Simple GET
Usually no preflight for basic GET without custom headers.
Preflight (OPTIONS)
Methods other than GET/HEAD/POST, custom headers (Authorization, X-*), Content-Type other than application/x-www-form-urlencoded, multipart/form-data, text/plain.
Credentials
fetch(..., { credentials: 'include' }) requires Access-Control-Allow-Credentials and a specific origin (not *).
Fix on server
Access-Control-Allow-Origin, Allow-Methods, Allow-Headers, Max-Age on OPTIONS response.