How to enable CORS for custom authorizers? (AWS API Gateway)

I’m trying to implement a basic custom authorizer, but I have an issue with CORS when the authorizer doesn’t authorize the API call:
I get the expected 401 status code, but there is no Access-Control-Allow-Origin header in the response, so I can’t handle it in my front-end code…

I didn’t find any mention of a cors attribute in the serverless doc for the authorizer itself, so how can I tell it to add the correct header for “non authorized” responses?

Thanks in advance
Stephane

1 Like

Hi @stephanechauvin,
Unfortunately you can’t, that’s a limitation in API gateway and a pain-point for a lot of users.
https://forums.aws.amazon.com/thread.jspa?messageID=728839

2 Likes

Ok thx bbilger.

Incredible that AWS isn’t able to quickly address this kind of issue! :worried:

Things have changed, AWS finally fixed this thing, but I am not sure how to implement it with serverless.
Does anybody have an idea?
Thank you

@RastoStric I have the same question

Did you figure out how to return CORS headers from the authorizer?

After hours of searching… The answer is here: https://github.com/serverless/serverless/issues/3896#issuecomment-326721971

2 Likes
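For readers of this thread, an added example (not quoted from the linked comment or from any poster here): API Gateway's Gateway Responses feature lets you attach CORS headers to the responses the gateway itself generates when an authorizer rejects a call, and in a Serverless Framework project they can be declared as CloudFormation resources. The function names, handler paths and the origin `https://app.example.com` are placeholders; `ApiGatewayRestApi` is the logical ID the framework gives the REST API it creates.

```yaml
# serverless.yml (fragment) - added example, names and origin are placeholders
functions:
  authorizer:
    handler: handler.authorize          # hypothetical custom authorizer
  hello:
    handler: handler.hello              # hypothetical protected endpoint
    events:
      - http:
          path: hello
          method: get
          cors: true                    # CORS for the normal (authorized) path
          authorizer: authorizer

resources:
  Resources:
    # Covers gateway-generated 4XX responses, including the 401/403
    # returned when the authorizer does not allow the call.
    GatewayResponseDefault4XX:
      Type: AWS::ApiGateway::GatewayResponse
      Properties:
        ResponseType: DEFAULT_4XX
        RestApiId:
          Ref: ApiGatewayRestApi
        ResponseParameters:
          # Static values must be wrapped in single quotes inside the string.
          # Name the front-end origin explicitly rather than using '*'.
          gatewayresponse.header.Access-Control-Allow-Origin: "'https://app.example.com'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'Authorization,Content-Type'"
    # Covers gateway-generated 5XX responses, e.g. when the authorizer
    # function itself errors out.
    GatewayResponseDefault5XX:
      Type: AWS::ApiGateway::GatewayResponse
      Properties:
        ResponseType: DEFAULT_5XX
        RestApiId:
          Ref: ApiGatewayRestApi
        ResponseParameters:
          gatewayresponse.header.Access-Control-Allow-Origin: "'https://app.example.com'"
          gatewayresponse.header.Access-Control-Allow-Headers: "'Authorization,Content-Type'"
```

After deploying, a rejected request should still return its 401 or 403 status, now with the `Access-Control-Allow-Origin` header present so the browser exposes the response to front-end code.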

Thanks for sharing, I didn’t know it! :+1:

1 Like

After searching for more than a day, I have finally found the proper answer.
Thanks @DavidWells