Please assign to @wilsonge per the discussion in gh-26925.

The API application currently implements HTTP verbs in a mostly RESTful manner but it's missing an implementation for OPTIONS.

Per "Build APIs You Won't Hate" by Phil Sturgeon, chapter 5 HATEOAS, "Discovering Resource Programmatically" we should respond to the OPTIONS verb with an HTTP header similar to
Allow: GET, HEAD, POST
thereby relaying the supported HTTP verbs for the resource.

I suspect this should be possible to implement by inspecting the routes for each resource.

Note that the supported routes need not be ACL'ed, e.g. you should return the DELETE verb even if the current user is not authorized to delete the resource as long as the resource supports deletion.