CORS with included credentials


I have tried using CORS with allowCredentials=true. The problem is that if I use the credentials=include option on the client side, I get an error message: “Failed to load Response to preflight request doesn’t pass access control check: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. Origin ‘’ is therefore not allowed access.”

It seems like serverless hard-codes the wildcard ‘*’ for the preflight requests in the AWS Gateway Method. But for secure cross-origin requests, the header cannot be a wildcard. My config for the function:

        origin: '*'
          - Content-Type
          - X-Amz-Date
          - Authorization
          - X-Api-Key
          - X-Amz-Security-Token
          - X-Amz-User-Agent
        allowCredentials: true

Is it bug or can I configure the desired behavior somehow?

1 Like

Any luck with this? I am running into the same exact problem trying to save a JWT in a HTTPOnly Cookie.

1 Like

Not really. I decided not to use cookies for my use case. I think you may work around it by specifying origin to be your domain if you have a single domain (instead of origin: '*'). In general, I’d suggest not to use serverless’ api gateway integration if you need fine-grained control over CORS. It’s better to use a lambda to respond to the options request and respond with dynamic origins.

I have this same problem and have not found a solution yet either.

I also encountered the same problem. If you know exactly the origins that can access your api, then you can configure the allowed origins using serverless’ cors feature:

But if you’d need to allow credentials for any origin, serverless cannot do that for you (AFAIK). In that case you need to handle the OPTIONS request by yourself and set the Access-Control-Allow-Origin to same value as request Origin header. Remember to set all other cors headers as well.

So sad this is not properly supported.

This is what I’m doing:

    handler: src/users/me.handler
      - http:
          path: me
          method: get
            allowCredentials: true

The neat thing is that you don’t need to add all the extra headers or other complex stuff. The problem is that, as other has stated, you can not specify dynamic origins, and you can not use * if the allowCredentials is set to true.