Is there a way to fine tune the permissions for OPTIONS requests? I found out through my frontend javascript dev that the js programmer has 0 control over which headers are sent with the preflight OPTIONS request.

The only solution I could think of was to set 'DEFAULT_PERMISSION_CLASSES' in settings.py to AllowAny.

Is there any security risk on a non-authenticated OPTIONS on a resource? The purpose is to see if a given operation is allowed, so it seems like that might not be an entirely correct thing to do, since it should tell the client that a certain type auth is required, for example Bearer or Digest etc. So am I correct that the pre-flight request should prob. return a response with a header like: WWW-Authenticate:Bearer realm="api"?

Here is the relevant part of the spec.
http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0

It looks like the browser will strip any headers from a pre-flight request even if you were able to set them. Am I reading that correctly?

Another interesting read from a twitter developer: https://code.google.com/p/twitter-api/issues/detail?id=2273

It looks like the proper way of handling CORS options requests is not to do any authentication. The author describes it as a catch-22.