It appears you're experiencing an issue with your custom CORS response header policy in CloudFront. When you specify custom origins in the Response Header Policy, CloudFront should add the Access-Control-Allow-Origin header with your specified domain(s) to responses when the request's Origin header matches one of those domains.
There are a few potential reasons why your custom origins configuration isn't working:
- The Origin header in your curl request might not exactly match one of the origins you've specified in your policy. Make sure the origin value in your request matches exactly what you've configured (including protocol, subdomain, and no trailing slash).
- You may need to ensure that the OriginOverride setting is properly configured. This setting determines whether CloudFront overrides HTTP response headers received from the origin with the ones specified in your response headers policy.
- If you recently made these changes, CloudFront might still be propagating the configuration across edge locations. You might need to wait a bit longer or invalidate your cache.
- Check that the response headers policy is actually attached to the cache behavior in your CloudFront distribution. Creating the policy alone isn't enough - you need to edit your distribution's behavior settings and select the new policy under "Response headers policy".
Since the "All origins" option works correctly (returning access-control-allow-origin: *), the issue is specifically with the custom origins configuration. Try simplifying your test by including just one origin in your custom list to isolate the problem.
If you continue to experience issues, you might want to verify your curl command is correctly sending the Origin header and that the value exactly matches what you've configured in your policy.

The Origin header was not matching the origins listed. After matching it, I can see the access-control-allow-origin header in the response.
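A quick way to find the kind of mismatch described in this thread, as an added example that is not part of the original posts or of any AWS tooling: it compares one `Origin` value against a policy's origin list and reports which part differs. It assumes a match means exact string equality, as the answer describes; `diagnose_origin`, `POLICY_ORIGINS` and the example.com origins are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample: origins as they might be listed in the response headers policy.
POLICY_ORIGINS = ["https://app.example.com", "https://admin.example.com"]

def _port(u):
    # Explicit port if present, otherwise the scheme's default.
    return u.port or DEFAULT_PORTS.get(u.scheme)

def diagnose_origin(request_origin, allowed_origins):
    """Return (matched, reasons) for one Origin header value.

    Assumption: the policy matches by exact string equality.
    """
    if request_origin in allowed_origins:
        return True, []
    req = urlsplit(request_origin)
    reasons = []
    for allowed in allowed_origins:
        cfg = urlsplit(allowed)
        if not cfg.scheme or not cfg.netloc:
            why = "configured value has no scheme://host form"
        elif request_origin.rstrip("/") == allowed.rstrip("/"):
            why = "trailing slash differs"
        elif request_origin.lower() == allowed.lower():
            why = "letter case differs"
        elif req.hostname != cfg.hostname:
            a, b = req.hostname or "", cfg.hostname or ""
            related = a.endswith("." + b) or b.endswith("." + a)
            why = "subdomain differs" if related else None  # unrelated host: skip
        elif req.scheme != cfg.scheme:
            why = "protocol differs"
        elif _port(req) != _port(cfg):
            why = "port differs"
        else:
            why = "differs in some other way"
        if why:
            reasons.append(f"{allowed}: {why}")
    return False, reasons or ["no configured origin is close to this value"]

if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://app.example.com/",
                   "http://app.example.com", "https://example.com"):
        print(origin, "->", diagnose_origin(origin, POLICY_ORIGINS))
```

Pass it the exact string sent in the `Origin` header of the curl request and the list copied from the policy.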