Enable CORS on a resource using the API Gateway console
You can use the API Gateway console to enable CORS support for one or all methods on a REST
API resource that you have created.
Resources can contain child resources. Enabling CORS support for a resource and
its methods does not recursively enable it for child resources and their
methods.
Old REST API console
We've redesigned the API Gateway console. On 30th October 2023, the old console will no longer be available.
To enable CORS support on a REST API resource
- Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.
- Choose the API from the APIs list.
- Choose a resource under Resources. This will enable CORS for all the methods on the resource.
  Alternatively, you could choose a method under the resource to enable CORS for just this method.
- Choose Enable CORS from the Actions drop-down menu.
- On the Enable CORS page, do the following:
  - In the Access-Control-Allow-Headers input field, type a static string containing a comma-separated list of headers that the client must submit in the actual request of the resource. Use the console-provided header list of 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token' or specify your own headers.
  - Use the console-provided value of '*' as the Access-Control-Allow-Origin header value to allow access requests from all origins, or specify origins to be permitted to access the resource.
  - Choose Enable CORS and replace existing CORS headers.
    When applying the above instructions to the ANY method in a proxy integration, any applicable CORS headers will not be set. Instead, your backend must return the applicable CORS headers, such as Access-Control-Allow-Origin.
- In Confirm method changes, choose Yes, overwrite existing values to confirm the new CORS settings.
After CORS is enabled on the GET method, an OPTIONS method is added to the resource, if it is not already there. The 200 response of the OPTIONS method is automatically configured to return the three Access-Control-Allow-* headers to fulfill preflight handshakes. In addition, the actual (GET) method is configured by default to return the Access-Control-Allow-Origin header in its 200 response. For other types of responses, you will need to manually configure them to return the Access-Control-Allow-Origin header with '*' or specific origins, if you do not want to return the Cross-origin access error.
After you enable CORS support on your resource, you must deploy or redeploy the API for the new settings to take effect. For more information, see Deploying a REST API from the API Gateway console.
New REST API console
To enable CORS support on a REST API resource
- Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.
- Choose an API.
- Choose a resource under Resources.
- In the Resource details section, choose Enable CORS.
- In the Enable CORS box, do the following:
  - (Optional) If you created a custom gateway response and want to enable CORS support for a response, select a gateway response.
  - Select each method to enable CORS support. The OPTIONS method must have CORS enabled.
    If you enable CORS support for an ANY method, CORS is enabled for all methods.
  - In the Access-Control-Allow-Headers input field, enter a static string containing a comma-separated list of headers that the client must submit in the actual request of the resource. Use the console-provided header list of 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token' or specify your own headers.
  - Use the console-provided value of '*' as the Access-Control-Allow-Origin header value to allow access requests from all origins, or specify origins to be permitted to access the resource.
  - Choose Save.
When applying the above instructions to the ANY method in a proxy integration, any applicable CORS headers will not be set. Instead, your backend must return the applicable CORS headers, such as Access-Control-Allow-Origin.
After CORS is enabled on the GET method, an OPTIONS method is added to the resource, if it is not already there. The 200 response of the OPTIONS method is automatically configured to return the three Access-Control-Allow-* headers to fulfill preflight handshakes. In addition, the actual (GET) method is configured by default to return the Access-Control-Allow-Origin header in its 200 response. For other types of responses, you will need to manually configure them to return the Access-Control-Allow-Origin header with '*' or specific origins, if you do not want to return the Cross-origin access error.
After you enable CORS support on your resource, you must deploy or redeploy the API for the new settings to take effect. For more information, see Deploying a REST API from the API Gateway console.
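For the proxy integration case noted in both procedures, where the backend must return the CORS headers itself, here is an added example (not part of the original page or AWS's own code): a Python Lambda proxy handler that returns Access-Control-Allow-Origin only for specific permitted origins rather than '*', answers OPTIONS preflights, and includes the header on a non-200 response. The origin https://app.example.com, the method list, and the function names are assumptions.

```python
import json

# Assumption: origins permitted to call this API (constructed sample value).
ALLOWED_ORIGINS = {"https://app.example.com"}
# Header list the console offers by default, as quoted on this page.
ALLOWED_HEADERS = "Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token"
ALLOWED_METHODS = "GET,OPTIONS"


def cors_headers(event):
    """Build CORS response headers for a Lambda proxy integration event."""
    # HTTP header names are case-insensitive; normalise before lookup.
    req = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    origin = req.get("origin")
    # Vary: Origin keeps caches from reusing one origin's response for another.
    headers = {"Vary": "Origin"}
    if origin in ALLOWED_ORIGINS:
        # Echo the exact permitted origin instead of returning '*'.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
    return headers


def handler(event, context):
    headers = cors_headers(event)
    method = event.get("httpMethod")
    if method == "OPTIONS":
        # Preflight: empty body, only the Access-Control-Allow-* headers matter.
        return {"statusCode": 200, "headers": headers, "body": ""}
    if method != "GET":
        # Non-200 responses need the header too, or the browser hides the error.
        body = json.dumps({"error": "method not allowed"})
        return {"statusCode": 405, "headers": headers, "body": body}
    return {"statusCode": 200, "headers": headers, "body": json.dumps({"ok": True})}


if __name__ == "__main__":
    # Constructed sample event in the REST API Lambda proxy format.
    sample = {"httpMethod": "OPTIONS", "headers": {"Origin": "https://app.example.com"}}
    print(handler(sample, None))
```

A request from an origin outside the set receives no Access-Control-Allow-Origin header, so the browser blocks the calling page from reading the response.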