CORS headers not being picked up by AWS API Gateway


I have a REST API Beanstalk setup that's connected with AWS API Gateway. The API Gateway has proxy routes set up for the REST API on Beanstalk, and from what I've read in the docs, in order to enable CORS for this proxy setup I have to configure the server to pass the correct headers back. So I've done this, and my server is passing back the CORS headers, but for some reason AWS API Gateway is not picking these up and passing them on to the client.

I confirmed this all by setting up a jump server inside my VPC so I could query the REST API on Beanstalk directly instead of through the gateway. I use this command:

curl https://eb.mywebsite.com/v1/prices \
-X OPTIONS \
-i \
--insecure \
-H "Host: app.mywebsite.com" \
-H "Origin: https://app.mywebsite.com" \
-H "Access-Control-Request-Method: GET" \
-H "Access-Control-Request-Headers: x-csrftoken"

The response looks like this:

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 15 Mar 2025 19:32:34 GMT
Content-Type: application/json
Content-Length: 212
Connection: keep-alive
Vary: Accept, origin
Allow: GET, HEAD, OPTIONS
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
access-control-allow-origin: https://app.mywebsite.com
access-control-allow-credentials: true
access-control-allow-headers: accept, authorization, content-type, user-agent, x-csrftoken, x-requested-with
access-control-allow-methods: DELETE, GET, OPTIONS, PATCH, POST, PUT
access-control-max-age: 86400

But when I test the same endpoint in the AWS API Gateway console, these are the response headers:

{
  "Allow": "GET, HEAD, OPTIONS",
  "Connection": "keep-alive",
  "Content-Length": "302",
  "Content-Type": "application/json",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Date": "Sat, 15 Mar 2025 19:33:12 GMT",
  "Referrer-Policy": "same-origin",
  "Server": "nginx",
  "Vary": "Accept, origin",
  "X-Content-Type-Options": "nosniff"
}

Even though the docs say that CORS can't be handled by AWS API Gateway for proxy integrations, I still tried this and can confirm it didn't work either. The proper CORS headers were not being sent to the client. I also tried adding a specific OPTIONS route for the endpoint and this didn't work either.

1 Answer

The issue you're experiencing with CORS headers not being passed through AWS API Gateway to the client is a common problem when using proxy integrations. Even though your Elastic Beanstalk application is correctly sending the CORS headers, API Gateway is not automatically forwarding them in this setup.

To resolve this issue, you have a few options:

  1. Configure API Gateway to pass through all headers: In your API Gateway settings, you can modify the integration response to pass through all headers from your backend. This can be done by adding a mapping template in the integration response that includes #set($context.responseOverride.header.Access-Control-Allow-Origin = $input.params('Access-Control-Allow-Origin')) for each CORS header you want to pass through.

  2. Add CORS headers in API Gateway: Although you mentioned this didn't work, it's worth double-checking the configuration. In API Gateway, you can enable CORS for each resource or for the entire API. Make sure you've added all the necessary CORS headers, including 'Access-Control-Allow-Origin', 'Access-Control-Allow-Headers', and 'Access-Control-Allow-Methods'.

  3. Use a Lambda authorizer: You can create a Lambda authorizer that adds the necessary CORS headers to the response. This authorizer can be attached to your API routes and will ensure the headers are present in the response.

  4. Modify your backend application: If possible, you could modify your Elastic Beanstalk application to add the CORS headers to every response, not just for OPTIONS requests. This way, even if API Gateway doesn't pass the headers from OPTIONS requests, they'll be present in the actual GET, POST, etc. responses.

  5. Use HTTP APIs instead of REST APIs: If you have the flexibility to change your API type, HTTP APIs in API Gateway have better built-in support for CORS and might handle this situation more gracefully.

Remember to redeploy your API after making any changes to the configuration. Also, make sure to test with actual browser requests, as curl doesn't enforce CORS policies in the same way browsers do.

If none of these solutions work, you may need to contact AWS support for further assistance, as there could be a specific configuration in your account or region that's causing this behavior.
Sources
API Gateway CORS Error | AWS re:Post
CORS Access-Control-Allow-Origin Header missing - Api Gateway HTTP / EC2 | AWS re:Post
Requests to API Gateway fail with CORS error if I add headers. | AWS re:Post

answered 2 months ago
EXPERT
reviewed a month ago
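
The answer's closing point, that curl does not enforce CORS the way a browser does, can be checked offline against the two header sets in the question. The following is an added example, not part of the original question or answer: a simplified form of the browser's preflight check, with hypothetical function names and header values copied from the question.

```python
# Added example: a simplified form of the browser's CORS preflight check.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

# Response headers from the question (non-CORS ones trimmed for brevity).
DIRECT = {
    "Allow": "GET, HEAD, OPTIONS",
    "access-control-allow-origin": "https://app.mywebsite.com",
    "access-control-allow-credentials": "true",
    "access-control-allow-headers": "accept, authorization, content-type, "
                                    "user-agent, x-csrftoken, x-requested-with",
    "access-control-allow-methods": "DELETE, GET, OPTIONS, PATCH, POST, PUT",
    "access-control-max-age": "86400",
}
GATEWAY = {"Allow": "GET, HEAD, OPTIONS", "Vary": "Accept, origin",
           "Content-Type": "application/json", "Server": "nginx"}

def _tokens(value):
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def dropped_cors_headers(direct, via_gateway):
    """CORS headers the backend sent that are absent on the gateway path."""
    seen = {k.lower() for k in via_gateway}
    return sorted(k.lower() for k in direct
                  if k.lower().startswith("access-control-") and k.lower() not in seen)

def preflight_failures(resp, origin, method, req_headers, credentials=True):
    """Reasons a browser would reject this preflight response (empty = pass)."""
    h = {k.lower(): v.strip() for k, v in resp.items()}
    out = []
    acao = h.get("access-control-allow-origin")
    if acao is None:
        out.append("missing access-control-allow-origin")
    elif acao == "*" and credentials:
        out.append("wildcard origin not allowed with credentials")
    elif acao not in ("*", origin):
        out.append("origin not allowed")
    if credentials and h.get("access-control-allow-credentials") != "true":
        out.append("access-control-allow-credentials is not true")
    methods = _tokens(h.get("access-control-allow-methods", ""))
    headers = _tokens(h.get("access-control-allow-headers", ""))
    star = not credentials  # "*" only counts for non-credentialed requests
    if (method.upper() not in SAFELISTED_METHODS
            and method.lower() not in methods and not (star and "*" in methods)):
        out.append(f"method {method} not allowed")
    for name in req_headers:
        if name.lower() not in headers and not (star and "*" in headers):
            out.append(f"request header {name} not allowed")
    return out
```

Feeding it headers captured from a real browser network trace, rather than the console test view, shows which of these checks the deployed stage fails.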