Should I use Access-Control-Max-Age header if I deny the Origin in CORS
Answers to "How should server respond to CORS requests with Origins it wishes to deny?" and "Trying to understand how to respond to CORS OPTIONS request with 403 and when" state that the server should not send the Access-Control-Allow-Origin header for a response that denies access to the Origin, and is free to choose the status code in that case. However, I am wondering whether I may use the Access-Control-Max-Age header, which specifies the TTL of the cache entry for my server’s CORS response, and whether the browser caches such a response without the Access-Control-Allow-Origin header or not?
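
An added example, not part of the original question: a preflight decision function that follows the linked answers by omitting Access-Control-Allow-Origin on a denial, and also omits Access-Control-Max-Age there, because under the Fetch standard a browser only writes a preflight-cache entry after the CORS check on the response has succeeded. The allow-list, the 403 status, the 600-second TTL and the names `POLICY` and `preflightResponse` are assumptions made for illustration.

```javascript
// Added example: hypothetical policy and function names, not from the post.
const POLICY = {
  origins: new Set(["https://app.example.com"]), // constructed sample origin
  methods: ["GET", "POST", "DELETE"],
  headers: ["content-type", "authorization"],
  maxAgeSeconds: 600, // assumed TTL for successful preflights
};

// Decide the response to a CORS preflight (OPTIONS) request.
// reqHeaders: object keyed by lower-cased header names (the shape Node's
// http module exposes as req.headers).
function preflightResponse(reqHeaders, policy = POLICY) {
  // Vary: Origin on both branches, so a shared HTTP cache never replays
  // one origin's answer to a different origin.
  const headers = { Vary: "Origin" };
  const origin = reqHeaders["origin"];
  const method = reqHeaders["access-control-request-method"];
  const wanted = (reqHeaders["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);

  const allowed =
    typeof origin === "string" &&
    policy.origins.has(origin) && // exact match, no prefix or regex tricks
    policy.methods.includes(method) &&
    wanted.every((h) => policy.headers.includes(h));

  if (!allowed) {
    // Denial: send no Access-Control-* headers at all, Max-Age included.
    // The browser fails the CORS check and stores nothing in its
    // preflight cache, so a TTL here would have nothing to act on.
    return { status: 403, headers };
  }

  headers["Access-Control-Allow-Origin"] = origin; // echo the matched origin
  headers["Access-Control-Allow-Methods"] = policy.methods.join(", ");
  headers["Access-Control-Allow-Headers"] = policy.headers.join(", ");
  headers["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  return { status: 204, headers };
}
```
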