AWS says “If you configure CORS for a HTTP API, API Gateway automatically sends a response to preflight OPTIONS requests, even if there isn’t an OPTIONS route configured for your API. For a CORS request, API Gateway adds the configured CORS headers to the response from an integration.”

However, After I did some tests in my account, I noticed HTTP API returns CORS headers only if:

1. A incoming Preflight (OPTIONS) request includes both ‘Origin’ and ‘Access-Control-Request-Method’ headers
2. Otherwise, incoming requests should have the header ‘Origin’

Some cURL CLI examples:

curl -X OPTIONS https://api/path -H ‘Origin: https://example.com’ -H ‘Access-Control-Request-Method: GET,POST’

curl https://api/path -H ‘Origin: https://example.com’ -v