Cors Problem In Rest Implements?

Hello,

I implemented a REST code with YII 2.0 and i discovered that to return the OPTIONS code for the CORS problem, YII passed inside checkAccess code, and return 401 code. Is that correct? Because when the ajax send the OPTIONS, it doesn’t send the Header Authentication option, so will never works, or am i wrong?