Does setting the Authorization header for a POST cross-domain request always require a preflight?

I was surprised recently to learn that when I set the Authorization header, my POST requests are getting preflighted. I had always assumed that the Authorization header would be exempted because of its ubiquity.

Is it true that the Authorization header is not special with respect to CORS, and therefore whenever you set the Authorization header, the browser must preflight?



Solution 1:

Yes, it’s true that whenever you add the Authorization header to a request, it triggers a preflight in browsers. That’s because Authorization isn’t defined as a CORS safelisted request-header.

The list of CORS safelisted request-headers is quite short; it’s just Accept, Accept-Language, Content-Language, Content-Type, DPR, Downlink, Save-Data, Viewport-Width, Width.

Any header added to a request that’s not in that list will trigger browsers to do a preflight.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests.
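To make the rule in this answer concrete, here is an added example (not code from the question or the answer) that applies the browser's preflight decision to a request description and shows what a server has to return to the resulting OPTIONS request. The header safelist is the one quoted above; the Content-Type media-type rule and the simple-method rule are taken from the Fetch standard and go slightly beyond the page. The function names, the origin allow-list and the sample token are assumptions made for the example.

```javascript
// Added example: decide whether a browser must send a CORS preflight
// (OPTIONS) before a cross-origin request. The header safelist is the one
// quoted in the answer; the Content-Type value rule and the simple-method
// rule come from the Fetch standard. Function names are illustrative.

const SAFELISTED_REQUEST_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
  'dpr', 'downlink', 'save-data', 'viewport-width', 'width',
]);

// Only these media types keep Content-Type safelisted (Fetch standard);
// a JSON body forces a preflight even when no Authorization header is set.
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Returns every reason a preflight is required; an empty list means none.
function preflightReasons(method, headers) {
  const reasons = [];
  if (!SIMPLE_METHODS.has(method.toUpperCase())) {
    reasons.push(`method ${method} is not GET/HEAD/POST`);
  }
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_REQUEST_HEADERS.has(lower)) {
      reasons.push(`header ${name} is not CORS-safelisted`);
      continue;
    }
    if (lower === 'content-type') {
      const mediaType = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) {
        reasons.push(`Content-Type ${mediaType} is not a safelisted media type`);
      }
    }
  }
  return reasons;
}

function needsPreflight(method, headers) {
  return preflightReasons(method, headers).length > 0;
}

// Builds the server's answer to the OPTIONS preflight so the real request
// (carrying Authorization) is allowed. `allowedOrigins` is an explicit
// allow-list: reflecting an arbitrary Origin together with
// Access-Control-Allow-Credentials is the misconfiguration to avoid.
// reqHeaders keys are expected lower-cased, as Node's http module delivers them.
function preflightResponse(reqHeaders, allowedOrigins) {
  const origin = reqHeaders['origin'];
  if (!allowedOrigins.includes(origin)) {
    return { status: 403, headers: {} };
  }
  const requested = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  // Grant only headers the server actually accepts, never a blanket "*"
  // (a literal "*" is not honoured for credentialed requests anyway).
  const accepted = ['authorization', 'content-type'];
  const allowHeaders = requested.filter((h) => accepted.includes(h));
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Vary': 'Origin',
      'Access-Control-Allow-Methods': 'GET, POST',
      'Access-Control-Allow-Headers': allowHeaders.join(', '),
      'Access-Control-Allow-Credentials': 'true',
      'Access-Control-Max-Age': '600', // browsers may cache this verdict for 10 minutes
    },
  };
}

// Usage: the scenario from the question. Token value is a placeholder.
const withAuth = { 'Content-Type': 'text/plain', Authorization: 'Bearer <token>' };
console.log(needsPreflight('POST', withAuth));                           // true
console.log(needsPreflight('POST', { 'Content-Type': 'text/plain' }));   // false
```

Run under Node; the two console lines reproduce the asker's observation: the same POST is "simple" until Authorization is added, at which point the browser must first send OPTIONS and the server must answer it with the headers shown in `preflightResponse`, or the real request never leaves the browser.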

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
