Bug: CORS middleware not working as expected in some conditions #4509

@sdangol

Description

Expected Behavior

  1. If the Origin header is not present, it should not set any additional headers.
  2. If the value of the Origin header does not match any of the values in the list of allowed origins, it should not set any additional headers.
  3. If the resource doesn't support credentials, no need to add the Access-Control-Allow-Credentials header
  4. When using an array to configure the allowed origin, if the request origin doesn't match the allowed origin, it should not set any additional headers.
  5. Vary: Origin should only be used when there is a need to dynamically generate the Access-Control-Allow-Origin header. For fixed allowed origin and *, it is not necessary

Current Behavior

There are some cases where CORS middleware is not working as expected.

  1. If the Origin header is not present, it is still setting the remaining headers
  2. If the value of the Origin header does not match any of the values in the list of allowed origins, it is still setting the remaining headers
  3. If the resource doesn't support credentials, it is setting the Access-Control-Allow-Credentials header to false
  4. When using an array to configure the allowed origin, if the request origin doesn't match the allowed origin, it is still setting remaining headers.
  5. Vary: Origin is added for all fixed allowed origins other than *

Code snippet

import { Router } from '@aws-lambda-powertools/event-handler/experimental-rest';
import { cors } from '@aws-lambda-powertools/event-handler/experimental-rest/middleware';
import { Logger } from '@aws-lambda-powertools/logger';
import type { Context } from 'aws-lambda';

const logger = new Logger({ serviceName: 'pong-service' });
const app = new Router();

// Log the incoming headers so the Origin value sent by the client can be
// compared with the CORS headers that end up in the response.
app.use(async (_, reqCtx, next) => {
  logger.info('Request received', {
    headers: reqCtx.event.headers,
  });
  await next();
});

// Allowed-origin list that mixes a fixed origin with the wildcard; this is
// the configuration used to reproduce the inconsistencies described above.
app.use(cors({
  origin: ['http://localhost:8000', '*']
}));

app.get('/ping', async () => {
  return { message: 'pong' };
});

export const handler = async (event: unknown, context: Context) =>
  app.resolve(event, context);

Steps to Reproduce

  1. Create a Lambda function and use the CORS middleware in the event handler
  2. Deploy the Lambda function
  3. Send requests with different values for the Origin header while changing the allowed-origin configuration, and observe the inconsistencies

Possible Solution

  • Short circuit wherever applicable to prevent additional headers being added
  • Use the wildcard origin if it is in the array of allowed origin

Powertools for AWS Lambda (TypeScript) version

latest

AWS Lambda function runtime

22.x

Packaging format used

npm
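The following is an added reference implementation of the header logic described under Expected Behavior and Possible Solution. It is example code written for this page, not the Powertools CORS middleware, and it is deliberately narrow: the option names (`origin`, `methods`, `allowHeaders`, `credentials`, `maxAge`) and the rule that any OPTIONS request is treated as a preflight are assumptions made for the example. It short-circuits when there is no Origin header or the origin is not allowed, lets a `*` entry in the array win, omits Access-Control-Allow-Credentials unless credentials are enabled, and emits Vary: Origin only when the allowed origin is chosen dynamically from several fixed values.

```typescript
// Added example, not the Powertools implementation: compute the CORS response
// headers for one request following the five expectations in the issue.

type CorsOptions = {
  // '*', a single fixed origin, or a list of origins (which may contain '*').
  origin: string | string[];
  methods?: string[];       // assumed option names for this example
  allowHeaders?: string[];
  credentials?: boolean;
  maxAge?: number;
};

type CorsHeaders = Record<string, string>;

function corsHeaders(
  method: string,
  requestOrigin: string | undefined,
  opts: CorsOptions,
): CorsHeaders {
  const headers: CorsHeaders = {};

  // (1) No Origin header: this is not a CORS request, so add nothing at all.
  if (requestOrigin === undefined) return headers;

  const allowed = Array.isArray(opts.origin) ? opts.origin : [opts.origin];

  // A '*' anywhere in the list means "any origin" (Possible Solution, bullet 2).
  let allowOrigin: string;
  if (allowed.includes('*')) {
    allowOrigin = '*';
  } else if (allowed.includes(requestOrigin)) {
    allowOrigin = requestOrigin;
  } else {
    // (2) and (4): the request origin is not allowed; short-circuit, add nothing.
    return headers;
  }

  headers['Access-Control-Allow-Origin'] = allowOrigin;

  // (5) Vary: Origin only when the value depends on the request, i.e. when
  // several fixed origins are allowed. A single fixed origin or '*' is constant.
  if (allowOrigin !== '*' && allowed.length > 1) {
    headers['Vary'] = 'Origin';
  }

  // (3) Emit the credentials header only when credentials are supported;
  // "false" is not a meaningful value to browsers, so omit it instead.
  if (opts.credentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }

  // Preflight-only headers. Assumption for this example: any OPTIONS request
  // is a preflight (a real middleware would also check
  // Access-Control-Request-Method).
  if (method.toUpperCase() === 'OPTIONS') {
    if (opts.methods?.length) {
      headers['Access-Control-Allow-Methods'] = opts.methods.join(', ');
    }
    if (opts.allowHeaders?.length) {
      headers['Access-Control-Allow-Headers'] = opts.allowHeaders.join(', ');
    }
    if (opts.maxAge !== undefined) {
      headers['Access-Control-Max-Age'] = String(opts.maxAge);
    }
  }

  return headers;
}

// Mirrors the repro configuration from the issue: the '*' entry wins over the
// fixed localhost entry, so the response carries '*' and no Vary header.
console.log(corsHeaders('GET', 'http://localhost:8000', {
  origin: ['http://localhost:8000', '*'],
}));
```

Two caveats when reading this against the issue: a browser rejects `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true`, so a configuration that mixes `*` with `credentials: true` cannot work for credentialed requests whatever the middleware emits; and omitting Vary: Origin for a single fixed origin follows expectation 5 above, but it is only safe while that origin is truly constant for the lifetime of any cached response.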

Labels

  • bug: Something isn't working
  • completed: This item is complete and has been merged/shipped
  • event-handler: This item relates to the Event Handler Utility

Status

Shipped
