What is CORS in AWS?

CORS, or Cross-Origin Resource Sharing, is a security feature implemented by web browsers to allow or restrict resources (such as fonts, scripts, or data) to be requested from a domain other than the one that served the original resource.

CORS, or Cross-Origin Resource Sharing Scenario

  1. Web Server (Origin): The server that hosts the initial web page (e.g., https://example.com).
  2. Web Browser: The client’s browser making requests.
  3. Cross-Origin Web Server: Another server from which additional resources are needed (e.g., https://api.example.com).


  1. Initial Request:
  • The web browser makes an HTTPS request to the web server (origin server) to retrieve the initial web page.
  • The origin server responds with an HTML document (index file).
  1. HTML Document References Cross-Origin Resources:
  • The HTML document contains references to resources hosted on a different domain (the cross-origin web server). These could be API endpoints, stylesheets, scripts, images, etc.
  1. Browser Detects Cross-Origin Requests:
  • When the browser parses the HTML document and sees the need to fetch resources from a different origin (https://api.example.com), it prepares to make cross-origin requests.
  1. Preflight Request:
  • For certain types of cross-origin requests (typically non-simple requests, such as those with custom headers, methods other than GET/POST, or non-standard content types), the browser first sends a preflight request.
  • The preflight request is an HTTP OPTIONS request sent to the cross-origin web server to check if the actual request is safe to send.
  1. Cross-Origin Server Response:
  • The cross-origin server (https://api.example.com) receives the preflight request.
  • If the server allows the cross-origin request, it responds with the appropriate CORS headers:
    • Access-Control-Allow-Origin: Specifies which origins are allowed to access the resource.
    • Access-Control-Allow-Methods: Lists the HTTP methods that are allowed (e.g., GET, POST, PUT).
    • Access-Control-Allow-Headers: Lists the headers that can be used in the actual request.
    • Access-Control-Max-Age: Specifies how long the results of the preflight request can be cached.
  1. Browser Makes Actual Request:
  • If the preflight request is approved, the browser proceeds with the actual HTTP request to the cross-origin web server, including any necessary headers and data.
  • The cross-origin server processes the request and sends the response along with the appropriate CORS headers to allow the browser to access the response.

Example CORS Headers

When responding to the preflight request, the cross-origin server might include headers like these:

Example Workflow

  1. Browser Request to Origin Server:
  1. Origin Server Response with HTML:
  1. Browser Detects Cross-Origin Request and Sends Preflight Request:
  1. Cross-Origin Server Response to Preflight Request:
  1. Browser Makes Actual Request:
  1. Cross-Origin Server Response:


This workflow illustrates how CORS works to enable secure cross-origin requests. The preflight request is a crucial part of the CORS mechanism, ensuring that the cross-origin server consents to the actual request and that the browser enforces these security measures to protect user data and maintain web application security. As a solutions architect, understanding and properly configuring CORS is essential for enabling secure and efficient cross-origin communications in web applications.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top