awslabs · cogwirrel · Dec 11, 2025 · Dec 3, 2025 · Dec 5, 2025 · Dec 10, 2025
diff --git a/docs/src/content/docs/en/guides/fastapi.mdx b/docs/src/content/docs/en/guides/fastapi.mdx
@@ -490,6 +490,8 @@ This sets up:
 5. X-Ray tracing configuration
 6. CloudWatch metrics namespace
 
+<Snippet name="api/cors-configuration-cdk-note" />
+
 :::note
 If you selected to use `Cognito` authentication, you will need to supply the `identity` property to the API construct:
 
@@ -542,6 +544,8 @@ This sets up:
 5. X-Ray tracing configuration
 6. CORS configuration
 
+<Snippet name="api/cors-configuration-terraform-note" />
+
 :::note
 If you selected to use `Cognito` authentication, you will need to supply the Cognito configuration:
 

diff --git a/docs/src/content/docs/en/guides/trpc.mdx b/docs/src/content/docs/en/guides/trpc.mdx
@@ -425,6 +425,8 @@ export class ExampleStack extends Stack {
 
 This sets up your API infrastructure, including an AWS API Gateway REST or HTTP API, AWS Lambda functions for business logic, and authentication based on your chosen `auth` method.
 
+<Snippet name="api/cors-configuration-cdk-note" />
+
 :::note
 If you selected to use `Cognito` authentication, you will need to supply the `identity` property to the API construct:
 
@@ -477,6 +479,8 @@ This sets up:
 5. X-Ray tracing configuration
 6. CORS configuration
 
+<Snippet name="api/cors-configuration-terraform-note" />
+
 :::note
 If you selected to use `Cognito` authentication, you will need to supply the Cognito configuration:
 

diff --git a/docs/src/content/docs/en/guides/ts-smithy-api.mdx b/docs/src/content/docs/en/guides/ts-smithy-api.mdx
@@ -405,6 +405,8 @@ This sets up:
 4. CloudWatch log group
 5. X-Ray tracing configuration
 
+<Snippet name="api/cors-configuration-cdk-note" />
+
 :::note
 If you selected `Cognito` authentication, you will need to supply the `identity` property to the API construct:
 
@@ -457,6 +459,8 @@ This sets up:
 5. X-Ray tracing configuration
 6. CORS configuration
 
+<Snippet name="api/cors-configuration-terraform-note" />
+
 :::note
 If you selected `Cognito` authentication, you will need to supply the Cognito configuration:
 

diff --git a/docs/src/content/docs/en/snippets/api/cors-configuration-cdk-note.mdx b/docs/src/content/docs/en/snippets/api/cors-configuration-cdk-note.mdx
@@ -0,0 +1,25 @@
+---
+title: CORS configuration CDK
+---
+import Link from '@components/link.astro';
+
+:::note
+If your solution includes a website you can configure its CloudFront distribution as the only permitted CORS origin in the API gateway / API AWS Lambda integrations for HTTP / REST APIs. Note that this restriction is not applied to preflight OPTIONS for REST APIs - please +1 [this GitHub issue](https://github.com/awslabs/nx-plugin-for-aws/issues/377) to help prioritise addressing this.
+You will need to create the API and then call the API `restrictCorsTo` method with the created website.
+
+```ts
+import { MyApi, MyWebsite } from ':my-scope/common-constructs';
+
+export class ExampleStack extends Stack {
+  constructor(scope: Construct, id: string) {
+    const api = new MyApi(this, 'MyApi', {
+      integrations: MyApi.defaultIntegrations(this).build(),
+    });
+    const website = new MyWebsite(this, 'MyWebsite');
+    api.restrictCorsTo(website);
+  }
+}
+```
+
+The `MyWebsite` construct can be generated using the <Link path="/guides/react-website">`ts#react-website` generator</Link>
+:::
diff --git a/docs/src/content/docs/en/snippets/api/cors-configuration-terraform-note.mdx b/docs/src/content/docs/en/snippets/api/cors-configuration-terraform-note.mdx
@@ -0,0 +1,26 @@
+---
+title: CORS configuration Terraform
+---
+import Link from '@components/link.astro';
+
+:::note
+If your solution includes a Terraform website module then you can use its CloudFront domain name to restrict CORS.
+Given a CloudFront domain name `<domain_name>`, within the Terraform module for deploying your API add
+- a `cors_allow_origins` property, set to `["http://localhost:4200", "http://localhost:4300", "https://<domain name>"]`, for HTTP APIs. This restricts the API gateway CORS to this distribution and local host.
+- an `ALLOWED_ORIGINS` environment variable, set to `"https://<domain_name>"`, for REST APIs. This sets the CloudFront distribution as the only permitted CORS origin (other than local host) in AWS Lambda integrations. Note that this restriction is not applied to preflight OPTIONS - please +1 [this GitHub issue](https://github.com/awslabs/nx-plugin-for-aws/issues/377) to help prioritise addressing this.
+
+```hcl {4,7}
+module "my_api" {
+  source = "../../common/terraform/src/app/apis/my-api"
+
+  cors_allow_origins = ["http://localhost:4200", "http://localhost:4300", "https://<domain name>"] // Only required for HTTP API
+
+  env = {
+    ALLOWED_ORIGINS = "https://<domain name>" // Only required for REST API
+    ENVIRONMENT = var.environment
+    LOG_LEVEL   = "INFO"
+  }
+}
+```
+The `MyWebsite` construct can be generated using the <Link path="/guides/react-website">`ts#react-website` generator</Link>
+:::