Missing Access-Control-Max-Age Header in HTTP Responses Causes Performance Issues #2161
Description
Description:
Version Information:
- Version: 0.24.32
- Commit SHA: a57ad4a
- Build Date: 2025-09-09
Problem:
The current HTTP API responses include the following headers for Cross-Origin Resource Sharing (CORS):
access-control-allow-headers: *access-control-allow-methods: *access-control-allow-origin: *
However, the Access-Control-Max-Age header is missing. This header is crucial for performance as it tells browsers how long they can cache the results of a CORS preflight request.
Without this header, the browser is forced to send a preflight OPTIONS request before every actual HTTP request to check if the CORS protocol is understood and the request is safe to send. This results in unnecessary, repetitive preflight requests, which significantly degrades the performance of front-end applications.
Suggestion:
It is recommended to add the Access-Control-Max-Age header to the HTTP responses. A suggested value is 86400 seconds (24 hours), which is the maximum value supported by Firefox.
Example:
Access-Control-Max-Age: 86400
Adding this header will allow browsers to cache the preflight response, eliminating the need for repeated OPTIONS requests and improving the overall performance and responsiveness of the front-end.
