Killing CORS Preflight Requests on a React SPA
Damon Aw

Thanks for the detailed insight into this. OPTIONS requests do seem odd when you first see that they’re being sent out

Although it feels a bit hacky, the OAuth 2.0 specification outlines adding an access_token as a URI query parameter as a viable option (no pun intended): which is encouraging.

My feeling on this is that if you’re in total control of the server and the client and everything is behind HTTPS and you want some performance gains, then go for it with trying to nuke all preflight requests.