I have a simple lambda function that returns a 200 response code with an empty body. I have enabled cors in my serverless.yaml file by setting cors: true on the http event. However, when making a request to the endpoint, I get the error message:
access-control-allow-origin is not allowed by Access-Control-Allow-Headers in preflight response
I then changed my cors definition in my serverless.yml file from cors: true to explicitly list out what the default cors configuration is, and then added 2 new headers:
cors:
  origin: '*'
  headers:
    - Content-Type
    - X-Amz-Date
    - Authorization
    - X-Api-Key
    - X-Amz-Security-Token
    - X-Amz-User-Agent
    - Access-Control-Allow-Origin # I added this one
    - Access-Control-Allow-Credentials # I added this one as well
This worked, and my requests are now successful.
My question is, this seems like I’m misunderstanding something or doing something wrong. As far as I know, those 2 headers are always included in CORS requests. If they are not included in the allowed-headers list by default, then in what scenarios does specifying the cors: true shorthand work?
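
Added example, not part of the original post: a simplified JavaScript model of the browser's preflight header check, run against the default header list quoted above. It assumes the failing client sets Access-Control-Allow-Origin and Access-Control-Allow-Credentials as request headers (the sample requests are constructed); both are response headers, so a client that does not send them passes with the cors: true defaults.

```javascript
// Default allowed headers for `cors: true`, as listed in the post above.
const DEFAULT_ALLOWED = [
  'Content-Type', 'X-Amz-Date', 'Authorization',
  'X-Api-Key', 'X-Amz-Security-Token', 'X-Amz-User-Agent',
];

// Simplified CORS safelist: these request headers never need preflight approval.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Names the browser would send in Access-Control-Request-Headers.
function preflightRequestHeaders(requestHeaders) {
  const names = [];
  for (const [name, value] of Object.entries(requestHeaders)) {
    const lower = name.toLowerCase();
    if (SAFELISTED.has(lower)) continue;
    const mediaType = String(value).split(';')[0].trim().toLowerCase();
    if (lower === 'content-type' && SIMPLE_CONTENT_TYPES.has(mediaType)) continue;
    names.push(lower);
  }
  return names.sort();
}

// Request headers that the preflight response's Access-Control-Allow-Headers
// does not cover. A non-empty result means the browser blocks the request.
function rejectedHeaders(requestHeaders, allowHeaders) {
  const allowed = new Set(allowHeaders.map((h) => h.trim().toLowerCase()));
  return preflightRequestHeaders(requestHeaders).filter((h) => !allowed.has(h));
}

// Constructed sample: client code that wrongly sets response headers on the request.
const misconfiguredClient = {
  'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
};
// Constructed sample: the same request without those two headers.
const correctedClient = { 'Content-Type': 'application/json' };

console.log(rejectedHeaders(misconfiguredClient, DEFAULT_ALLOWED));
console.log(rejectedHeaders(correctedClient, DEFAULT_ALLOWED));
```

Adding the two names to the allowed list makes the first request pass, but the server already sends both as response headers, so removing them from the client request keeps the allowed list at its default.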