Disable CORs on EC2 instance


Hi I have been going crazy the last 2 days wondering how CORs headers got into my EC2 dockerized API response, and I broke everything down and came to a conclusion it must be coming from amazon.

After banging my head wondering how amazon could modify my response, even though I would assign the cors headers myself to try and override theirs, they would take precedence. Then I stumbled into this article that explains everything: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/cors-support.html

For simple GET and POST requests amazon EC2 ALWAYS returns Access-Control-Allow-Origin:* which makes it possible to do CORs requests.

I specifically do not want any CORs on my site and do not want to have to remove headers set by amazon without my permission... - is there anyway to turn the automatically added CORs headers off??

if not maybe a way that I could at least change the access control origin to only my domain, because the current structure means I have to remove amazons response header and add my own, if they are going to add it for me, they may aswell take my input....

2 Answers

Hi! The documentation you linked explains that EC2 API has the CORS header you mentioned. The EC2 API means the AWS API to (in example) start/stop instances or create/terminate them. So if you build a application that interacts directly with AWS resources you won't be blocked by CORS. This doesn't include any webserver you may have hosted inside an EC2 instance.

If you have a Website hosted in EC2 with a direct public IP, AWS does not modify the responses that your server answers. If this is your case you need to look deeper into your application/services to see what service is adding the headers (Check the apache/nginx configuration for instance if you use those services).

If you have other services in front of your EC2 instances, like an API Gateway, you need to check the documentation on those services to see how CORS may be implemented in it.

I hope this answer helps you! Feel free to expand on your scenario to provide more context to help you or create a support ticket to AWS Support to enroll further help!

answered a year ago
  • Hi thanks for your help, its much appreciated! I think something just made more sense, what you just said about having an EC2 with a direct public IP!

    So I initially picked up on these CORs headers hosting my webserver DNS via cloudflare, so the public IP address is not public!

    Today I was testing with my original EC2 domain (ec2alaska.amazon.eu.com) which is not associated with cloudflare, to try and see if cutting them out would resolve anything! But the CORs headers persisted which is why I thought it must be coming from the EC2 instance!

  • \continued But like you said, the public IP of that EC2 domain is still being proxied behind cloudflare so amazon must be modifying the headers because of this?

    So based on my webserver not having a public IP, through cloudflare, is it safe to say that these Access Control Headers are being added by Amazon? Is there any way I could stop this from happening as I was unable to override these CORs headers being set, not from my express server origin, nor at my NGINX proxy. I didnt really want to modify at a cloudflare worker level either as I want my code to be self-reliant at this stage!

  • No, AWS does not modify the HTTP headers of a EC2 hosted web application that's not being fronted by CloudFront or API Gateway. I would advice to SSH/RDP into the EC2 instance and use a curl-like command to query your webserver and check the existence of the headers, if they exists that means those headers are part of your application stack.


Thanks for your help Pablo! My test involved making a simpler version of my app on HTTP and deploying it alone on both my local PC (dev env) and my EC2 instance. Cloudflare proxy was switched off for my EC2 IP and I tested using the public IP to make sure EC2 was at front.

I can confirm the Access-Control-Allow_Origin:* header only appears in my EC2 responses, even with direct IP access!

In my local dev environment, no access control headers are received whatsoever. No response modification is happening...

On my IP EC2 instance, access control allow origin: * is added to both POST and GET requests. Additionally, if I make a preflight cross origin request - this OPTIONs is returned!!Wide Open CORS

I think this confirms our suspicions that the EC2 "API" document I initially stated, is actually relevant to EC2 instance response modification and these responses confirm this...

Please do your own due diligence and let me know if anyone gets different results.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions