CORS with included credentials

I have tried using CORS with allowCredentials=true. The problem is that if I use the credentials=include option on the client side, I get an error message: “Failed to load Response to preflight request doesn’t pass access control check: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. Origin ‘’ is therefore not allowed access.”

It seems like serverless hard-codes the wildcard ‘*’ for the preflight requests in the AWS Gateway Method. But for secure cross-origin requests, the header cannot be a wildcard. My config for the function:

    cors:
      origin: '*'
      headers:
        - Content-Type
        - X-Amz-Date
        - Authorization
        - X-Api-Key
        - X-Amz-Security-Token
        - X-Amz-User-Agent
      allowCredentials: true

Is it a bug, or can I configure the desired behavior somehow?


Any luck with this? I am running into the same exact problem trying to save a JWT in an HttpOnly cookie.


Not really. I decided not to use cookies for my use case. I think you may work around it by specifying origin to be your domain if you have a single domain (instead of origin: '*'). In general, I’d suggest not to use serverless’ api gateway integration if you need fine-grained control over CORS. It’s better to use a lambda to respond to the options request and respond with dynamic origins.
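The workaround suggested above, answering the OPTIONS request from a Lambda and echoing a specific allowed origin instead of `*`, as an added example that is not code from the thread or from the Serverless Framework itself. It assumes a Lambda proxy integration (the `event.httpMethod` and `event.headers` fields) and a hypothetical allowlist of front-end origins; the response-building logic is kept synchronous so it can be exercised without deploying.

```javascript
// Added example (not from the original thread): answer CORS preflight and
// actual requests from the Lambda itself, so the Access-Control-Allow-Origin
// value can be a specific origin rather than the wildcard API Gateway's mock
// integration hard-codes. Assumes a Lambda proxy integration event.

// Hypothetical allowlist of origins permitted to send credentialed requests.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com', // constructed: production front-end
  'http://localhost:3000',   // constructed: local development front-end
]);

// Case-insensitive header lookup; API Gateway preserves the client's casing.
function getHeader(headers, name) {
  const key = Object.keys(headers || {}).find(
    (k) => k.toLowerCase() === name.toLowerCase()
  );
  return key ? headers[key] : undefined;
}

// CORS headers for a given Origin request header, or null when the origin is
// not on the allowlist. The browser rejects a wildcard when credentials are
// included, so the exact origin is echoed back instead.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET,POST,OPTIONS',
    'Access-Control-Allow-Headers':
      'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent',
    // The response differs per origin, so shared caches must key on it.
    Vary: 'Origin',
  };
}

// Pure function building the proxy-integration response for an event.
function buildResponse(event) {
  const cors = corsHeaders(getHeader(event.headers, 'origin'));
  if (!cors) {
    // Unknown or missing origin: no CORS headers at all, so the browser
    // blocks the cross-origin read, and the server refuses as well.
    return {
      statusCode: 403,
      body: JSON.stringify({ message: 'origin not allowed' }),
    };
  }
  if (event.httpMethod === 'OPTIONS') {
    // Preflight: headers only, no body.
    return { statusCode: 204, headers: cors, body: '' };
  }
  // Actual request: set the session cookie next to the CORS headers.
  // A cookie sent cross-site must be SameSite=None and Secure; HttpOnly keeps
  // it out of reach of page scripts. <token> is a placeholder.
  return {
    statusCode: 200,
    headers: {
      ...cors,
      'Set-Cookie': 'session=<token>; HttpOnly; Secure; SameSite=None; Path=/',
    },
    body: JSON.stringify({ ok: true }),
  };
}

// Lambda entry point (async handlers return the response as a promise).
async function handler(event) {
  return buildResponse(event);
}

// Stand-alone demonstration with a constructed preflight event.
console.log(
  buildResponse({ httpMethod: 'OPTIONS', headers: { Origin: 'https://app.example.com' } })
);
```

Every route in the function needs to go through this handler, including the OPTIONS method, so the `cors:` shortcut in serverless.yml is dropped for that event; otherwise API Gateway keeps answering the preflight with the wildcard before the Lambda is ever invoked.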


I have this same problem and have not found a solution yet either.