Referring to this: https://serverless.com/framework/docs/providers/aws/events/apigateway#enabling-cors
It says to set cors: true. But in reality, this option isn’t needed, since the Lambda func is handling the headers in response. I left out the option and my Lambda function still works fine without it.
From the documentation on this page: Enabling CORS for a REST API resource - Amazon API Gateway
You must set up an OPTIONS method to handle preflight requests to support CORS. However, OPTIONS methods are optional if 1) an API resource exposes only the GET, HEAD or POST methods and 2) the request payload content type is
application/x-www-form-urlencoded,multipart/form-dataortext/plainand 3) the request does not contain any custom headers. When possible, we recommend to use OPTIONS method to enable CORS in your API.
cors: true in the serverless file sets up API gateway to respond to the OPTION preflight request. However it’s only needed if the browser makes one. In your case the browser may not be making one.
You ALSO need to set the headers in your response like you said you’re doing. 
Makes sense, thanks!