Reputation: 10842
Can't use custom Request Headers on AWS API Gateway with CORS
I have created and deployed an AWS API Gateway resource with the following structure including a custom HTTP Request Header 'X-header'
dev (stage)
/echo (resource)
POST (method)
Method Request - Headers: X-header
OPTIONS (method)
Method Request - Headers: X-header
When I POST to the endpoint from Chrome, I get the following error.
XMLHttpRequest cannot load https://fxxxx.execute-api.us-west-2.amazonaws.com/dev/echo. Request header field X-header is not allowed by Access-Control-Allow-Headers in preflight response.
Chrome is doing a preflight check against the OPTIONS method. I can see the Request Headers:
Access-Control-Request-Headers:accept, content-type, x-header
Access-Control-Request-Method:POST
But the Response Headers only have:
Access-Control-Allow-Headers:Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
Access-Control-Allow-Methods:POST,OPTIONS
Access-Control-Allow-Origin:*
Chrome expects the Response Access-Control-Request-Headers to include my custom x-header, which seems logical. Is this an API Gateway bug?
The only workaround I see is to remove the custom header and pass the data in the POST body.
Upvotes: 7
Views: 13286
Answers (3)
Reputation: 156
Not sure if someone found the solutions but there is an option under the Options--> Integration Response--> Access-Control-Allow-Headers:
Upvotes: 7
Reputation: 81
I have the exact same issue. And I have added my custom header to comma-separated list for Access-Control-Allow-Headers under the resource, Enable CORS; and also under resource - OPTIONS - Integration Response, Header Mappings.
I get the same error in Chrome, and inspecting the OPTIONS call in Network, I do not see my header name in Access-Control-Allow-Headers in the response.
- John
Upvotes: 8
Reputation: 7344
You have full control over the CORS headers on the OPTIONS response in API Gateway. If you need to add x-header to the Access-Control-Allow-Headers header, go ahead and add it! Go to the Integration Response for the OPTIONS method and modify the static value of that header.
When you first configure CORS using the console feature (you may not have done this), you can enter the list of headers there and see other advanced headers as well.
So you can make this change in the future at create-time, or update it on the fly after the OPTIONS has been created.
Upvotes: 13
Related Questions
- How does the 'Access-Control-Allow-Origin' header work?
- Why doesn't adding CORS headers to an OPTIONS route allow browsers to access my API?
- Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not?
- Request header field Access-Control-Allow-Headers is not allowed by itself in preflight response
- API Gateway CORS: no 'Access-Control-Allow-Origin' header
- No 'Access-Control-Allow-Origin' header is present on the requested resource—when trying to get data from a REST API
- AWS API Gateway - CORS + POST not working
- Cross-origin resource sharing (CORS) post request works from plain javascript, but why not with jQuery
- Response to preflight request doesn't pass access control check - No 'Access-Control-Allow-Origin' header
- Access Control Request Headers, is added to header in AJAX request with jQuery