AWS Certified Developer - Associate Exam: CORS Headers for Web Browsers

CORS Headers

Question

You have developed a Web-based application that makes calls to backend API.

Which of the following headers are required by Web browsers to be set up in each API method which has CORS enabled? (Select TWO)

Explanations

Correct Answer - A, E.

To support CORS, the API resource needs to implement an OPTIONS method that responds to the browser's OPTIONS preflight request with the following headers:

  1. Access-Control-Allow-Headers

  2. Access-Control-Allow-Origin

  3. Access-Control-Allow-Methods

Options B, C & D are incorrect, as those headers are not required as part of the OPTIONS method response.

For more information on enabling CORS on a resource using API Gateway, refer to the following URL:

https://docs.aws.amazon.com/apigateway/latest/developerguide/enable-cors-for-resource-using-swagger-importer-tool.html

The answer is A. Access-Control-Allow-Headers and E. Access-Control-Allow-Origin.

Explanation:

When a web application running on a domain makes a request to a resource on a different domain, it is known as a Cross-Origin Resource Sharing (CORS) request. In such a scenario, a browser first sends a preflight request (OPTIONS) to the server, which in turn responds with headers that allow or deny access to the requested resource.

The following are the headers that need to be set up in each API method with CORS enabled:

  1. Access-Control-Allow-Origin: This header is used to indicate which domain(s) are allowed to make requests to the resource. It can have the value of '*' to allow all domains or a specific domain name.

  2. Access-Control-Allow-Headers: This header is used to indicate which HTTP headers can be used during the actual request. If this header is not present, the browser will not send any custom headers in the request.

  3. Access-Control-Expose-Headers: This header is used to indicate which response headers can be accessed by the client-side JavaScript code. By default, only a few response headers are exposed to JavaScript.
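The preflight exchange described above, as an added example that is not part of the exam page or of AWS's own code: a Lambda-style OPTIONS handler that checks the requesting Origin against an allowlist and answers with the Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers headers. The event and response shapes mimic an API Gateway proxy integration (an assumption), and the origins, methods and header names are constructed sample values.

```python
# Added example (not from the exam page or AWS docs): answer a CORS preflight
# (OPTIONS) with the three headers the page lists. Event/response shape assumes
# an API Gateway Lambda proxy integration ({"headers": {...}} in, {"statusCode",
# "headers", "body"} out).
from typing import Any, Dict

# Constructed allowlist. Echoing one allowed origin instead of "*" keeps the
# policy explicit and is required anyway once credentials (cookies) are involved.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ["GET", "POST", "OPTIONS"]
ALLOWED_HEADERS = ["Content-Type", "Authorization", "X-Request-Id"]


def _header(event: Dict[str, Any], name: str) -> str:
    """Case-insensitive header lookup (browsers and gateways vary in casing)."""
    headers = event.get("headers") or {}
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def preflight_response(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return 204 plus CORS headers for an allowed preflight, or 403 when the
    Origin is not allowlisted or a requested method/header is not permitted."""
    origin = _header(event, "Origin")
    req_method = _header(event, "Access-Control-Request-Method").upper()
    req_headers = [h.strip() for h in
                   _header(event, "Access-Control-Request-Headers").split(",")
                   if h.strip()]
    denied = {"statusCode": 403, "headers": {}, "body": ""}

    if origin not in ALLOWED_ORIGINS:
        return denied                      # unknown origin: no CORS headers at all
    if req_method and req_method not in ALLOWED_METHODS:
        return denied
    permitted = {h.lower() for h in ALLOWED_HEADERS}
    if any(h.lower() not in permitted for h in req_headers):
        return denied                      # browser would block the actual request

    return {
        "statusCode": 204,
        "headers": {
            "Access-Control-Allow-Origin": origin,   # echo the validated origin
            "Vary": "Origin",                        # keep caches per-origin
            "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
            "Access-Control-Allow-Headers": ", ".join(ALLOWED_HEADERS),
            "Access-Control-Max-Age": "600",         # cache the preflight 10 min
        },
        "body": "",
    }
```

The same Access-Control-Allow-Origin value must also be set on the actual GET/POST response, since the browser checks it there as well.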

Option B (Access-Control-Allow-CORS) and D (Access-Control-Expose-Origin) are not valid CORS headers.

Therefore, the correct answer is A. Access-Control-Allow-Headers and E. Access-Control-Allow-Origin.