Blog

AWS SigV4 from browsers: presigned URLs and CORS on S3 versus API Gateway

Direct S3 uploads need bucket CORS rules; API Gateway SigV4 calls need method-level CORS on the same stage.

Published: 2026-01-14Updated: 2026-01-161 min read

awssigningcors

S3 multipart

Expose ETag in CORS if clients need to complete multipart uploads from the browser.

Block public ACL changes while allowing your SPA origin in the bucket policy.

Enable OPTIONS on each route variant; greedy paths can hide missing preflight handlers.

Use execution logging without logging signature components.