How to Enforce a Quota on the CORS OPTIONS Method in Amazon API Gateway

Amazon API Gateway supports usage plans, which contain quotas that limit the number of requests a user can make to your API in a given time period. Quotas work by inspecting the HTTP header carrying the API key in every incoming request, so they are enforced on a per-user basis: a quota of 100 per day allows no more than 100 requests per day carrying a particular API key.

But what about requests that do not or cannot carry an API key? API Gateway cannot enforce any quota on them. One such request is the HTTP OPTIONS method, which browsers send as a preflight request to determine the CORS status of an API endpoint before making the actual call. CORS is essential to many APIs, and OPTIONS is essential to CORS. As such, it’s important to limit OPTIONS calls too, so your API bill doesn’t go through the roof just because someone ran an OPTIONS-based DDoS on your API. This article describes a way to use AWS WAF to limit OPTIONS calls.

Start by visiting https://console.aws.amazon.com/wafv2/homev2/web-acls and clicking “Create Web ACL”. Associate the web ACL with a stage of your API and proceed as shown below:

The rest of the web ACL creation is straightforward. Finish creating it and the OPTIONS quota will go into effect immediately!
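The rule behind this setup, written out as an added example rather than copied from the article: a WAF rate-based rule whose scope-down statement matches only the OPTIONS method, so a source IP is blocked once it exceeds the limit within WAF's rolling 5-minute evaluation window. The rule name, the limit of 100 and the metric name are assumed values; note that WAF counts per source IP over 5 minutes, not per API key per day, so this is flood control for unauthenticated preflight traffic rather than a usage-plan quota.

```json
{
  "Name": "limit-cors-preflight",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 100,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "ByteMatchStatement": {
          "FieldToMatch": { "Method": {} },
          "PositionalConstraint": "EXACTLY",
          "SearchString": "OPTIONS",
          "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
        }
      }
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "limit-cors-preflight"
  }
}
```

This is the shape the console's rule JSON editor accepts; for `aws wafv2 create-web-acl --scope REGIONAL --rules file://...` wrap it in a JSON list. Deploying it first with `"Action": { "Count": {} }` and watching the CloudWatch metric lets you confirm legitimate preflight volume stays under the limit before switching to Block.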