Configuring CORS for an HTTP API
Cross-origin resource sharing (CORS)
CORS is typically required to build web applications that access APIs hosted on a different domain or origin. You can enable CORS to allow requests to your API from a web application hosted on a different domain. For example, if your API is hosted on https://{api_id}.execute-api.{region}.amazonaws.com/ and you want to call your API from a web application hosted on example.com, your API must support CORS.
If you configure CORS for an API, API Gateway automatically sends a response to preflight OPTIONS requests, even if there isn't an OPTIONS route configured for your API. For a CORS request, API Gateway adds the configured CORS headers to the response from an integration.
Note
If you configure CORS for an API, API Gateway ignores CORS headers returned from your backend integration.
You can specify the following parameters in a CORS configuration.
CORS headers | CORS configuration property | Example values |
---|---|---|
Access-Control-Allow-Origin | allowOrigins | |
Access-Control-Allow-Credentials | allowCredentials | true |
Access-Control-Expose-Headers | exposeHeaders | Date, x-api-id |
Access-Control-Max-Age | maxAge | 300 |
Access-Control-Allow-Methods | allowMethods | GET, POST, DELETE, * |
Access-Control-Allow-Headers | allowHeaders | Authorization, * |
Configuring CORS for an HTTP API with a $default route and JWT authorizer
You can enable CORS and configure authorization for any route of an HTTP API. When you enable CORS and authorization for the $default route, there are some special considerations. The $default route catches requests for all methods and routes that you haven't explicitly defined, including OPTIONS requests. To support unauthorized OPTIONS requests, add an OPTIONS /{proxy+} route to your API that doesn't require authorization and attach an integration to the route. The OPTIONS /{proxy+} route has higher priority than the $default route. As a result, it enables clients to submit OPTIONS requests to your API without authorization. For more information about routing priorities, see Routing API requests.
Configure CORS for an HTTP API by using the AWS CLI
You can use the following command to enable CORS requests from https://www.example.com.
aws apigatewayv2 update-api --api-id api-id --cors-configuration AllowOrigins="https://www.example.com"
For more information, see CORS in the Amazon API Gateway Version 2 API Reference.
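The following Python check is an added example, not part of the AWS documentation: it audits a CORS configuration for the risky combinations that the parameters in the table above allow. It assumes the configuration is a dict using the CLI's key names (AllowOrigins, AllowCredentials, AllowHeaders, AllowMethods); the function name audit_cors, the finding codes, and the sample configurations are constructed for illustration.

```python
from urllib.parse import urlsplit

def audit_cors(cfg):
    """Audit a CorsConfiguration dict; return a list of (code, message) findings."""
    origins = cfg.get("AllowOrigins", [])
    headers = [h.lower() for h in cfg.get("AllowHeaders", [])]
    methods = cfg.get("AllowMethods", [])
    creds = bool(cfg.get("AllowCredentials", False))
    findings = []

    for origin in origins:
        if origin == "*":
            findings.append(("ANY_ORIGIN", "every website may read responses from this API"))
        elif "*" in origin:
            findings.append(("WILDCARD_ORIGIN", f"{origin} matches more than one origin"))
        elif urlsplit(origin).scheme != "https":
            findings.append(("CLEARTEXT_ORIGIN", f"{origin} is not an HTTPS origin"))

    if creds and "*" in origins:
        # Fetch standard: browsers reject a credentialed response whose
        # Access-Control-Allow-Origin is '*'; exact origins must be listed.
        findings.append(("CREDS_WITH_ANY_ORIGIN", "list exact origins when credentials are allowed"))
    if creds and ("*" in headers or "*" in methods):
        # Fetch standard: on credentialed requests '*' is a literal name, not a wildcard.
        findings.append(("CREDS_WITH_WILDCARD", "name methods and headers explicitly"))
    if "*" in headers and "authorization" not in headers:
        # Fetch standard: the header wildcard never covers Authorization.
        findings.append(("AUTHORIZATION_NOT_LISTED", "add Authorization to AllowHeaders by name"))
    return findings

# Constructed sample configurations (not taken from a real API).
WEAK = {"AllowOrigins": ["*", "http://app.example.com"], "AllowCredentials": True,
        "AllowHeaders": ["*"], "AllowMethods": ["*"]}
STRICT = {"AllowOrigins": ["https://www.example.com"], "AllowCredentials": True,
          "AllowHeaders": ["Authorization", "Content-Type"],
          "AllowMethods": ["GET", "POST"], "MaxAge": 300}
# The example values from the table above, combined with one exact origin.
TABLE_VALUES = {"AllowOrigins": ["https://www.example.com"], "AllowCredentials": True,
                "AllowHeaders": ["Authorization", "*"],
                "AllowMethods": ["GET", "POST", "DELETE", "*"]}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("STRICT", STRICT), ("TABLE_VALUES", TABLE_VALUES)):
        print(name, [code for code, _ in audit_cors(cfg)] or "no findings")
```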