Tech Blog

Leveraging the Public Cloud: Creating a CORS Proxy

While building a Primo customization package, the need arose to call the Alma Resolver from JavaScript. As we’ve discussed before, most APIs and services don’t support CORS as a security best practice. To work around this limitation, we can configure a proxy which adds the required CORS headers. In this post, we’ll show an option to leverage the public cloud by using the AWS API Gateway to create a simply proxy with CORS headers.

Start by logging in to the AWS console (or create a new free account). From the Services menu, choose API Gateway. Click the “Create API” button and choose HTTP API (a simple, cost-effective API type).

In Step 1, specify a name and click “Next.”


Click “Next” through the remaining screens to keep the default configuration.¬†Finally, click the “Create” button to create the API.

Next we want to add a proxy route so that all requests are forwarded to our Alma instance. Click “Routes” in the left menu and then click “Create.” For the route, enter “$default”, which will catch any requests and click “Create.”

In the next screen, enter your Alma URL (since we want to proxy our requests to our Alma instance). Then click “Create” again:

Now we want to add CORS support. The API Gateway console has built-in support for CORS. Click the CORS link on the left menu, then click the “Configure” button. For our purposes, it’s enough that we add CORS for any origin, so enter * in the Access-Control-Allow-Origin box and click “Add.” Then click “Save”.

And that’s all there is to it. The screen shot above shows the proxy URL in the “Stages” section. Replace the Alma domain name with the proxy domain and the rest of the URL remains the same. Only now, when we call the Resolver, we get a response with a the CORS header in tact. (Note in this curl request, we include an Origin header, as that’s the indication to the server that the request was made via AJAX. The browser adds this header automatically when an AJAX request is made.)

$ curl -v -H 'Origin:' "


< HTTP/2 200 
< date: Tue, 28 Jul 2020 14:12:11 GMT
< content-type: text/html;charset=UTF-8
< content-length: 12872
< vary: Accept-Encoding
< access-control-allow-origin: *
< ...