CORS on AWS API Gateway

Amazon API Gateway adds support for CORS enabling through a simple button in the API Gateway console. Unfortunately that button has a partial behavior, thus setting CORS correctly only for 200 answer (so not other HTTP status codes) and ignoring JQuery header support. The best solution considered so far is about avoiding to use the CORS button and set configurations manually. This can be achieved in a couple of steps:

  1. Log into API Gateway console
  2. Create all the REST resources that needs to be exposed with their methods before setting up CORS (if new resources/methods are created after enabling CORS, these steps must be repeated)
  3. Select a resource
  4. Add OPTIONS method, choose as integration type "mock"
  5. For each Method of a resource
  6. Go to Response Method
  7. Add all the response method that should be supported (i.e. 200, 500, etc.)
  8. For each response code set Response Headers to
    • X-Requested-With
    • Access-Control-Allow-Headers
    • Access-Control-Allow-Origin
    • Access-Control-Allow-Methods
  9. Go to Integration Response, select one of the created response codes, then Header Mappings
  10. Insert default values for headers
    • X-Requested-With: '*'
    • Access-Control-Allow-Headers: 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,x-requested-with'
    • Access-Control-Allow-Origin: '*'
    • Access-Control-Allow-Methods: 'POST,GET,OPTIONS'
    This operation has to be repeated for each method, including the newly created OPTIONS
  11. Deploy the API to a stage
  12. Check using that CORS requests have been successfully enabled

Who’s behind this

Monsur Hossain and Michael Hausenblas


The content on this site stays fresh thanks to help from users like you! If you have suggestions or would like to contribute, fork us on GitHub.

Buy the book

Save 39% on CORS in Action with promotional code hossainco at