I have a simple lambda function that returns a 200 response code with an empty body. I have enabled cors in my serverless.yaml file by setting
cors: true on the http event. However, when making a request to the endpoint, I get the error message:
access-control-allow-origin is not allowed by Access-Control-Allow-Headers in preflight response
I then changed my
cors definition in my
serverless.yml file from
cors:true to explicitly list out what the default
cors configuration is, and then added 2 new headers:
cors: origin: '*' headers: - Content-Type - X-Amz-Date - Authorization - X-Api-Key - X-Amz-Security-Token - X-Amz-User-Agent - Access-Control-Allow-Origin // I added this one - Access-Control-Allow-Credentials // I added this one as well
This worked, and my requests are now successful.
My question is, this seems like I’m misunderstanding something or doing something wrong. As far as I know, those 2 headers are always included in CORS requests. If they are not included in the allowed-headers list by default, then in what scenarios does specifying the
cors: true shorthand work?