CORS issue - even for * Access-Control-Allow-Origin, Access-Control-Expose-Headers

Can you confirm manually (e.g. via curl) that the CORS headers are present? Are you using a Lambda behind an API Gateway by any chance?

Hi, Unfortunately API Gateway doesnot have any global mechanism to enable CORS on all API for the region. You would need to enable it on each API endpoint. Also, since the CORS header values will be of different for different applications, it may be of no use to create a global parameter.

Additionally, if the use-case is to specifically allow certain values on all the API's that you create,

• You could create a base template with required CORS values set and then export the API
• Use the exported API as template when you create new APIs so that you don't have to configure the same CORS values again