Serverless CORS middleware

Serverless comes with a basic CORS implementation. With credentialed requests, the documentation suggests the application handle the response.

CORS is an application responsibility, and hence this library aims to ease the implementation of CORS using simple middleware add to an existing HTTP handler. This is similar to the expressjs middleware implementation.

How to use

import cors from 'serverless-cors-middleware';
const yourConfig = {....}
const handler = cors(yourConfig)(yourHandler);

This handles both the preflight request and the modification of the normal HTTP response.

Credentialed requests and wildcards

Credentialed requests and wildcards When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the "*" wildcard.

Because the request headers in the above example include a Cookie header, the request would fail if the value of the Access-Control-Allow-Origin header were "". But it does not fail: Because the value of the Access-Control-Allow-Origin header is "http://foo.example" (an actual origin) rather than the "" wildcard, the credential-cognizant content is returned to the invoking web content.

Credentials are cookies, authorization headers or TLS client certificates.

References

• https://www.w3.org/TR/cors/
• https://github.com/expressjs/cors/blob/master/test/test.js
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Server-Side_Access_Control
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials