From 1262ffa989a62298497637d36bffd36c8e6a97f8 Mon Sep 17 00:00:00 2001 From: Anthony Accioly <1591739+aaccioly@users.noreply.github.com> Date: Tue, 5 Nov 2024 22:14:38 +0000 Subject: [PATCH] Expand BUD-01 CORS headers documentation --- buds/01.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/buds/01.md b/buds/01.md index 146717f..3595623 100644 --- a/buds/01.md +++ b/buds/01.md @@ -8,7 +8,13 @@ _All pubkeys MUST be in hex format_ ## Cross origin headers -Servers MUST set the `Access-Control-Allow-Origin: *`, `Access-Control-Allow-Headers: Authorization,*` and `Access-Control-Allow-Methods: GET, PUT, DELETE` headers on all endpoints to ensure compatibility with apps hosted on other domains +Servers MUST set the `Access-Control-Allow-Origin: *` header on all responses to ensure compatibility with applications hosted on other domains. + +For [preflight](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests) (`OPTIONS`) requests, +servers MUST also set, at minimum, the `Access-Control-Allow-Headers: Authorization, *` and `Access-Control-Allow-Methods: GET, PUT, +DELETE` headers. + +The header `Access-Control-Max-Age: 86400` MAY be set to cache the results of a preflight request for 24 hours. ## Authorization events
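Review bot: In the added preflight paragraph, the inline code span for `Access-Control-Allow-Methods: GET, PUT, DELETE` is wrapped across two source lines (the break falls between `PUT,` and `DELETE`), so the header value can no longer be found by searching the file and is easy to misread in the raw Markdown. Keep each header value on one line, for example by breaking before "and" instead. The same paragraph says servers MUST set these values "at minimum" but does not say why `Authorization` is listed alongside `*`. A short clause would help implementers who might otherwise drop it as redundant: the Fetch specification does not let the wildcard cover `Authorization`, so it has to be named explicitly. Finally, the old sentence required all three headers "on all endpoints", while the new text limits `Access-Control-Allow-Headers` and `Access-Control-Allow-Methods` to `OPTIONS` responses. It is worth stating that servers which keep sending them on every response remain compliant, so existing implementations are not read as non-conforming.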