AWS API Gateway Not Setting CORS On 204

I've built a frontend application with Angular which uses an API backend hosted on AWS ECS, provided by AWS API Gateway.

So, this is my setup:

/user/{userId}/account/{accountId}/dashboard/{proxy+} is the endpoint on API Gateway

it's using an AWS Lambda proxy integration for the OPTIONS method, which currently only checks if the origin is allowed or not to proceed

the GET method instead uses a custom AWS Lambda authorizer within the Method Request part, then it proceeds to the Integration Request part with a VPC Link to the ECS microservice and finally goes back to the Method Response part.

Currently possible HTTP status codes are: 200, 204, 401, 500, 504 and only 204 and 504 are set here (sincerely, I don't know if it does something or not)

this is the Node.js Lambda authorizer relevant code:

const UNAUTHORIZED_STRING = "Unauthorized";

exports.handler = (event, context, callback) => {

    /* Preliminary checks here */

    const keyRequiresAuth = xApiKeyRequiresAuth(xApiKey);
    if (keyRequiresAuth) {
        // try validating using cookie
        // uses generatePolicy at the end
        userAuthentication(cookieValue, event, callback);
    } else {
        // Validate using x-api-key
        const generatedPolicy = generatePolicy(xApiKey, 'Allow', event.methodArn);
        callback(null, generatedPolicy);
    }
};

// Builds the authorizer response: the principal plus an IAM policy
// that allows or denies execute-api:Invoke on the requested method ARN.
const generatePolicy = (principalId, policyEffect, resource) => {
    const authResponse = {
        principalId: principalId
    };
    if (policyEffect && resource) {
        authResponse.policyDocument = {
            Version: '2012-10-17',
            Statement: [{
                Action: 'execute-api:Invoke',
                Effect: policyEffect,
                Resource: resource
            }]
        };
    }
    return authResponse;
};

Assuming that Microservices are not setting any headers at all, the problem is, while I made it with 401 and 504 status codes by setting them as a default gateway response, how do I manage to return CORS with 204?

IMHO, I think API Gateway has the most complex system to set error responses, but, apart from that, I managed to let it return CORS with a 401 Unauthorized error


I made it with HTTP status 500 as well, but by setting a default Gateway response



So, after two days of testing I came up with a solution. I mean, probably I've misunderstood something inside AWS API Gateway, but I saw that my endpoint was actually referencing a VPC Link which was pointing at my ECS microservice.

The only thing I had to do was update that microservice with CORS response headers; that fixed this issue.
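
The fix described above, as an added example that is not part of the original post: gateway responses only cover errors that API Gateway generates itself, so the service behind the VPC Link has to attach CORS headers to every status it returns, 204 included. The allowed origin, the routes and the sample data are assumptions.

```javascript
// Added example: origin, routes and data are constructed, not from the post.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // placeholder origin
const DASHBOARDS = { "/widgets": [1, 2] };                    // constructed data

// Build CORS headers for one request. Unknown origins get no CORS headers,
// so the browser blocks the read; the Origin value is never reflected blindly.
function corsHeaders(origin) {
  const headers = { Vary: "Origin" }; // stop caches mixing per-origin responses
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    // Cookie-based auth needs an explicit origin: "*" is rejected by browsers
    // when Access-Control-Allow-Credentials is true.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Handler with the (req, res) signature expected by http.createServer.
// Every status the service produces carries the same CORS headers.
function handleRequest(req, res) {
  const headers = corsHeaders(req.headers.origin);
  if (req.method !== "GET") {
    res.writeHead(405, { ...headers, Allow: "GET" });
    return res.end();
  }
  const data = DASHBOARDS[req.url];
  if (!data) {
    res.writeHead(204, headers); // no body, but the headers are still required
    return res.end();
  }
  res.writeHead(200, { ...headers, "Content-Type": "application/json" });
  return res.end(JSON.stringify(data));
}

// Offline stand-in for ServerResponse: records what the handler sent.
function simulate(method, url, origin) {
  const res = {
    status: null, headers: null, body: undefined,
    writeHead(status, headers) { this.status = status; this.headers = headers; },
    end(body) { this.body = body; return this; },
  };
  handleRequest({ method, url, headers: origin ? { origin } : {} }, res);
  return res;
}
```

In the service itself, `handleRequest` is what gets passed to `http.createServer`; the OPTIONS preflight stays with the Lambda integration on the gateway.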