diff --git a/aspnetcore/security/cors.md b/aspnetcore/security/cors.md index 12662e2a3ee8..71d4f6de436b 100644 --- a/aspnetcore/security/cors.md +++ b/aspnetcore/security/cors.md @@ -5,7 +5,7 @@ author: tdykstra description: Learn how CORS as a standard for allowing or rejecting cross-origin requests in an ASP.NET Core app. ms.author: tdykstra ms.custom: mvc -ms.date: 11/10/2025 +ms.date: 05/12/2026 uid: security/cors --- # Enable Cross-Origin Requests (CORS) in ASP.NET Core @@ -247,7 +247,7 @@ CORS Middleware declines a preflight request with the following request header b Access-Control-Request-Headers: Cache-Control, Content-Language ``` -The app returns a *200 OK* response but doesn't send the CORS headers back. Therefore, the browser doesn't attempt the cross-origin request. +The app returns a `204 No Content` response but doesn't send the CORS headers back. Therefore, the browser doesn't attempt the cross-origin request. ### Set the exposed response headers @@ -364,7 +364,7 @@ The preflight request uses the [HTTP OPTIONS](https://developer.mozilla.org/docs * [Access-Control-Request-Method](https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Request-Method): The HTTP method that will be used for the actual request. * [Access-Control-Request-Headers](https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Allow-Headers): A list of request headers that the app sets on the actual request. As stated earlier, this doesn't include headers that the browser sets, such as `User-Agent`. -If the preflight request is denied, the app returns a `200 OK` response but doesn't set the CORS headers. Therefore, the browser doesn't attempt the cross-origin request. For an example of a denied preflight request, see the [Test CORS](#testc6) section of this document. +If the preflight request is denied, the app returns a `204 No Content` response but doesn't set the CORS headers. Therefore, the browser doesn't attempt the cross-origin request. For an example of a denied preflight request, see the [Test CORS](#testc6) section of this document. Using the F12 tools, the console app shows an error similar to one of the following, depending on the browser: