
How to skip the OPTIONS preflight request?


The preflight is being triggered by your Content-Type of application/json. The simplest way to prevent this is to set the Content-Type to be text/plain in your case. application/x-www-form-urlencoded & multipart/form-data Content-Types are also acceptable, but you'll of course need to format your request payload appropriately.

If you are still seeing a preflight after making this change, then Angular may be adding an X-header to the request as well.

Or you might have headers (Authorization, Cache-Control...) that will trigger it, see:


As Ray said, you can stop it by modifying the content-header like this:

    $http.defaults.headers.post["Content-Type"] = "text/plain";

For example:

    angular.module('myApp').factory('User', ['$resource', '$http',
        function ($resource, $http) {
            // Default Content-Type for every POST made through $http
            $http.defaults.headers.post["Content-Type"] = "text/plain";
            return $resource(API_ENGINE_URL + 'user/:userId', {}, {
                query: {method: 'GET', params: {userId: 'users'}, isArray: true},
                getLoggedIn: {method: 'GET'}
            });
        }]);

Or directly to a call:

    var req = {
        method: 'POST',
        url: 'http://example.com',
        headers: {
            'Content-Type': 'text/plain'
        },
        data: { test: 'test' }
    };
    $http(req).then(function () { /* ... */ }, function () { /* ... */ });

This will not send any pre-flight option request.

NOTE: The request should not have any custom header parameter. If the request header contains any custom header, then the browser will make a pre-flight request; you can't avoid it.


When performing certain types of cross-domain AJAX requests, modern browsers that support CORS will insert an extra "preflight" request to determine whether they have permission to perform the action. For example, the query:

    $http.get('https://example.com/api/v1/users/' + userId, {
        params: {
            apiKey: '34d1e55e4b02e56a67b0b66'
        }
    });

As a result of this fragment, we can see that two requests (OPTIONS and GET) were sent to the address. The response from the server includes headers confirming the permissibility of the GET query. If your server is not configured to process an OPTIONS request properly, client requests will fail. For example:

    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: accept, origin, x-requested-with, content-type
    Access-Control-Allow-Methods: DELETE
    Access-Control-Allow-Methods: OPTIONS
    Access-Control-Allow-Methods: PUT
    Access-Control-Allow-Methods: GET
    Access-Control-Allow-Methods: POST
    Access-Control-Allow-Orgin: *
    Access-Control-Max-Age: 172800
    Allow: PUT
    Allow: OPTIONS
    Allow: POST
    Allow: DELETE
    Allow: GET