Fix CORS error from API Gateway REST API

Sep 28, 2021

Want to resolve CORS error from API Gateway REST API? Our Support Engineers have an easy resolution for this issue.

Read on to find out how to troubleshoot the “No Access-Control-Allow-Origin header is present on the requested resource” error from an Amazon API Gateway REST API. It is time to learn from the best at Bobcares.

How to fix CORS error from API Gateway REST API

CORS errors occur when the server does not return the HTTP headers that the CORS standard requires. Resolving the issue involves reconfiguring the API to meet the CORS standard.

Note that CORS is enabled at the resource level, and it is then handled either by the backend integration or by the API Gateway configuration.

The No ‘Access-Control-Allow-Origin’ header present error results from any of the following:

  • The current configuration of an API with a non-proxy integration or a proxy integration does not return the CORS headers required by the CORS standard.
  • The current configuration of the OPTIONS method in the API does not return the CORS headers required by the CORS standard.
  • The configuration of other method types such as PUT, POST or GET does not return the CORS headers required by the CORS standard.
  • In the case of a private REST API, a wrong invoke URL, or traffic that is not routed to the interface VPC endpoint, can also result in the error message.

You can confirm the cause of the error with these steps:

  • While invoking the API, create a HAR (HTTP Archive) file. Next, check the headers to confirm the cause behind the error.
  • You can also utilize the developer tools in the browser to check the response and request parameters of the failed API request.
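The header check described above can be run over a saved HAR file instead of by eye. The following is an added example, not code from the original article: it walks the HAR entries and maps each request that failed the CORS check to one of the causes listed earlier. The sample HAR, the `example.com` URLs and the function names are constructed for illustration.

```python
import json

def _entry(method, status, resp_headers):
    # Builds one constructed HAR entry for the sample below.
    return {"request": {"method": method,
                        "url": "https://api.example.com/prod/items",
                        "headers": [{"name": "Origin",
                                     "value": "https://app.example.com"}]},
            "response": {"status": status,
                         "headers": [{"name": k, "value": v}
                                     for k, v in resp_headers.items()]}}

# Constructed sample, not a capture from a real API.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("OPTIONS", 200, {"Content-Type": "application/json"}),
    _entry("POST", 403, {"Content-Type": "application/json"}),
    _entry("GET", 200, {"access-control-allow-origin": "https://app.example.com"}),
    _entry("PUT", 200, {"Access-Control-Allow-Origin": "https://other.example.com"}),
]}})

def header(headers, name):
    """Case-insensitive lookup in a HAR list of {name, value} pairs."""
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None

def find_cors_failures(har_text):
    """Return (method, url, status, likely cause) for each failing request."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        origin = header(req["headers"], "Origin")
        if origin is None:
            continue  # no Origin header: not a cross-origin request
        allow = header(resp["headers"], "Access-Control-Allow-Origin")
        if allow in ("*", origin):
            continue  # header present and matches the caller
        if req["method"] == "OPTIONS":
            cause = "OPTIONS method does not return CORS headers"
        elif resp["status"] >= 400:
            cause = "error response lacks CORS headers (DEFAULT 4XX/5XX)"
        else:
            cause = f"{req['method']} method or its integration does not return CORS headers"
        findings.append((req["method"], req["url"], resp["status"], cause))
    return findings

if __name__ == "__main__":
    for finding in find_cors_failures(SAMPLE_HAR):
        print(finding)
```
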

Enable CORS on the API resource that returned the error

To enable CORS, select the DEFAULT 4XX and DEFAULT 5XX checkboxes under Gateway Responses for <api-name> API.

With these default options selected, API Gateway responds with the correct CORS headers regardless of whether the request reached the endpoint.

Also, remember to choose the OPTIONS method checkbox for Methods. We also recommend checking boxes for all other methods like PUT, POST, and GET that are available to CORS requests.

Configure REST API integrations to return required CORS headers

First, configure the backend HTTP server or AWS Lambda function to send the CORS headers. You also need to return the list of allowed domains as the value of the Access-Control-Allow-Origin header.

For a proxy integration, the backend response is forwarded directly to the client by the API Gateway. Hence, you will not be able to set up an integration response in API Gateway for a proxy integration to modify the parameters returned by the API’s backend.
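Because a proxy integration passes the backend response through unchanged, the Lambda function itself has to emit the CORS headers. The following is an added example, not code from the original article: since a browser accepts only a single origin or `*` in Access-Control-Allow-Origin, it keeps the list of domains as an allowlist and echoes back the caller's origin only when it matches. The origins, allowed methods and request headers shown are assumptions to replace with your own.

```python
import json

# Assumed allowlist: the front-end origins permitted to call this API.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

def cors_headers(event):
    """Build CORS response headers for a REST API proxy-integration event."""
    # Header names may arrive in any case, and "headers" can be null.
    req = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    origin = req.get("origin")
    out = {"Vary": "Origin"}  # keep caches from reusing one origin's response
    if origin in ALLOWED_ORIGINS:
        out.update({
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": "GET,POST,PUT,OPTIONS",
            "Access-Control-Allow-Headers": "Content-Type,Authorization",
        })
    return out

def lambda_handler(event, context):
    headers = cors_headers(event)
    # Preflight: answer with the headers and no body.
    if event.get("httpMethod") == "OPTIONS":
        return {"statusCode": 204, "headers": headers, "body": ""}
    try:
        payload = json.loads(event.get("body") or "{}")
        status, body = 200, {"received": payload}
    except json.JSONDecodeError:
        # Error responses carry the CORS headers too, so the browser
        # reports the real 400 instead of a CORS failure.
        status, body = 400, {"message": "invalid JSON"}
    return {"statusCode": status, "headers": headers, "body": json.dumps(body)}
```

Requests from an origin outside the allowlist still get a response, but without Access-Control-Allow-Origin, so the browser blocks the calling page from reading it.
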

Private REST APIs: Check the private DNS setting of the interface endpoint

Verify the private DNS setting of the associated interface VPC endpoints. It has to be enabled for private REST APIs. If it is enabled, call the private API from within the Amazon VPC via the private DNS name. This helps avoid CORS errors.

If private DNS is not enabled, route traffic manually from the invoke URL to the IP addresses of the VPC endpoint.

When private DNS is not enabled and CORS is enabled, remember the following:

  • You cannot use endpoint-specific public DNS names to access the private API from within the VPC.
  • You cannot use the Host header option.
  • You cannot use the x-apigw-api-id custom header either.



To summarize, we went over how to troubleshoot CORS errors from the API Gateway API. The Support Team at Bobcares is here with a solution for any issue you face.

