问题
I am using the new API Gateway HTTP which during the configuration enables you to add CORS. So I have set the Access-Control-Allow-Origin Header with the setting *.
However when I make a request using Postman I do not see that header and this i causing my VueJS Axios request to fail.
I previously used a Lambda Proxy Integration and did the following in my Lambda
"headers": {
"Access-Control-Allow-Origin": "*"
}
However the new HTTP API just does not seem to implement CORS. Maybe I am missing something simple.
--EDITS--
So I have continue to find an answer and came across a blog post from the guys at Serverless who set the following
It’ll ensure following headers:
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers:
Content-Type, X-Amz-Date, Authorization, X-Api-Key, X-Amz-Security-Token, X-Amz-User-Agent
Access-Control-Allow-Methods:
OPTIONS, and all the methods defined in your routes (GET, POST, etc.)
I have tried these and redeployed and still only get the standard headers
Thanks
回答1:
If you have a JWT authorizer and your route accepts ANY requests, your authorizer will reject the OPTIONS request as it doesn't contain an Authorization/Bearer token. To resolve this issue, you need to explicitly point your route to the HTTP request/method you need. E.g. POST
In that case, your authorizer will ignore the OPTIONS request without a JWT and proceed with the required request.
回答2:
For anyone using HTTP API and the proxy route ANY /{proxy+}
You will need to explicitly define your route methods in order for CORS to work.
Wish this was more explicit in the AWS Docs for Configuring CORS for an HTTP API
Was on a 2 hour call with AWS Support and they looped in one of their senior HTTP API developers, who made this recommendation.
Hopefully this post can save some people some time and effort.
回答3:
If you are using HTTP API Gateway, then make sure the CORS setting in your aws console is setup correctly. If possible even avoid clicking the console when you have other approach to initialize your API Gateway.
When the CORS is ready look carefully to the response of your request. What you are expecting is one OPTIONS before one GET/PUT or whatever your request is. This two step approach is defined by CORS. (For REST API you will have an extra OPTIONS route, but for HTTP API you don't need to create that)
Finally is reading the response: The CORS error message is often misleading. If it is telling you the 'Access-Control-Allow-Origin' is missing. It is NOT saying you are missing the header, it is saying the API Gateway's response is missing the header. The way it should work is that if you hit the endpoint correctly, API Gateway will return the format in the OPTIONS' response. And inside that response there should be 'Access-Control-Allow-Origin' etc. Therefore if you are receiving that missing message, double check if your headers meet the allow headers in CORS setup in your console. When
来源:https://stackoverflow.com/questions/60830115/api-gateway-http-api-cors