Measured in your browserWe advise on speed. We practice it.Loaded just now · real numbers from this visit, not a lab score.
Page loaded
First byte
DOM ready
First paint
Largest paint
DNS lookup
TLS handshake
Transferred
Saved by compression
Requests

Cross-origin requests carry a hidden toll: the preflight, an OPTIONS round trip the browser insists on before any non-simple request. On chatty APIs the tax is a full RTT per endpoint per cache window per user, and most estates pay far more of it than the spec requires.

When preflights fire, exactly

Simple requests (GET/HEAD/POST with a short list of content types and headers) skip preflight; everything else, custom headers like Authorization on some patterns, JSON content types on POST in certain shapes, any PUT/DELETE, triggers OPTIONS first. The browser asks permission, the server answers with allowed origins, methods, headers, and only then does the real request fly. On a distant API without mitigation, every user pays intercontinental latency twice for their first mutating call.

The caching levers

Access-Control-Max-Age lets browsers cache the preflight verdict per URL-and-origin; set it high (browsers cap it internally, but hours beat the anemic defaults) and the tax amortizes per session. At the edge, answer OPTIONS directly from CDN config or an edge function, static policy, zero origin involvement, so even uncached preflights cost one short hop instead of an origin round trip. Together: first preflight is edge-fast, repeats are free.

The deeper pattern, once again, is authorization semantics moving to the data plane: CORS policy is a static contract, and static contracts belong at the layer that can answer them fastest, the same argument our token-auth article makes for content authorization and our composition article makes for assembly. A useful discipline generalizes from it: for every origin round trip in your architecture, ask what information the origin adds to this answer, and every response of nothing is a migration candidate for edge config or edge compute. Estates that run that audit annually keep shedding round trips; the preflight is merely the most commonly harvested one.

The misconfiguration patterns

Wildcard origins with credentials (spec-forbidden, silently breaks), reflecting arbitrary Origin headers without an allowlist (works, and is a security smell), Vary: Origin missing so caches serve one origin’s CORS headers to another (intermittent, maddening), and per-request dynamic CORS logic at origin that defeats every caching layer above. Also the architectural dodge worth remembering: same-origin via path routing at the edge (api.example.com becomes example.com/api) removes CORS from the hot path entirely where product constraints allow.

In practice

Inventory preflight volume (filter OPTIONS in logs, you may be surprised), set Max-Age deliberately, move policy to the edge with a strict allowlist, add Vary: Origin wherever responses depend on it, and re-measure. For most API estates this is an afternoon of config that removes a full round trip from every user’s first meaningful interaction, which is LCP-class money on interactive products.

API-delivery reviews here start with the OPTIONS histogram. It is the cheapest latency most clients are still paying for.

Get the free assessmentMore analysis