CorsOptions

class aws_cdk.aws_apigateway.CorsOptions(*, allow_origins, allow_credentials=None, allow_headers=None, allow_methods=None, disable_cache=None, expose_headers=None, max_age=None, status_code=None)

Bases: object

Parameters:

  • allow_origins (Sequence[str]) – Specifies the list of origins that are allowed to make requests to this resource. If you wish to allow all origins, specify Cors.ALL_ORIGINS or [ * ]. Responses will include the Access-Control-Allow-Origin response header. If Cors.ALL_ORIGINS is specified, the Vary: Origin response header will also be included.

  • allow_credentials (Optional[bool]) – The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request’s credentials mode (Request.credentials) is “include”. When a request’s credentials mode (Request.credentials) is “include”, browsers will only expose the response to frontend JavaScript code if the Access-Control-Allow-Credentials value is true. Credentials are cookies, authorization headers or TLS client certificates. Default: false

  • allow_headers (Optional[Sequence[str]]) – The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request. Default: Cors.DEFAULT_HEADERS

  • allow_methods (Optional[Sequence[str]]) – The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request. If ANY is specified, it will be expanded to Cors.ALL_METHODS. Default: Cors.ALL_METHODS

  • disable_cache (Optional[bool]) – Sets Access-Control-Max-Age to -1, which means that caching is disabled. This option cannot be used with maxAge. Default: - cache is enabled

  • expose_headers (Optional[Sequence[str]]) – The Access-Control-Expose-Headers response header indicates which headers can be exposed as part of the response by listing their names. If you want clients to be able to access other headers, you have to list them using the Access-Control-Expose-Headers header. Default: - only the 6 CORS-safelisted response headers are exposed: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma

  • max_age (Optional[Duration]) – The Access-Control-Max-Age response header indicates how long the results of a preflight request (that is the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) can be cached. To disable caching altogether use disableCache: true. Default: - browser-specific (see reference)

  • status_code (Union[int, float, None]) – Specifies the response status code returned from the OPTIONS method. Default: 204

ExampleMetadata:

infused

Example:

apigateway.RestApi(self, "api",
    default_cors_preflight_options=apigateway.CorsOptions(
        allow_origins=apigateway.Cors.ALL_ORIGINS,
        allow_methods=apigateway.Cors.ALL_METHODS
    )
)

Attributes

allow_credentials

The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request’s credentials mode (Request.credentials) is “include”.

When a request’s credentials mode (Request.credentials) is “include”, browsers will only expose the response to frontend JavaScript code if the Access-Control-Allow-Credentials value is true.

Credentials are cookies, authorization headers or TLS client certificates.

Default:

false

See:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

allow_headers

The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request.

Default:

Cors.DEFAULT_HEADERS

See:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

allow_methods

The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request.

If ANY is specified, it will be expanded to Cors.ALL_METHODS.

Default:

Cors.ALL_METHODS

See:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods

allow_origins

Specifies the list of origins that are allowed to make requests to this resource.

If you wish to allow all origins, specify Cors.ALL_ORIGINS or [ * ].

Responses will include the Access-Control-Allow-Origin response header. If Cors.ALL_ORIGINS is specified, the Vary: Origin response header will also be included.

See:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

disable_cache

Sets Access-Control-Max-Age to -1, which means that caching is disabled.

This option cannot be used with maxAge.

Default:

  • cache is enabled

expose_headers

The Access-Control-Expose-Headers response header indicates which headers can be exposed as part of the response by listing their names.

If you want clients to be able to access other headers, you have to list them using the Access-Control-Expose-Headers header.

Default:

  • only the 6 CORS-safelisted response headers are exposed:

Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma

See:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers

max_age

The Access-Control-Max-Age response header indicates how long the results of a preflight request (that is the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) can be cached.

To disable caching altogether use disableCache: true.

Default:

  • browser-specific (see reference)

See:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age

status_code

Specifies the response status code returned from the OPTIONS method.

Default:

204