Enable CORS on API Gateway for GET Method: Lambda Custom Integration - DVA-C01 Exam Preparation | Amazon



Question

To enhance browser security, you are planning to enable CORS.

To enable CORS on a resource using API Gateway for the GET method, which of the following actions needs to be performed for all response types except the 200 response, in the case of a Lambda custom integration?

Explanations


Correct Answer - D.

When you enable CORS on a resource in API Gateway with a Lambda custom (non-proxy) integration, API Gateway only adds the Access-Control-Allow-Origin header to the method's 200 response. For every other response (for example the 4xx and 5xx responses selected through integration response patterns) you must manually configure the integration response to return the 'Access-Control-Allow-Origin' header with '*' or the specific allowed origins. The pre-flight handshake itself is answered by the OPTIONS method; without the header on the actual response, the browser receives the error response but refuses to expose it to the page.

Option A is incorrect: leaving the header to the backend is how it works for a Lambda proxy integration, where the function's returned headers pass through, not for a Lambda custom integration.

Option B is incorrect: the three Access-Control-Allow-* headers are what enabling CORS already sets on the 200 response of the mock OPTIONS method.

That does nothing for the GET method's other responses, which still need to be manually configured to return the 'Access-Control-Allow-Origin' header with '*' or specific origins.

Option C is incorrect: listing GET in Access-Control-Allow-Methods is necessary for the pre-flight to succeed, but even with it set, the non-200 responses must still be manually configured to return the 'Access-Control-Allow-Origin' header with '*' or specific origins.

For more information on enabling CORS for an API Gateway REST API, refer to the following URL:

https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html

Cross-Origin Resource Sharing (CORS) is a browser mechanism that lets a web page make XMLHttpRequest or fetch calls to an origin other than the one the page was served from. It is a controlled relaxation of the same-origin policy, enforced by the browser and driven by the Access-Control-Allow-* headers the server returns; it does not prevent cross-site scripting (XSS). Returning Access-Control-Allow-Origin: * on an endpoint that relies on cookies or other ambient credentials is a weakening rather than an enhancement (browsers also refuse '*' for credentialed requests), so prefer listing the specific origins that need access.

To enable CORS on a resource using API Gateway for GET method, the following actions need to be performed:

  1. Add an OPTIONS method to the resource: the OPTIONS method handles pre-flight requests. A pre-flight request is the HTTP request a browser sends before a non-simple cross-origin request to check whether the server accepts the origin, the request headers and the HTTP method that the actual request will use.

  2. Configure the OPTIONS method to return the Access-Control-Allow-* headers: when you enable CORS from the API Gateway console, it creates the OPTIONS method with a mock integration whose 200 response returns the three Access-Control-Allow-* headers (Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers). This is what satisfies the pre-flight handshake, and you do not have to build that mapping by hand.

  3. Configure every other response of the GET method to return Access-Control-Allow-Origin: for a Lambda custom integration the console adds the header only to the GET method's 200 response. For all other responses (for example the 4xx/5xx integration responses selected by an error pattern) you must manually add the Access-Control-Allow-Origin header with * or the specific origins to the integration response, and declare the header in the matching method response so API Gateway passes it through. Only with a Lambda proxy integration does this become the backend's job, because there is no integration response mapping and the function's own headers are returned as-is.

  4. Check that every method the browser will call, GET included, is listed in Access-Control-Allow-Methods on the OPTIONS response; otherwise the pre-flight for that method fails even though the method's own response carries the origin header.
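The four steps above, worked through as an added example (not code from the original page or from AWS): the API is written in the OpenAPI export format API Gateway uses, with its `x-amazon-apigateway-integration` extension. The constructed spec shows what enabling CORS leaves you with on a non-proxy GET: an OPTIONS mock returning the three headers, and Access-Control-Allow-Origin on the GET 200 only. A small checker finds every non-proxy integration response that lacks the header, a fixer adds it (to the integration response and the method response), and a proxy-style handler shows the contrast where the function itself must emit the header. The resource name, Lambda ARN and origin are made-up values.

```python
"""Added example: per-response CORS headers for an API Gateway non-proxy
(custom) Lambda integration, in the OpenAPI 3.0 export format API Gateway
uses. The /pets resource, the Lambda ARN and the origin are hypothetical."""
import json
from typing import List, Tuple

ORIGIN = "https://app.example.com"          # hypothetical allowed origin (not '*')
LAMBDA_URI = ("arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
              "arn:aws:lambda:us-east-1:123456789012:function:pets/invocations")  # hypothetical
ACAO = "method.response.header.Access-Control-Allow-Origin"
HDR = {"schema": {"type": "string"}}


def build_spec() -> dict:
    """Constructed spec: the state after the console's 'Enable CORS' on a
    non-proxy GET. The 500 mapping (Lambda errors matched by regex) has no
    CORS header, which is the gap the question asks about."""
    return {"openapi": "3.0.1", "paths": {"/pets": {
        "get": {
            "responses": {"200": {"description": "ok",
                                  "headers": {"Access-Control-Allow-Origin": HDR}},
                          "500": {"description": "backend error"}},
            "x-amazon-apigateway-integration": {
                "type": "aws",                       # non-proxy (custom) Lambda integration
                "httpMethod": "POST", "uri": LAMBDA_URI,
                "responses": {
                    "default": {"statusCode": "200",
                                "responseParameters": {ACAO: f"'{ORIGIN}'"}},
                    ".*Error.*": {"statusCode": "500"},   # selection pattern, header missing
                }}},
        "options": {
            "responses": {"200": {"description": "preflight", "headers": {
                "Access-Control-Allow-Origin": HDR,
                "Access-Control-Allow-Methods": HDR,
                "Access-Control-Allow-Headers": HDR}}},
            "x-amazon-apigateway-integration": {
                "type": "mock",
                "requestTemplates": {"application/json": '{"statusCode": 200}'},
                "responses": {"default": {"statusCode": "200", "responseParameters": {
                    ACAO: f"'{ORIGIN}'",
                    "method.response.header.Access-Control-Allow-Methods": "'GET,OPTIONS'",
                    "method.response.header.Access-Control-Allow-Headers":
                        "'Content-Type,Authorization'"}}}}},
    }}}


def cors_gaps(spec: dict) -> List[Tuple[str, str, str]]:
    """(path, method, selection_pattern) for every non-proxy integration
    response that does not map Access-Control-Allow-Origin. Proxy
    integrations are skipped: there the Lambda response carries the header."""
    gaps = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            integ = op.get("x-amazon-apigateway-integration", {})
            if integ.get("type", "").endswith("_proxy"):
                continue
            for pattern, resp in integ.get("responses", {}).items():
                if ACAO not in resp.get("responseParameters", {}):
                    gaps.append((path, method, pattern))
    return gaps


def add_cors_origin(spec: dict, path: str, method: str, pattern: str, origin: str) -> None:
    """Step 3 by hand: map the header in the integration response and declare
    it in the matching method response (undeclared headers are not passed)."""
    op = spec["paths"][path][method]
    resp = op["x-amazon-apigateway-integration"]["responses"][pattern]
    resp.setdefault("responseParameters", {})[ACAO] = f"'{origin}'"
    method_resp = op["responses"].setdefault(resp["statusCode"], {"description": resp["statusCode"]})
    method_resp.setdefault("headers", {})["Access-Control-Allow-Origin"] = HDR


def fix_all(spec: dict, origin: str) -> dict:
    """Apply add_cors_origin to every gap; returns the same spec for chaining."""
    for path, method, pattern in cors_gaps(spec):
        add_cors_origin(spec, path, method, pattern, origin)
    return spec


def proxy_handler(event: dict, origin: str = ORIGIN) -> dict:
    """Contrast (option A): with aws_proxy there is no integration response
    mapping, so the function must set the header on every response, errors
    included, or the browser blocks the error body from the page."""
    headers = {"Access-Control-Allow-Origin": origin, "Content-Type": "application/json"}
    try:
        pet_id = event["pathParameters"]["id"]
        return {"statusCode": 200, "headers": headers, "body": json.dumps({"id": pet_id})}
    except (KeyError, TypeError):
        return {"statusCode": 400, "headers": headers, "body": json.dumps({"error": "missing id"})}


if __name__ == "__main__":
    spec = build_spec()
    print("gaps before:", cors_gaps(spec))
    print("gaps after: ", cors_gaps(fix_all(spec, ORIGIN)))
```

Run stand-alone, the checker reports the `.*Error.*` mapping of GET /pets as the only gap and none after the fix. The same walk over a real exported spec (aws apigateway get-export) is a quick audit for the case the question describes: non-200 responses on custom integrations that silently lose the origin header.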

Therefore the correct answer is option D: manually configure every response other than the 200 response to return the Access-Control-Allow-Origin header with * or specific origins. Option A applies only to a Lambda proxy integration, where the function's own headers are returned as-is. Option B describes what enabling CORS already configures on the 200 response of the OPTIONS method, so it does not need to be done manually. Option C is a necessary check but does not address the header missing from the GET method's other responses.