Cloudfront return 403 on OPTION request

0

I have a cloudfront distribution pointing to S3.

Accessing to de URL directly works fine.

But is part o a complex API, de API return a 307 that points to the cloudfront, and the webbrowser made and and OPTIONS request.

The OPTIONS return a 403

The distributions contains a single behavior and accepts GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

I have tested several combinations of CORS response headers but none works. This is my current configuration

current configuration

any idea about why cloudfront returns a 403?

asked 8 months ago213 views
1 Answer
2
Accepted Answer

It seems like the OPTIONS request is being blocked either due to incorrect CORS configuration or WAF rules blocking the request. A few things to check:

Verify that the CORS configuration on the S3 bucket allows the Origin, Access-Control-Request-Method and Access-Control-Request-Headers that are being sent in the OPTIONS request.

Check if a WAF web ACL is associated with the CloudFront distribution and blocking the OPTIONS request. The WAF rules need to allow OPTIONS requests to pass through.

Make sure the CloudFront distribution behavior allows OPTIONS method.

Try simplifying the CORS configuration on S3 to just allow all origins, methods and headers as a test:


[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET","PUT","POST","DELETE","HEAD","OPTIONS"], 
    "AllowedOrigins": ["*"],
    "ExposeHeaders": []
  }
]

Check CloudFront and S3 access logs to see exactly what requests are reaching the origin and getting blocked.

profile picture
EXPERT
answered 8 months ago
profile picture
EXPERT
reviewed 3 months ago
profile picture
EXPERT
reviewed 8 months ago
  • I was assuming that cloudfront itself handled the CORS requests, and no setup from S3 side was needed. I solved de problem after configure CORS on S3.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions