Tags: authentication, http-options-method

Should OPTIONS requests to rest api be allowed if unauthenticated?


I enabled Spring Security on a Rest API and saw that OPTIONS requests are being rejected because they miss the Authorization header.

Should I require (is it possible?) that clients include that header even in OPTIONS (pre-flight) requests, or should I explicitly configure my application to allow unauthorized OPTIONS requests (even if the user is already logged in)?

It seems to me that there's some sort of convention (i.e. client libraries not including Authorization by default in such requests).


Solution

  • Yes, OPTIONS requests should be allowed without authentication.

    OPTIONS is the HTTP method used for CORS-preflight requests and the CORS specification confirms as follows:

    a CORS-preflight request never includes credentials.
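One way to apply this in Spring Security, as an added example that is not part of the original answer and not code from the Spring project itself: the configuration below enables Spring's CORS filter (which answers a valid preflight before authentication is attempted) and explicitly permits OPTIONS on every path while keeping every other request authenticated. The class name ApiSecurityConfig, the path pattern /api/** and the origin https://app.example.com are assumptions chosen for illustration.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Hypothetical configuration class; names and paths below are assumptions.
@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Registers Spring's CorsFilter early in the chain, so a well-formed
            // preflight receives its CORS response before any credential check.
            .cors(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth
                // Preflight requests never carry credentials (per the CORS spec),
                // so OPTIONS must be reachable without authentication.
                .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                // Everything else still requires a valid Authorization header.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        // Assumed front-end origin; list the real origin(s) explicitly rather than "*"
        // because the browser rejects a wildcard origin on credentialed requests.
        cfg.setAllowedOrigins(List.of("https://app.example.com"));
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // Authorization must be listed so the actual (non-preflight) request may carry it.
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        cfg.setAllowCredentials(true);
        // Lets the browser cache the preflight result (seconds) and skip repeat OPTIONS calls.
        cfg.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg); // assumed API path prefix
        return source;
    }
}
```

Permitting OPTIONS unauthenticated does not expose protected data: the preflight response only advertises which origins, methods and headers are allowed, and the browser still sends the credentialed GET/POST afterwards, which remains subject to `anyRequest().authenticated()`.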