diff --git a/api/middleware/policy.go b/api/middleware/policy.go
index 9cf0088d2..3193f3843 100644
--- a/api/middleware/policy.go
+++ b/api/middleware/policy.go
@@ -108,6 +108,10 @@ func PolicyCheck(cfg PolicyConfig) Func {
 }
 
 func policyCheck(ctx context.Context, r *http.Request, cfg PolicyConfig) error {
+	if r.Method == http.MethodOptions {
+		return nil
+	}
+
 	reqInfo := GetReqInfo(ctx)
 
 	req, userKey, userGroups, err := getPolicyRequest(ctx, r, cfg, reqInfo.RequestType, reqInfo.BucketName, reqInfo.ObjectName)
diff --git a/api/router_mock_test.go b/api/router_mock_test.go
index 5d1320ec1..eef15d2e8 100644
--- a/api/router_mock_test.go
+++ b/api/router_mock_test.go
@@ -518,9 +518,13 @@ func (h *handlerMock) ListBucketsHandler(w http.ResponseWriter, r *http.Request)
 	h.writeResponse(w, res)
 }
 
-func (h *handlerMock) Preflight(http.ResponseWriter, *http.Request) {
-	//TODO implement me
-	panic("implement me")
+func (h *handlerMock) Preflight(w http.ResponseWriter, r *http.Request) {
+	res := &handlerResult{
+		Method:  middleware.OptionsBucketOperation,
+		ReqInfo: middleware.GetReqInfo(r.Context()),
+	}
+
+	h.writeResponse(w, res)
 }
 
 func (h *handlerMock) AppendCORSHeaders(http.ResponseWriter, *http.Request) {
diff --git a/api/router_test.go b/api/router_test.go
index 981b0244a..14898a530 100644
--- a/api/router_test.go
+++ b/api/router_test.go
@@ -627,6 +627,26 @@ func TestMFAPolicy(t *testing.T) {
 	createBucket(router, ns, bktName)
 }
 
+func TestPreflightWithoutAuth(t *testing.T) {
+	router := prepareRouter(t)
+	router.middlewareSettings.denyByDefault = true
+
+	ns, bktName := "", "bucket"
+	allowOperations(router, ns, []string{"s3:CreateBucket"}, nil)
+	createBucket(router, ns, bktName)
+
+	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodOptions, "/"+bktName, nil)
+	r.Header.Set(FrostfsNamespaceHeader, ns)
+	router.ServeHTTP(w, r)
+	require.Equal(t, http.StatusOK, w.Code)
+
+	w, r = httptest.NewRecorder(), httptest.NewRequest(http.MethodOptions, "/"+bktName+"/some-object", nil)
+	r.Header.Set(FrostfsNamespaceHeader, ns)
+	router.ServeHTTP(w, r)
+
+	require.Equal(t, http.StatusOK, w.Code)
+}
+
 func allowOperations(router *routerMock, ns string, operations []string, conditions engineiam.Conditions) {
 	addPolicy(router, ns, "allow", engineiam.AllowEffect, operations, conditions)
 }