# Method name: options(request: WixHttpFunctionRequest)

# Method package: wixHttpFunctions

# Method menu location: wixHttpFunctions --> options

# Method Link: https://dev.wix.com/docs/velo/velo-only-apis/wix-http-functions/options.md

# Method Description:

A function that responds to requests made with the HTTP OPTIONS method.

The HTTP OPTIONS method is usually called by consumers [attempting to identify the allowed request methods](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#Identifying_allowed_request_methods) or as part of a [CORS preflight request](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS#Preflighted_requests_in_CORS). If defined in this way, the function should respond with a 204 (No Content) status code and header data that indicates which methods are allowed and from which origins.

The value for the `"Access-Control-Allow-Origin"` response header determines whether the response can be shared with a given requesting origin. Its value can be one of `"*"`, a single specific origin URL, or `null` as described [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin). Due to security concerns, it is recommended that you use a single specific origin URL whenever possible. If you need to allow more than one origin URL, you should validate that the requesting origin is allowed access and then echo it back in the response header.

Respond to the request by returning a [`WixHttpFunctionResponse`](wix-http-functions.WixHttpFunctionResponse.html) object you create using the [`response()`](wix-http-functions.html#response) function.

The `options()` function is not a function that you call from your code. You define the function in a file named **http-functions.js** in your site's Backend section. The function is called when your users make HTTP requests using the associated URLs as described below.

All OPTIONS requests with the following URL will be routed to this function:

Premium sites:

```
https://www.{user_domain}/_functions/
```

Free sites:

```
https://{user_name}.wixsite.com/{site_name}/_functions/
```

> **Note:** You must publish your site at least once before using both the testing and production endpoints. When you make changes to production endpoints you must publish your site for them to take effect. Testing endpoints will use the latest code in the editor.

# Method Code Examples:

Note: do not assume any prop names or enum values other than the ones in the example.

## Create an OPTIONS HTTP function

```javascript
// In http-functions.js

import {response} from 'wix-http-functions';

// URL looks like:
// https://www.mysite.com/_functions/myFunction/
// or:
// https://user.wixsite.com/mysite/_functions/myFunction/
export function options_myFunction(request) {
  let headers = {
    "Access-Control-Allow-Origin": "https://www.example.com",
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
    "Access-Control-Max-Age": "86400"
  };
  return response({"status": 204, "headers": headers});
}
```

## Create an OPTIONS HTTP function that validates the origin

```javascript
// In http-functions.js

import {response} from 'wix-http-functions';

// URL looks like:
// https://www.mysite.com/_functions/myFunction/
// or:
// https://user.wixsite.com/mysite/_functions/myFunction/
export function options_myFunction(request) {
  let headers = {
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
    "Access-Control-Max-Age": "86400"
  };

  // send allowed origin header only if origin
  // is validated by some validation function
  if (validate(request.headers.origin)) {
    headers["Access-Control-Allow-Origin"] = request.headers.origin;
  }
  return response({"status": 204, "headers": headers});
}
```

---
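
One way to write the `validate()` check that the second example leaves undefined, as an added example that is not part of the Wix documentation: an exact-match allow-list. The listed origins, the `buildPreflightHeaders` helper name and the `Vary: Origin` header are assumptions added here, and the sample origins are constructed.

```javascript
// Added example (not from the Wix docs). Allow-list entries are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://www.example.com",
  "https://app.example.com"
]);

// Exact string match only: no substring, prefix, suffix or regex tests,
// so look-alike hosts and scheme changes do not pass.
function validate(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Builds the preflight headers for a request object shaped like
// WixHttpFunctionRequest (only request.headers.origin is read).
function buildPreflightHeaders(request) {
  const origin = request && request.headers ? request.headers.origin : undefined;
  const headers = {
    "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
    "Access-Control-Max-Age": "86400",
    // The response differs per requesting origin, so caches must key on it.
    "Vary": "Origin"
  };
  // The origin is echoed back only after it has matched the allow-list.
  if (validate(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Constructed sample origins run through the check.
const samples = [
  "https://www.example.com",             // listed
  "https://www.example.com.example.net", // listed origin used as a prefix
  "http://www.example.com",              // scheme differs
  "null",                                // opaque origin
  undefined                              // Origin header absent
];
for (const origin of samples) {
  const h = buildPreflightHeaders({ headers: { origin } });
  console.log(String(origin), "->", h["Access-Control-Allow-Origin"] || "(header omitted)");
}
```

In http-functions.js, `options_myFunction` would pass the result of `buildPreflightHeaders(request)` as `headers` to `response()` with status 204.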