How can I identify a CORS preflight request?

A CORS preflight request obviously uses the OPTIONS method and has an Origin header. However, a browser can decide for any HTTP request to add an Origin header. Also, OPTIONS may be used for other functionality than CORS. (How) Can I identify exactly (without false positives or negatives) whether a request is a CORS preflight request?

Solution

Check for the Access-Control-Request-Method header. It would not make much sense to send it in a request other than the preflight request.

How does the 'Access-Control-Allow-Origin' header work?
How to enable CORS in ASP.net Core WebAPI
Why does my CORS configuration still block datatables from consuming an API?
Google Cloud: Access to image has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource
React/Axios API Get Request Issues (CORS & Internal Server Error 500)
CORS Error when using .page.js, but not .page.server.js to fetch external csv ressource with SvelteKit
Blazor HttpClient stuck in GetAsync
Angular 18 CORS issue with Springboot as backend
Do Electron apps enforce CORS restrictions in the renderer process?
CORS (cross origin resource sharing) using PHP
How to Solve CORS error in accessing laravel routes
How do I fix CORS issue in Fetch API
How to stop CORS from blocking connections to my node netlify server?
Enable access control on simple HTTP server
Security implications of adding all domains to CORS (Access-Control-Allow-Origin: *)
CORS error while consuming calling REST API with React
CORS issue with express.js
Adding headers to iis static files not working in asp.net CORE
Google Maps API: No 'Access-Control-Allow-Origin' header is present on the requested resource
Issue with CORS origin linked to API key
Google Cloud Storage request blocked by CORS: not allowed by Access-Control-Allow-Origin
canvas.toDataURL() SecurityError
How to fetch a resource from a github release?
Blazor WASM Local dev CORS errors fetching API endpoints
how to set up cors() in typescript express
R2: Setting CORS policy with different methods per allowed-origins
How to bypass CORS policy when sending get/post request from React JS?
Firebase-Storage Access to fetch at '..' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource
The 'Access-Control-Allow-Origin' header contains multiple values
CORS Issue - Between Dev and Prod