Provide a configuration option to control automatic option responses

By default Flask will provide responses to OPTIONS requests that are
automatically generated. These responses list the valid methods in the
response headers. Whilst this is useful, it can be frowned on by
auditors hence an ability to disable it wholesale is useful.

CHANGES.rst

@@ -1,7 +1,8 @@
 Version 3.1.0
 -------------
 
-Unreleased
+- Provide a configuration option to control automatic option
+ responses. :pr:`5496`
 
 
 Version 3.0.3

docs/config.rst

@@ -280,6 +280,12 @@ The following configuration values are used internally by Flask:
  ``4093``. Larger cookies may be silently ignored by browsers. Set to
  ``0`` to disable the warning.
 
+.. py:data:: PROVIDE_AUTOMATIC_OPTIONS
+
+ Set to ``False`` to disable the automatic addition of OPTIONS
+ responses. This can be overridden per route by altering the
+ ``provide_automatic_options`` attribute.
+
 .. versionadded:: 0.4
  ``LOGGER_NAME``
 
@@ -331,6 +337,10 @@ The following configuration values are used internally by Flask:
 .. versionchanged:: 2.3
  ``ENV`` was removed.
 
+.. versionadded:: 3.10
+ Added :data:`PROVIDE_AUTOMATIC_OPTIONS` to control the default
+ addition of autogenerated OPTIONS responses.
+
 
 Configuring from Python Files
 -----------------------------

src/flask/app.py

@@ -198,6 +198,7 @@ class Flask(App):
  "PREFERRED_URL_SCHEME": "http",
  "TEMPLATES_AUTO_RELOAD": None,
  "MAX_COOKIE_SIZE": 4093,
+ "PROVIDE_AUTOMATIC_OPTIONS": True,
  }
  )
 

src/flask/sansio/app.py

@@ -638,7 +638,7 @@ def add_url_rule(
  )
 
  if provide_automatic_options is None:
- if "OPTIONS" not in methods:
+ if "OPTIONS" not in methods and self.config["PROVIDE_AUTOMATIC_OPTIONS"]:
  provide_automatic_options = True
  required_methods.add("OPTIONS")
  else: