AWS WAF managed rules: allowing CORS preflight OPTIONS without blocking legitimate traffic
Scope rule groups to avoid false positives on OPTIONS methods used by browsers before POST or PATCH.
API Gateway and ALB
Attach WAF to the same stage you expose to browsers; keep internal admin APIs behind separate listeners.
Log sampled request bodies only where your data-handling rules permit it; preflight bodies are usually empty anyway.
Geo rules
GeoMatchStatement may block partners who route through unexpected regions, so document fallback paths.
Combine with rate-based rules to mitigate credential stuffing separately from CORS abuse.
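The scoping advice above (exempt browser preflights from the managed rule group, but keep rate-based rules outside that exemption) is concrete enough to check before deploying. The following is an added example, not code from the original post or from AWS: it builds a managed rule group rule whose ScopeDownStatement skips only requests that are OPTIONS and carry an Access-Control-Request-Method header, then runs a small local evaluator over constructed sample requests to show which ones the managed group still inspects. The statement shapes follow the AWS WAFv2 API; the rule name, metric name and the treatment of a missing header as size 0 in the evaluator are assumptions to confirm against your own ACL.

```python
"""Added example: a CORS-preflight scope-down for an AWS WAF managed rule group,
plus a local evaluator to test it offline. Not code from the original post."""
import json
from typing import Dict

# Constructed sample requests (not captured traffic): method, headers, body.
SAMPLE_REQUESTS: Dict[str, dict] = {
    "preflight": {  # genuine browser preflight before a PATCH
        "method": "OPTIONS",
        "headers": {"Origin": "https://app.example.com",
                    "Access-Control-Request-Method": "PATCH"},
        "body": "",
    },
    "bare_options": {  # OPTIONS without preflight headers, carrying a payload
        "method": "OPTIONS", "headers": {}, "body": "q=1",
    },
    "post": {"method": "POST",
             "headers": {"Origin": "https://app.example.com"},
             "body": '{"id": 1}'},
}


def preflight_scope_down() -> dict:
    """Managed group evaluates a request only when it is NOT
    (method == OPTIONS AND Access-Control-Request-Method header present)."""
    none = [{"Priority": 0, "Type": "NONE"}]
    return {"NotStatement": {"Statement": {"AndStatement": {"Statements": [
        {"ByteMatchStatement": {
            "FieldToMatch": {"Method": {}},
            "PositionalConstraint": "EXACTLY",
            "SearchString": "OPTIONS",
            "TextTransformations": none}},
        {"SizeConstraintStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": "access-control-request-method"}},
            "ComparisonOperator": "GT",
            "Size": 0,
            "TextTransformations": none}},
    ]}}}}


def managed_rule(priority: int = 1) -> dict:
    """Rule entry for a web ACL Rules list (rule and metric names are assumptions)."""
    return {
        "Name": "common-rules-skip-preflight",
        "Priority": priority,
        "OverrideAction": {"None": {}},
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesCommonRuleSet",
            "ScopeDownStatement": preflight_scope_down()}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "common-rules-skip-preflight"},
    }


def _field_value(field: dict, request: dict) -> str:
    if "Method" in field:
        return request["method"]
    if "SingleHeader" in field:
        wanted = field["SingleHeader"]["Name"].lower()
        for name, value in request["headers"].items():
            if name.lower() == wanted:
                return value
        return ""  # assumption: a missing header behaves as an empty (size 0) field
    raise ValueError(f"unsupported FieldToMatch: {field}")


def evaluate(statement: dict, request: dict) -> bool:
    """Local evaluator for the statement types used above (Not/And/ByteMatch/Size)."""
    (kind, body), = statement.items()
    if kind == "NotStatement":
        return not evaluate(body["Statement"], request)
    if kind == "AndStatement":
        return all(evaluate(s, request) for s in body["Statements"])
    if kind == "ByteMatchStatement":
        value, needle = _field_value(body["FieldToMatch"], request), body["SearchString"]
        return {"EXACTLY": value == needle, "STARTS_WITH": value.startswith(needle),
                "ENDS_WITH": value.endswith(needle), "CONTAINS": needle in value,
                }[body["PositionalConstraint"]]
    if kind == "SizeConstraintStatement":
        size, limit = len(_field_value(body["FieldToMatch"], request).encode()), body["Size"]
        return {"EQ": size == limit, "NE": size != limit, "GT": size > limit,
                "GE": size >= limit, "LT": size < limit, "LE": size <= limit,
                }[body["ComparisonOperator"]]
    raise ValueError(f"unsupported statement: {kind}")


def managed_group_evaluates(request: dict) -> bool:
    """True when the managed rule group would inspect this request."""
    return evaluate(preflight_scope_down(), request)


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        verdict = "inspected" if managed_group_evaluates(req) else "skipped (preflight)"
        print(f"{name:13s} {req['method']:7s} -> {verdict}")
    print(json.dumps(managed_rule(), indent=2))
```

The genuine preflight is the only request the managed group skips; an OPTIONS request without the Access-Control-Request-Method header, or any POST, still passes through the common rule set. Because the scope-down lives inside this one rule, a rate-based rule added to the same web ACL at its own priority is unaffected by the exemption, which is what keeps credential-stuffing mitigation separate from the CORS carve-out.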
