Configure CORS for authorization errors (API Gateway HTTP + Lambda proxy + Cognito)

0

Hello, I'm using API Gateway (HTTP API) as a Lambda proxy with Cognito authorization. The domain of my app differs from the one of the API, which is why I need to provide CORS headers in the response.

I've already excluded OPTIONS calls from the authorization and provide the CORS headers from my Lambda. That has solved my CORS issues.

But if the authentication fails because of an expired or invalid access_token, API Gateway (I guess) will create an error response which doesn't have those headers included... The moment the token expires, I'm simply getting CORS issues in the app which I can't handle properly.

I've already tried to do a parameter mapping, but I can't save it ("Operations on header access-control-allow-origin are restricted").

Is it possible to somehow add those headers into the response?

Thanks and regards

2 Answers
0

When API Gateway responds to an authentication or authorization error before passing the request to Lambda, it doesn't include the CORS headers. That makes the browser think it's a CORS error, even though it's actually an authentication/authorization error. To ensure CORS headers are included in the authentication error response from API Gateway, follow these steps:

  • Catch the Error in API Gateway
  • Customize Gateway Responses
    • In the Response Headers section, you can add the headers needed for CORS. For example, you might add:
      • Access-Control-Allow-Origin with the value set to '*' or your specific domain.
      • Access-Control-Allow-Credentials with the value true if needed.
      • Any other headers you'd typically add for CORS responses.
  • Response Mapping Templates
  • Re-deploy Your API
EXPERT
answered 10 months ago
EXPERT
reviewed 10 months ago
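The Gateway Responses customization described in this answer, as an added CloudFormation example that is not part of the original answer. It assumes a REST API resource named MyRestApi and an app origin of https://app.example.com (both placeholders); note that Gateway Responses exist only on REST APIs, not on HTTP APIs.

```yaml
# Added example, not from the original post. Attaches CORS headers to the
# 401/403 responses API Gateway generates itself when the Cognito authorizer
# rejects a request, so the browser reports an auth error instead of a CORS error.
Resources:
  UnauthorizedCorsResponse:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref MyRestApi          # assumed: your AWS::ApiGateway::RestApi
      ResponseType: UNAUTHORIZED         # missing or malformed token
      StatusCode: '401'
      ResponseParameters:
        # With Allow-Credentials 'true' the origin must be explicit; a wildcard
        # '*' is rejected by browsers when credentials are sent.
        gatewayresponse.header.Access-Control-Allow-Origin: "'https://app.example.com'"
        gatewayresponse.header.Access-Control-Allow-Credentials: "'true'"
        gatewayresponse.header.Access-Control-Allow-Headers: "'Authorization,Content-Type'"

  AccessDeniedCorsResponse:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref MyRestApi
      ResponseType: ACCESS_DENIED        # token present but rejected by the authorizer
      StatusCode: '403'
      ResponseParameters:
        gatewayresponse.header.Access-Control-Allow-Origin: "'https://app.example.com'"
        gatewayresponse.header.Access-Control-Allow-Credentials: "'true'"
        gatewayresponse.header.Access-Control-Allow-Headers: "'Authorization,Content-Type'"

  ExpiredTokenCorsResponse:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref MyRestApi
      ResponseType: EXPIRED_TOKEN        # the case raised in the question
      StatusCode: '401'
      ResponseParameters:
        gatewayresponse.header.Access-Control-Allow-Origin: "'https://app.example.com'"
        gatewayresponse.header.Access-Control-Allow-Credentials: "'true'"
        gatewayresponse.header.Access-Control-Allow-Headers: "'Authorization,Content-Type'"
```

The header values are quoted twice because API Gateway treats a ResponseParameters value as a mapping expression, and the inner single quotes mark it as a string literal; a stage redeploy is still needed for the change to take effect.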
0

Thanks for the quick answer!

Unfortunately I can't find the settings to do that. For Lambda proxy integrations it seems that I can only do a parameter mapping. I've tried it already but can't save it: "Operations on header access-control-allow-origin are restricted"

In the meantime I have found a workaround which works for me:

  • Modified the CloudFront distribution of my app and added a new origin and behavior.
  • It forwards everything from /api/* to my API Gateway. Since the requests are now being made from the same domain, I have no CORS issues anymore.
  • M2M requests still target my API Gateway directly, since I don't need CORS headers in that case.

Thanks and regards

PatrykT
answered 10 months ago
