400
Adding this header will allow browsers to cache the preflight response, eliminating the need for repeated OPTIONS requests and improving the overall performance and responsiveness of the front-end.
Now the issue where preflight requests are not being cached can only be resolved with the following Nginx configuration:
server {
server_name your.domain.com;
location / {
# Intercept OPTIONS preflight requests
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' '*';
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type';
add_header 'Access-Control-Max-Age' '86400';
# Return 204 No Content and stop processing the request further
return 204;
}
# pass to the backend application
proxy_pass http://127.0.0.1:8080;
# ......
}
# ... other server configurations ...
}