CORS Preflight fails on HTTP API Gateway

0

I have a simple HTTP API Gateway with a Lambda Integration and a JWT Authorizer (Cognito JWT). The gateway has only one route, "/{proxy+}", that forwards to the Lambda function. Every HTTP method is supported (GET, PUT, POST, DELETE, HEAD, OPTIONS, PATCH). The authorization is configured so that every HTTP method except "OPTIONS" is protected by the JWT Authorizer. The HTTP method "OPTIONS" has no authorizer. If you have a valid Bearer Token, the HTTP API Gateway works correctly.

However, the automatic CORS preflight by the browser is not working, as I'm getting the following error: "403 - Forbidden". The CloudWatch log of the HTTP API Gateway has no more details. What do I have to configure so that CORS preflight works correctly?

4 Answers
0
Accepted Answer

Hello,

The issue you're facing is likely due to the way AWS API Gateway handles CORS preflight requests. By default, API Gateway does not automatically handle CORS preflight requests for HTTP APIs.

If you don't have any stages defined in your HTTP API Gateway, and you're using the default stage, follow the below steps:

1. Create a new route for the OPTIONS method with the same path as your existing route (e.g., /{proxy+}).
2. For the new OPTIONS route, configure a mock integration to return the necessary CORS headers in the response:

{
  "statusCode": 200,
  "headers": {
    "Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'",
    "Access-Control-Allow-Origin": "'*'",
    "Access-Control-Allow-Methods": "'OPTIONS,GET,PUT,POST,DELETE'"
  }
}

3. Configure the OPTIONS route to bypass the JWT Authorizer by setting the authorization type to "None".

After these steps, the CORS preflight requests should be handled correctly, and you should no longer receive the 403 Forbidden error.

EXPERT
answered 3 months ago
EXPERT
reviewed 3 months ago
  • I created a small Lambda function that is called by the OPTIONS route. This Lambda is returning the necessary CORS headers.
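
The comment above describes a small Lambda function behind the unauthenticated OPTIONS route. As an added example (not code from this thread or from AWS), such a handler could look like the following in Python; it assumes a Lambda proxy integration with payload format 2.0, and the origin, allowlists and function names are hypothetical. It echoes an allowlisted origin instead of the `*` used in the answer's JSON.

```python
# Added example, not from the thread. Handler for the unauthenticated OPTIONS
# route of an HTTP API (Lambda proxy integration, payload format 2.0).
ALLOWED_ORIGINS = {"https://app.example.com"}  # assumption: the front-end origin
ALLOWED_METHODS = {"GET", "PUT", "POST", "DELETE", "PATCH", "HEAD"}
ALLOWED_HEADERS = {"authorization", "content-type"}  # Authorization listed by name


def preflight_response(headers):
    """Build the preflight response from lower-cased request headers."""
    origin = headers.get("origin", "")
    method = headers.get("access-control-request-method", "").upper()
    raw = headers.get("access-control-request-headers", "")
    requested = {h.strip().lower() for h in raw.split(",") if h.strip()}
    # Refuse anything outside the allowlists. Without the Allow-* headers the
    # browser does not send the real request.
    if (origin not in ALLOWED_ORIGINS or method not in ALLOWED_METHODS
            or not requested <= ALLOWED_HEADERS):
        return {"statusCode": 403, "headers": {"Vary": "Origin"}}
    return {
        "statusCode": 204,
        "headers": {
            "Access-Control-Allow-Origin": origin,  # echo the vetted origin
            "Access-Control-Allow-Methods": ",".join(sorted(ALLOWED_METHODS)),
            "Access-Control-Allow-Headers": ",".join(sorted(ALLOWED_HEADERS)),
            "Access-Control-Max-Age": "600",
            "Vary": "Origin",  # keep caches from mixing origins
        },
    }


def handler(event, context):
    # Normalise header names so the lookups above are case-insensitive.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    return preflight_response(headers)


# Constructed sample event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "requestContext": {"http": {"method": "OPTIONS", "path": "/items"}},
    "headers": {"origin": "https://app.example.com",
                "access-control-request-method": "PUT",
                "access-control-request-headers": "authorization, content-type"},
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, None))
```

The responses of the JWT-protected routes must also carry `Access-Control-Allow-Origin`, otherwise the browser discards them even after a successful preflight.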

0

I have no stages, so there is only the "default" stage.

answered 3 months ago
0

Have you deployed all the changes to the resource to the correct stage? Just wanting to ensure that base is covered.

EXPERT
answered 3 months ago
0

How do I have to configure this Mock Integration? In the Management Console I cannot find an option to add a Mock integration. As far as I know this option is only possible on REST API Gateway.

answered 3 months ago
