## Add CORS header

**CloudFront Functions event type: viewer response**

This function adds an [Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) response header if it is not present in the outgoing response from CloudFront. The `Access-Control-Allow-Origin` header is part of [Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) (CORS), a mechanism using HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin. The `Access-Control-Allow-Origin` response header indicates whether the response can be shared with requesting code from the given origin. In this example, the function sets the header to the value of the [Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) request header, if the `Origin` header is present.

**Important: Set the value of the Access-Control-Allow-Origin header to an appropriate value for your specific needs.**

If your web site or application doesn't need CORS headers, then this function is not required.
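One way to act on the note above, shown as an added example that is not this repository's function: echoing the `Origin` request header back grants every requesting origin, so this variant only echoes origins found in an exact-match allowlist and adds `Vary: Origin` because the header value now depends on the request. `ALLOWED_ORIGINS` and its entries are assumed placeholder values.

```javascript
// Added example: allowlist variant of a viewer-response CORS function.
// ALLOWED_ORIGINS and its entries are assumed placeholders; replace them
// with the origins that are actually allowed to read your responses.
var ALLOWED_ORIGINS = ['https://www.example.com', 'https://app.example.com'];

function handler(event) {
    var request = event.request;
    var response = event.response;
    var headers = response.headers;

    // Leave the response untouched if the origin server already set the header.
    if (headers['access-control-allow-origin']) {
        return response;
    }

    // CloudFront Functions lowercases header names in the event object.
    var origin = request.headers.origin ? request.headers.origin.value : '';

    // Exact string comparison only: no prefix, suffix or regex matching, so a
    // look-alike such as "https://www.example.com.example.net" is not accepted.
    if (ALLOWED_ORIGINS.indexOf(origin) !== -1) {
        headers['access-control-allow-origin'] = { value: origin };
    }

    // The response now differs per requesting origin, so caches must key on
    // the Origin header. Append to an existing Vary value instead of replacing it.
    var vary = headers['vary'] ? headers['vary'].value : '';
    if (!/(^|,)\s*origin\s*(,|$)/i.test(vary)) {
        headers['vary'] = { value: vary ? vary + ', Origin' : 'Origin' };
    }

    return response;
}
```

A request from an origin outside the list, or with no `Origin` header, gets no `Access-Control-Allow-Origin` header, so the browser blocks cross-origin reads of the response.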

**Testing the function**

To validate that the function is working as expected, you can use the JSON test objects in the `test-objects` directory. To test, you can use the `test-function` CLI command that will look something like this:

```
$ aws cloudfront test-function --if-match EXXXXXXXXXXXX --name add-cors-header --event-object fileb://add-cors-header/test-objects/no-cors-header.json
```

If the function has been set up correctly, you should see a result similar to the following with the `access-control-allow-origin` header being added in the `FunctionOutput` JSON object:
```
{
    "TestResult": {
        "FunctionSummary": {
            "Name": "add-cors-header",
            "Status": "UNPUBLISHED",
            "FunctionConfig": {
                "Comment": "",
                "Runtime": "cloudfront-js-1.0"
            },
            "FunctionMetadata": {
                "FunctionARN": "arn:aws:cloudfront::1234567890:function/add-cors-header",
                "Stage": "DEVELOPMENT",
                "CreatedTime": "2021-04-08T23:37:50.825000+00:00",
                "LastModifiedTime": "2021-04-08T23:37:51.096000+00:00"
            }
        },
        "ComputeUtilization": "16",
        "FunctionExecutionLogs": [
            "Access-Control-Allow-Origin was missing, adding it now."
        ],
        "FunctionErrorMessage": "",
        "FunctionOutput": "{\"response\":{\"headers\":{\"access-control-allow-origin\":{\"value\":\"https:\/\/www.example.com\"},\"server\":{\"value\":\"CustomOriginServer\"},\"content-length\":{\"value\":\"9593\"},\"content-type\":{\"value\":\"text/html; charset=UTF-8\"}},\"statusDescription\":\"OK\",\"cookies\":{\"loggedIn\":{\"attributes\":\"Secure; Path=/; Domain=example.com; Expires=Wed, 05 Jan 2024 07:28:00 GMT\",\"value\":\"true\"},\"id\":{\"attributes\":\"Expires=Wed, 05 Jan 2024 07:28:00 GMT\",\"value\":\"a3fWa\"}},\"statusCode\":200}}"
    }
}
```