options method
Written by
Updated at September 2, 2025
Checks whether a CORS request to an object can be made.
For more information on getting started with the API and the general request format, see How to use the S3 API.
Request
OPTIONS /{bucket}/{key} HTTP/2
Path parameters
| Parameter | Description |
|---|---|
bucket |
Bucket name. |
key |
Object key. which is the ID the object is saved with in Object Storage. |
Headers
| Header | Description |
|---|---|
Origin |
Request source domain. For example, http://www.example.com.Required. |
Access-Control-Request-Method |
HTTP method to use when sending a request to a resource. Required. |
Access-Control-Request-Headers |
List of headers to send in a subsequent request to the object. Headers are separated by commas. Optional. |
Make sure to also use the required common headers.
Response
Headers
In addition to common headers, responses may contain:
| Header | Description |
|---|---|
Access-Control-Allow-Origin |
Domain provided in the Origin request header.If the CORS configuration has the AllowedOrigin element set to *, the Access-Control-Allow-Origin header value will also be *.If access from the domain is denied, Object Storage will return error 403 and there will be no Access-Control-* headers. |
Access-Control-Max-Age |
Allowed response caching time, in seconds. |
Access-Control-Allow-Methods |
Allowed request methods. If there are no allowed methods, Object Storage will return error 403 and there will be no Access-Control-* headers present. |
Access-Control-Allow-Headers |
List of HTTP headers that can be used in a subsequent request to the object. If there are no headers allowed, this header is not included in a response. |
Access-Control-Expose-Headers |
List of HTTP headers the JavaScript client will receive. |
Response codes
The method returns the following:
- 200: If requests to the object are allowed.
- 403: If requests to the object are not allowed.
For a detailed description of response codes, see Responses.