Maximum and default values of Access-Control-Max-Age

Question

I used Access-Control-Max-Age to cache options requests on a .net project. I used the code like this and want to cache it with it's largest value.

if (context.Request.HttpMethod == "OPTIONS")
{
    response.AddHeader("Access-Control-Allow-Methods", "GET, POST");
    response.AddHeader("Access-Control-Allow-Headers", "authorization, content-type");
    response.AddHeader("Access-Control-Allow-Credentials", "true");
    response.AddHeader("Access-Control-Max-Age", "86400");
    response.End();
}

I have few questions according to Access-Control-Max-Age.

1. What's the largest Access-Control-Max-Age value you can be used?
2. Is maximum Access-Control-Max-Age change according to the browser?
3. What is the default value of Access-Control-Max-Age?

Answer 1

I am having the exact same question as you and found your post by google. Thus I am new on this too. I found this two links

• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age

It has the following words

Note that each browser has a maximum internal value that takes precedence when the Access-Control-Max-Age is greater.

From the link, it says Firefox allows max 24 hours and Chrome allows max 10 minutes. I don't know if they are correct or not. Just FYI.