interface CorsOptions
| Language | Type name |
|---|---|
 .NET | Amazon.CDK.AWS.APIGateway.CorsOptions |
 Go | github.com/aws/aws-cdk-go/awscdk/v2/awsapigateway#CorsOptions |
 Java | software.amazon.awscdk.services.apigateway.CorsOptions |
 Python | aws_cdk.aws_apigateway.CorsOptions |
 TypeScript (source) | aws-cdk-lib » aws_apigateway » CorsOptions |
Example
new apigateway.RestApi(this, 'api', {
defaultCorsPreflightOptions: {
allowOrigins: apigateway.Cors.ALL_ORIGINS,
allowMethods: apigateway.Cors.ALL_METHODS // this is also the default
}
})
Properties
| Name | Type | Description |
|---|---|---|
| allow | string[] | Specifies the list of origins that are allowed to make requests to this resource. |
| allow | boolean | The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is "include". |
| allow | string[] | The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request. |
| allow | string[] | The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request. |
| disable | boolean | Sets Access-Control-Max-Age to -1, which means that caching is disabled. |
| expose | string[] | The Access-Control-Expose-Headers response header indicates which headers can be exposed as part of the response by listing their names. |
| max | Duration | The Access-Control-Max-Age response header indicates how long the results of a preflight request (that is the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) can be cached. |
| status | number | Specifies the response status code returned from the OPTIONS method. |
allowOrigins
Type:
string[]
Specifies the list of origins that are allowed to make requests to this resource.
If you wish to allow all origins, specify Cors.ALL_ORIGINS or
[ * ].
Responses will include the Access-Control-Allow-Origin response header.
If Cors.ALL_ORIGINS is specified, the Vary: Origin response header will
also be included.
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
allowCredentials?
Type:
boolean
(optional, default: false)
The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is "include".
When a request's credentials mode (Request.credentials) is "include", browsers will only expose the response to frontend JavaScript code if the Access-Control-Allow-Credentials value is true.
Credentials are cookies, authorization headers or TLS client certificates.
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
allowHeaders?
Type:
string[]
(optional, default: Cors.DEFAULT_HEADERS)
The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request.
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
allowMethods?
Type:
string[]
(optional, default: Cors.ALL_METHODS)
The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request.
If ANY is specified, it will be expanded to Cors.ALL_METHODS.
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
disableCache?
Type:
boolean
(optional, default: cache is enabled)
Sets Access-Control-Max-Age to -1, which means that caching is disabled.
This option cannot be used with maxAge.
exposeHeaders?
Type:
string[]
(optional, default: only the 6 CORS-safelisted response headers are exposed:
Cache-Control, Content-Language, Content-Type, Expires, Last-Modified,
Pragma)
The Access-Control-Expose-Headers response header indicates which headers can be exposed as part of the response by listing their names.
If you want clients to be able to access other headers, you have to list them using the Access-Control-Expose-Headers header.
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
maxAge?
Type:
Duration
(optional, default: browser-specific (see reference))
The Access-Control-Max-Age response header indicates how long the results of a preflight request (that is the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) can be cached.
To disable caching altogether use disableCache: true.
See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
statusCode?
Type:
number
(optional, default: 204)
Specifies the response status code returned from the OPTIONS method.