The issue you're experiencing with API Gateway for HTTP API not returning Access-Control-Allow-* headers for the preflight OPTIONS request, despite configuring CORS, is a common problem. Here are some steps to troubleshoot and resolve this issue:
- Ensure that you have properly configured CORS for your HTTP API in API Gateway. Even if you've set Access-Control-Allow-Origin to '*', you need to configure other CORS headers as well, such as Access-Control-Allow-Methods and Access-Control-Allow-Headers.
- For HTTP APIs, API Gateway should automatically handle CORS preflight requests, even if there isn't an OPTIONS route explicitly configured. However, you may need to create a new route for the OPTIONS method with the same path as your existing routes.
- If you've created an OPTIONS route, configure it with a mock integration that returns the necessary CORS headers in the response. The response should include headers like:
  - Access-Control-Allow-Origin: '*'
  - Access-Control-Allow-Methods: 'OPTIONS,GET,PUT,POST,DELETE' (include all methods your API supports)
  - Access-Control-Allow-Headers: 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'
- Make sure the OPTIONS route is not protected by any authorizer. Set the authorization type to "None" for this route.
- After making these changes, redeploy your API to ensure the changes take effect.
- Verify that your client request includes the necessary headers, particularly the 'origin' header for CORS requests and the 'Access-Control-Request-Method' header for OPTIONS requests.
- If you're using Lambda integration, ensure your Lambda function is also returning the appropriate CORS headers in its response.
If you've followed these steps and are still experiencing issues, double-check all your CORS settings and ensure that the preflight OPTIONS request is being handled correctly by your API Gateway configuration. Remember that CORS is a browser security feature, so testing with tools like Postman may not reveal CORS issues that occur in browser-based applications.
Sources
CORS Preflight fails on HTTP API Gateway | AWS re:Post
Configure CORS for HTTP APIs in API Gateway - Amazon API Gateway
CORS Access-Control-Allow-Origin Header missing - Api Gateway HTTP / EC2 | AWS re:Post
Had the same issue before — just setting Access-Control-Allow-Origin: * in CORS settings doesn’t always make the preflight OPTIONS request work unless you configure it properly for HTTP APIs.
Here’s what you should double-check:
- Enable CORS in the API Gateway console (not just manually in headers):
  - Go to your route (usually / or the specific path).
  - Select the OPTIONS method (you may need to add it).
  - In the integration response or route response, make sure CORS is enabled there too — API Gateway needs to return all the CORS headers on the OPTIONS response, not just your backend.
- Make sure these headers are returned for the preflight:
  - Access-Control-Allow-Origin: *
  - Access-Control-Allow-Methods: GET, POST, OPTIONS (or whatever you're using)
  - Access-Control-Allow-Headers: Content-Type (or specific headers your client sends)
- If you’re using Lambda proxy integration, make sure your Lambda explicitly returns these headers on the OPTIONS method as well.
- Finally, redeploy the stage after making changes.
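Both answers above come down to checking which Access-Control-Allow-* headers the OPTIONS response actually carries. The following is an added example, not part of either answer and not AWS code: an offline approximation of the checks a browser applies to a preflight response, so a captured response can be evaluated without a browser. The function name `check_preflight`, the origin `https://app.example` and the sample responses are constructed for illustration, and the check assumes requests sent without credentials.

```python
# Added example: approximates the checks a browser applies to a CORS
# preflight response. Assumes a request without credentials; simplified.

def _tokens(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}

def check_preflight(origin, method, requested_headers, status, response_headers):
    """Return the reasons a browser would reject the preflight ([] = pass)."""
    h = {k.lower(): v for k, v in response_headers.items()}
    problems = []
    if not 200 <= status <= 299:
        problems.append(f"status {status} is not 2xx")
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("Access-Control-Allow-Origin missing")
    elif allow_origin not in ("*", origin):
        problems.append(f"origin {origin} not allowed")
    methods = _tokens(h.get("access-control-allow-methods"))
    # GET, HEAD and POST are CORS-safelisted and need not be listed.
    if method.lower() not in methods | {"get", "head", "post"} and "*" not in methods:
        problems.append(f"method {method} not in Access-Control-Allow-Methods")
    allowed = _tokens(h.get("access-control-allow-headers"))
    for name in sorted(_tokens(requested_headers)):
        # "*" does not cover Authorization; it must be listed by name.
        if name not in allowed and ("*" not in allowed or name == "authorization"):
            problems.append(f"header {name} not in Access-Control-Allow-Headers")
    return problems

# Constructed sample responses (not captured from a real API).
ORIGIN_ONLY = {"Access-Control-Allow-Origin": "*"}
FULL = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "OPTIONS,GET,PUT,POST,DELETE",
    "Access-Control-Allow-Headers":
        "Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token",
}

if __name__ == "__main__":
    for label, resp in (("origin only", ORIGIN_ONLY), ("full", FULL)):
        result = check_preflight("https://app.example", "PUT",
                                 "authorization, content-type", 204, resp)
        print(label, "->", result or "preflight passes")
```

Feed it the status and headers of a real OPTIONS response (for example from the browser's network tab) together with the Origin, Access-Control-Request-Method and Access-Control-Request-Headers values the browser sent.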