Manage cross-origin resource sharing (CORS) for your HTTP APIs. Specify the domain to allow as a string or specify a dictionary with additional Cors configuration. NOTE: Cors requires SAM to modify your OpenAPI definition, so it only works with inline OpenApi defined in the DefinitionBody
property.
For more information about CORS, see Configuring CORS for an HTTP API in the API Gateway Developer Guide.
Note: If HttpApiCorsConfiguration is set both in OpenAPI and at the property level, AWS SAM merges them with the properties taking precedence.
To declare this entity in your AWS Serverless Application Model (AWS SAM) template, use the following syntax.
[AllowCredentials](#sam-httpapi-httpapicorsconfiguration-allowcredentials): Boolean
[AllowHeaders](#sam-httpapi-httpapicorsconfiguration-allowheaders): List
[AllowMethods](#sam-httpapi-httpapicorsconfiguration-allowmethods): List
[AllowOrigins](#sam-httpapi-httpapicorsconfiguration-alloworigins): List
[ExposeHeaders](#sam-httpapi-httpapicorsconfiguration-exposeheaders): List
[MaxAge](#sam-httpapi-httpapicorsconfiguration-maxage): Integer
AllowCredentials
Specifies whether credentials are included in the CORS request.
Type: Boolean
Required: No
AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
AllowHeaders
Represents a collection of allowed headers.
Type: List
Required: No
AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
AllowMethods
Represents a collection of allowed HTTP methods.
Type: List
Required: No
AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
AllowOrigins
Represents a collection of allowed origins.
Type: List
Required: No
AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
ExposeHeaders
Represents a collection of exposed headers.
Type: List
Required: No
AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
MaxAge
The number of seconds that the browser should cache preflight request results.
Type: Integer
Required: No
AWS CloudFormation compatibility: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent.
HTTP API Cors Configuration example.
CorsConfiguration:
AllowOrigins:
- "https://example.com"
AllowHeaders:
- x-apigateway-header
AllowMethods:
- GET
MaxAge: 600
AllowCredentials: True