Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can't use custom Request Headers on AWS API Gateway with CORS

I have created and deployed an AWS API Gateway resource with the following structure including a custom HTTP Request Header 'X-header'

dev (stage)
  /echo (resource)
    POST (method)
      Method Request - Headers: X-header
    OPTIONS (method)
      Method Request - Headers: X-header

When I POST to the endpoint from Chrome, I get the following error.

XMLHttpRequest cannot load https://fxxxx.execute-api.us-west-2.amazonaws.com/dev/echo. Request header field X-header is not allowed by Access-Control-Allow-Headers in preflight response.

Chrome is doing a preflight check against the OPTIONS method. I can see the Request Headers:

Access-Control-Request-Headers:accept, content-type, x-header
Access-Control-Request-Method:POST

But the Response Headers only have:

Access-Control-Allow-Headers:Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
Access-Control-Allow-Methods:POST,OPTIONS
Access-Control-Allow-Origin:*

Chrome expects the Response Access-Control-Request-Headers to include my custom x-header, which seems logical. Is this an API Gateway bug?

The only workaround I see is to remove the custom header and pass the data in the POST body.

like image 940
Jason Avatar asked Apr 08 '16 01:04

Jason


People also ask

How do I fix the CORS error in AWS API gateway?

Cross-Origin Resource Sharing (CORS) errors occur when a server doesn't return the HTTP headers required by the CORS standard. To resolve a CORS error from an API Gateway REST API or HTTP API, you must reconfigure the API to meet the CORS standard.

How do I enable headers in CORS?

Access-Control-Allow-Origin is a CORS (cross-origin resource sharing) header. When Site A tries to fetch content from Site B, Site B can send an Access-Control-Allow-Origin response header to tell the browser that the content of this page is accessible to certain origins.

How do you fix CORS headers?

To get rid of a CORS error, you can download a browser extension like CORS Unblock. The extension appends Access-Control-Allow-Origin: * to every HTTP response when it is enabled. It can also add custom Access-Control-Allow-Origin and Access-Control-Allow-Methods headers to the responses.


2 Answers

You have full control over the CORS headers on the OPTIONS response in API Gateway. If you need to add x-header to the Access-Control-Allow-Headers header, go ahead and add it! Go to the Integration Response for the OPTIONS method and modify the static value of that header.

When you first configure CORS using the console feature (you may not have done this), you can enter the list of headers there and see other advanced headers as well.

So you can make this change in the future at create-time, or update it on the fly after the OPTIONS has been created.

like image 106
jackko Avatar answered Sep 27 '22 20:09

jackko


I have the exact same issue. And I have added my custom header to comma-separated list for Access-Control-Allow-Headers under the resource, Enable CORS; and also under resource - OPTIONS - Integration Response, Header Mappings.

I get the same error in Chrome, and inspecting the OPTIONS call in Network, I do not see my header name in Access-Control-Allow-Headers in the response.

  • John
like image 35
John Troxel Avatar answered Sep 27 '22 19:09

John Troxel