These may be CORS requests. See this MDN page for an explanation of how CORS works.
In principle, before making the actual request, the client will make an OPTIONS request for a request for permission to the actual request. This is called a preflight request.
One thing: CORS does not require the client to make an OPTIONS request before an HTTP GET. Thus, the client may be wrong.
You can check if the CORS OPTIONS are called by examining their headers - if they have the headers Access-Control-Request-Method and Access-Control-Request-Headers , this is a preflight check request, and this is CORS.
Why do you need a preliminary request?
CORS is used by browsers. By default, most modern browsers did not allow JS web code to make an AJAX request to a different server than on this page. This is a safety measure.
CORS is a way for the browser (not the page itself!) To ask the server whether it is safe to make the actual request.
For methods that can modify the resource on the server — for example, most POST methods and all PUT methods — the browser should first ask if these changes are normal. A server supporting CORS will include custom headers in response to the preview.
No request before the flight: for example, the browser makes a request to a server that does not support CORS. In this case, making a request is likely to change the resource. And we do not want this!
For GET requests that should not change the state of a resource, a preliminary validation request is not required.